
HijackThis Log: Please help Diagnose


This topic is locked
12 replies to this topic

#1 Rammr (Members, 6 posts)

Posted 29 April 2005 - 03:50 PM

I'm having trouble with annoying popups and running processes that can charge the processor a lot.
Spybot and Adaware couldn't get rid of the problem. I have never used HijackThis before. Here's the log I made:



Logfile of HijackThis v1.99.1
Scan saved at 22:37:43, on 29/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\windows\System32\svhost.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\windows\System32\RunDll32.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Messenger Plus! 3\MsgPlus1.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Internet Explorer\shttps\http.exe
C:\DOCUME~1\Erik\LOCALS~1\Temp\BundleLite_westfrontier1001.exe
C:\WINDOWS\twain_32\A4CIS600\WATCH.exe
C:\program files\internet explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.pfxyozqbbxwlkmnnvxjddrd.com/DIR...y3nRMpPB8/.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
F3 - REG:win.ini: run=C:\windows\System32\svhost.exe
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\windows\ceres.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\windows\System32\nsz3.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\System32\FirstReboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus1.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [System backup] C:\windows\System32\wmplayer.exe
O4 - HKLM\..\Run: [ffis] C:\windows\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [farmmext] C:\windows\farmmext.exe
O4 - HKLM\..\Run: [Internet Explorer] c:\Program Files\Internet Explorer\shttps\http.exe
O4 - HKLM\..\Run: [Desktop Search] C:\windows\isrvs\desktop.exe
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\Erik\LOCALS~1\Temp\BundleLite_westfrontier1001.exe run
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus1.exe" /WinStart
O4 - HKCU\..\Run: [System backup] C:\windows\System32\wmplayer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\A4CIS600\WATCH.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Gelijkwaardige pagina's - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Koppelingspagina's - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2bleeped.biz
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F657A8B-6C43-425F-A101-62055599C370}: NameServer = 69.50.184.85,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D10AD0E-11FE-42CA-ABF5-6BD991698A9A}: NameServer = 69.50.184.85,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2C16626-A2B4-41BE-8534-DEEEE8BD7C0B}: NameServer = 69.50.184.85,195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{3F657A8B-6C43-425F-A101-62055599C370}: NameServer = 69.50.184.85,195.225.176.37
O17 - HKLM\System\CS3\Services\Tcpip\..\{3F657A8B-6C43-425F-A101-62055599C370}: NameServer = 69.50.184.85,195.225.176.37
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe



I hope you can help me out!

Edited by Rammr, 29 April 2005 - 03:55 PM.
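As an added example, not part of the original post and not a feature of HijackThis itself: a small Python triage script that parses the HJT log format shown above and flags the entry types a log helper looks at first (typosquatted system binary names such as svhost.exe, executables launched from Temp, the legacy win.ini run= hook, BHOs outside Program Files, Trusted Zone additions, registry-fixed DNS servers, and a text/html MIME filter). The sample lines are a subset copied from the log above; the allowlist of expected browser hosts and the list of core Windows binary names are assumptions chosen for this log, not a complete reference.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
Running processes:
C:\windows\system32\svchost.exe
C:\windows\System32\svhost.exe
C:\DOCUME~1\Erik\LOCALS~1\Temp\BundleLite_westfrontier1001.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.pfxyozqbbxwlkmnnvxjddrd.com/DIR...y3nRMpPB8/.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
F3 - REG:win.ini: run=C:\windows\System32\svhost.exe
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\windows\ceres.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [SAHBundle] C:\DOCUME~1\Erik\LOCALS~1\Temp\BundleLite_westfrontier1001.exe run
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O15 - Trusted Zone: *.iframe.biz
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F657A8B-6C43-425F-A101-62055599C370}: NameServer = 69.50.184.85,195.225.176.37
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe
"""

# Assumptions (tune per case): core Windows binaries whose names malware imitates,
# and hosts a stock XP/IE install or this user's own start page may point at.
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
EXPECTED_HOSTS = {"microsoft.com", "msn.com", "google.com", "google.be"}

ENTRY_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")   # "O4 - ..." style lines
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|cpl|ocx)', re.I)  # first Windows path in a line


@dataclass
class Finding:
    line: str
    reason: str


def levenshtein(a: str, b: str) -> int:
    """Edit distance; used to spot 'svhost.exe'-style typosquats of system binaries."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(basename: str):
    """Return the system binary this name imitates (exactly one edit away), else None."""
    name = basename.lower()
    if name in SYSTEM_NAMES:
        return None
    return next((k for k in SYSTEM_NAMES if levenshtein(name, k) == 1), None)


def check_path(line: str, path: str, what: str) -> list:
    """Checks that apply to any executable path: typosquat name, or running from Temp."""
    base = path.replace("/", "\\").rsplit("\\", 1)[-1]
    out = []
    known = lookalike(base)
    if known:
        out.append(Finding(line, f"{what}: '{base}' is one edit away from system binary '{known}'"))
    if "\\temp\\" in path.lower():
        out.append(Finding(line, f"{what}: executable lives in a Temp directory"))
    return out


def triage(log_text: str) -> list:
    findings, in_processes = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False          # blank line ends the "Running processes" block
            continue
        if line.lower() == "running processes:":
            in_processes = True
            continue
        m = ENTRY_RE.match(line)
        if in_processes and not m:
            findings += check_path(line, line, "running process")
            continue
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        pm = PATH_RE.search(body)
        path = pm.group(0) if pm else None
        if sec in ("R0", "R1"):
            hm = re.search(r"https?://([^/\s]+)", body)
            host = hm.group(1).lower() if hm else ""
            if host and not any(host == d or host.endswith("." + d) for d in EXPECTED_HOSTS):
                findings.append(Finding(line, f"{sec}: browser default points at unexpected host {host}"))
        elif sec == "F3":
            findings.append(Finding(line, "F3: win.ini run= is a legacy autostart hook modern software does not use"))
        elif sec == "O2":
            if "(no name)" in body or "(file missing)" in body:
                findings.append(Finding(line, "O2: BHO with no name or missing file (orphaned CLSID)"))
            elif path and "program files" not in path.lower():
                findings.append(Finding(line, "O2: BHO loaded from outside Program Files"))
        elif sec == "O15":
            if "ProtocolDefaults" in body:
                findings.append(Finding(line, "O15: http mapped to Trusted Zone, so every site gets Trusted Zone privileges"))
            else:
                findings.append(Finding(line, "O15: site added to IE Trusted Zone (relaxed security settings)"))
        elif sec == "O17":
            ips = re.findall(r"\d{1,3}(?:\.\d{1,3}){3}", body)
            findings.append(Finding(line, f"O17: DNS servers fixed in registry {ips}; confirm they belong to the ISP"))
        elif sec == "O18":
            findings.append(Finding(line, "O18: MIME filter on text/html sees every page IE renders"))
        if path and sec in ("F3", "O4", "O18", "O23"):
            findings += check_path(line, path, f"{sec} target")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample it flags eleven findings on ten lines and leaves the Google Toolbar BHO, the AVG Run entry and the NVIDIA service alone. The O17 rule deliberately does not try to decide whether an address is malicious: a helper confirms the nameservers against what the ISP or DHCP hands out, which the script cannot know.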




#2 miekiemoes, "Malware Killer Dog" (Malware Response Team, 19,420 posts, Belgium)

Posted 29 April 2005 - 05:16 PM

Hello,

That is a really nasty collection you have in here... and it smells like a variant of Bube. So, please read and perform the next instructions very carefully:

http://www.bleepingcomputer.com/forums/How...rvs-t11662.html

When done, post back a new HijackThis log together with the log from Kaspersky.

#3 Rammr, Topic Starter (Members, 6 posts)

Posted 30 April 2005 - 07:46 AM

Here's the new HijackThis log, followed by two Kaspersky logs (the first time I scanned, the program seemed to "hang" on a certain .exe file for over 10 minutes just after starting, so I stopped and scanned again):



Logfile of HijackThis v1.99.1
Scan saved at 14:38:38, on 30/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\windows\System32\nvsvc32.exe
C:\windows\System32\svchost.exe
C:\windows\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\windows\System32\RunDll32.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Messenger Plus! 3\MsgPlus1.exe
C:\WINDOWS\twain_32\A4CIS600\WATCH.exe
C:\windows\System32\wuauclt.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.pfxyozqbbxwlkmnnvxjddrd.com/DIR...y3nRMpPB8/.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
F3 - REG:win.ini: run=C:\windows\System32\svhost.exe
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\windows\ceres.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\windows\System32\nsz3.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\System32\FirstReboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus1.exe"
O4 - HKLM\..\Run: [ffis] C:\windows\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [farmmext] C:\windows\farmmext.exe
O4 - HKLM\..\Run: [Desktop Search] C:\windows\isrvs\desktop.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus1.exe" /WinStart
O4 - HKCU\..\Run: [System backup] C:\windows\System32\wmplayer.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\A4CIS600\WATCH.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Gelijkwaardige pagina's - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Koppelingspagina's - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2bleeped.biz
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F657A8B-6C43-425F-A101-62055599C370}: NameServer = 69.50.184.85,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D10AD0E-11FE-42CA-ABF5-6BD991698A9A}: NameServer = 69.50.184.85,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2C16626-A2B4-41BE-8534-DEEEE8BD7C0B}: NameServer = 69.50.184.85,195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{3F657A8B-6C43-425F-A101-62055599C370}: NameServer = 69.50.184.85,195.225.176.37
O17 - HKLM\System\CS3\Services\Tcpip\..\{3F657A8B-6C43-425F-A101-62055599C370}: NameServer = 69.50.184.85,195.225.176.37
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe
Statistics:
Task start time: 30/04/2005 13:07:27
Task completion time: 30/04/2005 13:19:50
Objects scanned: 414
Viruses detected: 1
Viruses disinfected: 1
Objects deleted: 0
Objects quarantined: 0

Settings:
Objects to be scanned:
My Computer
If an infected object is found:
Perform recommended action
Scan level:
Maximum Protection
Objects to be excluded from the scan scope:
Option not used

Report:
C:\WINDOWS\EXPLORER.EXE is infected with a virus Virus.Win32.Bube.l 30/04/2005 13:07:28
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\WinLogon [Shell=Explorer.exe] is infected with a virus Registry: startUp link to C:\WINDOWS\EXPLORER.EXE object with "Infected" verdict 30/04/2005 13:07:28
C:\WINDOWS\EXPLORER.EXE moved to the backup storage 30/04/2005 13:07:28
C:\WINDOWS\EXPLORER.EXE disinfected 30/04/2005 13:07:29



Statistics:
Task start time: 30/04/2005 13:20:01
Task completion time: 30/04/2005 14:27:43
Objects scanned: 254546
Viruses detected: 76
Viruses disinfected: 2
Objects deleted: 74
Objects quarantined: 0

Settings:
Objects to be scanned:
My Computer
If an infected object is found:
Perform recommended action
Scan level:
Maximum Protection
Objects to be excluded from the scan scope:
Option not used

Report:
C:\Documents and Settings\Albertina\efefe.exe is infected with a virus not-a-virus:AdWare.ToolBar.ISearch.d 30/04/2005 13:20:06
C:\Documents and Settings\Albertina\efefe.exe moved to the backup storage 30/04/2005 13:20:07
C:\Documents and Settings\Albertina\efefe.exe deleted 30/04/2005 13:20:07
C:\Documents and Settings\Albertina\tool.exe/data0003 is infected with a virus not-a-virus:AdWare.ToolBar.HotSearchBar.e 30/04/2005 13:20:07
C:\Documents and Settings\Albertina\tool.exe moved to the backup storage 30/04/2005 13:20:07
C:\Documents and Settings\Albertina\tool.exe deleted 30/04/2005 13:20:07
C:\Documents and Settings\Albertina\Local Settings\Temp\1.exe/data0002 is infected with a virus not-a-virus:AdWare.BetterInternet 30/04/2005 13:20:20
C:\Documents and Settings\Albertina\Local Settings\Temp\1.exe moved to the backup storage 30/04/2005 13:20:20
C:\Documents and Settings\Albertina\Local Settings\Temp\1.exe is infected with a virus not-a-virus:AdWare.BetterInternet 30/04/2005 13:20:20
C:\Documents and Settings\Albertina\Local Settings\Temp\1.exe deleted 30/04/2005 13:20:20
C:\Documents and Settings\Albertina\Local Settings\Temp\BundleLite_westfrontier1001.exe is infected with a virus not-a-virus:AdWare.Sahat.m 30/04/2005 13:20:26
C:\Documents and Settings\Albertina\Local Settings\Temp\BundleLite_westfrontier1001.exe moved to the backup storage 30/04/2005 13:20:26
C:\Documents and Settings\Albertina\Local Settings\Temp\BundleLite_westfrontier1001.exe deleted 30/04/2005 13:20:26
C:\Documents and Settings\Albertina\Local Settings\Temporary Internet Files\Content.IE5\8FB7E0DD\thin_bundlelite2[1].exe/data0002 is infected with a virus not-a-virus:AdWare.Sahat.m 30/04/2005 13:20:59
C:\Documents and Settings\Albertina\Local Settings\Temporary Internet Files\Content.IE5\8FB7E0DD\thin_bundlelite2[1].exe moved to the backup storage 30/04/2005 13:20:59
C:\Documents and Settings\Albertina\Local Settings\Temporary Internet Files\Content.IE5\8FB7E0DD\thin_bundlelite2[1].exe is infected with a virus not-a-virus:AdWare.Sahat.m 30/04/2005 13:20:59
C:\Documents and Settings\Albertina\Local Settings\Temporary Internet Files\Content.IE5\8FB7E0DD\thin_bundlelite2[1].exe deleted 30/04/2005 13:20:59
C:\Documents and Settings\Albertina\Local Settings\Temporary Internet Files\Content.IE5\LFFJTXWE\thin_poker[1].exe/data0002 is infected with a virus not-a-virus:AdWare.BetterInternet 30/04/2005 13:22:07
C:\Documents and Settings\Albertina\Local Settings\Temporary Internet Files\Content.IE5\LFFJTXWE\thin_poker[1].exe moved to the backup storage 30/04/2005 13:22:07
C:\Documents and Settings\Albertina\Local Settings\Temporary Internet Files\Content.IE5\LFFJTXWE\thin_poker[1].exe is infected with a virus not-a-virus:AdWare.BetterInternet 30/04/2005 13:22:07
C:\Documents and Settings\Albertina\Local Settings\Temporary Internet Files\Content.IE5\LFFJTXWE\thin_poker[1].exe deleted 30/04/2005 13:22:07
C:\Documents and Settings\Albertina\Local Settings\Temporary Internet Files\Content.IE5\WHYJWHMJ\thin_bundlelite[1].exe/data0002 is infected with a virus not-a-virus:AdWare.Sahat.m 30/04/2005 13:22:34
C:\Documents and Settings\Albertina\Local Settings\Temporary Internet Files\Content.IE5\WHYJWHMJ\thin_bundlelite[1].exe moved to the backup storage 30/04/2005 13:22:34
C:\Documents and Settings\Albertina\Local Settings\Temporary Internet Files\Content.IE5\WHYJWHMJ\thin_bundlelite[1].exe is infected with a virus not-a-virus:AdWare.Sahat.m 30/04/2005 13:22:34
C:\Documents and Settings\Albertina\Local Settings\Temporary Internet Files\Content.IE5\WHYJWHMJ\thin_bundlelite[1].exe deleted 30/04/2005 13:22:34
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom.zip\erik@servedby.advertising[1].txt password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom1.zip\erik@advertising[1].txt password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom1.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom10.zip\erik@advertising[2].txt password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom10.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom2.zip\erik@servedby.advertising[2].txt password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom2.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom3.zip\erik@advertising[1].txt password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom3.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom4.zip\albertina@servedby.advertising[1].txt password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom4.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom5.zip\albertina@advertising[1].txt password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom5.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom6.zip\albertina@servedby.advertising[1].txt password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom6.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom7.zip\albertina@advertising[1].txt password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom7.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom8.zip\erik@www2.yesadvertising[2].txt password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom8.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom9.zip\erik@servedby.advertising[2].txt password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Advertisingcom9.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Adviva.zip\albertina@adviva[1].txt password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Adviva.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip\related.htm password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AllCyberSearch.zip\sbRecovery.reg password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AllCyberSearch.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc.zip\albertina@atdmt[2].txt password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc1.zip\erik@atdmt[2].txt password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc1.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc2.zip\albertina@atdmt[2].txt password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc2.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc3.zip\erik@atdmt[2].txt password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc3.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc4.zip\erik@atdmt[2].txt password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc4.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc5.zip\willy@atdmt[2].txt password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc5.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc6.zip\albertina@atdmt[1].txt password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc6.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:48
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc7.zip\albertina@atdmt[2].txt password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc7.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc8.zip\erik@atdmt[2].txt password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\AvenueAInc8.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BFast.zip\albertina@bfast[1].txt password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BFast.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BFast1.zip\albertina@bfast[2].txt password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BFast1.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Clop.zip\willy@lop[2].txt password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Clop.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Clop1.zip\erik@lop[2].txt password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Clop1.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommissionJunction.zip\erik@qksrv[1].txt password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommissionJunction.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommissionJunction1.zip\erik@qksrv[1].txt password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommissionJunction1.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommissionJunction2.zip\erik@qksrv[1].txt password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommissionJunction2.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommissionJunction3.zip\erik@commission-junction[1].txt password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommissionJunction3.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick.zip\erik@doubleclick[1].txt password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick1.zip\albertina@doubleclick[1].txt password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick1.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick10.zip\albertina@doubleclick[1].txt password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick10.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick11.zip\albertina@doubleclick[1].txt password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick11.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick12.zip\albertina@doubleclick[1].txt password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick12.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick13.zip\erik@n479ad.doubleclick[1].txt password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick13.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick14.zip\erik@doubleclick[1].txt password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick14.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick15.zip\albertina@doubleclick[1].txt password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick15.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick2.zip\erik@doubleclick[1].txt password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick2.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick3.zip\erik@doubleclick[1].txt password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick3.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick4.zip\erik@doubleclick[1].txt password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick4.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick5.zip\erik@doubleclick[1].txt password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick5.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick6.zip\erik@doubleclick[1].txt password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick6.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick7.zip\albertina@doubleclick[1].txt password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick7.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick8.zip\erik@doubleclick[1].txt password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick8.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick9.zip\willy@doubleclick[1].txt password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick9.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit.zip\sbRecovery.reg password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:49
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit1.zip\sbRecovery.reg password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit1.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit2.zip\sbRecovery.reg password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit2.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit3.zip\sbRecovery.reg password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit3.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit4.zip\sbRecovery.reg password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit4.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit5.zip\sbRecovery.reg password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit5.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FastClick.zip\albertina@fastclick[1].txt password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FastClick.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FastClick1.zip\erik@fastclick[2].txt password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FastClick1.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FastClick2.zip\albertina@fastclick[2].txt password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FastClick2.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FastClick3.zip\erik@fastclick[2].txt password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FastClick3.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Gator.zip\erik@gator[2].txt password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Gator.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Gator1.zip\albertina@gator[1].txt password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Gator1.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Gator2.zip\erik@gator[1].txt password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Gator2.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HitBox.zip\erik@hitbox[2].txt password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HitBox.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HitBox1.zip\erik@ehg.hitbox[2].txt password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HitBox1.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HitBox2.zip\erik@hitbox[2].txt password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HitBox2.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HitBox3.zip\erik@hg1.hitbox[1].txt password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HitBox3.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HitBox4.zip\erik@hitbox[2].txt password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HitBox4.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HitBox5.zip\erik@phg.hitbox[1].txt password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HitBox5.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HitBox6.zip\erik@hg1.hitbox[2].txt password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HitBox6.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HitBox7.zip\erik@ehg.hitbox[2].txt password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HitBox7.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HitBox8.zip\erik@ehg-mtv.hitbox[1].txt password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HitBox8.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HitsLink.zip\albertina@counter.hitslink[1].txt password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\HitsLink.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\LinkSynergy.zip\erik@linksynergy[1].txt password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\LinkSynergy.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaPlex.zip\erik@mediaplex[1].txt password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaPlex.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaPlex1.zip\albertina@mediaplex[1].txt password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaPlex1.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaPlex2.zip\erik@mediaplex[1].txt password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaPlex2.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaPlex3.zip\erik@mediaplex[1].txt password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaPlex3.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaPlex4.zip\erik@mediaplex[1].txt password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaPlex4.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaPlex5.zip\willy@mediaplex[2].txt password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaPlex5.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:50
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaPlex6.zip\erik@mediaplex[1].txt password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MediaPlex6.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PornTracker.zip\erik@stats3.porntrack[1].txt password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PornTracker.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PornTracker1.zip\erik@stats3.porntrack[1].txt password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PornTracker1.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PornTracker2.zip\erik@stats3.porntrack[2].txt password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PornTracker2.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PornTracker3.zip\erik@stats3.porntrack[1].txt password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PornTracker3.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PornTracker4.zip\erik@stats3.porntrack[1].txt password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PornTracker4.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PornTracker5.zip\erik@stats3.porntrack[2].txt password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PornTracker5.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PornTracker6.zip\erik@stats3.porntrack[1].txt password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\PornTracker6.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexList.zip\erik@sexlist[1].txt password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexList.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexList1.zip\erik@sexlist[2].txt password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexList1.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexList2.zip\erik@sexlist[2].txt password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexList2.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexList3.zip\erik@sexlist[1].txt password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexList3.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexList4.zip\erik@sexlist[1].txt password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexList4.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker.zip\erik@counter16.sextracker[2].txt password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker1.zip\erik@counter3.sextracker[1].txt password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker1.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker10.zip\erik@counter10.sextracker[2].txt password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker10.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker11.zip\erik@counter5.sextracker[1].txt password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker11.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker12.zip\erik@sextracker[1].txt password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker12.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker13.zip\erik@counter16.sextracker[1].txt password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker13.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker14.zip\erik@counter12.sextracker[1].txt password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker14.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker15.zip\erik@sextracker[2].txt password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker15.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker16.zip\erik@counter5.sextracker[1].txt password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker16.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker17.zip\erik@counter3.sextracker[1].txt password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker17.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker18.zip\erik@counter5.sextracker[1].txt password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker18.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker19.zip\erik@sextracker[2].txt password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker19.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker2.zip\erik@sextracker[2].txt password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker2.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker20.zip\erik@counter4.sextracker[2].txt password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker20.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker21.zip\erik@counter2.sextracker[1].txt password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker21.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:51
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker22.zip\erik@counter13.sextracker[1].txt password protected, has not been processed 30/04/2005 13:23:52
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker22.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:52
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SexTracker23.zip\erik@counter16.sextracker[2].txt password protected, has not been processed 30/04/2005 13:23:52
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Se

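A small triage script for the Kaspersky archive lines pasted above, added here as an example; it is not part of this thread and not Kaspersky's or Spybot's own tooling. It assumes the line shape shown in the log (archive path and member, the fixed phrase "password protected, has not been processed", then a DD/MM/YYYY HH:MM:SS stamp). The fourth sample line, a non-Spybot archive under My Documents, is a hypothetical addition so both buckets are exercised, and the last sample line is the truncated tail of the log exactly as pasted. The point it makes concrete: every entry Kaspersky skipped here sits inside Spybot's own Recovery archives, which are encrypted quarantine backups, so the scanner cannot say whether they are clean, and they will keep showing up as unprocessed until that quarantine is purged.

```python
"""Added triage script for the Kaspersky archive-scan lines quoted above.

Not part of this thread. It parses lines shaped like

    <archive>\\<member> password protected, has not been processed DD/MM/YYYY HH:MM:SS

groups the unscanned members by archive, and flags archives that sit in
Spybot - Search & Destroy's Recovery folder: those are Spybot's own
encrypted quarantine backups, so no AV engine can look inside them and
they keep showing up as unprocessed until the quarantine is emptied.
"""
import re
from collections import defaultdict

# The only status string that appears in the log quoted above.
UNSCANNED = "password protected, has not been processed"

LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+" + re.escape(UNSCANNED)
    + r"\s+(?P<stamp>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2})\s*$"
)
# "C:\...\Foo.zip\member.txt" -> archive "C:\...\Foo.zip", member "member.txt"
ARCHIVE_RE = re.compile(r"^(?P<archive>.+?\.zip)\\(?P<member>.+)$", re.IGNORECASE)

# Lower-cased path fragment that identifies Spybot's quarantine backups.
SPYBOT_RECOVERY = "\\spybot - search & destroy\\recovery\\"

# Constructed sample: three lines copied from the log above, one hypothetical
# non-Spybot archive (assumed, not from the page), and the truncated last line.
SAMPLE_LOG = [
    r"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick.zip\erik@doubleclick[1].txt password protected, has not been processed 30/04/2005 13:23:49",
    r"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DoubleClick.zip\sbRecovery.ini password protected, has not been processed 30/04/2005 13:23:49",
    r"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit.zip\sbRecovery.reg password protected, has not been processed 30/04/2005 13:23:49",
    r"C:\Documents and Settings\Erik\My Documents\example-backup.zip\notes.txt password protected, has not been processed 30/04/2005 13:24:02",
    r"C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Se",
]


def parse_line(line):
    """Return {'archive', 'member', 'stamp'} for an unscanned-entry line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    a = ARCHIVE_RE.match(m.group("path"))
    if not a:
        return None
    return {"archive": a.group("archive"), "member": a.group("member"),
            "stamp": m.group("stamp")}


def triage(lines):
    """Group unscanned members by archive and separate Spybot quarantine backups."""
    per_archive = defaultdict(list)
    unparsed = []
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)   # truncated or unfamiliar line: keep for manual review
            continue
        per_archive[rec["archive"]].append(rec["member"])
    quarantine = sorted(a for a in per_archive if SPYBOT_RECOVERY in a.lower())
    others = sorted(a for a in per_archive if SPYBOT_RECOVERY not in a.lower())
    return {
        "archives": dict(per_archive),
        "spybot_quarantine": quarantine,   # safe to purge from Spybot's Recovery tab
        "other_archives": others,          # need a decision: open with the password or delete
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{len(result['spybot_quarantine'])} Spybot quarantine archive(s) the scanner could not open")
    for archive in result["spybot_quarantine"]:
        print(f"  {archive}  ({len(result['archives'][archive])} member(s))")
    print(f"{len(result['other_archives'])} other password-protected archive(s) to review by hand")
    for archive in result["other_archives"]:
        print(f"  {archive}")
    print(f"{len(result['unparsed'])} line(s) not understood (truncated?)")
```

To use it on a real scan report, replace SAMPLE_LOG with the report's lines; anything the script cannot parse is kept under "unparsed" rather than silently dropped, so a cut-off paste like the one above is still visible in the summary.
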
#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 30 April 2005 - 08:05 AM

Hi there,

Good news, Kaspersky disinfected your explorer.exe.

Now let's see what comes back afterwards.
I'm pretty sure some files are still hidden here.

First of all, open your Spybot Search & Destroy, select the backup/quarantine option and DELETE everything that's in there!

Now I want you to print out the next instructions or save them into Notepad, because you have to work in safe mode again.

* Download and install Cleanup!
Do not use it yet.

* Download Pfind: http://www.bleepingcomputer.com/files/pfind.php
UNZIP the contents to a permanent folder !! Important !!
So make sure all those files remain in the same folder.
Don't use it yet!

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.


Reboot in SAFE MODE !! Important !!
°To get into Safe Mode as the computer is booting, press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.pfxyozqbbxwlkmnnvxjddrd.com/DIR...y3nRMpPB8/.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = iexplore
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
F3 - REG:win.ini: run=C:\windows\System32\svhost.exe
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\windows\ceres.dll (file missing)
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\windows\System32\nsz3.dll (file missing)
O4 - HKLM\..\Run: [ffis] C:\windows\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [farmmext] C:\windows\farmmext.exe
O4 - HKLM\..\Run: [Desktop Search] C:\windows\isrvs\desktop.exe
O4 - HKCU\..\Run: [System backup] C:\windows\System32\wmplayer.exe
O15 - Trusted Zone: *.addictivetechnologies.com
O15 - Trusted Zone: *.addictivetechnologies.net
O15 - Trusted Zone: *.admin2cash.biz
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.bettersearch.biz
O15 - Trusted Zone: *.c4tdownload.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.crazywinnings.com
O15 - Trusted Zone: *.finefind.nettraffic2cash.biz
O15 - Trusted Zone: *.iframe.biz
O15 - Trusted Zone: *.megapornix.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.newiframe.biz
O15 - Trusted Zone: *.overpro.com
O15 - Trusted Zone: *.pizdato.biz
O15 - Trusted Zone: *.private-dialer.biz
O15 - Trusted Zone: *.private-iframe.biz
O15 - Trusted Zone: *.sp2admin.biz
O15 - Trusted Zone: *.sp2bleeped.biz
O15 - Trusted Zone: *.topconverting.com
O15 - Trusted Zone: *.windupdates.com
O15 - Trusted Zone: *.ysbweb.com
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone (HKLM)
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F657A8B-6C43-425F-A101-62055599C370}: NameServer = 69.50.184.85,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{6D10AD0E-11FE-42CA-ABF5-6BD991698A9A}: NameServer = 69.50.184.85,195.225.176.37
O17 - HKLM\System\CCS\Services\Tcpip\..\{E2C16626-A2B4-41BE-8534-DEEEE8BD7C0B}: NameServer = 69.50.184.85,195.225.176.37
O17 - HKLM\System\CS2\Services\Tcpip\..\{3F657A8B-6C43-425F-A101-62055599C370}: NameServer = 69.50.184.85,195.225.176.37
O17 - HKLM\System\CS3\Services\Tcpip\..\{3F657A8B-6C43-425F-A101-62055599C370}: NameServer = 69.50.184.85,195.225.176.37
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll


* Click on Fix Checked when finished and exit HijackThis.

Enter your Control Panel. If you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.

Press OK twice to get out of the properties screen and reboot if it asks.

Go to start > run and type: sc delete delprot

* Search for the next files and delete them if still present:

C:\windows\farmmext.exe
C:\windows\isrvs <== this folder
C:\Windows\system32\drivers\delprot.sys
C:\Windows\delprot.ini
C:\windows\System32\wmplayer.exe
C:\windows\System32\svhost.exe (Watch out here!! DO NOT DELETE svchost.exe!! )


Double-click pfind.bat
It will scan for a while, so please be patient.
Wait till the DOS window closes.

* Start Cleanup! and click cleanup.
When done, it will ask you to log off to finish its task.

Reboot back to normal mode.

* Download DelDomains.inf and save it to your desktop.
Right-click on it and choose 'Install'.

Post the contents of C:\pfind.txt in your next reply together with a new HijackThis log.

Edited by miekiemoes, 30 April 2005 - 08:07 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
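The entries fixed in the post above fall into a few classes that recur in these logs: a lookalike process name (svhost.exe beside the real svchost.exe), an autostart or running process in a temp folder or in the wrong folder (wmplayer.exe does not live in System32), O15 Trusted Zone additions and the http ProtocolDefaults change, O17 per-interface NameServer overrides, dangling O2/R3 hooks whose file is already gone, an O18 text/html filter, and a Search Bar pointing at a random-looking hostname. The script below is an added example, not part of this thread and not HijackThis code; it triages a saved HijackThis 1.99 log for those classes. The expected-resolver set is empty and is an assumption to fill in for your own network, the lookalike and known-home tables are short starting points, and the consonant-run check for random-looking hosts is a crude heuristic rather than a rule. The sample lines are copied from the first log in the thread.

```python
"""Triage a saved HijackThis 1.99 log for the entry classes acted on above.

Added example; not part of the thread and not HijackThis code.  Assumes the
plain-text log format shown in the thread (one entry per line).
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", ["reason", "line"])

# Malware file names chosen to pass for core Windows binaries (svhost.exe is
# the page's case).  Value = the real binary being imitated.  Assumption: extend.
LOOKALIKES = {"svhost.exe": "svchost.exe", "lsas.exe": "lsass.exe"}

# Binaries with a fixed home folder on Windows XP; a copy anywhere else is a
# fake (wmplayer.exe in System32 is the page's case).  Assumption: extend.
KNOWN_HOME = {"wmplayer.exe": "\\program files\\windows media player\\"}

# Resolvers you expect on this network.  Assumption: empty here, so every
# O17 NameServer override is reported.
EXPECTED_NAMESERVERS = set()

PATH_RE = re.compile(r"([A-Za-z]:\\[^\"\[\]]*?\.(?:exe|dll|sys))", re.I)
DANGLING_RE = re.compile(r"^(O2|O3|R3) - .*\((file missing|no file)\)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (.+)$")
URL_RE = re.compile(r"^R[01] - .*(Search Bar|Start Page|Search Page) = https?://([^/]+)/")


def _check_path(path, line, findings):
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    if name in LOOKALIKES:
        findings.append(Finding(f"{name} mimics {LOOKALIKES[name]}", line))
    if name in KNOWN_HOME and KNOWN_HOME[name] not in low:
        findings.append(Finding(f"{name} outside its normal folder", line))
    if "\\temp\\" in low:
        findings.append(Finding("binary in a temp folder", line))


def _random_looking(host):
    # Crude heuristic: five or more consonants in a row in any label.
    return re.search(r"[bcdfghjklmnpqrstvwxz]{5,}", host.lower()) is not None


def triage_line(line):
    """Return the findings for one log line (empty list if nothing stands out)."""
    s = line.strip()
    findings = []
    if not s:
        return findings
    if re.match(r"^[A-Za-z]:\\", s):           # "Running processes" section
        _check_path(s, s, findings)
        return findings
    if s.startswith(("O4 ", "F2 ", "F3 ")):    # autostarts: check every path
        for p in PATH_RE.findall(s):
            _check_path(p, s, findings)
    m = O17_RE.match(s)
    if m:
        rogue = [x.strip() for x in m.group(1).split(",")
                 if x.strip() not in EXPECTED_NAMESERVERS]
        if rogue:
            findings.append(Finding(f"unexpected DNS servers {rogue}", s))
    if s.startswith("O15 - Trusted Zone:"):
        findings.append(Finding("domain added to IE Trusted Zone", s))
    elif s.startswith("O15 - ProtocolDefaults"):
        findings.append(Finding("http protocol default moved to Trusted Zone", s))
    if DANGLING_RE.match(s):
        findings.append(Finding("dangling COM hook, file already gone", s))
    if s.startswith("O18 - Filter: text/html"):
        findings.append(Finding("text/html MIME filter installed", s))
    m = URL_RE.match(s)
    if m and _random_looking(m.group(2)):
        findings.append(Finding(f"random-looking host {m.group(2)}", s))
    return findings


def triage(log_text):
    """Run triage_line over a whole log and return all findings in order."""
    out = []
    for line in log_text.splitlines():
        out.extend(triage_line(line))
    return out


# Sample input: lines copied from the thread's first log (not constructed).
SAMPLE_LOG = r"""
C:\windows\system32\svchost.exe
C:\windows\System32\svhost.exe
C:\DOCUME~1\Erik\LOCALS~1\Temp\BundleLite_westfrontier1001.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.pfxyozqbbxwlkmnnvxjddrd.com/DIR...y3nRMpPB8/.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
F3 - REG:win.ini: run=C:\windows\System32\svhost.exe
O2 - BHO: CeresObj Class - {00000049-8F91-4D9C-9573-F016E7626484} - C:\windows\ceres.dll (file missing)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [System backup] C:\windows\System32\wmplayer.exe
O15 - Trusted Zone: *.sp2admin.biz
O15 - ProtocolDefaults: 'http' protocol is in Trusted Zone, should be Internet Zone
O17 - HKLM\System\CCS\Services\Tcpip\..\{3F657A8B-6C43-425F-A101-62055599C370}: NameServer = 69.50.184.85,195.225.176.37
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason:45} {f.line}")
```

Run it against a log saved from HijackThis (`triage(open("hijackthis.log").read())`) and read the output as a worklist, not a verdict: a "domain added to IE Trusted Zone" line is normal if you put it there yourself, and a benign program can sit in a temp folder while it installs. The point of the checks is the same as the helper's reading of the log: an entry earns suspicion from where it points and what it hooks, not from its name alone.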

#5 Rammr (Topic Starter)

Posted 30 April 2005 - 09:21 AM

Here's the pfind.txt and the new hijackthis.log:



Files found with this application may be legitimate.
Only remove files that you know are malware related.
Checking the C:\windows folder


Checking the C:\windows\SYSTEM32 folder
C:\windows\SYSTEM32\pav.sig: .aspack
C:\windows\SYSTEM32\pav.sig: :.aspackze
C:\windows\SYSTEM32\pav.sig: .aspack.text
C:\windows\SYSTEM32\pav.sig: H.aspack.text
C:\windows\SYSTEM32\pav.sig: .aspack.text
C:\windows\SYSTEM32\pav.sig: 4.aspack
C:\windows\SYSTEM32\pav.sig: F<SW.aspack
C:\windows\SYSTEM32\pav.sig: [.aspack
C:\windows\SYSTEM32\pav.sig: UPX!
C:\windows\SYSTEM32\pav.sig: .aspack0
C:\windows\SYSTEM32\pav.sig: .aspack
C:\windows\SYSTEM32\pav.sig: .aspack
C:\windows\SYSTEM32\pav.sig: H@.aspack.text
C:\windows\SYSTEM32\poker.exe: UPX!


Checking all directories under the C:\windows\SYSTEM32\drivers folder
C:\windows\SYSTEM32\Drivers\avg7core.sys: error finding UPX! header
C:\windows\SYSTEM32\Drivers\avg7core.sys: =FSG!u$h
C:\windows\SYSTEM32\Drivers\avg7core.sys: UPX!
C:\windows\SYSTEM32\Drivers\etc\hosts: 127.0.0.1 qoologic.com
C:\windows\SYSTEM32\Drivers\etc\hosts: 127.0.0.1 adsrv.qoologic.com
C:\windows\SYSTEM32\Drivers\etc\hosts: 127.0.0.1 www.qoologic.com


Checking the C:\Documents and Settings\All Users\Start Menu\programs\Startup\ folder



Checking the C:\Documents and Settings\All Users\Application Data folder



Checking the C:\Documents and Settings\Administrator\Start Menu\programs\Startup\ folder



Checking the C:\Documents and Settings\Administrator\Application Data folder






Logfile of HijackThis v1.99.1
Scan saved at 16:15:21, on 30/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\windows\System32\nvsvc32.exe
C:\windows\System32\svchost.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\windows\System32\RunDll32.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Messenger Plus! 3\MsgPlus1.exe
C:\WINDOWS\twain_32\A4CIS600\WATCH.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\System32\FirstReboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus1.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus1.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\A4CIS600\WATCH.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Gelijkwaardige pagina's - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Koppelingspagina's - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe



When running HijackThis just now, some things showed up that weren't there in safe mode (logged in as Administrator, though all users have admin rights on this PC). So I checked and removed those afterwards in normal mode, then ran it again and made this log. Should I run HijackThis in each user profile?

- edit -
The problems seem to be gone, but there are still some things I don't like on my PC:
In my Documents and Settings folder there are .exe's like "efvefefe.exe" and others that used to come popping up in DOS windows.
In the registry there's a folder called "drelkge789AEF5" with some subfolders that don't seem to be any good.
Can I safely delete those?


Many thanks for the help so far.

Edited by Rammr, 30 April 2005 - 09:45 AM.


#6 miekiemoes (Malware Response Team)

Posted 30 April 2005 - 09:57 AM

Yes, delete those files in your Documents and Settings folder.

Yes, it's possible that some items didn't show up in your log, because you were logged in as an administrator in safe mode.

Check and fix the next one in HijackThis again:

R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)

I want you to check something. Go to the next site: http://virusscan.jotti.org/
At the top you'll find "File to upload and scan". Browse to the next file and let it scan:

C:\windows\SYSTEM32\poker.exe

Post the results in your next reply.

And yes, delete the next key, drelkge789AEF5, in your registry. This one contains adult and search sites.

Please perform a full scan with an updated Spybot S&D, and I suggest you install Ad-Aware SE ( http://www.lavasoftusa.com/software/adaware/ ) and let it also perform a full scan to get rid of some leftovers.

#7 Rammr (Topic Starter)

Posted 30 April 2005 - 10:07 AM

I let it scan the file, here is what it says:



File: poker.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
MD5: 9d16ecf9a729256ddf38e2d04721ff1f
Packers detected: UPX

Scanner results:
AntiVir: Found nothing
Avast: Found nothing
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found nothing
mks_vir: Found nothing
NOD32: Found nothing
Norman Virus Control: Found nothing
VBA32: Found nothing


I'll make sure to update spybot and adaware and scan with those now.
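Jotti's verdict in the post above rests on two signals it names, a runtime packer (UPX) and long sandbox emulation, with no signature hit from any engine. The pfind run earlier in the thread reached the same point by grepping for the strings UPX!, .aspack and FSG! inside files. The script below is an added example, not part of the thread and not code from pfind, Jotti or any other tool named here; it makes the same check from the PE headers instead of a raw string search: it lists the section names, looks for packer section names and the marker strings, and measures the byte entropy of each section, since compressed or encrypted code sits close to 8 bits per byte. The two PE images it inspects are constructed in memory for the example and are not real programs; the packer section-name list is an assumption that a practitioner would extend.

```python
"""Packer check from the PE headers, as in the pfind/Jotti output above.

Added example; not part of the thread or of any tool named in it.  Assumes a
PE file with intact headers.  The two images inspected are constructed in
memory below (constructed test data, not real programs).
"""
import math
import random
import struct

# Section names left behind by common packers.  Assumption: extend as needed.
PACKER_SECTIONS = {"UPX0", "UPX1", "UPX2", ".aspack", ".adata", ".petite", ".nsp1", ".MPRESS1"}
# Byte strings the thread's pfind run grepped for.
PACKER_MARKERS = (b"UPX!", b".aspack", b"FSG!")


def shannon_entropy(data):
    """Bits per byte; compressed or encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_sections(blob):
    """Return [(name, raw_offset, raw_size), ...] from the section table."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    coff = e_lfanew + 4
    nsect = struct.unpack_from("<H", blob, coff + 2)[0]          # NumberOfSections
    opt_size = struct.unpack_from("<H", blob, coff + 16)[0]      # SizeOfOptionalHeader
    table = coff + 20 + opt_size
    out = []
    for i in range(nsect):
        off = table + i * 40                                     # 40-byte section header
        name = blob[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", blob, off + 16)
        out.append((name, raw_ptr, raw_size))
    return out


def packer_report(blob):
    """Summarise packer evidence: section names, string markers, max entropy."""
    sections = pe_sections(blob)
    names = [n for n, _, _ in sections]
    hits = [n for n in names if n in PACKER_SECTIONS]
    markers = [m.decode() for m in PACKER_MARKERS if m in blob]
    max_ent = max((shannon_entropy(blob[p:p + s]) for _, p, s in sections if s), default=0.0)
    return {"sections": names, "packer_sections": hits, "markers": markers,
            "max_entropy": round(max_ent, 2),
            "suspicious": bool(hits or markers or max_ent > 7.0)}


def build_pe(sections):
    """Construct a minimal PE32 image with the given (name, payload) sections.
    Constructed test data only: it has no entry point and will not run."""
    hdr = (0x40 + 4 + 20 + 224 + 40 * len(sections) + 0x1FF) & ~0x1FF
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                      # PE32 magic
    table, body, ptr = bytearray(), bytearray(), hdr
    for name, payload in sections:
        size = (len(payload) + 0x1FF) & ~0x1FF                 # 512-byte file alignment
        table += struct.pack("<8sIIIIIIHHI", name.encode(), len(payload), 0,
                             size, ptr, 0, 0, 0, 0, 0x60000020)
        body += payload.ljust(size, b"\0")
        ptr += size
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return head.ljust(hdr, b"\0") + bytes(body)


# Constructed samples: a UPX-style layout with high-entropy data, and a plain one.
_rng = random.Random(1)
PACKED_SAMPLE = build_pe([("UPX0", b""),
                          ("UPX1", b"UPX!" + bytes(_rng.getrandbits(8) for _ in range(4092)))])
PLAIN_SAMPLE = build_pe([(".text", b"\x55\x8b\xec\x83\xec\x10" * 200),
                         (".rdata", b"This program cannot be run in DOS mode.\r\n" * 20)])

if __name__ == "__main__":
    for label, blob in (("packed", PACKED_SAMPLE), ("plain", PLAIN_SAMPLE)):
        print(label, packer_report(blob))
```

On a real file call `packer_report(open(path, "rb").read())`. Packing is not malice in itself, which is the caveat Jotti's own text carries: some legitimate programs ship packed. Treat a hit as a reason to look closer (a multi-engine scan as the helper asked for, or comparing the hash against the vendor's release) rather than as a verdict, and note that section names and marker strings are trivially renamed by a packer that wants to hide, while the entropy signal is harder to remove.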

#8 miekiemoes (Malware Response Team)

Posted 30 April 2005 - 10:10 AM

Edit: I forgot to answer your question.

Yes, post a HijackThis log from each account, so we can also delete the leftovers in it if present.

That poker.exe? Do you know it? If not, delete it.

Edited by miekiemoes, 30 April 2005 - 10:11 AM.


#9 Rammr (Topic Starter)

Posted 30 April 2005 - 10:37 AM

Here are the logs for each account:



Logfile of HijackThis v1.99.1
Scan saved at 17:33:58, on 30/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\windows\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\windows\System32\RunDll32.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Messenger Plus! 3\MsgPlus1.exe
C:\WINDOWS\twain_32\A4CIS600\WATCH.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\windows\System32\nvsvc32.exe
C:\windows\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\winlogon.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\System32\FirstReboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus1.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus1.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\A4CIS600\WATCH.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Gelijkwaardige pagina's - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Koppelingspagina's - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe



Logfile of HijackThis v1.99.1
Scan saved at 17:30:18, on 30/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\windows\System32\nvsvc32.exe
C:\windows\System32\svchost.exe
C:\windows\system32\winlogon.exe
C:\windows\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\windows\System32\RunDll32.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Messenger Plus! 3\MsgPlus1.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\twain_32\A4CIS600\WATCH.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\System32\FirstReboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus1.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus1.exe" /WinStart
O4 - HKCU\..\Run: [SuperAdBlocker] C:\Program Files\SuperAdBlocker.com\Super Ad Blocker\SADBLOCK.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\A4CIS600\WATCH.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Gelijkwaardige pagina's - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Koppelingspagina's - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe



Logfile of HijackThis v1.99.1
Scan saved at 17:31:52, on 30/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\windows\System32\nvsvc32.exe
C:\windows\System32\svchost.exe
C:\windows\system32\winlogon.exe
C:\windows\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\windows\System32\RunDll32.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Messenger Plus! 3\MsgPlus1.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\twain_32\A4CIS600\WATCH.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.be/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\System32\FirstReboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus1.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus1.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\A4CIS600\WATCH.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe



Logfile of HijackThis v1.99.1
Scan saved at 17:33:12, on 30/04/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\windows\System32\smss.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\services.exe
C:\windows\system32\lsass.exe
C:\windows\system32\svchost.exe
C:\windows\System32\svchost.exe
C:\windows\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\windows\System32\nvsvc32.exe
C:\windows\System32\svchost.exe
C:\windows\system32\winlogon.exe
C:\windows\system32\winlogon.exe
C:\windows\Explorer.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\windows\System32\RunDll32.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\Program Files\Messenger Plus! 3\MsgPlus1.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\twain_32\A4CIS600\WATCH.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iwmbzftykuagu.us/I3iEQRUT9NVDhi...9_vVRAmY0_.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.modelwarships.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?p...er=6&ar=msnhome
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\System32\FirstReboot.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\Messenger Plus! 3\MsgPlus1.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Watch.lnk = C:\WINDOWS\twain_32\A4CIS600\WATCH.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Gelijkwaardige pagina's - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Koppelingspagina's - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Opgeslagen momentopname van de pagina - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe



I deleted the poker.exe.
Adaware found quite a lot of stuff, guess I should have upgraded a lot earlier.

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:07:33 AM

Posted 30 April 2005 - 12:09 PM

In the last log, check and fix the following line:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.iwmbzftykuagu.us/I3iEQRUT9NVDhi...9_vVRAmY0_.html

An important thing to do is to disable your System Restore. (Note: this will delete all your System Restore points and any malware that was present in them.)
How to disable system restore in XP
Reboot, and after rebooting, enable it again so a new System Restore point will be made. A clean one now! :thumbsup:

To keep this clean in the future, I would suggest the following things:

Install SpywareBlaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls and also prevents the installation of any of them via a web page.

Let your antispyware scanner(s) scan frequently, and don't forget to update them beforehand.

And I do suggest you perform an online virus scan once in a while (Housecall and/or BitDefender), because what one virus scanner can't find, another one maybe can.
Also make sure that your virus scanner, the one that is installed on your system, is always up to date!

Make sure your Windows has the latest updates, so visit http://windowsupdate.microsoft.com/ ASAP to update to SP2.

You can also find more info on how to prevent malware here (by Tony Klein).

Happy surfing again!

Edited by miekiemoes, 30 April 2005 - 12:10 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
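The checks a helper applies by eye to a log like the one in this thread (a startup entry or process launched from a Temp folder, a process name one character off a Windows core binary, an R1 Search Bar or O16 download pointing somewhere other than Microsoft) can be partly automated. The Python script below is an added example for this thread; it is not HijackThis code and not something posted by either participant. Its rules are assumptions: the list of core binaries, the domains an untouched Internet Explorer Search Bar is expected to point at, and the "one edit away from a system process name" lookalike test. The embedded sample mixes O4/O16/O23 lines quoted from the log above with constructed process and R1 lines (the thread's own R1 URL is truncated, so it is not reused).

```python
"""Triage heuristics for HijackThis-style log lines.

Added illustration for this thread. Not HijackThis code; the rules below are
assumptions a reviewer might start from, not a verdict on any single entry.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample input. The O4, O16 and O23 lines are quoted from the log in this thread;
# the "Running processes" lines and the R1 URL are CONSTRUCTED for the example.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchosts.exe
C:\DOCUME~1\User\LOCALS~1\Temp\installer_1001.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://search.example.net/hijacked.html
O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\System32\FirstReboot.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\windows\System32\nvsvc32.exe
"""

# Windows XP core processes that malware likes to imitate with near-identical names.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
# Assumption: a stock IE install's R0/R1 search and start-page entries and
# Microsoft's own O16 downloads live under these domains; anything else gets reviewed.
EXPECTED_DOMAINS = ("microsoft.com", "msn.com")

PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll)", re.IGNORECASE)   # first Windows path on the line
URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - ")                         # HijackThis section prefix


@dataclass
class Finding:
    kind: str     # "temp-path", "lookalike" or "untrusted-host"
    detail: str   # the path, file name or host that triggered the rule
    line: str     # the log line it came from


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; one insert/delete/substitute counts as 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def in_expected_domain(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in EXPECTED_DOMAINS)


def triage(log_text: str) -> list:
    """Return the entries worth a closer look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):          # blank lines and section headers
            continue
        for path in PATH_RE.findall(line):
            low = path.lower()
            name = low.rsplit("\\", 1)[-1]
            if "\\temp\\" in low:                    # anything persisting from a Temp folder
                findings.append(Finding("temp-path", path, line))
            if name not in SYSTEM_BINARIES and any(
                    edit_distance(name, s) == 1 for s in SYSTEM_BINARIES):
                findings.append(Finding("lookalike", name, line))
        m = ENTRY_RE.match(line)
        if m and m.group(1) in ("R0", "R1", "O16"):
            for url in URL_RE.findall(line):
                host = (urlparse(url).hostname or "").lower()
                if not in_expected_domain(host):
                    findings.append(Finding("untrusted-host", host, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}\n    {f.line}")
```

The script deliberately leaves `FirstReboot.exe` under its random-looking `HGTXPEI` key alone: a filename in System32 with a nonsense Run key is suspicious to a human, but no simple rule separates it from legitimate vendor entries, so that judgement stays with the person reading the log. Pass a whole saved HijackThis log to `triage()` to get the same three classes of hits across every section.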

#11 Rammr

Rammr
  • Topic Starter

  • Members
  • 6 posts
  • Local time:12:33 AM

Posted 30 April 2005 - 02:17 PM

OK, I will certainly follow your advice. :thumbsup:


Many thanks / thank you very much! :flowers:

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:07:33 AM

Posted 30 April 2005 - 02:33 PM

You're welcome. :thumbsup:

#13 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:07:33 AM

Posted 30 April 2005 - 05:21 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
an email with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
