Virtumonde And Many Others


11 replies to this topic

#1 sicatrix

sicatrix

  • Members
  • 70 posts

Posted 02 January 2006 - 06:30 AM

Hey, I decided to scan this laptop with all the stuff and found a bunch of virtumonde, a few other things I can't remember offhand, was like trojan something from the scans. I also have problems with my Zone Alarm. After I installed Zone Alarm, it blocked every single online game, or anything that has to connect to something else to go thru the internet. Here is my HijackThis log.

Logfile of HijackThis v1.99.1
Scan saved at 2:25:20 AM, on 1/2/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\sdpasvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0F95EE0-26D4-4010-93CF-9AA4F6E1EC1E}: NameServer = 209.193.4.7 209.193.4.8
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\m6rmlg9116.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsubleepa Electric Industrial Co.,Ltd. - C:\WINDOWS\System32\sdpasvc.exe



#2 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,628 posts
  • Gender:Male

Posted 11 January 2006 - 12:25 PM

Hi sicatrix,

Sorry for the delay, we've really been swamped lately. If you still need help, please start out by posting a new log in this thread. Please describe what you may have done to fix the problem and what is happening with your system now (since you posted your last log).

The thing about people

is they change

when they walk away.--Mipso


#3 sicatrix

sicatrix
  • Topic Starter

  • Members
  • 70 posts

Posted 11 January 2006 - 10:51 PM

Logfile of HijackThis v1.99.1
Scan saved at 6:50:00 PM, on 1/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
Here is my new hijack log. I've been trying to go through the Zone Alarm stuff off their website, but nothing seems to help there. It seemed to block everything pretty good.

MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\WebRebates4\webrebates.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\WebRebates4\w11150.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\sdpasvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_14.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Accoona - {364B6276-C6C1-40B6-A6D7-6C48871FD707} - C:\Program Files\Accoona\atoolbar.dll
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [webrebates] "C:\Program Files\WebRebates4\webrebates.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0F95EE0-26D4-4010-93CF-9AA4F6E1EC1E}: NameServer = 209.193.4.7 209.193.4.8
O18 - Filter: text/html - {03974811-C15F-462c-B6B0-2D2336AA57D0} - (no file)
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\m6rmlg9116.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsubleepa Electric Industrial Co.,Ltd. - C:\WINDOWS\System32\sdpasvc.exe

#4 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,628 posts
  • Gender:Male

Posted 13 January 2006 - 11:42 PM

Hi sicatrix,

Sorry it took so long to get back to you.

Quite a few changes in your log and you have several problems to deal with. Let's deal with New.Net first.

Please download LSP-Fix from the following link and save it to a location you can find later if necessary.

LSP-Fix Download Link

To remove New.net, please go to Add/Remove Programs via your Control Panel, look for and remove New.Net. If you can't find it, then please go here and follow the removal instructions in Procedure 4 at the bottom of the page.

While you are in Add/Remove, also uninstall the following:

Accoona
WebRebates


If you can not connect to the Internet after removing New.net, please run the LSP-Fix program I had you download earlier, and click on the Finish button. Reboot and you should be able to get back on.

Scan again with HijackThis 1.99.1. Put a checkmark by the following entries, double-checking to be sure that only these entries are checked:

O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_14.dll
O2 - BHO: Accoona Search Assistant - {944864A5-3916-46E2-96A9-A2E84F3F1208} - C:\Program Files\Accoona\ASearchAssist.dll
O3 - Toolbar: Accoona - {364B6276-C6C1-40B6-A6D7-6C48871FD707} - C:\Program Files\Accoona\atoolbar.dll
O4 - HKLM\..\Run: [webrebates] "C:\Program Files\WebRebates4\webrebates.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O8 - Extra context menu item: Web Rebates. - file://C:\Program Files\WebRebates4\websrebates\webtrebates\toprC0.htm
O18 - Filter: text/html - {03974811-C15F-462c-B6B0-2D2336AA57D0} - (no file)


Close all other windows--you should only see HijackThis on your Desktop--and then click the "Fix checked" button.

Reboot your computer into Safe Mode and delete the following folders if they exist:

C:\Program Files\NewDotNet
C:\Program Files\Accoona
C:\Program Files\WebRebates4


Reboot back into normal mode.

Download L2mfix from one of these two locations:

http://www.atribune.org/downloads/l2mfix.exe
http://www.downloads.subratam.org/l2mfix.exe

*Save the file to your desktop and double click l2mfix.exe.
*Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop.
*Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

If you receive, while running option #1, an error similar to "C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. Choose close to terminate the application.", then please use option 5 or the web page link in the l2mfix folder to solve this error condition.


Also scan again with HijackThis and post another log.

I'm not sure what's going on with Zone Alarm. Can you be a little more specific what's happening? Are you being asked if you want to block an application first or is it just blocking it? If you can post a link to what you were looking at on their website and how it relates to your problem it might be helpful.

The thing about people

is they change

when they walk away.--Mipso
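
The reply above notes that the second HijackThis log changed considerably from the first. As an added example (not part of the thread and not HijackThis's own code), this Python sketch diffs two logs by entry line and lists entries whose target is gone from disk; the sample logs are abridged from the two logs posted above, and all function names are illustrative.

```python
import re
from collections import Counter

# An entry line starts with a section code (R1, O4, O23, ...) then " - ".
# Header lines and the "Running processes" paths do not match this pattern.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")

# Suffixes HijackThis appends when an entry points at nothing on disk.
ORPHAN_MARKERS = ("(file missing)", "(no file)")

# Abridged from the first log in this thread (1/2/2006).
OLD_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\m6rmlg9116.dll (file missing)
"""

# Abridged from the second log in this thread (1/11/2006).
NEW_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\WebRebates4\webrebates.exe

O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_14.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [webrebates] "C:\Program Files\WebRebates4\webrebates.exe"
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O18 - Filter: text/html - {03974811-C15F-462c-B6B0-2D2336AA57D0} - (no file)
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\m6rmlg9116.dll (file missing)
"""


def _section_key(entry):
    """Sort by section letter, then numerically (O2 < O4 < O10), then text."""
    code, body = entry
    return (code[0], int(code[1:]), body)


def parse_entries(log_text):
    """Count each (code, body) entry line in a log.

    A Counter is used rather than a set because a log can repeat a line
    verbatim (the O10 LSP line appears several times in the second log).
    """
    entries = Counter()
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries[(match.group("code"), match.group("body"))] += 1
    return entries


def diff_logs(old_text, new_text):
    """Return (added, removed) Counters of entries between two logs."""
    old, new = parse_entries(old_text), parse_entries(new_text)
    # Counter subtraction keeps only positive counts, so an entry present
    # in both logs the same number of times drops out of both results.
    return new - old, old - new


def orphaned(entries):
    """Entries whose file is gone: leftovers or half-removed components."""
    return sorted((e for e in entries if e[1].endswith(ORPHAN_MARKERS)),
                  key=_section_key)


def report(old_text, new_text):
    """Build a readable change report as a list of lines."""
    added, removed = diff_logs(old_text, new_text)
    lines = []
    for label, changes in (("+", added), ("-", removed)):
        for entry in sorted(changes, key=_section_key):
            count = changes[entry]
            suffix = f"  (x{count})" if count > 1 else ""
            lines.append(f"{label} {entry[0]} - {entry[1]}{suffix}")
    for code, body in orphaned(parse_entries(new_text)):
        lines.append(f"? {code} - {body}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(OLD_LOG, NEW_LOG)))
```

Lines marked `+` or `-` changed between scans; lines marked `?` are present in the newer log but reference a missing file, so they need a look even when they did not change.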


#5 sicatrix

sicatrix
  • Topic Starter

  • Members
  • 70 posts

Posted 14 January 2006 - 03:27 PM

I tried using the Instant Support at

http://www.zonelabs.com/store/content/supp...=en&lid=ps_zaav

Zone Alarm doesn't even ask if I want to allow or block the games, it just auto blocks every single game or thing that has to log through some kinda server to use. I tried uninstalling Zone Alarm but that didn't do anything.

L2MFIX find log 010406
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Control Panel]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\m6rmlg9116.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wzcnotif]
"DLLName"="wzcdlg.dll"
"Logon"="WZCEventLogon"
"Logoff"="WZCEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000000

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

**********************************************************************************
HKEY ROOT CLASSIDS:
**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
atmtd.dll Thu Nov 3 2005 3:36:10p A.... 687,592 671.48 K
cmdlin~1.dll Tue Dec 27 2005 5:35:52p A.... 43,520 42.50 K
msupda~1.dll Thu Nov 17 2005 8:54:26p A.... 33,280 32.50 K
sporder.dll Mon Jan 2 2006 3:22:04p A.... 8,464 8.27 K
w95inf16.dll Sun Dec 18 2005 8:09:22p A.... 2,272 2.22 K
w95inf32.dll Sun Dec 18 2005 8:09:22p A.... 4,608 4.50 K

6 items found: 6 files, 0 directories.
Total of file sizes: 779,736 bytes 761.46 K
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
mcrh.tmp Thu Nov 24 2005 8:19:28p A.... 195 0.19 K
yadgh.tmp Mon Oct 31 2005 11:25:08p ..SH. 475 0.46 K

2 items found: 2 files (1 H/S), 0 directories.
Total of file sizes: 670 bytes 0.65 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 9C27-04E3

Directory of C:\WINDOWS\System32

01/13/2006 08:07 PM <DIR> dllcache
11/25/2005 05:53 PM 1,174 yadgh.ini2
11/24/2005 08:19 PM 529,372 yadgh.bak2
10/31/2005 11:25 PM 475 yadgh.tmp
10/31/2005 11:24 PM 475 yadgh.ini
10/12/2005 06:12 AM 354,182 yadgh.bak1
02/02/2004 04:28 PM 32 {E5B88C34-75D3-40C1-BA56-253A66328E91}.dat
02/02/2004 04:27 PM 32 {1498CED1-36B1-4274-8981-C1E6C197C4B2}.dat
01/31/2004 11:31 AM <DIR> Microsoft
7 File(s) 885,742 bytes
2 Dir(s) 16,528,986,112 bytes free




Logfile of HijackThis v1.99.1
Scan saved at 11:27:03 AM, on 1/14/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\sdpasvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R3 - URLSearchHook: (no name) - <default> - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0F95EE0-26D4-4010-93CF-9AA4F6E1EC1E}: NameServer = 209.193.4.7 209.193.4.8
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\m6rmlg9116.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsushita Electric Industrial Co.,Ltd. - C:\WINDOWS\System32\sdpasvc.exe

#6 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,628 posts

Posted 14 January 2006 - 10:30 PM

OK, your logs are a little strange, but that's nothing new. We'll work thru it.

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows

I need to get samples of some of your files. Please create a folder called c:\submit. Now copy the following files into that directory:

C:\WINDOWS\SYSTEM32\yadgh.tmp

To copy the files simply navigate to the directory they are in and right click on the file name, and then click Copy. Now go back to the c:\submit folder. Right click the folder and select Paste.

Once the files are all copied zip the folder and rename submit.zip to sicatrix.zip. If you are not sure how to send the files to a zip folder click the following link for a tutorial: How to create and extract a Zip File in Windows ME/XP/2003
How to create and extract a ZIP File in Windows 95/98/2000

When the files are zipped click this link to go to the BC submissions page:
http://www.bleepingcomputer.com/submit-malware.php

1. Fill in the required fields and then click the Browse button.
2. Navigate to sicatrix.zip and click the Send File button.

Download VirtumundoBeGone from:

http://secured2k.home.comcast.net/tools/VirtumundoBeGone.exe

* Save it to your Desktop
* Reboot your system
* Close all running programs (including your Internet Browser)
* Double-click VirtumundoBeGone.exe on the desktop
* Follow the directions as indicated

Please be advised that this program will generate a "BLUE SCREEN OF DEATH"... this is an expected/necessary part of the process, so don't be surprised when it happens.

VirtumundoBeGone generates a "log" file of its own, which it should have placed on your Desktop called VBG.TXT. Please REPLY to this thread, and copy/paste the VirtumundoBeGone log back here together with a new HijackThis log.

Download and install the trial version of Ewido Security Suite.
When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
- Launch Ewido by double-clicking the desktop icon.
- You may get a message that the database could not be found. This is normal-- click the OK button.
- The program will now go to the main screen.
- On the left hand side of the main screen click update.
- Click on Start update.
- The update will start and a progress bar will show the updates being installed.
Once the updates are installed close Ewido.

Download System Security Suite here:
System Security Suite Download. Unzip it to your desktop and install the program. Don't use it yet.


If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Reboot your computer into Safe Mode and do the following:
  • Open ewido and click on scanner
  • Click on Complete System Scan and the scan will begin.
  • NOTE: During some scans with ewido it is finding cases of false positives.**
    • You will need to step through the process of cleaning files one-by-one.
    • If ewido detects a file you KNOW to be legitimate, select none as the action.
    • DO NOT select "Perform action on all infections"
    • If you are unsure of any entry found select none for now.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop.
Now close ewido security suite.

Scan with HijackThis and check the following--don't be concerned if they aren't there as ewido may already have fixed them:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - URLSearchHook: (no name) - <default> - (no file)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\m6rmlg9116.dll (file missing)


Close all other windows--you should only see HijackThis on your Desktop--and then click the "Fix checked" button.

Open Add/Remove Programs and uninstall PartyPoker if found--it may not be bad in itself but even if you installed this yourself it's associated with malware.

Then delete this folder:

C:\Program Files\PartyPoker

* Open System Security Suite.
* In the Items to Clear tab make sure the following are checked:
- Internet Explorer (left pane): Cookies & Temporary files
- My Computer (right pane): Temporary files & Recycle Bin
* Press the Clear Selected Items button.
* Allow it to boot your system back into normal mode.

Perform an online scan with Panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a few minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report.

So I'll need to see these logs in this order:

1. ewido
2. Panda
3. HijackThis.

We'll look into Zone Alarm a little later. Are you running the free version or ZA Pro? Do you know the version and build number?

The thing about people

is they change

when they walk away.--Mipso
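An added example, not part of the post above and not HijackThis's own code: a Python triage of HijackThis 1.99.1 entry lines that flags the same kinds of entries picked out for fixing in that post (search settings set to about:blank, entries whose target is reported as `(no file)` or `(file missing)`, and names on a caller-supplied watchlist). The function names, the `watch` parameter and the flag labels are assumptions of this sketch; the sample lines are copied from the log in this thread.

```python
import re

# HijackThis 1.99.x section codes that occur in the log on this page.
SECTIONS = {
    "R1": "IE search/start page setting",
    "R3": "IE URLSearchHook",
    "O2": "Browser Helper Object",
    "O4": "Run-key autostart",
    "O9": "IE extra button / Tools menu item",
    "O16": "ActiveX control (Downloaded Program Files)",
    "O17": "DNS / domain setting",
    "O20": "Winlogon Notify / AppInit_DLLs",
    "O23": "NT service",
}

# An entry line is "<code> - <detail>"; header and process-list lines do not match.
LINE_RE = re.compile(r"^(?P<code>[RO]\d{1,2}) - (?P<detail>.+)$")
# HijackThis appends these markers when the registry entry points at nothing on disk.
ORPHAN_RE = re.compile(r"\((?:file missing|no file)\)\s*$", re.IGNORECASE)
BLANK_RE = re.compile(r"=\s*about:blank\s*$", re.IGNORECASE)

# Lines copied from the 1/14/2006 log in this thread (not constructed).
SAMPLE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
R3 - URLSearchHook: (no name) - <default> - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O20 - Winlogon Notify: Control Panel - C:\WINDOWS\system32\m6rmlg9116.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
"""


def parse(log_text):
    """Yield (code, detail) for each entry line of a HijackThis log."""
    for raw in log_text.splitlines():
        match = LINE_RE.match(raw.strip())
        if match:
            yield match.group("code"), match.group("detail")


def triage(log_text, watch=()):
    """Return entries worth a manual look, each with the reasons it was flagged.

    A flag is a prompt for review, not a verdict: an orphaned entry can be a
    leftover from an uninstalled program just as well as from removed malware.
    """
    flagged = []
    for code, detail in parse(log_text):
        reasons = []
        if code in ("R0", "R1") and BLANK_RE.search(detail):
            reasons.append("blank-search")
        if ORPHAN_RE.search(detail):
            reasons.append("orphan")
        for name in watch:
            if name.lower() in detail.lower():
                reasons.append("watch:" + name)
        if code not in SECTIONS:
            reasons.append("unknown-section")
        if reasons:
            flagged.append({
                "code": code,
                "section": SECTIONS.get(code, "unknown"),
                "detail": detail,
                "reasons": reasons,
            })
    return flagged


if __name__ == "__main__":
    for item in triage(SAMPLE, watch=("PartyPoker",)):
        print(f'{item["code"]:<4}{", ".join(item["reasons"]):<18}{item["detail"]}')
```

The leftover BitDefender uninstall button is flagged as an orphan too, although the post does not list it for fixing, which shows why the output is a review list and not a fix list.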


#7 sicatrix

sicatrix
  • Topic Starter

  • Members
  • 70 posts

Posted 15 January 2006 - 03:03 PM

It's Zone Alarm Antivirus not free version, I bought it.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 10:35:54 AM, 1/15/2006
+ Report-Checksum: E6CD488E

+ Scan result:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\YourSiteBar -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\YourSiteBar\Historyvariable_search -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\YourSiteBar\Historyvariable_search2 -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\YourSiteBar\Historyvariable_search3 -> Spyware.ISTBar : Error during cleaning
HKLM\SOFTWARE\YourSiteBar\Historyvariable_search4 -> Spyware.ISTBar : Error during cleaning
:mozilla.10:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yzdj20s1.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.12:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yzdj20s1.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yzdj20s1.default\cookies.txt -> Spyware.Cookie.Revenue : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yzdj20s1.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yzdj20s1.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yzdj20s1.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yzdj20s1.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yzdj20s1.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yzdj20s1.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yzdj20s1.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yzdj20s1.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yzdj20s1.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yzdj20s1.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yzdj20s1.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20051117-193608-825.dll -> Logger.Agent.hn : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20051117-212818-284.dll -> Logger.Agent.hn : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20051117-213602-276.dll -> Logger.Agent.hn : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20051117-214011-175.dll -> Logger.Agent.hn : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20051118-150944-385.dll -> Logger.Agent.hn : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20051118-154801-647.dll -> Logger.Agent.hn : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20051118-224418-417.dll -> Logger.Agent.hn : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20051122-124511-246.dll -> Logger.Agent.hn : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20051122-125153-733.dll -> Logger.Agent.hn : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20051122-125751-507.dll -> Logger.Agent.hn : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20051123-170816-671.dll -> Logger.Agent.hn : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20051123-170838-932.dll -> Logger.Agent.hn : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20051123-172658-257.dll -> Logger.Agent.hn : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20051123-172850-915.dll -> Logger.Agent.hn : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20051123-195355-777.dll -> Logger.Agent.hn : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20051123-200249-584.dll -> Logger.Agent.hn : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20051123-200730-530.dll -> Logger.Agent.hn : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20051123-202523-160.dll -> Logger.Agent.hn : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20051124-145332-762.dll -> Logger.Agent.hn : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20051124-145835-836.dll -> Logger.Agent.hn : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20051124-151543-168.dll -> Logger.Agent.hn : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20051124-153421-565.dll -> Logger.Agent.hn : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20051124-155246-623.dll -> Logger.Agent.hn : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20051124-163116-135.dll -> Logger.Agent.hn : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20051124-165308-996.dll -> Logger.Agent.hn : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20051124-165614-941.dll -> Logger.Agent.hn : Cleaned with backup
C:\Documents and Settings\Administrator\Desktop\backups\backup-20051125-073427-865.dll -> Logger.Agent.hn : Cleaned with backup
:mozilla.6:C:\Documents and Settings\billy\Application Data\Mozilla\Firefox\Profiles\yg8rlcyx.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.7:C:\Documents and Settings\billy\Application Data\Mozilla\Firefox\Profiles\yg8rlcyx.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.8:C:\Documents and Settings\billy\Application Data\Mozilla\Firefox\Profiles\yg8rlcyx.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.9:C:\Documents and Settings\billy\Application Data\Mozilla\Firefox\Profiles\yg8rlcyx.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.6:C:\Documents and Settings\demmertb\Application Data\Mozilla\Firefox\Profiles\6qj7ozhl.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.7:C:\Documents and Settings\demmertb\Application Data\Mozilla\Firefox\Profiles\6qj7ozhl.default\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.8:C:\Documents and Settings\demmertb\Application Data\Mozilla\Firefox\Profiles\6qj7ozhl.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.9:C:\Documents and Settings\demmertb\Application Data\Mozilla\Firefox\Profiles\6qj7ozhl.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.10:C:\Documents and Settings\demmertb\Application Data\Mozilla\Firefox\Profiles\6qj7ozhl.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.11:C:\Documents and Settings\demmertb\Application Data\Mozilla\Firefox\Profiles\6qj7ozhl.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Program Files\filesubmit\snowbord.zip\NNWDAC638.EXE -> Spyware.NewDotNet : Cleaned with backup
C:\Program Files\filesubmit\snowbord.zip\VVSNInst.exe -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\26DCFC14-513E-458B-99FE-DACA62\946B9622-7887-40C6-A50D-1D5901 -> Adware.SAHA : Error during cleaning
C:\Program Files\Microsoft AntiSpyware\Quarantine\290664E6-5263-4B15-8A93-D907D5\E1E2CCCE-5BE6-4C16-8BDA-8E9123/clientax.dll -> Spyware.180Solutions : Error during cleaning
C:\Program Files\Microsoft AntiSpyware\Quarantine\290664E6-5263-4B15-8A93-D907D5\E1E2CCCE-5BE6-4C16-8BDA-8E9123/clientax.dll -> Spyware.180Solutions : Error during cleaning
C:\Program Files\Microsoft AntiSpyware\Quarantine\E7C37F64-DF1F-422E-8A3C-77C9B0\0C900916-38BB-45F4-8CB0-941FA2 -> Spyware.180Solutions : Error during cleaning
C:\Program Files\Microsoft AntiSpyware\Quarantine\E7C37F64-DF1F-422E-8A3C-77C9B0\28DB6623-7676-4453-9409-40CF1C -> Spyware.180Solutions : Error during cleaning
C:\Program Files\Microsoft AntiSpyware\Quarantine\E7C37F64-DF1F-422E-8A3C-77C9B0\4845FE8E-199B-44CB-A397-C32A3F -> Spyware.180Solutions : Error during cleaning
C:\Program Files\Microsoft AntiSpyware\Quarantine\E7C37F64-DF1F-422E-8A3C-77C9B0\62A14F23-C29C-4BCD-AFE5-A9D037 -> Spyware.180Solutions : Error during cleaning
C:\Program Files\Microsoft AntiSpyware\Quarantine\E7C37F64-DF1F-422E-8A3C-77C9B0\87370800-376A-4C07-92BA-4114FE -> Spyware.180Solutions : Error during cleaning
C:\Program Files\Microsoft AntiSpyware\Quarantine\E7C37F64-DF1F-422E-8A3C-77C9B0\D1BED3BB-132C-4043-ABC8-E13AC8 -> Spyware.180Solutions : Error during cleaning
C:\Program Files\Microsoft AntiSpyware\Quarantine\E7C37F64-DF1F-422E-8A3C-77C9B0\F160811B-FCDE-4A1B-A249-F3A606 -> Spyware.180Solutions : Error during cleaning
C:\Program Files\Red Storm Entertainment\Rogue Spear\MSN\MsnSetup\msnSetup.exe -> Heuristic.Win32.AVKiller : Cleaned with backup
C:\Program Files\Save -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Save\ACM.dll -> Adware.SaveNow : Cleaned with backup
C:\Program Files\Save\store.db -> Adware.SaveNow : Cleaned with backup
C:\WINDOWS\NDNuninstall6_98.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\NDNuninstall7_14.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\system32\hlwin.dll -> Spyware.Suggestor : Cleaned with backup
C:\WINDOWS\system32\msupdate32.dll -> Downloader.Agent.aab : Cleaned with backup
C:\WINDOWS\Temp\TMP1.tmp\IELower.exe -> Spyware.Hijacker.Generic : Error during cleaning
C:\WINDOWS\Temp\TMP1.tmp\is.exe -> Downloader.ConHook.n : Error during cleaning
C:\WINDOWS\Temp\TMP1.tmp\low.exe -> Trojan.LowZones.c : Error during cleaning
C:\WINDOWS\Temp\TMP1.tmp\mc-110-12-0000169.exe -> Spyware.Maxifiles : Error during cleaning
C:\WINDOWS\Temp\TMP1.tmp\mmxateam.exe -> Downloader.VB.rl : Error during cleaning
C:\WINDOWS\Temp\TMP1.tmp\xe.exe -> Downloader.VB.qr : Error during cleaning
C:\WINDOWS\Temp\TMP10.tmp\IELower.exe -> Spyware.Hijacker.Generic : Error during cleaning
C:\WINDOWS\Temp\TMP10.tmp\is.exe -> Downloader.ConHook.n : Error during cleaning
C:\WINDOWS\Temp\TMP10.tmp\low.exe -> Trojan.LowZones.c : Error during cleaning
C:\WINDOWS\Temp\TMP10.tmp\mc-110-12-0000169.exe -> Spyware.Maxifiles : Error during cleaning
C:\WINDOWS\Temp\TMP10.tmp\mmxateam.exe -> Downloader.VB.rl : Error during cleaning
C:\WINDOWS\Temp\TMP10.tmp\xe.exe -> Downloader.VB.qr : Error during cleaning
C:\WINDOWS\Temp\TMP11.tmp\IELower.exe -> Spyware.Hijacker.Generic : Error during cleaning
C:\WINDOWS\Temp\TMP11.tmp\is.exe -> Downloader.ConHook.n : Error during cleaning
C:\WINDOWS\Temp\TMP11.tmp\low.exe -> Trojan.LowZones.c : Error during cleaning
C:\WINDOWS\Temp\TMP11.tmp\mc-110-12-0000169.exe -> Spyware.Maxifiles : Error during cleaning
C:\WINDOWS\Temp\TMP11.tmp\mmxateam.exe -> Downloader.VB.rl : Error during cleaning
C:\WINDOWS\Temp\TMP11.tmp\xe.exe -> Downloader.VB.qr : Error during cleaning
C:\WINDOWS\Temp\TMP12.tmp\IELower.exe -> Spyware.Hijacker.Generic : Error during cleaning
C:\WINDOWS\Temp\TMP12.tmp\is.exe -> Downloader.ConHook.n : Error during cleaning
C:\WINDOWS\Temp\TMP12.tmp\low.exe -> Trojan.LowZones.c : Error during cleaning
C:\WINDOWS\Temp\TMP12.tmp\mc-110-12-0000169.exe -> Spyware.Maxifiles : Error during cleaning
C:\WINDOWS\Temp\TMP12.tmp\mmxateam.exe -> Downloader.VB.rl : Error during cleaning
C:\WINDOWS\Temp\TMP12.tmp\xe.exe -> Downloader.VB.qr : Error during cleaning
C:\WINDOWS\Temp\TMP13.tmp\IELower.exe -> Spyware.Hijacker.Generic : Error during cleaning
C:\WINDOWS\Temp\TMP13.tmp\is.exe -> Downloader.ConHook.n : Error during cleaning
C:\WINDOWS\Temp\TMP13.tmp\low.exe -> Trojan.LowZones.c : Error during cleaning
C:\WINDOWS\Temp\TMP13.tmp\mc-110-12-0000169.exe -> Spyware.Maxifiles : Error during cleaning
C:\WINDOWS\Temp\TMP13.tmp\mmxateam.exe -> Downloader.VB.rl : Error during cleaning
C:\WINDOWS\Temp\TMP13.tmp\xe.exe -> Downloader.VB.qr : Error during cleaning
C:\WINDOWS\Temp\TMP14.tmp\IELower.exe -> Spyware.Hijacker.Generic : Error during cleaning
C:\WINDOWS\Temp\TMP14.tmp\is.exe -> Downloader.ConHook.n : Error during cleaning
C:\WINDOWS\Temp\TMP14.tmp\low.exe -> Trojan.LowZones.c : Error during cleaning
C:\WINDOWS\Temp\TMP14.tmp\mc-110-12-0000169.exe -> Spyware.Maxifiles : Error during cleaning
C:\WINDOWS\Temp\TMP14.tmp\mmxateam.exe -> Downloader.VB.rl : Error during cleaning
C:\WINDOWS\Temp\TMP14.tmp\xe.exe -> Downloader.VB.qr : Error during cleaning
C:\WINDOWS\Temp\TMP15.tmp\IELower.exe -> Spyware.Hijacker.Generic : Error during cleaning
C:\WINDOWS\Temp\TMP15.tmp\is.exe -> Downloader.ConHook.n : Error during cleaning
C:\WINDOWS\Temp\TMP15.tmp\low.exe -> Trojan.LowZones.c : Error during cleaning
C:\WINDOWS\Temp\TMP15.tmp\mc-110-12-0000169.exe -> Spyware.Maxifiles : Error during cleaning
C:\WINDOWS\Temp\TMP15.tmp\mmxateam.exe -> Downloader.VB.rl : Error during cleaning
C:\WINDOWS\Temp\TMP15.tmp\xe.exe -> Downloader.VB.qr : Error during cleaning
C:\WINDOWS\Temp\TMP16.tmp\IELower.exe -> Spyware.Hijacker.Generic : Error during cleaning
C:\WINDOWS\Temp\TMP16.tmp\is.exe -> Downloader.ConHook.n : Error during cleaning
C:\WINDOWS\Temp\TMP16.tmp\low.exe -> Trojan.LowZones.c : Error during cleaning
C:\WINDOWS\Temp\TMP16.tmp\mc-110-12-0000169.exe -> Spyware.Maxifiles : Error during cleaning
C:\WINDOWS\Temp\TMP16.tmp\mmxateam.exe -> Downloader.VB.rl : Error during cleaning
C:\WINDOWS\Temp\TMP16.tmp\xe.exe -> Downloader.VB.qr : Error during cleaning
C:\WINDOWS\Temp\TMP17.tmp\IELower.exe -> Spyware.Hijacker.Generic : Error during cleaning
C:\WINDOWS\Temp\TMP17.tmp\is.exe -> Downloader.ConHook.n : Error during cleaning
C:\WINDOWS\Temp\TMP17.tmp\low.exe -> Trojan.LowZones.c : Error during cleaning
C:\WINDOWS\Temp\TMP17.tmp\mc-110-12-0000169.exe -> Spyware.Maxifiles : Error during cleaning
C:\WINDOWS\Temp\TMP17.tmp\mmxateam.exe -> Downloader.VB.rl : Error during cleaning
C:\WINDOWS\Temp\TMP17.tmp\xe.exe -> Downloader.VB.qr : Error during cleaning
C:\WINDOWS\Temp\TMP18.tmp\IELower.exe -> Spyware.Hijacker.Generic : Error during cleaning
C:\WINDOWS\Temp\TMP18.tmp\is.exe -> Downloader.ConHook.n : Error during cleaning
C:\WINDOWS\Temp\TMP18.tmp\low.exe -> Trojan.LowZones.c : Error during cleaning
C:\WINDOWS\Temp\TMP18.tmp\mc-110-12-0000169.exe -> Spyware.Maxifiles : Error during cleaning
C:\WINDOWS\Temp\TMP18.tmp\mmxateam.exe -> Downloader.VB.rl : Error during cleaning


::Report End




Incident Status Location

Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yzdj20s1.default\cookies.txt[]
Adware:Adware/StartPage.AIW Not disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051117-193608-825.dll
Adware:Adware/StartPage.AIW Not disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051117-212818-284.dll
Adware:Adware/StartPage.AIW Not disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051117-213602-276.dll
Adware:Adware/StartPage.AIW Not disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051117-214011-175.dll
Adware:Adware/StartPage.A

#8 Papakid

  • Malware Response Team

Posted 15 January 2006 - 03:32 PM

A HJT log too, please.

Also your Panda scan seems to have gotten cut off. The length of each post is limited, so when that happens, click the Add Reply button again and continue--we need to see all the information.

The thing about people

is they change

when they walk away.--Mipso


#9 sicatrix

  • Topic Starter


Posted 15 January 2006 - 05:35 PM

Logfile of HijackThis v1.99.1
Scan saved at 1:33:45 PM, on 1/15/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton Internet Security\NISUM.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\Program Files\Norton Internet Security\ccPxySvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\sdpasvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis1991.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\RunOnce: [Panda_cleaner_221603] C:\WINDOWS\System32\ActiveScan\pavdr.exe 221603
O4 - HKLM\..\RunOnce: [Panda_cleaner_229034] C:\WINDOWS\System32\ActiveScan\pavdr.exe 229034
O4 - HKLM\..\RunOnce: [Panda_cleaner_218809] C:\WINDOWS\System32\ActiveScan\pavdr.exe 218809
O4 - HKLM\..\RunOnce: [Panda_cleaner_221617] C:\WINDOWS\System32\ActiveScan\pavdr.exe 221617
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0F95EE0-26D4-4010-93CF-9AA4F6E1EC1E}: NameServer = 209.193.4.7 209.193.4.8
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SDPAUMS server service (SDPASVC) - Matsubleepa Electric Industrial Co.,Ltd. - C:\WINDOWS\System32\sdpasvc.exe


Incident Status Location

Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\yzdj20s1.default\cookies.txt[]
Adware:Adware/StartPage.AIW Not disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051117-193608-825.dll
Adware:Adware/StartPage.AIW Not disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051117-212818-284.dll
Adware:Adware/StartPage.AIW Not disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051117-213602-276.dll
Adware:Adware/StartPage.AIW Not disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051117-214011-175.dll
Adware:Adware/StartPage.AIW Not disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051118-150944-385.dll
Adware:Adware/StartPage.AIW Not disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051118-154801-647.dll
Adware:Adware/StartPage.AIW Not disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051118-224418-417.dll
Adware:Adware/StartPage.AIW Not disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051122-124511-246.dll
Adware:Adware/StartPage.AIW Not disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051122-125153-733.dll
Adware:Adware/StartPage.AIW Not disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051122-125751-507.dll
Adware:Adware/StartPage.AIW Not disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051123-170816-671.dll
Adware:Adware/StartPage.AIW Not disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051123-170838-932.dll
Adware:Adware/StartPage.AIW Not disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051123-172658-257.dll
Adware:Adware/StartPage.AIW Not disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051123-172850-915.dll
Adware:Adware/StartPage.AIW Not disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051123-195355-777.dll
Adware:Adware/StartPage.AIW Not disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051123-200249-584.dll
Adware:Adware/StartPage.AIW Not disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051123-200730-530.dll
Adware:Adware/StartPage.AIW Not disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051123-202523-160.dll
Adware:Adware/StartPage.AIW Not disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051124-145332-762.dll
Adware:Adware/StartPage.AIW Not disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051124-145835-836.dll
Adware:Adware/StartPage.AIW Not disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051124-151543-168.dll
Adware:Adware/StartPage.AIW Not disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051124-153421-565.dll
Adware:Adware/StartPage.AIW Not disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051124-155246-623.dll
Adware:Adware/StartPage.AIW Not disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051124-163116-135.dll
Adware:Adware/StartPage.AIW Not disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051124-165308-996.dll
Adware:Adware/StartPage.AIW Not disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051124-165614-941.dll
Adware:Adware/StartPage.AIW Not disinfected C:\Documents and Settings\Administrator\Desktop\backups\backup-20051125-073427-865.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\Desktop\l2mfix\Process.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Administrator\Desktop\l2mfix.exe[Process.exe]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\billy\Application Data\Mozilla\Firefox\Profiles\yg8rlcyx.default\cookies.txt[]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\demmertb\Application Data\Mozilla\Firefox\Profiles\6qj7ozhl.default\cookies.txt[]
Security Risk:HackTool/Gendel.A Not disinfected C:\gendel32.exe
Spyware:Spyware/Smitfraud Not disinfected C:\ntkernel.exe
Spyware:Spyware/New.net Not disinfected C:\Program Files\filesubmit\snowbord.zip\NNWDAC638.EXE
Adware:Adware/ClockSync Not disinfected C:\Program Files\filesubmit\snowbord.zip\VVSNInst.exe
Spyware:Spyware/LinkReplacer Not disinfected C:\Program Files\Hyperlinker\uninst.exe
Adware:Adware/SAHAgent Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\26DCFC14-513E-458B-99FE-DACA62\946B9622-7887-40C6-A50D-1D5901
Adware:Adware/nCase Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\290664E6-5263-4B15-8A93-D907D5\E1E2CCCE-5BE6-4C16-8BDA-8E9123
Adware:Adware/nCase Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E7C37F64-DF1F-422E-8A3C-77C9B0\0C900916-38BB-45F4-8CB0-941FA2
Adware:Adware/nCase Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E7C37F64-DF1F-422E-8A3C-77C9B0\28DB6623-7676-4453-9409-40CF1C
Adware:Adware/nCase Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E7C37F64-DF1F-422E-8A3C-77C9B0\4845FE8E-199B-44CB-A397-C32A3F
Adware:Adware/nCase Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E7C37F64-DF1F-422E-8A3C-77C9B0\62A14F23-C29C-4BCD-AFE5-A9D037
Adware:Adware/nCase Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E7C37F64-DF1F-422E-8A3C-77C9B0\87370800-376A-4C07-92BA-4114FE
Adware:Adware/nCase Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E7C37F64-DF1F-422E-8A3C-77C9B0\D1BED3BB-132C-4043-ABC8-E13AC8
Adware:Adware/nCase Not disinfected C:\Program Files\Microsoft AntiSpyware\Quarantine\E7C37F64-DF1F-422E-8A3C-77C9B0\F160811B-FCDE-4A1B-A249-F3A606
Adware:Adware/SaveNow Not disinfected C:\Program Files\Save\ACM.dll
Adware:Adware/ActivShopper Not disinfected C:\Program Files\TBONAS\TBONcomp.dll
Adware:adware/secure32 Not disinfected C:\secure32.html
Adware:Adware/Ucmore Not disinfected C:\UCmore - The Search Accelerator\How To Uninstall.lnk
Adware:Adware/Ucmore Not disinfected C:\UCmore - The Search Accelerator\UCmore Tour.lnk
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\drsmartload.dat
Spyware:Spyware/New.net Not disinfected C:\WINDOWS\NDNuninstall6_98.exe
Spyware:spyware/new.net Not disinfected C:\WINDOWS\NDNuninstall7_14.exe
Adware:adware/commad Not disinfected C:\WINDOWS\system32\atmtd.dll
Spyware:Spyware/LinkReplacer Not disinfected C:\WINDOWS\system32\hlwin.dll
Spyware:Spyware/LinkReplacer Not disinfected C:\WINDOWS\system32\PreUninstallHL.exe
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Adware:adware/popupsandbanners Not disinfected C:\WINDOWS\teller2.chk
Virus:Trj/Lowzones.JX Disinfected C:\WINDOWS\Temp\TMP1.tmp\IELower.exe
Virus:Trj/Downloader.GMP Disinfected C:\WINDOWS\Temp\TMP1.tmp\is.exe
Virus:Trj/Downloader.TA Disinfected C:\WINDOWS\Temp\TMP1.tmp\low.exe
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\Temp\TMP1.tmp\mc-110-12-0000169.exe
Virus:Trj/Downloader.CIM Disinfected C:\WINDOWS\Temp\TMP1.tmp\mmxateam.exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\Temp\TMP1.tmp\xe.exe
Virus:Trj/Lowzones.JX Disinfected C:\WINDOWS\Temp\TMP10.tmp\IELower.exe
Virus:Trj/Downloader.GMP Disinfected C:\WINDOWS\Temp\TMP10.tmp\is.exe
Virus:Trj/Downloader.TA Disinfected C:\WINDOWS\Temp\TMP10.tmp\low.exe
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\Temp\TMP10.tmp\mc-110-12-0000169.exe
Virus:Trj/Downloader.CIM Disinfected C:\WINDOWS\Temp\TMP10.tmp\mmxateam.exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\Temp\TMP10.tmp\xe.exe
Virus:Trj/Lowzones.JX Disinfected C:\WINDOWS\Temp\TMP11.tmp\IELower.exe
Virus:Trj/Downloader.GMP Disinfected C:\WINDOWS\Temp\TMP11.tmp\is.exe
Virus:Trj/Downloader.TA Disinfected C:\WINDOWS\Temp\TMP11.tmp\low.exe
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\Temp\TMP11.tmp\mc-110-12-0000169.exe
Virus:Trj/Downloader.CIM Disinfected C:\WINDOWS\Temp\TMP11.tmp\mmxateam.exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\Temp\TMP11.tmp\xe.exe
Virus:Trj/Lowzones.JX Disinfected C:\WINDOWS\Temp\TMP12.tmp\IELower.exe
Virus:Trj/Downloader.GMP Disinfected C:\WINDOWS\Temp\TMP12.tmp\is.exe
Virus:Trj/Downloader.TA Disinfected C:\WINDOWS\Temp\TMP12.tmp\low.exe
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\Temp\TMP12.tmp\mc-110-12-0000169.exe
Virus:Trj/Downloader.CIM Disinfected C:\WINDOWS\Temp\TMP12.tmp\mmxateam.exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\Temp\TMP12.tmp\xe.exe
Virus:Trj/Lowzones.JX Disinfected C:\WINDOWS\Temp\TMP13.tmp\IELower.exe
Virus:Trj/Downloader.GMP Disinfected C:\WINDOWS\Temp\TMP13.tmp\is.exe
Virus:Trj/Downloader.TA Disinfected C:\WINDOWS\Temp\TMP13.tmp\low.exe
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\Temp\TMP13.tmp\mc-110-12-0000169.exe
Virus:Trj/Downloader.CIM Disinfected C:\WINDOWS\Temp\TMP13.tmp\mmxateam.exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\Temp\TMP13.tmp\xe.exe
Virus:Trj/Lowzones.JX Disinfected C:\WINDOWS\Temp\TMP14.tmp\IELower.exe
Virus:Trj/Downloader.GMP Disinfected C:\WINDOWS\Temp\TMP14.tmp\is.exe
Virus:Trj/Downloader.TA Disinfected C:\WINDOWS\Temp\TMP14.tmp\low.exe
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\Temp\TMP14.tmp\mc-110-12-0000169.exe
Virus:Trj/Downloader.CIM Disinfected C:\WINDOWS\Temp\TMP14.tmp\mmxateam.exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\Temp\TMP14.tmp\xe.exe
Virus:Trj/Lowzones.JX Disinfected C:\WINDOWS\Temp\TMP15.tmp\IELower.exe
Virus:Trj/Downloader.GMP Disinfected C:\WINDOWS\Temp\TMP15.tmp\is.exe
Virus:Trj/Downloader.TA Disinfected C:\WINDOWS\Temp\TMP15.tmp\low.exe
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\Temp\TMP15.tmp\mc-110-12-0000169.exe
Virus:Trj/Downloader.CIM Disinfected C:\WINDOWS\Temp\TMP15.tmp\mmxateam.exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\Temp\TMP15.tmp\xe.exe
Virus:Trj/Lowzones.JX Disinfected C:\WINDOWS\Temp\TMP16.tmp\IELower.exe
Virus:Trj/Downloader.GMP Disinfected C:\WINDOWS\Temp\TMP16.tmp\is.exe
Virus:Trj/Downloader.TA Disinfected C:\WINDOWS\Temp\TMP16.tmp\low.exe
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\Temp\TMP16.tmp\mc-110-12-0000169.exe
Virus:Trj/Downloader.CIM Disinfected C:\WINDOWS\Temp\TMP16.tmp\mmxateam.exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\Temp\TMP16.tmp\xe.exe
Virus:Trj/Lowzones.JX Disinfected C:\WINDOWS\Temp\TMP17.tmp\IELower.exe
Virus:Trj/Downloader.GMP Disinfected C:\WINDOWS\Temp\TMP17.tmp\is.exe
Virus:Trj/Downloader.TA Disinfected C:\WINDOWS\Temp\TMP17.tmp\low.exe
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\Temp\TMP17.tmp\mc-110-12-0000169.exe
Virus:Trj/Downloader.CIM Disinfected C:\WINDOWS\Temp\TMP17.tmp\mmxateam.exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\Temp\TMP17.tmp\xe.exe
Virus:Trj/Lowzones.JX Disinfected C:\WINDOWS\Temp\TMP18.tmp\IELower.exe
Virus:Trj/Downloader.GMP Disinfected C:\WINDOWS\Temp\TMP18.tmp\is.exe
Virus:Trj/Downloader.TA Disinfected C:\WINDOWS\Temp\TMP18.tmp\low.exe
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\Temp\TMP18.tmp\mc-110-12-0000169.exe
Virus:Trj/Downloader.CIM Disinfected C:\WINDOWS\Temp\TMP18.tmp\mmxateam.exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\Temp\TMP18.tmp\xe.exe
Virus:Trj/Lowzones.JX Disinfected C:\WINDOWS\Temp\TMP19.tmp\IELower.exe
Virus:Trj/Downloader.GMP Disinfected C:\WINDOWS\Temp\TMP19.tmp\is.exe
Virus:Trj/Downloader.TA Disinfected C:\WINDOWS\Temp\TMP19.tmp\low.exe
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\Temp\TMP19.tmp\mc-110-12-0000169.exe
Virus:Trj/Downloader.CIM Disinfected C:\WINDOWS\Temp\TMP19.tmp\mmxateam.exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\Temp\TMP19.tmp\xe.exe
Virus:Trj/Lowzones.JX Disinfected C:\WINDOWS\Temp\TMP1A.tmp\IELower.exe
Virus:Trj/Downloader.GMP Disinfected C:\WINDOWS\Temp\TMP1A.tmp\is.exe
Virus:Trj/Downloader.TA Disinfected C:\WINDOWS\Temp\TMP1A.tmp\low.exe
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\Temp\TMP1A.tmp\mc-110-12-0000169.exe
Virus:Trj/Downloader.CIM Disinfected C:\WINDOWS\Temp\TMP1A.tmp\mmxateam.exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\Temp\TMP1A.tmp\xe.exe
Virus:Trj/Lowzones.JX Disinfected C:\WINDOWS\Temp\TMP1B.tmp\IELower.exe
Virus:Trj/Downloader.GMP Disinfected C:\WINDOWS\Temp\TMP1B.tmp\is.exe
Virus:Trj/Downloader.TA Disinfected C:\WINDOWS\Temp\TMP1B.tmp\low.exe
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\Temp\TMP1B.tmp\mc-110-12-0000169.exe
Virus:Trj/Downloader.CIM Disinfected C:\WINDOWS\Temp\TMP1B.tmp\mmxateam.exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\Temp\TMP1B.tmp\xe.exe
Virus:Trj/Lowzones.JX Disinfected C:\WINDOWS\Temp\TMP1C.tmp\IELower.exe
Virus:Trj/Downloader.GMP Disinfected C:\WINDOWS\Temp\TMP1C.tmp\is.exe
Virus:Trj/Downloader.TA Disinfected C:\WINDOWS\Temp\TMP1C.tmp\low.exe
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\Temp\TMP1C.tmp\mc-110-12-0000169.exe
Virus:Trj/Downloader.CIM Disinfected C:\WINDOWS\Temp\TMP1C.tmp\mmxateam.exe
Adware:Adware/DollarRevenue Not disinfected C:\WINDOWS\Temp\TMP1C.tmp\xe.exe
Virus:Trj/Lowzones.JX Disinfected C:\WINDOWS\Temp\TMP1D.tmp\IELower.exe
Virus:Trj/Downloader.GMP Disinfected C:\WINDOWS\Temp\TMP1D.tmp\is.exe
Virus:Trj/Downloader.TA Disinfected C:\WINDOWS\Temp\TMP1D.tmp\low.exe
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\Temp\TMP1D.tmp\mc-110-12-0000169.exe
Virus:Trj/Downloader.CIM Disinfected C:\WINDOWS\Temp\TMP1D.tmp\mmxateam.exe

#10 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,628 posts

Posted 15 January 2006 - 10:53 PM

Wow, such a mess. Sorry to do this to you, but there was another log I wanted to see but didn't put it in the list at the bottom of my post. I need to see the VBG.TXT file from VirtumundoBeGone.

Also a log from the following:

Download and save Blacklight to your desktop.
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
*Double-click blbeta.exe then accept the agreement.
*Leave [X]scan through windows explorer checked,
*Click Scan then Next.
*When the scan is complete you'll see a list of all items found. Don't choose rename yet! I want to see the log first, because legit items such as "wbemtest.exe" can also be present.
*There will be also a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers).

It's Zone Alarm Antivirus not free version, I bought it.

OK, so did you have the antivirus part of the program enabled? I think it's possible to just install the firewall, and you already have an antivirus on your system. Or has your prescription for Norton expired? Running two antivirus is not recommended as they can conflict and actually reduce your security. A clash with Norton may be the problem.



#11 sicatrix

sicatrix
  • Topic Starter

  • Members
  • 70 posts

Posted 16 January 2006 - 03:42 AM

I didn't have the Antivirus enabled, and my Norton was expired. I couldn't turn it on because of my Nortons installed. I just used the firewall with Antivirus pretty much.

I also ended up with a new question about my video card. My video card driver is out of date, I guess, and I can't figure out how to get an updated version. Should I just try and get this off a new post?

01/15/06 23:36:21 [Info]: BlackLight Engine 1.0.30 initialized
01/15/06 23:36:21 [Info]: OS: 5.1 build 2600 (Service Pack 1)
01/15/06 23:36:21 [Note]: 7019 4
01/15/06 23:36:21 [Note]: 7005 0
01/15/06 23:37:50 [Note]: 7006 0
01/15/06 23:37:50 [Note]: 7011 1792
01/15/06 23:37:50 [Note]: FSRAW library version 1.7.1014
01/15/06 23:40:09 [Note]: 7007 0



[01/14/2006, 21:18:10] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Administrator\Desktop\VirtumundoBeGone.exe" )
[01/14/2006, 21:18:18] - Detected System Information:
[01/14/2006, 21:18:18] - Windows Version: 5.1.2600, Service Pack 1
[01/14/2006, 21:18:18] - Current Username: Administrator (Admin)
[01/14/2006, 21:18:18] - Windows is in SAFE mode with Networking.
[01/14/2006, 21:18:18] - Searching for Browser Helper Objects:
[01/14/2006, 21:18:18] - BHO 1: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[01/14/2006, 21:18:18] - Finished Searching Browser Helper Objects
[01/14/2006, 21:18:18] - Finishing up...
[01/14/2006, 21:18:18] - Nothing found! Exiting...

#12 Papakid

Papakid

    Guru at being a Newbie


  • Malware Response Team
  • 6,628 posts

Posted 16 January 2006 - 11:06 AM

The video card driver problem will probably need to be covered in the hardware forum if it's unrelated to your malware problem, which still remains to be seen. It's still unclear if the ZoneAlarm problem is related or not also. We need to get you cleaned up some before we'll know better about that.

I get the feeling your PC may be too far gone since you haven't been running an up to date resident antivirus for a while. We can try to clean it but you should back up any important data on this machine and consider a reformat. We'll give a shot at cleaning up, but either way is going to be time consuming for you.

One thing for sure is you don't need to be on the internet without a good resident antivirus and firewall and if Norton has expired it isn't doing you much good. Since you've purchased ZA Antivirus you should use it in place of Norton--if we can get it straightened out. In my next post I'll help you get Norton uninstalled--you pretty much need to use a removal tool for it now. But I need to know what version of Norton you are running so we can use the right tool. Look in your Add/Remove programs for the exact title--Norton Internet security, Norton 2003, etc., and right click on the icon in your system tray--there should be an about in the menu that will give you the exact version. Post that back here please.

And if you would like to try another antivirus, either freeware or commercial, let me know that also.

Also I don't usually see this in logs:

O4 - HKLM\..\RunOnce: [Panda_cleaner_229034] C:\WINDOWS\System32\ActiveScan\pavdr.exe 229034

Did you download any program from Panda other than the ActiveX control?

For now let's try this to clean up some.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Download the trial link under "Try Spy Sweeper for Free" to download the program. NOTE: DO NOT click any Free Spyware Scan link and let me know if you can't find the free trial.
  • Install it.
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
Then reboot your computer - IMPORTANT
Then post a new HJT log.

If you have any problems with SpySweeper in normal mode, try it in safe mode *WITHOUT networking*.

Then Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run. It won't clean, but is thorough in its detections so we know what else needs to be done.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

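The RunOnce observation in the post above can be checked mechanically. The following is an added example, not part of the original thread or of any tool mentioned in it: a small Python parser over lines copied from the HijackThis log in post #9 that counts entries per section, groups RunOnce autoruns by target executable, and lists entries marked "(file missing)". The function names and the executable-splitting heuristic are assumptions of this example.

```python
import re
from collections import defaultdict

# Subset of lines copied from the HijackThis log in post #9 of this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\RunOnce: [Panda_cleaner_221603] C:\WINDOWS\System32\ActiveScan\pavdr.exe 221603
O4 - HKLM\..\RunOnce: [Panda_cleaner_229034] C:\WINDOWS\System32\ActiveScan\pavdr.exe 229034
O4 - HKLM\..\RunOnce: [Panda_cleaner_218809] C:\WINDOWS\System32\ActiveScan\pavdr.exe 218809
O4 - HKLM\..\RunOnce: [Panda_cleaner_221617] C:\WINDOWS\System32\ActiveScan\pavdr.exe 221617
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{D0F95EE0-26D4-4010-93CF-9AA4F6E1EC1E}: NameServer = 209.193.4.7 209.193.4.8
"""

# "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Body of an O4 registry autorun: hive\..\key: [value name] command line
O4_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): "
    r"\[(?P<name>[^\]]+)\] (?P<command>.+)$"
)
# Quoted path, or everything up to the first ".exe" (paths may contain spaces).
EXE_RE = re.compile(r'^"([^"]+)"|^(.+?\.exe)\b', re.IGNORECASE)


def parse_entries(text):
    """Return (section_code, body) for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def executable_of(command):
    """Best-effort split of an autorun command line into its executable path."""
    m = EXE_RE.match(command)
    if not m:
        return command.lower()
    return (m.group(1) or m.group(2)).lower()


def triage(text):
    """Summarise the parts of the log a reviewer would look at first."""
    report = {
        "sections": defaultdict(int),   # number of entries per section code
        "run_once": defaultdict(list),  # executable -> RunOnce value names
        "file_missing": [],             # entries whose target file is gone
    }
    for code, body in parse_entries(text):
        report["sections"][code] += 1
        if body.endswith("(file missing)"):
            report["file_missing"].append((code, body))
        if code == "O4":
            m = O4_RE.match(body)
            if m and m.group("key").lower() == "runonce":
                exe = executable_of(m.group("command"))
                report["run_once"][exe].append(m.group("name"))
    return report


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("entries per section:", dict(result["sections"]))
    for exe, names in result["run_once"].items():
        print(f"RunOnce x{len(names)} -> {exe}: {', '.join(names)}")
    for code, body in result["file_missing"]:
        print("orphaned entry:", code, body)
```
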




