10 replies to this topic

#1 bona


Posted 04 February 2006 - 05:20 PM

Basically a non-stop barrage of popups when browsing, and I am not able to access the Display Properties window through right-clicking the desktop. Any help would be appreciated.

Logfile of HijackThis v1.99.1
Scan saved at 5:09:32 PM, on 2/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\Che4e8Q.exe
C:\WINDOWS\system32\Hcj2t6.exe
C:\Documents and Settings\Cat\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.huskymail.uconn.edu/?user=cdf03002
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [2LRX2W83X2T3MQ] C:\WINDOWS\System32\RmtQCB55.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Sxbb] C:\WINDOWS\Csgzam.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus C60 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\system32\E_S3D7.tmp"
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Coupons - file://C:\Program Files\couponsandoffers\System\Temp\couponsandoffers_script0.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - { - (no file) (HKCU)
O9 - Extra button: (no name) - {7F24 - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00 - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00- - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-D - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DA - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6 - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6- - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5- - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AA - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8 - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8- - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-00 - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-0001 - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-00010 - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-0001028D - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-0001028DF - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-0001028DF1 - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-0001028DF1B - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-0001028DF1BC - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-0001028DF1BC} - (no file) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vs...03C00/setup.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

#2 MFDnSC


Posted 05 February 2006 - 09:52 PM

Go here http://www.thespykiller.co.uk/ and click on Downloads to get the peper trojan uninstaller.

Run the peper fix - Just click on the uninst.exe and let it run. When it is finished it will just close. There will be no dialogue. Also you must be connected to the internet for the uninstaller to be effective.

Boot

Go to the link below and download the trial version of SpySweeper:

SpySweeper http://www.webroot.com/consumer/products/s...&rc=4129&ac=tsg

* Click the Free Trial link under "SpySweeper" to download the program.
* Install it. Once the program is installed, it will open.
* It will prompt you to update to the latest definitions, click Yes.
* Once the definitions are installed, click Options on the left side.
* Click the Sweep Options tab.
* Under What to Sweep please put a check next to the following:
o Sweep Memory
o Sweep Registry
o Sweep Cookies
o Sweep All User Accounts
o Enable Direct Disk Sweeping
o Sweep Contents of Compressed Files
o Sweep for Rootkits

o Please UNCHECK Do not Sweep System Restore Folder.

* Click Sweep Now on the left side.
* Click the Start button.
* When it's done scanning, click the Next button.
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click Session Log in the upper right corner, copy everything in that window.
* Click the Summary tab and click Finish.
* Paste the contents of the session log you copied into your next reply.
Also post a new Hijack This log.
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#3 bona


Posted 05 February 2006 - 10:51 PM

Thanks for the prompt reply. Here is the new HijackThis log and the Spy Sweeper log. Also, I still cannot make the Display Properties window come up from the right-click menu.

Logfile of HijackThis v1.99.1
Scan saved at 10:43:20 PM, on 2/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Documents and Settings\Cat\Desktop\HJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.huskymail.uconn.edu/?user=cdf03002
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Sxbb] C:\WINDOWS\Csgzam.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus C60 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\system32\E_S3D7.tmp"
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - { - (no file) (HKCU)
O9 - Extra button: (no name) - {7F24 - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00 - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00- - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-D - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DA - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6 - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6- - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5- - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AA - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8 - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8- - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-00 - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-0001 - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-00010 - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-0001028D - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-0001028DF - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-0001028DF1 - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-0001028DF1B - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-0001028DF1BC - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-0001028DF1BC} - (no file) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vs...03C00/setup.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

Here is the Spy Sweeper log:

********
10:12 PM: | Start of Session, Sunday, February 05, 2006 |
10:12 PM: Spy Sweeper started
10:12 PM: Sweep initiated using definitions version 611
10:12 PM: Starting Memory Sweep
10:15 PM: Memory Sweep Complete, Elapsed Time: 00:02:37
10:15 PM: Starting Registry Sweep
10:15 PM: Found Adware: altnet
10:15 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\system32\admdata.dll (ID = 103521)
10:15 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\system32\admdloader.dll (ID = 103522)
10:15 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\system32\admfdi.dll (ID = 103523)
10:15 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\system32\admprog.dll (ID = 103524)
10:15 PM: Found Adware: exact cashback/bargain buddy
10:15 PM: HKLM\software\microsoft\windows\currentversion\app management\arpcache\bargain buddy\ (2 subtraces) (ID = 104023)
10:15 PM: Found Adware: browseraid
10:15 PM: HKCR\appid\{87690003-2714-45e7-8a1b-dc0658de778c}\ (1 subtraces) (ID = 105031)
10:15 PM: HKCR\interface\{f8d96098-e9f7-42e1-88f3-a3719d70ea8d}\ (8 subtraces) (ID = 105074)
10:15 PM: Found Adware: isearch toolbar
10:15 PM: HKU\.default\software\microsoft\internet explorer\extensions\cmdmapping\ || {1a00c40b-da85-4aa3-a67f-582d9347eecd} (ID = 129018)
10:15 PM: Found Adware: linkmaker
10:15 PM: HKLM\software\lm\ (5 subtraces) (ID = 129744)
10:15 PM: Found Adware: opensite
10:15 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\ucsearch.ocx (ID = 136455)
10:15 PM: Found Adware: seekseek
10:15 PM: HKLM\software\jawa32\ (4 subtraces) (ID = 141529)
10:15 PM: Found Adware: seekseek.com hijacker
10:15 PM: HKLM\software\microsoft\internet explorer\search\ || search assistant (ID = 141574)
10:15 PM: HKU\WRSS_Profile_S-1-5-21-1993962763-1563985344-725345543-1007\software\microsoft\windows\currentversion\updt\ (ID = 105189)
10:15 PM: HKU\WRSS_Profile_S-1-5-21-1993962763-1563985344-725345543-1007\software\{2cf0b992-5eeb-4143-99c0-5297ef71f444}\ (ID = 105190)
10:15 PM: Found Adware: ebates money maker
10:15 PM: HKU\WRSS_Profile_S-1-5-21-1993962763-1563985344-725345543-1007\software\microsoft\internet explorer\extensions\cmdmapping\ || {7f241c00-dab6-11d5-aaa8-0001028df1bc} (ID = 125586)
10:15 PM: HKU\WRSS_Profile_S-1-5-21-1993962763-1563985344-725345543-1007\software\microsoft\internet explorer\extensions\{7f241c00-dab6-11d5-aaa8-0001028df1bc}\ (6 subtraces) (ID = 125588)
10:15 PM: HKU\WRSS_Profile_S-1-5-21-1993962763-1563985344-725345543-1007\software\microsoft\internet explorer\menuext\ebates\ (2 subtraces) (ID = 125590)
10:15 PM: Found Adware: 180search assistant/zango
10:15 PM: HKU\WRSS_Profile_S-1-5-21-1993962763-1563985344-725345543-1007\software\180solutions\ (7 subtraces) (ID = 135617)
10:15 PM: Found Adware: superbar
10:15 PM: HKU\WRSS_Profile_S-1-5-21-1993962763-1563985344-725345543-1007\software\superbar\ (1 subtraces) (ID = 143242)
10:15 PM: Found Adware: peopleonpage
10:15 PM: HKU\WRSS_Profile_S-1-5-21-1993962763-1563985344-725345543-1007\software\pop\ (1 subtraces) (ID = 359435)
10:15 PM: Found Adware: sidesearch
10:15 PM: HKU\WRSS_Profile_S-1-5-21-1993962763-1563985344-725345543-1007\software\microsoft\internet explorer\extensions\cmdmapping\ || {000007c6-17df-4438-92a4-de5537471ba3} (ID = 530423)
10:15 PM: Found Adware: cydoor
10:15 PM: HKU\WRSS_Profile_S-1-5-21-1993962763-1563985344-725345543-1007\software\cydoor\ (19 subtraces) (ID = 639126)
10:15 PM: HKU\WRSS_Profile_S-1-5-21-1993962763-1563985344-725345543-1007\software\cydoor services\ (1 subtraces) (ID = 639128)
10:15 PM: HKU\S-1-5-21-1993962763-1563985344-725345543-1004\software\microsoft\windows\currentversion\updt\ (1 subtraces) (ID = 105189)
10:15 PM: Found Adware: couponsandoffers
10:15 PM: HKU\S-1-5-21-1993962763-1563985344-725345543-1004\software\microsoft\internet explorer\menuext\coupons\ (2 subtraces) (ID = 112527)
10:15 PM: HKU\S-1-5-21-1993962763-1563985344-725345543-1004\software\microsoft\internet explorer\extensions\cmdmapping\ || {1a00c40b-da85-4aa3-a67f-582d9347eecd} (ID = 129028)
10:15 PM: Found Adware: ist sidefind
10:15 PM: HKU\S-1-5-21-1993962763-1563985344-725345543-1004\software\microsoft\internet explorer\extensions\cmdmapping\ || {10e42047-deb9-4535-a118-b3f6ec39b807} (ID = 141778)
10:15 PM: HKU\S-1-5-18\software\microsoft\internet explorer\extensions\cmdmapping\ || {1a00c40b-da85-4aa3-a67f-582d9347eecd} (ID = 129028)
10:15 PM: Registry Sweep Complete, Elapsed Time:00:00:28
10:15 PM: Starting Cookie Sweep
10:15 PM: Found Spy Cookie: 421 cookie
10:15 PM: nancy@421[2].txt (ID = 1971)
10:15 PM: Found Spy Cookie: websponsors cookie
10:15 PM: nancy@a.websponsors[1].txt (ID = 3665)
10:15 PM: Found Spy Cookie: tickle cookie
10:15 PM: nancy@cookie.tickle[1].txt (ID = 3530)
10:15 PM: Found Spy Cookie: 5 cookie
10:15 PM: alison@5[2].txt (ID = 1979)
10:15 PM: Found Spy Cookie: yieldmanager cookie
10:15 PM: alison@ad.yieldmanager[2].txt (ID = 3751)
10:15 PM: Found Spy Cookie: hbmediapro cookie
10:15 PM: alison@adopt.hbmediapro[2].txt (ID = 2768)
10:15 PM: Found Spy Cookie: desktop kazaa cookie
10:15 PM: alison@desktop.kazaa[2].txt (ID = 2515)
10:15 PM: Found Spy Cookie: clickandtrack cookie
10:15 PM: alison@hits.clickandtrack[2].txt (ID = 2397)
10:15 PM: Found Spy Cookie: tacoda cookie
10:15 PM: alison@tacoda[1].txt (ID = 6444)
10:15 PM: alison@yieldmanager[1].txt (ID = 3749)
10:15 PM: Found Spy Cookie: atwola cookie
10:15 PM: cat@atwola[1].txt (ID = 2255)
10:15 PM: Cookie Sweep Complete, Elapsed Time: 00:00:01
10:15 PM: Starting File Sweep
10:15 PM: c:\documents and settings\peter\application data\pop! (2 subtraces) (ID = -2147478148)
10:15 PM: Found Adware: clearsearch
10:15 PM: c:\documents and settings\peter\local settings\temp\clrsch (ID = -2147481250)
10:16 PM: couponsandoffers1.exe (ID = 54705)
10:16 PM: couponsandoffers1.exe (ID = 54705)
10:17 PM: Found Adware: bonzi buddy
10:17 PM: a0054996.ico (ID = 51620)
10:17 PM: Found Adware: memorymeter
10:17 PM: kvlhookwin.dll (ID = 69543)
10:17 PM: Found Adware: websearch toolbar
10:17 PM: qdow.dll (ID = 84940)
10:18 PM: ss1.tmp (ID = 76060)
10:18 PM: Found Adware: alset helpexpress
10:18 PM: hxdlazwm.exe (ID = 49754)
10:18 PM: qdow.dll (ID = 84940)
10:19 PM: Found Adware: memorywatcher
10:19 PM: memorywatcher.exe (ID = 69635)
10:19 PM: Found Trojan Horse: backdoor-bdi
10:19 PM: a0054926.exe (ID = 50444)
10:20 PM: memorywatcher.exe (ID = 69635)
10:21 PM: memorywatcher.exe (ID = 69635)
10:22 PM: memorywatcher.exe (ID = 69635)
10:23 PM: Found Adware: elitemediagroup-mediamotor
10:23 PM: mm20.inf (ID = 74036)
10:24 PM: Found Adware: shopathomeselect
10:24 PM: sahagent.exe (ID = 75884)
10:24 PM: Found Adware: tvmedia
10:24 PM: i1c5.tmp (ID = 81622)
10:25 PM: Found Adware: addestroyer
10:25 PM: inneradinstall.log (ID = 49035)
10:28 PM: jawa32.dat (ID = 75302)
10:28 PM: lmd.bin (ID = 65588)
10:28 PM: Found Adware: cydoor peer-to-peer dependency
10:28 PM: cd_clint.dll (ID = 57300)
10:28 PM: memorywatcher.exe (ID = 69635)
10:28 PM: memorywatcher.exe (ID = 69635)
10:28 PM: couponsandoffers1.exe (ID = 54705)
10:28 PM: couponsandoffers1.exe (ID = 54705)
10:28 PM: edow.exe (ID = 84873)
10:28 PM: Found Adware: ist istbar
10:28 PM: fca0ivf.exe (ID = 91001)
10:28 PM: lfsmjp.exe (ID = 64511)
10:28 PM: sdvapj.exe (ID = 64511)
10:29 PM: Found Trojan Horse: peper trojan
10:29 PM: a0056340.exe (ID = 72356)
10:29 PM: a0056341.exe (ID = 72356)
10:29 PM: a0056339.exe (ID = 72356)
10:29 PM: a0056345.exe (ID = 72365)
10:29 PM: a0056344.exe (ID = 72365)
10:29 PM: a0056343.exe (ID = 72365)
10:29 PM: a0056342.exe (ID = 72365)
10:29 PM: Found Adware: powerstrip
10:29 PM: fash.exe (ID = 72688)
10:29 PM: a0054831.exe (ID = 72365)
10:29 PM: a0054833.exe (ID = 72365)
10:29 PM: a0054832.exe (ID = 72365)
10:30 PM: a0056124.exe (ID = 72365)
10:30 PM: a0055032.exe (ID = 72365)
10:31 PM: popsrv.log (ID = 107392)
10:31 PM: Found Adware: java byteverify
10:31 PM: dummy.class-393d648-7a9b63cf.class (ID = 64821)
10:31 PM: Found Adware: ie driver
10:31 PM: sx.htm (ID = 63132)
10:31 PM: sx.htm (ID = 63132)
10:31 PM: Found Adware: wild media - minigolf
10:31 PM: wildapp.inf (ID = 69911)
10:31 PM: Found Adware: mindset interactive - favoriteman
10:31 PM: atpartners.inf (ID = 69817)
10:31 PM: Found Adware: winad
10:31 PM: winadx.inf (ID = 90469)
10:31 PM: Found Adware: twain-tech
10:31 PM: wininit.ini_ (ID = 81900)
10:31 PM: Found Adware: directrevenue-abetterinternet
10:31 PM: alchem.inf (ID = 83109)
10:31 PM: alchem.ini (ID = 83112)
10:31 PM: mediamotor1002.sah (ID = 75826)
10:31 PM: loaderadv470.jar-1ab62644-7cdbc078.zip (ID = 64819)
10:31 PM: Warning: Invalid file - not a PKZip file
10:31 PM: Warning: Invalid file - not a PKZip file
10:31 PM: Warning: Invalid file - not a PKZip file
10:31 PM: Warning: Invalid file - not a PKZip file
10:31 PM: File Sweep Complete, Elapsed Time: 00:16:07
10:31 PM: Full Sweep has completed. Elapsed time 00:19:23
10:31 PM: Traces Found: 156
10:33 PM: Removal process initiated
10:33 PM: Quarantining All Traces: 180search assistant/zango
10:33 PM: Quarantining All Traces: clearsearch
10:33 PM: Quarantining All Traces: directrevenue-abetterinternet
10:33 PM: Quarantining All Traces: ie driver
10:33 PM: Quarantining All Traces: ist istbar
10:33 PM: Quarantining All Traces: peper trojan
10:33 PM: Quarantining All Traces: websearch toolbar
10:33 PM: Quarantining All Traces: backdoor-bdi
10:33 PM: Quarantining All Traces: bonzi buddy
10:33 PM: Quarantining All Traces: isearch toolbar
10:33 PM: Quarantining All Traces: mindset interactive - favoriteman
10:33 PM: Quarantining All Traces: sidesearch
10:33 PM: Quarantining All Traces: winad
10:33 PM: Quarantining All Traces: addestroyer
10:33 PM: Quarantining All Traces: alset helpexpress
10:33 PM: Quarantining All Traces: altnet
10:33 PM: Quarantining All Traces: browseraid
10:33 PM: Quarantining All Traces: couponsandoffers
10:34 PM: Quarantining All Traces: cydoor peer-to-peer dependency
10:34 PM: Quarantining All Traces: cydoor
10:34 PM: Quarantining All Traces: ebates money maker
10:34 PM: Quarantining All Traces: elitemediagroup-mediamotor
10:34 PM: Quarantining All Traces: exact cashback/bargain buddy
10:34 PM: Quarantining All Traces: ist sidefind
10:34 PM: Quarantining All Traces: java byteverify
10:34 PM: Quarantining All Traces: linkmaker
10:34 PM: Quarantining All Traces: memorymeter
10:34 PM: Quarantining All Traces: memorywatcher
10:34 PM: Quarantining All Traces: opensite
10:34 PM: Quarantining All Traces: peopleonpage
10:34 PM: Quarantining All Traces: powerstrip
10:34 PM: Quarantining All Traces: seekseek.com hijacker
10:34 PM: Quarantining All Traces: seekseek
10:34 PM: Quarantining All Traces: shopathomeselect
10:34 PM: Quarantining All Traces: superbar
10:34 PM: Quarantining All Traces: tvmedia
10:34 PM: Quarantining All Traces: twain-tech
10:34 PM: Quarantining All Traces: wild media - minigolf
10:34 PM: Quarantining All Traces: 421 cookie
10:34 PM: Quarantining All Traces: 5 cookie
10:34 PM: Quarantining All Traces: atwola cookie
10:34 PM: Quarantining All Traces: clickandtrack cookie
10:34 PM: Quarantining All Traces: desktop kazaa cookie
10:34 PM: Quarantining All Traces: hbmediapro cookie
10:34 PM: Quarantining All Traces: tacoda cookie
10:34 PM: Quarantining All Traces: tickle cookie
10:34 PM: Quarantining All Traces: websponsors cookie
10:34 PM: Quarantining All Traces: yieldmanager cookie
10:34 PM: Removal process completed. Elapsed time 00:01:06
********
10:09 PM: | Start of Session, Sunday, February 05, 2006 |
10:09 PM: Spy Sweeper started
10:10 PM: Your spyware definitions have been updated.
10:12 PM: | End of Session, Sunday, February 05, 2006 |
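The Spy Sweeper session log above runs to 156 traces, and the two detections that matter most for a responder (the Trojan Horse families, peper trojan and backdoor-bdi) are buried among adware and cookie hits. As an added example that is not part of this thread and not Webroot's code, the following Python script parses that log format into a short summary: which families were detected and of what kind, how many trace lines each sweep phase produced, and whether the tool's own "Traces Found" total agrees with the lines. The embedded sample log is constructed from a few lines in the same format (the SID in it is made up); the regex and function names are my own.

```python
import re
from collections import Counter

# Constructed sample modelled on the Spy Sweeper session-log format in this
# thread (not the poster's full log): "Found <kind>: <family>" headers,
# trace lines ending in "(ID = n)", phase markers and a trace total.
SAMPLE_SWEEP_LOG = r"""
10:15 PM: Starting Registry Sweep
10:15 PM: Found Adware: altnet
10:15 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\system32\admdata.dll (ID = 103521)
10:15 PM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\system32\admdloader.dll (ID = 103522)
10:15 PM: Found Adware: ebates money maker
10:15 PM: HKU\WRSS_Profile_S-1-5-21-0-0-0-1007\software\microsoft\internet explorer\extensions\{7f241c00-dab6-11d5-aaa8-0001028df1bc}\ (6 subtraces) (ID = 125588)
10:15 PM: Registry Sweep Complete, Elapsed Time:00:00:28
10:15 PM: Starting File Sweep
10:19 PM: Found Trojan Horse: backdoor-bdi
10:19 PM: a0054926.exe (ID = 50444)
10:29 PM: Found Trojan Horse: peper trojan
10:29 PM: a0056340.exe (ID = 72356)
10:29 PM: a0056341.exe (ID = 72356)
10:31 PM: Warning: Invalid file - not a PKZip file
10:31 PM: File Sweep Complete, Elapsed Time: 00:16:07
10:31 PM: Traces Found: 6
"""

LINE_RE = re.compile(r"^\d{1,2}:\d{2} [AP]M: (?P<body>.*)$")
PHASE_RE = re.compile(r"^Starting (?P<phase>\w+) Sweep$")
FOUND_RE = re.compile(r"^Found (?P<kind>[^:]+): (?P<family>.+)$")
TRACE_RE = re.compile(r"\(ID = -?\d+\)\s*$")
TOTAL_RE = re.compile(r"^Traces Found: (?P<n>\d+)$")


def summarize_spysweeper(log_text):
    """Reduce a Spy Sweeper session log to the facts a responder wants first:
    which families were found (and of what kind), how many traces each sweep
    phase produced, and whether the tool's own total agrees with the lines."""
    families = {}             # family name -> kind ("Adware", "Trojan Horse", "Spy Cookie", ...)
    phase_traces = Counter()  # sweep phase -> number of trace lines
    phase = "Unknown"
    reported_total = None
    warnings = 0
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank lines and "********" session separators
        body = m.group("body")
        pm = PHASE_RE.match(body)
        if pm:
            phase = pm.group("phase")
            continue
        fm = FOUND_RE.match(body)
        if fm:
            # Spy Sweeper prints this header the first time a family is seen;
            # later traces of the same family are listed without it, so traces
            # are counted per phase rather than attributed to a family.
            families[fm.group("family").strip().lower()] = fm.group("kind").strip()
            continue
        tm = TOTAL_RE.match(body)
        if tm:
            reported_total = int(tm.group("n"))
            continue
        if body.startswith("Warning:"):
            warnings += 1
            continue
        if TRACE_RE.search(body):
            phase_traces[phase] += 1
    return {
        "families": families,
        "phase_traces": phase_traces,
        "counted_total": sum(phase_traces.values()),
        "reported_total": reported_total,
        "warnings": warnings,
    }


def trojans(summary):
    """Families the tool classed as Trojan Horse rather than adware or cookies."""
    return sorted(name for name, kind in summary["families"].items() if kind == "Trojan Horse")


def totals_consistent(summary):
    """True when the 'Traces Found' line matches the number of trace lines parsed."""
    return summary["reported_total"] == summary["counted_total"]


if __name__ == "__main__":
    s = summarize_spysweeper(SAMPLE_SWEEP_LOG)
    print(dict(s["phase_traces"]), trojans(s), totals_consistent(s))
```

Run it against a full pasted session log to get the trojan list and the per-phase counts in one line; a mismatch between the reported and counted totals usually means the paste was truncated, which is worth knowing before acting on it.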

#4 MFDnSC


Posted 06 February 2006 - 10:07 AM

Fix these with HJT – mark them, close IE, click fix checked

O4 - HKLM\..\Run: [Sxbb] C:\WINDOWS\Csgzam.exe

O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u

O9 - Extra button: (no name) - { - (no file) (HKCU)
O9 - Extra button: (no name) - {7F24 - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00 - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00- - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-D - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DA - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6 - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6- - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5- - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AA - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8 - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8- - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-00 - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-0001 - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-00010 - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-0001028D - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-0001028DF - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-0001028DF1 - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-0001028DF1B - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-0001028DF1BC - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-0001028DF1BC} - (no file) (HKCU)

DownLoad http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\WINDOWS\Csgzam.exe

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot

http://www.kaspersky.com/virusscanner - Online scan

When the scan is finished Save the results from the scan!

Post a new HiJackThis log along with the results from Kaspersky scan


Please give feedback on what worked/didn’t work and the current status of your system.
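As an added example, not from this thread and not part of HijackThis: a Python triage helper that reads HijackThis v1.99.1 log lines and flags the same categories MFDnSC marks for fixing above, that is an O4 Run entry whose executable sits directly in the Windows directory root (C:\WINDOWS\Csgzam.exe) and O9 extension entries whose target file is missing or whose CLSID is not a well-formed GUID (the runaway `{7F24...` entries, which are what a corrupted Extensions key looks like in the log). The sample lines are copied from this thread's logs with the wrapped O9 line rejoined; `WINDOWS_ROOT` assumes `%systemroot%` is C:\WINDOWS as the logs show; the regex, constant and function names are mine.

```python
import ntpath
import re

# Constructed sample: a handful of O4 and O9 lines in HijackThis v1.99.1 format,
# copied from the logs in this thread, with the wrapped O9 line rejoined.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [Sxbb] C:\WINDOWS\Csgzam.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - { - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6 - (no file) (HKCU)
O9 - Extra button: (no name) - {7F241C00-DAB6-11d5-AAA8-0001028DF1BC} - (no file) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
"""

HJT_LINE_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<command>.*)$")
O9_RE = re.compile(r"^Extra (?:button|'Tools' menuitem): (?P<title>.*?) - (?P<clsid>\{\S*) - (?P<target>.*)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Executable image at the start of a command line, quoted or bare, with or without arguments.
IMAGE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|com|scr|pif|bat|cmd))"?(?:\s|$)', re.I)

# Assumption: the machine's %systemroot% is C:\WINDOWS, as the thread's logs show.
WINDOWS_ROOT = r"c:\windows"

ROOT_IMAGE = "autorun image sits directly in the Windows directory root"
MISSING_FILE = "extension target file is missing"
BAD_CLSID = "malformed CLSID"


def command_image(command):
    """Pull the executable path out of a Run-key command line, quoted or not."""
    m = IMAGE_RE.match(command)
    if m:
        return m.group("path")
    parts = command.split()  # no recognised extension: fall back to the first token
    return parts[0].strip('"') if parts else ""


def in_windows_root(image):
    """True when the image lives in C:\\WINDOWS itself rather than a subfolder."""
    p = image.lower().replace("%systemroot%", WINDOWS_ROOT).replace("%windir%", WINDOWS_ROOT)
    return ntpath.dirname(p) == WINDOWS_ROOT


def triage_hjt(log_text):
    """Return (line, reasons) for each O4/O9 entry that deserves a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = HJT_LINE_RE.match(line)
        if not m:
            continue  # headers, process list, blank lines
        section, body = m.group("section"), m.group("body")
        reasons = []
        if section == "O4":
            om = O4_RE.match(body)
            if om and in_windows_root(command_image(om.group("command"))):
                reasons.append(ROOT_IMAGE)
        elif section == "O9":
            om = O9_RE.match(body)
            if om:
                target = om.group("target")
                if "(no file)" in target or "(file missing)" in target:
                    reasons.append(MISSING_FILE)
                if not GUID_RE.match(om.group("clsid")):
                    reasons.append(BAD_CLSID)
        if reasons:
            findings.append((line, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for line, reasons in triage_hjt(SAMPLE_HJT_LOG):
        print(line, "->", "; ".join(reasons))
```

A flagged line is a pointer, not a verdict: the WeatherBug entry is only an orphaned button, and the dumprep entry under system32 is deliberately not flagged even though the reply above lists it for removal, because its location alone is unremarkable. The value of the script is that it turns a 70-line paste into the five lines a helper actually reads.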

#5 bona


Posted 17 February 2006 - 07:24 PM

I was able to delete the specified files using HiJackThis... and also download the KillBox.zip. However, when I attempt to restart in safe mode... the account that we are using does not come up on the login screen. I checked to see if it was an administrator account and it indeed was. Is there any way that I can just run KillBox in regular mode and then continue with the online scan afterwards?


Much appreciated.

#6 MFDnSC


Posted 17 February 2006 - 07:48 PM

Yes, go ahead. 11 days later.

#7 bona


Posted 17 February 2006 - 09:10 PM

Sorry for the inconvenience, I haven't had access to this computer for 2 weeks. Here is the new HiJackThis log and the Kaspersky scan results. Thanks again.

Logfile of HijackThis v1.99.1
Scan saved at 9:06:57 PM, on 2/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Cat\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.huskymail.uconn.edu/?user=cdf03002
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus C60 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\system32\E_S3D7.tmp"
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vs...03C00/setup.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe



Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, February 17, 2006 9:04:47 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 18/02/2006
Kaspersky Anti-Virus database records: 166454
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 37793
Number of viruses found: 22
Number of infected objects: 201
Number of suspicious objects: 0
Duration of the scan process: 00:27:53

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\My Documents\Data\all_files2-1.exe/data0002 Infected: Backdoor.Win32.Ruledor.c skipped
C:\Documents and Settings\Administrator\My Documents\Data\all_files2-1.exe/data0003 Infected: Trojan-Downloader.Win32.Poplite.a skipped
C:\Documents and Settings\Administrator\My Documents\Data\all_files2-1.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Administrator\My Documents\Data\all_files2.exe/data0002/data299033.zip/Files/IEDRIVER.EXE Infected: Trojan-Downloader.Win32.Turown.h skipped
C:\Documents and Settings\Administrator\My Documents\Data\all_files2.exe/data0002/data299033.zip/Files/ieupdate.exe Infected: Trojan-Downloader.Win32.Turown.b skipped
C:\Documents and Settings\Administrator\My Documents\Data\all_files2.exe/data0002/data299033.zip/Files/td.exe Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Administrator\My Documents\Data\all_files2.exe/data0002/data299033.zip Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Administrator\My Documents\Data\all_files2.exe/data0002 Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Administrator\My Documents\Data\all_files2.exe/data0009 Infected: Backdoor.Win32.Ruledor.c skipped
C:\Documents and Settings\Administrator\My Documents\Data\all_files2.exe/data0010 Infected: Trojan-Downloader.Win32.Poplite.a skipped
C:\Documents and Settings\Administrator\My Documents\Data\all_files2.exe NSIS: infected - 7 skipped
C:\Documents and Settings\Administrator\My Documents\Data\all_files3.exe/data0002/data299033.zip/Files/IEDRIVER.EXE Infected: Trojan-Downloader.Win32.Turown.h skipped
C:\Documents and Settings\Administrator\My Documents\Data\all_files3.exe/data0002/data299033.zip/Files/ieupdate.exe Infected: Trojan-Downloader.Win32.Turown.b skipped
C:\Documents and Settings\Administrator\My Documents\Data\all_files3.exe/data0002/data299033.zip/Files/td.exe Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Administrator\My Documents\Data\all_files3.exe/data0002/data299033.zip Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Administrator\My Documents\Data\all_files3.exe/data0002 Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Administrator\My Documents\Data\all_files3.exe/data0004 Infected: Trojan-Downloader.Win32.Agent.ec skipped
C:\Documents and Settings\Administrator\My Documents\Data\all_files3.exe NSIS: infected - 6 skipped
C:\Documents and Settings\Administrator\My Documents\Data\all_files3b.exe/data0003/data0002 Infected: Trojan-Downloader.Win32.Keenval.b skipped
C:\Documents and Settings\Administrator\My Documents\Data\all_files3b.exe/data0003/data0003/data0002 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Administrator\My Documents\Data\all_files3b.exe/data0003/data0003/data0005 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Administrator\My Documents\Data\all_files3b.exe/data0003/data0003 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Administrator\My Documents\Data\all_files3b.exe/data0003 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Administrator\My Documents\Data\all_files3b.exe NSIS: infected - 5 skipped
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files2-1.exe/data0002 Infected: Backdoor.Win32.Ruledor.c skipped
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files2-1.exe/data0003 Infected: Trojan-Downloader.Win32.Poplite.a skipped
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files2-1.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files2.exe/data0002/data299033.zip/Files/IEDRIVER.EXE Infected: Trojan-Downloader.Win32.Turown.h skipped
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files2.exe/data0002/data299033.zip/Files/ieupdate.exe Infected: Trojan-Downloader.Win32.Turown.b skipped
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files2.exe/data0002/data299033.zip/Files/td.exe Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files2.exe/data0002/data299033.zip Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files2.exe/data0002 Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files2.exe/data0009 Infected: Backdoor.Win32.Ruledor.c skipped
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files2.exe/data0010 Infected: Trojan-Downloader.Win32.Poplite.a skipped
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files2.exe NSIS: infected - 7 skipped
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files3.exe/data0002/data299033.zip/Files/IEDRIVER.EXE Infected: Trojan-Downloader.Win32.Turown.h skipped
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files3.exe/data0002/data299033.zip/Files/ieupdate.exe Infected: Trojan-Downloader.Win32.Turown.b skipped
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files3.exe/data0002/data299033.zip/Files/td.exe Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files3.exe/data0002/data299033.zip Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files3.exe/data0002 Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files3.exe/data0004 Infected: Trojan-Downloader.Win32.Agent.ec skipped
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files3.exe NSIS: infected - 6 skipped
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files3b.exe/data0003/data0002 Infected: Trojan-Downloader.Win32.Keenval.b skipped
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files3b.exe/data0003/data0003/data0002 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files3b.exe/data0003/data0003/data0005 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files3b.exe/data0003/data0003 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files3b.exe/data0003 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Administrator\My Documents\Data\Data\all_files3b.exe NSIS: infected - 5 skipped
C:\Documents and Settings\Administrator\My Documents\Data\Data\memwatcher.exe/data0004 Infected: Trojan-Downloader.Win32.VB.q skipped
C:\Documents and Settings\Administrator\My Documents\Data\Data\memwatcher.exe/data0006 Infected: Backdoor.Win32.VB.nb skipped
C:\Documents and Settings\Administrator\My Documents\Data\Data\memwatcher.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Administrator\My Documents\Data\Data\popinstlite.exe Infected: Trojan-Downloader.Win32.Poplite.a skipped
C:\Documents and Settings\Administrator\My Documents\Data\memwatcher.exe/data0004 Infected: Trojan-Downloader.Win32.VB.q skipped
C:\Documents and Settings\Administrator\My Documents\Data\memwatcher.exe/data0006 Infected: Backdoor.Win32.VB.nb skipped
C:\Documents and Settings\Administrator\My Documents\Data\memwatcher.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Administrator\My Documents\Data\popinstlite.exe Infected: Trojan-Downloader.Win32.Poplite.a skipped
C:\Documents and Settings\Cat\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-5f22f99-7365cfe9.zip/GetAccess.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\Cat\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-5f22f99-7365cfe9.zip/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.aj skipped
C:\Documents and Settings\Cat\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-5f22f99-7365cfe9.zip ZIP: infected - 2 skipped
C:\Documents and Settings\Cat\Local Settings\Temporary Internet Files\Content.IE5\0OLCIAGL\uninst[1].exe Infected: Trojan-Downloader.Win32.VB.ge skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files2-1.exe/data0002 Infected: Backdoor.Win32.Ruledor.c skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files2-1.exe/data0003 Infected: Trojan-Downloader.Win32.Poplite.a skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files2-1.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files2.exe/data0002/data299033.zip/Files/IEDRIVER.EXE Infected: Trojan-Downloader.Win32.Turown.h skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files2.exe/data0002/data299033.zip/Files/ieupdate.exe Infected: Trojan-Downloader.Win32.Turown.b skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files2.exe/data0002/data299033.zip/Files/td.exe Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files2.exe/data0002/data299033.zip Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files2.exe/data0002 Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files2.exe/data0009 Infected: Backdoor.Win32.Ruledor.c skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files2.exe/data0010 Infected: Trojan-Downloader.Win32.Poplite.a skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files2.exe NSIS: infected - 7 skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0002/data299033.zip/Files/IEDRIVER.EXE Infected: Trojan-Downloader.Win32.Turown.h skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0002/data299033.zip/Files/ieupdate.exe Infected: Trojan-Downloader.Win32.Turown.b skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0002/data299033.zip/Files/td.exe Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0002/data299033.zip Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0002 Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0004 Infected: Trojan-Downloader.Win32.Agent.ec skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe NSIS: infected - 6 skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3b.exe/data0003/data0002 Infected: Trojan-Downloader.Win32.Keenval.b skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3b.exe/data0003/data0003/data0002 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3b.exe/data0003/data0003/data0005 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3b.exe/data0003/data0003 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3b.exe/data0003 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3b.exe NSIS: infected - 5 skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2-1.exe/data0002 Infected: Backdoor.Win32.Ruledor.c skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2-1.exe/data0003 Infected: Trojan-Downloader.Win32.Poplite.a skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2-1.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0002/data299033.zip/Files/IEDRIVER.EXE Infected: Trojan-Downloader.Win32.Turown.h skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0002/data299033.zip/Files/ieupdate.exe Infected: Trojan-Downloader.Win32.Turown.b skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0002/data299033.zip/Files/td.exe Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0002/data299033.zip Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0002 Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0009 Infected: Backdoor.Win32.Ruledor.c skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0010 Infected: Trojan-Downloader.Win32.Poplite.a skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe NSIS: infected - 7 skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0002/data299033.zip/Files/IEDRIVER.EXE Infected: Trojan-Downloader.Win32.Turown.h skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0002/data299033.zip/Files/ieupdate.exe Infected: Trojan-Downloader.Win32.Turown.b skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0002/data299033.zip/Files/td.exe Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0002/data299033.zip Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0002 Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0004 Infected: Trojan-Downloader.Win32.Agent.ec skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe NSIS: infected - 6 skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe/data0003/data0002 Infected: Trojan-Downloader.Win32.Keenval.b skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe/data0003/data0003/data0002 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe/data0003/data0003/data0005 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe/data0003/data0003 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe/data0003 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe NSIS: infected - 5 skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\memwatcher.exe/data0004 Infected: Trojan-Downloader.Win32.VB.q skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\memwatcher.exe/data0006 Infected: Backdoor.Win32.VB.nb skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\memwatcher.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\popinstlite.exe Infected: Trojan-Downloader.Win32.Poplite.a skipped
C:\Documents and Settings\Default User\My Documents\Data\memwatcher.exe/data0004 Infected: Trojan-Downloader.Win32.VB.q skipped
C:\Documents and Settings\Default User\My Documents\Data\memwatcher.exe/data0006 Infected: Backdoor.Win32.VB.nb skipped
C:\Documents and Settings\Default User\My Documents\Data\memwatcher.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Default User\My Documents\Data\popinstlite.exe Infected: Trojan-Downloader.Win32.Poplite.a skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GTAR4H6N\h[1].exe Infected: Backdoor.Win32.SdBot.aad skipped
C:\Documents and Settings\Nancy\My Documents\Data\all_files2-1.exe/data0002 Infected: Backdoor.Win32.Ruledor.c skipped
C:\Documents and Settings\Nancy\My Documents\Data\all_files2-1.exe/data0003 Infected: Trojan-Downloader.Win32.Poplite.a skipped
C:\Documents and Settings\Nancy\My Documents\Data\all_files2-1.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Nancy\My Documents\Data\all_files2.exe/data0002/data299033.zip/Files/IEDRIVER.EXE Infected: Trojan-Downloader.Win32.Turown.h skipped
C:\Documents and Settings\Nancy\My Documents\Data\all_files2.exe/data0002/data299033.zip/Files/ieupdate.exe Infected: Trojan-Downloader.Win32.Turown.b skipped
C:\Documents and Settings\Nancy\My Documents\Data\all_files2.exe/data0002/data299033.zip/Files/td.exe Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Nancy\My Documents\Data\all_files2.exe/data0002/data299033.zip Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Nancy\My Documents\Data\all_files2.exe/data0002 Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Nancy\My Documents\Data\all_files2.exe/data0009 Infected: Backdoor.Win32.Ruledor.c skipped
C:\Documents and Settings\Nancy\My Documents\Data\all_files2.exe/data0010 Infected: Trojan-Downloader.Win32.Poplite.a skipped
C:\Documents and Settings\Nancy\My Documents\Data\all_files2.exe NSIS: infected - 7 skipped
C:\Documents and Settings\Nancy\My Documents\Data\all_files3.exe/data0002/data299033.zip/Files/IEDRIVER.EXE Infected: Trojan-Downloader.Win32.Turown.h skipped
C:\Documents and Settings\Nancy\My Documents\Data\all_files3.exe/data0002/data299033.zip/Files/ieupdate.exe Infected: Trojan-Downloader.Win32.Turown.b skipped
C:\Documents and Settings\Nancy\My Documents\Data\all_files3.exe/data0002/data299033.zip/Files/td.exe Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Nancy\My Documents\Data\all_files3.exe/data0002/data299033.zip Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Nancy\My Documents\Data\all_files3.exe/data0002 Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Nancy\My Documents\Data\all_files3.exe/data0004 Infected: Trojan-Downloader.Win32.Agent.ec skipped
C:\Documents and Settings\Nancy\My Documents\Data\all_files3.exe NSIS: infected - 6 skipped
C:\Documents and Settings\Nancy\My Documents\Data\all_files3b.exe/data0003/data0002 Infected: Trojan-Downloader.Win32.Keenval.b skipped
C:\Documents and Settings\Nancy\My Documents\Data\all_files3b.exe/data0003/data0003/data0002 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Nancy\My Documents\Data\all_files3b.exe/data0003/data0003/data0005 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Nancy\My Documents\Data\all_files3b.exe/data0003/data0003 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Nancy\My Documents\Data\all_files3b.exe/data0003 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Nancy\My Documents\Data\all_files3b.exe NSIS: infected - 5 skipped
C:\Documents and Settings\Nancy\My Documents\Data\Data\all_files2-1.exe/data0002 Infected: Backdoor.Win32.Ruledor.c skipped
C:\Documents and Settings\Nancy\My Documents\Data\Data\all_files2-1.exe/data0003 Infected: Trojan-Downloader.Win32.Poplite.a skipped
C:\Documents and Settings\Nancy\My Documents\Data\Data\all_files2-1.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Nancy\My Documents\Data\Data\all_files2.exe/data0002/data299033.zip/Files/IEDRIVER.EXE Infected: Trojan-Downloader.Win32.Turown.h skipped
C:\Documents and Settings\Nancy\My Documents\Data\Data\all_files2.exe/data0002/data299033.zip/Files/ieupdate.exe Infected: Trojan-Downloader.Win32.Turown.b skipped
C:\Documents and Settings\Nancy\My Documents\Data\Data\all_files2.exe/data0002/data299033.zip/Files/td.exe Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Nancy\My Documents\Data\Data\all_files2.exe/data0002/data299033.zip Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Nancy\My Documents\Data\Data\all_files2.exe/data0002 Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Nancy\My Documents\Data\Data\all_files2.exe/data0009 Infected: Backdoor.Win32.Ruledor.c skipped
C:\Documents and Settings\Nancy\My Documents\Data\Data\all_files2.exe/data0010 Infected: Trojan-Downloader.Win32.Poplite.a skipped
C:\Documents and Settings\Nancy\My Documents\Data\Data\all_files2.exe NSIS: infected - 7 skipped
C:\Documents and Settings\Nancy\My Documents\Data\Data\all_files3.exe/data0002/data299033.zip/Files/IEDRIVER.EXE Infected: Trojan-Downloader.Win32.Turown.h skipped
C:\Documents and Settings\Nancy\My Documents\Data\Data\all_files3.exe/data0002/data299033.zip/Files/ieupdate.exe Infected: Trojan-Downloader.Win32.Turown.b skipped
C:\Documents and Settings\Nancy\My Documents\Data\Data\all_files3.exe/data0002/data299033.zip/Files/td.exe Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Nancy\My Documents\Data\Data\all_files3.exe/data0002/data299033.zip Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Nancy\My Documents\Data\Data\all_files3.exe/data0002 Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Nancy\My Documents\Data\Data\all_files3.exe/data0004 Infected: Trojan-Downloader.Win32.Agent.ec skipped
C:\Documents and Settings\Nancy\My Documents\Data\Data\all_files3.exe NSIS: infected - 6 skipped
C:\Documents and Settings\Nancy\My Documents\Data\Data\all_files3b.exe/data0003/data0002 Infected: Trojan-Downloader.Win32.Keenval.b skipped
C:\Documents and Settings\Nancy\My Documents\Data\Data\all_files3b.exe/data0003/data0003/data0002 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Nancy\My Documents\Data\Data\all_files3b.exe/data0003/data0003/data0005 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Nancy\My Documents\Data\Data\all_files3b.exe/data0003/data0003 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Nancy\My Documents\Data\Data\all_files3b.exe/data0003 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Nancy\My Documents\Data\Data\all_files3b.exe NSIS: infected - 5 skipped
C:\Documents and Settings\Nancy\My Documents\Data\Data\memwatcher.exe/data0004 Infected: Trojan-Downloader.Win32.VB.q skipped
C:\Documents and Settings\Nancy\My Documents\Data\Data\memwatcher.exe/data0006 Infected: Backdoor.Win32.VB.nb skipped
C:\Documents and Settings\Nancy\My Documents\Data\Data\memwatcher.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Nancy\My Documents\Data\Data\popinstlite.exe Infected: Trojan-Downloader.Win32.Poplite.a skipped
C:\Documents and Settings\Nancy\My Documents\Data\memwatcher.exe/data0004 Infected: Trojan-Downloader.Win32.VB.q skipped
C:\Documents and Settings\Nancy\My Documents\Data\memwatcher.exe/data0006 Infected: Backdoor.Win32.VB.nb skipped
C:\Documents and Settings\Nancy\My Documents\Data\memwatcher.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Nancy\My Documents\Data\popinstlite.exe Infected: Trojan-Downloader.Win32.Poplite.a skipped
C:\Documents and Settings\Peter\My Documents\Data\all_files2.exe/data0005 Infected: Trojan-Downloader.Win32.Keenval.m skipped
C:\Documents and Settings\Peter\My Documents\Data\all_files2.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Peter\My Documents\Data\Data\all_files2.exe/data0005 Infected: Trojan-Downloader.Win32.Keenval.m skipped
C:\Documents and Settings\Peter\My Documents\Data\Data\all_files2.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Peter\My Documents\Data\Data\popinstlite.exe Infected: Trojan-Downloader.Win32.Poplite.a skipped
C:\Documents and Settings\Peter\My Documents\Data\popinstlite.exe Infected: Trojan-Downloader.Win32.Poplite.a skipped
C:\popinstlite.exe Infected: Trojan-Downloader.Win32.Poplite.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\789E7480.exe Infected: Virus.Win32.HLLP.Hantaner.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\79CD3532.exe Infected: Virus.Win32.HLLP.Hantaner.a skipped
C:\System Volume Information\_restore{7D9560A7-A6BB-4898-887C-7D81C21B6660}\RP657\A0054815.exe Infected: Backdoor.Win32.SdBot.ajw skipped
C:\System Volume Information\_restore{7D9560A7-A6BB-4898-887C-7D81C21B6660}\RP658\A0054816.pif Infected: Backdoor.Win32.SdBot.ajw skipped
C:\System Volume Information\_restore{7D9560A7-A6BB-4898-887C-7D81C21B6660}\RP659\A0054885.exe Infected: Backdoor.Win32.SdBot.aad skipped
C:\System Volume Information\_restore{7D9560A7-A6BB-4898-887C-7D81C21B6660}\RP659\A0054890.pif Infected: Backdoor.Win32.SdBot.ajw skipped
C:\System Volume Information\_restore{7D9560A7-A6BB-4898-887C-7D81C21B6660}\RP660\A0054903.exe Infected: Backdoor.Win32.SdBot.aad skipped
C:\System Volume Information\_restore{7D9560A7-A6BB-4898-887C-7D81C21B6660}\RP660\A0054905.pif Infected: Backdoor.Win32.SdBot.ajw skipped
C:\System Volume Information\_restore{7D9560A7-A6BB-4898-887C-7D81C21B6660}\RP661\A0054918.exe Infected: Backdoor.Win32.SdBot.aad skipped
C:\System Volume Information\_restore{7D9560A7-A6BB-4898-887C-7D81C21B6660}\RP661\A0054920.pif Infected: Backdoor.Win32.SdBot.ajw skipped
C:\System Volume Information\_restore{7D9560A7-A6BB-4898-887C-7D81C21B6660}\RP661\A0054925.exe Infected: Backdoor.Win32.Agent.jn skipped
C:\System Volume Information\_restore{7D9560A7-A6BB-4898-887C-7D81C21B6660}\RP661\A0054927.exe Infected: Backdoor.Win32.SdBot.aad skipped
C:\System Volume Information\_restore{7D9560A7-A6BB-4898-887C-7D81C21B6660}\RP695\A0056193.exe Infected: Backdoor.Win32.Agent.bg skipped
C:\System Volume Information\_restore{7D9560A7-A6BB-4898-887C-7D81C21B6660}\RP696\A0056224.hta Infected: Trojan-Dropper.VBS.Delud skipped
C:\System Volume Information\_restore{7D9560A7-A6BB-4898-887C-7D81C21B6660}\RP697\A0056353.exe Infected: Backdoor.Win32.Agent.bg skipped
C:\temp1.exe/data.rar/gamma.exe Infected: Trojan-Downloader.Win32.IstBar.is skipped
C:\temp1.exe/data.rar Infected: Trojan-Downloader.Win32.IstBar.is skipped
C:\temp1.exe RarSFX: infected - 2 skipped
C:\WINDOWS\bookmarks.exe Infected: Trojan.Win32.StartPage.hw skipped
C:\WINDOWS\gamma.exe Infected: Trojan-Downloader.Win32.IstBar.is skipped
C:\WINDOWS\Help\hosts Infected: Trojan-Clicker.Win32.Qhost.a skipped

Scan process completed.

#8 MFDnSC

Ret. Director I/T

  • Members
  • 4,310 posts

Posted 17 February 2006 - 09:30 PM

Your Norton must be expired.

Run Spy Sweeper again.


Download the trial version of Ewido Security Suite http://www.ewido.net/en/download/ (W2K/XP Only)
· Install ewido.
· During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
· Launch ewido.
· It will prompt you to update; click the OK button and it will go to the main screen.
· On the left side of the main screen click Update.
· Click on Start and let it update.
· DO NOT run a scan yet. You will do that later in safe mode.

Restart your computer into safe mode now. Perform the following steps in safe mode:
(Start tapping F8 at the first black screen after power up.)

Run Ewido:
· Click on Scanner.
· Click Complete System Scan and the scan will begin.
· During the scan it will prompt you to clean files; click OK.
· When the scan is finished, look at the bottom of the screen and click the Save report button.
· Save the report to your C: drive.
This will take some time to run!
Boot to normal mode.
Post that log and a new HijackThis log.

#9 bona
  • Topic Starter
  • Members
  • 50 posts

Posted 19 February 2006 - 09:24 PM

I was not able to run any of the programs in safe mode, because this account does not appear on the safe mode login screen. I did run them in regular mode. Here are the results. Thank you.

Ewido Scan:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 9:14:53 PM, 2/19/2006
+ Report-Checksum: 67400F89

+ Scan result:

HKLM\SOFTWARE\Classes\PROTOCOLS\Name-Space Handler\res -> Adware.WebSearch : Cleaned with backup
C:\Documents and Settings\Cat\Cookies\cat@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Cat\Cookies\cat@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Cat\Cookies\cat@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Cat\Cookies\cat@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned with backup
C:\Documents and Settings\Cat\Cookies\cat@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Cat\Cookies\cat@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Cat\Cookies\cat@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Cat\Cookies\cat@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Cat\Cookies\cat@cnn.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Cat\Cookies\cat@com[2].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Cat\Cookies\cat@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Cat\Cookies\cat@media.fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned with backup
C:\Documents and Settings\Cat\Cookies\cat@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned with backup
C:\Documents and Settings\Cat\Cookies\cat@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Cat\Cookies\cat@reduxads.valuead[2].txt -> TrackingCookie.Valuead : Cleaned with backup
C:\Documents and Settings\Cat\Cookies\cat@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Cat\Cookies\cat@server.iad.liveperson[2].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Cat\Cookies\cat@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Cat\Cookies\cat@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Cat\Cookies\cat@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Cat\Cookies\cat@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Cat\Cookies\cat@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned with backup
C:\Documents and Settings\Cat\Cookies\cat@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Cat\Local Settings\Temporary Internet Files\Content.IE5\0OLCIAGL\uninst[1].exe -> Downloader.VB.ge : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GTAR4H6N\h[1].exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\System Volume Information\_restore{7D9560A7-A6BB-4898-887C-7D81C21B6660}\RP657\A0054815.exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\System Volume Information\_restore{7D9560A7-A6BB-4898-887C-7D81C21B6660}\RP658\A0054816.pif -> Backdoor.SdBot.aad : Cleaned with backup
C:\System Volume Information\_restore{7D9560A7-A6BB-4898-887C-7D81C21B6660}\RP659\A0054885.exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\System Volume Information\_restore{7D9560A7-A6BB-4898-887C-7D81C21B6660}\RP659\A0054890.pif -> Backdoor.SdBot.aad : Cleaned with backup
C:\System Volume Information\_restore{7D9560A7-A6BB-4898-887C-7D81C21B6660}\RP660\A0054903.exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\System Volume Information\_restore{7D9560A7-A6BB-4898-887C-7D81C21B6660}\RP660\A0054905.pif -> Backdoor.SdBot.aad : Cleaned with backup
C:\System Volume Information\_restore{7D9560A7-A6BB-4898-887C-7D81C21B6660}\RP661\A0054918.exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\System Volume Information\_restore{7D9560A7-A6BB-4898-887C-7D81C21B6660}\RP661\A0054920.pif -> Backdoor.SdBot.aad : Cleaned with backup
C:\System Volume Information\_restore{7D9560A7-A6BB-4898-887C-7D81C21B6660}\RP661\A0054927.exe -> Backdoor.SdBot.aad : Cleaned with backup
C:\System Volume Information\_restore{7D9560A7-A6BB-4898-887C-7D81C21B6660}\RP695\A0056193.exe -> Backdoor.Agent.bg : Cleaned with backup
C:\System Volume Information\_restore{7D9560A7-A6BB-4898-887C-7D81C21B6660}\RP697\A0056353.exe -> Backdoor.Agent.bg : Cleaned with backup
C:\temp1.exe/gamma.exe -> Downloader.IstBar.is : Cleaned with backup
C:\temp1.exe/lc.exe -> Adware.WinAD : Cleaned with backup
C:\WINDOWS\bookmarks.exe -> Hijacker.StartPage.hw : Cleaned with backup
C:\WINDOWS\gamma.exe -> Downloader.IstBar.is : Cleaned with backup
C:\WINDOWS\lc.exe -> Adware.WinAD : Cleaned with backup
C:\WINDOWS\NDNuninstall5_40.exe -> Adware.NewDotNet : Cleaned with backup
C:\WINDOWS\system32\P2P Networking -> Adware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\Cache -> Adware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\Cache\Database -> Adware.P2PNetworking : Cleaned with backup
C:\WINDOWS\system32\P2P Networking\Cache\Database\index256.dbb -> Adware.P2PNetworking : Cleaned with backup


::Report End


HiJackThis Report:

Logfile of HijackThis v1.99.1
Scan saved at 9:19:42 PM, on 2/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Cat\Desktop\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.huskymail.uconn.edu/?user=cdf03002
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Ink Monitor] C:\Program Files\EPSON\Ink Monitor\InkMonitor.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [EPSON Stylus C60 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /A "C:\WINDOWS\system32\E_S3D7.tmp"
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=34738&clcid=0x409
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vs...03C00/setup.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O17 - HKLM\System\CS1\Services\VxD\MSTCP: Domain = mydomain.com
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe

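As an added example that is not part of this thread (it is neither bona's log nor MFDnSC's instructions), a small Python parser that reads HijackThis log lines in the format posted above and flags the entries a reviewer would look at first: orphaned entries marked "(file missing)", O17 DNS domain settings, and O16 ActiveX downloads from domains outside a small allow-list. The sample lines are copied from the log above; the allow-list of download domains is an assumption, not something HijackThis defines.

```python
import re

# Constructed sample: six lines in the shape of the HijackThis v1.99.1 log
# posted in this thread (paths and CLSIDs copied from that log).
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.huskymail.uconn.edu/?user=cdf03002
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} - http://www.fastfind.org/ss/client/52983/vs...03C00/setup.exe
O17 - HKLM\System\CCS\Services\VxD\MSTCP: Domain = mydomain.com
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

# Every HijackThis entry starts with a section code (R0, F1, N1, O2, O16, ...)
# followed by " - " and the entry body.
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.*)$")

# Assumed allow-list of O16 download hosts a reviewer already recognises;
# anything else is surfaced for a manual look.
KNOWN_DPF_HOSTS = ("microsoft.com", "kaspersky.com")


def parse_hjt(text):
    """Return (code, body) tuples for every entry line; other lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def review(text):
    """Return (reason, code, body) for entries that merit a reviewer's attention."""
    findings = []
    for code, body in parse_hjt(text):
        if "(file missing)" in body:
            # Registry still points at a DLL that is gone: leftover of a removed component.
            findings.append(("orphaned_entry", code, body))
        elif code == "O17":
            # DNS domain/search settings; worth confirming they match the real network.
            findings.append(("dns_domain_setting", code, body))
        elif code == "O16" and not any(h in body for h in KNOWN_DPF_HOSTS):
            findings.append(("unrecognised_activex_download", code, body))
    return findings


if __name__ == "__main__":
    for reason, code, body in review(SAMPLE_LOG):
        print(f"{reason:32} {code:4} {body}")
```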
#10 MFDnSC

    Ret. Director I/T


  • Members
  • 4,310 posts

Posted 20 February 2006 - 01:21 PM

Is your Norton up to date??????????????

Download http://www.downloads.subratam.org/KillBox.zip

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\Documents and Settings\Administrator\My Documents\Data\all_files2-1.exe
C:\Documents and Settings\Administrator\My Documents\Data\all_files2.exe
C:\Documents and Settings\Administrator\My Documents\Data\all_files3.exe
C:\Documents and Settings\Administrator\My Documents\Data\all_files3b.exe
C:\Documents and Settings\Administrator\My Documents\Data\Data\memwatcher.exe
C:\Documents and Settings\Administrator\My Documents\Data\Data\popinstlite.exe


Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START – RUN – type in %temp% OK - Edit – Select all – File – Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new log from normal NOT safe mode

Please give feedback on what worked/didn’t work and the current status of your system
"Nothing could be finer than to be in South Carolina ............"

Member ASAP

#11 bona

  • Topic Starter

  • Members
  • 50 posts

Posted 25 February 2006 - 03:31 PM

Thanks for all your help, I think we can close the book on this one. The properties window still can't be accessed through right clicking, but you did help me remove a few nasty things. Thanks for everything.

-Bona



