
HJT Log For What I Believe Might Be The Spyware Sheriff Worm


  • This topic is locked
6 replies to this topic

#1 SacredGroove


  • Members
  • 3 posts

Posted 23 May 2006 - 06:46 PM

I get several errors when I boot up my machine. I get the "your computer is in danger!" error and the "your computer is infected with spyware" error.

I get numerous system errors as well. They are as follows:

services and controller app

dlh9jkdq6.exe
dlh9jkdq7.exe
dlh9jkdq9.exe

vxgamet1.exe

Task manager is disabled by admin.

I had to remove everything from the startup file just to get the computer to fully boot before losing the desktop and shutting down.

I have followed all the instructions given by this site such as running Ad-Aware, Spybot and the Stinger AV. I could not run Panda. My computer would not download it.

I have run the HijackThis from C:. Here is the log. Thank you all so much for any help you can give!

John


Logfile of HijackThis v1.99.1
Scan saved at 4:39:40 PM, on 5/23/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator\Local Settings\Temp\Temporary Directory 1 for HijackThis.zip\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.vroomsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.exe"
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: IExplorerHelper Class - {E89097ED-3400-411D-9647-D368C3311C98} - C:\WINDOWS\System32\IeHelperVY.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe
O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20026\winlogon.exe
O4 - HKLM\..\Run: [W]^YaXKYVW]ZOWL] C:\WINDOWS\System32\vbtuyp.exe
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\inet20026\socks.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\ibfvutqg.exe
O4 - HKLM\..\Run: [cde41a6c.exe] C:\WINDOWS\System32\cde41a6c.exe
O4 - HKLM\..\Run: [ZPoint] C:\WINDOWS\System32\winmuse.exe
O4 - HKLM\..\Run: [rpcc] rpcc.exe
O4 - HKLM\..\Run: [msmsn] c:\windows\system32\msmsn.exe
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKLM\..\Run: [DCOM Server] C:\WINDOWS\System32\dxvwscqo.exe
O4 - HKLM\..\Run: [Explorer32] C:\WINDOWS\System32\efsdfgxg.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKLM\..\RunServices: [W]^YaXKYVW]ZOWL] C:\WINDOWS\System32\vbtuyp.exe
O4 - HKLM\..\RunServices: [Explorer64] C:\WINDOWS\System32\efsdfgxg.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://download.weatherbug.com/minibug/tri...Transporter.cab?
O16 - DPF: {2C0F2AEA-3A9B-46DB-A7BE-80FF329E415D} - http://www.accesoplugin.com/dialercab/PPre...ternacional.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200112...meInstaller.exe
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/13990bfbeb3f3c...ip/RdxIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1132622847492
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://zone.msn.com/bingame/gold/default/gf.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1014021.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/.../yiebio4025.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/wdriver...wave/wtinst.cab
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Documents\Settings\20242402.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: flashdrvr - flashdrvr.dl (file missing)
O20 - Winlogon Notify: gdwxp3 - C:\WINDOWS\SYSTEM32\gdwxp3.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
O20 - Winlogon Notify: prwsks - C:\WINDOWS\SYSTEM32\prwsks.dll
O20 - Winlogon Notify: SensSrv - C:\WINDOWS\SYSTEM32\senssrv.dll
O20 - Winlogon Notify: s_reg - C:\WINDOWS\SYSTEM32\notifysb.dll
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINDOWS\System32\knfcahao.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dxvwscqo.exe
O21 - SSODL: SysTray.Exsl - {6368D5FC-6F5C-4f5b-B164-E67214F67859} - C:\WINDOWS\System32\dhiclkni.dll
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe


#2 miekiemoes


    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 24 May 2006 - 05:37 AM

Hello,

This is a real nasty log, and actually it doesn't surprise me at all because your Windows is unpatched. Your system is extremely vulnerable without the necessary patches. I see in your log that it was made in safe mode - because I am pretty sure you are not able to boot into normal mode with the amount of malware present.

First of all, you didn't unzip/extract HijackThis, and it's still in the temp folder.
So I strongly advise you to unzip/extract hijackthis.zip.
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Create a permanent folder and move hijackthis.exe into it. The reason is because hijackthis creates backups and when it's in your temp-folder it can be accidentally deleted.
How do you make a permanent folder:

Click My Computer, then C:\ and then on Program Files.
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there.

It's better to print out the next instructions or save it in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Don't use it yet, we'll use it afterwards in safe mode.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.vroomsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=explorer.exe "C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.exe"
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\system32\winbrume.dll
O2 - BHO: (no name) - {5321E378-FFAD-4999-8C62-03CA8155F0B3} - (no file)
O2 - BHO: IExplorerHelper Class - {E89097ED-3400-411D-9647-D368C3311C98} - C:\WINDOWS\System32\IeHelperVY.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [System] C:\WINDOWS\System32\kernels8.exe
O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20026\winlogon.exe
O4 - HKLM\..\Run: [W]^YaXKYVW]ZOWL] C:\WINDOWS\System32\vbtuyp.exe
O4 - HKLM\..\Run: [Microsoft standard protector] C:\WINDOWS\inet20026\socks.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\ibfvutqg.exe
O4 - HKLM\..\Run: [cde41a6c.exe] C:\WINDOWS\System32\cde41a6c.exe
O4 - HKLM\..\Run: [ZPoint] C:\WINDOWS\System32\winmuse.exe
O4 - HKLM\..\Run: [rpcc] rpcc.exe
O4 - HKLM\..\Run: [msmsn] c:\windows\system32\msmsn.exe
O4 - HKLM\..\Run: [SystemLoader] C:\WINDOWS\sysldr32.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - HKLM\..\Run: [DCOM Server] C:\WINDOWS\System32\dxvwscqo.exe
O4 - HKLM\..\Run: [Explorer32] C:\WINDOWS\System32\efsdfgxg.exe
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\kernels8.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKLM\..\RunServices: [W]^YaXKYVW]ZOWL] C:\WINDOWS\System32\vbtuyp.exe
O4 - HKLM\..\RunServices: [Explorer64] C:\WINDOWS\System32\efsdfgxg.exe
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://download.weatherbug.com/minibug/tri...Transporter.cab?
O16 - DPF: {2C0F2AEA-3A9B-46DB-A7BE-80FF329E415D} - http://www.accesoplugin.com/dialercab/PPre...ternacional.cab
O16 - DPF: {54823A9D-6BAE-11D5-B519-0050BA2413EB} (ChkDVDCtl Class) - http://www.gocyberlink.com/winxp/CheckDVD.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/13990bfbeb3f3c...ip/RdxIE601.cab
O16 - DPF: {DB893839-10F0-4AF9-92FA-B23528F530AF} - http://deposito.hostance.net/dialer/1014021.exe
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v6.cab
O16 - DPF: {FA13A9FA-CA9B-11D2-9780-00104B242EA3} (WildTangent Control) - http://www.wildtangent.com/install/wdriver...wave/wtinst.cab
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Documents\Settings\20242402.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: flashdrvr - flashdrvr.dl (file missing)
O20 - Winlogon Notify: gdwxp3 - C:\WINDOWS\SYSTEM32\gdwxp3.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
O20 - Winlogon Notify: prwsks - C:\WINDOWS\SYSTEM32\prwsks.dll
O20 - Winlogon Notify: SensSrv - C:\WINDOWS\SYSTEM32\senssrv.dll
O20 - Winlogon Notify: s_reg - C:\WINDOWS\SYSTEM32\notifysb.dll
O21 - SSODL: SysTray.Exgl - {636821FC-6F5C-2f1b-B164-E67214F678E2} - C:\WINDOWS\System32\knfcahao.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dxvwscqo.exe
O21 - SSODL: SysTray.Exsl - {6368D5FC-6F5C-4f5b-B164-E67214F67859} - C:\WINDOWS\System32\dhiclkni.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Reboot into Safe Mode (without networking support!):
To get into Safe Mode, as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.exe
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00007.dll
C:\WINDOWS\System32\kernels8.exe
C:\WINDOWS\System32\0mcamcap.exe
C:\WINDOWS\inet20026 <== folder
C:\WINDOWS\System32\vbtuyp.exe
C:\Program Files\ibfvutqg.exe
C:\WINDOWS\System32\cde41a6c.exe
C:\WINDOWS\System32\winmuse.exe
c:\windows\system32\msmsn.exe
C:\WINDOWS\sysldr32.exe
C:\WINDOWS\System32\spoolsvv.exe <== DON'T try to delete spoolsv.exe!! Because that one is legit. So watch the spelling!
C:\WINDOWS\System32\dxvwscqo.exe
C:\WINDOWS\System32\efsdfgxg.exe
C:\Documents and Settings\All Users\Documents\Settings\20242402.dll
C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
C:\WINDOWS\SYSTEM32\gdwxp3.dll
C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
C:\WINDOWS\SYSTEM32\prwsks.dll
C:\WINDOWS\SYSTEM32\senssrv.dll
C:\WINDOWS\SYSTEM32\notifysb.dll
C:\WINDOWS\System32\knfcahao.dll
C:\WINDOWS\System32\dhiclkni.dll

Please hide your hidden files and folders again afterwards, because the above instructions to set your system to show all files unhide legit files and folders as well,
and I don't want you to delete them because they may look suspicious. To hide them again, just perform the above instructions in the opposite way.

* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, check whether you can click the next icon next to the files found: Posted Image
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    Posted Image
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer back to normal mode!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply together with a new HijackThis log.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
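As an added example that is not part of the thread and not HijackThis's own code, the following Python script parses a handful of O4/O20/O21/O23 lines in the log format quoted above and applies the checks the reply relies on when it picks entries to fix: a core Windows binary name living outside C:\WINDOWS or C:\WINDOWS\System32 (the inet20026\winlogon.exe case), a name one character away from a real one (spoolsvv.exe beside the legitimate spoolsv.exe), and entries whose file is already missing. The sample lines are a constructed subset of the posted log; the list of system binary names and the two trusted folders are assumptions for the example, chosen for a default Windows XP install.

```python
import ntpath
import re

# Constructed sample in HijackThis v1.99.1 log format. It is modelled on a
# subset of the entries quoted in the thread above, not the complete log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [xp_system] C:\WINDOWS\inet20026\winlogon.exe
O4 - HKLM\..\Run: [W]^YaXKYVW]ZOWL] C:\WINDOWS\System32\vbtuyp.exe
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\System32\spoolsvv.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O20 - Winlogon Notify: flashdrvr - flashdrvr.dl (file missing)
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dxvwscqo.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
"""

# One regex per HijackThis section handled here; 'target' is the command
# line, DLL or service image that the entry loads at logon.
PATTERNS = [
    ("O4", re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>.*)\] (?P<target>.+)$")),
    ("O4", re.compile(r"^O4 - (?P<key>Global Startup): (?P<name>.+?) = (?P<target>.+)$")),
    ("O20", re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<target>.+)$")),
    ("O21", re.compile(r"^O21 - SSODL: (?P<name>.+?) - \{[^}]+\} - (?P<target>.+)$")),
    ("O23", re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<target>.+)$")),
]

# Assumption for this example: core XP binaries that malware imitates, and
# the only folders where the genuine copies live on a default C:\WINDOWS install.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "spoolsv.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}


def image_path(target):
    """Pull the executable/DLL path out of a command line or target field."""
    t = target.strip()
    if t.startswith('"'):                      # quoted path, arguments follow
        return t[1:t.index('"', 1)]
    m = re.match(r"(.+?\.(?:exe|dll|dl|ocx|sys))(?=\s|$)", t, re.IGNORECASE)
    if m:
        return m.group(1)
    return t.split(" ")[0]                     # no recognisable extension


def edit_distance(a, b):
    """Plain Levenshtein distance, used to spot one-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def flag_entry(entry):
    """Return the list of reasons an entry deserves a closer look."""
    flags = []
    target = entry["target"]
    if "(file missing)" in target:
        flags.append("FILE_MISSING")
    image = image_path(target)
    base = ntpath.basename(image).lower()
    folder = ntpath.dirname(image).lower()
    if base in SYSTEM_BINARIES:
        # Genuine name, but loaded from somewhere the real binary never lives.
        if folder and folder not in SYSTEM_DIRS:
            flags.append("SYSTEM_NAME_OUTSIDE_SYSTEM_DIR")
    else:
        for legit in sorted(SYSTEM_BINARIES):
            if edit_distance(base, legit) == 1:
                flags.append(f"LOOKALIKE_OF_{legit}")
    return flags


def parse_log(text):
    """Parse the supported sections into dicts, each carrying its flags."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        for kind, pattern in PATTERNS:
            m = pattern.match(line)
            if m:
                entry = {"type": kind, **m.groupdict()}
                entry["flags"] = flag_entry(entry)
                entries.append(entry)
                break
    return entries


def suspicious(text):
    """(entry name, flags) for every parsed entry that raised at least one flag."""
    return [(e["name"], e["flags"]) for e in parse_log(text) if e["flags"]]


if __name__ == "__main__":
    for name, flags in suspicious(SAMPLE_LOG):
        print(f"{name:20} {', '.join(flags)}")
```

On the sample, `suspicious(SAMPLE_LOG)` flags exactly three entries: spoolsvv (look-alike of spoolsv.exe), xp_system (winlogon.exe outside the system folders) and flashdrvr (file missing). The distance check only catches one-character imitations, so randomly named files such as kernels8.exe or vbtuyp.exe still have to be judged by their location and by context, which is what the reply does by hand.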

#3 SacredGroove

  • Topic Starter

  • Members
  • 3 posts

Posted 25 May 2006 - 02:22 AM

Thank you so much for your time and efforts!

Here is what I've got:

I followed all instructions you gave and almost everything worked. There were just a few things.

I could not delete the following files as they were all in use by another program.

C:Docs and settings\all users\docs\settings\20242402.dll
C:".........................................................\artm_new.dll
C:".........................................................\polymorph.dll
C:".........................................................\notifysb.dll (this one was removed by drweb)

Here is a new hjt log

Logfile of HijackThis v1.99.1
Scan saved at 2:13:22 AM, on 5/25/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_04\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Software Soft Stop] C:\Program Files\Spyware Soft Stop\Spyware Soft Stop.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200112...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1132622847492
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/.../yiebio4025.cab
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Documents\Settings\20242402.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
O20 - Winlogon Notify: s_reg - notifysb.dll (file missing)
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

Here is the DrWeb log

notifysb.dll;C:\WINDOWS\System32;Trojan.Fakealert;Will be cured after reboot.;
armdvc.sys;C:\WINDOWS\System32;Trojan.PWS.Haxspy;Deleted.;
flashdrv3.sys;C:\WINDOWS\System32;Trojan.PWS.GoldSpy;Deleted.;
ke7dnl.sys;C:\WINDOWS\System32;Trojan.NtRootKit.119;Deleted.;
prw76sks.sys;C:\WINDOWS\System32;Trojan.PWS.GoldSpy;Deleted.;
ablcgfxd.exe;C:\;Trojan.Fakealert;Deleted.;
bsoj.exe;C:\;Adware.Voghp;Moved.;
cdkh.exe;C:\;Trojan.Fakealert;Deleted.;
gdyqjswt.exe;C:\;Trojan.Proxy.890;Deleted.;
grwwqal.exe;C:\;Trojan.Click.1050;Deleted.;
ixqv.exe;C:\;Trojan.Click.1050;Deleted.;
iyfsb.exe;C:\;Trojan.PWS.Snap;Deleted.;
jptxftjp.exe;C:\;Adware.Voghp;Moved.;
kbfu.exe;C:\;Trojan.PWS.Snap;Deleted.;
kkxjufpx.exe;C:\;Trojan.DownLoader.9179;Deleted.;
nftu.exe;C:\;Trojan.Fakealert;Deleted.;
sipmhn.exe;C:\;Trojan.DownLoader.9179;Deleted.;
thgcrfu.exe;C:\;Trojan.Proxy.884;Deleted.;
ujbg.exe;C:\;Trojan.DownLoader.9179;Deleted.;
wcuwjc.exe;C:\;Trojan.DownLoader.10142;Deleted.;
winstall.exe;C:\;Trojan.Fakealert;Deleted.;
update.exe;C:\WINDOWS\system32\dllcache;Trojan.MulDrop.3652;Deleted.;
171A.tmp;C:\WINDOWS\Temp;Trojan.Yaspy;Deleted.;
2A1D.tmp;C:\WINDOWS\Temp;Trojan.Spambot;Deleted.;
3317.tmp;C:\WINDOWS\Temp;Trojan.Spambot;Deleted.;
35E8.tmp;C:\WINDOWS\Temp;Trojan.Yaspy;Deleted.;
3B6D.tmp;C:\WINDOWS\Temp;Trojan.Yaspy;Deleted.;
6218.tmp;C:\WINDOWS\Temp;Trojan.Spambot;Deleted.;
85C4.tmp;C:\WINDOWS\Temp;Trojan.Yaspy;Deleted.;
9669.tmp;C:\WINDOWS\Temp;Trojan.Yaspy;Deleted.;
C21.tmp;C:\WINDOWS\Temp;Trojan.Yaspy;Deleted.;
D9C9.tmp;C:\WINDOWS\Temp;Trojan.Yaspy;Deleted.;
F9CB.tmp;C:\WINDOWS\Temp;Trojan.Yaspy;Deleted.;


Thanks again for all your help!

John

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 25 May 2006 - 03:31 AM

Hi John,

As you already noticed, it is/was quite a nasty collection you were having there...

Let's deal with the rest now...

* Download Killbox.
Click killbox.exe.
Select the option "Delete on reboot".
Click the button: All Files (!important!)
Now it should flash green.

Now copy the next bold part:

C:\Documents and Settings\All Users\Documents\Settings\20242402.dll
C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll


Open 'file' in the killboxmenu on top and choose Paste from clipboard

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES
If you don't get that message, reboot manually.

Your computer should reboot now.

After reboot,

Uninstall Spyware Soft Stop, because this is a so-called spyware remover with a bad reputation.
I also see you have PartyPoker installed.
If you didn't install it with the intention of playing it, I suggest you uninstall it, because in most cases these programs are supported by malware, get installed without asking and also lead you to sites where malware is lurking.
If you do play it, then leave it alone.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O4 - HKLM\..\Run: [Software Soft Stop] C:\Program Files\Spyware Soft Stop\Spyware Soft Stop.exe
O20 - Winlogon Notify: 20242402reg - C:\Documents and Settings\All Users\Documents\Settings\20242402.dll
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
O20 - Winlogon Notify: s_reg - notifysb.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Delete next folder:

C:\Program Files\Spyware Soft Stop

And delete the contents of next folder:

C:\Documents and Settings\JOHN HIPP\Application Data\DoctorWeb\quarantaine

Update your Sun Java, because you are running a vulnerable version:
Updating Java:
  • Go to Start > Control Panel double-click on the Software icon > add/remove programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )
    It should have the next icon next to it: (image not reproduced)
    Select it and click Remove.
  • Then download and install the newest version from here: http://www.java.com/en/download/manual.jsp
Perform next step again:

* Clean your Cache and Cookies in IE:

  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.


Please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Click "Scan Settings" and check the option to use the EXTENDED DATABASE, then click "OK"
7. Select a target to scan: Click on "My Computer"
8. When the scan is complete choose to save the results as "Save as Text"
9. Post the Kaspersky scan results in your next reply together with a new HijackThis log made in NORMAL mode - not in safe mode.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 SacredGroove

SacredGroove
  • Topic Starter

  • Members
  • 3 posts

Posted 26 May 2006 - 12:20 AM

Thank you again for all your help so far!

Here is what is going on now.

I followed your instructions to the best of my ability. I cannot run the cleanmgr now. It brings up an error saying it needs to shut it down.

I was not able to actually uninstall the spyware soft stop program. I had to boot into safe mode to delete the folder as it was running in normal mode and I cannot bring up the task manager to stop the process. (can you tell me how to give myself permissions to the task manager again?)

I installed party poker so that I could play. If it is that bad, I can get rid of it. Do you recommend a poker site to play on?

I tried to run the Kaspersky Webscan however it also errors out saying that I don't have the right permissions to run the scan.

Here is my latest HJT log in normal mode.

Logfile of HijackThis v1.99.1
Scan saved at 12:11:01 AM, on 5/26/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\Creative\SBLive\Program\AHQInit.exe
C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\atiptaxx.exe
C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.vroomsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hotwebsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\inet20026\winlogon.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Monitor] C:\PROGRA~1\LEXMAR~1\ACMonitor_X83.exe
O4 - HKLM\..\Run: [Lexmark X83 Button Manager] C:\PROGRA~1\LEXMAR~1\AcBtnMgr_X83.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [Alogserv] C:\Program Files\McAfee\McAfee VirusScan\alogserv.exe
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKCU\..\Run: [Matt] C:\Documents and Settings\JOHN HIPP\Application Data\tapu.exe
O4 - HKCU\..\Run: [Bdlvq] C:\WINDOWS\System32\l?gonui.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\System32\vxgame6.exe3072.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20026\winlogon.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: ConferenceRoom Java Client - http://chat.privatefeeds.com:8000/java/cr.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200112...meInstaller.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1132622847492
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://zone.msn.com/bingame/feed/default/SproutLauncher.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup145.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - http://us.dl1.yimg.com/download.yahoo.com/.../yiebio4025.cab
O23 - Service: AVSync Manager (AvSynMgr) - Networks Associates Technologies, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: IMAPI CD-Burning COM Service (ImapiService) - Roxio Inc. - C:\WINDOWS\System32\ImapiRox.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe

Thanks again!

John
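
An added example, not code from the thread, from HijackThis or from BleepingComputer: a small Python triage that applies to the log above the same rules of thumb the helper's fix lists follow (an IE start page pointing at a local file, a win.ini run= autostart, a system-binary name such as winlogon.exe outside system32, the '?' HijackThis prints where it cannot render a character in a file name, a double extension like .exe3072.exe, and Winlogon Notify DLLs that are missing or live outside system32). The sample lines are constructed from the log posted above, the list of system binary names is an assumption, and the verdicts are heuristics, not a signature database.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample, assumed for this example: a few lines in the shape of the
# HijackThis v1.99.1 log posted above. Entries are copied from that log; the
# verdicts below are heuristics, not a signature database.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.vroomsearch.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
F3 - REG:win.ini: run=C:\WINDOWS\inet20026\winlogon.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKCU\..\Run: [Bdlvq] C:\WINDOWS\System32\l?gonui.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\System32\vxgame6.exe3072.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20026\winlogon.exe
O20 - Winlogon Notify: s_reg - notifysb.dll (file missing)
O20 - Winlogon Notify: polymorphreg - C:\Documents and Settings\All Users\Documents\Settings\polymorph.dll
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
"""

# Windows XP system binaries whose names malware borrows (assumed list).
SYSTEM_BINARIES = {"winlogon.exe", "logonui.exe", "svchost.exe", "lsass.exe",
                   "services.exe", "csrss.exe", "smss.exe", "explorer.exe"}

LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# Greedy, so "vxgame6.exe3072.exe" is kept whole instead of cut at the first ".exe".
EXE_RE = re.compile(r'^(.*\.(?:exe|dll|com|scr))(?=["\s]|$)', re.I)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _value(section: str, rest: str) -> str:
    """Return the path/URL part of a HijackThis entry for the sections we triage."""
    separators = {"R0": " = ", "R1": " = ", "F3": "run=", "O4": "] ", "O20": " - "}
    sep = separators.get(section)
    if sep is None or sep not in rest:
        return ""
    return rest.split(sep, 1)[1].strip()


def _split(value: str) -> tuple[str, str]:
    """Strip quotes, arguments and the '(file missing)' marker; return (path, file name)."""
    value = value.lstrip('"').split(" (file missing)")[0]
    m = EXE_RE.match(value)
    path = m.group(1) if m else value
    return path, path.rsplit("\\", 1)[-1].lower()


def _in_system32(path: str) -> bool:
    return "\\windows\\system32\\" in path.lower()


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, rest = m.group(1), m.group(2)
        line = raw.strip()
        value = _value(section, rest)
        path, name = _split(value)
        reason = None
        if section in ("R0", "R1") and re.match(r"[a-z]:\\", value, re.I):
            reason = "IE start/search page points at a local file"
        elif section == "F3":
            reason = "win.ini run= autostart; legitimate XP software does not use it"
        elif section == "O4":
            if "?" in name:
                reason = "unprintable character in file name, lookalike of a system binary"
            elif name in SYSTEM_BINARIES and not _in_system32(path):
                reason = f"{name} outside system32"
            elif name.count(".exe") > 1:
                reason = "double extension in file name"
        elif section == "O20":
            if "(file missing)" in rest:
                reason = "Winlogon Notify hook whose DLL is gone (stale, but the registry value remains)"
            elif "\\" in path and not _in_system32(path):
                reason = "Winlogon Notify DLL loaded from outside system32"
        if reason:
            findings.append(Finding(section, reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the sample it flags seven of the eleven lines. It deliberately stays silent on URL-based hijacks such as the vroomsearch.com search page, which need a reputation list the script does not carry, and on HKCU Run entries with innocuous names (xpupdate.exe), which is why the helper's fix list in the next reply is longer than the script's output.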

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 26 May 2006 - 01:41 AM

Hi,

Let's give this another round..


It looks like the malware already damaged a lot on your system..

I was not able to actually uninstall the spyware soft stop program. I had to boot into safe mode to delete the folder as it was running in normal mode and I cannot bring up the task manager to stop the process. (can you tell me how to give myself permissions to the task manager again?)


So I assume you could delete the folder in safe mode?

Concerning your Task Manager, there could be a policy set, or there could be a fake taskmgr.com being created.

So perform next:

* Download AlcanShorty from here.
  • Click the download button below and agree to download the fix.
  • Download Alcanshorty to your desktop.
  • DoubleClick alcanshorty_en.exe and click install
  • This will create a new folder on your desktop called alcanshorty_en
  • Open that folder and doubleclick Run.bat
  • Once the fix starts, your icons and desktop will disappear, this is normal.
Make sure you have a working internet connection. In case your firewall gives an alert, don't block it,
because alcanshorty needs to download some additional files to let the tool run properly.
  • Wait for the complete script execution box to popup and press OK.
  • Press exit to terminate the BFU program.
* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://www.vroomsearch.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hotwebsearch.com/
R3 - Default URLSearchHook is missing
F3 - REG:win.ini: run=C:\WINDOWS\inet20026\winlogon.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [Matt] C:\Documents and Settings\JOHN HIPP\Application Data\tapu.exe
O4 - HKCU\..\Run: [Bdlvq] C:\WINDOWS\System32\l?gonui.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\System32\vxgame6.exe3072.exe
O4 - HKCU\..\Run: [xp_system] C:\WINDOWS\inet20026\winlogon.exe


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!


Delete next folder and files if still present:

C:\WINDOWS\inet20026 <== folder
C:\Documents and Settings\JOHN HIPP\Application Data\tapu.exe
C:\Windows\xpupdate.exe
C:\WINDOWS\System32\0mcamcap.exe
C:\WINDOWS\System32\vxgame6.exe3072.exe

If you are having problems with deleting them, try it in safe mode.

* Download: Hoster
Unzip Hoster to its own folder, e.g. C:\Hoster
Start Hoster.exe, click 'Restore Original Hosts' and click OK.

Download and Save blacklight to your desktop.
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe then accept the agreement.
click > scan then > next,
You'll see a list of all items found.
Don't choose rename yet! I want to see the log first, because legit items can also be present there...
There should also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
I need that log later.

Try next online scanner:

* Click here to use the F-Secure Online Scanner
It's explained there with images how to allow the ActiveX to start the scan, so read that first.
  • Then click the F-Secure Online Scanner Next Generation Beta link.
  • Once the ActiveX is installed, you should accept the License terms by clicking OK below to start the scan.
  • Click the Full System Scan button.
  • It will start to download scanner components and databases. This can take a while.
  • The main scan will start.
  • Once the scan has finished, click the Automatic cleaning (recommended) button
  • It could be possible that your firewall gives an alert - allow it, because that's a connection you establish to submit infected files to F-Secure.
  • The cleaning can take a while, so please be patient.
  • Then click the Show report button and copy and paste what's present under results in your next reply together with the Blacklight log and a new HijackThis log.

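
The remark above about a fake taskmgr.com, worked through as an added example (not code from the thread or from any tool it names): a Python model of how Windows picks a file for a bare command name, and a check for .com/.exe twins in a directory listing. The PATHEXT value and the directory listings are constructed assumptions, and the resolution order is assumed to follow the cmd.exe rule (directories in PATH order, and within each directory the extensions in PATHEXT order).

```python
from __future__ import annotations

# Default PATHEXT on Windows XP, assumed here; the live value is shown by
# `echo %PATHEXT%`. Order matters: .COM is tried before .EXE.
DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH"

# Constructed directory listings standing in for the PATH search order of an
# XP box; a hypothetical taskmgr.com has been planted next to the real taskmgr.exe.
SAMPLE_PATH = {
    r"C:\WINDOWS\system32": ["cmd.exe", "more.com", "notepad.exe",
                             "taskmgr.com", "taskmgr.exe", "tree.com"],
    r"C:\WINDOWS": ["explorer.exe", "regedit.exe"],
}


def resolve(command: str, path_dirs: dict[str, list[str]],
            pathext: str = DEFAULT_PATHEXT) -> str | None:
    """Return the file Windows would launch for a bare name typed at Start > Run.

    Mirrors the cmd.exe rule: walk the PATH directories in order and, within
    each, try the PATHEXT extensions in order. A name that already carries an
    extension is taken literally.
    """
    if "." in command:
        candidates = [command]
    else:
        candidates = [command + ext for ext in pathext.split(";")]
    for directory, names in path_dirs.items():
        present = {n.lower() for n in names}
        for cand in candidates:
            if cand.lower() in present:
                return f"{directory}\\{cand.lower()}"
    return None


def shadowed_binaries(names: list[str]) -> list[str]:
    """Stems present as both .com and .exe in one directory.

    Under the default PATHEXT the .com copy wins, so a stray taskmgr.com or
    regedit.com next to the genuine .exe is worth a closer look.
    """
    by_stem: dict[str, set[str]] = {}
    for n in names:
        stem, _, ext = n.lower().rpartition(".")
        by_stem.setdefault(stem, set()).add(ext)
    return sorted(s for s, exts in by_stem.items() if {"com", "exe"} <= exts)


if __name__ == "__main__":
    print(resolve("taskmgr", SAMPLE_PATH))   # the planted .com wins over the real .exe
    print(shadowed_binaries(SAMPLE_PATH[r"C:\WINDOWS\system32"]))
```

With the planted file present, "taskmgr" resolves to taskmgr.com; remove it and the same call returns taskmgr.exe. For the other case the helper mentions, a policy, the value to look at is DisableTaskMgr under HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System (and its HKLM twin); deleting it or setting it to 0 only sticks once whatever keeps re-setting it is gone.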

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 02 June 2006 - 05:34 PM

Due to the lack of feedback, this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Edited by miekiemoes, 02 June 2006 - 05:34 PM.




