Unknown.sagonet.net, Trojan-dropper, Bloodhound.tibs


38 replies to this topic

#1 Black_Talon

Black_Talon

  • Members
  • 21 posts
  • OFFLINE
  • Local time:07:34 AM

Posted 04 June 2006 - 01:22 PM

I just recently had a major infection with several hijackers, browser hijackers, Spy Sheriff, trojans, downloaders, et al. But something is still wrong: the dreaded unknown.sagonet.net connection is using some sort of back door exploit. Using Event Viewer, I was able to determine that it may be a remote desktop port exploit. Internet Explorer is opening covertly (unwindowed) in the background repeatedly (I'm sure this is part of the exploit by now) and taking priority over other windows without showing itself at all. I also have a problem with a file called dmx53.tmp, which Norton believes is a "bloodhound.tibs" infection; however, by using Google search I have found that this file may be part of a "Trojan-Dropper.Win32.Agent.afj" infection (Japanese HJT log site); a search on the computer for the file yields no results. Also, my port explorer trial explored many executions and days early for an unknown reason. Please help me resolve my problems and to identify any new ones (I've already used Spybot - S&D, Ad-aware, and Norton. My attempt to use Panda ActiveScan was interrupted by an unknown problem after having found suspected hacking tools and spyware). In addition, there is a file that runs on my startup that I am unsure of: "vcibaaa.exe." Here's my log (yes, I know about SpyKiller, and there are some vestiges of old infections):

O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [stratas]
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sachost] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [brmfrsmq] C:\WINDOWS\system32\brmfrsmq.exe
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\system32\intell321.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [stratas]
O4 - HKLM\..\RunServices: [brmfrsmq] C:\WINDOWS\system32\brmfrsmq.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [jtncbdfd] C:\WINDOWS\system32\jtncbdfd.exe
O4 - HKCU\..\Run: [brmfrsmq] C:\WINDOWS\system32\brmfrsmq.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: PokerNow - {2DB0FBAF-5223-4c96-8C25-F60D5E437D34} - C:\Program Files\PokerNow\PokerNow.exe (file missing)
O9 - Extra 'Tools' menuitem: PokerNow - {2DB0FBAF-5223-4c96-8C25-F60D5E437D34} - C:\Program Files\PokerNow\PokerNow.exe (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (HKCU)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab34120.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetl...bGameLoader.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1149435493609
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp...23/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BCF9A64D-1440-4404-863C-F5DF2B99F798} (Catan Online Game) - http://zone.msn.com/bingame/zpagames/zpa_catan.cab36135.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O16 - DPF: {D42ED9FF-DF46-4AD9-A3FE-46BAF896466E} (CountSpies.SpyCounter) - http://www.sunbelt-software.com/dell/CounterSpy.CAB
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab35645.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {EDFCDAF5-95D9-40E9-BBE6-10C33190C3EF} (cGameControl Class) - http://zone.msn.com/bingame/rmcb/default/RumbleCube.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: IEFilter - {E7CEE683-A378-44C1-A315-DFD83D2B053C} - IEFilter1.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Service - Unknown owner - C:\WINDOWS\system32\Service.exe
O23 - Service: Service 8 (Service Filter) - Unknown owner - C:\WINDOWS\smncs.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

Edited by Black_Talon, 04 June 2006 - 01:30 PM.
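The O4 autostart and O23 service lines in a HijackThis log can be triaged mechanically before a human looks at them. The script below is an added example, not part of this thread and not HijackThis code; it parses a constructed subset of the lines quoted in the post above and flags the patterns a log helper checks first (an entry with no command, a random-looking name in a system directory, one binary registered in several autostart locations, a service with no vendor string, a service whose file is missing). The heuristics and the finding texts are the example's own.

```python
"""Triage helper for HijackThis-style O4 and O23 log lines.
Added example; not part of the forum thread and not HijackThis code.
The sample below is constructed from lines quoted in the original post;
the heuristics are this example's own, not a vendor's detection logic."""
import re
from collections import defaultdict

# Constructed sample: a subset of the O4/O23 lines shown in the first post.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [stratas]
O4 - HKLM\..\Run: [sachost] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [brmfrsmq] C:\WINDOWS\system32\brmfrsmq.exe
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\system32\intell321.exe
O4 - HKLM\..\RunServices: [brmfrsmq] C:\WINDOWS\system32\brmfrsmq.exe
O4 - HKCU\..\Run: [jtncbdfd] C:\WINDOWS\system32\jtncbdfd.exe
O4 - HKCU\..\Run: [brmfrsmq] C:\WINDOWS\system32\brmfrsmq.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Service - Unknown owner - C:\WINDOWS\system32\Service.exe
O23 - Service: Service 8 (Service Filter) - Unknown owner - C:\WINDOWS\smncs.exe (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
VOWELS = set("aeiouy")
# Directories where an unfamiliar bare executable deserves a second look.
SYSTEM_DIRS = (r"c:\windows", r"c:\windows\system32")


def executable_of(cmd):
    """Return the program path from an O4 command string (handles quoting)."""
    cmd = cmd.strip()
    if not cmd:
        return ""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def looks_random(path):
    """Heuristic: a file stem of six or more letters with no vowel (jtncbdfd)
    is unusual for legitimate software and typical of generated malware names."""
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
    return bool(re.fullmatch(r"[a-z]{6,}", stem)) and not (set(stem) & VOWELS)


def in_system_dir(path):
    """True when the file sits directly in C:\\WINDOWS or C:\\WINDOWS\\system32."""
    parent = path.lower().rsplit("\\", 1)[0]
    return parent in SYSTEM_DIRS


def triage(log_text):
    """Return a de-duplicated list of (kind, subject, reason) findings."""
    findings, seen = [], set()
    locations = defaultdict(set)  # lowercased executable -> autostart locations

    def add(kind, subject, reason):
        if (kind, subject, reason) not in seen:
            seen.add((kind, subject, reason))
            findings.append((kind, subject, reason))

    for line in log_text.strip().splitlines():
        m = O4_RE.match(line)
        if m:
            exe = executable_of(m["cmd"])
            where = f'{m["hive"]}\\..\\{m["key"]}'
            if not exe:
                add("O4", m["name"], "autostart entry has no command; leftover or hidden loader")
                continue
            locations[exe.lower()].add(where)
            if in_system_dir(exe) and looks_random(exe):
                add("O4", exe, "random-looking executable name in a system directory")
            continue
        m = O23_RE.match(line)
        if m:
            if m["owner"] == "Unknown owner":
                add("O23", m["display"], "service has no vendor string")
            if "(file missing)" in m["path"]:
                add("O23", m["display"], "service binary missing; orphaned registration")

    # The same binary hooked into several autostart keys is a persistence pattern.
    for exe, places in locations.items():
        if len(places) > 1:
            add("O4", exe, f"registered in {len(places)} autostart locations: {sorted(places)}")
    return findings


if __name__ == "__main__":
    for kind, subject, reason in triage(SAMPLE_LOG):
        print(f"{kind:<4} {subject:<45} {reason}")
```

A flagged line is a prompt to verify the file (publisher, location, date) and to search the name, not a verdict; legitimate but obscure drivers can trip the vowel heuristic, and a vowel-rich name like sachostx.exe slips past it.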




#2 Black_Talon

Black_Talon
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE
  • Local time:07:34 AM

Posted 04 June 2006 - 01:27 PM

I know what intell321 is, I've already gotten rid of that. brmfrmsq was also an infection file. The one above it (j...) yields no results. I may have gotten rid of that one, but not sure. I also believe I've gotten rid of all of the sachost variants.

*EDIT* Oops sorry, forgot to extract HJT first. Let me take care of that.

Edited by Black_Talon, 04 June 2006 - 01:46 PM.


#3 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 05 June 2006 - 05:46 PM

Hi Black_Talon and Welcome to the Bleeping Computer.


Right Click the Desktop and Select New--> Folder--> Name it SysClean
  • Download the Sysclean Package to the folder you made.
  • Next, download the Virus Pattern Files (Official Pattern Release) and Spyware Pattern Files (Official Pattern Release) to your desktop from Here
  • Right Click each and Select Extract All to unzip the 2 folders.
  • Now, from the unzipped folders, move lpt$vpn.XXX and tmaptn.XXX files to the SysClean folder.
  • Restart in SAFE MODE (Tap F8 when restarting)
  • Open the SysClean Folder and doubleclick sysclean.com
  • Be sure Automatically clean or delete detected files is checked.
  • Click the Scan button to begin, please be patient, it will take a little bit to finish.
  • Once complete, verify the log from the scan (SYSCLEAN.LOG) is in the SysClean folder and restart back to Normal Mode.
  • Copy&Paste those results in the next reply along with a fresh HijackThis log.


#4 Black_Talon

Black_Talon
  • Topic Starter

  • Members
  • 21 posts
  • OFFLINE

Posted 06 June 2006 - 03:29 PM

Uhhh, seems there was a major access problem during the scan... check it out. The scan took much longer than I expected. Still, looks like it got something done with the stuff that stashed itself in System Restore files.

2006-06-05, 19:40:27, Auto-clean mode specified.
2006-06-05, 19:40:27, Running scanner "C:\Documents and Settings\Dale\Desktop\SysClean\TSC.BIN"...
2006-06-05, 19:43:17, Scanner "C:\Documents and Settings\Dale\Desktop\SysClean\TSC.BIN" has finished running.
2006-06-05, 19:43:17, TSC Log:

Damage Cleanup Engine (DCE) 3.98(Build 1012)
Windows XP(Build 2600: Service Pack 2)

Start time : Mon Jun 05 2006 19:40:27

Load Damage Cleanup Template (DCT) "C:\Documents and Settings\Dale\Desktop\SysClean\tsc.ptn" (version 744) [success]

Complete time : Mon Jun 05 2006 19:43:17
Execute pattern count(3094), Virus found count(0), Virus clean count(0), Clean failed count(0)

2006-06-05, 19:44:49, Could not set file for reading on "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\290fd81d8907b25c30ce3f1f0c91d6cf_1dce0e75-1303-433a-bfc1-6b582bd25551": Access is denied.
2006-06-05, 19:44:49, Could not set file for reading on "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\595f18610cbe75a752ff40d38866f6b2_1dce0e75-1303-433a-bfc1-6b582bd25551": Access is denied.
2006-06-05, 19:44:49, Could not set file for reading on "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5f361f57d40b810301e1eacb4c89370b_1dce0e75-1303-433a-bfc1-6b582bd25551": Access is denied.
2006-06-05, 19:44:49, Could not set file for reading on "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\62c21006e038890b5e0f3b4a3aa4ec62_1dce0e75-1303-433a-bfc1-6b582bd25551": Access is denied.
2006-06-05, 19:44:49, Could not set file for reading on "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7cdac81c03bbea57944cc55e5970b645_1dce0e75-1303-433a-bfc1-6b582bd25551": Access is denied.
2006-06-05, 19:44:49, Could not set file for reading on "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\915b6b9604904b91e166373067eea2cf_1dce0e75-1303-433a-bfc1-6b582bd25551": Access is denied.
2006-06-05, 19:44:49, Could not set file for reading on "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9b672e0382e02961db6f3279406a49f0_1dce0e75-1303-433a-bfc1-6b582bd25551": Access is denied.
2006-06-05, 19:44:49, Could not set file for reading on "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b7448011d72c987fe5a1939814955b02_1dce0e75-1303-433a-bfc1-6b582bd25551": Access is denied.
2006-06-05, 19:44:49, Could not set file for reading on "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e73a165b692a6587112134945b2f7b3d_1dce0e75-1303-433a-bfc1-6b582bd25551": Access is denied.
2006-06-05, 19:44:49, Could not set file for reading on "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f62cef7fbe869fa76badc77fc63f4727_1dce0e75-1303-433a-bfc1-6b582bd25551": Access is denied.
2006-06-05, 19:44:49, Could not set file for reading on "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f7c6cca1464c90dc6f9e842afbc696ec_1dce0e75-1303-433a-bfc1-6b582bd25551": Access is denied.
2006-06-05, 19:45:02, Could not set file for reading on "C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp": Access is denied.
2006-06-05, 19:46:50, An error was detected on "C:\Documents and Settings\All Users\Documents\*.*": Access is denied.
2006-06-05, 19:46:56, An error occurred while scanning file "C:\Documents and Settings\Dale\NTUSER.DAT": Access is denied.
2006-06-05, 19:46:56, An error occurred while scanning file "C:\Documents and Settings\Dale\ntuser.dat.LOG": Access is denied.
2006-06-05, 19:50:31, An error occurred while scanning file "C:\Documents and Settings\Dale\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2006-06-05, 19:50:31, An error occurred while scanning file "C:\Documents and Settings\Dale\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2006-06-05, 20:15:42, An error occurred while scanning file "C:\Documents and Settings\NetworkService\NTUSER.DAT": Access is denied.
2006-06-05, 20:15:42, An error occurred while scanning file "C:\Documents and Settings\NetworkService\ntuser.dat.LOG": Access is denied.
2006-06-05, 20:15:42, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2006-06-05, 20:15:42, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2006-06-05, 21:29:56, Could not set file for reading on "C:\Program Files\Norton Internet Security\Norton AntiVirus\Savrt\0765NAV~.TMP": Access is denied.
2006-06-05, 22:03:40, Could not set file for reading on "C:\RECYCLER\S-1-5-21-1126409819-1918301184-1743640872-1009\Dc4.pf": Access is denied.
2006-06-05, 23:34:31, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB824141$\user32.dll": Access is denied.
2006-06-05, 23:34:31, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB824141$\win32k.sys": Access is denied.
2006-06-05, 23:34:31, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll": Access is denied.
2006-06-05, 23:34:31, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll": Access is denied.
2006-06-05, 23:34:31, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll": Access is denied.
2006-06-05, 23:34:31, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll": Access is denied.
2006-06-05, 23:34:31, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB828741$\colbact.dll": Access is denied.
2006-06-05, 23:34:31, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll": Access is denied.
2006-06-05, 23:34:31, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe": Access is denied.
2006-06-05, 23:34:31, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll": Access is denied.
2006-06-05, 23:34:31, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB828741$\comuid.dll": Access is denied.
2006-06-05, 23:34:31, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB828741$\es.dll": Access is denied.
2006-06-05, 23:34:31, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll": Access is denied.
2006-06-05, 23:34:31, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll": Access is denied.
2006-06-05, 23:34:31, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll": Access is denied.
2006-06-05, 23:34:31, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll": Access is denied.
2006-06-05, 23:34:31, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll": Access is denied.
2006-06-05, 23:34:31, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB828741$\ole32.dll": Access is denied.
2006-06-05, 23:34:31, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll": Access is denied.
2006-06-05, 23:34:31, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll": Access is denied.
2006-06-05, 23:34:31, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB828741$\txflog.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB835732$\callcont.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB835732$\h323.tsp": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB835732$\msgina.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB835732$\mst120.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB835732$\schannel.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB835732$\xpsp2res.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB837001$\dao360.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB837001$\expsrv.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB837001$\msexch40.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB837001$\msjint40.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB837001$\msjter40.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB837001$\msltus40.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB837001$\msrd2x40.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB837001$\msrd3x40.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB837001$\mswdat10.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB837001$\mswstr10.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll": Access is denied.
2006-06-05, 23:34:34, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB837001$\vbajet32.dll": Access is denied.
2006-06-05, 23:34:35, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB839645$\fldrclnr.dll": Access is denied.
2006-06-05, 23:34:35, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB839645$\shell32.dll": Access is denied.
2006-06-05, 23:34:35, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB839645$\shlwapi.dll": Access is denied.
2006-06-05, 23:34:35, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB839645$\sxs.dll": Access is denied.
2006-06-05, 23:34:35, Could not set file for reading on "C:\WINDOWS\$NtUninstallKB839645$\xpsp2res.dll": Access is denied.
2006-06-05, 23:35:37, Could not set file for reading on "C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx": Access is denied.
2006-06-05, 23:35:37, Could not set file for reading on "C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll": Access is denied.
2006-06-05, 23:42:16, Could not set file for reading on "C:\WINDOWS\PCHealth\ERRORREP\UserDumps\svchost.exe.20050306-022822-00.hdmp": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\AD-AWARE.EXE-1853B83A.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\AIM.EXE-064777BB.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\AUPDATE.EXE-223E3682.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\CCAPP.EXE-10E11A7C.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\CHCP.COM-17EDBDC9.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\CMD.EXE-034B0549.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\DEFRAG.EXE-2858C7E2.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\DFRGNTFS.EXE-38C3807C.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\DRWTSN32.EXE-01DDCF15.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\DSAGNT.EXE-2C86BFCE.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\DSBRWS.EXE-070367AA.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\DWWIN.EXE-2C373FB7.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\EXPLORER.EXE-02121B1A.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\FIREFOX.EXE-06188867.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\HELPSVC.EXE-1C192440.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\HH.EXE-104606B2.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\HIJACKTHIS.EXE-35E8F032.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\IEDW.EXE-0F1DF43F.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\IEXPLORE.EXE-2D97EBE6.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\IGFXTRAY.EXE-0A23D403.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\IMAPI.EXE-201490BB.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\INTELMEM.EXE-0A63AEEA.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\Layout.ini": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\LOGONUI.EXE-312BE1BF.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\LUALL.EXE-288D30C1.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\LUCALLBACKPROXY.EXE-29128DB6.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\LUCOMS~1.EXE-1DF6F3E9.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\LXBKBMGR.EXE-0FAB599B.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\LXBKBMON.EXE-07E2A002.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\LXBKJSWX.EXE-0C41460E.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\LXBKPSWX.EXE-0E295171.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\MMTASK.EXE-101CFBE9.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\MSIEXEC.EXE-330626DC.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\MSIMN.EXE-183B59AF.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\MSMSGS.EXE-0620E8B3.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\MTSAXINSTALLER.EXE-0CA7D990.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\NAVSHCOM.EXE-37FBB9CD.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\NAVW32.EXE-06EAD342.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\NAVW32.EXE-214D87DC.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\NETSTAT.EXE-04F18BC0.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\NMAIN.EXE-3A3D97F1.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\NOTEPAD.EXE-2F2D61E1.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\NSCSRVCE.EXE-24B30AFD.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\NWIZ.EXE-2D374245.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\OSE.EXE-2C5425B3.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\OWQWZGDN.EXE-34B786CA.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\PCMSERVICE.EXE-3369AF87.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\QTTASK.EXE-1876A1A1.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\READER_SL.EXE-2FCCA463.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\REALSCHED.EXE-0948A6AF.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\REGSVR32.EXE-396DEA2C.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\ROOTKITREVEALER.EXE-23D2ADC1.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-3CAE7316.pf": Access is denied.
2006-06-05, 23:42:52, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-4E4968D8.pf": Access is denied.
2006-06-05, 23:42:53, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-5645E36A.pf": Access is denied.
2006-06-05, 23:42:53, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-57C8756E.pf": Access is denied.
2006-06-05, 23:42:53, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-5F120771.pf": Access is denied.
2006-06-05, 23:42:53, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-6ACD0C83.pf": Access is denied.
2006-06-05, 23:42:53, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNONCE.EXE-01CA3A2F.pf": Access is denied.
2006-06-05, 23:42:53, Could not set file for reading on "C:\WINDOWS\Prefetch\SGTRAY.EXE-31581176.pf": Access is denied.
2006-06-05, 23:42:53, Could not set file for reading on "C:\WINDOWS\Prefetch\TASKMGR.EXE-06144C13.pf": Access is denied.
2006-06-05, 23:42:53, Could not set file for reading on "C:\WINDOWS\Prefetch\TFSWCTRL.EXE-2D67C816.pf": Access is denied.
2006-06-05, 23:42:53, Could not set file for reading on "C:\WINDOWS\Prefetch\USERINIT.EXE-0743FDA9.pf": Access is denied.
2006-06-05, 23:42:53, Could not set file for reading on "C:\WINDOWS\Prefetch\VERCLSID.EXE-28F52AD2.pf": Access is denied.
2006-06-05, 23:42:53, Could not set file for reading on "C:\WINDOWS\Prefetch\VIEWMGRINSTALLER.EXE-063E8957.pf": Access is denied.
2006-06-05, 23:42:53, Could not set file for reading on "C:\WINDOWS\Prefetch\VIEWMGR_.EXE-1C906785.pf": Access is denied.
2006-06-05, 23:42:53, Could not set file for reading on "C:\WINDOWS\Prefetch\VMGRREMOK.EXE-39DE1AA0.pf": Access is denied.
2006-06-05, 23:42:53, Could not set file for reading on "C:\WINDOWS\Prefetch\VMPREMOV.EXE-041E1D80.pf": Access is denied.
2006-06-05, 23:42:53, Could not set file for reading on "C:\WINDOWS\Prefetch\WGATRAY.EXE-350D4455.pf": Access is denied.
2006-06-05, 23:42:53, Could not set file for reading on "C:\WINDOWS\Prefetch\WINWORD.EXE-33AEA629.pf": Access is denied.
2006-06-05, 23:42:53, Could not set file for reading on "C:\WINDOWS\Prefetch\WMIPRVSE.EXE-0D449B4F.pf": Access is denied.
2006-06-05, 23:42:53, Could not set file for reading on "C:\WINDOWS\Prefetch\WMPLAYER.EXE-1ACCF80B.pf": Access is denied.
2006-06-05, 23:42:53, Could not set file for reading on "C:\WINDOWS\Prefetch\WORDPAD.EXE-30063FA0.pf": Access is denied.
2006-06-05, 23:42:53, Could not set file for reading on "C:\WINDOWS\Prefetch\WUAUCLT.EXE-1360D60A.pf": Access is denied.
2006-06-05, 23:48:28, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT": Access is denied.
2006-06-05, 23:48:28, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG": Access is denied.
2006-06-05, 23:48:29, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\CONFIG\SAM": Access is denied.
2006-06-05, 23:48:29, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG": Access is denied.
2006-06-05, 23:48:29, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\CONFIG\SECURITY": Access is denied.
2006-06-05, 23:48:29, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG": Access is denied.
2006-06-05, 23:48:29, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE": Access is denied.
2006-06-05, 23:48:29, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG": Access is denied.
2006-06-05, 23:48:29, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM": Access is denied.
2006-06-05, 23:48:29, An error occurred while scanning file "C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG": Access is denied.
2006-06-05, 23:51:03, Running scanner "C:\Documents and Settings\Dale\Desktop\SysClean\VSCANTM.BIN"...
2006-06-06, 02:08:03, Files Detected:
Copyright 1990 - 2004 Trend Micro Inc.
Report Date : 6/5/2006 23:51:04
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 479 (115164 Patterns) (2006/06/04) (347900)
Command Line: C:\Documents and Settings\Dale\Desktop\SysClean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Dale\Desktop\SysClean

C:\Documents and Settings\Dale\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-1540eca1-58498121.class [JAVA_BYTEVER.AX]
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\drup[1].exe [TROJ_Generic]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0230180.exe [TROJ_FAKEALERT.I]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0230194.dll [WORM_LOCKSKY.BI]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0230205.exe [TROJ_DAEMONIZ.AM]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0230206.exe [TROJ_DLOADER.ASQ]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0230207.exe [TROJ_DLOADER.AQT]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0231194.dll [WORM_LOCKSKY.BI]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0231204.exe [TROJ_DAEMONIZ.AM]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0231205.exe [TROJ_DLOADER.ASQ]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0231206.exe [TROJ_DLOADER.AQT]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0232211.exe [TROJ_DAEMONIZ.AM]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0232212.exe [TROJ_DLOADER.ASQ]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0232213.exe [TROJ_DLOADER.AQT]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0234202.dll [WORM_LOCKSKY.BI]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0234211.exe [TROJ_DAEMONIZ.AM]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0234212.exe [TROJ_DLOADER.ASQ]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0234214.exe [TROJ_DLOADER.AQT]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0235206.dll [WORM_LOCKSKY.BI]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0235214.exe [TROJ_DAEMONIZ.AM]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0235215.exe [TROJ_DLOADER.ASQ]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0235216.exe [TROJ_DLOADER.AQT]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0236208.old [TROJ_ALEMOD.G]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0236216.dll [WORM_LOCKSKY.BI]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0236218.dll [TSPY_SMALL.PX]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0236224.exe [TROJ_DAEMONIZ.AM]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0236225.exe [TROJ_DLOADER.ASQ]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0236226.exe [TROJ_DLOADER.AQT]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0237210.dll [TROJ_AGENT.BVF]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0237214.dll [WORM_LOCKSKY.BI]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0237224.exe [TROJ_DAEMONIZ.AM]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0237225.exe [TROJ_DLOADER.ASQ]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0237226.exe [TROJ_DLOADER.AQT]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0239215.dll [WORM_LOCKSKY.BI]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0239223.exe [TROJ_DAEMONIZ.AM]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0239224.exe [TROJ_DLOADER.ASQ]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0239225.exe [TROJ_DLOADER.AQT]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0240217.dll [WORM_LOCKSKY.BI]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0241218.dll [WORM_LOCKSKY.BI]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0242225.dll [WORM_LOCKSKY.BI]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0243225.dll [WORM_LOCKSKY.BI]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0244225.dll [WORM_LOCKSKY.BI]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP709\A0245228.dll [WORM_LOCKSKY.BI]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP709\A0247249.dll [WORM_LOCKSKY.BI]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP709\A0247256.exe [TROJ_DAEMONIZ.AM]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP709\A0247257.exe [TROJ_DLOADER.ASQ]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP709\A0247259.exe [TROJ_DLOADER.AQT]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0247285.dll [TROJ_ALEMOD.G]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0247292.dll [TROJ_ALEMOD.G]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0248310.dll [WORM_LOCKSKY.BI]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0248317.exe [TROJ_DAEMONIZ.AM]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0248318.exe [TROJ_DLOADER.ASQ]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0248321.exe [TROJ_DLOADER.AQT]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0248344.dll [WORM_LOCKSKY.BI]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0249344.dll [WORM_LOCKSKY.BI]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0250344.exe [TROJ_PROXY.AG]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0250345.exe [TROJ_PROXY.AG]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0250371.dll [WORM_LOCKSKY.BI]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0250386.exe [TROJ_DAEMONIZ.AM]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0250394.exe [TROJ_FAKEALERT.I]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP715\A0252981.dll [TSPY_SINOWAL.AQ]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP715\A0252984.exe [TROJ_DLOADER.AUY]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP715\A0252996.exe [TROJ_DLOADER.AQT]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP715\A0252999.dll [TSPY_SINOWAL.AQ]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP715\A0253001.exe [TROJ_FAKEALERT.I]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP715\A0253002.exe [TROJ_DLOADER.ASQ]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP715\A0253003.exe [TROJ_SMALL.BWP]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP715\A0253008.exe [TROJ_DLOADER.AQT]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP718\A0253320.exe [TROJ_DAEMONIZ.AM]
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP718\A0253321.exe [TSPY_SINOWAL.AQ]
C:\WINDOWS\SYSTEM32\IEFilter.dll [TSPY_SMALL.PX]
C:\WINDOWS\SYSTEM32\IEFilter1.dll [TSPY_SMALL.PX]
C:\WINDOWS\SYSTEM32\MSIEHelper.dll [TROJ_AGENT.BVF]
C:\WINDOWS\SYSTEM32\msvcrl.dll [WORM_LOCKSKY.BI]
119672 files have been read.
119672 files have been checked.
84418 files have been scanned.
144154 files have been scanned. (including files in archived)
75 files containing viruses.
Found 75 viruses totally.
Maybe 0 viruses totally.
Stop At : 6/6/2006 02:08:01
---------*---------*---------*---------*---------*---------*---------*---------*
2006-06-06, 02:08:03, Files Clean:
Copyright 1990 - 2004 Trend Micro Inc.
Report Date : 6/5/2006 23:51:04
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 479 (115164 Patterns) (2006/06/04) (347900)
Command Line: C:\Documents and Settings\Dale\Desktop\SysClean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Dale\Desktop\SysClean

Success Clean [ JAVA_BYTEVER.AX]( 1) from C:\Documents and Settings\Dale\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\file\omfg.class-1540eca1-58498121.class
Success Clean [ TROJ_Generic]( 1) from C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OT6N85YN\drup[1].exe
Success Clean [ JAVA_BYTEVER.B]( 1) from C:\Documents and Settings\Russell\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive1213.jar-455277fe-240c3f63.zip,(Dummy.class)
Success Clean [TROJ_FAKEALERT.I]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0230180.exe
Success Clean [ WORM_LOCKSKY.BI]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0230194.dll
Success Clean [TROJ_DAEMONIZ.AM]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0230205.exe
Success Clean [TROJ_DLOADER.ASQ]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0230206.exe
Success Clean [TROJ_DLOADER.AQT]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0230207.exe
Success Clean [ WORM_LOCKSKY.BI]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0231194.dll
Success Clean [TROJ_DAEMONIZ.AM]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0231204.exe
Success Clean [TROJ_DLOADER.ASQ]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0231205.exe
Success Clean [TROJ_DLOADER.AQT]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0231206.exe
Success Clean [TROJ_DAEMONIZ.AM]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0232211.exe
Success Clean [TROJ_DLOADER.ASQ]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0232212.exe
Success Clean [TROJ_DLOADER.AQT]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0232213.exe
Success Clean [ WORM_LOCKSKY.BI]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0234202.dll
Success Clean [TROJ_DAEMONIZ.AM]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0234211.exe
Success Clean [TROJ_DLOADER.ASQ]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0234212.exe
Success Clean [TROJ_DLOADER.AQT]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0234214.exe
Success Clean [ WORM_LOCKSKY.BI]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0235206.dll
Success Clean [TROJ_DAEMONIZ.AM]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0235214.exe
Success Clean [TROJ_DLOADER.ASQ]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0235215.exe
Success Clean [TROJ_DLOADER.AQT]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP707\A0235216.exe
Success Clean [ TROJ_ALEMOD.G]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0236208.old
Success Clean [ WORM_LOCKSKY.BI]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0236216.dll
Success Clean [ TSPY_SMALL.PX]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0236218.dll
Success Clean [TROJ_DAEMONIZ.AM]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0236224.exe
Success Clean [TROJ_DLOADER.ASQ]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0236225.exe
Success Clean [TROJ_DLOADER.AQT]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0236226.exe
Success Clean [ TROJ_AGENT.BVF]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0237210.dll
Success Clean [ WORM_LOCKSKY.BI]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0237214.dll
Success Clean [TROJ_DAEMONIZ.AM]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0237224.exe
Success Clean [TROJ_DLOADER.ASQ]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0237225.exe
Success Clean [TROJ_DLOADER.AQT]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0237226.exe
Success Clean [ WORM_LOCKSKY.BI]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0239215.dll
Success Clean [TROJ_DAEMONIZ.AM]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0239223.exe
Success Clean [TROJ_DLOADER.ASQ]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0239224.exe
Success Clean [TROJ_DLOADER.AQT]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0239225.exe
Success Clean [ WORM_LOCKSKY.BI]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0240217.dll
Success Clean [ WORM_LOCKSKY.BI]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0241218.dll
Success Clean [ WORM_LOCKSKY.BI]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0242225.dll
Success Clean [ WORM_LOCKSKY.BI]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0243225.dll
Success Clean [ WORM_LOCKSKY.BI]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP708\A0244225.dll
Success Clean [ WORM_LOCKSKY.BI]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP709\A0245228.dll
Success Clean [ WORM_LOCKSKY.BI]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP709\A0247249.dll
Success Clean [TROJ_DAEMONIZ.AM]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP709\A0247256.exe
Success Clean [TROJ_DLOADER.ASQ]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP709\A0247257.exe
Success Clean [TROJ_DLOADER.AQT]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP709\A0247259.exe
Success Clean [ TROJ_ALEMOD.G]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0247285.dll
Success Clean [ TROJ_ALEMOD.G]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0247292.dll
Success Clean [ WORM_LOCKSKY.BI]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0248310.dll
Success Clean [TROJ_DAEMONIZ.AM]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0248317.exe
Success Clean [TROJ_DLOADER.ASQ]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0248318.exe
Success Clean [TROJ_DLOADER.AQT]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0248321.exe
Success Clean [ WORM_LOCKSKY.BI]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0248344.dll
Success Clean [ WORM_LOCKSKY.BI]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0249344.dll
Success Clean [ TROJ_PROXY.AG]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0250344.exe
Success Clean [ TROJ_PROXY.AG]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0250345.exe
Success Clean [ WORM_LOCKSKY.BI]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0250371.dll
Success Clean [TROJ_DAEMONIZ.AM]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0250386.exe
Success Clean [TROJ_FAKEALERT.I]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP710\A0250394.exe
Success Clean [ TSPY_SINOWAL.AQ]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP715\A0252981.dll
Success Clean [TROJ_DLOADER.AUY]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP715\A0252984.exe
Success Clean [TROJ_DLOADER.AQT]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP715\A0252996.exe
Success Clean [ TSPY_SINOWAL.AQ]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP715\A0252999.dll
Success Clean [TROJ_FAKEALERT.I]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP715\A0253001.exe
Success Clean [TROJ_DLOADER.ASQ]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP715\A0253002.exe
Success Clean [ TROJ_SMALL.BWP]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP715\A0253003.exe
Success Clean [TROJ_DLOADER.AQT]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP715\A0253008.exe
Success Clean [TROJ_DAEMONIZ.AM]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP718\A0253320.exe
Success Clean [ TSPY_SINOWAL.AQ]( 1) from C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP718\A0253321.exe
Success Clean [ TSPY_SMALL.PX]( 1) from C:\WINDOWS\SYSTEM32\IEFilter.dll
Success Clean [ TSPY_SMALL.PX]( 1) from C:\WINDOWS\SYSTEM32\IEFilter1.dll
Success Clean [ TROJ_AGENT.BVF]( 1) from C:\WINDOWS\SYSTEM32\MSIEHelper.dll
Success Clean [ WORM_LOCKSKY.BI]( 1) from C:\WINDOWS\SYSTEM32\msvcrl.dll
119672 files have been read.
119672 files have been checked.
84418 files have been scanned.
144154 files have been scanned. (including files in archived)
75 files containing viruses.
Found 75 viruses totally.
Maybe 0 viruses totally.
Stop At : 6/6/2006 02:08:01 2 hours 16 minutes 51 seconds (8210.16 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-06-06, 02:08:03, Clean Fail:
Copyright 1990 - 2004 Trend Micro Inc.
Report Date : 6/5/2006 23:51:04
VSAPI Engine Version : 8.000-1001
VSCANTM Version : 1.1-1001
Virus Pattern Version : 479 (115164 Patterns) (2006/06/04) (347900)
Command Line: C:\Documents and Settings\Dale\Desktop\SysClean\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\Documents and Settings\Dale\Desktop\SysClean

119672 files have been read.
119672 files have been checked.
84418 files have been scanned.
144154 files have been scanned. (including files in archived)
75 files containing viruses.
Found 75 viruses totally.
Maybe 0 viruses totally.
Stop At : 6/6/2006 02:08:01 2 hours 16 minutes 51 seconds (8210.16 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2006-06-06, 02:08:03, Scanner "C:\Documents and Settings\Dale\Desktop\SysClean\VSCANTM.BIN" has finished running.



:thumbsup: Holy crap, sneaky buggers, aren't they?

Edited by Black_Talon, 06 June 2006 - 03:47 PM.
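Two things in the SysClean report above are worth reading correctly before acting on it. The "Access is denied" errors on the hives under system32\config (SAM, SECURITY, SOFTWARE, SYSTEM and their .LOG files) are expected: the running kernel holds those files open, so an on-line scanner cannot read them. And a detection whose path starts with System Volume Information\_restore{...}\RPnnn is an archived System Restore copy, not a file that was loadable at the time of the scan; it still matters because a later restore to that point puts the file back, which is why restore points are normally purged once the live files are dealt with. The entries that describe the machine as it was running are the four under C:\WINDOWS\SYSTEM32 and the two cache hits that show how the payload arrived. A small parser that makes that split, as an added example that is not code from the original post or from Trend Micro: it reads the "<path> [DETECTION]" lines of a VSCANTM "Files Detected" list, buckets each hit by what its location means for cleanup, lists the restore points that hold infected copies, and cross-checks the scanner's own "N files containing viruses" line against the number of entries actually listed (in the full log above, the detected list has 74 entries while the summary says 75 and the cleaning report lists 75, the extra one being a class inside a .jar). The sample text is constructed from a few lines of that log, with the count line deliberately set one higher than the entries so the check has something to find; the bucket names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the shape of the VSCANTM "Files Detected" list above
# (paths and detection names as printed there, count line set to 9 on purpose
# although only 8 entries follow, to show the cross-check).
SAMPLE_REPORT = """\
Copyright 1990 - 2004 Trend Micro Inc.
Virus Pattern Version : 479 (115164 Patterns) (2006/06/04) (347900)

C:\\Documents and Settings\\Dale\\Application Data\\Sun\\Java\\Deployment\\cache\\javapi\\v1.0\\file\\omfg.class-1540eca1-58498121.class [JAVA_BYTEVER.AX]
C:\\Documents and Settings\\LocalService\\Local Settings\\Temporary Internet Files\\Content.IE5\\OT6N85YN\\drup[1].exe [TROJ_Generic]
C:\\System Volume Information\\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\\RP707\\A0230194.dll [WORM_LOCKSKY.BI]
C:\\System Volume Information\\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\\RP710\\A0250344.exe [TROJ_PROXY.AG]
C:\\System Volume Information\\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\\RP715\\A0252981.dll [TSPY_SINOWAL.AQ]
C:\\WINDOWS\\SYSTEM32\\IEFilter.dll [TSPY_SMALL.PX]
C:\\WINDOWS\\SYSTEM32\\MSIEHelper.dll [TROJ_AGENT.BVF]
C:\\WINDOWS\\SYSTEM32\\msvcrl.dll [WORM_LOCKSKY.BI]
119672 files have been read.
9 files containing viruses.
Found 9 viruses totally.
"""

# One detection line is "<path> [<DETECTION_NAME>]". The path is matched lazily so
# a bracket inside a filename (drup[1].exe) does not end the match early; anchoring
# at end of line makes the last bracket group the detection name.
DETECTION_RE = re.compile(r"^(?P<path>.+?) \[(?P<name>[^\]]+)\]\s*$")
SUMMARY_RE = re.compile(r"^(\d+) files containing viruses\.")
# System Restore archive: ...\System Volume Information\_restore{GUID}\RPnnn\...
RESTORE_RE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP(\d+)\\", re.IGNORECASE)


def classify(path):
    """Bucket a detected path by what its location means for cleanup (bucket
    names are this example's own, not scanner terminology)."""
    if RESTORE_RE.search(path):
        return "restore_point"      # archived copy; comes back via System Restore
    low = path.lower()
    if "\\temporary internet files\\" in low:
        return "browser_cache"      # downloaded payload, not a persistence point
    if "\\sun\\java\\deployment\\cache\\" in low:
        return "java_cache"         # applet that got the dropper onto the box
    if low.startswith("c:\\windows\\"):
        return "live_windows"       # file under the OS tree, loadable while running
    return "other"


def parse_report(text):
    """Return (detections, claimed_total). Each detection carries path, name,
    family (name without the variant suffix) and location bucket."""
    detections, claimed = [], None
    for line in text.splitlines():
        m = DETECTION_RE.match(line)
        if m:
            name = m.group("name").strip()
            family = name.rsplit(".", 1)[0] if "." in name else name
            detections.append({"path": m.group("path"), "name": name,
                               "family": family, "location": classify(m.group("path"))})
            continue
        s = SUMMARY_RE.match(line)
        if s:
            claimed = int(s.group(1))
    return detections, claimed


def live_threats(detections):
    """Hits outside caches and restore points: the files that were actually
    present on the running system."""
    return [(d["path"], d["name"]) for d in detections if d["location"] == "live_windows"]


def restore_points_hit(detections):
    """RPnnn numbers holding infected copies; restoring to any of them would
    reinstate the malware."""
    points = set()
    for d in detections:
        m = RESTORE_RE.search(d["path"])
        if m:
            points.add(int(m.group(1)))
    return sorted(points)


def summarize(detections):
    return {"by_location": dict(Counter(d["location"] for d in detections)),
            "by_family": dict(Counter(d["family"] for d in detections))}


def count_mismatch(text):
    """Scanner's claimed total versus entries actually listed. A gap means the
    list is not the whole story (e.g. a hit inside an archive that only shows
    up in the cleaning report)."""
    detections, claimed = parse_report(text)
    return claimed, len(detections)


if __name__ == "__main__":
    dets, _ = parse_report(SAMPLE_REPORT)
    for path, name in live_threats(dets):
        print(f"LIVE  {name:<18} {path}")
    print("restore points with infected copies:", restore_points_hit(dets))
    print("summary:", summarize(dets))
    print("claimed vs listed:", count_mismatch(SAMPLE_REPORT))
```

Feeding the full "Files Detected" section of the log above into parse_report gives the same picture the manual read does: the live_windows bucket holds exactly the four SYSTEM32 DLLs, the restore_point bucket covers RP707 through RP718, and count_mismatch reports the claimed 75 against 74 listed entries.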


#5 Guest_Cretemonster_*

  • Guests

Posted 06 June 2006 - 05:46 PM

Allrighty!

Let's see a fresh HijackThis log.

#6 Black_Talon

  • Topic Starter
  • Members
  • 21 posts

Posted 06 June 2006 - 06:16 PM

Just did a netstat -an... The unknown sagonet connection is not there :thumbsup:

Logfile of HijackThis v1.99.1
Scan saved at 7:12:21 PM, on 6/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\vcibaaaa.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\WINDOWS\System32\DSentry.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\SYSTEM32\winbrume.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Norton Internet Security 2006 - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [stratas]
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sachost] C:\WINDOWS\sachostx.exe
O4 - HKLM\..\Run: [brmfrsmq] C:\WINDOWS\system32\brmfrsmq.exe
O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\system32\intell321.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [stratas]
O4 - HKLM\..\RunServices: [brmfrsmq] C:\WINDOWS\system32\brmfrsmq.exe
O4 - HKCU\..\Run: [SpyKiller] C:\Program Files\SpyKiller\spykiller.exe /startup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [jtncbdfd] C:\WINDOWS\system32\jtncbdfd.exe
O4 - HKCU\..\Run: [brmfrsmq] C:\WINDOWS\system32\brmfrsmq.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: PokerNow - {2DB0FBAF-5223-4c96-8C25-F60D5E437D34} - C:\Program Files\PokerNow\PokerNow.exe (file missing)
O9 - Extra 'Tools' menuitem: PokerNow - {2DB0FBAF-5223-4c96-8C25-F60D5E437D34} - C:\Program Files\PokerNow\PokerNow.exe (file missing)
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Poker.com - {6FDD5236-C9F0-49ef-935D-385F5E21991A} - C:\Program Files\Poker.com\poker.exe (HKCU)
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab34120.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {27527D31-447B-11D5-A46E-0001023B4289} (CoGSManager Class) - http://gamingzone.ubisoft.com/dev/packages/GSManager.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetl...bGameLoader.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.games.y...ctl_0_0_0_1.ocx
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1149435493609
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamespyarcade.com/software/launch/alaunch.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/luxr/default/mjolauncher.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp...23/cpbrkpie.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BCF9A64D-1440-4404-863C-F5DF2B99F798} (Catan Online Game) - http://zone.msn.com/bingame/zpagames/zpa_catan.cab36135.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.cab
O16 - DPF: {D42ED9FF-DF46-4AD9-A3FE-46BAF896466E} (CountSpies.SpyCounter) - http://www.sunbelt-software.com/dell/CounterSpy.CAB
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab35645.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/zuma/default/popcaploader_v5.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {EDFCDAF5-95D9-40E9-BBE6-10C33190C3EF} (cGameControl Class) - http://zone.msn.com/bingame/rmcb/default/RumbleCube.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: IEFilter - {E7CEE683-A378-44C1-A315-DFD83D2B053C} - IEFilter1.dll (file missing)
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Service - Unknown owner - C:\WINDOWS\system32\Service.exe
O23 - Service: Service 8 (Service Filter) - Unknown owner - C:\WINDOWS\smncs.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

Edited by Black_Talon, 06 June 2006 - 06:27 PM.


#7 Guest_Cretemonster_*

Posted 06 June 2006 - 06:33 PM

Download WinPFind to your C Drive.
http://www.bleepingcomputer.com/files/winpfind.php

Right-click the Zip folder and select "Extract All".

Don't use it yet.


Open HijackThis-> Click "Do a System Scan Only" and put a check by these, but DO NOT hit the Fix Checked button yet:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

R3 - Default URLSearchHook is missing

F2 - REG:system.ini: UserInit=userinit.exe

O2 - BHO: (no name) - {196B9CB5-4C83-46F7-9B06-9672ECD9D99B} - C:\WINDOWS\SYSTEM32\winbrume.dll (file missing)

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)

O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

O4 - HKLM\..\Run: [stratas]

O4 - HKLM\..\Run: [sachost] C:\WINDOWS\sachostx.exe

O4 - HKLM\..\Run: [brmfrsmq] C:\WINDOWS\system32\brmfrsmq.exe

O4 - HKLM\..\Run: [intell321.exe] C:\WINDOWS\system32\intell321.exe

O4 - HKLM\..\RunServices: [stratas]

O4 - HKLM\..\RunServices: [brmfrsmq] C:\WINDOWS\system32\brmfrsmq.exe

O4 - HKCU\..\Run: [jtncbdfd] C:\WINDOWS\system32\jtncbdfd.exe

O4 - HKCU\..\Run: [brmfrsmq] C:\WINDOWS\system32\brmfrsmq.exe

O21 - SSODL: IEFilter - {E7CEE683-A378-44C1-A315-DFD83D2B053C} - IEFilter1.dll (file missing)

O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

O23 - Service: Service 8 (Service Filter) - Unknown owner - C:\WINDOWS\smncs.exe (file missing)

Now make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked button.


Still in HijackThis-> Click Config-> Click Misc Tools-> Click Delete a File on Reboot

When the smaller explorer window opens--> Locate and Double Click the file listed below.

C:\WINDOWS\system32\vcibaaaa.exe


Click Yes to the prompts and let HijackThis reboot the machine.


Reboot into SAFE MODE (tap F8 when restarting).


After restarting in Safe Mode, configure Windows to show all hidden files and folders. Here is a link to help with that:
http://www.bleepingcomputer.com/tutorials/...al62.html#winxp


Locate and Delete if found

C:\WINDOWS\smncs.exe<-- File

C:\WINDOWS\sachostx.exe<-- File

C:\WINDOWS\system32\vcibaaaa.exe<-- File

C:\WINDOWS\system32\brmfrsmq.exe<-- File

C:\WINDOWS\system32\intell321.exe<-- File

C:\WINDOWS\system32\jtncbdfd.exe<-- File


Click Start-> Run-> Copy & paste the text below into the Open box and click OK

sc delete "Service Filter"


From the WinPFind folder-> Double-click WinPFind.exe and click "Start Scan".

It will scan the entire system, so please be patient.

Once you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder


Restart normally and have the PC scanned here:
Bit Defender

You will need to be using Internet Explorer for the Scan to work

Save the Report it generates

Post back with a fresh HijackThis log and the reports from WinPFind and Bit Defender

#8 Black_Talon

Posted 06 June 2006 - 06:53 PM

Little problem here with HJT... I did the fix checked items with no other windows open. It quit on me after it prompted me about BHOs, and now it quits on me every time I try to do fix checked items to get the leftovers after all of the BHOs you had me fix. ... The "Main, Start Page =" blank entry is still there, as are the brmfrsmq, jtncbdfd, stratas, O21, and O23 entries.

Edited by Black_Talon, 06 June 2006 - 07:06 PM.


#9 Guest_Cretemonster_*

Posted 06 June 2006 - 07:05 PM

Go ahead and get WinPFind, go to Safe Mode and delete any of the files listed.

Scan with WinPFind, restart, do the Bit Defender scan and post those 2 logs.

We will figure it out from there.

#10 Black_Talon

Posted 07 June 2006 - 06:36 AM

My brother got on the computer after I went to bed, got out of BitDefender after it was done, and shut down. I still have the WinPFind log, but from the looks of what you said it's a manual save for the BitDefender log. Might there be a cache of the log somewhere so I can dig it up, perhaps in temp or some such place, or should I run the scan again? (It was on its default setting to delete irreparable files, so I'm not sure it will find anything.) It found all of my quarantined stuff from old infections and got rid of those... I think it found other stuff, but my brother could be the only person who knows anything, and he doesn't usually pay attention to this kind of matter anyway. BTW, I've further checked out vcibaaaa and its description looks legit:
.NET Runtime Optimization Service v1.000.3.1434 (Microsoft Corp.)
Sorry I didn't bring this up earlier.


Windows OS and Versions
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180

Checking Selected Standard Folders

Checking %SystemDrive% folder...

Checking %ProgramFilesDir% folder...

Checking %WinDir% folder...

Checking %System% folder...
PEC2 8/29/2002 6:00:00 AM 41397 C:\WINDOWS\SYSTEM32\DFRG.MSC
PTech 5/23/2006 5:26:00 PM 579888 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 5/3/2006 9:26:24 PM 5818784 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 5/3/2006 9:26:24 PM 5818784 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 3:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 3:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
aspack 5/7/2005 8:17:52 AM 197120 C:\WINDOWS\SYSTEM32\Skittles Hunt For Grievous.scr
UPX! 5/11/2006 7:52:58 PM 288417 C:\WINDOWS\SYSTEM32\SrchSTS.exe
UPX! 5/11/2006 7:52:58 PM 42496 C:\WINDOWS\SYSTEM32\swreg.exe
UPX! 5/11/2006 7:52:58 PM 40960 C:\WINDOWS\SYSTEM32\swsc.exe
PEC2 3/10/2006 2:14:44 PM 65536 C:\WINDOWS\SYSTEM32\vcibaaaa.exe
PECompact2 3/10/2006 2:14:44 PM 65536 C:\WINDOWS\SYSTEM32\vcibaaaa.exe
winsync 8/29/2002 6:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\WBDBASE.DEU
PTech 5/23/2006 5:25:52 PM 285488 C:\WINDOWS\SYSTEM32\WgaTray.exe

Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 1:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys

Items found in C:\WINDOWS\SYSTEM32\drivers\ETC\hosts


Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
6/6/2006 8:10:54 PM S 2048 C:\WINDOWS\BOOTSTAT.DAT
6/4/2006 6:27:18 PM H 54156 C:\WINDOWS\QTFont.qfn
6/4/2006 1:10:04 PM H 0 C:\WINDOWS\INF\oem42.inf
5/17/2006 11:24:42 AM S 7160 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WGA.cat
5/23/2006 5:27:00 PM S 7160 C:\WINDOWS\SYSTEM32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\WgaNotify.cat
6/6/2006 8:10:44 PM H 8192 C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG
6/6/2006 8:11:20 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG
6/6/2006 8:10:56 PM H 12288 C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG
6/6/2006 8:14:36 PM H 94208 C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG
6/6/2006 8:16:56 PM H 1175552 C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG
5/25/2006 2:03:18 PM H 1024 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT.LOG
5/15/2006 4:59:32 PM S 688 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5
5/25/2006 12:16:54 PM S 31241 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30
5/15/2006 4:59:32 PM S 94 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5
5/25/2006 12:16:54 PM S 124 C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30
6/4/2006 12:04:04 PM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\7b5959e0-4ffe-4943-b7c6-75344a6c73f1
6/4/2006 12:04:04 PM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\Preferred
4/21/2006 3:02:00 PM HS 388 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\2436dee6-bf12-4138-8c5f-2dac873b50b4
4/21/2006 3:02:00 PM HS 24 C:\WINDOWS\SYSTEM32\Microsoft\Protect\S-1-5-18\User\Preferred
6/6/2006 4:15:18 PM H 6 C:\WINDOWS\Tasks\SA.DAT
5/27/2006 9:34:40 AM HS 8 C:\WINDOWS\temp\$_2341235.TMP //////Just to interject, believe this is gone

Checking for CPL files...
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Broadcom Corporation 5/8/2003 8:25:18 PM 815104 C:\WINDOWS\SYSTEM32\B57exp.cpl
5/11/2001 1:00:00 AM 183808 C:\WINDOWS\SYSTEM32\bdeadmin.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
9/18/2003 4:18:00 AM R 24576 C:\WINDOWS\SYSTEM32\cpl_moh.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Intel Corporation 6/22/2005 12:46:18 AM 94208 C:\WINDOWS\SYSTEM32\igfxcpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Sun Microsystems 4/14/2004 11:10:28 AM 53352 C:\WINDOWS\SYSTEM32\jpicpl32.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 187904 C:\WINDOWS\SYSTEM32\MAIN.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 35840 C:\WINDOWS\SYSTEM32\NCPA.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
3/9/2006 3:29:00 PM 73728 C:\WINDOWS\SYSTEM32\nvtuicpl.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Apple Computer, Inc. 1/6/2004 6:02:40 PM 323072 C:\WINDOWS\SYSTEM32\QuickTime.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/29/2002 6:00:00 AM 28160 C:\WINDOWS\SYSTEM32\TELEPHON.CPL
Microsoft Corporation 8/4/2004 3:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 8/4/2004 3:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\DLLCACHE\wuaucpl.cpl
Intel Corporation 1/23/2005 10:33:44 AM 94208 C:\WINDOWS\SYSTEM32\ReinstallBackups\0000\DriverFiles\igfxcpl.cpl

Checking Selected Startup Folders

Checking files in %ALLUSERSPROFILE%\Startup folder...
3/14/2006 9:59:20 PM 1757 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
9/3/2002 10:00:00 AM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI

Checking files in %ALLUSERSPROFILE%\Application Data folder...
9/3/2002 9:50:46 AM HS 62 C:\Documents and Settings\All Users\Application Data\DESKTOP.INI

Checking files in %USERPROFILE%\Startup folder...

Checking files in %USERPROFILE%\Application Data folder...
4/12/2006 2:44:02 AM 711 C:\Documents and Settings\Dale\Application Data\AdobeDLM.log
9/3/2002 9:50:46 AM HS 62 C:\Documents and Settings\Dale\Application Data\DESKTOP.INI
4/12/2006 2:43:42 AM 603 C:\Documents and Settings\Dale\Application Data\dm.ini

Checking Selected Registry Keys

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
SV1 =

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]

[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{FAD61B3D-699D-49B2-BE16-7F82CB4C59CA} = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\QuickFinderMenu
{C0E10002-0028-0004-C0E1-C0E1C0E1C0E1} = c:\Program Files\WordPerfect Office 11\Programs\PFSE110.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\WinRAR
{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{F9DB5320-233E-11D1-9F84-707F02C10627}
= C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll

[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
AcroIEHlprObj Class = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}
= C:\PROGRA~1\SPYBOT~1\SDHelper.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}
DriveLetterAccess = C:\WINDOWS\system32\dla\tfswshx.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}
AOL Toolbar Launcher = C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9ECB9560-04F9-4bbc-943D-298DDF1699E1}
CNisExtBho Class = C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}
CNavExtBho Class = C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{FE54FA40-D68C-11d2-98FA-00C0F0318AFE}
Real.com = C:\WINDOWS\System32\Shdocvw.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
{DE9C389F-3316-41A7-809B-AA305ED9D922} = AOL Toolbar : C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
{0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} = Norton Internet Security 2006 : C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
{C4069E3A-68F1-403E-B40E-20066696354B} = Norton AntiVirus : C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}
MenuText = Sun Java Console : C:\WINDOWS\System32\msjava.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{2DB0FBAF-5223-4c96-8C25-F60D5E437D34}
ButtonText = PokerNow : C:\Program Files\PokerNow\PokerNow.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3369AF0D-62E9-4bda-8103-B4C75499B578}
ButtonText = AOL Toolbar :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{6FDD5236-C9F0-49ef-935D-385F5E21991A}
ButtonText = Poker.com : C:\Program Files\Poker.com\poker.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{92780B25-18CC-41C8-B9BE-3C9C571A8263}
ButtonText = Research :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}
ButtonText = AIM : C:\Program Files\AIM\aim.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{B7FE5D70-9AA2-40F1-9C6B-12A255F085E1}
ButtonText = PartyPoker.com : C:\Program Files\PartyPoker\PartyPoker.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}
ButtonText = Real.com :
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\msmsgs.exe

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{21569614-B795-46B1-85F4-E737A8DC09AD}
Shell Search Band = %SystemRoot%\system32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7} = Norton Internet Security 2006 : C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = :
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{DE9C389F-3316-41A7-809B-AA305ED9D922} = AOL Toolbar : C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
{C4069E3A-68F1-403E-B40E-20066696354B} = Norton AntiVirus : C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
TkBellExe "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
StorageGuard "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
PCMService "C:\Program Files\Dell\Media Experience\PCMService.exe"
mmtask c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
IntelMeM C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
IgfxTray C:\WINDOWS\system32\igfxtray.exe
HotKeysCmds C:\WINDOWS\system32\hkcmd.exe
DVDSentry C:\WINDOWS\System32\DSentry.exe
dla C:\WINDOWS\system32\dla\tfswctrl.exe
QuickTime Task "C:\Program Files\QuickTime\qttask.exe" -atboottime
stratas
Lexmark X1100 Series "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
NvCplDaemon RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
nwiz nwiz.exe /install
NvMediaCenter RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
ccApp "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
stratas
brmfrsmq C:\WINDOWS\system32\brmfrsmq.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SpyKiller C:\Program Files\SpyKiller\spykiller.exe /startup
MSMSGS "C:\Program Files\Messenger\msmsgs.exe" /background
DellSupport "C:\Program Files\Dell Support\DSAgnt.exe" /startup
jtncbdfd C:\WINDOWS\system32\jtncbdfd.exe
brmfrsmq C:\WINDOWS\system32\brmfrsmq.exe

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoActiveDesktopChanges 0
NoCDBurning 0


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =


HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
DisableTaskMgr 0


[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
UPnPMonitor {e57ce738-33e8-4c51-8354-bb4de9d215d1} = C:\WINDOWS\system32\upnpui.dll
IEFilter {E7CEE683-A378-44C1-A315-DFD83D2B053C} = IEFilter1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\SYSTEM32\Userinit.exe,
Shell = explorer.exe
System =

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
= igfxsrvc.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs


Scan Complete
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 6/6/2006 8:25:42 PM

Edited by Black_Talon, 07 June 2006 - 07:11 AM.


#11 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 07 June 2006 - 10:06 AM

Didn't look closely at the WinPFind scan, but this file I asked about is most likely bad and not associated with Microsoft in any way.

To be sure, scan the file here:

C:\WINDOWS\system32\vcibaaaa.exe

Copy the results to Notepad and post them in the next reply.

#12 Black_Talon

Black_Talon
  • Topic Starter

  • Members
  • 21 posts

Posted 07 June 2006 - 04:12 PM

Well, looks like I'm gonna be deleting this file. Who knows how much trouble it's caused already. It's been around since March, apparently :thumbsup:. Looks like the incident that brought me close to reformatting also showed me something that was sitting there acting innocent. Back to safe mode to delete it.

Results:

AntiVir 6.34.1.37 06.07.2006 BDS/Agent.VZ.1
Authentium 4.93.8 06.07.2006 no virus found
Avast 4.7.844.0 06.06.2006 no virus found
AVG 386 06.07.2006 BackDoor.Agent.AQX
BitDefender 7.2 06.07.2006 Backdoor.Agent.VZ
CAT-QuickHeal 8.00 06.07.2006 Backdoor.Agent.vz
ClamAV devel-20060426 06.07.2006 Trojan.Small-235
DrWeb 4.33 06.07.2006 Trojan.Spambot
eTrust-InoculateIT 23.72.30 06.07.2006 no virus found
eTrust-Vet 12.6.2246 06.07.2006 no virus found
Ewido 3.5 06.07.2006 Backdoor.Agent.vz
Fortinet 2.77.0.0 06.07.2006 W32/Agent.VZ!tr
F-Prot 3.16f 06.06.2006 no virus found
Ikarus 0.2.65.0 06.07.2006 Backdoor.Win32.Agent.VZ
Kaspersky 4.0.2.24 06.07.2006 Backdoor.Win32.Agent.vz
McAfee 4779 06.07.2006 no virus found
Microsoft 1.1441 06.07.2006 no virus found
NOD32v2 1.1584 06.07.2006 no virus found
Norman 5.90.17 06.07.2006 W32/Agent.ZHG
Panda 9.0.0.4 06.07.2006 no virus found
Sophos 4.06.0 06.07.2006 no virus found
Symantec 8.0 06.07.2006 no virus found
TheHacker 5.9.8.156 06.07.2006 no virus found
UNA 1.83 06.06.2006 Backdoor.Agent
VBA32 3.11.0 06.07.2006 Backdoor.Win32.Agent.vz


Aditional Information
File size: 65536 bytes
MD5: 002a34e3acaf94f7c9845eccc23ff5da

Stupid malware.

Edited by Black_Talon, 07 June 2006 - 04:14 PM.


#13 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 07 June 2006 - 04:24 PM

No problem. If HijackThis is still non-functional after deleting the file:

Download a fresh copy to your C drive, unzip it, scan, and post the results.

Don't delete the old HijackThis yet.

#14 Black_Talon

Black_Talon
  • Topic Starter

  • Members
  • 21 posts

Posted 08 June 2006 - 03:50 PM

Downloaded a new copy, but it's still not working. :thumbsup:

#15 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests

Posted 08 June 2006 - 06:10 PM

That's odd!


Copy the text in the quote box to a blank Notepad page and save it to the Desktop with the name Clr.reg, but don't run it just yet.


REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"jtncbdfd"=-
"brmfrsmq"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"stratas"=-
"brmfrsmq"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"stratas"=-



Restart in Safe Mode and delete, if found:

C:\WINDOWS\system32\brmfrsmq.exe

C:\WINDOWS\system32\jtncbdfd.exe


Locate and Double Click Clr.reg and allow it to merge into the registry.


Still in Safe Mode, scan with WinPFind again.


Restart normally and have the PC scanned here:
http://www.bitdefender.com/scan/licence.php


You will need to be using Internet Explorer for the scan to work.

Save the report it generates.

Post back the reports from WinPFind and BitDefender.
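A dry run of the Clr.reg script from this post against the autorun entries in the WinPFind log earlier in the thread, as an added example that is not part of the thread: it parses the two REGEDIT4 forms the script uses ([-KEY] removes a key, "name"=- removes a value) and reports which entries would go and which no longer match anything. The registry snapshot is typed in from the log (a subset, with the empty policies\Explorer\Run key deliberately left out), not read live.

```python
import re

# Constructed snapshot of autorun keys from the WinPFind listing (key -> {value: command}),
# a subset typed in by hand; policies\Explorer\Run is left out so the dry run reports it.
SNAPSHOT = {
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "ccApp": r'"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
        "stratas": ""},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices": {
        "stratas": "", "brmfrsmq": r"C:\WINDOWS\system32\brmfrsmq.exe"},
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "jtncbdfd": r"C:\WINDOWS\system32\jtncbdfd.exe",
        "brmfrsmq": r"C:\WINDOWS\system32\brmfrsmq.exe"},
}
# The Clr.reg script from the post, verbatim.
CLR_REG = r"""REGEDIT4
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"jtncbdfd"=-
"brmfrsmq"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"stratas"=-
"brmfrsmq"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"stratas"=-
"""
def parse_reg(text):
    """Return ('delkey', key) and ('delval', key, name) ops from a REGEDIT4 script."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if not lines or lines[0] != "REGEDIT4":
        raise ValueError("expected a REGEDIT4 header")
    ops, key = [], None
    for line in lines[1:]:
        if m := re.fullmatch(r"\[(-?)(.+)\]", line):   # [KEY] selects, [-KEY] deletes
            key = m.group(2)
            if m.group(1):
                ops.append(("delkey", key))
        elif (m := re.fullmatch(r'"([^"]+)"=-', line)) and key:  # "name"=- deletes a value
            ops.append(("delval", key, m.group(1)))
        else:
            raise ValueError(f"unsupported line: {line!r}")  # anything else is not a pure cleanup
    return ops

def dry_run(snapshot, ops):
    """Apply ops to a copy of snapshot; also return ops that matched nothing (already gone or stale)."""
    state = {k: dict(v) for k, v in snapshot.items()}
    missing = []
    for op in ops:
        hit = state.pop(op[1], None) if op[0] == "delkey" else state.get(op[1], {}).pop(op[2], None)
        if hit is None:
            missing.append(op)
    return state, missing
```

Running the dry run before merging shows exactly which persistence entries the script strips and flags any that are no longer present, which is the check to make before double-clicking a .reg file.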

