Fix My Girlfriends Pos Laptop Before I Destroy It


  • This topic is locked
23 replies to this topic

#1 ucmd03

ucmd03

  • Members
  • 15 posts
  • OFFLINE
  • Local time:11:56 PM

Posted 05 June 2006 - 07:32 PM

Hi, any help is much appreciated.

I was infected with SurfSideKick (at least) and think I got rid of that using the help on this website and Google, but I'm still having issues with popups.

I did the recommended steps already in the sticky, including Norton AV, AVG, Ad-Aware, Spybot, etc.

Here is the HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 8:10:12 PM, on 6/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ms049925881349.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Common Files\svchostsys\svchostsys.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\Program Files\Windows\wWinUpdate.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\CCleaner\ccleaner.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\valerie germain\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...sario&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...sario&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=userinit.exe,cbbssgv.exe
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [w0140769.dll] RUNDLL32.EXE w0140769.dll,I2 000db01900140769
O4 - HKLM\..\Run: [ms049925881349] C:\WINDOWS\ms049925881349.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1148355064200
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dmFsZXJpZSBnZXJtYWlu\command.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

And here is the HJT StartupList log:

StartupList report, 6/4/2006, 6:52:51 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\valerie germain\Desktop\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ms049925881349.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Common Files\svchostsys\svchostsys.exe
C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Windows\wWinUpdate.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\TechSmith\SnagIt 8\Snagit32.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\valerie germain\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = userinit.exe,cbbssgv.exe

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

IgfxTray = C:\WINDOWS\system32\igfxtray.exe
HotKeysCmds = C:\WINDOWS\system32\hkcmd.exe
SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
UpdateManager = "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
SynTPLpr = C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh = C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
HPHUPD05 = c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
HPHmon05 = C:\WINDOWS\system32\hphmon05.exe
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
ViewMgr = C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
HP Software Update = C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
w0140769.dll = RUNDLL32.EXE w0140769.dll,I2 000db01900140769
ms049925881349 = C:\WINDOWS\ms049925881349.exe
AVG7_CC = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
UnlockerAssistant = "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
Windows Defender = "C:\Program Files\Windows Defender\MSASCui.exe" -hide

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

(Default) =

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

MoneyAgent = "c:\Program Files\Microsoft Money\System\mnyexpr.exe"
sys_up1 = C:\Program Files\Common Files\svchostsys\svchostsys.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\system32\ssmyst.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll - {00C6482D-C502-44C8-8409-FCE54AD9C208}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

MP Scheduled Scan.job
Norton AntiVirus - Scan my computer - valerie germain.job
Symantec NetDetect.job

--------------------------------------------------

Enumerating Download Program Files:

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\system32\legitcheckcontrol.dll
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[Office Update Installation Engine]
InProcServer32 = C:\WINDOWS\opuc.dll
CODEBASE = http://office.microsoft.com/officeupdate/content/opuc3.cab

[MUWebControl Class]
InProcServer32 = C:\WINDOWS\system32\muweb.dll
CODEBASE = http://update.microsoft.com/microsoftupdat...b?1148355064200

[Shutterfly Picture Upload Plugin]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\sfuploadplugin.ocx
CODEBASE = http://web1.shutterfly.com/downloads/Uploader.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash8.ocx
CODEBASE = http://download.macromedia.com/pub/shockwa...ash/swflash.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\Config.Msi\8df32.rbf||C:\DOCUME~1\VALERI~1\LOCALS~1\TEMPOR~1\Content.IE5\index.dat||C:\DOCUME~1\VALERI~1\Cookies\index.dat||C:\DOCUME~1\VALERI~1\LOCALS~1\History\History.IE5\index.dat


--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\system32\webcheck.dll
SysTray: C:\WINDOWS\system32\stobject.dll

--------------------------------------------------
Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer\Run

WinUpdate.exe = C:\Program Files\Windows\WinUpdate.exe

--------------------------------------------------

End of report, 8,150 bytes
Report generated in 0.872 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only

And here is the stuff found by BitDefender:

Infected with: Exploit.Html.Codebase.Exec.Gen
Infected with: Dropped:Trojan.Clicker.Small.G
Infected with: Trojan.Downloader.Adload.AA
Infected with: Trojan.Downloader.6172.A
Infected with: Trojan.Download.H
Infected with: Trojan.Downloader.6610.A
Infected with: Trojan.Dropper.Small.QN
Infected with: Trojan.Candebe.CZ
Infected with: Trojan.Dnschange.F
Infected with: Trojan.Downloader.VB.TW
Infected with: Trojan.Qurl.3
Infected with: Trojan.Downloader.GJ
Infected with: Trojan.Runner.F
Infected with: Trojan.Dropper.VB.MZ
Infected with: Backdoor.1053.A



That's about it. Please help me before I go to the dark side, Macintosh. That's right, I said it...

#2 ucmd03

ucmd03
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:11:56 PM

Posted 05 June 2006 - 08:13 PM

ttt

#3 sUBs

sUBs

  • Malware Response Team
  • 2,489 posts
  • OFFLINE
  • Local time:11:56 AM

Posted 05 June 2006 - 08:17 PM

Hello and Welcome. Please subscribe to this thread to get immediate notification of replies as soon as they are posted.

Please read this post completely before beginning. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.


* * * * * * * * * * * * * * * * * *


  • Download and run - bfu.zip
  • Checkmark the following boxes:
    • Use settings specified in script for the above option
    • Show log after script ends
  • Click the Web button located on the top right corner
  • Copy/Paste this url into the address bar of the Download script window:

    http://metallica.geekstogo.com/alcanshorty.bfu

  • Execute the script by clicking the Execute button.
  • When it finishes running, click the Save button for a copy of the log
  • Post the log created by the script when you have completed the fix
* * * * * * * * * * * * * * * * * *


Download this file - [attachment=866:attachment]
From within it, double click on combo.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.


* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *


Download & install CleanUp.exe (not recommended for WinXP64)

Download Dr.Web CureIt & save it on desktop. We shall be using it later

'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading.
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.


* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
F2 - REG:system.ini: UserInit=userinit.exe,cbbssgv.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [w0140769.dll] RUNDLL32.EXE w0140769.dll,I2 000db01900140769
O4 - HKLM\..\Run: [ms049925881349] C:\WINDOWS\ms049925881349.exe
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe



* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * UN-INSTALLING PROGRAMS * * * * * * * * * * * * * *


Go to Start -> Control Panel -> Add or Remove Programs and uninstall the following programs:
  • ViewPoint
Please note any other programs that you don't recognize in that list in your next response.


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.
  • Tick - 'Show hidden files and folders'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders (let me know if you fail to find/delete any):
  • C:\Program Files\Viewpoint\
  • C:\WINDOWS\ms049925881349.exe
  • C:\Program Files\Common Files\svchostsys\
  • C:\Program Files\Windows\
  • C:\WINDOWS\system32\w0140769.dll
  • C:\WINDOWS\dmFsZXJpZSBnZXJtYWlu\

* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Delete Cookies
4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!


* * * * * * RUNNING DR. WEB * * * * * * * * * * * * * * * *
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found.
  • If so, click it and then click the next icon right below and select Move incurable.
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
** The scan will require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • HiJackThis log
  • ComboFix
  • Dr.Web
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

Edited by sUBs, 05 June 2006 - 08:18 PM.
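The entries sUBs picks out above (the UserInit line that chains a second executable, the Run entries pointing at svchostsys.exe, a rundll32 DLL given by bare name, an .exe dropped straight into C:\WINDOWS, and a service with "Unknown owner" whose binary is missing under a base64-looking directory name) can be found mechanically. The script below is an added example written for this page, not a tool from the thread or from the HijackThis project: it parses the F2, O4 and O23 lines of a HijackThis 1.99.1 log with simple heuristics and reports why each flagged line looks wrong. The sample input is a constructed excerpt of the log posted above plus two benign entries; the heuristics and the reason strings are my own and are meant as a triage aid, not a verdict.

```python
import base64
import re

# Constructed sample: a few HijackThis 1.99.1 lines taken from the log posted
# above, plus two benign entries, so the triage runs offline.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=userinit.exe,cbbssgv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [w0140769.dll] RUNDLL32.EXE w0140769.dll,I2 000db01900140769
O4 - HKLM\..\Run: [ms049925881349] C:\WINDOWS\ms049925881349.exe
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\dmFsZXJpZSBnZXJtYWlu\command.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

RUNDLL = re.compile(r'^"?rundll32(?:\.exe)?"?\s+([^,\s]+)', re.I)
EXE = re.compile(r'^"?([A-Za-z%][^"]*?\.(?:exe|dll|scr|com))"?', re.I)
# An executable directly under the Windows directory (not in a subfolder).
WINDIR_ROOT = re.compile(r"^(?:[A-Za-z]:\\windows|%(?:windir|systemroot)%)\\[^\\]+$", re.I)
B64_NAME = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")


def decode_base64_name(component):
    """Return the decoded text if a path component is printable base64, else None."""
    if not B64_NAME.match(component):
        return None
    try:
        text = base64.b64decode(component, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def check_userinit(body):
    """F2 line: anything besides userinit.exe in the UserInit value runs at every logon."""
    m = re.search(r"UserInit=(.*)$", body, re.I)
    if not m:
        return []
    parts = [p.strip().strip('"') for p in m.group(1).split(",")]
    extras = [p for p in parts if p and p.lower().rsplit("\\", 1)[-1] != "userinit.exe"]
    return ["UserInit chains extra program(s): " + ", ".join(extras)] if extras else []


def target_of(command):
    """The file a Run command loads: the DLL for rundll32, else the leading executable."""
    m = RUNDLL.match(command)
    if m:
        return m.group(1)
    m = EXE.match(command)
    return m.group(1) if m else None


def check_run(command):
    """O4 line: heuristics for auto-start commands that deserve a second look."""
    reasons = []
    target = target_of(command)
    if target is None:
        return reasons
    name = target.rsplit("\\", 1)[-1]
    if RUNDLL.match(command) and "\\" not in target:
        reasons.append("rundll32 loads a DLL by bare name: " + target)
    if WINDIR_ROOT.match(target):
        reasons.append("executable sits directly in the Windows directory")
    if "svchost" in name.lower() and "\\system32\\" not in target.lower():
        reasons.append("svchost look-alike outside system32: " + name)
    if re.search(r"\d{6,}", name):
        reasons.append("long digit run in file name (generated name?): " + name)
    return reasons


def check_service(body):
    """O23 line: unsigned/unknown owner, missing binary, base64-named directory."""
    reasons = []
    parts = body.split(" - ")
    if len(parts) < 3:
        return reasons
    owner, target = parts[1], parts[-1]
    path = target.replace("(file missing)", "").strip()
    if owner.lower() == "unknown owner":
        reasons.append("service binary carries no company name")
    if target.endswith("(file missing)"):
        reasons.append("service points at a missing file: " + path)
    for comp in path.split("\\"):
        decoded = decode_base64_name(comp)
        if decoded:
            reasons.append(f"directory name {comp!r} is base64 for {decoded!r}")
    return reasons


def triage(log_text):
    """Return [(line, [reasons])] for every F2/O4/O23 line that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if " - " not in line:
            continue
        section, body = line.split(" - ", 1)
        if section == "F2":
            reasons = check_userinit(body)
        elif section == "O4":
            reasons = check_run(body.split("] ", 1)[-1])
        elif section == "O23":
            reasons = check_service(body)
        else:
            reasons = []
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for r in reasons:
            print("    ->", r)
```

On the sample, the five lines sUBs asked to fix or delete are the five lines flagged, and the two vendor entries pass clean. The base64 check is the interesting one: the directory name in the cmdService path decodes to the same account name that appears in the HijackThis.exe path of the log, which is a strong hint the folder was generated per machine rather than shipped with any legitimate product. Treat every reason as a prompt to look closer, not as proof; HP's updater GUID directory, for instance, would trip a naive digit-run rule applied to the whole path, which is why the rule only inspects the file name.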


#4 sUBs

sUBs

  • Malware Response Team
  • 2,489 posts
  • OFFLINE
  • Local time:11:56 AM

Posted 05 June 2006 - 08:24 PM

Forgot to add this to my earlier instructions..

Please download the attached file - [attachment=867:attachment]
Double click on it & allow it to merge into the Registry.
It shall remove a malware entry from the registry.

You can do this after running the BFU.


* * * * * *


After you have posted the required logs, I shall require you to update your copy of Sun's java. Older versions of Java have been identified as entry points for malware.

Updating Java and Clearing Cache
  • Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
  • If it is not visible, click on 'Switch to Classic View' in the left pane of the Control Panel or 'Other Control Panel Options'
  • Please find the Update button or tab in the Java Control Panel. Update your Java then reboot.
  • If you are unable to update you can manually update by going here:

    http://www.java.com/en/download/manual.jsp

  • After the reboot, go back into the Control Panel and double-click the Java Icon.
  • Under the Advanced Tab, click <Applet> tag support and select the browser(s) you are using.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache - leave ALL 3 checked:
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  • Click OK on Delete Temporary Files Window
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.


#5 ucmd03

ucmd03
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:11:56 PM

Posted 07 June 2006 - 03:14 PM

Hi,

Thanks for the help.

I've got to the point of the Dr.Web step, but it says the "application configuration is incorrect. Reinstalling the application may fix this problem."

I even Googled and went directly to the Dr.Web website and had the same issue.

Can I try running this from normal mode instead of safe mode?

ssw

#6 ucmd03

ucmd03
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:11:56 PM

Posted 07 June 2006 - 03:26 PM

Oh, not sure if it matters, but I did download the file to a jump drive on another laptop. The program does work on the other laptop?????

#7 ucmd03

ucmd03
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:11:56 PM

Posted 07 June 2006 - 04:57 PM

Uhhhh, right, I don't know what was deleted, but now I have no Start button and other programs are not opening either. SOS!!!

#8 sUBs

sUBs

  • Malware Response Team
  • 2,489 posts
  • OFFLINE
  • Local time:11:56 AM

Posted 07 June 2006 - 08:27 PM

Please tell me what happened. What have you done so far?

#9 ucmd03

ucmd03
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:11:56 PM

Posted 07 June 2006 - 10:36 PM

Well, I restored my computer to the infected state because things weren't right.

I did everything step by step, setting restore points after each step.

I realized what was causing the problem was the CleanUp program. After running that, drwin (and other programs) would not run at all.

Did everything else in the process though.

Logs a-comin'.

#10 ucmd03

ucmd03
  • Topic Starter

  • Members
  • 15 posts
  • OFFLINE
  • Local time:11:56 PM

Posted 07 June 2006 - 10:48 PM

Latest HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 11:35:47 PM, on 6/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Documents and Settings\valerie germain\Desktop\HijackThis.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...sario&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...sario&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1148355064200
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


And the ComboFix log:

Start Time= Wed 06/07/2006 18:31:33.46

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-06-07 18:05:58 ( .D... ) "C:\Program Files\Snowball Wars"
2006-06-07 18:05:56 ( .D... ) "C:\Program Files\Windows"
2006-06-07 18:05:56 ( .D... ) "C:\Program Files\InetGet"
2006-06-07 18:05:56 ( .D... ) "C:\Program Files\ComPlus Applications"
2006-06-07 18:05:46 ( .D... ) "C:\Program Files\Viewpoint"
2006-06-07 15:47:42 ( .D... ) "C:\Program Files\CleanUp!(2)"
2006-06-04 21:31:16 ( .D... ) "C:\Program Files\InterMute"
2006-06-04 15:31:10 ( .D... ) "C:\Program Files\TechSmith"
2006-06-04 15:20:28 ( .D... ) "C:\Program Files\Common Files\Wise Installation Wizard"
2006-06-04 15:18:06 ( .D... ) "C:\Program Files\Windows Defender"
2006-05-31 15:10:52 ( .D... ) "C:\Program Files\Common Files\partypoker"
2006-05-25 20:22:20 ( .D... ) "C:\Program Files\Common Files\simtest"
2006-05-25 01:22:06 53248 ( A.... ) "C:\WINDOWS\bdoscandel.exe"
2006-05-22 21:57:46 ( .D... ) "C:\Program Files\Unlocker"
2006-05-22 21:56:10 ( .D... ) "C:\Program Files\CCleaner"
2006-05-18 21:19:14 ( .D... ) "C:\Program Files\WinZip"
2006-05-16 18:22:20 ( .D... ) "C:\Program Files\FC Edit 2ZZ-GE"
2006-05-16 18:21:32 249856 ( ..... ) "C:\WINDOWS\Setup1.exe"
2006-05-16 18:21:16 73216 ( A.... ) "C:\WINDOWS\ST6UNST.EXE"
2006-05-16 18:15:54 ( .D... ) "C:\Program Files\BELKIN"
2006-05-14 23:07:50 336 ( A.... ) "C:\WINDOWS\yrjry.dll"
2006-05-13 19:58:00 ( .D... ) "C:\Documents and Settings\valerie germain\Application Data\AVG7"
2006-05-13 19:45:28 ( .D... ) "C:\Program Files\Grisoft"
2006-05-13 19:42:06 32768 ( A.... ) "C:\WINDOWS\sehjoiej.exe"
2006-05-13 19:37:58 2 ( A.... ) "C:\WINDOWS\system32\wnsintsv.exe"
2006-05-13 19:37:52 ( .D... ) "C:\Program Files\Common Files\?ymantec"
2006-05-13 19:36:38 48187 ( A.... ) "C:\WINDOWS\system32\VSL03.exe"
2006-05-13 19:34:24 20480 ( A.... ) "C:\stub_venthh.exe"
2006-05-03 21:26:24 5818784 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2006-04-10 13:00:34 555824 ( A.... ) "C:\WINDOWS\system32\LegitCheckControl.dll"
2006-04-10 13:00:30 144688 ( ..... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-04-10 13:00:28 186672 ( ..... ) "C:\WINDOWS\system32\WgaTray.exe"
2006-04-10 12:36:16 8632 ( ..... ) "C:\WINDOWS\system32\spmsg.dll"
2006-03-30 05:16:04 1492480 ( A.... ) "C:\WINDOWS\system32\shdocvw.dll"
2006-03-29 21:00:14 16384 ( A.... ) "C:\WINDOWS\system32\xpsp3res.dll"
2006-03-23 16:32:42 3053568 ( A.... ) "C:\WINDOWS\system32\mshtml.dll"
2006-03-23 12:43:56 139264 ( A.... ) "C:\WINDOWS\ms049925881349.exe"
2006-03-18 07:09:38 613376 ( A.... ) "C:\WINDOWS\system32\urlmon.dll"
2006-03-17 05:07:18 679424 ( A.... ) "C:\WINDOWS\system32\inetcomm.dll"
2006-03-17 00:03:54 8452096 ( A.... ) "C:\WINDOWS\system32\shell32.dll"
2006-03-16 20:38:02 28672 ( ..... ) "C:\WINDOWS\system32\verclsid.exe"
2006-03-10 06:09:14 5533696 ( A.... ) "C:\WINDOWS\system32\wmp.dll"
2006-03-08 16:50:50 57344 ( A.... ) "C:\WINDOWS\uni_ehhh.exe"
2006-03-08 16:50:50 53248 ( A.... ) "C:\WINDOWS\unin101.exe"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
IgfxTray REG_SZ C:\WINDOWS\system32\igfxtray.exe
HotKeysCmds REG_SZ C:\WINDOWS\system32\hkcmd.exe
SunJavaUpdateSched REG_SZ C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
UpdateManager REG_SZ "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
SynTPLpr REG_SZ C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
SynTPEnh REG_SZ C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
HPHUPD05 REG_SZ c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
HPHmon05 REG_SZ C:\WINDOWS\system32\hphmon05.exe
ccApp REG_SZ "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
KernelFaultCheck REG_EXPAND_SZ %systemroot%\system32\dumprep 0 -k
iTunesHelper REG_SZ "C:\Program Files\iTunes\iTunesHelper.exe"
QuickTime Task REG_SZ "C:\Program Files\QuickTime\qttask.exe" -atboottime
HP Software Update REG_SZ C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
AVG7_CC REG_SZ C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
UnlockerAssistant REG_SZ "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
Windows Defender REG_SZ "C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
<NO NAME> REG_SZ

Scheduled Tasks Folder Contents
C:\WINDOWS\Tasks\desktop.ini
C:\WINDOWS\Tasks\MP Scheduled Scan.job
C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - valerie germain.job
C:\WINDOWS\Tasks\SA.DAT
C:\WINDOWS\Tasks\Symantec NetDetect.job

Completion time: Wed 06/07/2006 18:32:26.25
ComboFix ver 06.06.06 - This logfile is located at C:\ComboFix.txt
I don't know how to post the Dr.Web log; when I click it, it is like a blank Excel file.


Aside from the cleanup issue, I didn't find the following:


C:\WINDOWS\ms049925881349.exe
C:\Program Files\Common Files\svchostsys\
C:\WINDOWS\system32\w0140769.dll

#11 ucmd03

Topic Starter

Posted 07 June 2006 - 10:54 PM

Never mind, I figured out the Dr.Web log:


Dr.Web® Scanner for Windows v4.33.2 (4.33.2.03283)
Copyright © Igor Daniloff, 1992-2006
Log generated on: 2006-06-07, 19:03:23 [PC232921052285][valerie germain]
Command-line: "C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\cureit.exe" /lng /ini:cureit_XP.ini

Engine version: 4.33 (4.33.3.06020)
Engine API version: 2.01
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crwtoday.cdb - 524 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43338.cdb - 989 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43337.cdb - 855 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43336.cdb - 1297 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43335.cdb - 1195 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43334.cdb - 900 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43333.cdb - 1381 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43332.cdb - 1340 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43331.cdb - 2735 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43330.cdb - 2078 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43329.cdb - 2490 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43328.cdb - 743 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43327.cdb - 958 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43326.cdb - 793 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43325.cdb - 713 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43324.cdb - 655 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43323.cdb - 655 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43322.cdb - 778 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43321.cdb - 846 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43320.cdb - 808 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43319.cdb - 764 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43318.cdb - 838 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43317.cdb - 363 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43316.cdb - 730 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43315.cdb - 627 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43314.cdb - 824 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43313.cdb - 842 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43312.cdb - 830 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43311.cdb - 862 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43310.cdb - 853 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43309.cdb - 733 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43308.cdb - 708 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43307.cdb - 839 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43306.cdb - 930 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43305.cdb - 759 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43304.cdb - 721 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43303.cdb - 638 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43302.cdb - 806 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43301.cdb - 504 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crw43300.cdb - 24 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crwebase.cdb - 78674 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\cwrtoday.cdb - 53 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\cwr43301.cdb - 697 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crwrisky.cdb - 1271 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\cwntoday.cdb - 727 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\cwn43302.cdb - 850 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\cwn43301.cdb - 773 virus records
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crwnasty.cdb - 4867 virus records
Total virus records: 124840
Key file: C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\cureit.key
License key number: 0000000010
Registered to: Dr.Web CureIt Project
License key activates: 2005-03-05
License key expires: 2007-03-05


Scan statistics

Objects scanned: 0
Infected objects found: 0
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 0
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 0
Objects cured: 0
Objects deleted: 0
Objects renamed: 0
Objects moved: 0
Objects ignored: 0
Scan speed: 0 Kb/s
Scan time: 00:00:00


[Scan path] C:\WINDOWS\System32\smss.exe
[Scan path] C:\WINDOWS\system32\csrss.exe
[Scan path] C:\WINDOWS\system32\winlogon.exe
[Scan path] C:\WINDOWS\system32\services.exe
[Scan path] C:\WINDOWS\system32\lsass.exe
[Scan path] C:\WINDOWS\system32\svchost.exe
[Scan path] C:\Program Files\Windows Defender\MsMpEng.exe
[Scan path] C:\WINDOWS\explorer.exe
[Scan path] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\_start.exe
[Scan path] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\cureit.exe
[Scan path] C:\WINDOWS\system32\igfxtray.exe
[Scan path] C:\WINDOWS\system32\hkcmd.exe
[Scan path] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
[Scan path] C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
[Scan path] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
[Scan path] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
[Scan path] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
[Scan path] C:\WINDOWS\system32\hphmon05.exe
[Scan path] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
[Scan path] C:\WINDOWS\system32\dumprep.exe
[Scan path] C:\Program Files\iTunes\iTunesHelper.exe
[Scan path] C:\Program Files\QuickTime\qttask.exe
[Scan path] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
[Scan path] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
[Scan path] C:\Program Files\Unlocker\UnlockerAssistant.exe
[Scan path] C:\Program Files\Windows Defender\MSASCui.exe
[Scan path] C:\PROGRA~1\Grisoft\AVG7\avgw.exe
[Scan path] C:\Documents and Settings\valerie germain\Start Menu\Programs\Startup\desktop.ini
[Scan path] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
[Scan path] C:\WINDOWS\system32\mmsys.cpl
[Scan path] C:\WINDOWS\system32\icmui.dll
[Scan path] C:\WINDOWS\system32\rshx32.dll
[Scan path] C:\WINDOWS\system32\docprop.dll
[Scan path] C:\WINDOWS\system32\ntshrui.dll
[Scan path] C:\WINDOWS\system32\themeui.dll
[Scan path] C:\WINDOWS\system32\deskadp.dll
[Scan path] C:\WINDOWS\system32\deskmon.dll
[Scan path] C:\WINDOWS\system32\dssec.dll
[Scan path] C:\WINDOWS\system32\SlayerXP.dll
[Scan path] C:\WINDOWS\system32\shscrap.dll
[Scan path] C:\WINDOWS\system32\diskcopy.dll
[Scan path] C:\WINDOWS\system32\ntlanui2.dll
[Scan path] C:\WINDOWS\system32\printui.dll
[Scan path] C:\WINDOWS\system32\dskquoui.dll
[Scan path] C:\WINDOWS\system32\syncui.dll
[Scan path] C:\WINDOWS\system32\hticons.dll
[Scan path] C:\WINDOWS\system32\fontext.dll
[Scan path] C:\WINDOWS\system32\deskperf.dll
[Scan path] C:\WINDOWS\system32\cryptext.dll
[Scan path] C:\WINDOWS\system32\NETSHELL.dll
[Scan path] C:\WINDOWS\system32\wiashext.dll
[Scan path] C:\WINDOWS\system32\remotepg.dll
[Scan path] C:\WINDOWS\system32\wshext.dll
[Scan path] C:\Program Files\Common Files\System\Ole DB\oledb32.dll
[Scan path] C:\WINDOWS\system32\mstask.dll
[Scan path] C:\WINDOWS\system32\shdocvw.dll
[Scan path] C:\WINDOWS\system32\wuaucpl.cpl
[Scan path] C:\WINDOWS\system32\twext.dll
[Scan path] C:\WINDOWS\system32\shmedia.dll
[Scan path] C:\WINDOWS\system32\browseui.dll
[Scan path] C:\WINDOWS\system32\sendmail.dll
[Scan path] C:\WINDOWS\system32\occache.dll
[Scan path] C:\WINDOWS\system32\webcheck.dll
[Scan path] C:\WINDOWS\system32\appwiz.cpl
[Scan path] C:\WINDOWS\system32\shimgvw.dll
[Scan path] C:\WINDOWS\system32\netplwiz.dll
[Scan path] C:\WINDOWS\system32\zipfldr.dll
[Scan path] C:\WINDOWS\system32\cdfview.dll
[Scan path] C:\WINDOWS\system32\extmgr.dll
[Scan path] C:\WINDOWS\system32\msieftp.dll
[Scan path] C:\WINDOWS\system32\docprop2.dll
[Scan path] C:\WINDOWS\system32\dsquery.dll
[Scan path] C:\WINDOWS\system32\dsuiext.dll
[Scan path] C:\WINDOWS\system32\mydocs.dll
[Scan path] C:\WINDOWS\System32\cscui.dll
[Scan path] C:\WINDOWS\msagent\agentpsh.dll
[Scan path] C:\WINDOWS\system32\dfsshlex.dll
[Scan path] C:\WINDOWS\system32\photowiz.dll
[Scan path] C:\WINDOWS\System32\mmcshext.dll
[Scan path] C:\WINDOWS\system32\cabview.dll
[Scan path] C:\Program Files\Outlook Express\wabfind.dll
[Scan path] C:\WINDOWS\system32\wmpshell.dll
[Scan path] C:\WINDOWS\system32\mscoree.dll
[Scan path] C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
[Scan path] C:\PROGRA~1\MICROS~4\OFFICE11\MLSHEXT.DLL
[Scan path] C:\PROGRA~1\MICROS~4\OFFICE11\OLKFSTUB.DLL
[Scan path] C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
[Scan path] C:\Program Files\Synaptics\SynTP\SynTPCpl.dll
[Scan path] C:\Program Files\Common Files\KODAK\IFSCore\kodakshx.dll
[Scan path] C:\WINDOWS\system32\Audiodev.dll
[Scan path] C:\Program Files\iTunes\iTunesMiniPlayer.dll
[Scan path] C:\Program Files\Grisoft\AVG7\avgse.dll
[Scan path] C:\PROGRA~1\WINZIP\WZSHLSTB.DLL
[Scan path] C:\Program Files\Unlocker\UnlockerCOM.dll
[Scan path] C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
[Scan path] C:\Program Files\TechSmith\SnagIt 8\SnagItShellExt.dll
[Scan path] C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
[Scan path] C:\PROGRA~1\SPYBOT~1\SDHelper.dll
[Scan path] C:\WINDOWS\system32\SHELL32.dll
[Scan path] C:\WINDOWS\system32\stobject.dll
[Scan path] C:\WINDOWS\system32\crypt32.dll
[Scan path] C:\WINDOWS\system32\cryptnet.dll
[Scan path] C:\WINDOWS\system32\cscdll.dll
[Scan path] C:\WINDOWS\system32\igfxsrvc.dll
[Scan path] C:\WINDOWS\system32\wlnotify.dll
[Scan path] C:\WINDOWS\system32\sclgntfy.dll
[Scan path] C:\WINDOWS\system32\WgaLogon.dll
[Scan path] C:\WINDOWS\system32\DRIVERS\ACPI.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\ACPIEC.sys
[Scan path] C:\WINDOWS\system32\drivers\aec.sys
[Scan path] C:\WINDOWS\System32\drivers\afd.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\agp440.sys
[Scan path] C:\WINDOWS\System32\alg.exe
[Scan path] C:\WINDOWS\system32\DRIVERS\aliide.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\arp1394.sys
[Scan path] C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
[Scan path] C:\WINDOWS\system32\DRIVERS\asyncmac.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\atapi.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\atmarpc.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\audstub.sys
[Scan path] C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
[Scan path] C:\WINDOWS\System32\Drivers\avg7core.sys
[Scan path] C:\WINDOWS\System32\Drivers\avg7rsw.sys
[Scan path] C:\WINDOWS\System32\Drivers\avg7rsxp.sys
[Scan path] C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
[Scan path] C:\WINDOWS\system32\DRIVERS\bcmwl5.sys
[Scan path] C:\WINDOWS\system32\drivers\camcaud.sys
[Scan path] C:\WINDOWS\system32\drivers\camchal.sys
[Scan path] C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
[Scan path] C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
[Scan path] C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
[Scan path] C:\WINDOWS\system32\DRIVERS\cdrom.sys
[Scan path] C:\WINDOWS\system32\cisvc.exe
[Scan path] C:\WINDOWS\system32\clipsrv.exe
[Scan path] C:\WINDOWS\system32\DRIVERS\CmBatt.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\compbatt.sys
[Scan path] C:\WINDOWS\system32\dllhost.exe
[Scan path] C:\WINDOWS\system32\DRIVERS\disk.sys
[Scan path] C:\WINDOWS\System32\dmadmin.exe
[Scan path] C:\WINDOWS\System32\drivers\dmboot.sys
[Scan path] C:\WINDOWS\System32\drivers\dmio.sys
[Scan path] C:\WINDOWS\System32\drivers\dmload.sys
[Scan path] C:\WINDOWS\system32\drivers\DMusic.sys
[Scan path] C:\WINDOWS\system32\drivers\drmkaud.sys
[Scan path] C:\WINDOWS\system32\drivers\EABFiltr.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\fdc.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\flpydisk.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\fltMgr.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\ftdisk.sys
[Scan path] C:\WINDOWS\System32\Drivers\GEARAspiWDM.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\msgpc.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\HSFHWICH.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\HSF_DP.sys
[Scan path] C:\WINDOWS\System32\Drivers\HTTP.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\i8042prt.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\ialmnt5.sys
[Scan path] C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
[Scan path] C:\WINDOWS\system32\DRIVERS\imapi.sys
[Scan path] C:\WINDOWS\system32\imapi.exe
[Scan path] C:\WINDOWS\system32\DRIVERS\intelide.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\intelppm.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\Ip6Fw.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\ipfltdrv.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\ipinip.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\ipnat.sys
[Scan path] C:\Program Files\iPod\bin\iPodService.exe
[Scan path] C:\WINDOWS\system32\DRIVERS\ipsec.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\irenum.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\isapnp.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\kbdclass.sys
[Scan path] C:\WINDOWS\system32\drivers\kmixer.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\mdmxsdk.sys
[Scan path] C:\WINDOWS\system32\mnmsrvc.exe
[Scan path] C:\WINDOWS\system32\DRIVERS\mouclass.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\mrxdav.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\mrxsmb.sys
[Scan path] C:\WINDOWS\system32\msdtc.exe
[Scan path] C:\WINDOWS\system32\msiexec.exe
[Scan path] C:\WINDOWS\system32\drivers\MSKSSRV.sys
[Scan path] C:\WINDOWS\system32\drivers\MSPCLOCK.sys
[Scan path] C:\WINDOWS\system32\drivers\MSPQM.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\mssmbios.sys
[Scan path] C:\Program Files\Norton AntiVirus\navapsvc.exe
[Scan path] C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050126.050\NAVENG.Sys
[Scan path] C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050126.050\NavEx15.Sys
[Scan path] C:\WINDOWS\system32\DRIVERS\ndistapi.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\ndisuio.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\ndiswan.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\netbios.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\netbt.sys
[Scan path] C:\WINDOWS\system32\netdde.exe
[Scan path] C:\WINDOWS\system32\DRIVERS\nic1394.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\nwlnkflt.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\nwlnkfwd.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\ohci1394.sys
[Scan path] C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
[Scan path] C:\WINDOWS\system32\DRIVERS\parport.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\pci.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\pciide.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\pcmcia.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\raspptp.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\psched.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\ptilink.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\rasacd.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\rasirda.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\rasl2tp.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\raspppoe.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\raspti.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\rdbss.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
[Scan path] C:\WINDOWS\system32\sessmgr.exe
[Scan path] C:\WINDOWS\system32\DRIVERS\redbook.sys
[Scan path] C:\WINDOWS\system32\locator.exe
[Scan path] C:\WINDOWS\system32\rsvp.exe
[Scan path] C:\WINDOWS\system32\DRIVERS\Rtlnic51.sys
[Scan path] C:\Program Files\Norton AntiVirus\SAVRT.SYS
[Scan path] C:\Program Files\Norton AntiVirus\SAVRTPEL.SYS
[Scan path] C:\Program Files\Norton AntiVirus\SAVScan.exe
[Scan path] C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
[Scan path] C:\WINDOWS\System32\SCardSvr.exe
[Scan path] C:\WINDOWS\system32\ScsiAccess.EXE
[Scan path] C:\WINDOWS\system32\DRIVERS\secdrv.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\serenum.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\serial.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\sfloppy.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\smcirda.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\SONYPVU1.SYS
[Scan path] C:\WINDOWS\system32\drivers\splitter.sys
[Scan path] C:\WINDOWS\system32\spoolsv.exe
[Scan path] C:\WINDOWS\system32\DRIVERS\sr.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\srv.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\swenum.sys
[Scan path] C:\WINDOWS\system32\drivers\swmidi.sys
[Scan path] C:\Program Files\Symantec\SYMEVENT.SYS
[Scan path] C:\WINDOWS\system32\Drivers\SYMREDRV.SYS
[Scan path] C:\WINDOWS\system32\Drivers\SYMTDI.SYS
[Scan path] c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
[Scan path] C:\WINDOWS\system32\DRIVERS\SynTP.sys
[Scan path] C:\WINDOWS\system32\drivers\sysaudio.sys
[Scan path] C:\WINDOWS\system32\smlogsvc.exe
[Scan path] C:\WINDOWS\system32\DRIVERS\tcpip.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\termdd.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\u2s2kxp.sys
[Scan path] C:\WINDOWS\system32\wdfmgr.exe
[Scan path] C:\WINDOWS\system32\DRIVERS\update.sys
[Scan path] C:\WINDOWS\System32\ups.exe
[Scan path] C:\WINDOWS\system32\DRIVERS\usbccgp.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\usbehci.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\usbhub.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\usbprint.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\usbscan.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
[Scan path] C:\WINDOWS\system32\DRIVERS\usbuhci.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\usb8023.sys
[Scan path] C:\WINDOWS\System32\drivers\vga.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\viaide.sys
[Scan path] C:\WINDOWS\System32\vssvc.exe
[Scan path] C:\WINDOWS\system32\DRIVERS\w22n51.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\wanarp.sys
[Scan path] C:\WINDOWS\system32\drivers\wdmaud.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\HSF_CNXT.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\wmiacpi.sys
[Scan path] C:\WINDOWS\system32\wbem\wmiapsrv.exe
[Scan path] C:\WINDOWS\System32\drivers\ws2ifsl.sys
[Scan path] C:\WINDOWS\system32\drivers\ialmsbw.sys
[Scan path] C:\WINDOWS\system32\drivers\ialmkchw.sys

Scan statistics

Objects scanned: 268
Infected objects found: 0
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 0
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 0
Objects cured: 0
Objects deleted: 0
Objects renamed: 0
Objects moved: 0
Objects ignored: 0
Scan speed: 2013 Kb/s
Scan time: 00:00:28


[Scan path] C:\
C:\Documents and Settings\NetworkService\NTUSER.DAT - read error
C:\Documents and Settings\NetworkService\NTUSER~1.LOG - read error
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - read error
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\USRCLA~1.LOG - read error
C:\Documents and Settings\valerie germain\ntuser.dat - read error
C:\Documents and Settings\valerie germain\NTUSER~1.LOG - read error
C:\Documents and Settings\valerie germain\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - read error
C:\Documents and Settings\valerie germain\Local Settings\Application Data\Microsoft\Windows\USRCLA~1.LOG - read error
C:\Program Files\Common Files\svchostsys\svchostsys.exe infected with Trojan.DownLoader.10155 - incurable - moved
C:\Program Files\Common Files\svchostsys\svchostupdate.exe infected with Trojan.DownLoader.10155 - incurable - moved
C:\Program Files\InetGet\wstubSafull.exe infected with Trojan.DownLoader.9894 - deleted
C:\Program Files\Quicken\patchw32.dll probably infected with WIN.WORM.Virus
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP100\A0039007.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP100\A0039019.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP101\A0039092.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP101\A0039101.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP101\A0039122.exe infected with Trojan.DownLoader.10155 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP103\A0039175.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP103\A0039183.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP103\A0039189.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP103\A0039195.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP111\A0039279.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP114\A0039495.exe infected with modification of BackDoor.Generic.987 - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP114\A0039498.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP114\A0039499.exe infected with Trojan.DownLoader.10155 - incurable - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP114\A0039501.exe infected with Trojan.DownLoader.10155 - incurable - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP116\A0039568.exe infected with Trojan.DownLoader.10155 - incurable - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP116\A0039570.exe infected with Trojan.DownLoader.10155 - incurable - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP116\A0039793.exe infected with modification of BackDoor.Generic.987 - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP117\A0039840.exe infected with Trojan.DownLoader.10155 - incurable - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP117\A0039841.exe infected with Trojan.DownLoader.10155 - incurable - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP117\A0039842.exe infected with Trojan.DownLoader.9894 - deleted
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0031814.exe infected with Win32.HLLW.MyBot.based - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0031828.exe is adware program Adware.Surfside
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0031829.dll is adware program Adware.Surfside
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0031830.dll is adware program Adware.Surfside
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0031831.dll is adware program Adware.Surfside
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0031842.exe is adware program Adware.Surfside
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0031905.dll is adware program Adware.Surfside
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0031906.dll is adware program Adware.Surfside
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0031907.dll is adware program Adware.Surfside
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0031908.exe is adware program Adware.Surfside
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0031909.dll is adware program Adware.Surfside
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0031917.dll is adware program Adware.Look2me
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0032927.exe infected with Win32.HLLW.MyBot.based - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0032945.exe infected with Trojan.DownLoader.7262 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0032949.exe infected with Trojan.Click.911 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0032950.exe infected with Trojan.Popuper - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0032954.exe infected with Trojan.DownLoader.9440 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0032961.exe is adware program Adware.DollarRevenue
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0032964.exe infected with Trojan.DownLoader.6969 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0032968.exe infected with Trojan.Click.940 - deleted
>>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0032973.exe\data001 infected with Trojan.Popuper
>>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0032973.exe\data002 infected with Trojan.Popuper
>>>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0032973.exe\data004 infected with Trojan.Dyfuca
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0032973.exe - archive contains infected objects - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0032974.exe is adware program Adware.ZenoSearch
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0032976.exe is adware program Adware.Nexus
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0032977.exe infected with modification of BackDoor.Generic.987 - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0033978.exe infected with Trojan.DownLoader.8290 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP80\A0034993.dll is adware program Adware.Maxifiles
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP80\A0034994.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP80\A0034995.dll is adware program Adware.WebHancer
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP80\A0034996.exe is adware program Adware.WebHancer
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP80\A0034997.dll is adware program Adware.WebHancer
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP80\A0034998.exe is adware program Adware.WebHancer
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP80\A0034999.exe infected with BackDoor.Generic.1053 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP80\A0035986.exe infected with BackDoor.DarkMoon.66 - deleted
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP80\A0035998.dll is adware program Adware.Look2me
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP80\A0036003.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP80\A0036005.exe is adware program Adware.MediaTicket
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP81\A0036183.exe infected with Trojan.DownLoader.9894 - deleted
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP81\A0036186.dll is adware program Adware.Look2me
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP81\A0036199.exe is adware program Adware.Zesty
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP81\A0036200.exe infected with Trojan.DownLoader.5013 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP81\A0036201.exe is adware program Adware.Surfside
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP81\A0036202.exe is adware program Adware.TargetServer
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP81\A0036203.exe infected with Trojan.Click.970 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP81\A0036219.exe is adware program Adware.Etan
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP81\A0036222.dll is adware program Adware.Look2me
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP81\A0036223.exe infected with Trojan.Proxy.493 - deleted
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP81\A0036225.dll infected with Trojan.Proxy.493 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP81\A0036231.exe infected with Trojan.DownLoader.9894 - deleted
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP82\A0037221.dll infected with Trojan.DownLoader.8933 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP82\A0037225.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP82\A0037235.exe infected with Trojan.DownLoader.9894 - deleted
>>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037243.exe\data001 infected with Trojan.Popuper
>>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037243.exe\data002 infected with Trojan.Popuper
>>>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037243.exe\data004 infected with Trojan.Dyfuca
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037243.exe - archive contains infected objects - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037244.exe infected with BackDoor.DarkMoon.66 - deleted
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037245.exe infected with Trojan.PWS.Punch - deleted
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037246.exe infected with Trojan.Qoologic - deleted
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037247.exe infected with Trojan.Qoologic - deleted
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037248.exe infected with Win32.HLLW.MyBot.based - deleted
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037249.exe infected with Trojan.Qoologic - deleted
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037253.exe infected with Trojan.Qoologic - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037254.exe infected with BackDoor.Generic.1053 - deleted
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037256.exe infected with Trojan.PWS.Punch - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037257.exe infected with Trojan.MulDrop.2716 - incurable - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037258.exe is adware program Adware.NewDotNet
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037263.exe is adware program Adware.WebHancer
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037269.dll is adware program Adware.Dh
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037270.dll is adware program Adware.Bkspace
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037273.exe infected with Trojan.Popuper - deleted
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037274.exe infected with Trojan.Qoologic - deleted
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037276.dll is adware program Adware.Look2me
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037277.exe is adware program Adware.ZenoSearch
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037278.dll infected with Trojan.Qoologic - deleted
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037279.dll is adware program Adware.Look2me
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037280.dll is adware program Adware.Look2me
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037281.dll is adware program Adware.Look2me
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037282.exe is adware program Adware.ZenoSearch
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037283.dll is adware program Adware.Look2me
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037284.exe is adware program Adware.ZenoSearch
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037285.dll is adware program Adware.Lc
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037286.dll is adware program Adware.Lc
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037287.dll is adware program Adware.Lc
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037288.dll is adware program Adware.Lc
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037289.dll is adware program Adware.Lc
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037290.dll is adware program Adware.Lc
>C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037291.dll is adware program Adware.Lc
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037297.dll is adware program Adware.NewDotNet
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037298.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037299.exe is adware program Adware.Yavak
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP86\A0037319.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP88\A0037364.exe infected with Trojan.Click.1211 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP90\A0037444.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP90\A0037451.dll is adware program Adware.Surfside
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP90\A0037453.exe is adware program Adware.Surfside
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP90\A0037454.exe is adware program Adware.Surfside
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP90\A0037456.dll is adware program Adware.Surfside
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP90\A0037464.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP90\A0037476.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP90\A0037621.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP90\A0037627.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP94\A0037679.exe is adware program Adware.DollarRevenue
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP94\A0037680.exe infected with Trojan.DownLoader.9866 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP94\A0037681.exe infected with Trojan.Click.1206 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP94\A0037688.exe infected with Trojan.Click.1207 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP94\A0037692.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP94\A0037698.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP94\A0037709.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP95\A0037723.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP95\A0037729.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP95\A0037743.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP95\A0037749.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP97\A0037759.exe is adware program Adware.WebHancer
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP97\A0037760.dll is adware program Adware.WebHancer
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP97\A0037761.exe is adware program Adware.WebHancer
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP97\A0037762.dll is adware program Adware.WebHancer
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP97\A0037763.exe is adware program Adware.WebHancer
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP97\A0038752.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP98\A0038798.dll is adware program Adware.BookedSpace
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP98\A0038799.exe is adware program Adware.BookedSpace
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP98\A0038800.exe is adware program Adware.BookedSpace
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP98\A0038801.dll is adware program Adware.BookedSpace
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP98\A0038803.dll is adware program Adware.BookedSpace
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP98\A0038806.exe is adware program Adware.WebHancer
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP98\A0038808.dll is adware program Adware.WebHancer
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP98\A0038809.exe is adware program Adware.WebHancer
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP98\A0038810.exe is adware program Adware.WebHancer
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP98\A0038856.dll is adware program Adware.WebHancer
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP98\A0038861.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP99\A0038935.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP99\A0038943.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP99\A0038952.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP99\A0038971.exe infected with Trojan.DownLoader.9894 - deleted
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP99\A0038985.exe infected with Trojan.DownLoader.9894 - deleted
C:\WINDOWS\ms049925881349.exe infected with modification of BackDoor.Generic.987 - moved
C:\WINDOWS\unin101.exe infected with Trojan.Click.1166 - deleted
C:\WINDOWS\system32\config\default - read error
C:\WINDOWS\system32\config\default.LOG - read error
C:\WINDOWS\system32\config\SAM - read error
C:\WINDOWS\system32\config\SAM.LOG - read error
C:\WINDOWS\system32\config\SECURITY - read error
C:\WINDOWS\system32\config\SECURITY.LOG - read error
C:\WINDOWS\system32\config\software - read error
C:\WINDOWS\system32\config\software.LOG - read error
C:\WINDOWS\system32\config\system - read error
C:\WINDOWS\system32\config\system.LOG - read error

[Scan path] E:\

Scan statistics

Objects scanned: 133723
Infected objects found: 88
Objects with modifications found: 4
Suspicious objects found: 1
Adware programs found: 68
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 0
Objects cured: 0
Objects deleted: 73
Objects renamed: 0
Objects moved: 15
Objects ignored: 0
Scan speed: 65 Kb/s
Scan time: 01:54:27


C:\Program Files\Quicken\patchw32.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0031828.exe - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0031829.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0031830.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0031831.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0031842.exe - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0031905.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0031906.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0031907.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0031908.exe - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0031909.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0031917.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0032961.exe - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0032974.exe - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP79\A0032976.exe - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP80\A0034993.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP80\A0034995.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP80\A0034996.exe - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP80\A0034997.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP80\A0034998.exe - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP80\A0035998.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP80\A0036005.exe - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP81\A0036186.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP81\A0036199.exe - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP81\A0036201.exe - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP81\A0036202.exe - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP81\A0036219.exe - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP81\A0036222.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037258.exe - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037263.exe - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037269.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037270.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037276.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037277.exe - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037279.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037280.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037281.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037282.exe - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037283.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037284.exe - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037285.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037286.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037287.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037288.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037289.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037290.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037291.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037297.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP84\A0037299.exe - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP90\A0037451.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP90\A0037453.exe - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP90\A0037454.exe - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP90\A0037456.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP94\A0037679.exe - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP97\A0037759.exe - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP97\A0037760.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP97\A0037761.exe - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP97\A0037762.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP97\A0037763.exe - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP98\A0038798.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP98\A0038799.exe - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP98\A0038800.exe - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP98\A0038801.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP98\A0038803.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP98\A0038806.exe - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP98\A0038808.dll - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP98\A0038809.exe - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP98\A0038810.exe - moved
C:\System Volume Information\_restore{1C74FEA9-2D71-4415-8AE0-5DBB04006415}\RP98\A0038856.dll - moved


Total session statistics

Objects scanned: 133991
Infected objects found: 88
Objects with modifications found: 4
Suspicious objects found: 1
Adware programs found: 68
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 0
Objects cured: 0
Objects deleted: 73
Objects renamed: 0
Objects moved: 84
Objects ignored: 0
Scan speed: 73 Kb/s
Scan time: 01:54:55



Dr.Web® Scanner for Windows v4.33.2 (4.33.2.03283)
Copyright © Igor Daniloff, 1992-2006
Log generated on: 2006-06-07, 21:58:17 [PC232921052285][valerie germain]
Command-line: "C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\cureit.exe" /lng /ini:cureit_XP.ini

Engine version: 4.33 (4.33.3.06020)
Engine API version: 2.01
[Virus base] C:\DOCUME~1\VALERI~1\LOCALS~1\Temp\RarSFX0\crwtoday.cdb - 524 virus reco

#12 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 08 June 2006 - 06:12 AM

Please read this post completely before beginning the fix.


Right click on this link & choose "Save As...": DelO15Domains.inf
Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards.

SpywareBlaster 3.5.1 - Install & update SpywareBlaster with the latest definitions.
After you have updated, click the button - enable protection for all unprotected items

IE-SpyAD - Extract the contents to a new folder
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list.
Then return to the main menu.
Select option #4 - Add the old porn sites domain


* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


Uninstall the following programs, if present, using Control Panel->Add/Remove Programs:
  • Purity Scan\Snowball Wars by OIN (or any programs by OIN)
Please note any other programs that you don't recognize in that list in your next response.

In case Purityscan or OINS is not listed, download and use this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.
  • Tick - 'Show hidden files and folder'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders: (make sure you get ALL of them)
  • C:\Program Files\Snowball Wars
  • C:\Program Files\Windows
  • C:\Program Files\InetGet
  • C:\Program Files\Viewpoint
  • C:\WINDOWS\yrjry.dll
  • C:\WINDOWS\sehjoiej.exe
  • C:\WINDOWS\system32\wnsintsv.exe
  • C:\Program Files\Common Files\?ymantec
  • C:\WINDOWS\system32\VSL03.exe
  • C:\stub_venthh.exe
  • C:\WINDOWS\ms049925881349.exe
  • C:\WINDOWS\uni_ehhh.exe
  • C:\WINDOWS\unin101.exe

* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Go to Start> Run - type cleanmgr (this starts Windows DiskCleanup)
  • Select Drive C: & click the 'OK' button
  • Select the following options:
    • Temporary Internet Files
    • Recycle Bin
    • Temporary Files
  • Click the 'OK' button
Please post a fresh Hijackthis log when you're done

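The deletion list from the post above as a checker script, added here as an editor's example; it is not sUBs' tool and not part of the thread. The `?` in `?ymantec` is the forum's rendering of a character it could not display: the folder looks like "Symantec" in Explorer but is spelled with a look-alike or non-printable character on disk, which is exactly why searching for the literal name finds only the legitimate folder. The script treats `?` as a one-character wildcard in the last path component, reports any matched name that contains non-ASCII characters together with their code points, and puts a wildcard match with an ordinary ASCII name into a "review" bucket that is never deleted automatically. Paths are taken relative to a root so it can be exercised against a constructed sample tree (the `build_demo` tree is made up for the example, including the Cyrillic look-alike); on the real machine the root would be the system drive.

```python
import shutil
import tempfile
import unicodedata
from fnmatch import fnmatch
from pathlib import Path
from typing import Optional

# The files and folders from the cleanup list above, relative to the system drive.
# A '?' stands for a character the forum page could not render.
CLEANUP_LIST = [
    r"Program Files\Snowball Wars",
    r"Program Files\Windows",
    r"Program Files\InetGet",
    r"Program Files\Viewpoint",
    r"WINDOWS\yrjry.dll",
    r"WINDOWS\sehjoiej.exe",
    r"WINDOWS\system32\wnsintsv.exe",
    r"Program Files\Common Files\?ymantec",
    r"WINDOWS\system32\VSL03.exe",
    r"stub_venthh.exe",
    r"WINDOWS\ms049925881349.exe",
    r"WINDOWS\uni_ehhh.exe",
    r"WINDOWS\unin101.exe",
]


def suspicious_chars(name: str) -> list[str]:
    """Characters in a file name outside printable ASCII, with their Unicode names,
    so the report shows why a name that looks like 'Symantec' is not."""
    return [f"U+{ord(c):04X} ({unicodedata.name(c, 'unnamed')})"
            for c in name if not 32 <= ord(c) < 127]


def resolve(root: Path, entry: str) -> list[Path]:
    """On-disk paths matching one cleanup entry. Only the last component may carry a
    '?' (one arbitrary character) or '*' wildcard; everything else must match exactly."""
    *parents, leaf = entry.split("\\")
    parent = root.joinpath(*parents)
    if not parent.is_dir():
        return []
    if "?" not in leaf and "*" not in leaf:
        target = parent / leaf
        return [target] if target.exists() else []
    return sorted(p for p in parent.iterdir() if fnmatch(p.name, leaf))


def check(root: Path, entries: list[str] = CLEANUP_LIST) -> dict[str, list[str]]:
    """Classify every entry: 'found' (safe to remove), 'missing' (already gone or never
    present), or 'review' (a wildcard matched a plain-ASCII name, e.g. a legitimate
    'Symantec' folder beside the look-alike; never delete those automatically)."""
    report: dict[str, list[str]] = {"found": [], "missing": [], "review": []}
    for entry in entries:
        matches = resolve(root, entry)
        if not matches:
            report["missing"].append(entry)
            continue
        wildcard = "?" in entry or "*" in entry
        for p in matches:
            rel = str(p.relative_to(root))
            if wildcard and not suspicious_chars(p.name):
                report["review"].append(rel)
            else:
                report["found"].append(rel)
    return report


def remove(root: Path, entries: list[str] = CLEANUP_LIST, dry_run: bool = True) -> list[str]:
    """Remove the 'found' items (directories recursively). Returns what was, or with
    dry_run=True would be, removed; 'review' and 'missing' entries are never touched."""
    removed = []
    for rel in check(root, entries)["found"]:
        target = root / rel
        if not dry_run:
            if target.is_dir():
                shutil.rmtree(target)
            else:
                target.unlink()
        removed.append(rel)
    return removed


def build_demo(base: Optional[Path] = None) -> Path:
    """Constructed sample tree (not from the thread): a look-alike folder spelled with
    Cyrillic DZE (U+0405) beside a legitimate 'Symantec', plus two items from the list."""
    root = Path(base) if base else Path(tempfile.mkdtemp(prefix="cleanup_demo_"))
    (root / "Program Files" / "Common Files" / "\u0405ymantec").mkdir(parents=True)
    (root / "Program Files" / "Common Files" / "Symantec").mkdir()
    (root / "Program Files" / "Viewpoint").mkdir()
    (root / "WINDOWS" / "system32").mkdir(parents=True)
    (root / "WINDOWS" / "unin101.exe").write_bytes(b"MZ")   # placeholder bytes, not the real file
    return root


if __name__ == "__main__":
    demo = build_demo()
    for status, items in check(demo).items():
        print(status, *items, sep="\n  ")
    print("would remove:", remove(demo, dry_run=True))
```

Run against the real drive the root is `Path("C:/")` and the "missing" bucket is the list to report back, which is what the reply below does by hand. A wildcard match that lands in "review" deserves a look at its creation time and contents before anything is deleted, since the same pattern also matches a legitimately named folder.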
#13 ucmd03

  • Topic Starter
  • Members
  • 15 posts

Posted 08 June 2006 - 03:03 PM

I was not able to find a few things to delete:

C:\WINDOWS\system32\wnsintsv.exe
C:\Program Files\Common Files\?ymantec
C:\WINDOWS\unin101.exe

Here's the latest log:

Logfile of HijackThis v1.99.1
Scan saved at 3:56:20 PM, on 6/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\ScsiAccess.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\iTunes\iTunes.exe
C:\Documents and Settings\valerie germain\Desktop\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...sario&pf=laptop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.microsoft.com/isapi/redir.dll?p...B_PVER}&ar=home
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.google.com/keyword/%s
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&t...sario&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe" -H
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=presario&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1148355064200
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

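The log above is raw HijackThis output, and the helper reads it by hand for entries that commonly deserve a second look. The following Python script is an added example of that triage, not part of the thread or of HijackThis itself: it parses the `Rn`/`On` entry lines, ignores the header and process list, and flags orphaned entries marked "(file missing)", services with no recorded owner, Winlogon Notify DLLs and downloaded ActiveX controls (O16). The sample log is a constructed subset of the lines posted above; the flag rules are this example's own choice, not HijackThis's.

```python
"""Triage helper for HijackThis 1.99 logs (added example, not HijackThis code)."""
import re
from dataclasses import dataclass

# Constructed sample: a handful of entries in the shape of the log posted above.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\system32\ScsiAccess.EXE
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
"""

# Every HijackThis entry line starts with a section code (R0, O4, O23, ...) followed by " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")


@dataclass
class Finding:
    section: str
    reason: str
    entry: str


def parse_entries(log_text):
    """Yield (section, body) for each entry line; header and process-list lines are skipped."""
    for line in log_text.splitlines():
        match = ENTRY_RE.match(line.strip())
        if match:
            yield match.group(1), match.group(2)


def triage(log_text):
    """Apply a few review rules to a log and return the entries worth a closer look."""
    findings = []
    for section, body in parse_entries(log_text):
        if "(file missing)" in body:
            # Registry still points at a binary that is gone: harmless leftover, safe to clean.
            findings.append(Finding(section, "orphaned entry: target file no longer exists", body))
        if section == "O23" and "Unknown owner" in body:
            # Service binary with no vendor string: confirm what it belongs to before trusting it.
            findings.append(Finding(section, "service with no recorded owner; verify the binary", body))
        if section == "O20":
            # Winlogon Notify DLLs load in every logon session, so each one should be accounted for.
            findings.append(Finding(section, "Winlogon Notify DLL loads at logon; confirm it is expected", body))
        if section == "O16":
            # Downloaded Program Files (ActiveX controls) stay installed until removed.
            url = body.rsplit(" - ", 1)[-1]
            findings.append(Finding(section, f"ActiveX control fetched from {url}; keep only if still needed", body))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(f"[{finding.section}] {finding.reason}\n    {finding.entry}")
```

Run it against a saved log by replacing `SAMPLE_LOG` with the file contents; the rules are deliberately conservative, and a finding means "look at this", not "this is malware".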
#14 ucmd03

  • Topic Starter
  • Members
  • 15 posts

Posted 08 June 2006 - 08:20 PM

bump

#15 sUBs

  • Malware Response Team
  • 2,489 posts

Posted 08 June 2006 - 09:26 PM

i was not able to find a few things to delete:

C:\WINDOWS\system32\wnsintsv.exe
C:\Program Files\Common Files\?ymantec
C:\WINDOWS\unin101.exe


No worry. If you've managed to run the OIN uninstaller, that may have removed them.

Your system is clean. Kindly follow these simple steps in order to keep your computer clean and secure:
  • CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
    Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK


  • DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folder
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  • SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
    • Select the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Select Custom Level .
        • Change 'Download signed ActiveX controls' to Prompt
        • Change 'Download unsigned ActiveX controls' to Disable
        • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
        • Change 'Installation of desktop items' to Prompt
        • Change 'Launching programs and files in an IFRAME' to Prompt
        • Change 'Navigate sub-frames across different domains' to Prompt
        • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.
  • ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  • FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here.


  • Microsoft Windows Update
    Visit windowsupdate.com regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  • SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software. A tutorial on installing & using this product can be found here.


  • AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis, in conjunction with Spybot, just as you would with antivirus software. A tutorial on installing & using this product can be found here.
Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • Google Toolbar - Get the free google toolbar to help stop pop up windows.

  • CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

  • Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.


PS... I kid you not about this. Get the Java update I listed in post #4. If not, you'll be back shortly & most of us will probably ignore you then.
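The "Securing Internet Explorer" steps above are clicked through in the Custom Level dialog, but each of those six settings is stored as a numeric value under the Internet zone's registry key, so they can be audited rather than eyeballed. The script below is an added example, not part of sUBs's post: it compares a snapshot of the zone against the recommended states (0 = Enable, 1 = Prompt, 3 = Disable) and reports any setting that is missing or weaker. The key path and the value IDs (1001, 1004, 1201, 1607, 1800, 1804) are Microsoft's documented Internet Settings zone action IDs; `SAMPLE_ZONE` is a constructed snapshot, and the registry read is only attempted on Windows.

```python
"""Audit IE's Internet zone against the Custom Level settings recommended above (added example)."""
try:
    import winreg  # Windows only; the comparison logic itself needs no registry access
except ImportError:
    winreg = None

# Zone 3 is the Internet zone; zones 1, 2 and 4 are Intranet, Trusted and Restricted.
ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

ENABLE, PROMPT, DISABLE = 0, 1, 3  # the three states a zone action can take
STATE_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable"}

# Zone action ID -> (dialog label, recommended state), mirroring the steps in the post above.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}


def find_deviations(current):
    """Return (label, current_state, wanted_state) for each setting that is unset or weaker than recommended.

    A stricter setting than recommended (Disable where Prompt is asked for) is not reported.
    """
    deviations = []
    for value_name, (label, wanted) in RECOMMENDED.items():
        actual = current.get(value_name)
        if actual is None or actual < wanted:
            deviations.append((label, STATE_NAME.get(actual, "not set"), STATE_NAME[wanted]))
    return deviations


def read_internet_zone():
    """Read the current user's Internet zone values from the registry (Windows only)."""
    if winreg is None:
        raise RuntimeError("registry access requires Windows")
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        for name in RECOMMENDED:
            try:
                values[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                pass  # value absent; find_deviations reports it as "not set"
    return values


# Constructed snapshot (not read from a real machine): two settings still differ from the recommendation.
SAMPLE_ZONE = {"1001": ENABLE, "1004": DISABLE, "1201": DISABLE,
               "1800": PROMPT, "1804": PROMPT, "1607": ENABLE}


if __name__ == "__main__":
    snapshot = read_internet_zone() if winreg else SAMPLE_ZONE
    for label, have, want in find_deviations(snapshot):
        print(f"{label}: is {have}, recommended {want}")
```

On a Windows machine the script reads the live values for the current user; elsewhere it falls back to the constructed snapshot so the comparison can still be exercised. Per-user values are what the Custom Level dialog edits, so an audit of another account's zone has to run as that user.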



