
Trojan Downloaders And Worms

This topic is locked
14 replies to this topic

#1 NicholFanning (Members, 7 posts)

Posted 21 June 2006 - 09:36 AM

This is the log created by HijackThis. This is also my work computer, so I'd like to avoid trouble and get it resolved quickly. I have installed AVG anti-virus and ZoneAlarm firewall, and I have run Ad-Aware SE and Spybot Search and Destroy. Please help me. Thank you

Nichol



Logfile of HijackThis v1.99.1
Scan saved at 9:20:44 AM, on 06/21/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\csasvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\thiselt.exe
C:\windows\system32\dwdsregt.exe
C:\WINDOWS\system32\mptft.exe
C:\WINDOWS\system32\ssn6tuu.exe
C:\Program Files\ipwins\ipwins.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\nr1rnqm8.exe
C:\WINDOWS\system32\pwintqez.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\STATIO~1.BKM\APPLIC~1\STEM~1\RVICES~1.EXE
C:\WINDOWS\system32\tfthot.exe
C:\Program Files\TClock\TClock.exe
C:\Program Files\Spybot - Search & Destroy\wunins000.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Documents and Settings\station15.BKM\Desktop\hijackthis_sfx.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,mlkdckf.exe
O2 - BHO: (no name) - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - (no file)
O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\system32\nodeipproc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yvakt Class - {5C3E6596-C64F-48E0-AC1E-B9C6EB3A5915} - C:\WINDOWS\system32\x3cqp0.dll
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\system32\adrotate.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [kxqmqc] C:\WINDOWS\system32\lgmure.exe reg_run
O4 - HKLM\..\Run: [{DA-AE-E6-63-ZN}] C:\windows\system32\dwdsregt.exe FI002
O4 - HKLM\..\Run: [win32097-59469455] C:\WINDOWS\win32097-59469455.exe
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\system32\mptft.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\system32\ssn6tuu.exe"
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\pwintqez.exe FI002
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [huxns] C:\WINDOWS\system32\lgmure.exe reg_run
O4 - HKCU\..\Run: [Hart] "C:\PROGRA~1\STEM32~1\wuauboot.exe" -vt yazr
O4 - HKCU\..\Run: [Flbc] C:\DOCUME~1\STATIO~1.BKM\APPLIC~1\STEM~1\RVICES~1.EXE
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\pwintqez.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\system32\psdsregm.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZC
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D92D7607-05D9-4DD8-B68B-D458948FB883} (QuickBooks Online Edition Utilities Class v7) - https://accounting.quickbooks.com/v11.263/qboax7.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bkm.local
O17 - HKLM\Software\..\Telephony: DomainName = bkm.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bkm.local
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINDOWS\system32\x3cqp0.dll
O20 - AppInit_DLLs: csrss.dll C:\WINDOWS\system32\csrss.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Solutions Accounting Print Service (CSAPrintService) - Creative Solutions - C:\WINDOWS\csasvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
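A HijackThis log like the one above is normally read by eye, and the entries a helper looks at first are the persistence points that legitimate software rarely touches: an extra program appended to the Winlogon UserInit value (F2), a non-empty AppInit_DLLs value (O20), a text/html MIME filter that sees every page IE renders (O18), domains added to the Trusted Zone (O15) and ActiveX downloads served from those very domains (O16), Run entries that point at loose executables in C:\WINDOWS or system32 or that launch a URL (O4), and BHOs whose file is already gone (O2). The following Python script is an added example, not part of this thread and not a HijackThis feature; it applies those checks to an excerpt of the posted log. The rule names and the small allowlist of expected system binaries are this example's assumptions.

```python
"""Triage a HijackThis v1.99 log for the entries a reviewer looks at first.

Added example; not part of the thread and not a HijackThis feature. The rule
names and the allowlist below are this example's assumptions.
"""
import re
from dataclasses import dataclass

# Excerpt of the HijackThis log posted above (constructed subset).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,mlkdckf.exe
O2 - BHO: (no name) - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - (no file)
O2 - BHO: Yvakt Class - {5C3E6596-C64F-48E0-AC1E-B9C6EB3A5915} - C:\WINDOWS\system32\x3cqp0.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\system32\ssn6tuu.exe"
O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINDOWS\system32\x3cqp0.dll
O20 - AppInit_DLLs: csrss.dll C:\WINDOWS\system32\csrss.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Loose executables in %WINDIR%/system32 that are expected on an XP box of this
# kind (assumption: a deliberately small allowlist, not a complete one).
KNOWN_GOOD_SYSTEM_BINARIES = {"ctfmon.exe", "soundman.exe", "nerocheck.exe"}

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
WINDIR_EXE_RE = re.compile(r'^"?C:\\WINDOWS\\(?:system32\\)?(?P<file>[^\\"\s]+\.exe)"?', re.I)
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    line: str


def parse_hjt(text):
    """Split the log into (section code, body) pairs; header lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def trusted_zone_domains(entries):
    """Domains added to the IE Trusted Zone (O15), with the '*.' prefix removed."""
    return {body.split(":", 1)[1].strip().lstrip("*.").lower()
            for code, body in entries if code == "O15"}


def triage(entries):
    trusted = trusted_zone_domains(entries)
    findings = []
    for code, body in entries:
        line, rule = f"{code} - {body}", None
        if code == "F2" and "UserInit=" in body:
            # Winlogon runs every comma-separated item; only userinit.exe belongs here.
            extra = [t for t in body.split("UserInit=", 1)[1].split(",")[1:] if t.strip()]
            rule = "userinit-hijack" if extra else None
        elif code == "O2" and body.endswith("(no file)"):
            rule = "orphan-bho"  # dead registration; usually a leftover from a removal
        elif code == "O4":
            m = O4_RE.match(body)
            if m:
                cmd = m.group("cmd")
                w = WINDIR_EXE_RE.match(cmd)
                if URL_HOST_RE.search(cmd):
                    rule = "run-launches-url"  # a Run value that opens a URL at logon
                elif w and w.group("file").lower() not in KNOWN_GOOD_SYSTEM_BINARIES:
                    rule = "autorun-in-windir"  # loose exe dropped straight into %WINDIR%
        elif code == "O15":
            rule = "trusted-zone-addition"
        elif code == "O16":
            m = URL_HOST_RE.search(body)
            host = m.group(1).lower() if m else ""
            # An ActiveX package served from a domain the user was made to trust.
            if any(host == d or host.endswith("." + d) for d in trusted):
                rule = "activex-from-trusted-zone"
        elif code == "O18" and body.startswith("Filter: text/html"):
            rule = "mime-filter-hijack"  # DLL sees/rewrites every HTML page IE loads
        elif code == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            rule = "appinit-dll"  # loaded into every process that links user32.dll
        if rule:
            findings.append(Finding(rule, line))
    return findings


def rule_counts(findings):
    counts = {}
    for f in findings:
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{f.rule:28} {f.line}")
```

Run against the excerpt it flags nine entries and leaves ccApp, ctfmon.exe, the Zone Labs service and the search hijack alone; the R0 lines are left to a separate check because a changed search page is a symptom rather than a persistence mechanism. Note that the F2 rule keys on anything after the first comma, so it also catches the common trick of pointing the second item at a copy of userinit.exe under a different name.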

#2 Rawe (Members, 2,363 posts, Finland)

Posted 21 June 2006 - 12:37 PM

Welcome aboard, let's get started.

Download Combofix to your desktop:
  • Double-click combofix.exe & follow the prompts.
  • When finished, it will produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click Combofix's window whilst it's running. That may cause it to stall.

==

Then, after that, do the following scan and post the results:

Please download Dr.Web CureIt to the desktop:
  • Double-click the drweb-cureit.exe file and allow it to run the Express scan.
  • This will scan the files currently running in memory, and when something is found, click the YES button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the icon next to the files found.
  • If so, click it, then click the icon right below it and select Move incurable.
    This will move the file to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer! Files in use may be moved/deleted during the reboot.
  • After the reboot, upload the DrWeb.csv file in your next post, along with the contents of the Combofix log.


#3 NicholFanning (Topic Starter, Members, 7 posts)

Posted 22 June 2006 - 03:27 PM

I had problems running these applications, but I think I got it. Here are my logs.

Dr.Web® Scanner for Windows v4.33.2 (4.33.2.03283)
Copyright © Igor Daniloff, 1992-2006
Log generated on: 2006-06-22, 14:56:16 [100616A][Station15]
Command-line: "C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\cureit.exe" /lng /ini:cureit_XP.ini

Engine version: 4.33 (4.33.3.06020)
Engine API version: 2.01
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crwtoday.cdb - 600 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43340.cdb - 822 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43339.cdb - 1071 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43338.cdb - 989 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43337.cdb - 855 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43336.cdb - 1297 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43335.cdb - 1195 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43334.cdb - 900 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43333.cdb - 1381 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43332.cdb - 1340 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43331.cdb - 2735 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43330.cdb - 2078 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43329.cdb - 2490 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43328.cdb - 743 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43327.cdb - 958 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43326.cdb - 793 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43325.cdb - 713 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43324.cdb - 655 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43323.cdb - 655 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43322.cdb - 778 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43321.cdb - 846 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43320.cdb - 808 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43319.cdb - 764 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43318.cdb - 838 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43317.cdb - 363 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43316.cdb - 730 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43315.cdb - 627 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43314.cdb - 824 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43313.cdb - 842 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43312.cdb - 830 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43311.cdb - 862 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43310.cdb - 853 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43309.cdb - 733 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43308.cdb - 708 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43307.cdb - 839 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43306.cdb - 930 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43305.cdb - 759 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43304.cdb - 721 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43303.cdb - 638 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43302.cdb - 806 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43301.cdb - 504 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crw43300.cdb - 24 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crwebase.cdb - 78674 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\cwrtoday.cdb - 74 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\cwr43301.cdb - 697 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crwrisky.cdb - 1271 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\cwntoday.cdb - 70 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\cwn43303.cdb - 766 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\cwn43302.cdb - 850 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\cwn43301.cdb - 773 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\crwnasty.cdb - 4867 virus records
Total virus records: 126939
Key file: C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\cureit.key
License key number: 0000000010
Registered to: Dr.Web CureIt Project
License key activates: 2005-03-05
License key expires: 2007-03-05


Scan statistics

Objects scanned: 0
Infected objects found: 0
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 0
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 0
Objects cured: 0
Objects deleted: 0
Objects renamed: 0
Objects moved: 0
Objects ignored: 0
Scan speed: 0 Kb/s
Scan time: 00:00:00


[Scan path] C:\WINDOWS\system32\smss.exe
[Scan path] C:\WINDOWS\system32\csrss.exe
[Scan path] C:\WINDOWS\system32\winlogon.exe
[Scan path] C:\WINDOWS\system32\services.exe
[Scan path] C:\WINDOWS\system32\lsass.exe
[Scan path] C:\WINDOWS\system32\svchost.exe
[Scan path] C:\WINDOWS\system32\spoolsv.exe
[Scan path] C:\WINDOWS\csasvc.exe
[Scan path] C:\Program Files\Symantec AntiVirus\SavRoam.exe
[Scan path] C:\WINDOWS\system32\wdfmgr.exe
[Scan path] C:\WINDOWS\system32\alg.exe
[Scan path] C:\WINDOWS\explorer.exe
[Scan path] C:\WINDOWS\system32\ctfmon.exe
[Scan path] C:\WINDOWS\SOUNDMAN.EXE
[Scan path] C:\WINDOWS\system32\carpserv.exe
[Scan path] C:\PROGRA~1\SYMANT~1\VPTray.exe
[Scan path] C:\WINDOWS\thiselt.exe
C:\WINDOWS\thiselt.exe infected with Trojan.Popuper - will be cured after reboot

[Scan path] C:\WINDOWS\system32\dwdsregt.exe
C:\WINDOWS\system32\dwdsregt.exe is adware program Adware.ZenoSearch

[Scan path] C:\WINDOWS\system32\mptft.exe
[Scan path] C:\WINDOWS\system32\ssn6tuu.exe
>C:\WINDOWS\system32\ssn6tuu.exe\data001 is adware program Adware.Yavak
>C:\WINDOWS\system32\ssn6tuu.exe\data002 is adware program Adware.Yavak
C:\WINDOWS\system32\ssn6tuu.exe - archive contains infected objects - will be moved after reboot

[Scan path] C:\WINDOWS\system32\tfthot.exe
[Scan path] C:\WINDOWS\system32\nr1rnqm8.exe
[Scan path] C:\WINDOWS\system32\pwintqez.exe
C:\WINDOWS\system32\pwintqez.exe is adware program Adware.ZenoSearch

[Scan path] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\_start.exe
[Scan path] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX0\cureit.exe
[Scan path] C:\WINDOWS\System32\NeroCheck.exe
[Scan path] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
[Scan path] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
[Scan path] C:\Program Files\QuickTime\qttask.exe
[Scan path] C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[Scan path] C:\Program Files\ipwins\ipwins.exe
[Scan path] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
[Scan path] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
[Scan path] C:\DOCUME~1\STATIO~1.BKM\APPLIC~1\STEM~1\RVICES~1.EXE
C:\DOCUME~1\STATIO~1.BKM\APPLIC~1\STEM~1\RVICES~1.EXE is adware program Adware.ClickSpring

[Scan path] C:\Program Files\TClock\tclock_install.exe
[Scan path] C:\Program Files\Windows\WinUpdate.exe
[Scan path] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
[Scan path] C:\Documents and Settings\station15.BKM\Start Menu\Programs\Startup\desktop.ini
[Scan path] C:\WINDOWS\system32\psdsregm.exe
C:\WINDOWS\system32\psdsregm.exe is adware program Adware.ZenoSearch

[Scan path] C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
[Scan path] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
[Scan path] C:\WINDOWS\system32\mmsys.cpl
[Scan path] C:\WINDOWS\system32\icmui.dll
[Scan path] C:\WINDOWS\system32\rshx32.dll
[Scan path] C:\WINDOWS\system32\docprop.dll
[Scan path] C:\WINDOWS\system32\ntshrui.dll
[Scan path] C:\WINDOWS\System32\themeui.dll
[Scan path] C:\WINDOWS\system32\deskadp.dll
[Scan path] C:\WINDOWS\system32\deskmon.dll
[Scan path] C:\WINDOWS\system32\dssec.dll
[Scan path] C:\WINDOWS\system32\SlayerXP.dll
[Scan path] C:\WINDOWS\system32\shscrap.dll
[Scan path] C:\WINDOWS\system32\diskcopy.dll
[Scan path] C:\WINDOWS\system32\ntlanui2.dll
[Scan path] C:\WINDOWS\system32\printui.dll
[Scan path] C:\WINDOWS\system32\dskquoui.dll
[Scan path] C:\WINDOWS\system32\syncui.dll
[Scan path] C:\WINDOWS\System32\hticons.dll
[Scan path] C:\WINDOWS\system32\fontext.dll
[Scan path] C:\WINDOWS\system32\deskperf.dll
[Scan path] C:\WINDOWS\system32\cryptext.dll
[Scan path] C:\WINDOWS\system32\NETSHELL.dll
[Scan path] C:\WINDOWS\system32\wiashext.dll
[Scan path] C:\WINDOWS\System32\remotepg.dll
[Scan path] C:\WINDOWS\System32\wshext.dll
[Scan path] C:\Program Files\Common Files\System\OLE DB\oledb32.dll
[Scan path] C:\WINDOWS\System32\mstask.dll
[Scan path] C:\WINDOWS\system32\shdocvw.dll
[Scan path] C:\WINDOWS\System32\shmedia.dll
[Scan path] C:\WINDOWS\System32\browseui.dll
[Scan path] C:\WINDOWS\System32\sendmail.dll
[Scan path] C:\WINDOWS\System32\occache.dll
[Scan path] C:\WINDOWS\System32\webcheck.dll
[Scan path] C:\WINDOWS\System32\appwiz.cpl
[Scan path] C:\WINDOWS\system32\shimgvw.dll
[Scan path] C:\WINDOWS\System32\netplwiz.dll
[Scan path] C:\WINDOWS\System32\zipfldr.dll
[Scan path] C:\WINDOWS\System32\cdfview.dll
[Scan path] C:\WINDOWS\System32\msieftp.dll
[Scan path] C:\WINDOWS\System32\docprop2.dll
[Scan path] C:\WINDOWS\System32\dsquery.dll
[Scan path] C:\WINDOWS\System32\dsuiext.dll
[Scan path] C:\WINDOWS\System32\mydocs.dll
[Scan path] C:\WINDOWS\System32\cscui.dll
[Scan path] C:\WINDOWS\msagent\AgentPsh.dll
[Scan path] C:\WINDOWS\System32\dfsshlex.dll
[Scan path] C:\WINDOWS\System32\photowiz.dll
[Scan path] C:\WINDOWS\System32\mmcshext.dll
[Scan path] C:\WINDOWS\system32\cabview.dll
[Scan path] C:\Program Files\Outlook Express\wabfind.dll
[Scan path] C:\WINDOWS\system32\wmpshell.dll
[Scan path] C:\WINDOWS\system32\mscoree.dll
[Scan path] C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
[Scan path] C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
[Scan path] C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
[Scan path] C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
[Scan path] C:\WINDOWS\system32\wuaucpl.cpl
[Scan path] C:\Program Files\Real\RealPlayer\rpshell.dll
[Scan path] C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
[Scan path] C:\WINDOWS\System32\twext.dll
[Scan path] C:\WINDOWS\System32\extmgr.dll
[Scan path] C:\WINDOWS\system32\Audiodev.dll
[Scan path] C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
[Scan path] C:\Program Files\Grisoft\AVG Free\avgse.dll
[Scan path] C:\WINDOWS\system32\nodeipproc.dll
[Scan path] C:\PROGRA~1\SPYBOT~1\SDHelper.dll
[Scan path] C:\WINDOWS\system32\x3cqp0.dll
C:\WINDOWS\system32\x3cqp0.dll is adware program Adware.Yavak

[Scan path] C:\WINDOWS\system32\adrotate.dll
>C:\WINDOWS\system32\adrotate.dll is adware program Adware.Trafgen

[Scan path] C:\WINDOWS\system32\SHELL32.dll
[Scan path] C:\WINDOWS\System32\stobject.dll
[Scan path] C:\WINDOWS\system32\csrss.dll
C:\WINDOWS\system32\csrss.dll is adware program Adware.ClickSpring

[Scan path] C:\WINDOWS\System32\DRIVERS\ACPI.sys
[Scan path] C:\WINDOWS\system32\drivers\aec.sys
[Scan path] C:\WINDOWS\System32\drivers\afd.sys
[Scan path] C:\WINDOWS\system32\drivers\ALCXSENS.SYS
[Scan path] C:\WINDOWS\system32\drivers\ALCXWDM.SYS
[Scan path] C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\asyncmac.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\atapi.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\atmarpc.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\audstub.sys
[Scan path] C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
[Scan path] C:\WINDOWS\System32\Drivers\avg7core.sys
[Scan path] C:\WINDOWS\System32\Drivers\avg7rsw.sys
[Scan path] C:\WINDOWS\System32\Drivers\avg7rsxp.sys
[Scan path] C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
[Scan path] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
[Scan path] C:\WINDOWS\System32\Drivers\avgtdi.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\HSF_BSC2.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
[Scan path] C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
[Scan path] C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
[Scan path] C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\cdrom.sys
[Scan path] C:\WINDOWS\System32\cisvc.exe
[Scan path] C:\WINDOWS\system32\clipsrv.exe
[Scan path] C:\WINDOWS\System32\dllhost.exe
[Scan path] C:\Program Files\Symantec AntiVirus\DefWatch.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\disk.sys
[Scan path] C:\WINDOWS\System32\dmadmin.exe
[Scan path] C:\WINDOWS\System32\drivers\dmboot.sys
[Scan path] C:\WINDOWS\System32\drivers\dmio.sys
[Scan path] C:\WINDOWS\System32\drivers\dmload.sys
[Scan path] C:\WINDOWS\system32\drivers\DMusic.sys
[Scan path] C:\WINDOWS\system32\drivers\drmkaud.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\HSF_FALL.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\fdc.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\flpydisk.sys
[Scan path] C:\WINDOWS\system32\drivers\fltmgr.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\HSF_FSKS.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\ftdisk.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\gameenum.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\msgpc.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\HSF_DP.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\HSF_MSFT.sys
[Scan path] C:\WINDOWS\System32\Drivers\HTTP.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\i8042prt.sys
[Scan path] C:\WINDOWS\System32\Drivers\Icam5USB.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\imapi.sys
[Scan path] C:\WINDOWS\System32\imapi.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\intelppm.sys
[Scan path] C:\WINDOWS\system32\drivers\ip6fw.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\ipinip.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\ipnat.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\ipsec.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\irenum.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\isapnp.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\HSF_K56K.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\kbdclass.sys
[Scan path] C:\WINDOWS\system32\drivers\kmixer.sys
[Scan path] C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
[Scan path] C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys
[Scan path] C:\WINDOWS\System32\mnmsrvc.exe
[Scan path] C:\WINDOWS\system32\drivers\MODEMCSA.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\mouclass.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\mrxdav.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
[Scan path] C:\WINDOWS\System32\msdtc.exe
[Scan path] C:\WINDOWS\system32\msiexec.exe
[Scan path] C:\WINDOWS\system32\drivers\MSKSSRV.sys
[Scan path] C:\WINDOWS\system32\drivers\MSPCLOCK.sys
[Scan path] C:\WINDOWS\system32\drivers\MSPQM.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\mssmbios.sys
[Scan path] C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe
[Scan path] C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe
[Scan path] C:\WINDOWS\system32\drivers\MSTEE.sys
[Scan path] C:\WINDOWS\system32\drivers\msmpu401.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
[Scan path] C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060621.024\naveng.sys
[Scan path] C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060621.024\navex15.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\NdisIP.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\ndistapi.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\ndisuio.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\ndiswan.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\netbios.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\netbt.sys
[Scan path] C:\WINDOWS\system32\netdde.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\nwlnkflt.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\nwlnkfwd.sys
[Scan path] C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
[Scan path] C:\WINDOWS\System32\DRIVERS\parport.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\pci.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\pciide.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\raspptp.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\processr.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\psched.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\ptilink.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\PxHelp20.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\rasacd.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\raspppoe.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\raspti.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\rdbss.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\rdpdr.sys
[Scan path] C:\WINDOWS\system32\sessmgr.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\redbook.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\HSF_SAMP.sys
[Scan path] C:\WINDOWS\System32\locator.exe
[Scan path] C:\WINDOWS\System32\rsvp.exe
[Scan path] C:\Program Files\Symantec AntiVirus\savrt.sys
[Scan path] C:\Program Files\Symantec AntiVirus\Savrtpel.sys
[Scan path] C:\WINDOWS\System32\SCardSvr.exe
[Scan path] C:\WINDOWS\system32\drivers\scsiport.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\secdrv.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\serenum.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\serial.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\sisagp.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\sisnic.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\SLIP.sys
[Scan path] C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\HSF_FAXX.sys
[Scan path] C:\WINDOWS\system32\drivers\splitter.sys
[Scan path] C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE
[Scan path] C:\WINDOWS\System32\DRIVERS\sr.sys
[Scan path] C:\WINDOWS\system32\ZoneLabs\srescan.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\srv.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\strmdisp.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\StreamIP.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\swenum.sys
[Scan path] C:\WINDOWS\system32\drivers\swmidi.sys
[Scan path] C:\Program Files\Symantec AntiVirus\Rtvscan.exe
[Scan path] C:\Program Files\Symantec\SYMEVENT.SYS
[Scan path] C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
[Scan path] C:\WINDOWS\System32\Drivers\SYMTDI.SYS
[Scan path] C:\WINDOWS\system32\drivers\sysaudio.sys
[Scan path] C:\WINDOWS\system32\smlogsvc.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\tcpip.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\termdd.sys
[Scan path] C:\WINDOWS\System32\tlntsvr.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\HSF_TONE.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\update.sys
[Scan path] C:\WINDOWS\System32\ups.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\usbehci.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\usbhub.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\usbohci.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS
[Scan path] C:\WINDOWS\System32\DRIVERS\HSF_V124.sys
[Scan path] C:\WINDOWS\System32\drivers\vga.sys
[Scan path] C:\WINDOWS\System32\vsdatant.sys
[Scan path] C:\WINDOWS\system32\ZoneLabs\vsmon.exe
[Scan path] C:\WINDOWS\System32\vssvc.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\wanarp.sys
[Scan path] C:\WINDOWS\system32\drivers\wdmaud.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys
[Scan path] C:\WINDOWS\System32\wbem\wmiapsrv.exe
[Scan path] C:\WINDOWS\System32\drivers\ws2ifsl.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
[Scan path] C:\Documents and Settings\station15.BKM\Start Menu\Programs\Startup\Zeno.lnk
[Scan path] C:\Documents and Settings\station15.BKM\Start Menu\Programs\Startup\Z_Start.lnk
[Scan path] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

Scan statistics

Objects scanned: 278
Infected objects found: 1
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 9
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 0
Objects cured: 0
Objects deleted: 0
Objects renamed: 0
Objects moved: 1
Objects ignored: 0
Scan speed: 358 Kb/s
Scan time: 00:02:50


C:\WINDOWS\system32\dwdsregt.exe - incurable - will be moved after reboot
C:\WINDOWS\system32\pwintqez.exe - incurable - will be moved after reboot
C:\DOCUME~1\STATIO~1.BKM\APPLIC~1\STEM~1\RVICES~1.EXE - incurable - will be moved after reboot
C:\WINDOWS\system32\psdsregm.exe - incurable - moved
C:\WINDOWS\system32\x3cqp0.dll - incurable - will be moved after reboot
C:\WINDOWS\system32\adrotate.dll - incurable - will be moved after reboot
C:\WINDOWS\system32\csrss.dll - incurable - will be moved after reboot


Total session statistics

Objects scanned: 278
Infected objects found: 1
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 9
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 0
Objects cured: 0
Objects deleted: 0
Objects renamed: 0
Objects moved: 8
Objects ignored: 0
Scan speed: 358 Kb/s
Scan time: 00:02:50



Dr.Web® Scanner for Windows v4.33.2 (4.33.2.03283)
Copyright © Igor Daniloff, 1992-2006
Log generated on: 2006-06-22, 15:12:15 [100616A][Station15]
Command-line: "C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\cureit.exe" /lng /ini:cureit_XP.ini

Engine version: 4.33 (4.33.3.06020)
Engine API version: 2.01
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crwtoday.cdb - 600 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43340.cdb - 822 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43339.cdb - 1071 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43338.cdb - 989 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43337.cdb - 855 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43336.cdb - 1297 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43335.cdb - 1195 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43334.cdb - 900 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43333.cdb - 1381 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43332.cdb - 1340 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43331.cdb - 2735 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43330.cdb - 2078 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43329.cdb - 2490 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43328.cdb - 743 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43327.cdb - 958 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43326.cdb - 793 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43325.cdb - 713 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43324.cdb - 655 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43323.cdb - 655 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43322.cdb - 778 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43321.cdb - 846 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43320.cdb - 808 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43319.cdb - 764 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43318.cdb - 838 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43317.cdb - 363 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43316.cdb - 730 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43315.cdb - 627 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43314.cdb - 824 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43313.cdb - 842 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43312.cdb - 830 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43311.cdb - 862 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43310.cdb - 853 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43309.cdb - 733 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43308.cdb - 708 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43307.cdb - 839 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43306.cdb - 930 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43305.cdb - 759 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43304.cdb - 721 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43303.cdb - 638 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43302.cdb - 806 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43301.cdb - 504 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crw43300.cdb - 24 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crwebase.cdb - 78674 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\cwrtoday.cdb - 74 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\cwr43301.cdb - 697 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crwrisky.cdb - 1271 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\cwntoday.cdb - 70 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\cwn43303.cdb - 766 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\cwn43302.cdb - 850 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\cwn43301.cdb - 773 virus records
[Virus base] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\crwnasty.cdb - 4867 virus records
Total virus records: 126939
Key file: C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\cureit.key
License key number: 0000000010
Registered to: Dr.Web CureIt Project
License key activates: 2005-03-05
License key expires: 2007-03-05


Scan statistics

Objects scanned: 0
Infected objects found: 0
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 0
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 0
Objects cured: 0
Objects deleted: 0
Objects renamed: 0
Objects moved: 0
Objects ignored: 0
Scan speed: 0 Kb/s
Scan time: 00:00:00


[Scan path] C:\WINDOWS\system32\smss.exe
[Scan path] C:\WINDOWS\system32\csrss.exe
[Scan path] C:\WINDOWS\system32\winlogon.exe
[Scan path] C:\WINDOWS\system32\services.exe
[Scan path] C:\WINDOWS\system32\lsass.exe
[Scan path] C:\WINDOWS\system32\svchost.exe
[Scan path] C:\WINDOWS\system32\spoolsv.exe
[Scan path] C:\WINDOWS\explorer.exe
[Scan path] C:\WINDOWS\csasvc.exe
[Scan path] C:\Program Files\Symantec AntiVirus\SavRoam.exe
[Scan path] C:\WINDOWS\SOUNDMAN.EXE
[Scan path] C:\WINDOWS\system32\carpserv.exe
[Scan path] C:\WINDOWS\system32\wdfmgr.exe
[Scan path] C:\WINDOWS\system32\mptft.exe
[Scan path] C:\WINDOWS\system32\tfthot.exe
[Scan path] C:\WINDOWS\system32\ctfmon.exe
[Scan path] C:\WINDOWS\system32\alg.exe
[Scan path] C:\WINDOWS\system32\wuauclt.exe
[Scan path] C:\WINDOWS\System32\Wbem\wmiprvse.exe
[Scan path] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\_start.exe
[Scan path] C:\DOCUME~1\STATIO~1.BKM\LOCALS~1\Temp\RarSFX1\cureit.exe
[Scan path] C:\WINDOWS\System32\NeroCheck.exe
[Scan path] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
[Scan path] C:\PROGRA~1\SYMANT~1\VPTray.exe
[Scan path] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
[Scan path] C:\Program Files\QuickTime\qttask.exe
[Scan path] C:\Program Files\Common Files\Real\Update_OB\realsched.exe
[Scan path] C:\Program Files\ipwins\ipwins.exe
[Scan path] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
[Scan path] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
[Scan path] C:\Program Files\TClock\tclock_install.exe
[Scan path] C:\Program Files\Windows\WinUpdate.exe
[Scan path] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
[Scan path] C:\Documents and Settings\station15.BKM\Start Menu\Programs\Startup\desktop.ini
[Scan path] C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
[Scan path] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
[Scan path] C:\WINDOWS\system32\mmsys.cpl
[Scan path] C:\WINDOWS\system32\icmui.dll
[Scan path] C:\WINDOWS\system32\rshx32.dll
[Scan path] C:\WINDOWS\system32\docprop.dll
[Scan path] C:\WINDOWS\system32\ntshrui.dll
[Scan path] C:\WINDOWS\System32\themeui.dll
[Scan path] C:\WINDOWS\system32\deskadp.dll
[Scan path] C:\WINDOWS\system32\deskmon.dll
[Scan path] C:\WINDOWS\system32\dssec.dll
[Scan path] C:\WINDOWS\system32\SlayerXP.dll
[Scan path] C:\WINDOWS\system32\shscrap.dll
[Scan path] C:\WINDOWS\system32\diskcopy.dll
[Scan path] C:\WINDOWS\system32\ntlanui2.dll
[Scan path] C:\WINDOWS\system32\printui.dll
[Scan path] C:\WINDOWS\system32\dskquoui.dll
[Scan path] C:\WINDOWS\system32\syncui.dll
[Scan path] C:\WINDOWS\System32\hticons.dll
[Scan path] C:\WINDOWS\system32\fontext.dll
[Scan path] C:\WINDOWS\system32\deskperf.dll
[Scan path] C:\WINDOWS\system32\cryptext.dll
[Scan path] C:\WINDOWS\system32\NETSHELL.dll
[Scan path] C:\WINDOWS\system32\wiashext.dll
[Scan path] C:\WINDOWS\System32\remotepg.dll
[Scan path] C:\WINDOWS\System32\wshext.dll
[Scan path] C:\Program Files\Common Files\System\OLE DB\oledb32.dll
[Scan path] C:\WINDOWS\System32\mstask.dll
[Scan path] C:\WINDOWS\system32\shdocvw.dll
[Scan path] C:\WINDOWS\System32\shmedia.dll
[Scan path] C:\WINDOWS\System32\browseui.dll
[Scan path] C:\WINDOWS\System32\sendmail.dll
[Scan path] C:\WINDOWS\System32\occache.dll
[Scan path] C:\WINDOWS\System32\webcheck.dll
[Scan path] C:\WINDOWS\System32\appwiz.cpl
[Scan path] C:\WINDOWS\system32\shimgvw.dll
[Scan path] C:\WINDOWS\System32\netplwiz.dll
[Scan path] C:\WINDOWS\System32\zipfldr.dll
[Scan path] C:\WINDOWS\System32\cdfview.dll
[Scan path] C:\WINDOWS\System32\msieftp.dll
[Scan path] C:\WINDOWS\System32\docprop2.dll
[Scan path] C:\WINDOWS\System32\dsquery.dll
[Scan path] C:\WINDOWS\System32\dsuiext.dll
[Scan path] C:\WINDOWS\System32\mydocs.dll
[Scan path] C:\WINDOWS\System32\cscui.dll
[Scan path] C:\WINDOWS\msagent\AgentPsh.dll
[Scan path] C:\WINDOWS\System32\dfsshlex.dll
[Scan path] C:\WINDOWS\System32\photowiz.dll
[Scan path] C:\WINDOWS\System32\mmcshext.dll
[Scan path] C:\WINDOWS\system32\cabview.dll
[Scan path] C:\Program Files\Outlook Express\wabfind.dll
[Scan path] C:\WINDOWS\system32\wmpshell.dll
[Scan path] C:\WINDOWS\system32\mscoree.dll
[Scan path] C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
[Scan path] C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
[Scan path] C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
[Scan path] C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
[Scan path] C:\WINDOWS\system32\wuaucpl.cpl
[Scan path] C:\Program Files\Real\RealPlayer\rpshell.dll
[Scan path] C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll
[Scan path] C:\WINDOWS\System32\twext.dll
[Scan path] C:\WINDOWS\System32\extmgr.dll
[Scan path] C:\WINDOWS\system32\Audiodev.dll
[Scan path] C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
[Scan path] C:\Program Files\Grisoft\AVG Free\avgse.dll
[Scan path] C:\WINDOWS\system32\nodeipproc.dll
[Scan path] C:\PROGRA~1\SPYBOT~1\SDHelper.dll
[Scan path] C:\WINDOWS\system32\SHELL32.dll
[Scan path] C:\WINDOWS\System32\stobject.dll
[Scan path] C:\WINDOWS\System32\DRIVERS\ACPI.sys
[Scan path] C:\WINDOWS\system32\drivers\aec.sys
[Scan path] C:\WINDOWS\System32\drivers\afd.sys
[Scan path] C:\WINDOWS\system32\drivers\ALCXSENS.SYS
[Scan path] C:\WINDOWS\system32\drivers\ALCXWDM.SYS
[Scan path] C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\asyncmac.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\atapi.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\atmarpc.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\audstub.sys
[Scan path] C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
[Scan path] C:\WINDOWS\System32\Drivers\avg7core.sys
[Scan path] C:\WINDOWS\System32\Drivers\avg7rsw.sys
[Scan path] C:\WINDOWS\System32\Drivers\avg7rsxp.sys
[Scan path] C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
[Scan path] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
[Scan path] C:\WINDOWS\System32\Drivers\avgtdi.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\HSF_BSC2.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\CCDECODE.sys
[Scan path] C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
[Scan path] C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
[Scan path] C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\cdrom.sys
[Scan path] C:\WINDOWS\System32\cisvc.exe
[Scan path] C:\WINDOWS\system32\clipsrv.exe
[Scan path] C:\WINDOWS\System32\dllhost.exe
[Scan path] C:\Program Files\Symantec AntiVirus\DefWatch.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\disk.sys
[Scan path] C:\WINDOWS\System32\dmadmin.exe
[Scan path] C:\WINDOWS\System32\drivers\dmboot.sys
[Scan path] C:\WINDOWS\System32\drivers\dmio.sys
[Scan path] C:\WINDOWS\System32\drivers\dmload.sys
[Scan path] C:\WINDOWS\system32\drivers\DMusic.sys
[Scan path] C:\WINDOWS\system32\drivers\drmkaud.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\HSF_FALL.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\fdc.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\flpydisk.sys
[Scan path] C:\WINDOWS\system32\drivers\fltmgr.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\HSF_FSKS.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\ftdisk.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\gameenum.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\msgpc.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\HSFHWBS2.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\HSF_DP.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\HSF_MSFT.sys
[Scan path] C:\WINDOWS\System32\Drivers\HTTP.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\i8042prt.sys
[Scan path] C:\WINDOWS\System32\Drivers\Icam5USB.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\imapi.sys
[Scan path] C:\WINDOWS\System32\imapi.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\intelppm.sys
[Scan path] C:\WINDOWS\system32\drivers\ip6fw.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\ipfltdrv.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\ipinip.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\ipnat.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\ipsec.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\irenum.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\isapnp.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\HSF_K56K.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\kbdclass.sys
[Scan path] C:\WINDOWS\system32\drivers\kmixer.sys
[Scan path] C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
[Scan path] C:\WINDOWS\System32\DRIVERS\mdmxsdk.sys
[Scan path] C:\WINDOWS\System32\mnmsrvc.exe
[Scan path] C:\WINDOWS\system32\drivers\MODEMCSA.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\mouclass.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\mrxdav.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\mrxsmb.sys
[Scan path] C:\WINDOWS\System32\msdtc.exe
[Scan path] C:\WINDOWS\system32\msiexec.exe
[Scan path] C:\WINDOWS\system32\drivers\MSKSSRV.sys
[Scan path] C:\WINDOWS\system32\drivers\MSPCLOCK.sys
[Scan path] C:\WINDOWS\system32\drivers\MSPQM.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\mssmbios.sys
[Scan path] C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe
[Scan path] C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqladhlp.exe
[Scan path] C:\WINDOWS\system32\drivers\MSTEE.sys
[Scan path] C:\WINDOWS\system32\drivers\msmpu401.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\NABTSFEC.sys
[Scan path] C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060621.024\naveng.sys
[Scan path] C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20060621.024\navex15.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\NdisIP.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\ndistapi.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\ndisuio.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\ndiswan.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\netbios.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\netbt.sys
[Scan path] C:\WINDOWS\system32\netdde.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\nwlnkflt.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\nwlnkfwd.sys
[Scan path] C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
[Scan path] C:\WINDOWS\System32\DRIVERS\parport.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\pci.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\pciide.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\raspptp.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\processr.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\psched.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\ptilink.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\PxHelp20.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\rasacd.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\rasl2tp.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\raspppoe.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\raspti.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\rdbss.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\RDPCDD.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\rdpdr.sys
[Scan path] C:\WINDOWS\system32\sessmgr.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\redbook.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\HSF_SAMP.sys
[Scan path] C:\WINDOWS\System32\locator.exe
[Scan path] C:\WINDOWS\System32\rsvp.exe
[Scan path] C:\Program Files\Symantec AntiVirus\savrt.sys
[Scan path] C:\Program Files\Symantec AntiVirus\Savrtpel.sys
[Scan path] C:\WINDOWS\System32\SCardSvr.exe
[Scan path] C:\WINDOWS\system32\drivers\scsiport.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\secdrv.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\serenum.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\serial.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\sisagp.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\sisnic.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\SLIP.sys
[Scan path] C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\HSF_FAXX.sys
[Scan path] C:\WINDOWS\system32\drivers\splitter.sys
[Scan path] C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlagent.EXE
[Scan path] C:\WINDOWS\System32\DRIVERS\sr.sys
[Scan path] C:\WINDOWS\system32\ZoneLabs\srescan.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\srv.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\strmdisp.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\StreamIP.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\swenum.sys
[Scan path] C:\WINDOWS\system32\drivers\swmidi.sys
[Scan path] C:\Program Files\Symantec AntiVirus\Rtvscan.exe
[Scan path] C:\Program Files\Symantec\SYMEVENT.SYS
[Scan path] C:\WINDOWS\System32\Drivers\SYMREDRV.SYS
[Scan path] C:\WINDOWS\System32\Drivers\SYMTDI.SYS
[Scan path] C:\WINDOWS\system32\drivers\sysaudio.sys
[Scan path] C:\WINDOWS\system32\smlogsvc.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\tcpip.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\termdd.sys
[Scan path] C:\WINDOWS\System32\tlntsvr.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\HSF_TONE.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\update.sys
[Scan path] C:\WINDOWS\System32\ups.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\usbehci.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\usbhub.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\usbohci.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\USBSTOR.SYS
[Scan path] C:\WINDOWS\System32\DRIVERS\HSF_V124.sys
[Scan path] C:\WINDOWS\System32\drivers\vga.sys
[Scan path] C:\WINDOWS\System32\vsdatant.sys
[Scan path] C:\WINDOWS\system32\ZoneLabs\vsmon.exe
[Scan path] C:\WINDOWS\System32\vssvc.exe
[Scan path] C:\WINDOWS\System32\DRIVERS\wanarp.sys
[Scan path] C:\WINDOWS\system32\drivers\wdmaud.sys
[Scan path] C:\WINDOWS\System32\DRIVERS\HSF_CNXT.sys
[Scan path] C:\WINDOWS\System32\wbem\wmiapsrv.exe
[Scan path] C:\WINDOWS\System32\drivers\ws2ifsl.sys
[Scan path] C:\WINDOWS\system32\DRIVERS\WSTCODEC.SYS
[Scan path] C:\Documents and Settings\station15.BKM\Start Menu\Programs\Startup\Zeno.lnk
[Scan path] C:\Documents and Settings\station15.BKM\Start Menu\Programs\Startup\Z_Start.lnk
[Scan path] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk

Scan statistics

Objects scanned: 269
Infected objects found: 0
Objects with modifications found: 0
Suspicious objects found: 0
Adware programs found: 0
Dialer programs found: 0
Joke programs found: 0
Riskware programs found: 0
Hacktool programs found: 0
Objects cured: 0
Objects deleted: 0
Objects renamed: 0
Objects moved: 0
Objects ignored: 0
Scan speed: 907 Kb/s
Scan time: 00:01:06


Start Time= 06/22/06 14:23:57.48
Running from: C:\DOCUME~1\STATIO~1.BKM\DESKTOP\COMBOFIX.EXE

(((((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))

14:35:16.34

Not all files found by this method are bad. There may be legitimate files found
This log should be examined by a trained analyst


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *




* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-06-08 19:03:32 45,056 "C:\WINDOWS\system32\tfthot.exe"
2006-06-01 15:37:32 143,360 "C:\WINDOWS\system32\mptft.exe"
2006-06-13 08:22:12 2 "C:\WINDOWS\system32\wtstr.exe"
2006-03-23 15:32:42 3,053,568 "C:\WINDOWS\system32\mshtml.dll"
2006-06-11 13:41:18 83,960 "C:\WINDOWS\system32\vsdata.dll"
2006-06-11 13:41:18 157,688 "C:\WINDOWS\system32\vsinit.dll"
2006-06-11 13:41:22 440,312 "C:\WINDOWS\system32\vsutil.dll"
2006-06-08 19:03:44 217,088 "C:\WINDOWS\system32\x3cqp0.dll"
2006-06-11 13:41:24 83,960 "C:\WINDOWS\system32\zlcomm.dll"
2006-06-08 19:03:44 28,672 "C:\WINDOWS\system32\gbe90qs.exe"
2006-06-01 16:50:04 1,159,168 "C:\WINDOWS\system32\ssn6tuu.exe"
2006-05-23 17:25:52 285,488 "C:\WINDOWS\system32\WgaTray.exe"
2006-05-18 12:53:46 24,576 "C:\WINDOWS\system32\msxml3a.dll"
2006-03-30 04:16:04 1,492,480 "C:\WINDOWS\system32\shdocvw.dll"
2006-06-08 19:04:12 8,464 "C:\WINDOWS\system32\sporder.dll"
2006-06-02 00:39:40 81,920 "C:\WINDOWS\system32\csrss.dll"
2006-04-22 06:42:44 176,167 "C:\WINDOWS\system32\rmocx.dll"
2006-04-03 11:40:10 14,048 "C:\WINDOWS\system32\spmsg.dll"
2006-06-11 13:41:22 59,384 "C:\WINDOWS\system32\vswmi.dll"
2006-06-11 13:41:24 100,344 "C:\WINDOWS\system32\vsxml.dll"
2006-06-12 10:25:20 432 "C:\WINDOWS\jbtci.dll"
2006-06-12 08:41:28 53 "C:\WINDOWS\nqccbq.dat"


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06/12/06 08:41 AM 53 nqccbq.dat.vir


DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-06-08 19:03:44 28,672 "C:\WINDOWS\system32\gbe90qs.exe"
2006-06-01 16:50:04 1,159,168 "C:\WINDOWS\system32\ssn6tuu.exe"
2006-05-23 17:25:52 285,488 "C:\WINDOWS\system32\WgaTray.exe"
2006-06-08 19:03:32 45,056 "C:\WINDOWS\system32\tfthot.exe"
2006-06-01 15:37:32 143,360 "C:\WINDOWS\system32\mptft.exe"
2006-06-13 08:22:12 2 "C:\WINDOWS\system32\wtstr.exe"
2006-05-18 12:53:46 24,576 "C:\WINDOWS\system32\msxml3a.dll"
2006-03-30 04:16:04 1,492,480 "C:\WINDOWS\system32\shdocvw.dll"
2006-06-08 19:04:12 8,464 "C:\WINDOWS\system32\sporder.dll"
2006-03-23 15:32:42 3,053,568 "C:\WINDOWS\system32\mshtml.dll"
2006-06-11 13:41:18 83,960 "C:\WINDOWS\system32\vsdata.dll"
2006-06-11 13:41:18 157,688 "C:\WINDOWS\system32\vsinit.dll"
2006-06-11 13:41:22 440,312 "C:\WINDOWS\system32\vsutil.dll"
2006-06-08 19:03:44 217,088 "C:\WINDOWS\system32\x3cqp0.dll"
2006-06-11 13:41:24 83,960 "C:\WINDOWS\system32\zlcomm.dll"
2006-06-02 00:39:40 81,920 "C:\WINDOWS\system32\csrss.dll"
2006-04-22 06:42:44 176,167 "C:\WINDOWS\system32\rmocx.dll"
2006-04-03 11:40:10 14,048 "C:\WINDOWS\system32\spmsg.dll"
2006-06-11 13:41:22 59,384 "C:\WINDOWS\system32\vswmi.dll"
2006-06-11 13:41:24 100,344 "C:\WINDOWS\system32\vsxml.dll"
2006-06-12 10:25:20 432 "C:\WINDOWS\jbtci.dll"


((((((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\keyboard1.dat
C:\Program Files\Common Files\misc001
C:\Program Files\Common Files\simtest
C:\Program Files\Common Files\svchostsys
C:\Documents and Settings\LocalService\Application Data\NetMon


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


#4 Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 22 June 2006 - 04:02 PM

Please paste your Combofix log fully, it got cut off :thumbsup:

Go ahead and remove Dr. Web CureIT.
Hi there, stranger!

#5 NicholFanning

  • Topic Starter
  • Members
  • 7 posts

Posted 26 June 2006 - 09:03 AM

Start Time= 06/22/06 14:23:57.48
Running from: C:\DOCUME~1\STATIO~1.BKM\DESKTOP\COMBOFIX.EXE

(((((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))

14:35:16.34

Not all files found by this method are bad. There may be legitimate files found
This log should be examined by a trained analyst


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *




* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-06-08 19:03:32 45,056 "C:\WINDOWS\system32\tfthot.exe"
2006-06-01 15:37:32 143,360 "C:\WINDOWS\system32\mptft.exe"
2006-06-13 08:22:12 2 "C:\WINDOWS\system32\wtstr.exe"
2006-03-23 15:32:42 3,053,568 "C:\WINDOWS\system32\mshtml.dll"
2006-06-11 13:41:18 83,960 "C:\WINDOWS\system32\vsdata.dll"
2006-06-11 13:41:18 157,688 "C:\WINDOWS\system32\vsinit.dll"
2006-06-11 13:41:22 440,312 "C:\WINDOWS\system32\vsutil.dll"
2006-06-08 19:03:44 217,088 "C:\WINDOWS\system32\x3cqp0.dll"
2006-06-11 13:41:24 83,960 "C:\WINDOWS\system32\zlcomm.dll"
2006-06-08 19:03:44 28,672 "C:\WINDOWS\system32\gbe90qs.exe"
2006-06-01 16:50:04 1,159,168 "C:\WINDOWS\system32\ssn6tuu.exe"
2006-05-23 17:25:52 285,488 "C:\WINDOWS\system32\WgaTray.exe"
2006-05-18 12:53:46 24,576 "C:\WINDOWS\system32\msxml3a.dll"
2006-03-30 04:16:04 1,492,480 "C:\WINDOWS\system32\shdocvw.dll"
2006-06-08 19:04:12 8,464 "C:\WINDOWS\system32\sporder.dll"
2006-06-02 00:39:40 81,920 "C:\WINDOWS\system32\csrss.dll"
2006-04-22 06:42:44 176,167 "C:\WINDOWS\system32\rmocx.dll"
2006-04-03 11:40:10 14,048 "C:\WINDOWS\system32\spmsg.dll"
2006-06-11 13:41:22 59,384 "C:\WINDOWS\system32\vswmi.dll"
2006-06-11 13:41:24 100,344 "C:\WINDOWS\system32\vsxml.dll"
2006-06-12 10:25:20 432 "C:\WINDOWS\jbtci.dll"
2006-06-12 08:41:28 53 "C:\WINDOWS\nqccbq.dat"


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06/12/06 08:41 AM 53 nqccbq.dat.vir


DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-06-08 19:03:44 28,672 "C:\WINDOWS\system32\gbe90qs.exe"
2006-06-01 16:50:04 1,159,168 "C:\WINDOWS\system32\ssn6tuu.exe"
2006-05-23 17:25:52 285,488 "C:\WINDOWS\system32\WgaTray.exe"
2006-06-08 19:03:32 45,056 "C:\WINDOWS\system32\tfthot.exe"
2006-06-01 15:37:32 143,360 "C:\WINDOWS\system32\mptft.exe"
2006-06-13 08:22:12 2 "C:\WINDOWS\system32\wtstr.exe"
2006-05-18 12:53:46 24,576 "C:\WINDOWS\system32\msxml3a.dll"
2006-03-30 04:16:04 1,492,480 "C:\WINDOWS\system32\shdocvw.dll"
2006-06-08 19:04:12 8,464 "C:\WINDOWS\system32\sporder.dll"
2006-03-23 15:32:42 3,053,568 "C:\WINDOWS\system32\mshtml.dll"
2006-06-11 13:41:18 83,960 "C:\WINDOWS\system32\vsdata.dll"
2006-06-11 13:41:18 157,688 "C:\WINDOWS\system32\vsinit.dll"
2006-06-11 13:41:22 440,312 "C:\WINDOWS\system32\vsutil.dll"
2006-06-08 19:03:44 217,088 "C:\WINDOWS\system32\x3cqp0.dll"
2006-06-11 13:41:24 83,960 "C:\WINDOWS\system32\zlcomm.dll"
2006-06-02 00:39:40 81,920 "C:\WINDOWS\system32\csrss.dll"
2006-04-22 06:42:44 176,167 "C:\WINDOWS\system32\rmocx.dll"
2006-04-03 11:40:10 14,048 "C:\WINDOWS\system32\spmsg.dll"
2006-06-11 13:41:22 59,384 "C:\WINDOWS\system32\vswmi.dll"
2006-06-11 13:41:24 100,344 "C:\WINDOWS\system32\vsxml.dll"
2006-06-12 10:25:20 432 "C:\WINDOWS\jbtci.dll"


((((((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\keyboard1.dat
C:\Program Files\Common Files\misc001
C:\Program Files\Common Files\simtest
C:\Program Files\Common Files\svchostsys
C:\Documents and Settings\LocalService\Application Data\NetMon


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-06-22 08:39:32 24576 ( A.... ) "C:\WINDOWS\system32\ssec.exe"
2006-06-20 09:55:24 389120 ( A.... ) "C:\WINDOWS\system32\nodeipproc.dll"
2006-06-19 22:08:42 0 ( A.... ) "C:\Documents and Settings\station15.BKM\Application Data\internaldb41.dat"
2006-06-19 21:09:36 32976 ( A.... ) "C:\WINDOWS\system32\uninstIcn.exe"
2006-06-19 08:40:10 ( .D... ) "C:\Program Files\elticons"
2006-06-19 08:40:08 129649 ( A.... ) "C:\WINDOWS\elpp100drop.exe"
2006-06-15 14:34:28 ( .D... ) "C:\Program Files\HijackThis"
2006-06-15 13:15:20 ( .D... ) "C:\Program Files\Zone Labs"
2006-06-13 17:06:18 45103 ( A.... ) "C:\WINDOWS\system32\dwdsregt.exe"
2006-06-13 08:22:12 2 ( A.... ) "C:\WINDOWS\system32\wtstr.exe"
2006-06-13 08:22:02 ( .D... ) "C:\Documents and Settings\station15.BKM\Application Data\W?nSxS"
2006-06-12 10:36:24 ( .D... ) "C:\Documents and Settings\station15.BKM\Application Data\AVG7"
2006-06-12 10:35:02 ( .D... ) "C:\Program Files\Grisoft"
2006-06-12 10:25:20 432 ( A.... ) "C:\WINDOWS\jbtci.dll"
2006-06-12 10:06:20 24296 ( A.... ) "C:\WINDOWS\icont.exe"
2006-06-12 09:32:38 ( .D... ) "C:\Program Files\ipwins"
2006-06-12 09:13:52 1392640 ( A.... ) "C:\WINDOWS\cfg32a.exe"
2006-06-12 09:12:18 397312 ( A.... ) "C:\WINDOWS\cfg32p.dll"
2006-06-11 13:42:04 394904 ( A.... ) "C:\WINDOWS\system32\vsdatant.sys"
2006-06-11 13:42:04 394904 ( A.... ) "C:\WINDOWS\system32\vsdatant.sys"
2006-06-11 13:41:24 100344 ( A.... ) "C:\WINDOWS\system32\vsxml.dll"
2006-06-11 13:41:24 83960 ( A.... ) "C:\WINDOWS\system32\zlcomm.dll"
2006-06-11 13:41:24 71672 ( A.... ) "C:\WINDOWS\system32\zlcommdb.dll"
2006-06-11 13:41:22 440312 ( A.... ) "C:\WINDOWS\system32\vsutil.dll"
2006-06-11 13:41:22 59384 ( A.... ) "C:\WINDOWS\system32\vswmi.dll"
2006-06-11 13:41:20 268280 ( A.... ) "C:\WINDOWS\system32\vspubapi.dll"
2006-06-11 13:41:20 71672 ( A.... ) "C:\WINDOWS\system32\vsregexp.dll"
2006-06-11 13:41:18 157688 ( A.... ) "C:\WINDOWS\system32\vsinit.dll"
2006-06-11 13:41:18 104440 ( A.... ) "C:\WINDOWS\system32\vsmonapi.dll"
2006-06-11 13:41:18 83960 ( A.... ) "C:\WINDOWS\system32\vsdata.dll"
2006-06-11 13:41:10 796584 ( A.... ) "C:\WINDOWS\system32\libeay32_0.9.6l.dll"
2006-06-09 17:05:06 ( .D... ) "C:\Program Files\TClock"
2006-06-09 08:58:58 32768 ( A.... ) "C:\WINDOWS\meheqjys.exe"
2006-06-09 08:38:58 ( .D... ) "C:\Program Files\PartyPoker"
2006-06-09 08:36:24 45082 ( A.... ) "C:\WINDOWS\system32\psdsregm.exe"
2006-06-09 08:30:30 159836 ( A.... ) "C:\WINDOWS\system32\pwintqez.exe"
2006-06-08 19:07:48 ( .D... ) "C:\Program Files\Windows"
2006-06-08 19:06:42 20480 ( A.... ) "C:\stub_sca3.exe"
2006-06-08 19:06:20 14257 ( A.... ) "C:\numbsoft.exe"
2006-06-08 19:04:12 36864 ( A.... ) "C:\WINDOWS\ieunst.exe"
2006-06-08 19:04:12 8464 ( A.... ) "C:\WINDOWS\system32\sporder.dll"
2006-06-08 19:04:12 ( .D... ) "C:\Program Files\Common Files\rmoi"
2006-06-08 19:03:44 217088 ( A.... ) "C:\WINDOWS\system32\x3cqp0.dll"
2006-06-08 19:03:44 28672 ( A.... ) "C:\WINDOWS\system32\gbe90qs.exe"
2006-06-08 19:03:42 45056 ( A.... ) "C:\WINDOWS\system32tfthot.exe"
2006-06-08 19:03:42 28672 ( A.... ) "C:\WINDOWS\system32ftuninst.exe"
2006-06-08 19:03:34 28672 ( A.... ) "C:\WINDOWS\system32\ftuninst.exe"
2006-06-08 19:03:32 45056 ( A.... ) "C:\WINDOWS\system32\tfthot.exe"
2006-06-08 19:03:00 266240 ( A.... ) "C:\NNSCAA638.EXE"
2006-06-08 19:02:14 463119 ( A.... ) "C:\visfx500.exe"
2006-06-08 19:01:48 45059 ( A.... ) "C:\ZIGID003.exe"
2006-06-08 19:01:46 ( .D... ) "C:\Program Files\??stem32"
2006-06-08 19:01:30 48188 ( A.... ) "C:\WINDOWS\vsl.exe"
2006-06-08 19:01:26 45058 ( A.... ) "C:\WINDOWS\zigi.exe"
2006-06-08 08:54:18 19456 ( A.... ) "C:\WINDOWS\sys01594694557-2006.exe"
2006-06-08 08:25:50 32540 ( A.... ) "C:\WINDOWS\system32\adrot-uninst.exe"
2006-06-06 10:03:38 60416 ( A.... ) "C:\WINDOWS\system32\adrotate.dll"
2006-06-05 09:51:14 ( .D... ) "C:\Program Files\unue"
2006-06-02 00:39:40 81920 ( A.... ) "C:\WINDOWS\system32\csrss.dll"
2006-06-01 16:50:04 1159168 ( A.... ) "C:\WINDOWS\system32\ssn6tuu.exe"
2006-06-01 16:49:52 36864 ( A.... ) "C:\WINDOWS\system32\nr1rnqm8.exe"
2006-06-01 15:37:32 143360 ( A.... ) "C:\WINDOWS\system32\mptft.exe"
2006-05-30 18:19:18 2088960 ( A.... ) "C:\WINDOWS\cfg32.exe"
2006-05-23 17:26:00 579888 ( A.... ) "C:\WINDOWS\system32\LegitCheckControl.dll"
2006-05-23 17:25:52 402736 ( A.... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-05-23 17:25:52 285488 ( ..... ) "C:\WINDOWS\system32\WgaTray.exe"
2006-05-19 13:52:26 790 ( A.... ) "C:\PPCleanDeleteAtReboot.bat"
2006-05-18 12:53:46 24576 ( ..... ) "C:\WINDOWS\system32\msxml3a.dll"
2006-05-18 12:51:02 ( .D... ) "C:\Documents and Settings\station15.BKM\Application Data\??stem"
2006-05-18 12:50:34 ( .D... ) "C:\Program Files\dola"
2006-05-18 12:50:22 234247 ( A.... ) "C:\WINDOWS\Taga96.exe"
2006-05-18 12:50:22 163963 ( A.... ) "C:\WINDOWS\system32\pwintqaf.exe"
2006-05-18 12:50:00 42784 ( A.... ) "C:\WINDOWS\thiselt.exe"
2006-05-18 12:49:58 114137 ( A.... ) "C:\WINDOWS\justin2a.exe"
2006-05-17 10:24:54 ( .D... ) "C:\Documents and Settings\station15.BKM\Application Data\ATX"
2006-05-03 23:26:22 5818784 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2006-04-27 10:08:26 ( .D... ) "C:\Program Files\Common Files\xing shared"
2006-04-27 10:08:12 176167 ( A.... ) "C:\WINDOWS\system32\rmoc3260.dll"
2006-04-27 10:07:58 6656 ( A.... ) "C:\WINDOWS\system32\pndx5016.dll"
2006-04-27 10:07:58 5632 ( A.... ) "C:\WINDOWS\system32\pndx5032.dll"
2006-04-22 06:42:44 176167 ( A.... ) "C:\WINDOWS\system32\rmocx.dll"
2006-04-03 11:40:10 14048 ( ..... ) "C:\WINDOWS\system32\spmsg.dll"
2006-03-30 04:16:04 1492480 ( A.... ) "C:\WINDOWS\system32\shdocvw.dll"
2006-03-29 20:00:14 16384 ( A.... ) "C:\WINDOWS\system32\xpsp3res.dll"
2006-03-23 15:32:42 3053568 ( A.... ) "C:\WINDOWS\system32\mshtml.dll"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SiS Tray"=""
"NeroCheck"="C:\\WINDOWS\\System32\\\\NeroCheck.exe"
"SoundMan"="SOUNDMAN.EXE"
"CARPService"="carpserv.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"pdfFactory Dispatcher v2"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\fppdis2a.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"pop06apelt"="C:\\WINDOWS\\thiselt.exe"
"{DA-AE-E6-63-ZN}"="C:\\windows\\system32\\dwdsregt.exe FI002"
"win32097-59469455"="C:\\WINDOWS\\win32097-59469455.exe"
"ftexc"="C:\\WINDOWS\\system32\\mptft.exe"
"Hhl7RfpJ"="\"C:\\WINDOWS\\system32\\ssn6tuu.exe\""
"IpWins"="C:\\Program Files\\ipwins\\ipwins.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"webHancer Survey Companion"="C:\\Program Files\\webHancer\\Programs\\whsurvey.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"adstart"="iexplore.exe http://iesettingsupdate"
"BrowserUpdateSched"="C:\\WINDOWS\\system32\\pwintqez.exe FI002"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Hart"="\"C:\\PROGRA~1\\STEM32~1\\wuauboot.exe\" -vt yazr"
"Flbc"="C:\\DOCUME~1\\STATIO~1.BKM\\APPLIC~1\\STEM~1\\RVICES~1.EXE"
"sys_up1"="C:\\Program Files\\Common Files\\svchostsys\\svchostsys.exe"
"TClock.exe"="C:\\Program Files\\TClock\\tclock_install.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"WinUpdate.exe"="C:\\Program Files\\Windows\\WinUpdate.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\MSN Gaming Zone\\kyfefyxet.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Common Files\\hocyc.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,de,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Hart"="\"C:\\DOCUME~1\\STATIO~1.BKM\\MYDOCU~1\\MANTEC~1\\wuauboot.exe\" -vt ndrv"
@="C:\\DOCUME~1\\STATIO~1.BKM\\APPLIC~1\\STEM~1\\RVICES~1.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Hart"="\"C:\\DOCUME~1\\STATIO~1.BKM\\MYDOCU~1\\MANTEC~1\\wuauboot.exe\" -vt ndrv"
@="C:\\DOCUME~1\\STATIO~1.BKM\\APPLIC~1\\STEM~1\\RVICES~1.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Service Manager.norun]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Service Manager.norun"
"backup"="C:\\WINDOWS\\pss\\Service Manager.norunCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Service Manager.norun"
"item"="Service Manager"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^station15.BKM^Start Menu^Programs^Startup^radio@netscape.lnk]
"path"="C:\\Documents and Settings\\station15.BKM\\Start Menu\\Programs\\Startup\\radio@netscape.lnk"
"backup"="C:\\WINDOWS\\pss\\radio@netscape.lnkStartup"
"location"="Startup"
"command"="C:\\Program Files\\Radio@Netscape Plus\\Program\\radio@netscape.exe "
"item"="radio@netscape"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ssate.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="irun4"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\irun4.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ViewMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cdaEngine0400"
"hkey"="HKLM"
"command"="RUNDLL32.exe \"C:\\Program Files\\WildTangent\\Apps\\CDA\\cdaEngine0400.dll\",cdaEngineMain"
"inimapping"="0"


Contents of the 'Scheduled Tasks' folder

Completion time: 06/22/06 14:49:05.82
ComboFix ver 06.06.22.2 - This logfile is located at C:\ComboFix.txt


#6 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender: Male
  • Location: Finland

Posted 26 June 2006 - 10:57 AM

Alright, let's continue :thumbsup:

==

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download and run this uninstaller:

http://www.outerinfo.com/OiUninstaller.exe

==

Next, please download Ewido Anti-spyware and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need to run Ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-select "Only if threats were found"
Close Ewido Anti-spyware, DO NOT run a scan just yet, we will shortly.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
  • IMPORTANT: Do not open any other windows or programs while Ewido is scanning, it may interfere with the scanning process:
  • Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • Ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close Ewido and reboot your system back into Normal Mode and post back with the Ewido results as well as a fresh HijackThis log. :flowers:

Hi there, stranger!

#7 NicholFanning

NicholFanning
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:25 PM

Posted 26 June 2006 - 01:03 PM

my safe mode is passworded

#8 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:05:25 AM

Posted 26 June 2006 - 01:18 PM

Is this your PC and are you the administrator?

If it is a password you have set up, then you should just know it, but if it's not, try just clicking OK (it might be an empty password). :thumbsup:
Hi there, stranger!

#9 NicholFanning

NicholFanning
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:25 PM

Posted 27 June 2006 - 11:19 AM

hijack this:

Logfile of HijackThis v1.99.1
Scan saved at 11:12:13 AM, on 06/27/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\csasvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TClock\TClock.exe
C:\WINDOWS\system32\ntvdm.exe
C:\Program Files\Microsoft SQL Server\MSSQL$LACERTEDB\Binn\sqlservr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\ATX\2005\ATXBKPScheduler05.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
O2 - BHO: (no name) - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - (no file)
O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\system32\nodeipproc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yvakt Class - {5C3E6596-C64F-48E0-AC1E-B9C6EB3A5915} - C:\WINDOWS\system32\x3cqp0.dll (file missing)
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\system32\adrotate.dll (file missing)
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [{DA-AE-E6-63-ZN}] C:\windows\system32\dwdsregt.exe FI002
O4 - HKLM\..\Run: [win32097-59469455] C:\WINDOWS\win32097-59469455.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\pwintqez.exe FI002
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\system32\ssn6tuu.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZC
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D92D7607-05D9-4DD8-B68B-D458948FB883} (QuickBooks Online Edition Utilities Class v7) - https://accounting.quickbooks.com/v11.263/qboax7.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bkm.local
O17 - HKLM\Software\..\Telephony: DomainName = bkm.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bkm.local
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINDOWS\system32\x3cqp0.dll
O20 - AppInit_DLLs: csrss.dll C:\WINDOWS\system32\csrss.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Solutions Accounting Print Service (CSAPrintService) - Creative Solutions - C:\WINDOWS\csasvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

Ewido Report:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:10:23 AM 06/27/06

+ Scan result:



C:\System Volume Information\_restore{93804692-D8FB-4069-A3C2-9DD38C72D088}\RP5\A0009896.exe -> Adware.AdURL : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93804692-D8FB-4069-A3C2-9DD38C72D088}\RP5\A0009889.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93804692-D8FB-4069-A3C2-9DD38C72D088}\RP5\A0009890.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93804692-D8FB-4069-A3C2-9DD38C72D088}\RP5\A0009891.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93804692-D8FB-4069-A3C2-9DD38C72D088}\RP5\A0009892.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93804692-D8FB-4069-A3C2-9DD38C72D088}\RP5\A0009897.exe -> Adware.IEPlug : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93804692-D8FB-4069-A3C2-9DD38C72D088}\RP5\A0009894.exe -> Adware.Mirar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93804692-D8FB-4069-A3C2-9DD38C72D088}\RP5\A0009887.EXE -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93804692-D8FB-4069-A3C2-9DD38C72D088}\RP5\A0009888.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93804692-D8FB-4069-A3C2-9DD38C72D088}\RP5\A0009874.EXE -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93804692-D8FB-4069-A3C2-9DD38C72D088}\RP5\A0009875.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93804692-D8FB-4069-A3C2-9DD38C72D088}\RP5\A0009893.exe -> Adware.SearchAssistant : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93804692-D8FB-4069-A3C2-9DD38C72D088}\RP5\A0009883.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93804692-D8FB-4069-A3C2-9DD38C72D088}\RP5\A0009884.dll -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93804692-D8FB-4069-A3C2-9DD38C72D088}\RP5\A0009885.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93804692-D8FB-4069-A3C2-9DD38C72D088}\RP5\A0009886.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93804692-D8FB-4069-A3C2-9DD38C72D088}\RP5\A0009895.exe -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93804692-D8FB-4069-A3C2-9DD38C72D088}\RP5\A0009876.dll -> Adware.Trafgen : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93804692-D8FB-4069-A3C2-9DD38C72D088}\RP5\A0009877.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93804692-D8FB-4069-A3C2-9DD38C72D088}\RP5\A0009878.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93804692-D8FB-4069-A3C2-9DD38C72D088}\RP5\A0009879.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93804692-D8FB-4069-A3C2-9DD38C72D088}\RP5\A0009880.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93804692-D8FB-4069-A3C2-9DD38C72D088}\RP5\A0009881.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93804692-D8FB-4069-A3C2-9DD38C72D088}\RP5\A0009882.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93804692-D8FB-4069-A3C2-9DD38C72D088}\RP5\A0009872.exe -> Dropper.Agent.hl : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{93804692-D8FB-4069-A3C2-9DD38C72D088}\RP5\A0009873.exe -> Trojan.Runner.h : Cleaned with backup (quarantined).


::Report end

#10 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:05:25 AM

Posted 28 June 2006 - 04:59 AM

Alright, go ahead and uninstall Ewido.. :thumbsup:

==

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download Brute Force Uninstaller to your desktop.
  • Right-click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

==

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


==

Once in Safe Mode, through Add/Remove programs, uninstall these entries if present:

webHancer
TClock


==

Next, please run a scan with HijackThis and check the following objects for removal if present:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
O2 - BHO: (no name) - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - (no file)
O2 - BHO: Oddbot - {2B896072-F6E3-4FF7-ADE6-43D5BEC6557C} - C:\WINDOWS\system32\nodeipproc.dll
O2 - BHO: Yvakt Class - {5C3E6596-C64F-48E0-AC1E-B9C6EB3A5915} - C:\WINDOWS\system32\x3cqp0.dll (file missing)
O2 - BHO: Banner Rotator - {D117A61F-92C3-4450-A0C8-F425B14D4127} - C:\WINDOWS\system32\adrotate.dll (file missing)
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O4 - HKLM\..\Run: [{DA-AE-E6-63-ZN}] C:\windows\system32\dwdsregt.exe FI002
O4 - HKLM\..\Run: [win32097-59469455] C:\WINDOWS\win32097-59469455.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\pwintqez.exe FI002
O4 - HKLM\..\Run: [Hhl7RfpJ] "C:\WINDOWS\system32\ssn6tuu.exe"
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINDOWS\system32\x3cqp0.dll
O20 - AppInit_DLLs: csrss.dll C:\WINDOWS\system32\csrss.dll


Now close ALL other open windows except for HijackThis and hit FIX CHECKED. You might get an error.. Please continue.

==

Then, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the Complete script execution box to pop up and hit OK.
  • Press Exit to terminate the BFU program.
Reboot into normal Windows and post a fresh HiJackThis log in your next reply.

Post the following also:

Download GMER:
  • Unzip it and double-click GMER.exe
  • Click the rootkit-tab and click scan.
  • Once done, click Copy.
  • This will copy the results to clipboard.
  • Paste the results in your next reply along with a fresh HijackThis log. :flowers:

Hi there, stranger!

#11 NicholFanning

NicholFanning
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:25 PM

Posted 28 June 2006 - 09:38 AM

Hijack this:

Logfile of HijackThis v1.99.1
Scan saved at 9:31:24 AM, on 06/28/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\csasvc.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\HijackThis\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [pdfFactory Dispatcher v2] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fppdis2a.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZC
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D92D7607-05D9-4DD8-B68B-D458948FB883} (QuickBooks Online Edition Utilities Class v7) - https://accounting.quickbooks.com/v11.263/qboax7.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bkm.local
O17 - HKLM\Software\..\Telephony: DomainName = bkm.local
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bkm.local
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Solutions Accounting Print Service (CSAPrintService) - Creative Solutions - C:\WINDOWS\csasvc.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

GMER:

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-06-28 09:30:21
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F8F76A80] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [F8F76A80] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F8F76A80] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F8F76A80] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [F8F76A80] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F8F76A80] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [F8F76A80] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F8F76A80] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F8F76A80] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F8F76A80] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F8F76A80] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSEIRP_MJ_READ [F8F76A80] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F8F76A80] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F8F76A80] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [F8F76A80] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F8F76A80] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSEIRP_MJ_READ [F8F76A80] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F8F76A80] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F8F76A80] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [F8F76A80] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F8F76A80] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSEIRP_MJ_READ [F8F76A80] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F8F76A80] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [F8F76A80] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT [F8F76A80] vsdatant.sys
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE F775EC8A

---- EOF - GMER 1.0.10 ----
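
The two HijackThis logs in this thread (06/27/06 before the fix, 06/28/06 after it) can be checked mechanically rather than by eye. The script below is an added example, not code from the thread, from HijackThis or from Rawe's tools: it parses HijackThis 1.99 entry lines, flags the kinds of entries Rawe listed for removal in post #10 (orphaned BHOs, an IE search override, a Run key that launches IE with a URL, autostart executables not on an allowlist, Trusted Zone additions, the text/html filter and the AppInit_DLLs entry), and then confirms none of them survive in the later log. The allowlist and both trimmed sample logs are constructed from the logs posted above.

```python
"""Triage HijackThis 1.99 log entries and check that a fix removed them.

Added example for this thread (not HijackThis code, not Rawe's tooling). The
allowlist and both trimmed sample logs are constructed from the logs above.
"""
import re
from dataclasses import dataclass

# A HijackThis entry is "<section> - <body>", e.g. "O4 - HKLM\..\Run: [name] cmd".
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d{1,2}) - (?P<body>.+)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'([^\\/"\s]+\.exe)', re.IGNORECASE)

# Autostart executables the thread left alone (constructed allowlist for this
# machine; in practice build one per environment from a known-clean baseline).
KNOWN_GOOD_EXES = {
    "nerocheck.exe", "soundman.exe", "carpserv.exe", "ccapp.exe", "vptray.exe",
    "fppdis2a.exe", "qttask.exe", "zlclient.exe", "msmsgs.exe", "ctfmon.exe",
}


@dataclass(frozen=True)
class Entry:
    section: str
    body: str

    @property
    def line(self):
        return f"{self.section} - {self.body}"


def parse_log(text):
    """Keep section entries only; the header and 'Running processes' are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


def review_reason(e):
    """Why an entry is a removal candidate, or None when it looks benign."""
    if e.section in ("R0", "R1") and "http" in e.body:
        return "IE search/start page points at an external URL"
    if e.section == "O2" and ("(no file)" in e.body or "(file missing)" in e.body):
        return "BHO registered for a DLL that is gone (orphaned hook)"
    if e.section == "O4":
        m = RUN_RE.match(e.body)
        if m:
            cmd = m.group("cmd")
            if re.match(r'"?iexplore\.exe"?\s+http', cmd, re.IGNORECASE):
                return "Run key launches Internet Explorer with a URL"
            exe = EXE_RE.search(cmd)
            if exe and exe.group(1).lower() not in KNOWN_GOOD_EXES:
                return f"autostart executable not on the allowlist: {exe.group(1)}"
    if e.section == "O15":
        return "domain added to the IE Trusted Zone"
    if e.section == "O18" and e.body.startswith("Filter: text/html"):
        return "MIME filter that sees every HTML page IE loads"
    if e.section == "O20" and e.body.startswith("AppInit_DLLs"):
        return "AppInit_DLLs loads a DLL into every process that uses user32"
    return None


def triage(text):
    """Map each flagged entry line to the reason it was flagged."""
    return {e.line: r for e in parse_log(text) if (r := review_reason(e))}


def verify_fix(before, after):
    """What the fix removed, which flagged entries survived, and what is new."""
    before_lines = {e.line for e in parse_log(before)}
    after_lines = {e.line for e in parse_log(after)}
    return {
        "removed": before_lines - after_lines,
        "still_flagged": set(triage(before)) & after_lines,
        "new": after_lines - before_lines,
    }


# Trimmed sample: 13 entries copied from the 06/27/06 log (constructed subset).
BEFORE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
O2 - BHO: (no name) - {23FB5ADD-DA37-4a40-9FC0-B0E2384CDE92} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yvakt Class - {5C3E6596-C64F-48E0-AC1E-B9C6EB3A5915} - C:\WINDOWS\system32\x3cqp0.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [{DA-AE-E6-63-ZN}] C:\windows\system32\dwdsregt.exe FI002
O4 - HKLM\..\Run: [adstart] iexplore.exe http://iesettingsupdate
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - Trusted Zone: *.elitemediagroup.net
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - C:\WINDOWS\system32\x3cqp0.dll
O20 - AppInit_DLLs: csrss.dll C:\WINDOWS\system32\csrss.dll
"""

# The entries from that subset that survived in the 06/28/06 log.
AFTER_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
"""
```

Note that the O9 Messenger entry is "(file missing)" too, but only O2 hooks are treated that way: a missing toolbar button is harmless, a BHO or filter registration pointing at a vanished DLL is a leftover of something that was removed underneath it.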

#12 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:05:25 AM

Posted 28 June 2006 - 09:57 AM

How's the system running now? :thumbsup:
Hi there, stranger!

#13 NicholFanning

NicholFanning
  • Topic Starter

  • Members
  • 7 posts
  • OFFLINE
  • Local time:09:25 PM

Posted 28 June 2006 - 11:39 AM

Seems to be much better, no pop-ups and the reboot went smoothly with no IEupdate running in the beginning...am I cured?

Edited by NicholFanning, 28 June 2006 - 11:39 AM.


#14 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:05:25 AM

Posted 28 June 2006 - 12:17 PM

Does look a lot better :thumbsup:

Please read here how to clear old restore points and create a new one.

Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Here are some tips for the future to prevent spyware:

Detect and Remove Programs:
  • How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
  • How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
Prevention Programs:
  • Spywareblaster <= SpywareBlaster will prevent spyware from being installed. (My favourite)
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Other necessary Programs:
  • AntiVirus Program <= An AntiVirus program is a must! Whether it is a free version like AVG or Anti-Vir, or a shareware version like Norton or Kaspersky, this is a must have.
  • Firewall <= A firewall is definitely a must have. Two good free versions are Kerio Personal Firewall and ZoneLabs.
  • More Secure Browser <= Internet Explorer is not the most secure and best browser. There are safer and better alternatives available. I recommend Firefox.
And also see TonyKlein's good advice:
So how did I get infected in the first place? (My favourite)
Hi there, stranger!

#15 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:05:25 AM

Posted 03 July 2006 - 10:33 AM

Since this issue appears to be resolved, this Topic has been closed. Should you need this Topic reopened, please PM a Staff member with the address of this thread. :thumbsup:
Hi there, stranger!



