
Help Removing Surfsidekick


  • This topic is locked
6 replies to this topic

#1 mindguru


  • Members
  • 3 posts
  • OFFLINE
  • Local time:04:47 PM

Posted 22 July 2006 - 05:26 PM

Hi all,

My problem is that I can't seem to remove SurfSideKick from my computer.
Damn thing keeps coming back after every reboot. My HijackThis log is posted below.

Any help is highly appreciated.


Logfile of HijackThis v1.99.1
Scan saved at 6:18:51 PM, on 7/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\UB-VPN\cvpnd.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\xload.exe
C:\WINDOWS\thiselt.exe
C:\WINDOWS\pop06ap2.exe
C:\WINDOWS\CCZoop05.exe
C:\WINDOWS\win32084616785631.exe
C:\WINDOWS\ms045631461678.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\nwinppez.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\system32\redistributor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\PROGRA~1\WINZIP\winzip32.exe
C:\Documents and Settings\rshah\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R3 - URLSearchHook: (no name) - _{4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\sihbx.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,eenfimh.exe
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Stumble&Upon - {22D003CE-6952-46C5-80B9-D19B479620AB} - C:\WINDOWS\system32\s1940.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google Notebook - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.6-1415540505.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [defender] C:\\dfndred_7.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrded_7.exe
O4 - HKLM\..\Run: [pop06ap] C:\WINDOWS\pop06ap2.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CCZoop05.exe
O4 - HKLM\..\Run: [win32084616785631] C:\WINDOWS\win32084616785631.exe
O4 - HKLM\..\Run: [ms045631461678] C:\WINDOWS\ms045631461678.exe
O4 - HKLM\..\Run: [rgzda588] RUNDLL32.EXE w05164fe.dll,n 001da5870000000305164fe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\nwinppez.exe CORN003
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_7 -reboot 1
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\nwinppez.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: University at Buffalo VPN Client.lnk = C:\Program Files\UB-VPN\vpngui.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Note this (Google Note&book) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.6-1415540505.dll/gn_menu1.html
O8 - Extra context menu item: Note this (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.6-1415540505.dll/gn_menu2.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\system32\s1940.dll/blogimage
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: *.stumbleupon.com
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/...ad/tgctlins.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flash...ent/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = itorg.ad.buffalo.edu
O17 - HKLM\Software\..\Telephony: DomainName = itorg.ad.buffalo.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = itorg.ad.buffalo.edu
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINDOWS\system32\x3cqp0.dll
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: logons - C:\WINDOWS\system32\redist.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: ThemeManager - C:\WINDOWS\system32\mvnsl9571.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\UB-VPN\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
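The log above is a standard HijackThis report, and the work a helper does with it is mostly triage: which of the R/F/O lines point at something that should not be there. As an added example (not part of this thread, and not a feature of HijackThis or ComboFix), the Python script below parses a handful of lines copied from the log above, plus two ordinary O4 entries for contrast, and flags the classes of entry a reviewer looks at first: extra programs on the system.ini Shell= and UserInit= lines, autoruns whose binary sits directly in C:\WINDOWS or the drive root, Trusted Zone additions, AppInit_DLLs, an O18 text/html filter, and orphaned "(no file)" hooks. It also cross-checks O16 ActiveX downloads against the O15 Trusted Zone list. The rules, the SYSTEM_ROOTS set and the function names are this example's own assumptions, not anything the thread or the tools define.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Sample input: lines copied from the HijackThis log in the post above, plus two
# ordinary O4 entries (SynTPEnh, DVDLauncher) so the rules see benign input too.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\sihbx.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,eenfimh.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [defender] C:\\dfndred_7.exe
O4 - HKLM\..\Run: [ms045631461678] C:\WINDOWS\ms045631461678.exe
O15 - Trusted Zone: *.elitemediagroup.net
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O18 - Filter: text/html - {DA28E0DB-229C-4003-827E-96AE15AD90FB} - C:\WINDOWS\system32\x3cqp0.dll
O20 - AppInit_DLLs: repairs303169590.dll
"""

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
# Assumed heuristic: a Run entry whose binary lives directly in the Windows
# directory or the drive root is rare for legitimate software.
SYSTEM_ROOTS = {"c:\\windows", "c:"}
# What the system.ini Shell= and UserInit= values normally hold; anything else is extra.
EXPECTED_LOGON = {"shell": "explorer.exe", "userinit": "userinit.exe"}


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    detail: str


def exe_target(value: str) -> str:
    """Program path from an O4 value, with surrounding quotes and arguments removed."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    m = re.match(r"(.+?\.(?:exe|dll|cpl))(?:\s|$)", value, re.IGNORECASE)
    return m.group(1) if m else value.split()[0]


def parent_dir(path: str) -> str:
    """Lower-cased directory part; doubled backslashes collapse to one first."""
    norm = re.sub(r"\\+", r"\\", path).lower()
    return norm.rsplit("\\", 1)[0] if "\\" in norm else ""


def triage(log_text: str) -> list:
    """Parse HijackThis lines and return the entries worth a second look."""
    findings, trusted, activex = [], [], []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "F2" and body.startswith("REG:system.ini:"):
            key, _, value = body[len("REG:system.ini:"):].strip().partition("=")
            expected = EXPECTED_LOGON.get(key.lower())
            for item in (i.strip() for i in value.split(",")):
                if expected and item.rsplit("\\", 1)[-1].lower() != expected:
                    findings.append(Finding(sec, f"extra program on system.ini {key}=", item))
        elif sec == "O4":
            _, sep, value = body.partition("] ")      # HKLM/HKCU Run entries
            if not sep:
                _, sep, value = body.partition(" = ")  # Startup folder .lnk entries
            if sep and value.strip():
                target = exe_target(value)
                if parent_dir(target) in SYSTEM_ROOTS:
                    findings.append(Finding(sec, "autorun binary directly in Windows dir or drive root", target))
        elif sec == "O15":
            domain = body.split(":", 1)[1].strip().lstrip("*.").lower()
            trusted.append(domain)
            findings.append(Finding(sec, "domain added to IE Trusted Zone", domain))
        elif sec == "O16":
            host = urlparse(body.rsplit(" - ", 1)[-1]).hostname
            if host:
                activex.append(host.lower())
        elif sec == "O18":
            findings.append(Finding(sec, "MIME filter hooks every HTML page IE renders", body))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.partition(":")[2].strip()
            if value:
                findings.append(Finding(sec, "AppInit_DLLs is loaded into every GUI process", value))
        elif "(no file)" in body:
            findings.append(Finding(sec, "orphaned entry, file already gone", body))
    # Cross-check: an ActiveX control served from a domain that was also placed in
    # the Trusted Zone is a stronger signal than either line on its own.
    for host in activex:
        if any(host == d or host.endswith("." + d) for d in trusted):
            findings.append(Finding("O16", "ActiveX download from a Trusted Zone domain", host))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<5}{f.reason:<58}{f.detail}")
```

Run against the sample it reports ten findings; the two Synaptics/CyberLink entries pass because their binaries live under Program Files. The location rule is deliberately narrow (only the bare Windows directory and the drive root) so that it stays quiet on a clean log; the O15/O16 correlation shows why the Trusted Zone lines matter even though each one looks harmless by itself.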



#2 Shaba


    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:10:47 PM

Posted 23 July 2006 - 05:24 AM

Hi mindguru

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Send:

- ComboFix report
- a fresh HijackThis log

Microsoft MVP Consumer Security

#3 mindguru

  • Topic Starter

  • Members
  • 3 posts
  • OFFLINE
  • Local time:04:47 PM

Posted 24 July 2006 - 09:58 AM

Here is my HijackThis log followed by the ComboFix report. I appreciate all the help...

Logfile of HijackThis v1.99.1
Scan saved at 10:55:09 AM, on 7/24/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\UB-VPN\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\ms045631461678.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\Java\jre1.5.0_06\bin\javaw.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\rshah\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Stumble&Upon - {22D003CE-6952-46C5-80B9-D19B479620AB} - C:\WINDOWS\system32\s1940.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google Notebook - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.6-1415540505.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ms045631461678] C:\WINDOWS\ms045631461678.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_7 -reboot 1
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\nwinppez.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: University at Buffalo VPN Client.lnk = C:\Program Files\UB-VPN\vpngui.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Note this (Google Note&book) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.6-1415540505.dll/gn_menu1.html
O8 - Extra context menu item: Note this (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.6-1415540505.dll/gn_menu2.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\system32\s1940.dll/blogimage
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flash...ent/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = itorg.ad.buffalo.edu
O17 - HKLM\Software\..\Telephony: DomainName = itorg.ad.buffalo.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = itorg.ad.buffalo.edu
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\UB-VPN\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


===================================================================

Start Time= Mon 07/24/2006 10:48:58.85
Running from: C:\Documents and Settings\rshah\Desktop

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))



2006-07-24 10:10 <DIR> C:\Documents and Settings\rshah\Application Data\skype
2006-07-24 09:11 834 C:\WINDOWS\system32\nt68rrtc12.sys
2006-07-24 09:10 <DIR> C:\Program Files\symantec antivirus
2006-07-23 12:39 24,296 C:\WINDOWS\icont.exe
2006-07-23 01:23 235,977 C:\WINDOWS\system32\p46s0ej7eho.dll
2006-07-23 01:09 234,190 C:\WINDOWS\system32\ir88l5lu1.dll
2006-07-23 01:00 <DIR> C:\Program Files\Common Files\owqu
2006-07-23 00:19 <DIR> C:\Program Files\lavasoft
2006-07-23 00:19 <DIR> C:\Documents and Settings\rshah\Application Data\lavasoft
2006-07-22 23:59 <DIR> C:\Program Files\ewido anti-spyware 4.0
2006-07-22 19:37 1,063 C:\WINDOWS\system32\rgzda588.sys
2006-07-22 18:16 <DIR> C:\Program Files\hijackthis
2006-07-22 17:30 <DIR> C:\Program Files\common files
2006-07-22 17:20 <DIR> C:\Program Files\installshield installation information
2006-07-22 17:20 <DIR> C:\Documents and Settings\rshah\Application Data\a?sembly (asembl~1)
2006-07-22 15:47 <DIR> C:\Documents and Settings\rshah\Application Data\winpatrol
2006-07-22 15:46 <DIR> C:\Program Files\billp studios
2006-07-22 14:48 81,920 C:\WINDOWS\system32\notepad.dll
2006-07-22 14:48 2 C:\WINDOWS\system32\wnstssv.exe
2006-07-22 14:48 <DIR> C:\Program Files\??crosoft (crosof~1)
2006-07-22 14:47 126,464 C:\WINDOWS\system32\redistributor.exe
2006-07-22 14:45 45,080 C:\WINDOWS\system32\oodsregq.exe
2006-07-22 14:40 38,412 C:\WINDOWS\ssqbn.exe
2006-07-22 14:40 159,877 C:\WINDOWS\system32\nwinppez.exe
2006-07-22 14:40 <DIR> C:\Program Files\windows nt
2006-07-22 14:38 45,068 C:\WINDOWS\system32\zicorn003.exe
2006-07-22 14:37 61,440 C:\WINDOWS\system32\rgzda588.dll
2006-07-22 14:37 48,167 C:\WINDOWS\system32\vsl05.exe
2006-07-22 14:37 <DIR> C:\Program Files\system icons
2006-07-22 14:35 <DIR> C:\Program Files\?ssembly (ssembl~1)
2006-07-22 14:34 143,360 C:\WINDOWS\ms045631461678.exe
2006-07-22 14:33 77,824 C:\WINDOWS\system32\dsancl.exe
2006-07-22 14:33 77,824 C:\WINDOWS\system32\cloudsim.exe
2006-07-22 14:33 5,632 C:\WINDOWS\pi1_36.exe
2006-07-22 14:33 32,768 C:\WINDOWS\unstall.exe
2006-07-22 14:33 319,294 C:\WINDOWS\yoinsi.exe
2006-07-22 14:33 234,248 C:\WINDOWS\tagasuarus2.exe
2006-07-22 14:33 233 C:\WINDOWS\mm06y.ini
2006-07-22 14:33 232,749 C:\WINDOWS\pf78.exe
2006-07-22 14:32 45,056 C:\WINDOWS\zuckdha.exe
2006-07-22 14:32 45,056 C:\WINDOWS\system32tfthot.exe
2006-07-22 14:32 36,864 C:\WINDOWS\thiselt.exe
2006-07-22 14:32 359,634 C:\WINDOWS\media_motor_bundle.exe
2006-07-22 14:32 32,976 C:\WINDOWS\system32\uninsticn.exe
2006-07-22 14:32 28,672 C:\WINDOWS\system32ftuninst.exe
2006-07-22 14:32 28,672 C:\WINDOWS\system32\ftuninst.exe
2006-07-21 17:27 155 C:\WINDOWS\winamp.ini
2006-07-15 09:22 444,324 C:\WINDOWS\system32\perfstringbackup.ini
2006-07-15 01:32 14,617 C:\WINDOWS\xload.exe
2006-07-12 16:55 <DIR> C:\Documents and Settings\rshah\Application Data\sas
2006-06-28 00:55 <DIR> C:\Documents and Settings\rshah\Application Data\google
2006-06-28 00:54 <DIR> C:\Program Files\google
2006-06-21 18:38 235,228 C:\WINDOWS\system32\icon_mediamotor.exe
2006-06-21 18:38 115,239 C:\WINDOWS\system32\ts_mediamotor.exe
2006-06-20 20:55 389,120 C:\WINDOWS\system32\nodeipproc.dll
2006-06-19 16:20 702,768 C:\WINDOWS\system32\wgalogon.dll
2006-06-17 09:58 <DIR> C:\Program Files\internet explorer
2006-06-15 15:26 24,576 C:\WINDOWS\system32\nr1rnqm8.exe
2006-06-11 23:03 <DIR> C:\Documents and Settings\rshah\Application Data\adobeum
2006-06-09 13:56 <DIR> C:\Documents and Settings\rshah\Application Data\macromedia
2006-05-28 17:40 <DIR> C:\Program Files\spybot - search & destroy
2006-05-19 08:59 94,720 C:\WINDOWS\system32\iphlpapi.dll
2006-05-19 08:59 148,480 C:\WINDOWS\system32\dnsapi.dll
2006-05-19 08:59 111,616 C:\WINDOWS\system32\dhcpcsvc.dll


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-23 13:31 834 C:\WINDOWS\system32\nt68rrtc12.sys
2006-07-23 12:40 24,296 C:\WINDOWS\icont.exe
2006-07-23 12:24 235,977 C:\WINDOWS\system32\p46s0ej7eho.dll
2006-07-23 01:09 234,190 C:\WINDOWS\system32\ir88l5lu1.dll
2006-07-22 15:31 299,520 C:\WINDOWS\uninst.exe
2006-07-22 14:47 126,464 C:\WINDOWS\system32\redistributor.exe
2006-07-22 14:45 45,080 C:\WINDOWS\system32\oodsregq.exe
2006-07-22 14:40 38,412 C:\WINDOWS\ssqbn.exe
2006-07-22 14:40 159,877 C:\WINDOWS\system32\nwinppez.exe
2006-07-22 14:39 2 C:\WINDOWS\system32\wnstssv.exe
2006-07-22 14:38 81,920 C:\WINDOWS\system32\notepad.dll
2006-07-22 14:38 45,068 C:\WINDOWS\system32\ZICORN003.exe
2006-07-22 14:38 2,088,960 C:\WINDOWS\cfg32.exe
2006-07-22 14:37 61,440 C:\WINDOWS\system32\rgzda588.dll
2006-07-22 14:37 48,167 C:\WINDOWS\system32\VSL05.exe
2006-07-22 14:37 1,063 C:\WINDOWS\system32\rgzda588.sys
2006-07-22 14:34 143,360 C:\WINDOWS\ms045631461678.exe
2006-07-22 14:33 77,824 C:\WINDOWS\system32\dsancl.exe
2006-07-22 14:33 77,824 C:\WINDOWS\system32\cloudsim.exe
2006-07-22 14:33 5,632 C:\WINDOWS\pi1_36.exe
2006-07-22 14:33 32,768 C:\WINDOWS\unstall.exe
2006-07-22 14:33 319,294 C:\WINDOWS\YOINSI.exe
2006-07-22 14:33 234,248 C:\WINDOWS\Tagasuarus2.exe
2006-07-22 14:33 233 C:\WINDOWS\mm06y.ini
2006-07-22 14:33 232,749 C:\WINDOWS\pf78.exe
2006-07-22 14:32 459 C:\WINDOWS\buweo.dll
2006-07-22 14:32 45,056 C:\WINDOWS\zuckdha.exe
2006-07-22 14:32 45,056 C:\WINDOWS\system32tfthot.exe
2006-07-22 14:32 36,864 C:\WINDOWS\thiselt.exe
2006-07-22 14:32 359,634 C:\WINDOWS\media_motor_bundle.exe
2006-07-22 14:32 32,976 C:\WINDOWS\system32\uninstIcn.exe
2006-07-22 14:32 28,672 C:\WINDOWS\system32ftuninst.exe
2006-07-22 14:32 28,672 C:\WINDOWS\system32\ftuninst.exe
2006-07-22 14:32 24,576 C:\WINDOWS\system32\nr1rnqm8.exe
2006-07-22 14:31 14,617 C:\WINDOWS\xload.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
@=""
"IntelWireless"="C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"ISUSPM Startup"="C:\\PROGRA~1\\COMMON~1\\INSTAL~1\\UPDATE~1\\ISUSPM.exe -startup"
"ISUSScheduler"="\"C:\\Program Files\\Common Files\\InstallShield\\UpdateService\\issch.exe\" -start"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"Acrobat Assistant 7.0"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ms045631461678"="C:\\WINDOWS\\ms045631461678.exe"
"WinPatrol"="C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\winpatrol.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Acrobat\\AdobeUpdateManager.exe\" AcPro7_0_7 -reboot 1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,02,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee.com Scan for Viruses - My Computer (JAC215-SHAHLPTP-test).job

Completion time: Mon 07/24/2006 10:49:21.49
ComboFix ver 06.07.22 - This logfile is located at C:\ComboFix.txt

ComboFix.txt
ComboFix2.txt
ComboFix3.txt

#4 Shaba

Posted 24 July 2006 - 10:19 AM

Hi mindguru

Looking better :thumbsup:

Open HijackThis, click do a system scan only and checkmark these:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O4 - HKLM\..\Run: [ms045631461678] C:\WINDOWS\ms045631461678.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\nwinppez.exe


Close all windows including browser and press fix checked.

Please download the Killbox.
Unzip it to the desktop

Please run Killbox.

Select "Delete on Reboot".

Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\icont.exe
C:\WINDOWS\system32\p46s0ej7eho.dll
C:\WINDOWS\system32\ir88l5lu1.dll
C:\Program Files\Common Files\owqu
C:\WINDOWS\system32\notepad.dll
C:\WINDOWS\system32\wnstssv.exe
C:\WINDOWS\system32\oodsregq.exe
C:\WINDOWS\ssqbn.exe
C:\WINDOWS\system32\nwinppez.exe
C:\WINDOWS\system32\zicorn003.exe
C:\WINDOWS\system32\rgzda588.dll
C:\WINDOWS\system32\vsl05.exe
C:\WINDOWS\ms045631461678.exe
C:\WINDOWS\system32\dsancl.exe
C:\WINDOWS\system32\cloudsim.exe
C:\WINDOWS\pi1_36.exe
C:\WINDOWS\unstall.exe
C:\WINDOWS\yoinsi.exe
C:\WINDOWS\tagasuarus2.exe
C:\WINDOWS\mm06y.ini
C:\WINDOWS\pf78.exe
C:\WINDOWS\zuckdha.exe
C:\WINDOWS\system32tfthot.exe
C:\WINDOWS\thiselt.exe
C:\WINDOWS\media_motor_bundle.exe
C:\WINDOWS\system32\uninsticn.exe
C:\WINDOWS\system32ftuninst.exe
C:\WINDOWS\system32\ftuninst.exe
C:\WINDOWS\xload.exe
C:\WINDOWS\system32\icon_mediamotor.exe
C:\WINDOWS\system32\ts_mediamotor.exe
C:\WINDOWS\system32\nodeipproc.dll
C:\WINDOWS\system32\nr1rnqm8.exe
C:\WINDOWS\system32\ZICORN003.exe
C:\WINDOWS\cfg32.exe
C:\WINDOWS\system32\VSL05.exe
C:\WINDOWS\buweo.dll

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually.

Upload these files:

C:\WINDOWS\system32\nt68rrtc12.sys
C:\WINDOWS\system32\rgzda588.sys

to VirusTotal and post results here

Re-run combofix

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases

  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Post:

- a fresh HijackThis log
- VirusTotal results
- a fresh combofix log
- kaspersky report
Microsoft MVP Consumer Security
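As an added, defender-side example (not code from this thread, from Shaba, or from ComboFix's authors), the Python below reads the two ComboFix sections the fix above was built from, "Files Created - Last 30days" and "Reg Loading Points", and reports autostart entries that point at freshly dropped files (the `ms045631461678` Run entry) together with bursts of binaries written under C:\WINDOWS within a few minutes (the 14:32-14:47 cluster). The sample lines are a slice of the log posted in this thread; the line formats the regexes assume are inferred from that log, not from any ComboFix specification.

```python
"""Triage helpers for a ComboFix log (added example; the line format is
inferred from the log posted in this thread, not taken from ComboFix)."""
import re
from datetime import datetime, timedelta

# Constructed sample: a slice of the ComboFix 06.07.22 output posted above.
SAMPLE_LOG = r"""
(((((((((((((((((( Files Created - Last 30days ))))))))))))))))))

2006-07-23 13:31 834 C:\WINDOWS\system32\nt68rrtc12.sys
2006-07-23 12:40 24,296 C:\WINDOWS\icont.exe
2006-07-22 14:47 126,464 C:\WINDOWS\system32\redistributor.exe
2006-07-22 14:40 159,877 C:\WINDOWS\system32\nwinppez.exe
2006-07-22 14:39 2 C:\WINDOWS\system32\wnstssv.exe
2006-07-22 14:34 143,360 C:\WINDOWS\ms045631461678.exe
2006-07-22 14:33 77,824 C:\WINDOWS\system32\dsancl.exe
2006-07-22 14:32 45,056 C:\WINDOWS\zuckdha.exe
2006-07-15 09:22 444,324 C:\WINDOWS\system32\perfstringbackup.ini
2006-05-19 08:59 94,720 C:\WINDOWS\system32\iphlpapi.dll

(((((((((((((((((( Reg Loading Points ))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"ms045631461678"="C:\\WINDOWS\\ms045631461678.exe"
"WinPatrol"="C:\\PROGRA~1\\BILLPS~1\\WINPAT~1\\winpatrol.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

# Assumed formats: "(((( Title ))))" section banners, "date time size path"
# file lines, and .reg-style [key] / "name"="value" loading-point lines.
SECTION_RE = re.compile(r'^\(+\s*(.*?)\s*\)+$')
FILE_RE = re.compile(r'^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S.*?)\s*$')
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:exe|dll|sys|cpl))', re.IGNORECASE)
EXEC_EXT = ('.exe', '.dll', '.sys')


def reg_unescape(value):
    """Undo .reg-style escaping: \\" becomes " and \\\\ becomes a single \\."""
    return value.replace('\\"', '"').replace('\\\\', '\\')


def parse_combofix(text):
    """Return (files, autostarts): created files and Run-key targets."""
    files, autostarts, section, key = [], [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section, key = m.group(1).lower(), None
            continue
        if section and section.startswith('files created'):
            m = FILE_RE.match(line)
            if m:
                date, time, size, path = m.groups()
                files.append({
                    'created': datetime.strptime(f'{date} {time}', '%Y-%m-%d %H:%M'),
                    'size': None if size == '<DIR>' else int(size.replace(',', '')),
                    'path': path})
        elif section == 'reg loading points':
            m = KEY_RE.match(line)
            if m:
                key = m.group(1).lower()
                continue
            m = VALUE_RE.match(line)
            if m and key and '\\currentversion\\run' in key:
                p = PATH_RE.search(reg_unescape(m.group(2)))
                if p:  # values without a drive-letter path (rundll32 ...) are skipped
                    autostarts.append({'key': key, 'name': m.group(1), 'path': p.group(1)})
    return files, autostarts


def autostarts_into_new_files(files, autostarts):
    """Run entries whose target appears in the recently-created file list."""
    by_path = {f['path'].lower(): f for f in files}
    hits = []
    for a in autostarts:
        f = by_path.get(a['path'].lower())
        if f:
            hits.append({'name': a['name'], 'path': f['path'], 'created': f['created']})
    return hits


def is_system_binary(path):
    p = path.lower()
    return p.startswith('c:\\windows\\') and p.endswith(EXEC_EXT)


def drop_bursts(files, window=timedelta(minutes=15), min_count=3):
    """Groups of >= min_count binaries written under the Windows dir within `window`."""
    bins = sorted((f for f in files if is_system_binary(f['path'])), key=lambda f: f['created'])
    bursts, i = [], 0
    while i < len(bins):
        j = i
        while j + 1 < len(bins) and bins[j + 1]['created'] - bins[i]['created'] <= window:
            j += 1
        if j - i + 1 >= min_count:
            bursts.append([f['path'] for f in bins[i:j + 1]])
            i = j + 1
        else:
            i += 1
    return bursts


if __name__ == '__main__':
    files, autostarts = parse_combofix(SAMPLE_LOG)
    for h in autostarts_into_new_files(files, autostarts):
        print(f"autostart [{h['name']}] -> {h['path']} (created {h['created']:%Y-%m-%d %H:%M})")
    for burst in drop_bursts(files):
        print(f"{len(burst)} binaries dropped under C:\\WINDOWS within 15 min, first: {burst[0]}")
```

Anything it flags is a candidate for exactly the VirusTotal check Shaba asks for, not a verdict; legitimate updaters also write bursts of files, so the creation times should be read against what the user installed that day.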

#5 mindguru

Posted 29 July 2006 - 01:01 PM

Thanks for the help here and I can see the difference in the performance of my computer thanks to you guys.

Here are the various reports, and hopefully your help will rid me of the spyware.

Latest Hijackthis log

Logfile of HijackThis v1.99.1
Scan saved at 1:51:44 PM, on 7/29/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\DllHost.exe
C:\Program Files\UB-VPN\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\rshah\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Stumble&Upon - {22D003CE-6952-46C5-80B9-D19B479620AB} - C:\WINDOWS\system32\s1940.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google Notebook - {CCCCCCDB-4DDB-4703-95D4-DD2C526397BF} - C:\Program Files\Google\Google Notebook\gnotes1.0.2.6-1415540505.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_7 -reboot 1
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: University at Buffalo VPN Client.lnk = C:\Program Files\UB-VPN\vpngui.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Note this (Google Note&book) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.6-1415540505.dll/gn_menu1.html
O8 - Extra context menu item: Note this (Google Notebook) - res://C:\Program Files\Google\Google Notebook\gnotes1.0.2.6-1415540505.dll/gn_menu2.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: StumbleUpon: &Blog This - res://C:\WINDOWS\system32\s1940.dll/blogimage
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by103fd.bay103.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/get/flash...ent/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = itorg.ad.buffalo.edu
O17 - HKLM\Software\..\Telephony: DomainName = itorg.ad.buffalo.edu
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = itorg.ad.buffalo.edu
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\UB-VPN\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe


Virustotal report

VirusTotal Output

STATUS: FINISHED
Complete scanning result of "rgzda588.sys", received in VirusTotal at 07.28.2006, 18:46:10 (CET).

AntiVir 6.35.1.0 07.28.2006 no virus found
Authentium 4.93.8 07.28.2006 no virus found
Avast 4.7.844.0 07.28.2006 no virus found
AVG 386 07.27.2006 no virus found
BitDefender 7.2 07.28.2006 no virus found
CAT-QuickHeal 8.00 07.28.2006 no virus found
ClamAV devel-20060426 07.27.2006 no virus found
DrWeb 4.33 07.28.2006 no virus found
eTrust-InoculateIT 23.72.80 07.28.2006 no virus found
eTrust-Vet 12.6.2314 07.28.2006 no virus found
Ewido 4.0 07.28.2006 no virus found
Fortinet 2.77.0.0 07.27.2006 no virus found
F-Prot 3.16f 07.27.2006 no virus found
F-Prot4 4.2.1.29 07.27.2006 no virus found
Ikarus 0.2.65.0 07.28.2006 no virus found
Kaspersky 4.0.2.24 07.28.2006 no virus found
McAfee 4816 07.27.2006 no virus found
Microsoft 1.1508 07.27.2006 no virus found
NOD32v2 1.1683 07.28.2006 no virus found
Norman 5.90.23 07.28.2006 no virus found
Panda 9.0.0.4 07.28.2006 no virus found
Sophos 4.07.0 07.28.2006 no virus found
Symantec 8.0 07.28.2006 no virus found
TheHacker 5.9.8.182 07.27.2006 no virus found
UNA 1.83 07.27.2006 no virus found
VBA32 3.11.0 07.27.2006 no virus found
VirusBuster 4.3.7:9 07.28.2006 no virus found


Aditional Information
File size: 1063 bytes

STATUS: FINISHED
Complete scanning result of "nt68rrtc12.sys", received in VirusTotal at 07.28.2006, 18:53:51 (CET).

Antivirus Version Update Result
AntiVir 6.35.1.0 07.28.2006 no virus found
Authentium 4.93.8 07.28.2006 no virus found
Avast 4.7.844.0 07.28.2006 no virus found
AVG 386 07.27.2006 no virus found
BitDefender 7.2 07.28.2006 no virus found
CAT-QuickHeal 8.00 07.28.2006 no virus found
ClamAV devel-20060426 07.27.2006 no virus found
DrWeb 4.33 07.28.2006 no virus found
eTrust-InoculateIT 23.72.80 07.28.2006 no virus found
eTrust-Vet 12.6.2314 07.28.2006 no virus found
Ewido 4.0 07.28.2006 no virus found
Fortinet 2.77.0.0 07.27.2006 no virus found
F-Prot 3.16f 07.27.2006 no virus found
F-Prot4 4.2.1.29 07.27.2006 no virus found
Ikarus 0.2.65.0 07.28.2006 no virus found
Kaspersky 4.0.2.24 07.28.2006 no virus found
McAfee 4816 07.27.2006 no virus found
Microsoft 1.1508 07.27.2006 no virus found
NOD32v2 1.1683 07.28.2006 no virus found
Norman 5.90.23 07.28.2006 no virus found
Panda 9.0.0.4 07.28.2006 no virus found
Sophos 4.07.0 07.28.2006 no virus found
Symantec 8.0 07.28.2006 no virus found
TheHacker 5.9.8.182 07.27.2006 no virus found
UNA 1.83 07.27.2006 no virus found
VBA32 3.11.0 07.27.2006 no virus found
VirusBuster 4.3.7:9 07.28.2006 no virus found


Aditional Information
File size: 834 bytes

Kaspersky report

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, July 29, 2006 1:51:11 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 29/07/2006
Kaspersky Anti-Virus database records: 210711
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 67535
Number of viruses found: 70
Number of infected objects: 230
Number of suspicious objects: 3
Duration of the scan process: 01:21:43

Infected Object Name / Virus Name / Last Action
C:\!KillBox\icont.exe Infected: not-a-virus:AdWare.Win32.AdURL.c skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip/MTE3NDI6ODoxNg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00D00000\44DB7C76.VBN Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\027C0000\46FE545C.VBN Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\027C0000\46FE545D.VBN Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\027C0000\46FE545E.VBN Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\027C0000\46FE545F.VBN Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\027C0000\46FE5460.VBN Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\027C0000\46FE5461.VBN Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\027C0000\46FE5462.VBN Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\027C0001\46FE54B1.VBN Infected: Trojan-Downloader.Win32.Agent.aaf skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\027C0001\46FE54B2.VBN Infected: Trojan-Downloader.Win32.Agent.aaf skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\027C0001\46FE54B3.VBN Infected: not-a-virus:AdWare.Win32.CASClient.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\027C0002\46FE54D8.VBN Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\027C0003\46FE54FA.VBN Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\027C0004\46FE5D86.VBN Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\027C0004\46FE5D87.VBN Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\027C0004\46FE5D88.VBN Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\027C0004\46FE5D89.VBN Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\027C0004\46FE5D8A.VBN Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\027C0004\46FE5D8B.VBN Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D080000\4DCAFB89.VBN Infected: Trojan-Downloader.Win32.Small.bgl skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D080001\4DCAFC82.VBN Infected: Trojan-Dropper.Win32.PurityScan.ae skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D080001\4DCAFC86.VBN/MediaTicketsInstaller.ocx Infected: Trojan-Dropper.Win32.PurityScan.ae skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D080001\4DCAFC86.VBN CAB: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D080001\4DCAFC86.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D080003\4DCAFE4A.VBN/data0001 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D080003\4DCAFE4A.VBN Inno: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D080003\4DCAFE4A.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D080003\4DCAFE4F.VBN Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D080004\4DCAFF39.VBN Infected: Trojan-Downloader.Win32.Dyfuca.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D080005\4DCB009F.VBN Infected: Trojan-Dropper.Win32.Small.qn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D080006\4DCB0180.VBN Infected: Trojan-Downloader.Win32.Agent.aaf skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D080007\4DCB02E6.VBN Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D080007\4DCB02E9.VBN Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D080007\4DCB02EA.VBN Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D080007\4DCB02EB.VBN Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D080008\4DCB0319.VBN Infected: not-a-virus:AdWare.Win32.Mirar.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DC40000\4DCE3C4F.VBN Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DC40000\4DCE3C50.VBN Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11B80000.VBN/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11B80000.VBN/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11B80000.VBN/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11B80000.VBN ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11B80000.VBN CryptZ: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11B80001.VBN/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11B80001.VBN/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11B80001.VBN/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11B80001.VBN ZIP: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\11B80001.VBN CryptZ: infected - 3 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12CC0000\56CE9323.VBN Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12CC0001\56CE93D5.VBN Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12CC0001\56CE93D6.VBN/data.rar/WhAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12CC0001\56CE93D6.VBN/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12CC0001\56CE93D6.VBN/data.rar/WhSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12CC0001\56CE93D6.VBN/data.rar/Webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12CC0001\56CE93D6.VBN/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12CC0001\56CE93D6.VBN/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12CC0001\56CE93D6.VBN RarSFX: infected - 6 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12CC0001\56CE93D6.VBN CryptZ: infected - 6 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12CC0002\56CE941F.VBN Infected: not-a-virus:AdWare.Win32.Mirar.b skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12CC0002\56CE9420.VBN Infected: not-a-virus:AdWare.Win32.Mirar.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12CC0003\56CE9481.VBN Infected: Trojan-Downloader.Win32.Dyfuca.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12CC0004\56CE94F9.VBN Infected: Trojan-Dropper.Win32.Small.qn skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12CC0004\56CE94FC.VBN Infected: not-a-virus:AdWare.Win32.SurfSide.j skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12CC0004\56CE94FD.VBN Infected: not-a-virus:AdWare.Win32.SurfSide.j skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12CC0005\56CE9586.VBN Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\12CC0006\56CE95D0.VBN Infected: not-a-virus:AdWare.Win32.CASClient.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0000\57EE77A0.VBN Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0000\57EE77B0.VBN Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0000\57EE77B3.VBN Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0000\57EE77BB.VBN Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0000\57EE77C3.VBN Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0001\57EE79C7.VBN Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0001\57EE79D0.VBN Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0001\57EE79D2.VBN/data0001 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0001\57EE79D2.VBN Inno: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0001\57EE79D2.VBN CryptZ: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0002\57EE7DCD.VBN Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0002\57EE7DD3.VBN Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0002\57EE7DD6.VBN Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0002\57EE7DD9.VBN Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0002\57EE7DDB.VBN Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0002\57EE7DDD.VBN Infected: not-a-virus:AdWare.Win32.WebHancer skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0002\57EE7DE0.VBN Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0002\57EE7DE2.VBN Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0003\57EE814B.VBN Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0003\57EE8155.VBN Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0003\57EE8158.VBN Infected: Trojan-Downloader.Win32.TSUpdate.p skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0003\57EE815A.VBN/WISE0009.BIN Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0003\57EE815A.VBN/WISE0010.BIN Infected: Trojan-Downloader.Win32.TSUpdate.p skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0003\57EE815A.VBN/WISE0011.BIN Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0003\57EE815A.VBN/WISE0012.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0003\57EE815A.VBN WiseSFX: infected - 4 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0003\57EE815A.VBN CryptZ: infected - 4 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0005\57EE8452.VBN Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\13EC0005\57EE8455.VBN Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\rshah\Local Settings\Temp\pre.exe Infected: Trojan-Clicker.Win32.VB.lb skipped
C:\Documents and Settings\rshah\Local Settings\Temp\Temporary Internet Files\Content.IE5\OLY78LU3\pre[1].emf Suspicious: Exploit.Win32.IMG-WMF skipped
C:\Documents and Settings\rshah\Local Settings\Temporary Internet Files\Content.IE5\0HMRGLUJ\!update-4020[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.cl skipped
C:\Documents and Settings\rshah\Local Settings\Temporary Internet Files\Content.IE5\0HMRGLUJ\626_101[1].exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\Documents and Settings\rshah\Local Settings\Temporary Internet Files\Content.IE5\0HMRGLUJ\numbsoft[1].exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\Documents and Settings\rshah\Local Settings\Temporary Internet Files\Content.IE5\O5IF8T6N\loader[1].exe Infected: Trojan-Downloader.Win32.Adload.de skipped
C:\Documents and Settings\rshah\Local Settings\Temporary Internet Files\Content.IE5\QHWNI189\cfg32[1].exe Infected: not-a-virus:AdWare.Win32.BookedSpace.i skipped
C:\Documents and Settings\rshah\Local Settings\Temporary Internet Files\Content.IE5\QHWNI189\ssqbn[1].exe/data0002 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\Documents and Settings\rshah\Local Settings\Temporary Internet Files\Content.IE5\QHWNI189\ssqbn[1].exe/data0003 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\Documents and Settings\rshah\Local Settings\Temporary Internet Files\Content.IE5\QHWNI189\ssqbn[1].exe NSIS: infected - 2 skipped
C:\Documents and Settings\rshah\Local Settings\Temporary Internet Files\Content.IE5\T1W2KNHZ\ac3_0003[1].exe Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\Documents and Settings\rshah\Local Settings\Temporary Internet Files\Content.IE5\T1W2KNHZ\cas2setup[1].exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.d skipped
C:\Documents and Settings\rshah\Local Settings\Temporary Internet Files\Content.IE5\T1W2KNHZ\cas2setup[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\rshah\Local Settings\Temporary Internet Files\Content.IE5\T1W2KNHZ\stub_sca3[1].exe Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\Documents and Settings\rshah\Local Settings\Temporary Internet Files\Content.IE5\T1W2KNHZ\webnexmk[1].exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\Documents and Settings\rshah\Local Settings\Temporary Internet Files\Content.IE5\WX2VKH2B\loader[1].exe Infected: Trojan-Downloader.Win32.Adload.de skipped
C:\Program Files\Windows NT\medovupaf.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\Program Files\Windows NT\medovupaf.dll.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\Program Files\аssembly\rundll.exe Infected: Trojan-Downloader.Win32.PurityScan.cl skipped
C:\QooBox\cypwxg.exe.vir Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\QooBox\igpwoos.dll.vir Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\QooBox\iwfaj.dat.vir Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\QooBox\ugcxe.exe.vir Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP274\A0130604.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP274\A0130605.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP274\A0131590.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP274\A0131591.exe Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP274\A0131592.exe Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP274\A0131593.exe Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP274\A0131594.exe Infected: Trojan-Downloader.Win32.VB.aga skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP274\A0131595.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP274\A0132609.exe Infected: not-a-virus:AdWare.Win32.PurityScan.em skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP274\A0132615.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP274\A0132616.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP274\A0132641.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP274\A0132642.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP274\A0132643.exe Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP274\A0132644.exe Infected: Trojan-Clicker.Win32.VB.nh skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP274\A0132646.exe Infected: Trojan-Downloader.Win32.Adload.de skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP274\A0132647.exe Infected: Trojan-Downloader.Win32.Adload.db skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP274\A0132648.exe Infected: Trojan-Downloader.Win32.Adload.db skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP274\A0132649.exe Infected: Trojan-Downloader.Win32.Adload.db skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP274\A0132650.exe Infected: Trojan-Downloader.Win32.Adload.de skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP274\A0132652.exe Infected: Trojan-Downloader.Win32.Adload.cu skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP274\A0132655.exe Infected: Trojan-Dropper.Win32.Agent.hl skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP274\A0132656.exe Infected: Trojan-Downloader.Win32.Adload.cy skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP274\A0132661.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP274\A0132662.exe Infected: Trojan-Dropper.Win32.Agent.aie skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP274\A0132665.exe Infected: Trojan-Downloader.Win32.Agent.ala skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP274\A0132707.exe Infected: Trojan-Clicker.Win32.VB.ij skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP274\A0132711.exe Infected: Trojan-Downloader.Win32.Dyfuca.ey skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP274\A0132716.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP274\A0132753.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.f skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP274\A0132754.exe Infected: Trojan.Win32.StartPage.ajj skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP276\A0132772.exe Infected: not-a-virus:AdWare.Win32.PurityScan.en skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP277\A0132783.exe Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP277\A0132792.exe/EXE-file/data0002 Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP277\A0132792.exe/EXE-file Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP277\A0132792.exe Embedded EXE: infected - 2 skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP277\A0132819.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.av skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP277\A0132819.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.av skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP277\A0132819.exe CAB: infected - 2 skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP277\A0132821.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ap skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP278\A0132843.dll Infected: Trojan.Win32.Agent.sx skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP278\A0132850.exe Infected: Trojan-Downloader.Win32.Dyfuca.ey skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP278\A0132852.exe Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP278\A0132857.dll Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP278\A0132858.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP278\A0132859.exe Infected: Trojan-Downloader.Win32.Qoologic.c skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP278\A0132860.dll Infected: Trojan-Downloader.Win32.Agent.agw skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP280\A0134207.dll Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP280\A0134208.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP280\A0134209.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP281\A0134327.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP281\A0134327.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP281\A0134327.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP281\A0136354.exe Infected: not-a-virus:AdWare.Win32.AdURL.c skipped
C:\WINDOWS\CCZoop05.exe Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\cfg32.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.i skipped
C:\WINDOWS\Downloaded Program Files\amm06.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.p skipped
C:\WINDOWS\media_motor_bundle.exe/data0002/stream/data0002 Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\WINDOWS\media_motor_bundle.exe/data0002/stream Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\WINDOWS\media_motor_bundle.exe/data0002 Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\WINDOWS\media_motor_bundle.exe/data0003/stream/data0001 Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\WINDOWS\media_motor_bundle.exe/data0003/stream Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\WINDOWS\media_motor_bundle.exe/data0003 Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\WINDOWS\media_motor_bundle.exe NSIS: infected - 6 skipped
C:\WINDOWS\ms045631461678.exe Infected: Trojan-Downloader.Win32.VB.aga skipped
C:\WINDOWS\pf78.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\WINDOWS\pf78.exe/data0003 Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\pf78.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\pf78.exe/data0007 Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\pf78.exe NSIS: infected - 4 skipped
C:\WINDOWS\pi1_36.exe Infected: Trojan-Downloader.Win32.Small.cqy skipped
C:\WINDOWS\ssqbn.exe/data0002 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\WINDOWS\ssqbn.exe/data0003 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\WINDOWS\ssqbn.exe NSIS: infected - 2 skipped
C:\WINDOWS\SYSC00.exe Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\system32\cloudsim.exe Infected: Trojan-Spy.Win32.VB.eh skipped
C:\WINDOWS\system32\dmonwv.dll_tobedeleted Infected: Trojan-Downloader.Win32.Agent.agw skipped
C:\WINDOWS\system32\dsancl.exe Infected: Trojan-Spy.Win32.VB.eh skipped
C:\WINDOWS\system32\ftuninst.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.g skipped
C:\WINDOWS\system32\icon_mediamotor.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\WINDOWS\system32\icon_mediamotor.exe/stream Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\WINDOWS\system32\icon_mediamotor.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\nodeipproc.dll Infected: not-a-virus:AdWare.Win32.BHO.ao skipped
C:\WINDOWS\system32\notepad.dll Infected: not-a-virus:AdWare.Win32.PurityScan.en skipped
C:\WINDOWS\system32\nr1rnqm8.exe Infected: Trojan.Win32.Runner.j skipped
C:\WINDOWS\system32\nsmE3.dll Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\WINDOWS\system32\nwinppez.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.q skipped
C:\WINDOWS\system32\oodsregq.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\WINDOWS\system32\redistributor.exe Infected: Trojan.Win32.Agent.sx skipped
C:\WINDOWS\system32\ts_mediamotor.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\WINDOWS\system32\ts_mediamotor.exe/stream Infected: not-a-virus:AdWare.Win32.SideFind.a skipped
C:\WINDOWS\system32\ts_mediamotor.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\VSL05.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\WINDOWS\system32\VSL05.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\WINDOWS\system32\VSL05.exe NSIS: infected - 2 skipped
C:\WINDOWS\system32\x3cqp0.dll_tobedeleted Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped
C:\WINDOWS\system32\ZICORN003.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\WINDOWS\system32ftuninst.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.g skipped
C:\WINDOWS\system32tfthot.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.f skipped
C:\WINDOWS\Tagasuarus2.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\WINDOWS\Tagasuarus2.exe/data0003 Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\Tagasuarus2.exe/data0007 Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\WINDOWS\Tagasuarus2.exe NSIS: infected - 3 skipped
C:\WINDOWS\thiselt.exe Infected: not-a-virus:AdWare.Win32.Agent.ag skipped
C:\WINDOWS\unin101.exe Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\uni_eh.exe Infected: Trojan.Win32.VB.tg skipped
C:\WINDOWS\unstall.exe Infected: not-a-virus:AdWare.Win32.MediaMotor.o skipped
C:\WINDOWS\win32084616785631.exe Infected: Trojan-Downloader.Win32.VB.tw skipped
C:\WINDOWS\xload.exe Infected: Trojan-Downloader.Win32.VB.wz skipped
C:\WINDOWS\YOINSI.exe/data0002 Infected: Trojan.Win32.Scapur.k skipped
C:\WINDOWS\YOINSI.exe NSIS: infected - 1 skipped
C:\WINDOWS\zuckdha.exe Infected: Trojan-Downloader.Win32.Agent.ala skipped

Scan process completed.


Combofix report

Start Time= Sat 07/29/2006 13:52:37.76
Running from: C:\Documents and Settings\rshah\Desktop

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))



2006-07-29 13:50 <DIR> C:\Documents and Settings\rshah\Application Data\skype
2006-07-29 12:19 <DIR> C:\Program Files\symantec antivirus
2006-07-25 01:47 155 C:\WINDOWS\winamp.ini
2006-07-24 11:08 <DIR> C:\Program Files\spywareblaster
2006-07-24 09:11 834 C:\WINDOWS\system32\nt68rrtc12.sys
2006-07-23 01:00 <DIR> C:\Program Files\Common Files\owqu
2006-07-23 00:19 <DIR> C:\Program Files\lavasoft
2006-07-23 00:19 <DIR> C:\Documents and Settings\rshah\Application Data\lavasoft
2006-07-22 23:59 <DIR> C:\Program Files\ewido anti-spyware 4.0
2006-07-22 19:37 1,063 C:\WINDOWS\system32\rgzda588.sys
2006-07-22 18:16 <DIR> C:\Program Files\hijackthis
2006-07-22 17:30 <DIR> C:\Program Files\common files
2006-07-22 17:20 <DIR> C:\Program Files\installshield installation information
2006-07-22 17:20 <DIR> C:\Documents and Settings\rshah\Application Data\a?sembly (asembl~1)
2006-07-22 15:47 <DIR> C:\Documents and Settings\rshah\Application Data\winpatrol
2006-07-22 15:46 <DIR> C:\Program Files\billp studios
2006-07-22 14:48 81,920 C:\WINDOWS\system32\notepad.dll
2006-07-22 14:48 2 C:\WINDOWS\system32\wnstssv.exe
2006-07-22 14:48 <DIR> C:\Program Files\??crosoft (crosof~1)
2006-07-22 14:47 126,464 C:\WINDOWS\system32\redistributor.exe
2006-07-22 14:45 45,080 C:\WINDOWS\system32\oodsregq.exe
2006-07-22 14:40 38,412 C:\WINDOWS\ssqbn.exe
2006-07-22 14:40 159,877 C:\WINDOWS\system32\nwinppez.exe
2006-07-22 14:40 <DIR> C:\Program Files\windows nt
2006-07-22 14:38 45,068 C:\WINDOWS\system32\zicorn003.exe
2006-07-22 14:37 61,440 C:\WINDOWS\system32\rgzda588.dll
2006-07-22 14:37 48,167 C:\WINDOWS\system32\vsl05.exe
2006-07-22 14:37 <DIR> C:\Program Files\system icons
2006-07-22 14:35 <DIR> C:\Program Files\?ssembly (ssembl~1)
2006-07-22 14:34 143,360 C:\WINDOWS\ms045631461678.exe
2006-07-22 14:33 77,824 C:\WINDOWS\system32\dsancl.exe
2006-07-22 14:33 77,824 C:\WINDOWS\system32\cloudsim.exe
2006-07-22 14:33 5,632 C:\WINDOWS\pi1_36.exe
2006-07-22 14:33 32,768 C:\WINDOWS\unstall.exe
2006-07-22 14:33 319,294 C:\WINDOWS\yoinsi.exe
2006-07-22 14:33 234,248 C:\WINDOWS\tagasuarus2.exe
2006-07-22 14:33 233 C:\WINDOWS\mm06y.ini
2006-07-22 14:33 232,749 C:\WINDOWS\pf78.exe
2006-07-22 14:32 45,056 C:\WINDOWS\zuckdha.exe
2006-07-22 14:32 45,056 C:\WINDOWS\system32tfthot.exe
2006-07-22 14:32 36,864 C:\WINDOWS\thiselt.exe
2006-07-22 14:32 359,634 C:\WINDOWS\media_motor_bundle.exe
2006-07-22 14:32 32,976 C:\WINDOWS\system32\uninsticn.exe
2006-07-22 14:32 28,672 C:\WINDOWS\system32ftuninst.exe
2006-07-22 14:32 28,672 C:\WINDOWS\system32\ftuninst.exe
2006-07-15 09:22 444,324 C:\WINDOWS\system32\perfstringbackup.ini
2006-07-15 01:32 14,617 C:\WINDOWS\xload.exe
2006-07-12 16:55 <DIR> C:\Documents and Settings\rshah\Application Data\sas
2006-06-28 00:55 <DIR> C:\Documents and Settings\rshah\Application Data\google
2006-06-28 00:54 <DIR> C:\Program Files\google
2006-06-21 18:38 235,228 C:\WINDOWS\system32\icon_mediamotor.exe
2006-06-21 18:38 115,239 C:\WINDOWS\system32\ts_mediamotor.exe
2006-06-20 20:55 389,120 C:\WINDOWS\system32\nodeipproc.dll
2006-06-19 16:20 702,768 C:\WINDOWS\system32\wgalogon.dll
2006-06-17 09:58 <DIR> C:\Program Files\internet explorer
2006-06-15 15:26 24

#6 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • Gender:Male
  • Location:Finland
  • Local time:10:47 PM

Posted 29 July 2006 - 01:11 PM

Hi

Make your hidden and system files visible -> http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Please download ATF Cleaner by Atribune and save it to your desktop. Don't use it yet.

Boot in safe mode -> http://www.pchell.com/support/safemode.shtml

Empty this folder (delete all files and subdirectories):

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\

Empty also this:

C:\!KillBox\

Delete these, if found:

C:\Program Files\Windows NT\medovupaf.dll
C:\Program Files\Windows NT\medovupaf.dll.exe
C:\Program Files\аssembly\rundll.exe
C:\QooBox\cypwxg.exe.vir
C:\QooBox\igpwoos.dll.vir
C:\QooBox\iwfaj.dat.vir
C:\QooBox\ugcxe.exe.vir
C:\WINDOWS\CCZoop05.exe
C:\WINDOWS\cfg32.exe
C:\WINDOWS\Downloaded Program Files\amm06.ocx
C:\WINDOWS\media_motor_bundle.exe
C:\WINDOWS\ms045631461678.exe
C:\WINDOWS\pf78.exe
C:\WINDOWS\pi1_36.exe
C:\WINDOWS\ssqbn.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\system32\cloudsim.exe
C:\WINDOWS\system32\dmonwv.dll_tobedeleted
C:\WINDOWS\system32\dsancl.exe
C:\WINDOWS\system32\ftuninst.exe
C:\WINDOWS\system32\icon_mediamotor.exe
C:\WINDOWS\system32\nodeipproc.dll
C:\WINDOWS\system32\notepad.dll
C:\WINDOWS\system32\nr1rnqm8.exe
C:\WINDOWS\system32\nsmE3.dll
C:\WINDOWS\system32\nwinppez.exe
C:\WINDOWS\system32\oodsregq.exe
C:\WINDOWS\system32\redistributor.exe
C:\WINDOWS\system32\ts_mediamotor.exe
C:\WINDOWS\system32\VSL05.exe
C:\WINDOWS\system32\x3cqp0.dll_tobedeleted
C:\WINDOWS\system32\ZICORN003.exe
C:\WINDOWS\system32ftuninst.exe
C:\WINDOWS\system32tfthot.exe
C:\WINDOWS\Tagasuarus2.exe
C:\WINDOWS\thiselt.exe
C:\WINDOWS\unin101.exe
C:\WINDOWS\uni_eh.exe
C:\WINDOWS\unstall.exe
C:\WINDOWS\win32084616785631.exe
C:\WINDOWS\xload.exe
C:\WINDOWS\YOINSI.exe
C:\WINDOWS\zuckdha.exe
C:\Documents and Settings\rshah\Application Data\asembl~1
C:\Program Files\crosof~1
C:\Program Files\ssembl~1


Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use the Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use the Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

Reboot

Re-scan with Kaspersky

Re-run ComboFix

Send:

- a fresh HijackThis log
- Kaspersky report
- ComboFix report

Microsoft MVP Consumer Security

#7 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • Gender:Male
  • Location:Finland
  • Local time:10:47 PM

Posted 05 August 2006 - 04:06 AM

Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.

Microsoft MVP Consumer Security
