Recurring Pop Up Problem (ad.oinadserver And More)


  • This topic is locked
11 replies to this topic

#1 MC Elasmosaurus

MC Elasmosaurus

  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:59 PM

Posted 13 August 2006 - 02:03 PM

A few months ago, I started getting pop ups. I noticed the addresses started with ad.oinadserver.com. Then, last week, I got more spyware and even more pop-ups appear. I tried to clean it with Spyware Doctor, Ad-Aware, Spybot, and ewido Anti-Malware. After that, there were less pop-ups, but a great number still appear. Some names I came across with along the spyware-removing/anti-malware process are: Qoologic, some type of Search site, ad.oinadserver.com, Webhancer, and some more which I cannot remember at the moment. A few of the pop-ups I get appear for a second and then after, they seem to hide themselves. I cannot do anything on this computer without closing pop-ups every 10 seconds. Please help!


Here is my HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 1:48:28 PM, on 8/13/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Spybot - Search & Destroy\UnzDll.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Edgar Palomo\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Optimum Online
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\frkoy.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,qmqsjcw. exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [msmg~1] C:\WINDOWS\SYSTEM32\MSMG~1.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [rbxmoxon] C:\WINDOWS\cjqbhfdt.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [nvid] C:\WINDOWS\System32\ikdzpzit.exe
O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [sdi9f8e2] RUNDLL32.EXE w082af19.dll,n 0029f8e00000000a082af19
O4 - HKLM\..\RunServices: [msmg~1] C:\WINDOWS\SYSTEM32\MSMG~1.EXE
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [P2kAutostart] C:\Documents and Settings\Edgar Palomo\Desktop\P2K Commander\P2kAutostart.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe -quiet
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Download All Files by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGet.htm
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: Win32 Classes -
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MT...vp/content.html
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52...meInstaller.exe
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - mk:@MSITStore:C:\DOCUME~1\EDGARP~1\LOCALS~1\Temp\m ma.chm::/joysavsht.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtangent.com/install/...acom/wtinst.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/am....1.11_en_dl.cab
O16 - DPF: {BF4FC0C7-4387-4D18-AD86-DF33DDDE33C7} - http://hot.activebuddy.com/catalog/...ld/websetup.cab
O16 - DPF: {C3EF17D6-2201-11D4-9F0E-00B0D011B1AE} (Communities.com Passport) - http://cartoonorbit.cartoonnetwork..../winorbiter.cab
O18 - Filter: text/html - {828DEFB6-7F3F-49B1-A024-2B849D619E24} - C:\WINDOWS\System32\y7xnyala7.dll
O20 - AppInit_DLLs: ,
O20 - Winlogon Notify: WB - C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe



#2 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • OFFLINE
  • Gender:Female
  • Location:Belgium
  • Local time:12:59 AM

Posted 13 August 2006 - 03:22 PM

Hello,

Your system is terribly infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible, since it will be like searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

It's better to print out the next instructions or save them in Notepad, because you also have to work in Safe Mode without networking support, so this page won't be available then.
It is also important that you don't miss a step and perform everything in the right order!!

* Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by doubleclicking BFU.exe

Next to the 'scriptfile to execute'-window you'll see a little icon as shown in the next picture:
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste next URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script
( alcanshorty.bfu ) manually from the above URL (right-click on it and choose 'Save as' and save it in your BFU folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute'-window.
Browse to the script you downloaded and click OK and Execute in Brute Force Uninstaller.


Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

-------------------------

I see you already have Ewido installed, but you are still using an older version, so uninstall that version and install the latest version.
http://www.ewido.net/en/download/
  • Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
Don't use Ewido yet.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\frkoy.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,qmqsjcw. exe
O4 - HKLM\..\Run: [msmg~1] C:\WINDOWS\SYSTEM32\MSMG~1.EXE
O4 - HKLM\..\Run: [rbxmoxon] C:\WINDOWS\cjqbhfdt.exe
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [nvid] C:\WINDOWS\System32\ikdzpzit.exe
O4 - HKLM\..\Run: [zzb] c:\WINDOWS\System32\zzb.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [outlook] C:\Program Files\outlook\outlook.exe /auto
O4 - HKLM\..\Run: [sdi9f8e2] RUNDLL32.EXE w082af19.dll,n 0029f8e00000000a082af19
O4 - HKLM\..\RunServices: [msmg~1] C:\WINDOWS\SYSTEM32\MSMG~1.EXE
O4 - HKCU\..\Run: [] c:\WINDOWS\System32\
O4 - HKCU\..\Run: [P2kAutostart] C:\Documents and Settings\Edgar Palomo\Desktop\P2K Commander\P2kAutostart.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll (file missing)
O16 - DPF: Win32 Classes -
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.viewpoint.com/MT...vp/content.html
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - mk:@MSITStore:C:\DOCUME~1\EDGARP~1\LOCALS~1\Temp\m ma.chm::/joysavsht.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://www.wildtangent.com/install/...acom/wtinst.cab
O16 - DPF: {BF4FC0C7-4387-4D18-AD86-DF33DDDE33C7} - http://hot.activebuddy.com/catalog/...ld/websetup.cab
O16 - DPF: {C3EF17D6-2201-11D4-9F0E-00B0D011B1AE} (Communities.com Passport) - http://cartoonorbit.cartoonnetwork..../winorbiter.cab
O18 - Filter: text/html - {828DEFB6-7F3F-49B1-A024-2B849D619E24} - C:\WINDOWS\System32\y7xnyala7.dll
O20 - AppInit_DLLs: ,
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Go to start > run and copy and paste the next command in the field:

sc delete PowerManager

Hit enter.

-------------------------

* Reboot into Safe Mode (without networking support!)
To get into Safe Mode as the computer is booting, press and hold your "F8" key. Use your arrow keys to move to "Safe Mode" and press your Enter key.
In safe mode...
* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
------------------------
* Start Ewido...
  • Click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close Ewido.
--------------------
* Reboot your system back to normal mode.

* Download Combofix to your desktop.
Doubleclick combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot, it should open a log, combofix.txt.
Post this log in your next reply together with the contents of ewido-log present on your desktop and a new HiJackThis log.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
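The HijackThis entries the helper picked out above follow a few recognisable patterns: a second program chained onto the Winlogon Shell or UserInit value (F2), Run values with no name or pointing at a bare directory, rundll32 loading a DLL with no path, a MIME filter on text/html (O18), a non-empty AppInit_DLLs (O20), and services whose binary is missing or named svchost.exe outside System32 (O23). As an added example (my own code, not from the thread, HijackThis or BleepingComputer), here is a small Python triage script that encodes those patterns and runs them over lines copied from the log in the first post. The Finding type, the rule wording and the `sc delete` follow-up for a missing-binary service are this example's own choices; it is a triage aid, and every hit still needs a person to confirm what the file actually is.

```python
"""Heuristic triage of HijackThis-format log lines.

Added example for this thread; not code from the thread, HijackThis or
BleepingComputer.  Sample lines are copied from the first post's log.
Rule names, messages and the Finding type are this example's own.
"""
import re
from dataclasses import dataclass, field

# Sample taken from the thread's HijackThis log, plus one benign O4 and one
# benign O23 line so the rules can be seen to stay quiet on normal entries.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\frkoy.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,qmqsjcw. exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [] c:\WINDOWS\System32\
O4 - HKLM\..\Run: [sdi9f8e2] RUNDLL32.EXE w082af19.dll,n 0029f8e00000000a082af19
O18 - Filter: text/html - {828DEFB6-7F3F-49B1-A024-2B849D619E24} - C:\WINDOWS\System32\y7xnyala7.dll
O20 - AppInit_DLLs: ,
O23 - Service: Power Manager (PowerManager) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


@dataclass
class Finding:
    kind: str                 # HijackThis section code, e.g. "O4"
    line: str                 # the raw log line
    reasons: list = field(default_factory=list)
    remedy: str = ""          # defensive follow-up when one is obvious


LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.*)$")
SERVICE_RE = re.compile(
    r"^Service: (?P<display>.+?)(?: \((?P<short>[^()]+)\))? - (?P<owner>.+?) - (?P<path>.*)$"
)


def _check_f2(body, f):
    """F2: Winlogon Shell / UserInit values (mirrored from the old system.ini)."""
    m = re.match(r"REG:system\.ini: (Shell|UserInit)=(.*)", body)
    if not m:
        return
    key, value = m.groups()
    parts = [p.strip() for p in value.split(",") if p.strip()]
    expected = "explorer.exe" if key == "Shell" else "userinit.exe"
    if len(parts) != 1 or not parts[0].lower().endswith(expected):
        f.reasons.append(f"extra program chained onto Winlogon {key}: {value!r}")


def _check_o4(body, f):
    """O4: autostart entries from the Run keys."""
    m = re.match(r"\S+: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)", body)
    if not m:
        return
    name, cmd = m.group("name"), m.group("cmd").strip()
    if not name:
        f.reasons.append("Run value with an empty name")
    if not cmd or cmd.endswith("\\"):
        f.reasons.append("Run value points at a directory, not a program")
    if re.match(r"(?i)rundll32(\.exe)?\s+[^\s,\\]+\.dll", cmd):
        f.reasons.append("rundll32 loads a DLL given without a directory")
    if re.match(r"(?i)c:\\windows\\[^\\]+\.exe\b", cmd):
        f.reasons.append("executable sitting directly in the Windows directory")


def _check_o18(body, f):
    """O18: MIME/protocol filters hooked into Internet Explorer."""
    if body.lower().startswith("filter: text/html"):
        f.reasons.append("MIME filter on text/html: every page IE renders passes through this DLL")


def _check_o20(body, f):
    """O20: AppInit_DLLs, loaded into every process that maps user32.dll."""
    m = re.match(r"AppInit_DLLs: ?(.*)", body)
    if m and m.group(1).strip():
        f.reasons.append(f"AppInit_DLLs is not empty: {m.group(1).strip()!r}")


def _check_o23(body, f):
    """O23: installed services."""
    m = SERVICE_RE.match(body)
    if not m:
        return
    short = m.group("short") or m.group("display")
    path = m.group("path")
    if "(file missing)" in path:
        f.reasons.append(f"service binary is missing ({m.group('owner')}): orphaned registration")
        # Same follow-up the thread uses for the orphaned PowerManager service.
        f.remedy = "sc delete " + (f'"{short}"' if " " in short else short)
    if re.search(r"(?i)c:\\windows\\svchost\.exe", path):
        f.reasons.append("svchost.exe outside System32 is a common impostor name")


CHECKS = {"F2": _check_f2, "O4": _check_o4, "O18": _check_o18, "O20": _check_o20, "O23": _check_o23}


def triage(log_text):
    """Return a Finding for every line at least one rule fires on, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m or m.group("kind") not in CHECKS:
            continue
        f = Finding(kind=m.group("kind"), line=line)
        CHECKS[f.kind](m.group("body"), f)
        if f.reasons:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    -", r)
        if f.remedy:
            print("    suggested follow-up:", f.remedy)
```

Run it and the seven flagged lines come out in log order, while the NvCplDaemon and NVSvc lines stay silent. The rules are deliberately structural (where a value points, what it is chained onto) rather than name-based, because the random file names in this kind of infection change with every install; that also means a hit is a reason to look at the file, not a verdict on it.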

#3 MC Elasmosaurus

MC Elasmosaurus
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:59 PM

Posted 13 August 2006 - 06:47 PM

I had trouble using ComboFix. I left the computer alone while it scanned, yet it closed itself anyway. I was left with a blank desktop, and I even tried waiting to see if it would automatically reboot. It didn't. While it scanned, I read:

"SurfSideKick Found !!!
Qoologic Found !!!"





Here is my ewido log:

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:53:39 PM 8/13/2006

+ Scan result:



C:\Program Files\Common Files\sse.exe -> Adware.Agent : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Desktop\backups\backup-20060813-161702-176.dll -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\ICD1.tmp\amm06.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\mmxsnet.exe -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\NNBar_VCSetup_876075.exe -> Adware.Mirar : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\mitDB.tmp.cab/NNBar_VCSetup_876075.exe -> Adware.Mirar : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\mitDB.tmp/NNBar_VCSetup_876075.exe -> Adware.Mirar : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\WinNB58.dll -> Adware.Mirar : Cleaned with backup (quarantined).
HKU\S-1-5-21-117609710-1677128483-1343024091-1003\Software\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\p3lqd9.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155006682.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155006755.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155055252.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155055257.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155055264.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155055265.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155055267.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155055271.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155055272.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155055273.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155055274.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155055275.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155055276.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155055277.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155055281.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155055282.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155055284.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155055285.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155055287.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155055292.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155055296.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155055297.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155055336.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155092464.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155092468.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155092470.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155092481.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155092536.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155140750.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155140763.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155140775.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155140780.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155140782.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155140822.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155240885.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155240889.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155240902.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155240905.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155240913.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155240915.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155240959.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155258435.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155258438.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155258439.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155258446.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155258508.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155326975.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155326981.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155326987.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155327048.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155395508.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155395517.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155395520.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155395523.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155395538.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155395580.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155431174.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155431246.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155437701.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155437774.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155438222.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155438295.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155441886.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155441959.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155482974.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155482979.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155482982.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155482989.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155482995.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\t1155483046.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155044693.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155044695.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155044696.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155044698.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155044703.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155044706.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155044708.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155044709.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155044713.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155044716.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155044719.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155044723.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155044725.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155044726.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155044728.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155044729.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155044742.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155089132.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155089133.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155089144.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155089145.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155089149.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155089150.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155089152.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155089154.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155089159.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155089160.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155089162.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155089164.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155089165.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155089169.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155089177.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155089178.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155089179.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155089182.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155090193.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155090200.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155090205.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155090211.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155090215.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155177889.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155177896.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155177907.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155250526.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155250527.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155250529.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155250538.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155255274.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155255281.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155255284.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155255287.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155255288.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155255296.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155256465.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155256470.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155256476.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155256483.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155256491.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155265308.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155265309.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155265318.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155265323.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155265325.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155298652.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155298656.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155298659.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155298667.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155303523.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155303535.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155303538.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155303540.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155303550.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155308514.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155308520.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155308525.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155308542.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155308544.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155312282.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155312283.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155312294.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155312299.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155314805.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155314812.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155319777.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155319781.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155319803.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155319804.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155354896.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155354899.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155354907.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155354910.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155477199.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155477203.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155477209.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155477213.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155477219.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155477223.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Program Files\Logitech\Video\ISStart.exe -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Program Files\Logitech\Video\LogiTray.exe -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Program Files\Logitech\Video\ManifestEngine.exe -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Program Files\QuickTime\qttask.exe -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Program Files\iTunes\iTunesHelper.exe -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\LVCOMSX.EXE -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\drsmartload180a.exe -> Downloader.Pakes : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\ufink.dat -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
[1056] C:\WINDOWS\System32\vpskpfi.dll -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
[856] C:\WINDOWS\System32\vpskpfi.dll -> Downloader.Qoologic.bj : Error during cleaning.
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\pre.exe -> Hijacker.VB.lb : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\SystemDoctor2006FreeInstall.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\USDR6_0001_D08M0404NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\USDR6_0001_D18M2707NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Cookies\edgardo@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Cookies\edgardo@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Cookies\edgardo@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Cookies\edgardo@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Edgardo 2\Cookies\edgardo@vdn.valuead[1].txt -> TrackingCookie.Valuead : Cleaned with backup (quarantined).


::Report end



Here is my new HiJackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:46:46 PM, on 8/13/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Object Desktop\WindowBlinds\wbload.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\devldr32.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\WgaTray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Edgar Palomo\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Optimum Online
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe -quiet
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Download All Files by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGet.htm
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200112...meInstaller.exe
O20 - Winlogon Notify: WB - C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:12:59 AM

Posted 14 August 2006 - 03:41 AM

Well, it looks like Qoologic and Surfsidekick are removed anyway though.
Can you look if C:\combofix.txt exists and copy and paste the contents in your next reply, because I really need that log though.

If you can't find the log, or it doesn't contain anything, please download this new combofix version and try again:

http://download.bleepingcomputer.com/sUBs/Beta/combofix.exe

This time it won't reboot.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#5 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:12:59 AM

Posted 14 August 2006 - 03:47 AM

By the way... I see you are also dealing with a file infector, so it could be possible that some programs won't work anymore, because the exe's were infected and Ewido removed them.

These programs are iTunes, Quicktime, Sun Java, your Logitech products and HP products, so I recommend you reinstall them again.
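The point made in this reply, that quarantined entries under Program Files or System32 are usually legitimate executables hit by the file infector and therefore applications to reinstall, while entries Ewido could not clean are still live, is the kind of triage that can be done mechanically on the report. The script below is an added example and is not part of this thread or of ewido's own tooling; the `path -> detection : action` line format and the optional `[pid]` prefix are assumed from the report lines quoted above, and the sample lines are constructed by copying a few entries from that report.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the ewido report quoted in
# this thread, in its "path -> detection : action" format.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Edgardo 2\Local Settings\Temp\t1155044693.dll -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\Program Files\QuickTime\qttask.exe -> Downloader.Agent.asl : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\LVCOMSX.EXE -> Downloader.Agent.asl : Cleaned with backup (quarantined).
[1056] C:\WINDOWS\System32\vpskpfi.dll -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
[856] C:\WINDOWS\System32\vpskpfi.dll -> Downloader.Qoologic.bj : Error during cleaning.
C:\Documents and Settings\Edgardo 2\Cookies\edgardo@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
"""

# Assumed line format (derived from the quoted report, not from ewido documentation):
# an optional "[pid]" prefix marks a module found loaded inside a running process.
LINE_RE = re.compile(
    r"^(?:\[(?P<pid>\d+)\]\s+)?"
    r"(?P<path>.+?)\s+->\s+"
    r"(?P<detection>\S+)\s+:\s+"
    r"(?P<action>.+?)\.?$"
)


def classify_location(path):
    """Bucket a path by where it lives; the bucket drives the follow-up action."""
    p = path.lower()
    if "\\local settings\\temp\\" in p or "\\temporary internet files\\" in p:
        return "temp"        # dropped payloads, safe to lose
    if "\\cookies\\" in p:
        return "cookie"      # tracking cookies, cosmetic
    if p.startswith("c:\\program files\\"):
        return "program"     # an installed application's own files
    if "\\windows\\" in p:
        return "system"      # Windows directory, may be a legitimate component
    return "other"


def parse_report(text):
    """Parse report lines into dicts; header, footer and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        entries.append({
            "pid": int(m.group("pid")) if m.group("pid") else None,
            "path": m.group("path"),
            "detection": m.group("detection"),
            "action": m.group("action"),
            "location": classify_location(m.group("path")),
        })
    return entries


def summarize(entries):
    """Count detections and pull out the two lists a helper wants to see first."""
    by_detection = Counter(e["detection"] for e in entries)
    # Executables outside Temp that were quarantined: with a file infector these were
    # legitimate binaries that got infected, so the owning application needs a reinstall.
    reinstall = [
        e["path"] for e in entries
        if e["location"] in ("program", "system")
        and e["path"].lower().endswith(".exe")
        and "quarantined" in e["action"].lower()
    ]
    # Anything the scanner reported it could not clean is still present and needs follow-up.
    failed = [e for e in entries if e["action"].lower().startswith("error")]
    return {"by_detection": by_detection, "reinstall": reinstall, "failed": failed}


if __name__ == "__main__":
    report = summarize(parse_report(SAMPLE_REPORT))
    for name, count in report["by_detection"].most_common():
        print(f"{count:3d}  {name}")
    print("Reinstall:", *report["reinstall"], sep="\n  ")
    print("Not cleaned:", *(f"[{e['pid']}] {e['path']}" for e in report["failed"]), sep="\n  ")
```

Run against the full report pasted earlier in the thread, the "Reinstall" list reproduces the HP, Java, Logitech, QuickTime and iTunes executables named in this reply, and the "Not cleaned" list surfaces the `vpskpfi.dll` instance in process 856 that Ewido reported an error on.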

#6 MC Elasmosaurus

MC Elasmosaurus
  • Topic Starter

  • Members
  • 5 posts
  • Local time:05:59 PM

Posted 14 August 2006 - 04:39 PM

The Combofix.txt did not have any information on it, just the date, so I used the new ComboFix. It seemed to scan correctly as about 4-5 things showed up due to infection. I look in C:/ and the ComboFix.txt still doesn't say anything. I use ComboFix again and try to write down the infections instead, but this time only one came up.

"SurfSideKick!!!

C:/Windows/System32/setup.exe.tmp infected"

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:12:59 AM

Posted 14 August 2006 - 04:57 PM

Skip that step with combofix and perform an online Kaspersky scan instead:

Please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Select a target to scan: Click on "My Computer"
7. When the scan is complete choose to save the results as "Save as Text"
8. Post the Kaspersky scan results in your next reply together with a new HijackThis log

Edited by miekiemoes, 14 August 2006 - 04:58 PM.


#8 MC Elasmosaurus

MC Elasmosaurus
  • Topic Starter

  • Members
  • 5 posts
  • Local time:05:59 PM

Posted 14 August 2006 - 09:08 PM

Kaspersky Log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
06-08-14 9:05 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 15/08/2006
Kaspersky Anti-Virus database records: 202276
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 112259
Number of viruses found: 10
Number of infected objects: 29 / 0
Number of suspicious objects: 2
Duration of the scan process: 02:03:16

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommonName49.zip/AddressBar/comwiz.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CommonName49.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Edgar Palomo\Application Data\Aim\ufxxdqig\VanillaGorillaDX\cert8.db Object is locked skipped
C:\Documents and Settings\Edgar Palomo\Application Data\Aim\ufxxdqig\VanillaGorillaDX\key3.db Object is locked skipped
C:\Documents and Settings\Edgar Palomo\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Edgar Palomo\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Edgar Palomo\Application Data\Mozilla\Firefox\Profiles\dgth4quv.Default User\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Edgar Palomo\Application Data\Mozilla\Firefox\Profiles\dgth4quv.Default User\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Edgar Palomo\Application Data\Mozilla\Firefox\Profiles\dgth4quv.Default User\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Edgar Palomo\Application Data\Mozilla\Firefox\Profiles\dgth4quv.Default User\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Edgar Palomo\Application Data\Mozilla\Firefox\Profiles\dgth4quv.Default User\cert8.db Object is locked skipped
C:\Documents and Settings\Edgar Palomo\Application Data\Mozilla\Firefox\Profiles\dgth4quv.Default User\formhistory.dat Object is locked skipped
C:\Documents and Settings\Edgar Palomo\Application Data\Mozilla\Firefox\Profiles\dgth4quv.Default User\history.dat Object is locked skipped
C:\Documents and Settings\Edgar Palomo\Application Data\Mozilla\Firefox\Profiles\dgth4quv.Default User\key3.db Object is locked skipped
C:\Documents and Settings\Edgar Palomo\Application Data\Mozilla\Firefox\Profiles\dgth4quv.Default User\parent.lock Object is locked skipped
C:\Documents and Settings\Edgar Palomo\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-20cccaf4.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\Edgar Palomo\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-20cccaf4.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Edgar Palomo\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-5996bfa5.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\Edgar Palomo\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-5996bfa5.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Edgar Palomo\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Edgar Palomo\Desktop\Donovan - Cosmic Wheels\Donovan_-_Cosmic_Wheels_02_Earth_Sign_Man.mp3.bc! Object is locked skipped
C:\Documents and Settings\Edgar Palomo\Desktop\Donovan - Cosmic Wheels\Donovan_-_Cosmic_Wheels_03_Sleep.mp3.bc! Object is locked skipped
C:\Documents and Settings\Edgar Palomo\Desktop\Donovan - Cosmic Wheels\Donovan_-_Cosmic_Wheels_04_Maria_Magenta.mp3.bc! Object is locked skipped
C:\Documents and Settings\Edgar Palomo\Desktop\Donovan - Cosmic Wheels\Donovan_-_Cosmic_Wheels_05_Wild_Witch_Lady.mp3.bc! Object is locked skipped
C:\Documents and Settings\Edgar Palomo\Desktop\Donovan - Cosmic Wheels\Donovan_-_Cosmic_Wheels_06_The_Music_Makers.mp3.bc! Object is locked skipped
C:\Documents and Settings\Edgar Palomo\Desktop\Donovan - Cosmic Wheels\Donovan_-_Cosmic_Wheels_07_intergalactic_laxative.mp3.bc! Object is locked skipped
C:\Documents and Settings\Edgar Palomo\Desktop\Donovan - Cosmic Wheels\Donovan_-_Cosmic_Wheels_08_I_Like_You.mp3.bc! Object is locked skipped
C:\Documents and Settings\Edgar Palomo\Desktop\My Music\iTunes\iTunes Library.itl Object is locked skipped
C:\Documents and Settings\Edgar Palomo\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\recife.exe/data0006 Infected: Trojan-Dropper.Win32.VB.nn skipped
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\recife.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\~DFD7F7.tmp Object is locked skipped
C:\Documents and Settings\Edgar Palomo\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Edgar Palomo\ntuser.dat Object is locked skipped
C:\Documents and Settings\Edgar Palomo\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Edgardo 2\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-5289c592.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\Edgardo 2\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3c936701-5289c592.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Edgardo 2\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-3ac6a00b.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\Edgardo 2\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-3ac6a00b.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Edgardo 2\Local Settings\Temporary Internet Files\Content.IE5\99BY5DT3\rcverlib[2].exe Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\Edgardo 2\Local Settings\Temporary Internet Files\Content.IE5\OISXSNU5\rcverlib[1].exe Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\Edgardo 2\Local Settings\Temporary Internet Files\Content.IE5\OISXSNU5\rcverlib[2].exe Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\IconChanger\iconchng.ich Object is locked skipped
C:\update.exe/ Infected: Backdoor.Win32.SdBot.gen skipped
C:\update.exe MS Expand: infected - 1 skipped
C:\update.exe Cexe: infected - 1 skipped
C:\update.exe FSG: infected - 1 skipped
C:\WINDOWS\bi.exe Infected: Trojan-Dropper.Win32.Agent.og skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLog.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{7DEDE296-609C-4408-A26E-87301580D14C}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\config\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\config\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\config\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\config\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\SYSTEM32\in3.dll/data0002/data0002 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\WINDOWS\SYSTEM32\in3.dll/data0002/data0004 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\WINDOWS\SYSTEM32\in3.dll/data0002/data0005 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\WINDOWS\SYSTEM32\in3.dll/data0002 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\WINDOWS\SYSTEM32\in3.dll/data0008 Infected: Trojan-Downloader.Win32.Keenval.e skipped
C:\WINDOWS\SYSTEM32\in3.dll/data0009 Infected: Trojan-Downloader.Win32.Keenval.e skipped
C:\WINDOWS\SYSTEM32\in3.dll NSIS: infected - 6 skipped
C:\WINDOWS\SYSTEM32\in3.dll Exe2Dll: infected - 6 skipped
C:\WINDOWS\SYSTEM32\kspydoc.log Object is locked skipped
C:\WINDOWS\SYSTEM32\Sweeper.cfg Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\TEMP\ja.com Infected: Trojan-Dropper.Win32.Agent.atn skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\YOINSI.exe/data0002 Infected: Trojan.Win32.Scapur.k skipped
C:\WINDOWS\YOINSI.exe NSIS: infected - 1 skipped
C:\_audioscrobbler.log Object is locked skipped

Scan process completed.

HiJackThis Log:


Logfile of HijackThis v1.99.1
Scan saved at 9:07 PM, on 06-08-14
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\BitComet\BitComet.exe
C:\WINDOWS\System32\WgaTray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Edgar Palomo\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/ymsgr/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Optimum Online
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe -quiet
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Define - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O8 - Extra context menu item: Download All Files by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGetAll.htm
O8 - Extra context menu item: Download by HiDownload - C:\PROGRA~1\HIDOWN~1\HDGet.htm
O8 - Extra context menu item: Look Up in &Encyclopedia - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra 'Tools' menuitem: Encarta Encyclopedia - {2FDEF853-0759-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_ENC.HTM
O9 - Extra button: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra 'Tools' menuitem: Define - {5DA9DE80-097A-11D4-A92E-006097DBED37} - C:\Program Files\Common Files\Microsoft Shared\Reference 2001\A\ERS_DEF.HTM
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: HiDownload - {F4FBA929-A891-492C-A0F6-5C79CC4F1742} - C:\PROGRA~1\HIDOWN~1\hidownload.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .MTD: C:\PROGRA~1\INTERN~1\Plugins\npmusicn.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200112...meInstaller.exe
O20 - Winlogon Notify: WB - C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
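Added example, not code from the thread or from either tool's authors: a small Python script that parses lines in the format of the Kaspersky Online Scanner report and the HijackThis log above and turns them into the kind of delete list the helper posts next. The line formats, the rule that a forward slash separates a host file from the archive or packer member reported inside it, and the cache directories that get cleared wholesale rather than deleted file by file are my assumptions inferred from the report, and the sample lines are constructed for the example.

```python
"""Triage a Kaspersky Online Scanner report and a HijackThis log.

Added example, not from the thread. The line formats below are inferred
from the report pasted above (assumption); the cache-directory rules are mine.
"""
import re
from collections import OrderedDict

# Constructed sample: a few lines in the report's format (host file, then an
# optional '/'-separated member inside an archive or packer, then the verdict).
SAMPLE_REPORT = r"""
C:\Documents and Settings\Edgardo 2\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-3ac6a00b.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w skipped
C:\Documents and Settings\Edgardo 2\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5aa0b436-3ac6a00b.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Edgardo 2\Local Settings\Temporary Internet Files\Content.IE5\99BY5DT3\rcverlib[2].exe Infected: Trojan-Downloader.Win32.Qoologic.ax skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\update.exe/ Infected: Backdoor.Win32.SdBot.gen skipped
C:\update.exe MS Expand: infected - 1 skipped
C:\WINDOWS\bi.exe Infected: Trojan-Dropper.Win32.Agent.og skipped
C:\WINDOWS\SYSTEM32\in3.dll/data0002/data0002 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\WINDOWS\SYSTEM32\in3.dll/data0008 Infected: Trojan-Downloader.Win32.Keenval.e skipped
C:\WINDOWS\SYSTEM32\in3.dll NSIS: infected - 6 skipped
C:\WINDOWS\TEMP\ja.com Infected: Trojan-Dropper.Win32.Agent.atn skipped
C:\WINDOWS\YOINSI.exe/data0002 Infected: Trojan.Win32.Scapur.k skipped
C:\WINDOWS\YOINSI.exe NSIS: infected - 1 skipped
"""

# Constructed sample of HijackThis lines; two point at files that no longer exist.
SAMPLE_HJT = r"""
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# One detection per line: "<path>[/<member>...] Infected: <verdict> skipped".
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$")

# Directories whose contents the thread clears wholesale instead of deleting
# file by file (assumption: matched case-insensitively as path substrings).
CACHE_MARKERS = (
    "\\temporary internet files\\",
    "\\sun\\java\\deployment\\cache\\",
)


def host_file(path):
    """Strip archive/packer member names: 'C:\\a.zip/x/y.class' -> 'C:\\a.zip'.

    Windows paths use backslashes, so the first forward slash starts the
    member part (assumption based on the report lines above).
    """
    return path.split("/", 1)[0]


def parse_report(text):
    """Map each infected host file to the set of verdicts reported inside it.

    Summary lines ('ZIP: infected - 1', 'NSIS: infected - 6') and locked
    system files ('Object is locked') carry no new detections and are ignored.
    """
    found = OrderedDict()
    for line in text.splitlines():
        m = INFECTED_RE.match(line.strip())
        if not m:
            continue
        host = host_file(m.group("path"))
        found.setdefault(host, set()).add(m.group("verdict"))
    return found


def is_cache_entry(path):
    lowered = path.lower()
    return any(marker in lowered for marker in CACHE_MARKERS)


def triage(report_text):
    """Split infected host files into a delete list and cache-resident items."""
    delete, cache = [], []
    for host in parse_report(report_text):
        (cache if is_cache_entry(host) else delete).append(host)
    return {"delete": delete, "cache": cache}


def hjt_file_missing(hjt_text):
    """Return HijackThis entries whose target file no longer exists.

    These are leftover registry entries (uninstalled tools, removed malware)
    and are fix candidates rather than live files.
    """
    return [line.strip() for line in hjt_text.splitlines()
            if line.strip().endswith("(file missing)")]


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    print("Delete:")
    for path in result["delete"]:
        print("  " + path)
    print("Cleared by cache/temp cleanup:")
    for path in result["cache"]:
        print("  " + path)
    print("HijackThis entries with missing files:")
    for entry in hjt_file_missing(SAMPLE_HJT):
        print("  " + entry)
```

Run on the sample, the delete list is exactly the five files under C:\ and C:\WINDOWS that the next post tells the poster to remove, while the Java cache and Temporary Internet Files hits land in the second bucket, which the cache-clearing steps take care of. Files reported as "Object is locked" are normal in-use system files (registry hives, event logs) and are not detections.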

#9 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 15 August 2006 - 02:05 AM

Hello,

Delete the next files:

C:\Documents and Settings\Edgar Palomo\Local Settings\Temp\recife.exe
C:\update.exe
C:\WINDOWS\bi.exe
C:\WINDOWS\SYSTEM32\in3.dll
C:\WINDOWS\TEMP\ja.com
C:\WINDOWS\YOINSI.exe

Clear your Java cache:
  • Go to Start > Control Panel and double-click on the Java icon (coffee cup) in the Control Panel.
  • It will say "Java Plug-in" under the icon.
  • Under Temporary Internet Files, click the Delete Files button.
  • There are three options in the window to clear the cache. Leave ALL 3 checked:
    • Downloaded Applets
    • Downloaded Applications
    • Other Files
  • Click OK on the Delete Temporary Files window.
    Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
  • Click OK to leave the Java Control Panel.
Perform the same steps to clear the Java cache for the Edgardo 2 account as well, so log in under Edgardo 2 for that.
Also perform the next steps for the Edgardo 2 account:
* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to Start > Run, type: cleanmgr and click OK.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 5.0 Update 8.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel and double-click on Add/Remove Programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the Java (coffee cup) icon next to it.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-1_5_0_08-windowsi586-p.exe to install the newest version.
Your HijackThis log looks clean again. :thumbsup:
Let me know in your next reply how things are running now.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#10 MC Elasmosaurus

  • Topic Starter
  • Members
  • 5 posts

Posted 16 August 2006 - 03:36 PM

Everything looks fine. No pop-ups since. :thumbsup: Thank you SO much!

#11 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 16 August 2006 - 04:38 PM

Glad I could help. :thumbsup:

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust, because a lot of free software can bundle other software, including spyware.

Let your anti-spyware scanner(s) scan frequently, and don't forget to update before.

I also suggest you perform an online virus scan once in a while (Housecall and/or BitDefender), because what one virus scanner can't find another one maybe can.
Also make sure that the virus scanner installed on your system is always up to date!

Make sure your Windows has the latest updates, so visit asap: http://windowsupdate.microsoft.com/ to update to SP2!
Effective October 11, 2006, Windows XP SP1 and SP1a will transition to a non-supported status. After this date, Microsoft will no longer provide any incident support options or security updates. Existing support documents, however, will continue to be available through the Microsoft Support Product Solution Center Web site.
http://support.microsoft.com/gp/lifean19

If you are having XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

Also visit this Free Online Scanner for PC Health and Safety and Microsoft Security At Home for tips to protect your PC, protect yourself and protect your family.

You can also find more info on how to prevent malware here (by Tony Klein)
and here: http://wiki.castlecops.com/Malware_Prevent...nt_Re-infection

Also read: Simple and easy ways to keep your computer safe and secure on the Internet

Happy surfing again! :flowers:

#12 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 16 August 2006 - 06:23 PM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.