Recurring Spyware, Smitfraud And Others!


This topic is locked
17 replies to this topic

#1 Agent0013

Posted 18 August 2006 - 10:52 AM

I have cleaned my computer a few dozen times using adaware, spybot, and have used the smitfraud and command system cleaners found on the internet. I have also used AVG and Stinger to scan for viruses. Whatever I have keeps coming back and installing other stuff along with it.

Here is my HijackThis log, if anyone can help me figure out what is in my system.
Thanks!


Logfile of HijackThis v1.99.1
Scan saved at 10:51:51 AM, on 8/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\System32\mgabg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ishost.exe
C:\WINDOWS\system32\issearch.exe
C:\WINDOWS\system32\ismon.exe
C:\WINDOWS\system32\isnotify.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE
C:\WINDOWS\thiselt.exe
C:\WINDOWS\system32\319b36c8.exe
C:\Program Files\Common Files\{C4D94116-095F-1033-0627-031212010001}\Update.exe
C:\PROGRA~1\YMBOLS~1\spool32.exe
C:\WINDOWS\system32\vohl.exe
C:\Program Files\??sks\e?plorer.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\JN\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.2:3128
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O3 - Toolbar: Safety Bar - {052b12f7-86fa-4921-8482-26c42316b522} - C:\Program Files\Safety Bar\Safety Bar.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [\\EFS\EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P32 "\\EFS\EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [Auto EPSON Stylus CX6600 Series on EFS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P38 "Auto EPSON Stylus CX6600 Series on EFS" /O14 "\\EFS\EPSONSty" /M "Stylus CX6600"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [Auto EPSON Stylus CX6600 Series on TED] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P38 "Auto EPSON Stylus CX6600 Series on TED" /O15 "\\TED\EPSONS_ME" /M "Stylus CX6600"
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O5 "LPT1:" /M "Stylus CX6600"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [\\EFS\EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P32 "\\EFS\EPSON Stylus CX7800 Series" /O6 "USB002" /M "Stylus CX7800"
O4 - HKLM\..\Run: [\\TED\EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P32 "\\TED\EPSON Stylus CX7800 Series" /O6 "USB004" /M "Stylus CX7800"
O4 - HKLM\..\Run: [Auto EPSON Stylus CX7800 Series on TED] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P38 "Auto EPSON Stylus CX7800 Series on TED" /O18 "\\TED\StylusCX7800" /M "Stylus CX7800"
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [319b36c8.exe] C:\WINDOWS\system32\319b36c8.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.amaena.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://locator1.cdn.imageservr.com
O15 - Trusted Zone: http://locator1.cdn.imagesrvr.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O15 - Trusted Zone: http://*.systemdoctor.com
O15 - Trusted Zone: http://www.winantivirus.com
O15 - Trusted Zone: http://www.winantiviruspro.com
O15 - Trusted Zone: http://download.cdn.winsoftware.com
O15 - Trusted IP range: http://202.67.220.225
O15 - Trusted IP range: http://59.148.220.121
O15 - Trusted IP range: http://62.4.84.53
O15 - Trusted IP range: http://82.98.235.58
O15 - Trusted IP range: http://85.12.25.90
O15 - Trusted IP range: http://85.12.25.95
O15 - Trusted IP range: http://202.67.220.227
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...ls/en/x86/client/wuweb_site.cab?1136579410214
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20D62392-B207-4133-B7D6-1D2E37F2A50D}: NameServer = 192.168.1.2,65.106.1.196
O17 - HKLM\System\CS1\Services\Tcpip\..\{20D62392-B207-4133-B7D6-1D2E37F2A50D}: NameServer = 192.168.1.2,65.106.1.196
O18 - Filter: text/html - {7147713B-F7B8-421E-9435-E9380ED7A49E} - C:\WINDOWS\system32\llomgf.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

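A helper reading a log like the one above checks a handful of entry types first: the R1 proxy setting, every O15 Trusted Zone and Trusted IP range addition, the O17 name servers, the O18 text/html filter, and any O4 Run entry whose file name looks generated rather than chosen. The script below does that first pass mechanically. It is an added example, not part of this thread and not a feature of HijackThis; SAMPLE_LOG is constructed from lines of the same shape as the posted log, and the flag rules (an eight-hex-character file stem, a bare .exe sitting in the Windows root, a non-private DNS server) are heuristics chosen here, not HijackThis rules.

```python
"""Triage a HijackThis 1.99 log: pull out the entry types a forum helper looks
at first and flag the ones that are rarely legitimate.

Added example, not part of the original thread or of HijackThis itself.
SAMPLE_LOG below is constructed from the kinds of lines in the posted log.
"""
import ipaddress
import re
from collections import defaultdict

SAMPLE_LOG = """\
Logfile of HijackThis v1.99.1
R1 - HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings,ProxyServer = 192.168.1.2:3128
O4 - HKLM\\..\\Run: [AVG7_CC] C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP
O4 - HKLM\\..\\Run: [pop06apelt] C:\\WINDOWS\\thiselt.exe
O4 - HKLM\\..\\Run: [319b36c8.exe] C:\\WINDOWS\\system32\\319b36c8.exe
O15 - Trusted Zone: http://www.winantivirus.com
O15 - Trusted IP range: http://85.12.25.90
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{20D62392-B207-4133-B7D6-1D2E37F2A50D}: NameServer = 192.168.1.2,65.106.1.196
O18 - Filter: text/html - {7147713B-F7B8-421E-9435-E9380ED7A49E} - C:\\WINDOWS\\system32\\llomgf.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgupsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s+(?P<cmd>.*)$")
# Heuristics chosen for this example: eight hex characters as a file stem
# (319b36c8.exe) is a common dropper naming pattern, and a bare .exe in the
# Windows root rather than a subfolder is unusual for installed software.
HEX_STEM_RE = re.compile(r"^[0-9a-f]{8}\.exe$", re.I)
WINDIR_ROOT_RE = re.compile(r"^c:\\windows\\[^\\]+\.exe$", re.I)


def parse_hjt(text):
    """Return a list of (kind, body) tuples, one per HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def exe_path(cmd):
    """Extract the executable path from an O4 command line (quoted or not)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.exe)(\s|$)", cmd, re.I)
    return m.group(1) if m else cmd


def triage(entries):
    """Group the entries a helper checks first; return only the suspicious ones."""
    findings = defaultdict(list)
    for kind, body in entries:
        if kind == "R1" and "ProxyServer" in body:
            # A fixed proxy can be a real LAN cache (3128 is squid's default
            # port), but malware also sets one to intercept browsing: report it
            # for verification rather than as a verdict.
            findings["proxy"].append(body.split("=", 1)[1].strip())
        elif kind == "O15":
            # IE's Trusted Zone is empty on a stock install; rogue-AV installers
            # add their own domains so their pages run with relaxed security.
            findings["trusted_zone"].append(body.split(":", 1)[1].strip())
        elif kind == "O17":
            # Report any resolver outside RFC 1918 space so it can be checked
            # against the ISP's published servers.
            for ns in body.split("NameServer =", 1)[1].split(","):
                ns = ns.strip()
                if not ipaddress.ip_address(ns).is_private:
                    findings["public_dns"].append(ns)
        elif kind == "O18" and body.startswith("Filter: text/html"):
            # A text/html MIME filter sees, and can rewrite, every page loaded.
            findings["html_filter"].append(body.rsplit(" - ", 1)[1])
        elif kind == "O4":
            m = RUN_RE.search(body)
            if not m:
                continue
            path = exe_path(m.group("cmd"))
            fname = path.rsplit("\\", 1)[-1]
            if HEX_STEM_RE.match(fname) or WINDIR_ROOT_RE.match(path):
                findings["odd_run_entry"].append(path)
    return dict(findings)


if __name__ == "__main__":
    for key, items in triage(parse_hjt(SAMPLE_LOG)).items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
```

Every O15 line is reported because the zone has no entries by default, so each one was put there by something. The proxy and the public name server are reported for checking, not as verdicts: 192.168.1.2:3128 may well be a LAN proxy and 65.106.1.196 may be the ISP's resolver, which is exactly the question a helper asks the poster.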

#2 Shaba

Posted 18 August 2006 - 11:39 AM

Hi Agent0013

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter
This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

IMPORTANT: Do NOT run any other options until you are asked to do so!
Microsoft MVP Consumer Security

#3 Agent0013 (Topic Starter)

Posted 18 August 2006 - 11:43 AM

Here is the report from the SmitFraudFix program.


SmitFraudFix v2.81

Scan done at 11:41:23.68, Fri 08/18/2006
Run from C:\Documents and Settings\JN\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

C:\


C:\WINDOWS


C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\ishost.exe FOUND !
C:\WINDOWS\system32\ismon.exe FOUND !
C:\WINDOWS\system32\isnotify.exe FOUND !
C:\WINDOWS\system32\issearch.exe FOUND !
C:\WINDOWS\system32\ixt?.dll FOUND !
C:\WINDOWS\system32\ixt??.dll FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\ts.ico FOUND !

C:\Documents and Settings\JN\Application Data


Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

C:\DOCUME~1\JN\FAVORI~1

C:\DOCUME~1\JN\FAVORI~1\Antivirus Test Online.url FOUND !

Desktop

C:\DOCUME~1\ALLUSE~1\Desktop\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\Desktop\Security Troubleshooting.url FOUND !

C:\Program Files

C:\Program Files\Safety Bar\ FOUND !

Corrupted keys


Desktop Components



Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Scanning wininet.dll infection


End

#4 Shaba

Posted 18 August 2006 - 12:05 PM

Hi

Uninstall via add/remove programs (control panel if present):

ToolBar888
IpWins

Open HijackThis, click do a system scan only and checkmark these:

R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: ToolBar888 - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - C:\Program Files\ToolBar888\MyToolBar.dll
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [319b36c8.exe] C:\WINDOWS\system32\319b36c8.exe
O15 - Trusted Zone: http://www.amaena.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: http://locator.cdn.imageservr.com
O15 - Trusted Zone: http://locator1.cdn.imageservr.com
O15 - Trusted Zone: http://locator1.cdn.imagesrvr.com
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: http://scanner.sysprotect.com
O15 - Trusted Zone: http://*.systemdoctor.com
O15 - Trusted Zone: http://www.winantivirus.com
O15 - Trusted Zone: http://www.winantiviruspro.com
O15 - Trusted Zone: http://download.cdn.winsoftware.com
O15 - Trusted IP range: http://202.67.220.225
O15 - Trusted IP range: http://59.148.220.121
O15 - Trusted IP range: http://62.4.84.53
O15 - Trusted IP range: http://82.98.235.58
O15 - Trusted IP range: http://85.12.25.90
O15 - Trusted IP range: http://85.12.25.95
O15 - Trusted IP range: http://202.67.220.227
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O18 - Filter: text/html - {7147713B-F7B8-421E-9435-E9380ED7A49E} - C:\WINDOWS\system32\llomgf.dll


Close all windows including browser and press fix checked.

Look in your Control Panel's Add/Remove Programs for PuritySCAN By OIN, OuterInfo, OIN or similar; click on it and click Remove.
Reboot and delete this folder if found:
C:\Program Files\PurityScan

If not listed, download and run this uninstaller:
Uninstaller

Tutorial for the uninstaller if needed

Reboot when done and delete this folder if found:
C:\Program Files\PurityScan

Please print out or copy these instructions/tutorial to Notepad, as the internet will not be available to you at certain points of the removal process (while in Safe Mode). Make sure to work through all the steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Please download Ewido to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install Ewido by double clicking the installer.
  • Follow the prompts. Make sure that Launch Ewido is checked.
  • On the main screen under Your Computer's security.
  • Click on Change state next to Resident shield. It should now change to inactive.
  • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
  • Wait until you see the Update successful message.
    Note: If the Update now option is grayed out, follow the steps below.
  • Click on Update on the toolbar.
  • Under Manual update, click on the Start Update button.
  • Wait until you see the Update successful message.
  • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that Ewido is closed before installing the update.

Please download ATF Cleaner by Atribune and save
it to desktop. Don't use it yet.
______________________________

Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
______________________________

Delete these if found:

C:\Program Files\ToolBar888
C:\Program Files\ipwins\
C:\WINDOWS\thiselt.exe
C:\WINDOWS\system32\319b36c8.exe
C:\WINDOWS\system32\llomgf.dll

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.
______________________________

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.
Next, click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click OK, then Apply and OK.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.
______________________________

Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
______________________________

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter.
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
______________________________

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Please post:
  • c:\rapport.txt
  • Ewido log
  • combofix log
  • A new HijackThis log
You may need several replies to post the requested logs, otherwise they might get cut off.

#5 Agent0013 (Topic Starter)

Posted 21 August 2006 - 10:09 AM

I have run through all of the steps in your previous post and here are the logs from them. The only step that didn't want to run through completion was the ewido scanner full scan. It would get somewhere around 75% complete and then ewido would crash or close. I ran the full scan and cancelled it half way through so it could remove the stuff it had found so far (20 items or so). And I also ran it with the other scans, registry, memory, windows files etc. And even when it had removed everything it had found so far, the full scan would not complete, so I don't know if it is a memory issue or what.


Rapport.txt
----------------
SmitFraudFix v2.81

Scan done at 14:42:32.07, Fri 08/18/2006
Run from C:\Documents and Settings\JN\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINDOWS\system32\ishost.exe Deleted
C:\WINDOWS\system32\ismon.exe Deleted
C:\WINDOWS\system32\isnotify.exe Deleted
C:\WINDOWS\system32\issearch.exe Deleted
C:\WINDOWS\system32\ixt?.dll Deleted
C:\WINDOWS\system32\ot.ico Deleted
C:\WINDOWS\system32\ts.ico Deleted
C:\DOCUME~1\JN\FAVORI~1\Antivirus Test Online.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted
C:\Program Files\Safety Bar\ Deleted

Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

combofix log
--------------------------------
JN - 06-08-21 9:44:27.90
ComboFix 06.08.18 - Running from: C:\Documents and Settings\JN\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


O4 - HKEY_CURRENT_USER\...\Run C:\WINDOWS\system32\sawwxn.exe
O4 - HKEY_LOCAL_MACHINE\...\Run C:\WINDOWS\system32\sawwxn.exe
F2 -REG:system.ini: Shell C:\WINDOWS\system32\ijnbx.exe
F2 -REG:system.ini: UserInit C:\WINDOWS\system32\tfufisx.exe


* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-08-21 09:41 217 --a------ C:\WINDOWS\qvdeo.dll
2006-08-21 09:22 127488 --a------ C:\WINDOWS\system32\xxlaj.dat
2006-08-18 11:41 53 --a------ C:\WINDOWS\nncblq.dat
2006-08-18 11:41 51712 --a------ C:\WINDOWS\system32\yhvwovj.dll
2006-08-18 11:41 28672 --a------ C:\WINDOWS\system32\ijnbx.exe
2006-08-18 11:41 23552 --a------ C:\WINDOWS\system32\tfufisx.exe
2006-08-18 11:41 127488 --a------ C:\WINDOWS\system32\sawwxn.exe
2006-08-18 11:41 127488 --a------ C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kiixe.exe
2006-08-07 12:29 40973 --------- C:\WINDOWS\system32\ljjjghe.dll
2006-07-28 11:37 573492 ---hs---- C:\WINDOWS\system32\gebcc.dll


* * * PRE-RUN - Filepaths extracted by Memory Dump * * * * * * * * * * * * * * * * * * * * * *


2006-08-18 11:41 127488 C:\WINDOWS\system32\sawwxn.exe
2006-08-18 11:41 51712 C:\WINDOWS\system32\yhvwovj.dll
2006-08-18 11:41 23552 C:\WINDOWS\system32\tfufisx.exe
2006-08-18 11:41 127488 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\kiixe.exe
2006-08-21 09:41 217 C:\WINDOWS\qvdeo.dll
2006-08-21 09:22 127488 C:\WINDOWS\system32\xxlaj.dat
2006-08-18 11:41 28672 C:\WINDOWS\system32\ijnbx.exe


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06-08-18 11:41 127488 kiixe.exe.qoo
06-08-21 09:22 127488 xxlaj.dat.qoo
06-08-18 11:41 127488 sawwxn.exe.qoo
06-08-18 11:41 51712 yhvwovj.dll.qoo
06-08-18 11:41 28672 ijnbx.exe.qoo
06-08-18 11:41 23552 tfufisx.exe.qoo
06-08-21 09:41 217 qvdeo.dll.qoo
06-08-18 11:41 53 nncblq.dat.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Y1123OU.exe
C:\WINDOWS\system32\tsuninst.exe
C:\Program Files\Inetget2
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{C4D94116-095F-1033-0627-031212010001}
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\SKS~1


((((((((((((((((((((((((((((((( Files Created from 2006-07-21 to 2006-08-21 ))))))))))))))))))))))))))))))))))


2006-08-18 10:44 13,844 C:\WINDOWS\system32\crnoadbk.exe
2006-08-18 10:41 13,844 C:\WINDOWS\system32\ydioiwvj.exe
2006-08-18 10:38 13,844 C:\WINDOWS\system32\dupetnkq.exe
2006-08-18 10:36 204,800 C:\WINDOWS\system32\IVIresizeW7.dll
2006-08-18 10:36 200,704 C:\WINDOWS\system32\IVIresizeA6.dll
2006-08-18 10:36 20,480 C:\WINDOWS\system32\IVIresize.dll
2006-08-18 10:36 192,512 C:\WINDOWS\system32\IVIresizeP6.dll
2006-08-18 10:36 192,512 C:\WINDOWS\system32\IVIresizeM6.dll
2006-08-18 10:36 188,416 C:\WINDOWS\system32\IVIresizePX.dll
2006-08-18 10:25 13,844 C:\WINDOWS\system32\cweieprj.exe
2006-08-18 10:24 13,844 C:\WINDOWS\system32\wamexsnt.exe
2006-08-18 10:23 13,844 C:\WINDOWS\system32\tvorjfnm.exe
2006-08-18 10:19 110,592 C:\WINDOWS\system32\vohl.exe
2006-08-18 10:17 13,844 C:\WINDOWS\system32\moqgldlw.exe
2006-08-18 10:14 13,844 C:\WINDOWS\system32\ggyqleid.exe
2006-08-18 10:04 13,844 C:\WINDOWS\system32\opdckhxn.exe
2006-08-17 14:13 934,290 C:\WINDOWS\system32\ccbeg.ini2
2006-08-07 13:47 8,704 C:\WINDOWS\system32\SpOrder.dll
2006-08-07 12:29 40,973 C:\WINDOWS\system32\ljjjghe.dll
2006-08-01 15:19 933,881 C:\WINDOWS\system32\ccbeg.bak2
2006-07-28 11:37 364,457 C:\WINDOWS\system32\ccbeg.bak1
2006-07-28 11:36 573,492 C:\WINDOWS\system32\gebcc.dll
2006-07-28 11:32 155,136 C:\WINDOWS\system32\oins.exe
2006-07-28 11:29 18,944 C:\WINDOWS\system32\winozn32.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-21 09:50 934341 ---hs---- C:\WINDOWS\system32\ccbeg.ini2
2006-08-21 09:48 933881 ---hs---- C:\WINDOWS\system32\ccbeg.bak2
2006-08-21 09:45 -------- d-------- C:\Program Files\Common Files
2006-08-21 09:42 -------- d-------- C:\Program Files\Mozilla Firefox
2006-08-21 08:48 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-08-18 10:44 13844 --a------ C:\WINDOWS\system32\crnoadbk.exe
2006-08-18 10:41 13844 --a------ C:\WINDOWS\system32\ydioiwvj.exe
2006-08-18 10:38 13844 --a------ C:\WINDOWS\system32\dupetnkq.exe
2006-08-18 10:36 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-18 10:36 -------- d-------- C:\Program Files\InterVideo
2006-08-18 10:25 13844 --a------ C:\WINDOWS\system32\cweieprj.exe
2006-08-18 10:24 13844 --a------ C:\WINDOWS\system32\wamexsnt.exe
2006-08-18 10:23 13844 --a------ C:\WINDOWS\system32\tvorjfnm.exe
2006-08-18 10:17 13844 --a------ C:\WINDOWS\system32\moqgldlw.exe
2006-08-18 10:14 13844 --a------ C:\WINDOWS\system32\ggyqleid.exe
2006-08-18 10:07 -------- d-------- C:\Documents and Settings\JN\Application Data\InterVideo
2006-08-18 10:04 13844 --a------ C:\WINDOWS\system32\opdckhxn.exe
2006-08-17 14:03 110592 --a------ C:\WINDOWS\system32\vohl.exe
2006-08-17 02:37 -------- d-------- C:\Program Files\Common Files\rowf
2006-08-16 23:34 777472 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-08-16 23:34 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-08-09 16:47 -------- d-------- C:\Program Files\Cain
2006-08-08 11:29 -------- d-------- C:\Program Files\Sunbelt Software
2006-08-07 15:58 -------- d-------- C:\Program Files\WS_FTP Pro
2006-08-07 14:58 -------- d-------- C:\Program Files\Internet Explorer
2006-08-07 13:54 -------- d-------- C:\Program Files\Common Files\Autodesk Shared
2006-08-07 12:29 40973 --------- C:\WINDOWS\system32\ljjjghe.dll
2006-08-02 10:47 155136 --a------ C:\WINDOWS\system32\oins.exe
2006-07-31 23:39 364457 ---hs---- C:\WINDOWS\system32\ccbeg.bak1
2006-07-28 11:37 573492 ---hs---- C:\WINDOWS\system32\gebcc.dll
2006-07-28 11:31 -------- d---s---- C:\Documents and Settings\JN\Application Data\Microsoft
2006-07-28 11:29 18944 --a------ C:\WINDOWS\system32\winozn32.dll
2006-07-26 14:10 -------- d-------- C:\Documents and Settings\JN\Application Data\AdobeUM
2006-07-18 12:02 91672 --a------ C:\WINDOWS\system32\drivers\khips.sys
2006-07-18 12:02 284184 --a------ C:\WINDOWS\system32\drivers\fwdrv.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"\\\\EFS\\EPSON Stylus CX6600 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9EA.EXE /P32 \"\\\\EFS\\EPSON Stylus CX6600 Series\" /O6 \"USB001\" /M \"Stylus CX6600\""
"Auto EPSON Stylus CX6600 Series on EFS"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9EA.EXE /P38 \"Auto EPSON Stylus CX6600 Series on EFS\" /O14 \"\\\\EFS\\EPSONSty\" /M \"Stylus CX6600\""
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\\Program Files\\Google\\Gmail Notifier\\G001-1.0.25.0\\gnotify.exe"
"Auto EPSON Stylus CX6600 Series on TED"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9EA.EXE /P38 \"Auto EPSON Stylus CX6600 Series on TED\" /O15 \"\\\\TED\\EPSONS_ME\" /M \"Stylus CX6600\""
"EPSON Stylus CX6600 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9EA.EXE /P26 \"EPSON Stylus CX6600 Series\" /O5 \"LPT1:\" /M \"Stylus CX6600\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"\\\\EFS\\EPSON Stylus CX7800 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAFA.EXE /P32 \"\\\\EFS\\EPSON Stylus CX7800 Series\" /O6 \"USB002\" /M \"Stylus CX7800\""
"\\\\TED\\EPSON Stylus CX7800 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAFA.EXE /P32 \"\\\\TED\\EPSON Stylus CX7800 Series\" /O6 \"USB004\" /M \"Stylus CX7800\""
"Auto EPSON Stylus CX7800 Series on TED"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAFA.EXE /P38 \"Auto EPSON Stylus CX7800 Series on TED\" /O18 \"\\\\TED\\StylusCX7800\" /M \"Stylus CX7800\""
"319b36c8.exe"="C:\\WINDOWS\\system32\\319b36c8.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\\\EFS\\EPSON Stylus CX6600 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9EA.EXE /P32 \"\\\\EFS\\EPSON Stylus CX6600 Series\" /M \"Stylus CX6600\" /EF \"HKCU\""
"Auto EPSON Stylus CX6600 Series on TED"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9EA.EXE /P38 \"Auto EPSON Stylus CX6600 Series on TED\" /M \"Stylus CX6600\" /EF \"HKCU\""
"319b36c8.exe"="C:\\Documents and Settings\\JN\\Local Settings\\Application Data\\319b36c8.exe"
"rowf"="C:\\PROGRA~1\\COMMON~1\\rowf\\rowfm.exe"
"Qkhkrj"="C:\\WINDOWS\\system32\\vohl.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{5A3E97DD-2A08-48BC-8F43-C0DEABC90266}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\Cmaudio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RunDll32 cmicnfg"
"hkey"="HKLM"
"command"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\Matrox Powerdesk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDesk"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\PDesk\\PDesk.exe /Autolaunch"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\{0228e555-4f9c-4e35-a3ec-b109a192b4c2}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="gnotify"
"hkey"="HKLM"
"command"="C:\\Program Files\\Google\\Gmail Notifier\\gnotify.exe"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebcc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjghe
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winozn32


Completion time: Mon 08/21/2006 9:51:07.61
ComboFix.txt


End

#6 Agent0013
  • Topic Starter
  • Members
  • 9 posts

Posted 21 August 2006 - 10:14 AM

Ewido logs, from multiple partial runs
----------------------------------------------------------
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:07:32 PM 8/18/2006

+ Scan result:



HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup (quarantined).
[1192] C:\WINDOWS\system32\dmonwv.dll -> Downloader.Agent.agw : Cleaned with backup (quarantined).


::Report end

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:13:15 PM 8/18/2006

+ Scan result:



HKU\S-1-5-21-1390067357-1844237615-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{052B12F7-86FA-4921-8482-26C42316B522} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-1390067357-1844237615-682003330-1005\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{873EB32D-AE1A-4183-89BD-45A77F761BE4} -> Adware.Generic : Cleaned with backup (quarantined).
C:\backup\software\chess\KasparovChessmate-dm.exe -> Adware.Trymedia : Cleaned with backup (quarantined).
[1192] C:\WINDOWS\system32\dmonwv.dll -> Downloader.Agent.agw : Error during cleaning.
C:\Documents and Settings\JN\Local Settings\Application Data\319b36c8.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).


::Report end


---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:26:03 PM 8/18/2006

+ Scan result:



[1192] C:\WINDOWS\system32\dmonwv.dll -> Downloader.Agent.agw : Error during cleaning.
C:\Program Files\Common Files\Y1123OA.exe -> Downloader.PurityScan.cq : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{C4D94116-095F-1033-0627-031212010001}\Update.exe -> Trojan.Starter.65 : Cleaned with backup (quarantined).


::Report end


---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:34:10 PM 8/18/2006

+ Scan result:



C:\WINDOWS\em.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\WinNB58.dll -> Adware.Mirar : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ljjjghe.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\mljhhhi.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\__delete_on_reboot__d_m_o_n_w_v_._d_l_l_ -> Downloader.Agent.agw : Cleaned with backup (quarantined).
[1192] C:\WINDOWS\system32\dmonwv.dll -> Downloader.Agent.agw : Error during cleaning.
C:\WINDOWS\system32\xxlaj.dat -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\anbwbqop.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\WINDOWS\system32\anwugplv.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\WINDOWS\system32\brlstfif.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\WINDOWS\system32\byatibqt.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ohqarclh.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\WINDOWS\system32\pipetswr.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\WINDOWS\system32\puykpnhx.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rtsfsmuj.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned with backup (quarantined).
C:\WINDOWS\unwn.exe -> Trojan.Qoologic : Cleaned with backup (quarantined).


::Report end

new hijackthis log file
------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:11:29 AM, on 8/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\mgabg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE
C:\WINDOWS\system32\vohl.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\System32\mdm.exe
C:\Documents and Settings\JN\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.2:3128
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [\\EFS\EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P32 "\\EFS\EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [Auto EPSON Stylus CX6600 Series on EFS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P38 "Auto EPSON Stylus CX6600 Series on EFS" /O14 "\\EFS\EPSONSty" /M "Stylus CX6600"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [Auto EPSON Stylus CX6600 Series on TED] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P38 "Auto EPSON Stylus CX6600 Series on TED" /O15 "\\TED\EPSONS_ME" /M "Stylus CX6600"
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O5 "LPT1:" /M "Stylus CX6600"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [\\EFS\EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P32 "\\EFS\EPSON Stylus CX7800 Series" /O6 "USB002" /M "Stylus CX7800"
O4 - HKLM\..\Run: [\\TED\EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P32 "\\TED\EPSON Stylus CX7800 Series" /O6 "USB004" /M "Stylus CX7800"
O4 - HKLM\..\Run: [Auto EPSON Stylus CX7800 Series on TED] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P38 "Auto EPSON Stylus CX7800 Series on TED" /O18 "\\TED\StylusCX7800" /M "Stylus CX7800"
O4 - HKLM\..\Run: [319b36c8.exe] C:\WINDOWS\system32\319b36c8.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136579410214
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20D62392-B207-4133-B7D6-1D2E37F2A50D}: NameServer = 192.168.1.2,65.106.1.196
O17 - HKLM\System\CS1\Services\Tcpip\..\{20D62392-B207-4133-B7D6-1D2E37F2A50D}: NameServer = 192.168.1.2,65.106.1.196
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

It seems that I still have something. As I was pasting these logs into this forum, the WinAntivirus popup window was popping up and wanting to scan the computer. Man this spyware can be a pain!
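
The four partial ewido runs above carry one signal worth pulling out by hand: every run except the first reports "[1192] C:\WINDOWS\system32\dmonwv.dll ... Error during cleaning", and the fourth run also shows a "__delete_on_reboot__d_m_o_n_w_v_._d_l_l_" copy. A DLL that is mapped into a running process cannot be unlinked by an on-line cleaner; the standard way out is to stop the hosting process or to schedule the file for deletion at the next boot through PendingFileRenameOperations, which is exactly what "delete on reboot" tools rely on. The Python below is an added example, not ewido's code or the poster's: it parses a concatenation of reports in this format and lists the items that failed cleaning in more than one run, together with the PID they were found in. The sample input is a constructed cut-down copy of the four reports above, and the bracketed number is assumed to be the PID of the process the module was loaded in.

```python
import re
from collections import defaultdict

# Constructed sample input: a cut-down version of the four ewido reports posted
# above (same items, same statuses). The bracketed "[1192]" prefix is assumed to be
# the PID of the process the module was found loaded in.
SAMPLE_REPORTS = r"""
ewido anti-spyware - Scan Report
+ Created at: 4:07:32 PM 8/18/2006
+ Scan result:
HKLM\SOFTWARE\Clickspring -> Adware.PurityScan : Cleaned with backup (quarantined).
[1192] C:\WINDOWS\system32\dmonwv.dll -> Downloader.Agent.agw : Cleaned with backup (quarantined).
::Report end

ewido anti-spyware - Scan Report
+ Created at: 4:13:15 PM 8/18/2006
+ Scan result:
[1192] C:\WINDOWS\system32\dmonwv.dll -> Downloader.Agent.agw : Error during cleaning.
C:\Documents and Settings\JN\Local Settings\Application Data\319b36c8.exe -> Downloader.Obfuscated.a : Cleaned with backup (quarantined).
::Report end

ewido anti-spyware - Scan Report
+ Created at: 4:26:03 PM 8/18/2006
+ Scan result:
[1192] C:\WINDOWS\system32\dmonwv.dll -> Downloader.Agent.agw : Error during cleaning.
C:\Program Files\Common Files\Y1123OA.exe -> Downloader.PurityScan.cq : Cleaned with backup (quarantined).
::Report end

ewido anti-spyware - Scan Report
+ Created at: 4:34:10 PM 8/18/2006
+ Scan result:
C:\WINDOWS\system32\ljjjghe.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
[1192] C:\WINDOWS\system32\dmonwv.dll -> Downloader.Agent.agw : Error during cleaning.
C:\WINDOWS\unwn.exe -> Trojan.Qoologic : Cleaned with backup (quarantined).
::Report end
"""

CREATED_RE = re.compile(r"^\+ Created at:\s*(.+?)\s*$")
# "[pid] item -> family : status."  The [pid] prefix only appears for in-memory hits.
DETECTION_RE = re.compile(r"^(?:\[(\d+)\]\s+)?(.+?)\s+->\s+(\S+)\s+:\s+(.+?)\.?\s*$")


def parse_reports(text):
    """Split concatenated ewido reports into (created_at, [detection dicts])."""
    reports = []
    current = None
    for line in text.splitlines():
        m = CREATED_RE.match(line)
        if m:
            current = (m.group(1), [])
            reports.append(current)
            continue
        m = DETECTION_RE.match(line) if current else None
        if m:
            pid, item, family, status = m.groups()
            current[1].append({"pid": int(pid) if pid else None, "item": item,
                               "family": family, "status": status})
    return reports


def history(reports):
    """item -> [(created_at, status, pid), ...] in scan order."""
    hist = defaultdict(list)
    for created_at, detections in reports:
        for d in detections:
            hist[d["item"]].append((created_at, d["status"], d["pid"]))
    return hist


def persistent_failures(reports, min_failures=2):
    """Items whose cleaning failed in at least `min_failures` scans.

    An on-line cleaner cannot unlink a DLL that is still mapped into a running
    process, so a hit that keeps coming back with a PID needs a different route:
    stop the hosting process, or schedule the file for deletion at the next boot
    (PendingFileRenameOperations, which is what "delete on reboot" tools use).
    """
    out = {}
    for item, events in history(reports).items():
        fails = [e for e in events if e[1].startswith("Error during cleaning")]
        if len(fails) >= min_failures:
            pids = sorted({e[2] for e in fails if e[2] is not None})
            out[item] = {"failures": len(fails), "pids": pids,
                         "needs_reboot_delete": bool(pids)}
    return out


def summarize(text=SAMPLE_REPORTS):
    reports = parse_reports(text)
    return {"scans": len(reports), "unique_items": len(history(reports)),
            "persistent": persistent_failures(reports)}


if __name__ == "__main__":
    s = summarize()
    print(f"{s['scans']} scans, {s['unique_items']} distinct detections")
    for item, info in s["persistent"].items():
        print(f"survived {info['failures']} cleanings: {item} "
              f"(loaded in PID {info['pids']}, schedule delete-on-reboot)")
```

Run it on the real reports by pasting them into one file and calling summarize(open(path).read()); the one item it returns for the sample is dmonwv.dll, failed three times, always in PID 1192, which is the case for a reboot-time deletion rather than another on-line scan.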

#7 Shaba
    Koutsi
  • Members
  • 7,872 posts
  • Gender:Male
  • Location:Finland

Posted 21 August 2006 - 10:28 AM

Hi

Rename HijackThis.exe to HJT.exe

Open HijackThis, click do a system scan only and checkmark this:

O4 - HKLM\..\Run: [319b36c8.exe] C:\WINDOWS\system32\319b36c8.exe

Close all windows including browser and press fix checked.

First we'll need to back up the registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Save the text below as fix.reg in Notepad (set "Save as type" to All Files (*.*) and save it on the Desktop):

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"319b36c8.exe"=-
"rowf"=-
"Qkhkrj"=-

Double-click fix.reg, press Yes and OK.

Please download the Killbox.
Unzip it to the desktop.

Please run Killbox.

Select "Delete on Reboot" and "All files"

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\crnoadbk.exe
C:\WINDOWS\system32\ydioiwvj.exe
C:\WINDOWS\system32\dupetnkq.exe
C:\WINDOWS\system32\cweieprj.exe
C:\WINDOWS\system32\wamexsnt.exe
C:\WINDOWS\system32\tvorjfnm.exe
C:\WINDOWS\system32\vohl.exe
C:\WINDOWS\system32\moqgldlw.exe
C:\WINDOWS\system32\ggyqleid.exe
C:\WINDOWS\system32\opdckhxn.exe
C:\WINDOWS\system32\ccbeg.ini2
C:\WINDOWS\system32\ccbeg.bak2
C:\WINDOWS\system32\ccbeg.bak1
C:\WINDOWS\system32\oins.exe
C:\WINDOWS\system32\winozn32.dll
C:\WINDOWS\system32\319b36c8.exe
C:\PROGRA~1\COMMON~1\rowf\rowfm.exe

Go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

If your computer does not restart automatically, please restart it manually.

Empty this folder -> C:\!KillBox

  • Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
Re-run ComboFix

Send:

- a fresh HijackThis log
- combofix report
- C:\vundofix.txt

Edited by Shaba, 21 August 2006 - 10:30 AM.

Microsoft MVP Consumer Security
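
The fix above is a manual triage of loading points: Run values and Winlogon Notify packages whose binaries have random names (vohl.exe, winozn32.dll, the eight-letter system32 executables), the eight-hex-digit 319b36c8.exe, and companion files whose names are the DLL name reversed (ccbeg.ini2 and ccbeg.bak2 belong to gebcc.dll). Once those files are gone, the registry entries that pointed at them show up in HijackThis as "(file missing)" and have to be removed separately. The Python below is an added example, not HijackThis's, Shaba's or the poster's code; it applies the same reasoning to a HijackThis log and lists the entries an analyst should look at first. The sample log is constructed from lines quoted in this thread, with the two HKCU Run values from the fix.reg written in HJT syntax; the allow-list is an assumption covering the binaries treated as legitimate in this thread, and the name heuristics are a prompt for review, not a verdict.

```python
import re

# Constructed sample: a cut-down HijackThis log assembled from lines quoted in this
# thread plus two HKCU Run lines written in HJT syntax for the values Shaba's fix.reg
# removes. Not the poster's complete log.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.2:3128
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - C:\WINDOWS\system32\ljjjghe.dll (file missing)
O2 - BHO: (no name) - {F26B0CA5-8586-4931-B9C0-1F3585F12970} - C:\WINDOWS\system32\gebcc.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [319b36c8.exe] C:\WINDOWS\system32\319b36c8.exe
O4 - HKCU\..\Run: [Qkhkrj] C:\WINDOWS\system32\vohl.exe
O4 - HKCU\..\Run: [rowf] C:\PROGRA~1\COMMON~1\rowf\rowfm.exe
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winozn32 - winozn32.dll (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
"""

LINE_RE = re.compile(r"^([RFO]\d+) - (.*)$")
# Full "X:\...\name.ext" path, or just "name.ext" when HJT prints a bare module name.
DRIVE_PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:exe|dll|ocx|cpl)\b', re.I)
BARE_NAME_RE = re.compile(r"[\w~-]+\.(?:exe|dll|ocx|cpl)\b", re.I)

# Assumed allow-list of binaries treated as legitimate in this thread. A filename
# list is weak (malware can reuse a legitimate name); a real one should be hash-based.
KNOWN_GOOD = {"igfxtray.exe", "hkcmd.exe", "avgcc.exe", "gnotify.exe", "sdhelper.dll",
              "igfxsrvc.dll", "guard.exe", "msjava.dll", "msmsgs.exe"}
HEX_NAME = re.compile(r"^[0-9a-f]{8}\.exe$")            # e.g. 319b36c8.exe
RANDOM_NAME = re.compile(r"^[a-z]{4,8}\d{0,2}\.(?:exe|dll)$")  # e.g. vohl.exe, ljjjghe.dll
SUSPECT_DIRS = ("system32", "common")


def parse_hjt(text):
    """Turn HJT lines into dicts: kind (O4, O20, ...), raw body, path, basename."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.groups()
        pm = DRIVE_PATH_RE.search(body) or BARE_NAME_RE.search(body)
        path = pm.group(0) if pm else None
        entries.append({"kind": kind, "body": body, "path": path,
                        "base": path.rsplit("\\", 1)[-1].lower() if path else None,
                        "missing": "(file missing)" in body})
    return entries


def triage(entries):
    """Return (kind, basename, reason) for entries an analyst should look at."""
    findings = []
    for e in entries:
        if e["base"] is None:          # R1 proxy setting etc.: no file to judge here
            continue
        if e["missing"]:
            reason = "orphaned loading point, file already gone: remove the entry"
        elif e["base"] in KNOWN_GOOD:
            continue
        elif HEX_NAME.match(e["base"]):
            reason = "8-hex-digit executable name: typical dropper naming"
        elif RANDOM_NAME.match(e["base"]) and any(d in e["path"].lower() for d in SUSPECT_DIRS):
            reason = "random-looking name in a system or Common Files directory"
        elif e["kind"] == "O20":
            reason = "unrecognised Winlogon Notify package: classic Vundo persistence"
        elif e["kind"] == "O23" and "Unknown owner" in e["body"]:
            reason = "service with no vendor string: verify the binary"
        else:
            continue
        findings.append((e["kind"], e["base"], reason))
    return findings


if __name__ == "__main__":
    for kind, base, reason in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{kind:4} {base:14} {reason}")
```

On the sample it flags the two orphaned BHOs, the hex-named Run value, the two random-named HKCU Run values, the orphaned winozn32 Notify package and the vendor-less rpcapd service, and stays quiet about the Intel, AVG, Spybot and ewido entries. The Winlogon Notify check matters because those DLLs are loaded by winlogon.exe before any user shell exists, which is why they keep surviving scans run from the desktop.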

#8 Agent0013
  • Topic Starter
  • Members
  • 9 posts

Posted 21 August 2006 - 12:22 PM

Latest Logs.

New HijackThis log
---------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 12:15:22 PM, on 8/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\System32\mgabg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\JN\Desktop\HJT.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.2:3128
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - C:\WINDOWS\system32\ljjjghe.dll (file missing)
O2 - BHO: (no name) - {F26B0CA5-8586-4931-B9C0-1F3585F12970} - C:\WINDOWS\system32\gebcc.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [\\EFS\EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P32 "\\EFS\EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [Auto EPSON Stylus CX6600 Series on EFS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P38 "Auto EPSON Stylus CX6600 Series on EFS" /O14 "\\EFS\EPSONSty" /M "Stylus CX6600"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [Auto EPSON Stylus CX6600 Series on TED] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P38 "Auto EPSON Stylus CX6600 Series on TED" /O15 "\\TED\EPSONS_ME" /M "Stylus CX6600"
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O5 "LPT1:" /M "Stylus CX6600"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [\\EFS\EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P32 "\\EFS\EPSON Stylus CX7800 Series" /O6 "USB002" /M "Stylus CX7800"
O4 - HKLM\..\Run: [\\TED\EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P32 "\\TED\EPSON Stylus CX7800 Series" /O6 "USB004" /M "Stylus CX7800"
O4 - HKLM\..\Run: [Auto EPSON Stylus CX7800 Series on TED] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P38 "Auto EPSON Stylus CX7800 Series on TED" /O18 "\\TED\StylusCX7800" /M "Stylus CX7800"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136579410214
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20D62392-B207-4133-B7D6-1D2E37F2A50D}: NameServer = 192.168.1.2,65.106.1.196
O17 - HKLM\System\CS1\Services\Tcpip\..\{20D62392-B207-4133-B7D6-1D2E37F2A50D}: NameServer = 192.168.1.2,65.106.1.196
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winozn32 - winozn32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

Last Combofix Report
---------------------------------------------
JN - 06-08-21 12:16:24.21
ComboFix 06.08.18 - Running from: C:\Documents and Settings\JN\Desktop

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\SKS~1


((((((((((((((((((((((((((((((( Files Created from 2006-07-21 to 2006-08-21 ))))))))))))))))))))))))))))))))))


2006-08-21 11:44 9,216 C:\WINDOWS\system32\VundoFixSVC.exe
2006-08-18 10:36 204,800 C:\WINDOWS\system32\IVIresizeW7.dll
2006-08-18 10:36 200,704 C:\WINDOWS\system32\IVIresizeA6.dll
2006-08-18 10:36 20,480 C:\WINDOWS\system32\IVIresize.dll
2006-08-18 10:36 192,512 C:\WINDOWS\system32\IVIresizeP6.dll
2006-08-18 10:36 192,512 C:\WINDOWS\system32\IVIresizeM6.dll
2006-08-18 10:36 188,416 C:\WINDOWS\system32\IVIresizePX.dll
2006-08-07 13:47 8,704 C:\WINDOWS\system32\SpOrder.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-21 12:14 -------- d-------- C:\Program Files\Mozilla Firefox
2006-08-21 11:44 9216 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2006-08-21 09:45 -------- d-------- C:\Program Files\Common Files
2006-08-21 08:48 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-08-18 10:36 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-18 10:36 -------- d-------- C:\Program Files\InterVideo
2006-08-18 10:07 -------- d-------- C:\Documents and Settings\JN\Application Data\InterVideo
2006-08-17 02:37 -------- d-------- C:\Program Files\Common Files\rowf
2006-08-16 23:34 777472 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-08-16 23:34 27904 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-08-09 16:47 -------- d-------- C:\Program Files\Cain
2006-08-08 11:29 -------- d-------- C:\Program Files\Sunbelt Software
2006-08-07 15:58 -------- d-------- C:\Program Files\WS_FTP Pro
2006-08-07 14:58 -------- d-------- C:\Program Files\Internet Explorer
2006-08-07 13:54 -------- d-------- C:\Program Files\Common Files\Autodesk Shared
2006-07-28 11:31 -------- d---s---- C:\Documents and Settings\JN\Application Data\Microsoft
2006-07-26 14:10 -------- d-------- C:\Documents and Settings\JN\Application Data\AdobeUM
2006-07-18 12:02 91672 --a------ C:\WINDOWS\system32\drivers\khips.sys
2006-07-18 12:02 284184 --a------ C:\WINDOWS\system32\drivers\fwdrv.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"\\\\EFS\\EPSON Stylus CX6600 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9EA.EXE /P32 \"\\\\EFS\\EPSON Stylus CX6600 Series\" /O6 \"USB001\" /M \"Stylus CX6600\""
"Auto EPSON Stylus CX6600 Series on EFS"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9EA.EXE /P38 \"Auto EPSON Stylus CX6600 Series on EFS\" /O14 \"\\\\EFS\\EPSONSty\" /M \"Stylus CX6600\""
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="C:\\Program Files\\Google\\Gmail Notifier\\G001-1.0.25.0\\gnotify.exe"
"Auto EPSON Stylus CX6600 Series on TED"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9EA.EXE /P38 \"Auto EPSON Stylus CX6600 Series on TED\" /O15 \"\\\\TED\\EPSONS_ME\" /M \"Stylus CX6600\""
"EPSON Stylus CX6600 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9EA.EXE /P26 \"EPSON Stylus CX6600 Series\" /O5 \"LPT1:\" /M \"Stylus CX6600\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"\\\\EFS\\EPSON Stylus CX7800 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAFA.EXE /P32 \"\\\\EFS\\EPSON Stylus CX7800 Series\" /O6 \"USB002\" /M \"Stylus CX7800\""
"\\\\TED\\EPSON Stylus CX7800 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAFA.EXE /P32 \"\\\\TED\\EPSON Stylus CX7800 Series\" /O6 \"USB004\" /M \"Stylus CX7800\""
"Auto EPSON Stylus CX7800 Series on TED"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATIAFA.EXE /P38 \"Auto EPSON Stylus CX7800 Series on TED\" /O18 \"\\\\TED\\StylusCX7800\" /M \"Stylus CX7800\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\\\EFS\\EPSON Stylus CX6600 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9EA.EXE /P32 \"\\\\EFS\\EPSON Stylus CX6600 Series\" /M \"Stylus CX6600\" /EF \"HKCU\""
"Auto EPSON Stylus CX6600 Series on TED"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_FATI9EA.EXE /P38 \"Auto EPSON Stylus CX6600 Series on TED\" /M \"Stylus CX6600\" /EF \"HKCU\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{5A3E97DD-2A08-48BC-8F43-C0DEABC90266}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\Cmaudio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RunDll32 cmicnfg"
"hkey"="HKLM"
"command"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\Matrox Powerdesk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PDesk"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\PDesk\\PDesk.exe /Autolaunch"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\j2re1.4.2_05\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\{0228e555-4f9c-4e35-a3ec-b109a192b4c2}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="gnotify"
"hkey"="HKLM"
"command"="C:\\Program Files\\Google\\Gmail Notifier\\gnotify.exe"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winozn32


Completion time: Mon 08/21/2006 12:17:38.67
ComboFix.txt
ComboFix2.txt

VundoFix Report
----------------------------------------

VundoFix V6.1.1

Checking Java version...

Java version is 1.4.2.5

Scan started at 11:30:37 AM 8/21/2006

Listing files found while scanning....

C:\WINDOWS\system32\gebcc.dll
C:\WINDOWS\system32\ccbeg.ini
C:\WINDOWS\system32\ccbeg.bak2
C:\WINDOWS\system32\ccbeg.ini2
C:\WINDOWS\system32\ccbeg.tmp
C:\WINDOWS\system32\ljjjghe.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\gebcc.dll
C:\WINDOWS\system32\gebcc.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\ccbeg.ini
C:\WINDOWS\system32\ccbeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ccbeg.bak2
C:\WINDOWS\system32\ccbeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ccbeg.ini2
C:\WINDOWS\system32\ccbeg.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ccbeg.tmp
C:\WINDOWS\system32\ccbeg.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljjjghe.dll
C:\WINDOWS\system32\ljjjghe.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.1.1

Checking Java version...

Java version is 1.4.2.5

Scan started at 11:42:30 AM 8/21/2006

Listing files found while scanning....

C:\WINDOWS\system32\gebcc.dll
C:\WINDOWS\system32\ljjjghe.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\gebcc.dll
C:\WINDOWS\system32\gebcc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ljjjghe.dll
C:\WINDOWS\system32\ljjjghe.dll Has been deleted!

Performing Repairs to the registry.
Done!
Nothing has popped up yet, so maybe it has been eradicated!? One can hope!
And thanks for the help, it is amazing how difficult this has been to clean. In the past I have usually been able to clean the system using spyware scanners, or once in a while I would need a special cleaner for something that Spybot or Ad-Aware could not remove, but this one has been really tough! Thanks again!

#9 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • Gender:Male
  • Location:Finland
  • Local time:04:57 PM

Posted 21 August 2006 - 12:29 PM

Hi

Yes, looking better :thumbsup:

Open HijackThis, click do a system scan only and checkmark these:

O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - C:\WINDOWS\system32\ljjjghe.dll (file missing)
O2 - BHO: (no name) - {F26B0CA5-8586-4931-B9C0-1F3585F12970} - C:\WINDOWS\system32\gebcc.dll (file missing)
O20 - Winlogon Notify: winozn32 - winozn32.dll (file missing)


Close all windows including browser and press fix checked

Reboot

Delete this folder -> C:\Program Files\Common Files\rowf

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
      o Scan using the following Anti-Virus database:
          + Extended (If available otherwise Standard)
      o Scan Options:
          + Scan Archives
          + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Send:

- a fresh HijackThis log
- Kaspersky report

Microsoft MVP Consumer Security
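The three entries Shaba asks to have checkmarked share one property: HijackThis reports the DLL behind each registry hook as "(file missing)", because VundoFix (above) deleted gebcc.dll and ljjjghe.dll and winozn32.dll is already in quarantine. The registry still points at them, and "Fix checked" only removes the pointer. The following is an added example, not code from the thread or from HijackThis, showing how a helper would pull those orphaned O2 (BHO) and O20 (Winlogon Notify) lines out of a log automatically. SAMPLE_LOG is constructed: the three flagged lines are copied from the post above, while the "Example Helper" BHO with its all-zero placeholder CLSID and the crypt32chain Notify line are made-up benign entries so the filter has something to leave alone.

```python
"""Triage a HijackThis log for orphaned O2 (BHO) and O20 (Winlogon Notify)
entries, i.e. registry hooks whose DLL HijackThis marks "(file missing)".

Added example, not from the thread or from HijackThis itself.
"""
import re
from dataclasses import dataclass

# HijackThis prints: O2 - BHO: <name> - {CLSID} - <dll path> [(file missing)]
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)
# HijackThis prints: O20 - Winlogon Notify: <subkey> - <dll> [(file missing)]
NOTIFY_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<subkey>\S+) - "
    r"(?P<path>.+?)(?P<missing> \(file missing\))?$"
)


@dataclass
class Finding:
    section: str    # "O2" or "O20"
    target: str     # DLL path or file name the registry entry points at
    reasons: tuple  # why the entry is worth checkmarking
    line: str       # the original HijackThis line, verbatim


def triage_hijackthis(log_text: str) -> list:
    """Return the O2/O20 entries that are orphaned or otherwise suspicious.

    An O2 line is flagged when its DLL is missing or the BHO has no name
    (legitimate helpers almost always register a display name); an O20
    line is flagged when its Notify DLL is missing.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := BHO_RE.match(line):
            reasons = []
            if m.group("missing"):
                reasons.append("file missing")
            if m.group("name") == "(no name)":
                reasons.append("unnamed BHO")
            if reasons:
                findings.append(Finding("O2", m.group("path"), tuple(reasons), line))
        elif m := NOTIFY_RE.match(line):
            if m.group("missing"):
                findings.append(Finding("O20", m.group("path"), ("file missing",), line))
    return findings


# Constructed sample: three lines from the post above plus two benign
# entries (placeholder CLSID, standard crypt32chain Notify key) that must
# not be flagged.
SAMPLE_LOG = r"""
O2 - BHO: Example Helper - {00000000-0000-0000-0000-000000000000} - C:\Program Files\Example\helper.dll
O2 - BHO: (no name) - {5A3E97DD-2A08-48BC-8F43-C0DEABC90266} - C:\WINDOWS\system32\ljjjghe.dll (file missing)
O2 - BHO: (no name) - {F26B0CA5-8586-4931-B9C0-1F3585F12970} - C:\WINDOWS\system32\gebcc.dll (file missing)
O20 - Winlogon Notify: crypt32chain - crypt32.dll
O20 - Winlogon Notify: winozn32 - winozn32.dll (file missing)
"""

if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_LOG):
        print(f"{f.section}: {f.target} -> {', '.join(f.reasons)}")
```

Run against the sample it lists exactly the three lines Shaba picked out and nothing else. The "(file missing)" test is the reliable one; the "(no name)" heuristic is only a prompt to look closer, since a named BHO pointing at a random DLL in system32 (as Virtumonde's did before the files were removed) would pass it.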

#10 Agent0013

Agent0013
  • Topic Starter

  • Members
  • 9 posts
  • Local time:09:57 AM

Posted 21 August 2006 - 02:45 PM

Wow, Kaspersky has found a lot of infected files. I think that some of them are from another person's Outlook email folders that I have on my hard drive from when his was crashing and I was going to move it to another drive. But there are quite a few in there. Most of them say they were skipped though. Does the Kaspersky scanner not clean them?

Kaspersky report
------------------------------------------
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, August 21, 2006 2:39:23 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 21/08/2006
Kaspersky Anti-Virus database records: 216927
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 84100
Number of viruses found: 32
Number of infected objects: 166 / 0
Number of suspicious objects: 28
Duration of the scan process: 00:58:41

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC30.zip/MTE3MTk6ODoxNg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC30.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\JN\.housecall\Quarantine\319b36c8.exe.bac_a01888 Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
C:\Documents and Settings\JN\.housecall\Quarantine\Abel.exe.bac_a01888 Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
C:\Documents and Settings\JN\.housecall\Quarantine\Cain.exe.bac_a01888 Infected: not-a-virus:PSWTool.Win32.Cain.288 skipped
C:\Documents and Settings\JN\.housecall\Quarantine\winantiviruspro2006freeinstall[1].exe.bac_a01888 Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\Documents and Settings\JN\.housecall\Quarantine\wind32[1].exe.bac_a01888/data0002 Infected: Trojan-Downloader.Win32.PurityScan.cq skipped
C:\Documents and Settings\JN\.housecall\Quarantine\wind32[1].exe.bac_a01888 NSIS: infected - 1 skipped
C:\Documents and Settings\JN\.housecall\Quarantine\wind32[1].exe.bac_a01888 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\JN\.housecall\Quarantine\winozn32.dll.bac_a01888 Infected: Packed.Win32.Klone.g skipped
C:\Documents and Settings\JN\.housecall\Quarantine\wlzip32[1].exe.bac_a01888 Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
C:\Documents and Settings\JN\.housecall\Quarantine\YazzleActiveX.ocx.bac_a01888 Infected: not-a-virus:AdWare.Win32.MediaTickets.w skipped
C:\Documents and Settings\JN\Application Data\Microsoft\Outlook\outcmd.dat Object is locked skipped
C:\Documents and Settings\JN\Application Data\Microsoft\Outlook\outitems.log Object is locked skipped
C:\Documents and Settings\JN\Application Data\Mozilla\Firefox\Profiles\default.8v9\history.dat Object is locked skipped
C:\Documents and Settings\JN\Application Data\Mozilla\Firefox\Profiles\default.8v9\parent.lock Object is locked skipped
C:\Documents and Settings\JN\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\JN\Desktop\OiUninstaller.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\Documents and Settings\JN\Desktop\OiUninstaller.exe NSIS: infected - 1 skipped
C:\Documents and Settings\JN\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\JN\Desktop\vnc-4.0-x86_win32_viewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\JN\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Sent Items/14 Jun 2005 16:10 to Jerry Szerszen:vnc/vnc-4.0-x86_win32_viewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\JN\Local Settings\Application Data\Microsoft\Outlook\archive.pst Mail MS Mail: infected - 1 skipped
C:\Documents and Settings\JN\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Object is locked skipped
C:\Documents and Settings\JN\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\JN\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\JN\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.8v9\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\JN\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.8v9\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\JN\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.8v9\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\JN\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.8v9\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\JN\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\JN\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\JN\ntuser.dat Object is locked skipped
C:\Documents and Settings\JN\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\pedriver.txt Object is locked skipped
C:\Program Files\Cain\Abel.dll Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
C:\Program Files\Cain\Abel.exe Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
C:\Program Files\Cain\Cain.exe Infected: not-a-virus:PSWTool.Win32.Cain.288 skipped
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\debug.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\debug.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\error.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\error.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\hips.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\hips.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\ids.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\ids.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\network.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\network.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\system.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\system.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\warning.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\warning.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\web.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\web.log.idx Object is locked skipped
C:\QooBox\ijnbx.exe.qoo Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\QooBox\kiixe.exe.qoo Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\QooBox\sawwxn.exe.qoo Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\QooBox\tfufisx.exe.qoo Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\QooBox\xxlaj.dat.qoo Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\QooBox\yhvwovj.dll.qoo Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP544\A0116690.exe Infected: not-a-virus:AdWare.Win32.MediaTickets.w skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP547\A0116835.exe Infected: not-a-virus:AdWare.Win32.MediaTickets.w skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP547\A0116853.exe Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP547\A0116854.exe Infected: not-a-virus:PSWTool.Win32.Cain.288 skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP550\A0117931.dll Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP551\A0117984.exe Infected: Trojan-Downloader.Win32.Zlob.aef skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120272.exe Infected: Trojan-Downloader.Win32.Zlob.yj skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120284.exe Infected: not-a-virus:AdWare.Win32.PurityScan.et skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120285.exe Infected: Trojan-Downloader.Win32.PurityScan.cq skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120303.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120314.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120338.exe Infected: Trojan-Downloader.Win32.Zlob.yj skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120340.exe Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120349.exe Infected: Trojan-Downloader.Win32.Zlob.yj skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120350.exe Infected: Trojan-Downloader.Win32.Zlob.yj skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120352.exe Infected: not-virus:Hoax.Win32.Renos.eg skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120362.exe Infected: not-a-virus:AdWare.Win32.Agent.ag skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120363.exe Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120367.dll Infected: not-a-virus:AdWare.Win32.Softomate.q skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120372.dll Infected: Trojan-Downloader.Win32.Agent.agw skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120373.exe Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120374.exe Infected: not-a-virus:AdWare.Win32.Trymedia.a skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120375.exe Infected: Trojan-Downloader.Win32.PurityScan.cq skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120377.exe Infected: Trojan-Downloader.Win32.Qoologic.c skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120378.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.p skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120379.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.by skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120380.dll Infected: not-a-virus:AdWare.Win32.Mirar.a skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120381.exe Infected: not-a-virus:Downloader.Win32.WinFixer.i skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120382.exe Infected: not-a-virus:Downloader.Win32.WinFixer.i skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120383.exe Infected: not-a-virus:Downloader.Win32.WinFixer.i skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120384.exe Infected: not-a-virus:Downloader.Win32.WinFixer.i skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120385.exe Infected: not-a-virus:Downloader.Win32.WinFixer.i skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120386.exe Infected: not-a-virus:Downloader.Win32.WinFixer.i skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120387.exe Infected: not-a-virus:Downloader.Win32.WinFixer.i skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120388.exe Infected: not-a-virus:Downloader.Win32.WinFixer.i skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120412.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120413.dll Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120414.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120415.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120416.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP556\A0120491.dll Infected: Packed.Win32.Klone.g skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP556\A0120507.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.da skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP556\A0120508.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.da skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP556\A0120509.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.by skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP556\A0120510.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.by skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP556\A0120535.dll Infected: Packed.Win32.Klone.g skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP556\change.log Object is locked skipped
C:\temp\tmp1D.tmp Object is locked skipped
C:\temp\~DF9F0.tmp Object is locked skipped
C:\temp\~DF9FB.tmp Object is locked skipped
C:\VundoFix Backups\gebcc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.da skipped
C:\VundoFix Backups\ljjjghe.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.by skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\__delete_on_reboot__d_m_o_n_w_v_._d_l_l_ Infected: Trojan-Downloader.Win32.Agent.agw skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Shared\jk\avoid.exe Infected: not-virus:BadJoke.Win32.Delf.af skipped
D:\Shared\Tunnel\vnc-4_1_1-x86_win32.exe/data0001 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
D:\Shared\Tunnel\vnc-4_1_1-x86_win32.exe Inno: infected - 1 skipped
D:\Downloads\cain&abel_setup.exe/WISE0017.BIN Infected: not-a-virus:PSWTool.Win32.Cain.288 skipped
D:\Downloads\cain&abel_setup.exe/WISE0023.BIN Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
D:\Downloads\cain&abel_setup.exe/WISE0025.BIN Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
D:\Downloads\cain&abel_setup.exe WiseSFX: infected - 3 skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From dmarofskejr <dmarofskejr@grandproductsinc.com>][Date Thu, 25 Apr 2002 11:01:26 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From dmarofskejr <dmarofskejr@grandproductsinc.com>][Date Thu, 25 Apr 2002 11:01:26 -0500]/UNNAMED/for.exe Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From dmarofskejr <dmarofskejr@grandproductsinc.com>][Date Thu, 25 Apr 2002 11:01:26 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From mhernandez <mhernandez@grandproductsinc.co>][Date Thu, 25 Apr 2002 10:50:25 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From mhernandez <mhernandez@grandproductsinc.co>][Date Thu, 25 Apr 2002 10:50:25 -0500]/UNNAMED/for.bat Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From mhernandez <mhernandez@grandproductsinc.co>][Date Thu, 25 Apr 2002 10:50:25 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From tbarnes <tbarnes@grandproductsinc.com>][Date Thu, 25 Apr 2002 10:30:42 -0501]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From tbarnes <tbarnes@grandproductsinc.com>][Date Thu, 25 Apr 2002 10:30:42 -0501]/UNNAMED/form Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From tbarnes <tbarnes@grandproductsinc.com>][Date Thu, 25 Apr 2002 10:30:42 -0501]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From janelle <janelle@jamesindustriesinc.com>][Date Thu, 25 Apr 2002 09:49:19 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From janelle <janelle@jamesindustriesinc.com>][Date Thu, 25 Apr 2002 09:49:19 -0500]/UNNAMED/from Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From janelle <janelle@jamesindustriesinc.com>][Date Thu, 25 Apr 2002 09:49:19 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From pakok312 <pakok312@attbi.com>][Date Thu, 25 Apr 2002 13:07:18 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From pakok312 <pakok312@attbi.com>][Date Thu, 25 Apr 2002 13:07:18 -0500]/UNNAMED/to Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From pakok312 <pakok312@attbi.com>][Date Thu, 25 Apr 2002 13:07:18 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From dmarofskesr <dmarofskesr@grandproductsinc.com>][Date Thu, 25 Apr 2002 14:09:11 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From dmarofskesr <dmarofskesr@grandproductsinc.com>][Date Thu, 25 Apr 2002 14:09:11 -0500]/UNNAMED/ody.scr Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From dmarofskesr <dmarofskesr@grandproductsinc.com>][Date Thu, 25 Apr 2002 14:09:11 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From lzidron <lzidron@arrow.com>][Date Thu, 25 Apr 2002 14:11:08 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From lzidron <lzidron@arrow.com>][Date Thu, 25 Apr 2002 14:11:08 -0500]/UNNAMED/frunlog.exe Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From lzidron <lzidron@arrow.com>][Date Thu, 25 Apr 2002 14:11:08 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From tbarnes <tbarnes@grandproductsinc.com>][Date Thu, 25 Apr 2002 15:41:15 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From tbarnes <tbarnes@grandproductsinc.com>][Date Thu, 25 Apr 2002 15:41:15 -0500]/UNNAMED/gp-005.scr Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From tbarnes <tbarnes@grandproductsinc.com>][Date Thu, 25 Apr 2002 15:41:15 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From mlezcano <mlezcano@wellsgardner.com>][Date Fri, 26 Apr 2002 07:39:39 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From mlezcano <mlezcano@wellsgardner.com>][Date Fri, 26 Apr 2002 07:39:39 -0500]/UNNAMED/name.bat Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From mlezcano <mlezcano@wellsgardner.com>][Date Fri, 26 Apr 2002 07:39:39 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From ebender <ebender@tlcind.com>][Date Fri, 26 Apr 2002 15:21:06 -0500]/UNNAMED/picacu.exe Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From ebender <ebender@tlcind.com>][Date Fri, 26 Apr 2002 15:21:06 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From pmriley <pmriley@grandproductsinc.com>][Date Fri, 26 Apr 2002 14:41:03 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From pmriley <pmriley@grandproductsinc.com>][Date Fri, 26 Apr 2002 14:41:03 -0500]/UNNAMED/for.pif Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From pmriley <pmriley@grandproductsinc.com>][Date Fri, 26 Apr 2002 14:41:03 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From postmaster <postmaster@grandproductsinc.com>][Date Mon, 29 Apr 2002 07:41:08 -0500]/UNNAMED/section.scr Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From postmaster <postmaster@grandproductsinc.com>][Date Mon, 29 Apr 2002 07:41:08 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From jtontodo <jtontodo@wmsgaming.com>][Date Mon, 29 Apr 2002 10:54:00 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From jtontodo <jtontodo@wmsgaming.com>][Date Mon, 29 Apr 2002 10:54:00 -0500]/UNNAMED/for.bat Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From jtontodo <jtontodo@wmsgaming.com>][Date Mon, 29 Apr 2002 10:54:00 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From kdrunke <kdrunke@tlcindustries.com>][Date Mon, 29 Apr 2002 09:16:18 -0500]/UNNAMED/for Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From kdrunke <kdrunke@tlcindustries.com>][Date Mon, 29 Apr 2002 09:16:18 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From mhernandez <mhernandez@grandproductsinc.com>][Date Tue, 30 Apr 2002 13:30:54 -0501]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From mhernandez <mhernandez@grandproductsinc.com>][Date Tue, 30 Apr 2002 13:30:54 -0501]/UNNAMED/to Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From mhernandez <mhernandez@grandproductsinc.com>][Date Tue, 30 Apr 2002 13:30:54 -0501]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From acortez <acortez@grandproductsinc.com>][Date Tue, 30 Apr 2002 15:33:43 -0501]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From acortez <acortez@grandproductsinc.com>][Date Tue, 30 Apr 2002 15:33:43 -0501]/UNNAMED/frunlog.exe Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From acortez <acortez@grandproductsinc.com>][Date Tue, 30 Apr 2002 15:33:43 -0501]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From mmarofske <mmarofske@grandproductsinc.com>][Date Tue, 30 Apr 2002 14:11:37 -0500]/UNNAMED/demo.exe Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From mmarofske <mmarofske@grandproductsinc.com>][Date Tue, 30 Apr 2002 14:11:37 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From postmaster <postmaster@grandproductsinc.com>][Date Tue, 30 Apr 2002 15:19:58 -0501]/UNNAMED/frunlog.scr Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx/[From postmaster <postmaster@grandproductsinc.com>][Date Tue, 30 Apr 2002 15:19:58 -0501]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Deleted Items.mbx Mail MS Internet Mail: infected - 36, suspicious - 13 skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From janelle <janelle@jamesindustriesinc.com>][Date Thu, 25 Apr 2002 09:49:19 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From janelle <janelle@jamesindustriesinc.com>][Date Thu, 25 Apr 2002 09:49:19 -0500]/UNNAMED/from Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From janelle <janelle@jamesindustriesinc.com>][Date Thu, 25 Apr 2002 09:49:19 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From tbarnes <tbarnes@grandproductsinc.com>][Date Thu, 25 Apr 2002 10:30:42 -0501]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From tbarnes <tbarnes@grandproductsinc.com>][Date Thu, 25 Apr 2002 10:30:42 -0501]/UNNAMED/form Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From tbarnes <tbarnes@grandproductsinc.com>][Date Thu, 25 Apr 2002 10:30:42 -0501]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From mhernandez <mhernandez@grandproductsinc.co>][Date Thu, 25 Apr 2002 10:50:25 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From mhernandez <mhernandez@grandproductsinc.co>][Date Thu, 25 Apr 2002 10:50:25 -0500]/UNNAMED/for.bat Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From mhernandez <mhernandez@grandproductsinc.co>][Date Thu, 25 Apr 2002 10:50:25 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From dmarofskejr <dmarofskejr@grandproductsinc.com>][Date Thu, 25 Apr 2002 11:01:26 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From dmarofskejr <dmarofskejr@grandproductsinc.com>][Date Thu, 25 Apr 2002 11:01:26 -0500]/UNNAMED/for.exe Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From dmarofskejr <dmarofskejr@grandproductsinc.com>][Date Thu, 25 Apr 2002 11:01:26 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From pakok312 <pakok312@attbi.com>][Date Thu, 25 Apr 2002 13:07:18 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From pakok312 <pakok312@attbi.com>][Date Thu, 25 Apr 2002 13:07:18 -0500]/UNNAMED/to Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From pakok312 <pakok312@attbi.com>][Date Thu, 25 Apr 2002 13:07:18 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From dmarofskesr <dmarofskesr@grandproductsinc.com>][Date Thu, 25 Apr 2002 14:09:11 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From dmarofskesr <dmarofskesr@grandproductsinc.com>][Date Thu, 25 Apr 2002 14:09:11 -0500]/UNNAMED/ody.scr Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From dmarofskesr <dmarofskesr@grandproductsinc.com>][Date Thu, 25 Apr 2002 14:09:11 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From lzidron <lzidron@arrow.com>][Date Thu, 25 Apr 2002 14:11:08 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From lzidron <lzidron@arrow.com>][Date Thu, 25 Apr 2002 14:11:08 -0500]/UNNAMED/frunlog.exe Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From lzidron <lzidron@arrow.com>][Date Thu, 25 Apr 2002 14:11:08 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From tbarnes <tbarnes@grandproductsinc.com>][Date Thu, 25 Apr 2002 15:41:15 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From tbarnes <tbarnes@grandproductsinc.com>][Date Thu, 25 Apr 2002 15:41:15 -0500]/UNNAMED/gp-005.scr Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From tbarnes <tbarnes@grandproductsinc.com>][Date Thu, 25 Apr 2002 15:41:15 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From mlezcano <mlezcano@wellsgardner.com>][Date Fri, 26 Apr 2002 07:39:39 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From mlezcano <mlezcano@wellsgardner.com>][Date Fri, 26 Apr 2002 07:39:39 -0500]/UNNAMED/name.bat Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From mlezcano <mlezcano@wellsgardner.com>][Date Fri, 26 Apr 2002 07:39:39 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From pmriley <pmriley@grandproductsinc.com>][Date Fri, 26 Apr 2002 14:41:03 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From pmriley <pmriley@grandproductsinc.com>][Date Fri, 26 Apr 2002 14:41:03 -0500]/UNNAMED/for.pif Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From pmriley <pmriley@grandproductsinc.com>][Date Fri, 26 Apr 2002 14:41:03 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From ebender <ebender@tlcind.com>][Date Fri, 26 Apr 2002 15:21:06 -0500]/UNNAMED/picacu.exe Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From ebender <ebender@tlcind.com>][Date Fri, 26 Apr 2002 15:21:06 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From postmaster <postmaster@grandproductsinc.com>][Date Mon, 29 Apr 2002 07:41:08 -0500]/UNNAMED/section.scr Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From postmaster <postmaster@grandproductsinc.com>][Date Mon, 29 Apr 2002 07:41:08 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From kdrunke <kdrunke@tlcindustries.com>][Date Mon, 29 Apr 2002 09:16:18 -0500]/UNNAMED/for Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From kdrunke <kdrunke@tlcindustries.com>][Date Mon, 29 Apr 2002 09:16:18 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From jtontodo <jtontodo@wmsgaming.com>][Date Mon, 29 Apr 2002 10:54:00 -0500]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From jtontodo <jtontodo@wmsgaming.com>][Date Mon, 29 Apr 2002 10:54:00 -0500]/UNNAMED/for.bat Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From jtontodo <jtontodo@wmsgaming.com>][Date Mon, 29 Apr 2002 10:54:00 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From mhernandez <mhernandez@grandproductsinc.com>][Date Tue, 30 Apr 2002 13:30:54 -0501]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From mhernandez <mhernandez@grandproductsinc.com>][Date Tue, 30 Apr 2002 13:30:54 -0501]/UNNAMED/to Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From mhernandez <mhernandez@grandproductsinc.com>][Date Tue, 30 Apr 2002 13:30:54 -0501]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From mmarofske <mmarofske@grandproductsinc.com>][Date Tue, 30 Apr 2002 14:11:37 -0500]/UNNAMED/demo.exe Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From mmarofske <mmarofske@grandproductsinc.com>][Date Tue, 30 Apr 2002 14:11:37 -0500]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From postmaster <postmaster@grandproductsinc.com>][Date Tue, 30 Apr 2002 15:19:58 -0501]/UNNAMED/frunlog.scr Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From postmaster <postmaster@grandproductsinc.com>][Date Tue, 30 Apr 2002 15:19:58 -0501]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From acortez <acortez@grandproductsinc.com>][Date Tue, 30 Apr 2002 15:33:43 -0501]/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From acortez <acortez@grandproductsinc.com>][Date Tue, 30 Apr 2002 15:33:43 -0501]/UNNAMED/frunlog.exe Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx/[From acortez <acortez@grandproductsinc.com>][Date Tue, 30 Apr 2002 15:33:43 -0501]/UNNAMED Infected: Email-Worm.Win32.Klez.h skipped
F:\Chris Backup\Outlook Express\Mail\Inbox.mbx Mail MS Internet Mail: infected - 36, suspicious - 13 skipped
F:\Chris Backup\Outlook Express\Mail\Outbox.mbx/[From "Chris Marofske" <cmarofske@grandproductsinc.com>][Date Wed, 1 May 2002 15:43:46 -0500]/UNNAMED/GrandProducts.xls Infected: Virus.MSExcel.Laroux.cs skipped
F:\Chris Backup\Outlook Express\Mail\Outbox.mbx/[From "Chris Marofske" <cmarofske@grandproductsinc.com>][Date Wed, 1 May 2002 15:43:46 -0500]/UNNAMED Infected: Virus.MSExcel.Laroux.cs skipped
F:\Chris Backup\Outlook Express\Mail\Outbox.mbx Mail MS Internet Mail: infected - 2 skipped
F:\Chris Backup\Outlook Express\Mail\Sent Items.mbx/[From "Chris Marofske" <cmarofske@grandproductsinc.com>][Date Wed, 1 May 2002 15:43:46 -0500]/UNNAMED/GrandProducts.xls Infected: Virus.MSExcel.Laroux.cs skipped
F:\Chris Backup\Outlook Express\Mail\Sent Items.mbx/[From "Chris Marofske" <cmarofske@grandproductsinc.com>][Date Wed, 1 May 2002 15:43:46 -0500]/UNNAMED Infected: Virus.MSExcel.Laroux.cs skipped
F:\Chris Backup\Outlook Express\Mail\Sent Items.mbx Mail MS Internet Mail: infected - 2 skipped
F:\Rich Backup\rpetrenco\Local Settings\Application Data\Microsoft\Outlook\outlook.pst/Personal Folders/Deleted Items/03 Mar 2006 21:12 from lahillier@aol.com:Re: Old photos/old_photos_rpetrenko.pif Infected: Email-Worm.Win32.NetSky.q skipped
F:\Rich Backup\rpetrenco\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Mail MS Mail: infected - 1 skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
Fresh HijackThis report
--------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 2:44:05 PM, on 8/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\System32\mgabg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Documents and Settings\JN\Desktop\HJT.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.2:3128
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [\\EFS\EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P32 "\\EFS\EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [Auto EPSON Stylus CX6600 Series on EFS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P38 "Auto EPSON Stylus CX6600 Series on EFS" /O14 "\\EFS\EPSONSty" /M "Stylus CX6600"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [Auto EPSON Stylus CX6600 Series on TED] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P38 "Auto EPSON Stylus CX6600 Series on TED" /O15 "\\TED\EPSONS_ME" /M "Stylus CX6600"
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O5 "LPT1:" /M "Stylus CX6600"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [\\EFS\EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P32 "\\EFS\EPSON Stylus CX7800 Series" /O6 "USB002" /M "Stylus CX7800"
O4 - HKLM\..\Run: [\\TED\EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P32 "\\TED\EPSON Stylus CX7800 Series" /O6 "USB004" /M "Stylus CX7800"
O4 - HKLM\..\Run: [Auto EPSON Stylus CX7800 Series on TED] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P38 "Auto EPSON Stylus CX7800 Series on TED" /O18 "\\TED\StylusCX7800" /M "Stylus CX7800"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136579410214
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20D62392-B207-4133-B7D6-1D2E37F2A50D}: NameServer = 192.168.1.2,65.106.1.196
O17 - HKLM\System\CS1\Services\Tcpip\..\{20D62392-B207-4133-B7D6-1D2E37F2A50D}: NameServer = 192.168.1.2,65.106.1.196
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

#11 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:04:57 PM

Posted 22 August 2006 - 01:20 AM

Hi

No, Kaspersky doesn't delete/disinfect anything unfortunately :thumbsup:

Empty these folders

C:\Documents and Settings\JN\.housecall\Quarantine\
F:\Chris Backup\Outlook Express\

Delete this:

D:\Shared\jk\avoid.exe

Re-scan with Kaspersky

Send:

- a fresh HijackThis log
- Kaspersky report
Microsoft MVP Consumer Security

#12 Agent0013

Agent0013
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  • Local time:09:57 AM

Posted 22 August 2006 - 10:08 AM

Fresh HijackThis log
----------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 10:04:24 AM, on 8/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\System32\mgabg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Documents and Settings\JN\Desktop\HJT.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.2:3128
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [\\EFS\EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P32 "\\EFS\EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [Auto EPSON Stylus CX6600 Series on EFS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P38 "Auto EPSON Stylus CX6600 Series on EFS" /O14 "\\EFS\EPSONSty" /M "Stylus CX6600"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [Auto EPSON Stylus CX6600 Series on TED] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P38 "Auto EPSON Stylus CX6600 Series on TED" /O15 "\\TED\EPSONS_ME" /M "Stylus CX6600"
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O5 "LPT1:" /M "Stylus CX6600"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [\\EFS\EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P32 "\\EFS\EPSON Stylus CX7800 Series" /O6 "USB002" /M "Stylus CX7800"
O4 - HKLM\..\Run: [\\TED\EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P32 "\\TED\EPSON Stylus CX7800 Series" /O6 "USB004" /M "Stylus CX7800"
O4 - HKLM\..\Run: [Auto EPSON Stylus CX7800 Series on TED] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P38 "Auto EPSON Stylus CX7800 Series on TED" /O18 "\\TED\StylusCX7800" /M "Stylus CX7800"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136579410214
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20D62392-B207-4133-B7D6-1D2E37F2A50D}: NameServer = 192.168.1.2,65.106.1.196
O17 - HKLM\System\CS1\Services\Tcpip\..\{20D62392-B207-4133-B7D6-1D2E37F2A50D}: NameServer = 192.168.1.2,65.106.1.196
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
Kaspersky Report
--------------------------------
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, August 22, 2006 10:03:08 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 21/08/2006
Kaspersky Anti-Virus database records: 216927
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
N:\

Scan Statistics:
Total number of scanned objects: 125848
Number of viruses found: 27
Number of infected objects: 240 / 0
Number of suspicious objects: 2
Duration of the scan process: 01:26:15

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC30.zip/MTE3MTk6ODoxNg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC30.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\JN\Application Data\Microsoft\Outlook\outcmd.dat Object is locked skipped
C:\Documents and Settings\JN\Application Data\Microsoft\Outlook\outitems.log Object is locked skipped
C:\Documents and Settings\JN\Application Data\Mozilla\Firefox\Profiles\default.8v9\cert8.db Object is locked skipped
C:\Documents and Settings\JN\Application Data\Mozilla\Firefox\Profiles\default.8v9\formhistory.dat Object is locked skipped
C:\Documents and Settings\JN\Application Data\Mozilla\Firefox\Profiles\default.8v9\history.dat Object is locked skipped
C:\Documents and Settings\JN\Application Data\Mozilla\Firefox\Profiles\default.8v9\key3.db Object is locked skipped
C:\Documents and Settings\JN\Application Data\Mozilla\Firefox\Profiles\default.8v9\parent.lock Object is locked skipped
C:\Documents and Settings\JN\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\JN\Desktop\OiUninstaller.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\Documents and Settings\JN\Desktop\OiUninstaller.exe NSIS: infected - 1 skipped
C:\Documents and Settings\JN\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\JN\Desktop\vnc-4.0-x86_win32_viewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\JN\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Sent Items/14 Jun 2005 16:10 to Jerry Szerszen:vnc/vnc-4.0-x86_win32_viewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\JN\Local Settings\Application Data\Microsoft\Outlook\archive.pst Mail MS Mail: infected - 1 skipped
C:\Documents and Settings\JN\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Object is locked skipped
C:\Documents and Settings\JN\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\JN\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\JN\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.8v9\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\JN\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.8v9\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\JN\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.8v9\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\JN\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.8v9\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\JN\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\JN\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\JN\ntuser.dat Object is locked skipped
C:\Documents and Settings\JN\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\pedriver.txt Object is locked skipped
C:\Program Files\Cain\Abel.dll Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
C:\Program Files\Cain\Abel.exe Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
C:\Program Files\Cain\Cain.exe Infected: not-a-virus:PSWTool.Win32.Cain.288 skipped
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\debug.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\debug.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\error.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\error.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\hips.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\hips.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\ids.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\ids.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\network.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\network.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\system.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\system.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\warning.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\warning.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\web.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\web.log.idx Object is locked skipped
C:\RECYCLER\S-1-5-21-1390067357-1844237615-682003330-1005\Dc10.bac_a01888 Infected: Packed.Win32.Klone.g skipped
C:\RECYCLER\S-1-5-21-1390067357-1844237615-682003330-1005\Dc11.bac_a01888 Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
C:\RECYCLER\S-1-5-21-1390067357-1844237615-682003330-1005\Dc12.bac_a01888 Infected: not-a-virus:AdWare.Win32.MediaTickets.w skipped
C:\RECYCLER\S-1-5-21-1390067357-1844237615-682003330-1005\Dc2.bac_a01888 Infected: Trojan-Downloader.Win32.Obfuscated.a skipped
C:\RECYCLER\S-1-5-21-1390067357-1844237615-682003330-1005\Dc3.bac_a01888 Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
C:\RECYCLER\S-1-5-21-1390067357-1844237615-682003330-1005\Dc4.bac_a01888 Infected: not-a-virus:PSWTool.Win32.Cain.288 skipped
C:\RECYCLER\S-1-5-21-1390067357-1844237615-682003330-1005\Dc8.bac_a01888 Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
C:\RECYCLER\S-1-5-21-1390067357-1844237615-682003330-1005\Dc9.bac_a01888/data0002 Infected: Trojan-Downloader.Win32.PurityScan.cq skipped
C:\RECYCLER\S-1-5-21-1390067357-1844237615-682003330-1005\Dc9.bac_a01888 NSIS: infected - 1 skipped
C:\RECYCLER\S-1-5-21-1390067357-1844237615-682003330-1005\Dc9.bac_a01888 CryptFF.b: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP544\A0116690.exe Infected: not-a-virus:AdWare.Win32.MediaTickets.w skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP547\A0116835.exe Infected: not-a-virus:AdWare.Win32.MediaTickets.w skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP547\A0116853.exe Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP547\A0116854.exe Infected: not-a-virus:PSWTool.Win32.Cain.288 skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP550\A0117931.dll Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP551\A0117984.exe Infected: Trojan-Downloader.Win32.Zlob.aef skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120272.exe Infected: Trojan-Downloader.Win32.Zlob.yj skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120284.exe Infected: not-a-virus:AdWare.Win32.PurityScan.et skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120303.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120314.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120338.exe Infected: Trojan-Downloader.Win32.Zlob.yj skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120349.exe Infected: Trojan-Downloader.Win32.Zlob.yj skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120350.exe Infected: Trojan-Downloader.Win32.Zlob.yj skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120352.exe Infected: not-virus:Hoax.Win32.Renos.eg skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120362.exe Infected: not-a-virus:AdWare.Win32.Agent.ag skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120367.dll Infected: not-a-virus:AdWare.Win32.Softomate.q skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120374.exe Infected: not-a-virus:AdWare.Win32.Trymedia.a skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120378.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.p skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120379.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.by skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120380.dll Infected: not-a-virus:AdWare.Win32.Mirar.a skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120381.exe Infected: not-a-virus:Downloader.Win32.WinFixer.i skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120382.exe Infected: not-a-virus:Downloader.Win32.WinFixer.i skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120383.exe Infected: not-a-virus:Downloader.Win32.WinFixer.i skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120384.exe Infected: not-a-virus:Downloader.Win32.WinFixer.i skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120385.exe Infected: not-a-virus:Downloader.Win32.WinFixer.i skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120386.exe Infected: not-a-virus:Downloader.Win32.WinFixer.i skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120387.exe Infected: not-a-virus:Downloader.Win32.WinFixer.i skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120388.exe Infected: not-a-virus:Downloader.Win32.WinFixer.i skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP556\A0120507.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.da skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP556\A0120508.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.da skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP556\A0120509.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.by skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP556\A0120510.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.by skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP556\change.log Object is locked skipped
C:\temp\~DF9F0.tmp Object is locked skipped
C:\temp\~DF9FB.tmp Object is locked skipped
C:\VundoFix Backups\gebcc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.da skipped
C:\VundoFix Backups\ljjjghe.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.by skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\RECYCLED\Dd1.exe Infected: not-virus:BadJoke.Win32.Delf.af skipped
D:\Shared\Tunnel\vnc-4_1_1-x86_win32.exe/data0001 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
D:\Shared\Tunnel\vnc-4_1_1-x86_win32.exe Inno: infected - 1 skipped
D:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP556\change.log Object is locked skipped
D:\Downloads\cain&abel_setup.exe/WISE0017.BIN Infected: not-a-virus:PSWTool.Win32.Cain.288 skipped
D:\Downloads\cain&abel_setup.exe/WISE0023.BIN Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
D:\Downloads\cain&abel_setup.exe/WISE0025.BIN Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
D:\Downloads\cain&abel_setup.exe WiseSFX: infected - 3 skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP556\change.log Object is locked skipped
N:\Backup\Software\CombiMovie\xvid activate_crack.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.SideSearch.g skipped
N:\Backup\Software\CombiMovie\xvid activate_crack.exe/stream Infected: not-a-virus:AdWare.Win32.SideSearch.g skipped
N:\Backup\Software\CombiMovie\xvid activate_crack.exe NSIS: infected - 2 skipped
N:\Backup\Software\wsFtp\Kazaa Lite 4.0 new.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Britney Spears Sexy archive.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Kazaa new.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Britney Spears porn.jpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Harry Potter all e.book.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Britney sex xxx.jpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Harry Potter 1-6 book.txt.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Britney Spears blowjob.jpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Harry Potter e book.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Britney Spears cumshot.jpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Harry Potter.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Britney Spears bleep.jpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Harry Potter game.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Britney Spears.jpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Harry Potter 5.mpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Britney Spears and Eminem porn.jpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Matrix.mpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Britney Spears Song text archive.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Britney Spears full album.mp3.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Eminem.mp3.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Britney Spears.mp3.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Eminem Song text archive.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Eminem Sexy archive.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Eminem full album.mp3.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Eminem Spears porn.jpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Ringtones.mp3.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Eminem sex xxx.jpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Ringtones.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Eminem blowjob.jpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Altkins Diet.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Eminem Poster.jpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\American Idol.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Cloning.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Saddam Hussein.jpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Arnold Schwarzenegger.jpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Windows 2003 crack.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Windows XP crack.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Adobe Photoshop 10 crack.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Microsoft WinXP Crack full.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Teen Porn 15.jpg.pif Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Adobe Premiere 10.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Adobe Photoshop 10 full.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Best Matrix Screensaver new.scr Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Porno Screensaver britney.scr Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Dark Angels new.pif Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\XXX hardcore pics.jpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Microsoft Office 2003 Crack best.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Serials edition.txt.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Screensaver2.scr Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Full album all.mp3.pif Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Ahead Nero 8.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\netsky source code.scr Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\E-Book Archive2.rtf.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Doom 3 release 2.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\How to hack new.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Learn Programming 2004.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\WinXP eBook newest.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Win Longhorn re.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Dictionary English 2004 - France.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\RFC compilation.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\1001 Sex and more.rtf.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\3D Studio Max 6 3dsmax.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Keygen 4 all new.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Windows 2000 Sourcecode.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Norton Antivirus 2005 beta.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Gimp 1.8 Full with Key.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Partitionsmagic 10 beta.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Star Office 9.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Magix Video Deluxe 5 beta.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Clone DVD 6.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\MS Service Pack 6.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\ACDSee 10.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Visual Studio Net Crack all.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Cracks & Warez Archiv.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\WinAmp 13 full.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\DivX 8.0 final.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Opera 11.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Internet Explorer 9 setup.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Smashing the stack full.rtf.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Ulead Keygen 2004.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\Lightwave 9 Update.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\wsFtp\The Sims 4 beta.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Backup\Software\vnc\vnc-4.0-x86_win32.zip/vnc-4.0-x86_win32.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
N:\Backup\Software\vnc\vnc-4.0-x86_win32.zip/vnc-4.0-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
N:\Backup\Software\vnc\vnc-4.0-x86_win32.zip/vnc-4.0-x86_win32.exe/data0006 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
N:\Backup\Software\vnc\vnc-4.0-x86_win32.zip/vnc-4.0-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
N:\Backup\Software\vnc\vnc-4.0-x86_win32.zip ZIP: infected - 4 skipped
N:\Backup\Software\vnc\vnc-4.0-x86_win32_viewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
N:\Backup\Software\vnc\vnc-4.0-x86_win32.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
N:\Backup\Software\vnc\vnc-4.0-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
N:\Backup\Software\vnc\vnc-4.0-x86_win32.exe/data0006 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
N:\Backup\Software\vnc\vnc-4.0-x86_win32.exe Inno: infected - 3 skipped
N:\Electrical\JERRY\Download\Kazaa Lite 4.0 new.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Britney Spears Sexy archive.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Kazaa new.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Britney Spears porn.jpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Harry Potter all e.book.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Britney sex xxx.jpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Harry Potter 1-6 book.txt.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Britney Spears blowjob.jpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Harry Potter e book.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Britney Spears cumshot.jpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Harry Potter.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Britney Spears bleep.jpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Harry Potter game.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Britney Spears.jpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Harry Potter 5.mpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Britney Spears and Eminem porn.jpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Matrix.mpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Britney Spears Song text archive.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Britney Spears full album.mp3.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Eminem.mp3.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Britney Spears.mp3.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Eminem Song text archive.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Eminem Sexy archive.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Eminem full album.mp3.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Eminem Spears porn.jpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Ringtones.mp3.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Eminem sex xxx.jpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Ringtones.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Eminem blowjob.jpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Altkins Diet.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Eminem Poster.jpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\American Idol.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Cloning.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Saddam Hussein.jpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Arnold Schwarzenegger.jpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Windows 2003 crack.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Windows XP crack.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Adobe Photoshop 10 crack.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Microsoft WinXP Crack full.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Teen Porn 15.jpg.pif Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Adobe Premiere 10.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Adobe Photoshop 10 full.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Best Matrix Screensaver new.scr Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Porno Screensaver britney.scr Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Dark Angels new.pif Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\XXX hardcore pics.jpg.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Microsoft Office 2003 Crack best.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Serials edition.txt.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Screensaver2.scr Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Full album all.mp3.pif Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Ahead Nero 8.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\netsky source code.scr Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\E-Book Archive2.rtf.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Doom 3 release 2.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\How to hack new.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Learn Programming 2004.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\WinXP eBook newest.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Win Longhorn re.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Dictionary English 2004 - France.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\RFC compilation.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\1001 Sex and more.rtf.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\3D Studio Max 6 3dsmax.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Keygen 4 all new.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Windows 2000 Sourcecode.doc.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Norton Antivirus 2005 beta.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Gimp 1.8 Full with Key.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Partitionsmagic 10 beta.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Star Office 9.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Magix Video Deluxe 5 beta.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Clone DVD 6.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\MS Service Pack 6.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\ACDSee 10.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Visual Studio Net Crack all.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Cracks & Warez Archiv.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\WinAmp 13 full.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\DivX 8.0 final.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Opera 11.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Internet Explorer 9 setup.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Smashing the stack full.rtf.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Ulead Keygen 2004.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\Lightwave 9 Update.exe Infected: Email-Worm.Win32.NetSky.q skipped
N:\Electrical\JERRY\Download\The Sims 4 beta.exe Infected: Email-Worm.Win32.NetSky.q skipped

Scan process completed.

#13 Shaba

    Koutsi

  • Members
  • 7,872 posts
  • Gender:Male
  • Location:Finland

Posted 22 August 2006 - 10:26 AM

Hi

Empty these folders:

N:\Backup\Software\wsFtp
N:\Electrical\JERRY\Download

Empty Recycle bin

Re-scan with Kaspersky

Send:

- a fresh HijackThis log
- Kaspersky report
Microsoft MVP Consumer Security

#14 Agent0013
  • Topic Starter

  • Members
  • 9 posts

Posted 22 August 2006 - 12:14 PM

New Kaspersky Report
-----------------------------------------
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, August 22, 2006 12:12:08 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 21/08/2006
Kaspersky Anti-Virus database records: 216927
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
N:\

Scan Statistics:
Total number of scanned objects: 125675
Number of viruses found: 22
Number of infected objects: 67 / 0
Number of suspicious objects: 2
Duration of the scan process: 01:26:01

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC30.zip/MTE3MTk6ODoxNg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC30.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\JN\Application Data\Microsoft\Outlook\outcmd.dat Object is locked skipped
C:\Documents and Settings\JN\Application Data\Microsoft\Outlook\outitems.log Object is locked skipped
C:\Documents and Settings\JN\Application Data\Mozilla\Firefox\Profiles\default.8v9\cert8.db Object is locked skipped
C:\Documents and Settings\JN\Application Data\Mozilla\Firefox\Profiles\default.8v9\formhistory.dat Object is locked skipped
C:\Documents and Settings\JN\Application Data\Mozilla\Firefox\Profiles\default.8v9\history.dat Object is locked skipped
C:\Documents and Settings\JN\Application Data\Mozilla\Firefox\Profiles\default.8v9\key3.db Object is locked skipped
C:\Documents and Settings\JN\Application Data\Mozilla\Firefox\Profiles\default.8v9\parent.lock Object is locked skipped
C:\Documents and Settings\JN\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\JN\Desktop\OiUninstaller.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\Documents and Settings\JN\Desktop\OiUninstaller.exe NSIS: infected - 1 skipped
C:\Documents and Settings\JN\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\JN\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Sent Items/14 Jun 2005 16:10 to Jerry Szerszen:vnc/vnc-4.0-x86_win32_viewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\JN\Local Settings\Application Data\Microsoft\Outlook\archive.pst Mail MS Mail: infected - 1 skipped
C:\Documents and Settings\JN\Local Settings\Application Data\Microsoft\Outlook\outlook.pst Object is locked skipped
C:\Documents and Settings\JN\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\JN\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\JN\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.8v9\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\JN\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.8v9\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\JN\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.8v9\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\JN\Local Settings\Application Data\Mozilla\Firefox\Profiles\default.8v9\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\JN\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\JN\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\JN\ntuser.dat Object is locked skipped
C:\Documents and Settings\JN\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\pedriver.txt Object is locked skipped
C:\Program Files\Cain\Abel.dll Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
C:\Program Files\Cain\Abel.exe Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
C:\Program Files\Cain\Cain.exe Infected: not-a-virus:PSWTool.Win32.Cain.288 skipped
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\debug.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\debug.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\error.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\error.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\hips.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\hips.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\ids.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\ids.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\network.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\network.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\system.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\system.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\warning.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\warning.log.idx Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\web.log Object is locked skipped
C:\Program Files\Sunbelt Software\Personal Firewall\logs\web.log.idx Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP544\A0116690.exe Infected: not-a-virus:AdWare.Win32.MediaTickets.w skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP547\A0116835.exe Infected: not-a-virus:AdWare.Win32.MediaTickets.w skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP547\A0116853.exe Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP547\A0116854.exe Infected: not-a-virus:PSWTool.Win32.Cain.288 skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP550\A0117931.dll Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP551\A0117984.exe Infected: Trojan-Downloader.Win32.Zlob.aef skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120272.exe Infected: Trojan-Downloader.Win32.Zlob.yj skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120284.exe Infected: not-a-virus:AdWare.Win32.PurityScan.et skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120303.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120314.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120338.exe Infected: Trojan-Downloader.Win32.Zlob.yj skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120349.exe Infected: Trojan-Downloader.Win32.Zlob.yj skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120350.exe Infected: Trojan-Downloader.Win32.Zlob.yj skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120352.exe Infected: not-virus:Hoax.Win32.Renos.eg skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120362.exe Infected: not-a-virus:AdWare.Win32.Agent.ag skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120367.dll Infected: not-a-virus:AdWare.Win32.Softomate.q skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120374.exe Infected: not-a-virus:AdWare.Win32.Trymedia.a skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120378.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.p skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120379.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.by skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120380.dll Infected: not-a-virus:AdWare.Win32.Mirar.a skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120381.exe Infected: not-a-virus:Downloader.Win32.WinFixer.i skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120382.exe Infected: not-a-virus:Downloader.Win32.WinFixer.i skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120383.exe Infected: not-a-virus:Downloader.Win32.WinFixer.i skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120384.exe Infected: not-a-virus:Downloader.Win32.WinFixer.i skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120385.exe Infected: not-a-virus:Downloader.Win32.WinFixer.i skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120386.exe Infected: not-a-virus:Downloader.Win32.WinFixer.i skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120387.exe Infected: not-a-virus:Downloader.Win32.WinFixer.i skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP555\A0120388.exe Infected: not-a-virus:Downloader.Win32.WinFixer.i skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP556\A0120507.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.da skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP556\A0120508.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.da skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP556\A0120509.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.by skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP556\A0120510.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.by skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP556\A0122345.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP556\change.log Object is locked skipped
C:\temp\~DF9F0.tmp Object is locked skipped
C:\temp\~DF9FB.tmp Object is locked skipped
C:\vnc-4.0-x86_win32_viewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\VundoFix Backups\gebcc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.da skipped
C:\VundoFix Backups\ljjjghe.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.by skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Shared\Tunnel\vnc-4_1_1-x86_win32.exe/data0001 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4110 skipped
D:\Shared\Tunnel\vnc-4_1_1-x86_win32.exe Inno: infected - 1 skipped
D:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP556\change.log Object is locked skipped
D:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP556\A0122336.exe Infected: not-virus:BadJoke.Win32.Delf.af skipped
D:\Downloads\cain&abel_setup.exe/WISE0017.BIN Infected: not-a-virus:PSWTool.Win32.Cain.288 skipped
D:\Downloads\cain&abel_setup.exe/WISE0023.BIN Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
D:\Downloads\cain&abel_setup.exe/WISE0025.BIN Infected: not-a-virus:PSWTool.Win32.Cain.284 skipped
D:\Downloads\cain&abel_setup.exe WiseSFX: infected - 3 skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\System Volume Information\_restore{6A64D125-25C3-44A2-A8F1-8BAE03E037F7}\RP556\change.log Object is locked skipped
N:\Backup\Software\CombiMovie\xvid activate_crack.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.SideSearch.g skipped
N:\Backup\Software\CombiMovie\xvid activate_crack.exe/stream Infected: not-a-virus:AdWare.Win32.SideSearch.g skipped
N:\Backup\Software\CombiMovie\xvid activate_crack.exe NSIS: infected - 2 skipped
N:\Backup\Software\vnc\vnc-4.0-x86_win32.zip/vnc-4.0-x86_win32.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
N:\Backup\Software\vnc\vnc-4.0-x86_win32.zip/vnc-4.0-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
N:\Backup\Software\vnc\vnc-4.0-x86_win32.zip/vnc-4.0-x86_win32.exe/data0006 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
N:\Backup\Software\vnc\vnc-4.0-x86_win32.zip/vnc-4.0-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
N:\Backup\Software\vnc\vnc-4.0-x86_win32.zip ZIP: infected - 4 skipped
N:\Backup\Software\vnc\vnc-4.0-x86_win32_viewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
N:\Backup\Software\vnc\vnc-4.0-x86_win32.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
N:\Backup\Software\vnc\vnc-4.0-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
N:\Backup\Software\vnc\vnc-4.0-x86_win32.exe/data0006 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
N:\Backup\Software\vnc\vnc-4.0-x86_win32.exe Inno: infected - 3 skipped
N:\Electrical\Dance Dance Revolution\DDR WIRING DIAGRAM 1.dwg Object is locked skipped
N:\Electrical\JUKEBOX\C-Swt&Outlet.dwg Object is locked skipped

Scan process completed.



New HijackThis Log
---------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 12:12:22 PM, on 8/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
C:\WINDOWS\System32\mgabg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Sunbelt Software\Personal Firewall\kpf4gui.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\MICROS~2\Office\OUTLOOK.EXE
C:\Documents and Settings\JN\Desktop\HJT.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.2:3128
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [\\EFS\EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P32 "\\EFS\EPSON Stylus CX6600 Series" /O6 "USB001" /M "Stylus CX6600"
O4 - HKLM\..\Run: [Auto EPSON Stylus CX6600 Series on EFS] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P38 "Auto EPSON Stylus CX6600 Series on EFS" /O14 "\\EFS\EPSONSty" /M "Stylus CX6600"
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.25.0\gnotify.exe
O4 - HKLM\..\Run: [Auto EPSON Stylus CX6600 Series on TED] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P38 "Auto EPSON Stylus CX6600 Series on TED" /O15 "\\TED\EPSONS_ME" /M "Stylus CX6600"
O4 - HKLM\..\Run: [EPSON Stylus CX6600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9EA.EXE /P26 "EPSON Stylus CX6600 Series" /O5 "LPT1:" /M "Stylus CX6600"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [\\EFS\EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P32 "\\EFS\EPSON Stylus CX7800 Series" /O6 "USB002" /M "Stylus CX7800"
O4 - HKLM\..\Run: [\\TED\EPSON Stylus CX7800 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P32 "\\TED\EPSON Stylus CX7800 Series" /O6 "USB004" /M "Stylus CX7800"
O4 - HKLM\..\Run: [Auto EPSON Stylus CX7800 Series on TED] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAFA.EXE /P38 "Auto EPSON Stylus CX7800 Series on TED" /O18 "\\TED\StylusCX7800" /M "Stylus CX7800"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1136579410214
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{20D62392-B207-4133-B7D6-1D2E37F2A50D}: NameServer = 192.168.1.2,65.106.1.196
O17 - HKLM\System\CS1\Services\Tcpip\..\{20D62392-B207-4133-B7D6-1D2E37F2A50D}: NameServer = 192.168.1.2,65.106.1.196
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Sunbelt Kerio Personal Firewall 4 (KPF4) - Sunbelt Software - C:\Program Files\Sunbelt Software\Personal Firewall\kpf4ss.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\System32\mgabg.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)

#15 Shaba

Shaba

    Koutsi


  • Members
  • 7,872 posts
  • Gender:Male
  • Location:Finland

Posted 22 August 2006 - 12:17 PM

Hi

Logs look good.

Do you still have problems?

Microsoft MVP Consumer Security



