
Hijacked By Porn And Poker


10 replies to this topic

#1 holtz73

Posted 23 September 2006 - 09:15 AM

Here is my log. An additional Explorer window opens with either a porn site or a poker site.

Thanks in advance!!

Logfile of HijackThis v1.99.1
Scan saved at 9:11:39 AM, on 9/23/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\Program Files\Norton Personal Firewall\NISUM.EXE
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\lxamsp32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - C:\Program Files\Hewlett-Packard\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: customize__IE.lnk = C:\hp\region\customizeIe.wsf
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: MsnFixer.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://remoteweb.tasksunlimited.org/msrdp.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



#2 Guest_Cretemonster_*

Posted 23 September 2006 - 09:56 AM

Hi holtz73 and Welcome to the Bleeping Computer!


Download combofix.exe but don't use it just yet.
http://download.bleepingcomputer.com/sUBs/combofix.exe


Go to Add\Remove Programs and remove Party Poker if you did not install it and don't use it.


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\System32\vbsys2.dll

  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Select Delete on Reboot and Unregister .dll before Deleting
  • then Click on the All Files button.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.


Reboot into SAFE MODE(Tap F8 when restarting)


Open HijackThis -> Click "Do a System Scan Only" and put a check by these, but DO NOT hit the Fix Checked button yet

O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)

O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button


Locate and delete this folder --> C:\Program Files\PartyPoker


Still in Safe Mode --> Double-click combofix.exe & follow the prompts.

When finished, it shall produce a log for you. Please save that log and post it in the next reply.

Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.



Restart Normal and Scan fresh with HijackThis.

Post back with the HijackThis log and the log from ComboFix.
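
Added example (not part of the thread, and not code from HijackThis, ComboFix or Killbox): a small Python script that parses the HijackThis 1.99 log format and pulls out the kinds of entries the reply above singles out. It flags an O21 SSODL entry whose CLSID is not one of the four Windows XP defaults (the default set is copied from the ComboFix "Reg Loading Points" dump in post #3), O9 buttons or menu items marked "(file missing)", Run keys whose program (or, for rundll32, the module it loads) carries no full path, and startup shortcuts whose target could not be resolved. Flagged lines are things to verify, not verdicts: nwiz.exe and lxamsp32.exe are the NVIDIA and Lexmark components the log shows and resolve from System32. SAMPLE is a constructed excerpt of the log in post #1; DEFAULT_SSODL, triage and executable_of are names chosen here.

```python
import re

# Windows XP default ShellServiceObjectDelayLoad CLSIDs, copied from the
# ComboFix "Reg Loading Points" dump posted in this thread (assumption:
# this list is complete for an XP SP1 box like the one in the log).
DEFAULT_SSODL = {
    "{7849596A-48EA-486E-8937-A2A3009F31A9}",  # PostBootReminder
    "{FBEB8A05-BEEE-4442-804E-409D6C4515E9}",  # CDBurn
    "{E6FB5E20-DE35-11CF-9C87-00AA005127ED}",  # WebCheck
    "{35CEC8A3-2BE6-11D2-8773-92E220524153}",  # SysTray
}

LINE_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
O4_RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[([^\]]*)\] (.*)$")
O4_STARTUP_RE = re.compile(r"^(?:Global )?Startup: (.+?) = (.*)$")

# Constructed excerpt of the HijackThis log in post #1.
SAMPLE = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: MsnFixer.lnk = ?
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll
"""


def executable_of(command):
    """Program a Run-key command line starts; for a rundll32 host, the module it loads."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe = command[1:end] if end > 0 else command[1:]
        rest = command[end + 1:] if end > 0 else ""
    else:
        exe, _, rest = command.partition(" ")
    if exe.lower().endswith("rundll32.exe"):
        # rundll32 itself is benign; what matters is the DLL it is told to load.
        return rest.strip().partition(",")[0].strip()
    return exe


def is_qualified(path):
    """True when the path starts with a drive letter or a UNC prefix."""
    return re.match(r"^(?:[A-Za-z]:\\|\\\\)", path) is not None


def triage(log_text):
    """Return (section, reason, detail) tuples for log lines worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, body = m.groups()
        tail = body.split(" - ")[-1].strip()  # last field is the file/command
        if section == "O21":
            clsid = CLSID_RE.search(body)
            if clsid is None or clsid.group(0).upper() not in DEFAULT_SSODL:
                findings.append((section, "non-default SSODL entry", tail))
        elif section == "O9" and body.endswith("(file missing)"):
            findings.append((section, "dangling IE button/menu item", tail))
        elif section == "O4":
            run = O4_RUN_RE.match(body)
            startup = O4_STARTUP_RE.match(body)
            if run and not is_qualified(executable_of(run.group(2))):
                findings.append((section, "unqualified executable path", run.group(2)))
            elif startup and startup.group(2).strip() == "?":
                findings.append((section, "unresolved startup shortcut", startup.group(1)))
    return findings


if __name__ == "__main__":
    for section, reason, detail in triage(SAMPLE):
        print(f"{section:4} {reason:32} {detail}")
```

Run it as a script to list the flagged lines for the sample, or call triage() on the text of a saved log. The O21 check is the important one here: a ShellServiceObjectDelayLoad entry is loaded into explorer.exe at every logon, so a CLSID outside the default set pointing at a DLL in System32 deserves a look even when the name sounds like a system component.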

#3 holtz73

Posted 24 September 2006 - 10:37 AM

Combofix Log and Hijack This Log:

COMBOFIX LOG

Owner - 06-09-24 10:16:31.93 Service Pack 1
ComboFix 06.09.23.2 - Running from: "C:\Documents and Settings\Owner\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-08-24 to 2006-09-24 ))))))))))))))))))))))))))))))))))


2006-08-28 12:47 90,112 --a------ C:\vbsys2.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-24 10:08 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-24 10:07 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-09-24 10:07 -------- d-------- C:\Program Files\Common Files
2006-09-23 17:44 -------- d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2006-09-23 09:43 -------- d-------- C:\Program Files\Bodog Poker
2006-08-29 09:38 -------- d-------- C:\Program Files\SpywareBlaster
2006-08-29 09:14 -------- d-------- C:\Program Files\Lavasoft
2006-08-29 09:14 -------- d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-08-17 02:21 43672 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS
2006-08-17 02:07 5337 --a------ C:\Documents and Settings\Owner\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log
2006-08-15 17:50 -------- d-------- C:\Program Files\Java
2006-08-15 17:50 -------- d-------- C:\Program Files\Common Files\Java
2006-08-15 17:50 -------- d-------- C:\Documents and Settings\Owner\Application Data\Sun
2006-08-03 00:23 -------- d-------- C:\Program Files\Savings Bond Wizard


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="rundll32.exe nview.dll,nViewLoadHook"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"BackupNotify"="c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\backupnotify.exe"
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\mnyexpr.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"Sunkist2k"="C:\\Program Files\\Multimedia Card Reader\\shwicon2k.exe"
"StorageGuard"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"nwiz"="nwiz.exe /installquiet /keeploaded /nodetect"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mimboot.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HPHUPD05"="c:\\Program Files\\Hewlett-Packard\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphupd05.exe"
"HPHmon05"="C:\\WINDOWS\\System32\\hphmon05.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"ccRegVfy"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"CamMonitor"="c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\\\Unload\\hpqcmon.exe"
"AutoTKit"="C:\\hp\\bin\\AUTOTKIT.EXE"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"lxamsp32.exe"="lxamsp32.exe"
"PrinTray"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Sun 09/24/2006 10:17:03.17
ComboFix.txt




HIJACK THIS LOG

Logfile of HijackThis v1.99.1
Scan saved at 10:25:35 AM, on 9/24/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\Program Files\Norton Personal Firewall\NISUM.EXE
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\lxamsp32.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: customize__IE.lnk = C:\hp\region\customizeIe.wsf
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: MsnFixer.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://remoteweb.tasksunlimited.org/msrdp.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#4 Guest_Cretemonster_*

Posted 24 September 2006 - 11:04 AM

Use Killbox again, just as before, and remove the file listed below, please.

C:\vbsys2.dll


Restart Normal and Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the Instruction on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy & paste the entire report in your next reply.


#5 holtz73

Posted 25 September 2006 - 10:26 AM

Here is the report. Also I have been getting a runner error upon start up that says: Invalid BackWeb application id "137903". Not sure exactly what that is either. Here is the report.


Result: 24 malware found
Backdoor.Win32.ForBot.l (virus)

* C:\WINDOWS\SYSTEM32\MSPRC.EXE (Renamed & Submitted)

Backdoor.Win32.SdBot.yx (virus)

* C:\WINDOWS\SYSTEM32\QPWS32.EXE (Renamed & Submitted)

Text/BotFTP.gen (virus)

* C:\WINDOWS\SYSTEM32\EQ (Submitted)

Trojan-Clicker.Win32.Agent.ac (virus)

* C:\!KILLBOX\VBSYS2.DLL (Renamed)

Trojan-Clicker.Win32.Small.dv (virus)

* C:\WINDOWS\SYSTEM32\107468.EXE (Renamed & Submitted)
* C:\WINDOWS\SYSTEM32\126765.EXE (Renamed & Submitted)
* C:\WINDOWS\SYSTEM32\129375.EXE (Renamed)
* C:\WINDOWS\SYSTEM32\132000.EXE (Renamed)
* C:\WINDOWS\SYSTEM32\178250.EXE (Renamed & Submitted)
* C:\WINDOWS\SYSTEM32\179015.EXE (Renamed)
* C:\WINDOWS\SYSTEM32\21678781.EXE (Renamed & Submitted)
* C:\WINDOWS\SYSTEM32\25002890.EXE (Renamed)
* C:\WINDOWS\SYSTEM32\70343.EXE (Renamed)
* C:\WINDOWS\SYSTEM32\70640.EXE (Renamed & Submitted)
* C:\WINDOWS\SYSTEM32\72875.EXE (Renamed)
* C:\WINDOWS\SYSTEM32\9739109.EXE (Renamed)

Trojan-Downloader.Win32.Petrolin.a (virus)

* C:\PROGRAM FILES\INTERNET EXPLORER\TVIYHWOS.EXE (Renamed)

Virus.Win32.Bayan-based (virus)

* C:\WINDOWS\SYSTEM32\ADSLKADP.DLL (Submitted)
* C:\WINDOWS\SYSTEM32\CMDIRSES.DLL (Submitted)
* C:\WINDOWS\SYSTEM32\DMIN0850.DLL (Submitted)
* C:\WINDOWS\SYSTEM32\IGFXUPNP.DLL (Submitted)
* C:\WINDOWS\SYSTEM32\MCD3ACLS.DLL (Submitted)
* C:\WINDOWS\SYSTEM32\PNCRMCTL.DLL (Submitted)
* C:\WINDOWS\SYSTEM32\PRODFXDO.DLL (Submitted)

Statistics
Scanned:

* Files: 32624
* System: 5411
* Not scanned: 10

Actions:

* Disinfected: 0
* Renamed: 16
* Deleted: 0
* None: 8
* Submitted: 15

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\$NTUNINSTALLKB837001$\DAO360.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\CALLCONT.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\RTCDLL.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\CATSRV.DLL
* C:\WINDOWS\$NTUNINSTALLKB828035$\MSGSVC.DLL
* C:\WINDOWS\$NTUNINSTALLKB824141$\USER32.DLL
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\EA563F5ED0B8EA72081A19B9B561DD25_E1B056D7-1C4B-48F4-AA7E-77631EA68A76

Options
Scanning engines:

* F-Secure AVP: 6.0.171, 2006-09-25
* F-Secure Libra: 2.4.1, 2006-09-25
* F-Secure Orion: 1.2.37, 2006-09-21
* F-Secure Blacklight: 1.0.31, 0000-00-00
* F-Secure Pegasus: 1.19.0, 2006-08-14
* F-Secure Draco: 1.0.35, 0259-24-212

Scanning options:

* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB LNK WSF {* PDF ZL? XML ZIP XXX
* Use Advanced heuristics

#6 Guest_Cretemonster_*

Posted 25 September 2006 - 12:48 PM

The error is probably associated with this entry in HijackThis

O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe

That the HP updates and some of the BackWeb-137903.exe may have been flagged as infected,so the file is probably missing.

You can go to the Program folder and see if the file is there.


Download this program:

Submit Files Packer
http://www.safer-networking.org/files/sfp.zip

Highlight the entries listed below in bold and right-click, then select Copy.


C:\WINDOWS\SYSTEM32\ADSLKADP.DLL
C:\WINDOWS\SYSTEM32\CMDIRSES.DLL
C:\WINDOWS\SYSTEM32\DMIN0850.DLL
C:\WINDOWS\SYSTEM32\IGFXUPNP.DLL
C:\WINDOWS\SYSTEM32\MCD3ACLS.DLL
C:\WINDOWS\SYSTEM32\PNCRMCTL.DLL
C:\WINDOWS\SYSTEM32\PRODFXDO.DLL



Then start the file packer program and right click in the white box and select paste to paste the copied file names in the field.

Then press the Continue button.

It will create an archive with these files and a small log on your Desktop that starts with a name like requested-file[date].cab.

Rename this file to yourmembername.cab (for example Monster.cab).

Then go to:
http://www.uploadmalware.com/
and fill in the required fields and browse to this file on your desktop. Finally click on the Send File button.



Go to Safe Mode and be sure Windows is Showing Hidden Files
http://www.bleepingcomputer.com/tutorials/...al62.html#winxp


F-Secure renamed some files I would like you to locate and remove please.

These files will have an added extension to them now, similar to:

C:\WINDOWS\SYSTEM32\MSPRC.EXE.old

C:\WINDOWS\SYSTEM32\MSPRC.EXE.bak

C:\WINDOWS\SYSTEM32\MSPRC.EXE.vir



C:\WINDOWS\SYSTEM32\MSPRC.EXE (Renamed & Submitted)
C:\WINDOWS\SYSTEM32\QPWS32.EXE (Renamed & Submitted)
C:\WINDOWS\SYSTEM32\107468.EXE (Renamed & Submitted)
C:\WINDOWS\SYSTEM32\126765.EXE (Renamed & Submitted)
C:\WINDOWS\SYSTEM32\129375.EXE (Renamed)
C:\WINDOWS\SYSTEM32\132000.EXE (Renamed)
C:\WINDOWS\SYSTEM32\178250.EXE (Renamed & Submitted)
C:\WINDOWS\SYSTEM32\179015.EXE (Renamed)
C:\WINDOWS\SYSTEM32\21678781.EXE (Renamed & Submitted)
C:\WINDOWS\SYSTEM32\25002890.EXE (Renamed)
C:\WINDOWS\SYSTEM32\70343.EXE (Renamed)
C:\WINDOWS\SYSTEM32\70640.EXE (Renamed & Submitted)
C:\WINDOWS\SYSTEM32\72875.EXE (Renamed)
C:\WINDOWS\SYSTEM32\9739109.EXE (Renamed)
C:\PROGRAM FILES\INTERNET EXPLORER\TVIYHWOS.EXE (Renamed)



C:\WINDOWS\SYSTEM32\EQ (Submitted) <--- Delete if found.


Keep track of any files you can find or delete.


After deleting all these files, I'd like to see if you can locate all of the following:

C:\WINDOWS\SYSTEM32\ADSLKADP.DLL
C:\WINDOWS\SYSTEM32\CMDIRSES.DLL
C:\WINDOWS\SYSTEM32\DMIN0850.DLL
C:\WINDOWS\SYSTEM32\IGFXUPNP.DLL
C:\WINDOWS\SYSTEM32\MCD3ACLS.DLL
C:\WINDOWS\SYSTEM32\PNCRMCTL.DLL
C:\WINDOWS\SYSTEM32\PRODFXDO.DLL


Restart Normal and run the F-Secure scanner once more please.

Post the report from that scan in the next reply.
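The steps above amount to reading the F-Secure report by hand: every "(Renamed ...)" entry has to be looked for under a new name, and every entry the scanner only submitted has to be found and removed under its original name. The following is an added example, not code from the thread, F-Secure or BleepingComputer. It parses a report in the format pasted above (the "Result: N malware found" line, one verdict heading per family, then "* path (Action)" lines) and builds that checklist. It assumes the three rename suffixes listed above (.old, .bak, .vir); the sample report excerpt and the FAKE_DISK file set are constructed so the code runs offline, and the `exists` callback can be swapped for `os.path.exists` on the affected machine.

```python
"""Turn an F-Secure Online Scanner report into a by-hand cleanup checklist.

Added example for this thread, not code from F-Secure or BleepingComputer.
Assumes the report format pasted above ("Result: N malware found", a verdict
heading per family, then "* path (Action)" lines) and the three rename
suffixes Cretemonster lists (.old, .bak, .vir).
"""
import os
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Suffixes F-Secure appends when it renames rather than deletes a file.
RENAME_SUFFIXES = (".old", ".bak", ".vir")

# Verdict heading, e.g. "Virus.Win32.Bayan-based (virus)", "Tracking Cookie (spyware)"
VERDICT_RE = re.compile(r"^(?P<name>[^*\s].*?)\s+\((?P<kind>[a-z]+)\)\s*$")
# File entry, e.g. "* C:\WINDOWS\SYSTEM32\MSPRC.EXE (Renamed & Submitted)", "* System"
FILE_RE = re.compile(r"^\*\s+(?P<path>.+?)(?:\s+\((?P<actions>[^()]*)\))?\s*$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


@dataclass
class Detection:
    verdict: str                 # family name from the heading line
    kind: str                    # "virus", "spyware", ...
    path: str                    # path exactly as printed in the report
    actions: List[str] = field(default_factory=list)   # e.g. ["Renamed", "Submitted"]


def parse_report(text: str) -> List[Detection]:
    """Collect the per-file entries that precede the 'Statistics' block."""
    detections: List[Detection] = []
    verdict = kind = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Result:"):
            continue
        if line.startswith("Statistics"):      # the counters below reuse the "* " prefix
            break
        m = VERDICT_RE.match(line)
        if m:
            verdict, kind = m.group("name"), m.group("kind")
            continue
        m = FILE_RE.match(line)
        if m and verdict is not None:
            acts = [a.strip() for a in (m.group("actions") or "").split("&") if a.strip()]
            detections.append(Detection(verdict, kind, m.group("path"), acts))
    return detections


def rename_candidates(path: str) -> List[str]:
    """Names a renamed file may now carry on disk."""
    return [path + suffix for suffix in RENAME_SUFFIXES]


def build_checklist(detections: List[Detection],
                    exists: Callable[[str], bool] = os.path.exists) -> Dict[str, List[str]]:
    """Map each real file path to the names still present on disk.

    Renamed entries are looked for under their .old/.bak/.vir names; entries the
    scanner only submitted or left alone are looked for under the original name,
    since those still have to be removed by hand.  `exists` is injectable so the
    logic can be checked offline against a constructed file set.
    """
    checklist: Dict[str, List[str]] = {}
    for d in detections:
        if not DRIVE_PATH_RE.match(d.path):     # skip pseudo-entries such as "System"
            continue
        names = rename_candidates(d.path) if "Renamed" in d.actions else [d.path]
        checklist[d.path] = [n for n in names if exists(n)]
    return checklist


# Constructed excerpt in the thread's report format.  ADSLKADP.DLL and its verdict
# come from the report above; the two renamed .EXE entries are placed under a
# made-up verdict name for illustration.
SAMPLE_REPORT = """\
Result: 4 malware found
Tracking Cookie (spyware)

* System (Disinfected)

Virus.Win32.Bayan-based (virus)

* C:\\WINDOWS\\SYSTEM32\\ADSLKADP.DLL (Submitted)

Example.Constructed.Verdict (virus)

* C:\\WINDOWS\\SYSTEM32\\MSPRC.EXE (Renamed & Submitted)
* C:\\WINDOWS\\SYSTEM32\\129375.EXE (Renamed)

Statistics
Scanned:

* Files: 32885
"""

# Constructed stand-in for the file system of the infected machine.
FAKE_DISK = {
    "C:\\WINDOWS\\SYSTEM32\\ADSLKADP.DLL",     # never renamed, still in place
    "C:\\WINDOWS\\SYSTEM32\\MSPRC.EXE.vir",    # renamed copy still in place
    # 129375.EXE: gone under every name, like holtz73's "NOT FOUND" entries
}

if __name__ == "__main__":
    for path, present in build_checklist(parse_report(SAMPLE_REPORT),
                                         FAKE_DISK.__contains__).items():
        print(f"{path}: {', '.join(present) if present else 'not found'}")
```

The drive-letter filter is what keeps the "System" pseudo-entries of a Tracking Cookie verdict out of the checklist; everything with a real path ends up either as a list of names still present or as an empty list, which is the "NOT FOUND" outcome reported later in the thread.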

#7 holtz73

holtz73
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE

Posted 30 September 2006 - 12:48 PM

I could not find the backweb id that comes up upon start up. Should I delete it via hijack this? Thanks for your help.


NOT FOUND:
C:\WINDOWS\SYSTEM32\MSPRC.EXE (Renamed & Submitted)
C:\WINDOWS\SYSTEM32\QPWS32.EXE (Renamed & Submitted)
C:\WINDOWS\SYSTEM32\107468.EXE (Renamed & Submitted)
C:\WINDOWS\SYSTEM32\126765.EXE (Renamed & Submitted)
C:\WINDOWS\SYSTEM32\129375.EXE (Renamed)
C:\WINDOWS\SYSTEM32\132000.EXE (Renamed)
C:\WINDOWS\SYSTEM32\178250.EXE (Renamed & Submitted)
C:\WINDOWS\SYSTEM32\179015.EXE (Renamed)
C:\WINDOWS\SYSTEM32\21678781.EXE (Renamed & Submitted)
C:\WINDOWS\SYSTEM32\25002890.EXE (Renamed)
C:\WINDOWS\SYSTEM32\70343.EXE (Renamed)
C:\WINDOWS\SYSTEM32\70640.EXE (Renamed & Submitted)
C:\WINDOWS\SYSTEM32\72875.EXE (Renamed)
C:\WINDOWS\SYSTEM32\9739109.EXE (Renamed)
C:\PROGRAM FILES\INTERNET EXPLORER\TVIYHWOS.EXE (Renamed)


FOUND & DELETED:
C:\WINDOWS\SYSTEM32\EQ (Submitted)


FOUND:
C:\WINDOWS\SYSTEM32\ADSLKADP.DLL
C:\WINDOWS\SYSTEM32\CMDIRSES.DLL
C:\WINDOWS\SYSTEM32\DMIN0850.DLL
C:\WINDOWS\SYSTEM32\IGFXUPNP.DLL
C:\WINDOWS\SYSTEM32\MCD3ACLS.DLL
C:\WINDOWS\SYSTEM32\PNCRMCTL.DLL
C:\WINDOWS\SYSTEM32\PRODFXDO.DLL

Result: 10 malware found
Text/BotFTP.gen (virus)

* C:\RECYCLER\S-1-5-21-3283024624-3087211417-4239643465-1003\DC3

Tracking Cookie (spyware)

* System (Disinfected)
* System

Virus.Win32.Bayan-based (virus)

* C:\WINDOWS\SYSTEM32\ADSLKADP.DLL
* C:\WINDOWS\SYSTEM32\CMDIRSES.DLL
* C:\WINDOWS\SYSTEM32\DMIN0850.DLL
* C:\WINDOWS\SYSTEM32\IGFXUPNP.DLL
* C:\WINDOWS\SYSTEM32\MCD3ACLS.DLL
* C:\WINDOWS\SYSTEM32\PNCRMCTL.DLL
* C:\WINDOWS\SYSTEM32\PRODFXDO.DLL

Statistics
Scanned:

* Files: 32885
* System: 5431
* Not scanned: 11

Actions:

* Disinfected: 1
* Renamed: 0
* Deleted: 0
* None: 9
* Submitted: 0

Files not scanned:

* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{53CF7DF3-018D-49BB-A7FB-E36E8B9706DD}.BIN
* C:\WINDOWS\$NTUNINSTALLKB837001$\DAO360.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\CALLCONT.DLL
* C:\WINDOWS\$NTUNINSTALLKB835732$\RTCDLL.DLL
* C:\WINDOWS\$NTUNINSTALLKB828741$\CATSRV.DLL
* C:\WINDOWS\$NTUNINSTALLKB828035$\MSGSVC.DLL
* C:\WINDOWS\$NTUNINSTALLKB824141$\USER32.DLL
* C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\MICROSOFT\CRYPTO\RSA\MACHINEKEYS\EA563F5ED0B8EA72081A19B9B561DD25_E1B056D7-1C4B-48F4-AA7E-77631EA68A76

#8 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 30 September 2006 - 02:05 PM

Use Killbox again--> Delete on Reboot and Unregister .dll

C:\WINDOWS\SYSTEM32\ADSLKADP.DLL
C:\WINDOWS\SYSTEM32\CMDIRSES.DLL
C:\WINDOWS\SYSTEM32\DMIN0850.DLL
C:\WINDOWS\SYSTEM32\IGFXUPNP.DLL
C:\WINDOWS\SYSTEM32\MCD3ACLS.DLL
C:\WINDOWS\SYSTEM32\PNCRMCTL.DLL
C:\WINDOWS\SYSTEM32\PRODFXDO.DLL



Copy all the above and use the Paste from Clipboard option in Killbox.


Restart in Safe Mode and scan with ComboFix again, then save the log.


Restart Normal and post a fresh HijackThis log and the log from ComboFix.


After posting those 2 logs, please run the Bit Defender Online Scan
http://www.bitdefender.com/scan8/ie.html

You must use Internet Explorer for this scanner.

Install the ActiveX and Click on "Click here to Scan"

Allow it to update and Scan the Machine.

It should disinfect or delete whatever it finds that is infected.

Save the report it generates in a text format please and post it in the next reply.

#9 holtz73

holtz73
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE

Posted 15 October 2006 - 07:44 PM

Thank you for your help!!


Logfile of HijackThis v1.99.1
Scan saved at 7:39:58 PM, on 10/15/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\Program Files\Norton Personal Firewall\NISUM.EXE
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mim.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\lxamsp32.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Microsoft Money\System\mnyexpr.exe
C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
C:\Program Files\LexmarkX63\ACMonitor_X63.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqgalry.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet /keeploaded /nodetect
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [lxamsp32.exe] lxamsp32.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: AcBtnMgr_X63.exe.lnk = C:\Program Files\LexmarkX63\AcBtnMgr_X63.exe
O4 - Global Startup: ACMonitor_X63.exe.lnk = C:\Program Files\LexmarkX63\ACMonitor_X63.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: customize__IE.lnk = C:\hp\region\customizeIe.wsf
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: MsnFixer.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Bodog Poker - {F47C1DB5-ED21-4dc1-853E-D1495792D4C5} - C:\Program Files\Bodog Poker\BPGame.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://remoteweb.tasksunlimited.org/msrdp.cab
O16 - DPF: {85D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin class) - http://secure2.comned.com/signuptemplates/...login-devel.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols3/fscax.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/...ro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Owner - 06-10-15 19:35:40.50 Service Pack 1
ComboFix 06.09.23.2 - Running from: "C:\Documents and Settings\Owner\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-15 to 2006-10-15 ))))))))))))))))))))))))))))))))))


2006-09-25 22:00 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2006-09-25 22:00 41,240 --a------ C:\WINDOWS\system32\wups.dll
2006-09-25 22:00 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2006-09-25 22:00 173,536 --a------ C:\WINDOWS\system32\wuweb.dll
2006-09-25 22:00 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2006-09-25 22:00 127,256 --a------ C:\WINDOWS\system32\wucltui.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-15 19:30 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-15 19:30 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-10-15 19:30 -------- d-------- C:\Program Files\Common Files
2006-10-15 19:28 762243 --a------ C:\WINDOWS\system32\msdrs.dll
2006-10-15 19:28 236267 --a------ C:\WINDOWS\system32\ntrshp.dll
2006-10-13 10:08 -------- d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2006-09-25 22:00 -------- d--h----- C:\Program Files\WindowsUpdate
2006-09-25 10:22 -------- d-------- C:\Program Files\Internet Explorer
2006-09-23 09:43 -------- d-------- C:\Program Files\Bodog Poker
2006-08-29 09:38 -------- d-------- C:\Program Files\SpywareBlaster
2006-08-29 09:14 -------- d-------- C:\Program Files\Lavasoft
2006-08-29 09:14 -------- d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-08-17 02:21 43672 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS
2006-08-17 02:07 5337 --a------ C:\Documents and Settings\Owner\Application Data\GdiplusUpgrade_MSIApproach_Wrapper.log
2006-08-15 17:50 -------- d-------- C:\Program Files\Java
2006-08-15 17:50 -------- d-------- C:\Program Files\Common Files\Java
2006-08-15 17:50 -------- d-------- C:\Documents and Settings\Owner\Application Data\Sun


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVIEW"="rundll32.exe nview.dll,nViewLoadHook"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"BackupNotify"="c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\bin\\backupnotify.exe"
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\mnyexpr.exe\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe"
"Sunkist2k"="C:\\Program Files\\Multimedia Card Reader\\shwicon2k.exe"
"StorageGuard"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"nwiz"="nwiz.exe /installquiet /keeploaded /nodetect"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"MimBoot"="C:\\PROGRA~1\\MUSICM~1\\MUSICM~1\\mimboot.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HPHUPD05"="c:\\Program Files\\Hewlett-Packard\\{45B6180B-DCAB-4093-8EE8-6164457517F0}\\hphupd05.exe"
"HPHmon05"="C:\\WINDOWS\\System32\\hphmon05.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"ccRegVfy"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"CamMonitor"="c:\\Program Files\\Hewlett-Packard\\Digital Imaging\\\\Unload\\hpqcmon.exe"
"AutoTKit"="C:\\hp\\bin\\AUTOTKIT.EXE"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"lxamsp32.exe"="lxamsp32.exe"
"PrinTray"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\printray.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Sun 10/15/2006 19:36:55.68
ComboFix.txt
ComboFix2.txt

#10 holtz73

holtz73
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE

Posted 15 October 2006 - 09:06 PM

BitDefender Online Scanner

Scan report generated at: Sun, Oct 15, 2006 - 21:00:32

Scan path: A:\;C:\;D:\;E:\;G:\;H:\;I:\;J:\;K:\;L:\;

Statistics
Time: 01:14:40
Files: 499827
Folders: 5094
Boot Sectors: 3
Archives: 19382
Packed Files: 52689

Results
Identified Viruses: 14
Infected Files: 55
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 55

Engines Info
Virus Definitions: 476385
Engine build: AVCORE v1.0 (build 2310) (i386) (Apr 17 2006 16:24:38)
Scan plugins: 13
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File / Status

C:\!KillBox\igfxupnp.dll
    Infected with: GenPack:Generic.Malware.SFYBV.A4294D0B
    Disinfection failed
    Deleted

C:\!KillBox\mcd3acls.dll
    Infected with: GenPack:Generic.Malware.SFYBV.3C18E60F
    Disinfection failed
    Deleted

C:\!KillBox\pncrmctl.dll
    Infected with: GenPack:Generic.Malware.SFYBV.DA7C24B3
    Disinfection failed
    Deleted

C:\!KillBox\VBSYS2.0LL
    Infected with: Trojan.Clicker.Agent.GQ
    Disinfection failed
    Deleted

C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-5644dd9d.zip=>javainstaller/InstallerApplet.class
    Infected with: Java.Trojan.Downloader.OpenStream.T
    Disinfection failed
    Deleted

C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-5644dd9d.zip
    Updated

C:\Documents and Settings\Owner\Desktop\clipartfree.exe=>wise0044
    Infected with: Dropped:Application.Adware.NewDotNet.A
    Disinfection failed
    Deleted

C:\Documents and Settings\Owner\Desktop\clipartfree.exe
    Update failed

C:\Documents and Settings\Owner\Desktop\clipartfree.exe=>wise0045
    Detected with: Application.Adware.NewDotNet.B.Dropper
    Deleted

C:\Documents and Settings\Owner\Desktop\clipartfree.exe
    Update failed

C:\Documents and Settings\Owner\Desktop\holtz73.cab.cab=>C:\WINDOWS\SYSTEM32\igfxupnp.dll
    Infected with: GenPack:Generic.Malware.SFYBV.A4294D0B
    Disinfection failed
    Deleted

C:\Documents and Settings\Owner\Desktop\holtz73.cab.cab
    Update failed

C:\Documents and Settings\Owner\Desktop\holtz73.cab.cab=>C:\WINDOWS\SYSTEM32\mcd3acls.dll
    Infected with: GenPack:Generic.Malware.SFYBV.3C18E60F
    Disinfection failed
    Deleted

C:\Documents and Settings\Owner\Desktop\holtz73.cab.cab
    Update failed

C:\Documents and Settings\Owner\Desktop\holtz73.cab.cab=>C:\WINDOWS\SYSTEM32\pncrmctl.dll
    Infected with: GenPack:Generic.Malware.SFYBV.DA7C24B3
    Disinfection failed
    Deleted

C:\Documents and Settings\Owner\Desktop\holtz73.cab.cab
    Update failed

C:\Documents and Settings\Owner\Recent\holtz73.cab.lnk=>C:\Documents and Settings\Owner\Desktop\holtz73.cab.cab=>C:\WINDOWS\SYSTEM32\igfxupnp.dll
    Infected with: GenPack:Generic.Malware.SFYBV.A4294D0B
    Disinfection failed
    Deleted

C:\Documents and Settings\Owner\Recent\holtz73.cab.lnk=>C:\Documents and Settings\Owner\Desktop\holtz73.cab.cab
    Update failed

C:\Documents and Settings\Owner\Recent\holtz73.cab.lnk=>C:\Documents and Settings\Owner\Desktop\holtz73.cab.cab=>C:\WINDOWS\SYSTEM32\mcd3acls.dll
    Infected with: GenPack:Generic.Malware.SFYBV.3C18E60F
    Disinfection failed
    Deleted

C:\Documents and Settings\Owner\Recent\holtz73.cab.lnk=>C:\Documents and Settings\Owner\Desktop\holtz73.cab.cab
    Update failed

C:\Documents and Settings\Owner\Recent\holtz73.cab.lnk=>C:\Documents and Settings\Owner\Desktop\holtz73.cab.cab=>C:\WINDOWS\SYSTEM32\pncrmctl.dll
    Infected with: GenPack:Generic.Malware.SFYBV.DA7C24B3
    Disinfection failed
    Deleted

C:\Documents and Settings\Owner\Recent\holtz73.cab.lnk=>C:\Documents and Settings\Owner\Desktop\holtz73.cab.cab
    Update failed

C:\hp\bin\Terminator.exe
    Infected with: Trojan.Killapp.30208.A
    Disinfection failed
    Deleted

C:\Program Files\Internet Explorer\TVIYHWOS.0XE
    Infected with: Trojan.Downloader.Petrolin.A
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP486\A0038833.dll
    Infected with: Trojan.Clicker.Agent.GQ
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP487\A0038887.dll
    Infected with: Trojan.Clicker.Agent.GQ
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP487\A0038901.exe
    Infected with: Trojan.Clicker.Small.DV
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP487\A0038902.exe
    Infected with: Trojan.Clicker.Small.DV
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP487\A0038903.exe
    Infected with: Trojan.Clicker.Small.DV
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP487\A0038904.exe
    Infected with: Trojan.Clicker.Small.DV
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP487\A0038905.exe
    Infected with: Trojan.Clicker.Small.DV
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP487\A0038906.exe
    Infected with: Trojan.Clicker.Small.DV
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP487\A0038907.exe
    Infected with: Trojan.Clicker.Small.DV
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP487\A0038908.exe
    Infected with: Trojan.Clicker.Small.DV
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP487\A0038909.exe
    Infected with: Trojan.Clicker.Small.DV
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP487\A0038910.exe
    Infected with: Trojan.PWS.Ldpinch.AK
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP487\A0038911.exe
    Infected with: Trojan.Clicker.Small.DV
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP487\A0038912.exe
    Infected with: Trojan.Clicker.Small.DV
    Disinfection failed
    Deleted

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP487\A0038913.exe
    Infected with: Backdoor.Forbot.L
    Disinfection failed

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP487\A0038913.exe


Deleted

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP487\A0038914.exe


Infected with: Generic.Sdbot.C6E21634

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP487\A0038914.exe


Deleted

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP487\A0038915.exe


Infected with: Trojan.Downloader.Petrolin.A

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP487\A0038915.exe


Disinfection failed

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP487\A0038915.exe


Deleted

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP487\A0038916.dll


Infected with: Trojan.Clicker.Agent.GQ

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP487\A0038916.dll


Disinfection failed

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP487\A0038916.dll


Deleted

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP503\A0039579.dll


Infected with: GenPack:Generic.Malware.SFYBV.A4294D0B

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP503\A0039579.dll


Disinfection failed

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP503\A0039579.dll


Deleted

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP503\A0039580.dll


Infected with: GenPack:Generic.Malware.SFYBV.3C18E60F

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP503\A0039580.dll


Disinfection failed

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP503\A0039580.dll


Deleted

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP503\A0039581.dll


Infected with: GenPack:Generic.Malware.SFYBV.DA7C24B3

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP503\A0039581.dll


Disinfection failed

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP503\A0039581.dll


Deleted

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP503\A0039624.dll


Infected with: GenPack:Generic.Malware.SFYBV.A4294D0B

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP503\A0039624.dll


Disinfection failed

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP503\A0039624.dll


Deleted

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP503\A0039625.dll


Infected with: GenPack:Generic.Malware.SFYBV.3C18E60F

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP503\A0039625.dll


Disinfection failed

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP503\A0039625.dll


Deleted

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP503\A0039626.dll


Infected with: GenPack:Generic.Malware.SFYBV.DA7C24B3

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP503\A0039626.dll


Disinfection failed

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP503\A0039626.dll


Deleted

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP503\A0039627.exe


Infected with: Trojan.Killapp.30208.A

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP503\A0039627.exe


Disinfection failed

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP503\A0039627.exe


Deleted

C:\WINDOWS\system32\107468.0XE


Infected with: Trojan.Clicker.Small.DV

C:\WINDOWS\system32\107468.0XE


Disinfection failed

C:\WINDOWS\system32\107468.0XE


Deleted

C:\WINDOWS\system32\126765.0XE


Infected with: Trojan.Clicker.Small.DV

C:\WINDOWS\system32\126765.0XE


Disinfection failed

C:\WINDOWS\system32\126765.0XE


Deleted

C:\WINDOWS\system32\129375.0XE


Infected with: Trojan.Clicker.Small.DV

C:\WINDOWS\system32\129375.0XE


Disinfection failed

C:\WINDOWS\system32\129375.0XE


Deleted

C:\WINDOWS\system32\132000.0XE


Infected with: Trojan.Clicker.Small.DV

C:\WINDOWS\system32\132000.0XE


Disinfection failed

C:\WINDOWS\system32\132000.0XE


Deleted

C:\WINDOWS\system32\178250.0XE


Infected with: Trojan.Clicker.Small.DV

C:\WINDOWS\system32\178250.0XE


Disinfection failed

C:\WINDOWS\system32\178250.0XE


Deleted

C:\WINDOWS\system32\179015.0XE


Infected with: Trojan.Clicker.Small.DV

C:\WINDOWS\system32\179015.0XE


Disinfection failed

C:\WINDOWS\system32\179015.0XE


Deleted

C:\WINDOWS\system32\21678781.0XE


Infected with: Trojan.Clicker.Small.DV

C:\WINDOWS\system32\21678781.0XE


Disinfection failed

C:\WINDOWS\system32\21678781.0XE


Deleted

C:\WINDOWS\system32\25002890.0XE


Infected with: Trojan.Clicker.Small.DV

C:\WINDOWS\system32\25002890.0XE


Disinfection failed

C:\WINDOWS\system32\25002890.0XE


Deleted

C:\WINDOWS\system32\70343.0XE


Infected with: Trojan.Clicker.Small.DV

C:\WINDOWS\system32\70343.0XE


Disinfection failed

C:\WINDOWS\system32\70343.0XE


Deleted

C:\WINDOWS\system32\70640.0XE


Infected with: Trojan.PWS.Ldpinch.AK

C:\WINDOWS\system32\70640.0XE


Disinfection failed

C:\WINDOWS\system32\70640.0XE


Deleted

C:\WINDOWS\system32\72875.0XE


Infected with: Trojan.Clicker.Small.DV

C:\WINDOWS\system32\72875.0XE


Disinfection failed

C:\WINDOWS\system32\72875.0XE


Deleted

C:\WINDOWS\system32\9739109.0XE


Infected with: Trojan.Clicker.Small.DV

C:\WINDOWS\system32\9739109.0XE


Disinfection failed

C:\WINDOWS\system32\9739109.0XE


Deleted

C:\WINDOWS\system32\MSPRC.0XE


Infected with: Backdoor.Forbot.L

C:\WINDOWS\system32\MSPRC.0XE


Disinfection failed

C:\WINDOWS\system32\MSPRC.0XE


Deleted

C:\WINDOWS\system32\open32_uninstall.exe


Infected with: Trojan.Small.DL

C:\WINDOWS\system32\open32_uninstall.exe


Disinfection failed

C:\WINDOWS\system32\open32_uninstall.exe


Deleted

C:\WINDOWS\system32\QPWS32.0XE


Infected with: Generic.Sdbot.C6E21634

C:\WINDOWS\system32\QPWS32.0XE


Deleted

#11 Guest_Cretemonster_*

Guest_Cretemonster_*

  • Guests
  • OFFLINE

Posted 16 October 2006 - 04:00 AM

Looks like Bit Defender did a good job! :thumbsup:

How's the computer acting today?

Please install these 2 to add to the security of the PC:

SpywareBlaster:
http://www.javacoolsoftware.com/downloads.html
Update immediately!

WinHelp2002 Hosts File
http://www.mvps.org/winhelp2002/hosts2.htm