
Unknown Infection Getting Into Everything.


20 replies to this topic

#1 rsh9116

  • Members
  • 11 posts

Posted 09 October 2006 - 02:46 AM

I hope someone out there can help me get whatever this thing is out of my PC. This PC is not normally used for general web browsing, until my son decided to surf against orders. I have needed to maintain it at SP1 because of a work related application that won't run in SP2, but I'll upgrade once the system is clean.

I have frantic popups that come in waves, but this is a little different than infections I've seen in the past. This one has also disabled Safe Mode (explorer starts briefly then shuts down), and interferes with other processes like cleanmgr, which just hangs. Adaware finds but can't remove registry entries for Command Service and Win32.Agent.I; Spybot S&D and Ewido each return different things, but they are all unable to remove some of what they find, even running after a reboot. There are obvious problems that show up in HiJackThis, like the savtb.exe and Userinit.exe,evcxmuj.exe lines, but the files and processes hide themselves like I have never seen before.

I tried running Housecall, but well into the scan, the PC went nuts and closed all the browser windows. Stinger found nothing.

Any ideas? HJT log follows, and thanks in advance!

Logfile of HijackThis v1.99.1
Scan saved at 2:10:35 AM, on 10/9/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\AOL\1148688497\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Dad\Desktop\trouble\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\savtb.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,evcxmuj.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1148688497\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Mom\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://www.support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0441781A-3075-4C8F-9FDB-A6BCAE8769A1} (vmLaunch Class) - http://downloads.comcast.net/videomail/vmLauncher.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {416792D8-F532-493A-BECC-1C99A1501FF9} (vmLaunch Class) - http://media2.comcast.net/anon.comcastonli...vmLauncher2.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE



#2 Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 09 October 2006 - 04:56 AM

Hi rsh9116, :thumbsup:

We're studying your log right now and will be back to you a.s.a.p.

Thanks for your patience. :flowers:

Edited by Falu, 09 October 2006 - 04:57 AM.


#3 Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 09 October 2006 - 11:45 AM

Hi rsh9116, :thumbsup:

Welcome to BleepingComputer Forums and thanks again for your patience.

1. Please download, install, and update Ewido anti-spyware
  • Load Ewido and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Close Ewido. Do not run it yet.
2. Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to, click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
3. RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcan worm remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

4. Please reboot your computer into Safe Mode. To boot into Safe Mode, please restart your computer. Tap F8 a few times before Windows loads. Select Safe Mode on the screen that appears.

5. Once in Safe Mode, please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Next to the scriptline to execute field click the folder icon and select alcanshorty.bfu
  • Press Execute and let it do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.
6. Ewido Scan
  • Then run Ewido and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • Ewido will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Restart back into Normal Mode.
7. Go to your Hijackthis folder present in C:\Documents and Settings\Dad\Desktop\trouble\Hijackthis and rename Hijackthis.exe to Analyse.exe and then reboot.
After reboot, run Analyse.exe (which is hijackthis of course) and post the log it creates in your next reply.

Please post the contents of the Ewido text report that you saved and a new HijackThis log.

#4 rsh9116
  • Topic Starter

  • Members
  • 11 posts

Posted 09 October 2006 - 02:26 PM

Thank You for your quick response. I had to run BFU and Ewido from the Task Manager in Safe Mode because I have no desktop in that mode. After following your instructions, I had to fight through a flurry of pop-up ads to get to the forum, so it's still not fixed.


Here are the Ewido and HJT logs.

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 2:06:35 PM 10/9/2006

+ Scan result:



C:\WINDOWS\SYSTEM32\iiffcyy.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\Documents and Settings\Dad\Desktop\trouble\Hijackthis\backups\backup-20061008-223000-906-uxqqi.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\__delete_on_reboot__i_x_e_p_s_x_u_._d_l_l_ -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\iotsn.dat -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
[856] C:\WINDOWS\System32\ixepsxu.dll -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\Documents and Settings\Mom\Cookies\mom@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Mom\Cookies\mom@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
C:\Documents and Settings\Mom\Cookies\mom@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : Cleaned with backup (quarantined).
C:\Documents and Settings\Dad\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\dad@adrevolver[3].txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
C:\Documents and Settings\Dad\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\dad@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Dad\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\dad@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
C:\Documents and Settings\Mom\Cookies\mom@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
C:\Documents and Settings\Dad\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\dad@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Dad\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\dad@as-us.falkag[1].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
C:\Documents and Settings\Mom\Cookies\mom@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
C:\Documents and Settings\Mom\Cookies\mom@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
C:\Documents and Settings\Dad\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\dad@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned with backup (quarantined).
C:\Documents and Settings\Dad\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\dad@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup (quarantined).
C:\Documents and Settings\Mom\Cookies\mom@bs.serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\Documents and Settings\Mom\Cookies\mom@serving-sys[1].txt -> TrackingCookie.Serving-sys : Cleaned with backup (quarantined).
C:\Documents and Settings\Dad\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\dad@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Mom\Cookies\mom@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Dad\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\dad@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
C:\Documents and Settings\Mom\Cookies\mom@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
C:\Documents and Settings\Mom\Cookies\mom@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
C:\Documents and Settings\Dad\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\dad@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Mom\Cookies\mom@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
C:\Documents and Settings\Dad\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\dad@zedo[1].txt -> TrackingCookie.Zedo : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\__delete_on_reboot__r_m_g_c_u_m_l_q_._d_l_l_ -> Trojan.BHO.g : Cleaned with backup (quarantined).


::Report end


Logfile of HijackThis v1.99.1
Scan saved at 2:19:31 PM, on 10/9/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\AOL\1148688497\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Dad\Desktop\trouble\Hijackthis\Analyze.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\savtb.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,evcxmuj.exe
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {450C6F2F-C040-48D1-998E-855D2AA4BC65} - C:\WINDOWS\System32\jkhff.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\System32\rmgcumlq.dll (file missing)
O2 - BHO: (no name) - {C6E00DDA-FEAF-4D28-ADC4-055240E8F907} - C:\WINDOWS\System32\iiffcyy.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1148688497\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Mom\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://www.support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0441781A-3075-4C8F-9FDB-A6BCAE8769A1} (vmLaunch Class) - http://downloads.comcast.net/videomail/vmLauncher.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {416792D8-F532-493A-BECC-1C99A1501FF9} (vmLaunch Class) - http://media2.comcast.net/anon.comcastonli...vmLauncher2.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab
O20 - Winlogon Notify: iiffcyy - C:\WINDOWS\SYSTEM32\iiffcyy.dll
O20 - Winlogon Notify: jkhff - C:\WINDOWS\System32\jkhff.dll
O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\pcintui.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE

#5 Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 10 October 2006 - 02:53 PM

Hi rsh9116, :thumbsup:

1. Download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

2. Run HijackThis, click Scan and checkmark the following entries:

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\savtb.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,evcxmuj.exe
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {450C6F2F-C040-48D1-998E-855D2AA4BC65} - C:\WINDOWS\System32\jkhff.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - (no file)
O2 - BHO: (no name) - {849B9523-785F-4014-9CAF-079FB4A74C61} - C:\WINDOWS\System32\rmgcumlq.dll (file missing)
O2 - BHO: (no name) - {C6E00DDA-FEAF-4D28-ADC4-055240E8F907} - C:\WINDOWS\System32\iiffcyy.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O20 - Winlogon Notify: iiffcyy - C:\WINDOWS\SYSTEM32\iiffcyy.dll
O20 - Winlogon Notify: jkhff - C:\WINDOWS\System32\jkhff.dll
O20 - Winlogon Notify: SharedDLLs - C:\WINDOWS\system32\pcintui.dll (file missing)


Weatherbug is a program that sits in your System Tray (next to the clock) and delivers the weather. It used to come with spyware, and whilst the latest version is spyware free, it is an advertisement-supported program which many users find annoying. There is a very good ad-free alternative: Weather Pulse!

Right-click the Weatherbug icon on your taskbar and delete it. Then click Start > All Programmes and search the list for Weatherbug: click Uninstall Weatherbug. Checkmark the following entries:

O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?


Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

3. Download ATF Cleaner by Atribune. Do not run it yet.

4. Make sure you can view all files. Click Start >My Computer > Tools > Folder Options >View. Check "Show hidden files and folders", uncheck "Hide protected operating system files" and "Hide extensions for known file types". Click "Apply to all folders" >Apply then OK.

5. Reboot and as the computer starts up, just before Windows starts to load, tap the F8 key a few times and then choose Safe Mode from the menu that will appear.

6. Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete the following files in bold if listed:

C:\WINDOWS\System32\savtb.exe
C:\WINDOWS\SYSTEM32\evcxmuj.exe
C:\WINDOWS\system32\pcintui.dll

Let me know if you had problems with this step.

7. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use the Firefox browser: click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

8. Reboot to go back into Normal mode.

9. You're using an outdated version of Java (latest one is Java Runtime Environment (JRE) 5.0 Update 9). Please update and remove the older versions. Do the following:
  • Go to Start > Control Panel double-click on the Software icon > add/remove programs.
  • Search in the list for all previous installed versions of Java. (J2SE Runtime Environment.... )

    It should have this icon next to it: (image not shown)
    Select it and click Remove.
  • Then Download and install the newest version from here:
    Java Runtime Environment (JRE) 5.0 Update 9
10. Do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post the Kaspersky report along with the C:\vundofix.txt and a new HijackThis log.
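As an added example (not code from this thread, from HijackThis, or from any tool named in it), the Python script below applies the same triage Falu did by hand to HijackThis log lines: it flags F2 Shell=/UserInit= values that launch anything beyond the single expected executable, every O20 Winlogon Notify package, and nameless O2 BHOs. The expected executable names and the sample lines (taken from the log posted above) are the only assumptions.

```python
"""Triage pass over HijackThis log lines for the Winlogon persistence
entries discussed in this thread: F2 Shell=/UserInit= values carrying an
extra executable, O20 Winlogon Notify DLLs, and unnamed O2 BHOs.

Added example; not code from the thread or from HijackThis itself.
"""
import re
from dataclasses import dataclass

# Clean Windows XP values (assumption: default install). Shell should be
# exactly explorer.exe and UserInit exactly <windir>\system32\userinit.exe.
EXPECTED_SHELL = "explorer.exe"
EXPECTED_USERINIT = "userinit.exe"

F2_RE = re.compile(r"^F2 - REG:system\.ini: (Shell|UserInit)=(.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
O2_RE = re.compile(r"^O2 - BHO: (.*?) - (\S+) - (.*)$")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section: F2, O2 or O20
    reason: str    # why the line was flagged
    line: str      # the original log line


def _basename(path: str) -> str:
    """Last path component, lower-cased, so 'C:\\X\\Userinit.exe' == 'userinit.exe'."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def unexpected_executables(value: str, expected: str) -> list:
    """Return the comma-separated entries of a Shell=/UserInit= value whose
    basename is not the single expected executable. A clean value yields []."""
    entries = [v.strip() for v in value.split(",") if v.strip()]
    return [e for e in entries if _basename(e) != expected]


def triage(lines) -> list:
    """Scan HijackThis log lines and return the persistence entries worth review."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = F2_RE.match(line)
        if m:
            key, value = m.group(1), m.group(2)
            expected = EXPECTED_SHELL if key == "Shell" else EXPECTED_USERINIT
            extras = unexpected_executables(value, expected)
            if extras:
                findings.append(Finding(
                    "F2", f"{key}= launches extra executable(s): {', '.join(extras)}", line))
            continue
        m = O20_RE.match(line)
        if m:
            # Winlogon Notify DLLs are loaded into winlogon.exe at logon, which is
            # why they survive Safe Mode; on a home XP box a third-party one is
            # rare, so every entry is listed for review.
            name, path = m.group(1), m.group(2)
            note = " (file missing: stale registry entry)" if "file missing" in path else ""
            findings.append(Finding(
                "O20", f"Winlogon Notify package '{name}' loads {path}{note}", line))
            continue
        m = O2_RE.match(line)
        if m and m.group(1) == "(no name)":
            findings.append(Finding("O2", f"unnamed BHO {m.group(2)} -> {m.group(3)}", line))
    return findings


# Sample input: lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = """\
F2 - REG:system.ini: Shell=Explorer.exe, C:\\WINDOWS\\System32\\savtb.exe
F2 - REG:system.ini: UserInit=C:\\WINDOWS\\SYSTEM32\\Userinit.exe,evcxmuj.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.5.0_07\\bin\\ssv.dll
O2 - BHO: (no name) - {C6E00DDA-FEAF-4D28-ADC4-055240E8F907} - C:\\WINDOWS\\System32\\iiffcyy.dll
O4 - HKLM\\..\\Run: [HotKeysCmds] C:\\WINDOWS\\System32\\hkcmd.exe
O20 - Winlogon Notify: jkhff - C:\\WINDOWS\\System32\\jkhff.dll
O20 - Winlogon Notify: SharedDLLs - C:\\WINDOWS\\system32\\pcintui.dll (file missing)
""".splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}")
```

The legitimate Java BHO and the O4 Run entry pass through untouched, so the output lists exactly the five lines Falu asked to have fixed in step 2.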

#6 rsh9116
  • Topic Starter

  • Members
  • 11 posts

Posted 10 October 2006 - 10:45 PM

Thanks for your reply, I thought I'd lost you for a moment...

I followed your instructions and attach the logs below.

Kaspersky Log

Tuesday, October 10, 2006 10:04:36 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 11/10/2006
Kaspersky Anti-Virus database records: 230502


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\

Scan Statistics
Total number of scanned objects 115463
Number of viruses found 35
Number of infected objects 138 / 0
Number of suspicious objects 4
Duration of the scan process 01:30:50

Infected Object Name Virus Name Last Action
C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc15\uninstall.xex Infected: Trojan-Clicker.Win32.Small.ja skipped

C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc25.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.es skipped

C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc25.exe NSIS: infected - 1 skipped

C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc27.exe/data0002 Infected: Trojan.Win32.VB.tg skipped

C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc27.exe/data0005 Infected: Trojan.Win32.VB.tg skipped

C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc27.exe/data0006 Infected: Trojan.Win32.VB.tg skipped

C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc27.exe NSIS: infected - 3 skipped

C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc30.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.EZula.cc skipped

C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc30.exe/stream Infected: not-a-virus:AdWare.Win32.EZula.cc skipped

C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc30.exe NSIS: infected - 2 skipped

C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc38.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.es skipped

C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc38.exe NSIS: infected - 1 skipped

C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc42.exe/data0002 Infected: Trojan.Win32.VB.tg skipped

C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc42.exe/data0005 Infected: Trojan.Win32.VB.tg skipped

C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc42.exe/data0006 Infected: Trojan.Win32.VB.tg skipped

C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc42.exe NSIS: infected - 3 skipped

C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc46.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.EZula.cc skipped

C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc46.exe/stream Infected: not-a-virus:AdWare.Win32.EZula.cc skipped

C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc46.exe NSIS: infected - 2 skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\09f80a7ed65b5a1eeea0630b399ea171_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\511a0f3f9e960fa97de3d0b74adfc574_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\512220e318e0fda8093c9f18135549e5_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8601c6ed7ac2fd564995bf0f5f5de3d4_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ea11ef27bae3527bb535e6a6aed54bbe_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip/vxgame6.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos.zip/stub_sca4.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\Dad\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Dad\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped

C:\Documents and Settings\Dad\Desktop\trouble\Hijackthis\backups\backup-20061010-145231-899.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped

C:\Documents and Settings\Dad\Desktop\trouble\Hijackthis\backups\backup-20061010-161357-892.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped

C:\Documents and Settings\Dad\Desktop\trouble\Hijackthis\backups\backup-20061010-170219-677.dll Infected: Trojan.Win32.BHO.g skipped

C:\Documents and Settings\Dad\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped

C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Dad\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Dad\Local Settings\History\History.IE5\MSHist012006101020061011\index.dat Object is locked skipped

C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Dad\ntuser.dat Object is locked skipped

C:\Documents and Settings\Dad\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Ian\Local Settings\Temp\Temporary Internet Files\Content.IE5\S5CNW7W7\aff_0006[1].exe/AutoSearch.dll Infected: not-a-virus:AdWare.Win32.AutoSearch.b skipped

C:\Documents and Settings\Ian\Local Settings\Temp\Temporary Internet Files\Content.IE5\S5CNW7W7\aff_0006[1].exe CAB: infected - 1 skipped

C:\Documents and Settings\Ian\Local Settings\Temp\Temporary Internet Files\Content.IE5\YTKB692P\motorsix[1].ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.r skipped

C:\Documents and Settings\Ian\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe/WISE0009.BIN Infected: Trojan-Downloader.Win32.TSUpdate.n skipped

C:\Documents and Settings\Ian\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe/WISE0010.BIN Infected: Trojan-Downloader.Win32.TSUpdate.r skipped

C:\Documents and Settings\Ian\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe/WISE0011.BIN Infected: Trojan-Downloader.Win32.TSUpdate.l skipped

C:\Documents and Settings\Ian\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe/WISE0012.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f skipped

C:\Documents and Settings\Ian\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe WiseSFX: infected - 4 skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Mom\Local Settings\Application Data\f74d7926.xex Infected: Trojan-Downloader.Win32.Obfuscated.n skipped

C:\Documents and Settings\Mom\Local Settings\Temp\hsperfdata_Mom\1508 Object is locked skipped

C:\Documents and Settings\Mom\Local Settings\Temp\s1uk..xex/stream/data0001 Infected: not-a-virus:AdWare.Win32.TrafficSol.c skipped

C:\Documents and Settings\Mom\Local Settings\Temp\s1uk..xex/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.c skipped

C:\Documents and Settings\Mom\Local Settings\Temp\s1uk..xex NSIS: infected - 2 skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\TalkingBuddy\includesearchbar.EXE/WISE0011.BIN Infected: not-a-virus:AdWare.Win32.AdvancedSearchBar skipped

C:\Program Files\TalkingBuddy\includesearchbar.EXE/WISE0014.BIN Infected: not-a-virus:AdWare.Win32.AdvancedSearchBar skipped

C:\Program Files\TalkingBuddy\includesearchbar.EXE WiseSFX: infected - 2 skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc12.exe/AutoSearch.dll Infected: not-a-virus:AdWare.Win32.AutoSearch.b skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc12.exe CAB: infected - 1 skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc14.exe/data.rar/whCC-GIANT2.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc14.exe/data.rar/whCC-GIANT2.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc14.exe/data.rar/whCC-GIANT2.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc14.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc14.exe RarSFX: infected - 4 skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc15.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.r skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc23.exe/InpB/DxcBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc23.exe/InpB/DxcCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc23.exe/InpB/Dxc.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc23.exe/InpB/DxcRepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc23.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc23.exe CAB: infected - 5 skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc26\PSDream.exe Infected: not-a-virus:AdWare.Win32.PurityScan.ew skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc30\hancerextramm\whCC-GIANT2.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc30\hancerextramm\whCC-GIANT2.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc30\hancerextramm\whCC-GIANT2.exe RarSFX: infected - 2 skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc34.exe/data.rar/whCC-GIANT2.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc34.exe/data.rar/whCC-GIANT2.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc34.exe/data.rar/whCC-GIANT2.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc34.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc34.exe RarSFX: infected - 4 skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc35.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.r skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc36.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.EZula.cc skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc36.exe/stream Infected: not-a-virus:AdWare.Win32.EZula.cc skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc36.exe NSIS: infected - 2 skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc38.exe/AutoSearch.dll Infected: not-a-virus:AdWare.Win32.AutoSearch.b skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc38.exe CAB: infected - 1 skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc43.exe Infected: Trojan-Downloader.Win32.Agent.azc skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc47.exe Infected: Trojan-Dropper.Win32.Delf.aad skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc48.exe/deskbar.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc48.exe/deskbar.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc48.exe/deskbar.exe Infected: not-a-virus:AdWare.Win32.Softomate.r skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc48.exe ZIP: infected - 3 skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc49.exe/AutoSearch.dll Infected: not-a-virus:AdWare.Win32.AutoSearch.b skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc49.exe CAB: infected - 1 skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc52.exe Infected: Trojan-Dropper.Win32.Mudrop.bq skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc56.exe Infected: Trojan-Downloader.Win32.Adload.gg skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc57.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc57.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc57.exe NSIS: infected - 2 skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc60.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc60.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc60.exe NSIS: infected - 2 skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc61.exe Infected: Trojan-Downloader.Win32.Adload.gg skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc63.exe Infected: Trojan-Downloader.Win32.Adload.gg skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc67.exe/InpB/DxcBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc67.exe/InpB/DxcCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc67.exe/InpB/Dxc.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc67.exe/InpB/DxcRepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc67.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc67.exe CAB: infected - 5 skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc8.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.ew skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc8.exe NSIS: infected - 1 skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc15\uninstall.xex Infected: Trojan-Clicker.Win32.Small.ja skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc25.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.es skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc25.exe NSIS: infected - 1 skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc27.exe/data0002 Infected: Trojan.Win32.VB.tg skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc27.exe/data0005 Infected: Trojan.Win32.VB.tg skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc27.exe/data0006 Infected: Trojan.Win32.VB.tg skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc27.exe NSIS: infected - 3 skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc30.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.EZula.cc skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc30.exe/stream Infected: not-a-virus:AdWare.Win32.EZula.cc skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc30.exe NSIS: infected - 2 skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc38.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.es skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc38.exe NSIS: infected - 1 skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc42.exe/data0002 Infected: Trojan.Win32.VB.tg skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc42.exe/data0005 Infected: Trojan.Win32.VB.tg skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc42.exe/data0006 Infected: Trojan.Win32.VB.tg skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc42.exe NSIS: infected - 3 skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc46.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.EZula.cc skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc46.exe/stream Infected: not-a-virus:AdWare.Win32.EZula.cc skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc46.exe NSIS: infected - 2 skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc68.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc68.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc68.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.av skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc68.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.az skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc68.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.az skipped

C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc68.exe CAB: infected - 5 skipped

C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped

C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped

C:\System Volume Information\catalog.wci\00010010.ci Object is locked skipped

C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped

C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped

C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped

C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped

C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped

C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped

C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped

C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped

C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped

C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped

C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped

C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped

C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped

C:\WINDOWS\$NtUninstallKB839645$\fldrclnr.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB839645$\shell32.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB839645$\shlwapi.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB839645$\sxs.dll Object is locked skipped

C:\WINDOWS\$NtUninstallKB839645$\xpsp2res.dll Object is locked skipped

C:\WINDOWS\ast_4_mm.exe/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.AdWast.a skipped

C:\WINDOWS\ast_4_mm.exe/WISE0007.BIN Infected: Trojan-Downloader.Win32.VB.ah skipped

C:\WINDOWS\ast_4_mm.exe WiseSFX: infected - 2 skipped

C:\WINDOWS\cpr_mm2.exe/WISE0008.BIN Infected: Trojan-Downloader.Win32.Adroar skipped

C:\WINDOWS\cpr_mm2.exe/WISE0009.BIN Infected: Trojan-Downloader.Win32.Adroar skipped

C:\WINDOWS\cpr_mm2.exe WiseSFX: infected - 2 skipped

C:\WINDOWS\Debug\oakley.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{12212592-76A0-4DEC-B91E-520A79B2E940}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\SYSTEM32\acdp.lld Infected: Trojan.Win32.Agent.wc skipped

C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\WINDOWS\SYSTEM32\dpks.lld Infected: Trojan.Win32.Agent.wc skipped

C:\WINDOWS\SYSTEM32\f74d7926.xex Infected: Trojan-Downloader.Win32.Obfuscated.n skipped

C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped

C:\WINDOWS\SYSTEM32\icon_justin.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BHO.ao skipped

C:\WINDOWS\SYSTEM32\icon_justin.exe/stream Infected: not-a-virus:AdWare.Win32.BHO.ao skipped

C:\WINDOWS\SYSTEM32\icon_justin.exe NSIS: infected - 2 skipped

C:\WINDOWS\SYSTEM32\iiffcyy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped

C:\WINDOWS\SYSTEM32\kernels8.xex Infected: Packed.Win32.Tibs skipped

C:\WINDOWS\SYSTEM32\mscdaux.lld Infected: Backdoor.Win32.Delf.aml skipped

C:\WINDOWS\SYSTEM32\nyfbkbca.dll Infected: Trojan.Win32.BHO.g skipped

C:\WINDOWS\SYSTEM32\ts_justin.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.SideFind.a skipped

C:\WINDOWS\SYSTEM32\ts_justin.exe/stream Infected: not-a-virus:AdWare.Win32.SideFind.a skipped

C:\WINDOWS\SYSTEM32\ts_justin.exe NSIS: infected - 2 skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\SYSTEM32\xxxf74d7926xxx.exe Infected: Trojan-Downloader.Win32.Obfuscated.n skipped

C:\WINDOWS\SYSTEM32\xxxslx.exe์าูZ์าูZxxx Infected: Packed.Win32.Tibs skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


VundoFix Log

VundoFix V6.2.1

Checking Java version...

Java version is 1.5.0.7

Scan started at 3:57:07 PM 10/10/2006

Listing files found while scanning....

C:\WINDOWS\SYSTEM32\bxlquxmt.exe
C:\WINDOWS\SYSTEM32\fbcjnepy.exe
C:\WINDOWS\System32\jkhff.dll
C:\WINDOWS\System32\ffhkj.ini
C:\WINDOWS\System32\ffhkj.bak1
C:\WINDOWS\System32\ffhkj.bak2
C:\WINDOWS\System32\ffhkj.ini2
C:\WINDOWS\System32\ffhkj.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\SYSTEM32\bxlquxmt.exe
C:\WINDOWS\SYSTEM32\bxlquxmt.exe Has been deleted!

Attempting to delete C:\WINDOWS\SYSTEM32\fbcjnepy.exe
C:\WINDOWS\SYSTEM32\fbcjnepy.exe Has been deleted!

Attempting to delete C:\WINDOWS\System32\jkhff.dll
C:\WINDOWS\System32\jkhff.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\ffhkj.ini
C:\WINDOWS\System32\ffhkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\ffhkj.bak1
C:\WINDOWS\System32\ffhkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\ffhkj.bak2
C:\WINDOWS\System32\ffhkj.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\ffhkj.ini2
C:\WINDOWS\System32\ffhkj.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\ffhkj.tmp
C:\WINDOWS\System32\ffhkj.tmp Has been deleted!

Performing Repairs to the registry.
Done!

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 10:33:23 PM, on 10/10/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\AOL\1148688497\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Dad\Desktop\trouble\Hijackthis\Analyze.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1148688497\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Mom\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://www.support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0441781A-3075-4C8F-9FDB-A6BCAE8769A1} (vmLaunch Class) - http://downloads.comcast.net/videomail/vmLauncher.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {416792D8-F532-493A-BECC-1C99A1501FF9} (vmLaunch Class) - http://media2.comcast.net/anon.comcastonline2/onleng/downloads/VideoMail/vmLauncher2.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/

gamemanager/DIGGameManager.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
The 3 files to delete in the Windows\system32\ folder were not found so I couldn't delete them. These are the executables that I could see briefly on starting Process Explorer, or as running processes attached to everything, but they were hidden from the file system then. Maybe they still are.

I have regained my Safe Mode desktop, and performance has improved greatly. No more popups. Let me know what I have to do to get completely clean so I can risk the SP2 upgrade.

Again, Thanks for your help!

#7 Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 11 October 2006 - 10:36 AM

Hi rsh9116, :thumbsup:

Thanks for your reply, I thought I'd lost you for a moment...

Don't worry, but we are all volunteers and it takes time to come up with a solution.

Okay, let's clean up.

1. Reboot and as the computer starts up, just before Windows starts to load, tap the F8 key a few times and then choose Safe Mode from the menu that will appear.

2. Using Windows Explorer, please delete the following files in bold:

C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc15\uninstall.xex
C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc25.exe
C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc27.exe
C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc30.exe
C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc38.exe
C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc42.exe
C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc46.exe
C:\Documents and Settings\Mom\Local Settings\Application Data\f74d7926.xex
C:\Program Files\TalkingBuddy\includesearchbar.EXE
C:\WINDOWS\ast_4_mm.exe
C:\WINDOWS\cpr_mm2.exe
C:\WINDOWS\SYSTEM32\acdp.lld
C:\WINDOWS\SYSTEM32\dpks.lld
C:\WINDOWS\SYSTEM32\f74d7926.xex
C:\WINDOWS\SYSTEM32\icon_justin.exe
C:\WINDOWS\SYSTEM32\iiffcyy.dll
C:\WINDOWS\SYSTEM32\kernels8.xex
C:\WINDOWS\SYSTEM32\mscdaux.lld
C:\WINDOWS\SYSTEM32\nyfbkbca.dll
C:\WINDOWS\SYSTEM32\ts_justin.exe
C:\WINDOWS\SYSTEM32\xxxf74d7926xxx.exe
C:\WINDOWS\SYSTEM32\xxxslx.exe

Let me know if you had problems with this step.

3. * Clean your Cache and Cookies in IE:

* Close all instances of Outlook Express and Internet Explorer
* Go to Control Panel > Internet Options > General tab
* Click the "Delete Cookies" button
* Next to it, Click the "Delete Files" button
* When prompted, place a check in: "Delete all offline content", click OK

* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

* Go to Tools > Options.
* Click Privacy in the menu on the left side of the Options window.
* Click the Clear button located to the right of each option (History, Cookies, Cache).
* Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

* Clean other Temporary files + Recycle bin

* Go to start > run and type: cleanmgr and click ok.
* Let it scan your system for files to remove.
* Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
* Press OK to remove them.

4. Run HijackThis, click Scan and checkmark the following entries:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Close all browsers and windows, except for HijackThis and click the Fix Checked button; close HijackThis!

5.

The 3 files to delete in the Windows\system32\ folder were not found so I couldn't delete them.


They don't show in your log anymore so it's safe to assume they're gone.

6. Run another Kaspersky scan to see if something is left behind.

Please post the Kaspersky report along with a fresh HijackThis log.

#8 rsh9116

  • Topic Starter

  • Members
  • 11 posts

Posted 11 October 2006 - 05:14 PM

Falu,

I've done as you requested; however, there is something more serious still working here.

In Safe Mode, in Windows Explorer, the \S-1-5-21... subfolder of c:\Deleteme is not visible; however, the properties listing for the c:\Deleteme directory shows that it contains 64 files in 38 folders. And yes, I've set the file manager to display hidden and system files. I tried Safe Mode Command Prompt and again the \S-1-5-21... folder is invisible. However, if I specifically type in the path, I can see what is really there: several small .dat, .ini and .txt files along with directories labelled DC1, DC2, up to DC20, all created on the same date at different times. In these directories are files like sf.txt, Uninstall.exe, License.txt, Uninstaller.exe and more.

Using the command prompt, I was able to delete the files you listed, but the rest of the structure remains.

Cleanmgr will not run in any mode; it shows disk activity for 30 seconds, then hangs.

Additional observations: Any attempt to start a program causes the desktop to disappear, then repopulate. Starting the File Manager brings up a directory tree, then you can watch as something ripples through the entire listing. HijackThis, still renamed, now takes a very long time to scan, about 20 seconds to generate a scan.

Here are the logs you requested.

HJT Log.

Logfile of HijackThis v1.99.1
Scan saved at 5:06:33 PM, on 10/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Common Files\AOL\1148688497\ee\AOLSoftware.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SYSTEM32\cleanmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Dad\Desktop\trouble\Hijackthis\Showme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1148688497\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Mom\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://www.support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0441781A-3075-4C8F-9FDB-A6BCAE8769A1} (vmLaunch Class) - http://downloads.comcast.net/videomail/vmLauncher.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {416792D8-F532-493A-BECC-1C99A1501FF9} (vmLaunch Class) - http://media2.comcast.net/anon.comcastonline2/onleng/downloads/VideoMail/vmLauncher2.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamemanager/DIGGameManager.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE


Kaspersky Log

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, October 11, 2006 3:49:01 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 11/10/2006
Kaspersky Anti-Virus database records: 230794
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 115557
Number of viruses found: 25
Number of infected objects: 94 / 0
Number of suspicious objects: 4
Duration of the scan process: 02:08:07

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\09f80a7ed65b5a1eeea0630b399ea171_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\511a0f3f9e960fa97de3d0b74adfc574_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\512220e318e0fda8093c9f18135549e5_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\8601c6ed7ac2fd564995bf0f5f5de3d4_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ea11ef27bae3527bb535e6a6aed54bbe_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip/vxgame6.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos.zip/stub_sca4.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\VcodecStarVideos.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Dad\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\UserData\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Dad\Desktop\trouble\Hijackthis\backups\backup-20061010-145231-899.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\Documents and Settings\Dad\Desktop\trouble\Hijackthis\backups\backup-20061010-161357-892.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\Documents and Settings\Dad\Desktop\trouble\Hijackthis\backups\backup-20061010-170219-677.dll Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\History\History.IE5\MSHist012006101120061012\index.dat Object is locked skipped
C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Dad\ntuser.dat Object is locked skipped
C:\Documents and Settings\Dad\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Ian\Local Settings\Temp\Temporary Internet Files\Content.IE5\S5CNW7W7\aff_0006[1].exe/AutoSearch.dll Infected: not-a-virus:AdWare.Win32.AutoSearch.b skipped
C:\Documents and Settings\Ian\Local Settings\Temp\Temporary Internet Files\Content.IE5\S5CNW7W7\aff_0006[1].exe CAB: infected - 1 skipped
C:\Documents and Settings\Ian\Local Settings\Temp\Temporary Internet Files\Content.IE5\YTKB692P\motorsix[1].ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.r skipped
C:\Documents and Settings\Ian\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe/WISE0009.BIN Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\Documents and Settings\Ian\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe/WISE0010.BIN Infected: Trojan-Downloader.Win32.TSUpdate.r skipped
C:\Documents and Settings\Ian\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe/WISE0011.BIN Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\Documents and Settings\Ian\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe/WISE0012.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\Documents and Settings\Ian\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe WiseSFX: infected - 4 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mom\Local Settings\Temp\hsperfdata_Mom\1508 Object is locked skipped
C:\Documents and Settings\Mom\Local Settings\Temp\s1uk..xex/stream/data0001 Infected: not-a-virus:AdWare.Win32.TrafficSol.c skipped
C:\Documents and Settings\Mom\Local Settings\Temp\s1uk..xex/stream Infected: not-a-virus:AdWare.Win32.TrafficSol.c skipped
C:\Documents and Settings\Mom\Local Settings\Temp\s1uk..xex NSIS: infected - 2 skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc12.exe/AutoSearch.dll Infected: not-a-virus:AdWare.Win32.AutoSearch.b skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc12.exe CAB: infected - 1 skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc14.exe/data.rar/whCC-GIANT2.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc14.exe/data.rar/whCC-GIANT2.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc14.exe/data.rar/whCC-GIANT2.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc14.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc14.exe RarSFX: infected - 4 skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc15.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.r skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc23.exe/InpB/DxcBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc23.exe/InpB/DxcCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc23.exe/InpB/Dxc.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc23.exe/InpB/DxcRepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc23.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc23.exe CAB: infected - 5 skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc26\PSDream.exe Infected: not-a-virus:AdWare.Win32.PurityScan.ew skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc30\hancerextramm\whCC-GIANT2.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc30\hancerextramm\whCC-GIANT2.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc30\hancerextramm\whCC-GIANT2.exe RarSFX: infected - 2 skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc34.exe/data.rar/whCC-GIANT2.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc34.exe/data.rar/whCC-GIANT2.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc34.exe/data.rar/whCC-GIANT2.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc34.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc34.exe RarSFX: infected - 4 skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc35.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.r skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc36.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.EZula.cc skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc36.exe/stream Infected: not-a-virus:AdWare.Win32.EZula.cc skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc36.exe NSIS: infected - 2 skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc38.exe/AutoSearch.dll Infected: not-a-virus:AdWare.Win32.AutoSearch.b skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc38.exe CAB: infected - 1 skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc43.exe Infected: Trojan-Downloader.Win32.Agent.azc skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc47.exe Infected: Trojan-Dropper.Win32.Delf.aad skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc48.exe/deskbar.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc48.exe/deskbar.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc48.exe/deskbar.exe Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc48.exe ZIP: infected - 3 skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc49.exe/AutoSearch.dll Infected: not-a-virus:AdWare.Win32.AutoSearch.b skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc49.exe CAB: infected - 1 skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc52.exe Infected: Trojan-Dropper.Win32.Mudrop.bq skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc56.exe Infected: Trojan-Downloader.Win32.Adload.gg skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc57.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc57.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc57.exe NSIS: infected - 2 skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc60.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc60.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc60.exe NSIS: infected - 2 skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc61.exe Infected: Trojan-Downloader.Win32.Adload.gg skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc63.exe Infected: Trojan-Downloader.Win32.Adload.gg skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc67.exe/InpB/DxcBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc67.exe/InpB/DxcCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc67.exe/InpB/Dxc.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc67.exe/InpB/DxcRepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc67.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc67.exe CAB: infected - 5 skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc8.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.ew skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc8.exe NSIS: infected - 1 skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc25.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.es skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc25.exe NSIS: infected - 1 skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc27.exe/data0002 Infected: Trojan.Win32.VB.tg skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc27.exe/data0005 Infected: Trojan.Win32.VB.tg skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc27.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc27.exe NSIS: infected - 3 skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc30.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.EZula.cc skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc30.exe/stream Infected: not-a-virus:AdWare.Win32.EZula.cc skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc30.exe NSIS: infected - 2 skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc38.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.es skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc38.exe NSIS: infected - 1 skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc42.exe/data0002 Infected: Trojan.Win32.VB.tg skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc42.exe/data0005 Infected: Trojan.Win32.VB.tg skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc42.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc42.exe NSIS: infected - 3 skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc46.exe/stream/data0002 Infected: not-a-virus:AdWare.Win32.EZula.cc skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc46.exe/stream Infected: not-a-virus:AdWare.Win32.EZula.cc skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc46.exe NSIS: infected - 2 skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc68.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc68.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc68.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.av skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc68.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.az skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc68.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.az skipped
C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc68.exe CAB: infected - 5 skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\0001000A.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\WINDOWS\$NtUninstallKB839645$\fldrclnr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB839645$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB839645$\shlwapi.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB839645$\sxs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB839645$\xpsp2res.dll Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{5733919F-EEB8-4FD8-9608-8402C464FB9D}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\xxxslx.exe์าูZ์าูZxxx Infected: Packed.Win32.Tibs skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#9 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:22 PM

Posted 12 October 2006 - 10:37 AM

Hi rsh9116, :thumbsup:

1.

In Safe Mode, Windows Explorer, the \S-1-5-21... subfolder of c:\Deleteme is not visible, however the properties listing for the c:\Deleteme directory shows that it contains 64 files in 38 folders.


Okay, don't worry about the C:\Deleteme folder. The important thing is you could delete all the bad files as indicated.

2.

Cleanmgr will not run in any mode, it shows disk activity for 30 seconds then hangs.



One explanation may be that Windows isn't up to date. Once you're clean you should update to SP2 anyhow; I will let you know.

The freeze may also be due to a corrupted temporary file on your computer.

Open Notepad and copy and paste the following text in the quote box into it:

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Compress old files]


Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Let me know whether or not you can use Cleanmgr now and we will restore this function then.

If it still doesn't run, I want you to run ATF Cleaner again in Safe Mode, which is, by the way, a more effective cleaner than Cleanmanager.

3. HijackThis log looks clean and Kaspersky comes up almost clean.

Empty your Temporary and Temp Internet files once more (step 3 in my previous post).

4. Using Windows Explorer, please delete the following file in bold:

C:\WINDOWS\SYSTEM32\xxxslx.exe

If you have problems with that, reboot into Safe Mode and try again. Reboot afterwards to go back into Normal Mode.

Please let me know how this went and how things are running now.
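
A way to check what a .reg fix like the one above will actually do before merging it. This is an added example, not code from the thread or from Falu; it parses the Registry Editor 5.00 format, and on the fix.reg above it reports a single action, deleting the VolumeCaches\Compress old files key (one Disk Cleanup handler). The parser itself and its classification names are my own.

```python
import re

# The fix.reg text from the post above, embedded here as a string.
FIX_REG = """Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\VolumeCaches\\Compress old files]
"""

# [key] creates/opens a key, [-key] deletes it and everything beneath it.
_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
# "name"=data sets a value, "name"=- deletes it, @ is the key's default value.
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg(text):
    """Return a list of (action, key, value_name, data) tuples.

    action is 'delete_key', 'create_key', 'delete_value' or 'set_value'.
    Only the Registry Editor 5.00 header is accepted; when reading a real
    export from disk, open it with encoding='utf-16', which is how regedit
    writes it. Multi-line hex data (trailing backslash continuations) is
    not handled and raises rather than being silently misreported.
    """
    lines = text.splitlines()
    if not lines or not lines[0].startswith("Windows Registry Editor Version 5.00"):
        raise ValueError("not a Registry Editor 5.00 file")
    actions = []
    current_key = None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        m = _KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            current_key = key
            actions.append(("delete_key" if minus else "create_key", key, None, None))
            continue
        m = _VALUE_RE.match(line)
        if m and current_key is not None:
            name = "(Default)" if m.group(2) else m.group(1)
            data = m.group(3)
            if data == "-":
                actions.append(("delete_value", current_key, name, None))
            else:
                actions.append(("set_value", current_key, name, data))
            continue
        raise ValueError("unparseable line: %r" % raw)
    return actions


def describe(actions):
    """One plain-English line per action, for review before merging."""
    out = []
    for action, key, name, data in actions:
        if action == "delete_key":
            out.append("DELETE key %s (and everything under it)" % key)
        elif action == "create_key":
            out.append("CREATE key %s if it does not already exist" % key)
        elif action == "delete_value":
            out.append("DELETE value %r under %s" % (name, key))
        else:
            out.append("SET value %r under %s to %s" % (name, key, data))
    return out


if __name__ == "__main__":
    for line in describe(parse_reg(FIX_REG)):
        print(line)
```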

#10 rsh9116

rsh9116
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:22 PM

Posted 12 October 2006 - 12:04 PM

Falu,

1. That pesky C:\Deleteme\S-1-5-21... folder now shows up in all modes with a recycle bin icon, which explains why it's not accessible. It has grown to 57 files in 48 folders, but its "empty recycle bin" choice is greyed out.

2. After applying your fix.reg file, Cleanmgr now won't run at all... It did work prior to this blowup so I don't think it's because Windows isn't up to date.

3. Done

4. Done

Performance seems OK, although booting up took over a minute. It is usually much shorter than that. No popups, HJT scan time is normal.

I've done all the checks from my user setup, but there are 3 other users set up on this machine. Do I have to do anything to ensure that they are all clean as well?

One more thing. Spybot S&D lists some registry entries that it can't fix: Win32.Agent.I HKEY_USERS\DEFAULT\Software\Irismon and HKEY_USERS\S-1-5-18\Software\Irismon, and Command Service HKEY_Local_Machine\System\ControlSet001\Services\cmdService, same in \ControlSet\.

Regedit shows the Irismon entries, but not the cmdService ones. Spybot S&D keeps finding them both, but was always clean prior to this infection.

Thanks for your patience, I truly appreciate your efforts!

rsh9116

#11 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:22 PM

Posted 13 October 2006 - 03:56 AM

Hi rsh9116, :thumbsup:

1. To begin with:

Thanks for your patience, I truly appreciate your efforts!


You're very welcome.

2.

Performance seems OK, although booting up took over a minute. It is usually much shorter than that. No popups, HJT scan time is normal.


Good news.

3.

After applying your fix.reg file, Cleanmgr now won't run at all... It did work prior to this blowup so I don't think it's because Windows isn't up to date.


Okay, if you want me to, I will search for other ways to restore Cleanmanager, but for the moment use ATF Cleaner which, as I explained earlier, is a better tool anyhow.

4. As far as I can see you don't have a firewall installed. Please do, since it's your first defence against all kinds of threats. There are several good but free programmes available, like:

Sygate
Kerio
Zone alarm

For a tutorial on Firewalls click: Understanding and Using Firewalls!

5. Download GMER from here:
http://www.gmer.net/files.php

Unzip it to the desktop (right click and choose Extract all).

Open the program and click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
Click on Scan.
When the scan has run, click Copy and paste the results (if any) into this thread.

#12 rsh9116

rsh9116
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:22 PM

Posted 13 October 2006 - 05:11 AM

Falu,

It certainly seems like the performance is completely back to normal... :thumbsup:

I use ZoneAlarm on my other PC, so I added it to this one also.

Here is the GMER Log.

GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2006-10-13 05:01:45
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.11 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

---- Devices - GMER 1.0.11 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [EE59F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [EE59F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [EE59F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [EE59F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [EE59F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [EE59F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [EE59F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [EE59F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [EE59F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [EE59F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [EE59F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [EE59F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [EE59F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [EE59F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [EE59F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [EE59F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [EE59F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [EE59F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [EE59F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [EE59F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [EE59F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [EE59F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [EE59F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [EE59F2A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [EE59F2A0] vsdatant.sys
Device \FileSystem\Fastfat \Fat IRP_MJ_CREATE ED2FF143
Device \FileSystem\Fastfat \Fat IRP_MJ_CLOSE ED2FF1BD
Device \FileSystem\Fastfat \Fat IRP_MJ_READ ED2FB8A5
Device \FileSystem\Fastfat \Fat IRP_MJ_WRITE ED2FB627
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION ED2FFE1E
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION ED303081
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA ED313AC6
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_EA ED31349A
Device \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS ED310D7B
Device \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION ED2FFB3F
Device \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION ED31ACCC
Device \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL ED3016C8
Device \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL ED2FE90C
Device \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL ED310526
Device \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN ED31A219
Device \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL ED319996
Device \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP ED2FEF94
Device \FileSystem\Fastfat \Fat IRP_MJ_PNP ED308411
Device \FileSystem\Fastfat \Fat FastIoCheckIfPossible ED3159C6

---- Files - GMER 1.0.11 ----

ADS C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Inbox\401c457ccc4c6e3.tif:Xj1phwzh5qcwungrN45kt3kiCe
ADS C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Inbox\401c457ccc4c6e3.tif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Inbox\401c472d2594c7c.tif:Xj1phwzh5qcwungrN45kt3kiCe
ADS C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Inbox\401c472d2594c7c.tif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Inbox\401c47336b0f830.tif:Xj1phwzh5qcwungrN45kt3kiCe
ADS C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\Inbox\401c47336b0f830.tif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS ...

---- EOF - GMER 1.0.11 ----


I guess all that VSDATANT.SYS stuff is from ZoneAlarm. Maybe I should have installed it after the scan.

RSH9116
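
The GMER log above is read by attributing every hook to a module, which is what lets Falu say in the next post that the SSDT and TCP/IP hooks all belong to ZoneAlarm's vsdatant.sys. The following is an added example (not from the thread, and not GMER's own code) that does that attribution over a constructed excerpt of the log; the report layout and the "expected modules" check are my own. Hooks that carry only an address and no module name (the Fastfat lines) are listed separately for manual follow-up rather than judged.

```python
import re
from collections import Counter

# Excerpt constructed from the GMER log posted above (a few representative lines).
SAMPLE_LOG = """GMER 1.0.11.11390 - http://www.gmer.net
Rootkit 2006-10-13 05:01:45
Windows 5.1.2600 Service Pack 1

---- System - GMER 1.0.11 ----

SSDT \\SystemRoot\\System32\\vsdatant.sys ZwCreateFile
SSDT \\SystemRoot\\System32\\vsdatant.sys ZwOpenProcess
SSDT \\SystemRoot\\System32\\vsdatant.sys ZwTerminateProcess

---- Devices - GMER 1.0.11 ----

Device \\Driver\\Tcpip \\Device\\Tcp IRP_MJ_CREATE [EE59F2A0] vsdatant.sys
Device \\Driver\\Tcpip \\Device\\Udp IRP_MJ_CREATE [EE59F2A0] vsdatant.sys
Device \\FileSystem\\Fastfat \\Fat IRP_MJ_CREATE ED2FF143
Device \\FileSystem\\Fastfat \\Fat IRP_MJ_READ ED2FB8A5

---- Files - GMER 1.0.11 ----

ADS C:\\Documents and Settings\\All Users\\Application Data\\Microsoft\\Windows NT\\MSFax\\Inbox\\401c457ccc4c6e3.tif:Xj1phwzh5qcwungrN45kt3kiCe

---- EOF - GMER 1.0.11 ----
"""

_SECTION_RE = re.compile(r"^---- (\w+) - GMER")


def parse_gmer(text):
    """Summarise a GMER text log.

    Returns a dict with:
      ssdt         Counter of hooking module -> number of SSDT entries
      devices      Counter of module (or '<unattributed>') -> IRP hooks
      unattributed list of (driver, device, irp, address) with no module name
      ads          list of alternate data stream paths reported
    """
    section = None
    report = {"ssdt": Counter(), "devices": Counter(), "unattributed": [], "ads": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        tokens = line.split()
        if section == "System" and tokens[0] == "SSDT" and len(tokens) == 3:
            # SSDT <path of hooking module> <hooked native service>
            module = tokens[1].rsplit("\\", 1)[-1].lower()
            report["ssdt"][module] += 1
        elif section == "Devices" and tokens[0] == "Device" and len(tokens) >= 5:
            # Device <driver> <device> <IRP major> [addr] <module>   or   ... <addr>
            driver, device, irp = tokens[1:4]
            rest = tokens[4:]
            module = rest[1].lower() if rest[0].startswith("[") and len(rest) > 1 else None
            if module is None:
                report["unattributed"].append((driver, device, irp, rest[0].strip("[]")))
            report["devices"][module or "<unattributed>"] += 1
        elif section == "Files" and tokens[0] == "ADS":
            report["ads"].append(line[len("ADS "):])
    return report


def unexpected_modules(report, expected):
    """Hooking modules not in the set the analyst expects (e.g. a known firewall driver)."""
    seen = set(report["ssdt"]) | set(report["devices"])
    return sorted(m for m in seen if m not in expected and m != "<unattributed>")


if __name__ == "__main__":
    r = parse_gmer(SAMPLE_LOG)
    print("SSDT hooks by module:", dict(r["ssdt"]))
    print("Device hooks by module:", dict(r["devices"]))
    print("Unattributed hooks to look at by hand:", r["unattributed"])
    print("Modules not explained by ZoneAlarm:", unexpected_modules(r, {"vsdatant.sys"}))
```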

#13 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • OFFLINE
  • Gender:Male
  • Location:The Netherlands
  • Local time:07:22 PM

Posted 13 October 2006 - 02:01 PM

Hi rsh9116,

It certainly seems like the performance is completely back to normal...


That's good to hear.

I guess all that VSDATANT.SYS stuff is from ZoneAlarm.


Yes, it is, as you can see here.

No hidden processes are active on your computer, so that's good news as well.

I would like to perform one more scan with Panda: Panda Online

- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a few minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report together with a fresh HijackThis log.

#14 rsh9116

rsh9116
  • Topic Starter

  • Members
  • 11 posts
  • OFFLINE
  • Local time:07:22 PM

Posted 13 October 2006 - 04:11 PM

Falu,

By the time the Panda Scan had finished, I had 6 ad popups on the desktop... so something is still going on, or has managed to return... :thumbsup:

I notice that a lot of the stuff Panda found is in that odd C:\deleteme\S-1-5... subdirectory. Who puts clandestine files in a directory named "Deleteme" anyway? I haven't used Earthlink in years and it was uninstalled, but I was never able to delete some of its files.


Here are the logs you requested:



Panda Log


Incident Status Location

Adware:Adware/MediaTickets Not disinfected C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc2\uninstaller.exe
Spyware:Spyware/7r7t Not disinfected C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc4\Uninstall.exe
Adware:Adware/Mytoolbar Not disinfected C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc6\Activate.exe
Adware:Adware/IconAds Not disinfected C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc6\Uninst.exe
Spyware:Spyware/7r7t Not disinfected C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc7\Uninstall.exe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Dad\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\dad@2o7[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\Dad\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\dad@ads.pointroll[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Dad\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\dad@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Dad\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\dad@atdmt[2].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Dad\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\dad@ct.360i[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Dad\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\dad@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Dad\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\dad@fastclick[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Dad\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\dad@go[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Dad\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\dad@media.fastclick[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\Dad\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\dad@perf.overture[1].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Dad\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\dad@questionmarket[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Dad\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\dad@zedo[2].txt
Adware:adware/tvmedia Not disinfected C:\Documents and Settings\Dad\Application Data\tvmcwrd.dll
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Dad\Desktop\trouble\Hijackthis\backups\backup-20061010-145231-899.dll
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Dad\Desktop\trouble\Hijackthis\backups\backup-20061010-161357-892.dll
Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Dad\Desktop\trouble\Hijackthis\backups\backup-20061010-170219-677.dll
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Ssk.log
Spyware:Cookie/Gorillanation Not disinfected C:\Documents and Settings\Ian\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\ian@ads.gorillanation[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Ian\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\ian@atwola[2].txt
Spyware:Cookie/Centralmedia Not disinfected C:\Documents and Settings\Ian\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\ian@centralmedia[2].txt
Spyware:Cookie/Go Not disinfected C:\Documents and Settings\Ian\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\ian@go[1].txt
Spyware:Cookie/Rightmedia Not disinfected C:\Documents and Settings\Ian\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\ian@rightmedia[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\Ian\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\ian@toplist[1].txt
Spyware:Cookie/CaptainCode Not disinfected C:\Documents and Settings\Ian\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\ian@www.captaincode[1].txt
Spyware:Cookie/MyWay Not disinfected C:\Documents and Settings\Ian\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\ian@www.xzoomy[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Ian\Application Data\Earthlink\6.0\rshoffman911@earthlink.net\Cookies\ian@xiti[1].txt
Adware:Adware/ActiveSearch Not disinfected C:\Documents and Settings\Ian\Local Settings\Temp\Temporary Internet Files\Content.IE5\S5CNW7W7\dfndrff_e_uit[1].exe
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Ian\Local Settings\Temp\Temporary Internet Files\Content.IE5\YTKB692P\YazzleBundle-1281[1].exe
Adware:Adware/Sqwire Not disinfected C:\Documents and Settings\Ian\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Ian\Local Settings\Temp\YazzleBundle-1281.exe
Potentially unwanted tool:Application/PRScheduler Not disinfected C:\Documents and Settings\Ian\Start Menu\Programs\Startup\PowerReg Scheduler.exe
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Mom\Local Settings\Temp\YazzleBundle-1281.xex
Possible Virus. Renamed C:\Documents and Settings\Mom\My Documents\?racle\?srss.exe
Adware:Adware/PurityScan Not disinfected C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
Adware:Adware/WebHancer Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc14.exe[whCC-GIANT2.exe][whAgent.exe]
Adware:Adware/WebHancer Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc14.exe[whCC-GIANT2.exe][whInstaller.exe]
Adware:Adware/WebHancer Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc14.exe[whCC-GIANT2.exe][webhdll.dll]
Adware:Adware/WebHancer Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc14.exe[whCC-GIANT2.exe][whiehlpr.dll]
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc22.exe
Adware:Adware/DeluxeComunications Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc23.exe
Spyware:Spyware/7r7t Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc26\Uninstall.exe
Adware:Adware/WebHancer Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc30\hancerextramm\whCC-GIANT2.exe[whAgent.exe]
Adware:Adware/WebHancer Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc30\hancerextramm\whCC-GIANT2.exe[whInstaller.exe]
Adware:Adware/WebHancer Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc30\hancerextramm\whCC-GIANT2.exe[webhdll.dll]
Adware:Adware/WebHancer Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc30\hancerextramm\whCC-GIANT2.exe[whiehlpr.dll]
Adware:Adware/WebHancer Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc34.exe[whCC-GIANT2.exe][whAgent.exe]
Adware:Adware/WebHancer Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc34.exe[whCC-GIANT2.exe][whInstaller.exe]
Adware:Adware/WebHancer Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc34.exe[whCC-GIANT2.exe][webhdll.dll]
Adware:Adware/WebHancer Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc34.exe[whCC-GIANT2.exe][whiehlpr.dll]
Virus:Trj/PayClicker.EC Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc36.exe[ฒํว]
Adware:Adware/DigInk Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc4.exe
Adware:Adware/ISearch Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc43.exe
Adware:Adware/ActiveSearch Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc48.exe[deskbar.exe]
Adware:Adware/ActiveSearch Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc48.exe[deskbar.exe][deskbar.dll]
Adware:Adware/ActiveSearch Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc54.exe
Adware:Adware/ActiveSearch Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc55.exe
Adware:Adware/ActiveSearch Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc57.exe
Adware:Adware/DigInk Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc6.exe
Adware:Adware/ActiveSearch Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc60.exe
Adware:Adware/ISearch Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc61.exe
Adware:Adware/DeluxeComunications Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc67.exe
Spyware:Spyware/7r7t Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-1008\Dc8.exe
Adware:Adware/MediaTickets Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc2\uninstaller.exe
Spyware:Spyware/7r7t Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc25.exe
Adware:Adware/DigInk Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc27.exe
Virus:Trj/PayClicker.EC Disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc30.exe
Spyware:Spyware/7r7t Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc38.exe
Spyware:Spyware/7r7t Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc4\Uninstall.exe
Adware:Adware/DigInk Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc42.exe
Virus:Trj/PayClicker.EC Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc46.exe[ฒํว]
Adware:Adware/Mytoolbar Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc6\Activate.exe
Adware:Adware/IconAds Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc6\Uninst.exe
Spyware:Spyware/SurfSideKick Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc68.exe
Spyware:Spyware/7r7t Not disinfected C:\RECYCLER\S-1-5-21-572201350-1196351673-2954818783-500\Dc7\Uninstall.exe
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\VundoFix Backups\bxlquxmt.exe.bad
Potentially unwanted tool:Application/VSToolbar Not disinfected C:\VundoFix Backups\fbcjnepy.exe.bad
Adware:adware/popper Not disinfected C:\WINDOWS\offun.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\RGFk\l3I4.vbs
Adware:adware/searchtheweb Not disinfected C:\WINDOWS\SYSTEM32\Cache\mswinstall.exe
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\SYSTEM32\xmltok.dll
Spyware:spyware/media-motor Not disinfected C:\WINDOWS\ubber60.ini
Adware:Adware/DigInk Not disinfected C:\WINDOWS\uni_e6h.exe
Spyware:spyware/adclicker Not disinfected C:\WINDOWS\usta33.ini



HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 3:43:28 PM, on 10/13/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\AOL\1148688497\ee\AOLSoftware.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Sony Corporation\Image Transfer\SonyTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg4.EXE
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Adobe\Acrobat 6.0\Reader\AcroRd32.exe
C:\Documents and Settings\Dad\Desktop\trouble\Hijackthis\Showme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Comcast
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\Program Files\McAfee.com\Agent\mcagent.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1148688497\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [IPHSend] C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Image Transfer.lnk = ?
O4 - Global Startup: Kodak EasyShare software.lnk.disabled
O4 - Global Startup: MA111 Configuration Utility.lnk = C:\Program Files\NETGEAR\MA111 Configuration Utility\wlancfg.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Mom\Start Menu\Programs\IMVU\Run IMVU.lnk
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://www.support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0441781A-3075-4C8F-9FDB-A6BCAE8769A1} (vmLaunch Class) - http://downloads.comcast.net/videomail/vmLauncher.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.5) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {416792D8-F532-493A-BECC-1C99A1501FF9} (vmLaunch Class) - http://media2.comcast.net/anon.comcastonli...vmLauncher2.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - https://disney.go.com/games/downloads/gamem...GameManager.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

Maybe we've got this thing on the run... ???

Rich
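The O9, O16 and O23 lines in the log above each follow a fixed layout, and a helper reads them by a few simple rules: an O9 button marked "(file missing)" is a dead entry, an O16 DPF line is an ActiveX control the browser installed from a URL, and an O23 service shown with "Unknown owner" is a binary whose version info carries no company string. The parser and triage pass below is an added example, not part of the thread or of HijackThis itself; its flags are heuristics for what to look at next, not verdicts, and the sample lines are copied from the log above.

```python
"""Parse and triage HijackThis O9/O16/O23 lines.

Added example for this thread; not part of HijackThis or of any post here.
Flags are review heuristics, not verdicts: an "Unknown owner" service may be
legitimate software that simply ships without a company string.
"""
import re
from dataclasses import dataclass

# Sample lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O9 - Extra button: ComcastHSI - {669B269B-0D4E-41FB-A3D8-FD67CA94F646} - http://www.comcast.net/ (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
"""


@dataclass
class Entry:
    section: str     # "O9", "O16" or "O23"
    name: str        # button name, ActiveX class name or service display name
    target: str      # file path or URL the entry points at
    owner: str = ""  # O23 only: company string HijackThis read from the binary


# O9  - Extra button: <name> - {CLSID} - <path or URL> [(file missing)]
# O16 - DPF: {CLSID} (<class name>) - <URL or path of the .cab/.dll>
# O23 - Service: <display name> [(<service name>)] - <owner> - <path>
O9_RE = re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): (?P<name>.+?) - \{[^}]+\} - (?P<target>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{[^}]+\} \((?P<name>[^)]+)\) - (?P<target>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?)(?: \([^)]+\))? - (?P<owner>.+?) - (?P<target>.+)$")

# Folders where a service with no company string deserves the first look.
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}


def parse_line(line: str):
    """Return an Entry for a supported O9/O16/O23 line, or None for anything else."""
    for section, rx in (("O9", O9_RE), ("O16", O16_RE), ("O23", O23_RE)):
        m = rx.match(line.strip())
        if m:
            d = m.groupdict()
            return Entry(section, d["name"], d["target"], d.get("owner", ""))
    return None


def triage(e: Entry) -> list:
    """Heuristic flags for one entry; an empty list means nothing stood out."""
    flags = []
    if e.section == "O9" and e.target.endswith("(file missing)"):
        flags.append("dead entry: the target file is gone, safe to remove")
    if e.section == "O16" and e.target.lower().startswith(("http://", "https://")):
        flags.append("ActiveX control installed from the web; remove unless still needed")
    if e.section == "O23" and e.owner == "Unknown owner":
        flags.append("service binary carries no company string; verify the file")
        folder = e.target.rsplit("\\", 1)[0].lower()
        if folder in SYSTEM_DIRS:
            flags.append("no company string and living directly in a system folder; check this one first")
    return flags


def triage_log(text: str) -> list:
    """Parse every line and return (entry, flags) for the entries that got a flag."""
    out = []
    for line in text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        flags = triage(e)
        if flags:
            out.append((e, flags))
    return out


if __name__ == "__main__":
    for entry, flags in triage_log(SAMPLE_LOG):
        print(f"{entry.section:>3} {entry.name}")
        for f in flags:
            print(f"      - {f}")
```

Run against the sample, it reports the ComcastHSI button as dead, the Kaspersky web scanner control as a downloaded ActiveX control, and the two "Unknown owner" services, with the one sitting in System32 getting the extra note. None of that contradicts the helper's reading; it only orders what to verify by hand.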

#15 Falu

Falu

  • Security Colleague
  • 3,001 posts
  • Gender:Male
  • Location:The Netherlands

Posted 14 October 2006 - 01:33 PM

Hi rsh9116, :thumbsup:

HijackThis log is as clean as can be.

1. * Clean your Cache and Cookies in IE:

* Close all instances of Outlook Express and Internet Explorer
* Go to Control Panel > Internet Options > General tab
* Click the "Delete Cookies" button
* Next to it, Click the "Delete Files" button
* When prompted, place a check in: "Delete all offline content", click OK

* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):

* Go to Tools > Options.
* Click Privacy in the menu on the left side of the Options window.
* Click the Clear button located to the right of each option (History, Cookies, Cache).
* Click OK to close the Options window
Alternatively, you can clear all information stored while browsing by clicking Clear All.
A confirmation dialog box will be shown before clearing the information.

* Clean other Temporary files + Recycle bin

* Go to start > run and type: cleanmgr and click ok.
* Let it scan your system for files to remove.
* Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
* Press OK to remove them.

2. With hidden files still disabled, reboot into safe mode and delete the following folders in bold using Windows Explorer:

C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc2
C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc4
C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc6
C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc7
C:\Documents and Settings\Mom\My Documents\?racle   <-- folder name ends with "racle"
C:\WINDOWS\RGFk

...... and files in bold:

C:\Documents and Settings\Ian\Start Menu\Programs\Startup\PowerReg Scheduler.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\WINDOWS\offun.exe
C:\WINDOWS\SYSTEM32\xmltok.dll
C:\WINDOWS\ubber60.ini
C:\WINDOWS\uni_e6h.exe
C:\WINDOWS\usta33.ini

3. Reboot to go back into Normal mode.

4. Run HijackThis, click the Config... button, then go to the Misc Tools section and click Open Uninstall Manager. You'll see a list of programs; click on Save List...

The file "uninstall_list.txt" will be created. Copy and paste the contents of this file to your next reply.

5. It's clear there could still be something active on your computer, so let's dig deeper:

Download Silent Runners.zip and extract it to a new folder on your Desktop.
  • Run the Silent Runners.vbs file.
  • You will receive a prompt: "Do you want to skip supplementary searches?" - click "NO."
  • If your antivirus has a script blocker, you will get a warning asking if you want to allow Silent Runners.vbs to run.
  • This script is not malicious so please allow it.
  • A text file will appear in the folder - it's not done, let it run. (It won't appear to be doing anything!)
  • Once the "All Done!" prompt flashes up, open the text file, and copy & paste it in your next reply.
Please post the Silent Runners report along with the uninstall_list.txt.
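Step 2 above deletes the listed folders and files outright. The script below is an added example, not from the post or from any tool mentioned in this thread: it takes the same list (STEP2_TARGETS is copied from the post), expands the '?' in the '?racle' entry with glob, and moves each match into a quarantine folder, writing size and SHA-256 to a manifest so a wrong pick can be put back and a sample kept for a scanner. The temporary-directory demo at the bottom is constructed here so the code runs anywhere; the real call against C:\Quarantine is left as a comment, and the post's requirement to do this from Safe Mode still applies.

```python
"""Quarantine-before-delete for the step 2 file list.

Added example; not from the post or from any tool named in it. Instead of
deleting, each match is moved into a quarantine folder and its size and
SHA-256 recorded in a manifest, so a wrong pick can be restored and a sample
kept for a scanner. '?' is a single-character wildcard, as in '?racle'.
"""
import glob
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# The folders and files listed in step 2 of the post ('?' is the post's own wildcard).
STEP2_TARGETS = [
    r"C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc2",
    r"C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc4",
    r"C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc6",
    r"C:\Deleteme\S-1-5-21-572201350-1196351673-2954818783-500\Dc7",
    r"C:\Documents and Settings\Mom\My Documents\?racle",
    r"C:\WINDOWS\RGFk",
    r"C:\Documents and Settings\Ian\Start Menu\Programs\Startup\PowerReg Scheduler.exe",
    r"C:\Program Files\Common Files\Yazzle1281OinAdmin.exe",
    r"C:\WINDOWS\offun.exe",
    r"C:\WINDOWS\SYSTEM32\xmltok.dll",
    r"C:\WINDOWS\ubber60.ini",
    r"C:\WINDOWS\uni_e6h.exe",
    r"C:\WINDOWS\usta33.ini",
]


def sha256_of(path) -> str:
    """SHA-256 of a file, read in chunks so a large binary is not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def quarantine(targets, quarantine_dir) -> list:
    """Move every existing match of `targets` into quarantine_dir.

    Returns the manifest (one dict per moved item) and also writes it as
    manifest.json inside the quarantine folder. Entries that match nothing
    are simply skipped, so a path the post listed but the machine lacks is harmless.
    """
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for pattern in targets:
        for match in sorted(glob.glob(pattern)):   # expands '?' and '*'
            src = Path(match)
            if src == qdir or qdir in src.parents:
                continue  # never quarantine the quarantine folder itself
            # Flatten the full original path into one unique name, e.g.
            # C:\WINDOWS\offun.exe -> C__WINDOWS__offun.exe
            safe_name = str(src).replace(":", "").replace("\\", "__").replace("/", "__")
            dest = qdir / safe_name
            record = {"original": str(src), "quarantined_as": str(dest),
                      "kind": "dir" if src.is_dir() else "file"}
            if record["kind"] == "file":
                record["size"] = src.stat().st_size
                record["sha256"] = sha256_of(src)  # hash before the move, for the manifest
            shutil.move(str(src), str(dest))
            manifest.append(record)
    (qdir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def demo_in_tempdir() -> dict:
    """Build a constructed throwaway tree, quarantine from it and return a summary."""
    root = Path(tempfile.mkdtemp())
    (root / "WINDOWS").mkdir()
    (root / "WINDOWS" / "offun.exe").write_bytes(b"MZ constructed sample, not real malware")
    (root / "Docs" / "Oracle").mkdir(parents=True)        # matches the '?racle' pattern
    (root / "Docs" / "Oracle" / "data.bin").write_bytes(b"x" * 10)
    targets = [str(root / "WINDOWS" / "offun.exe"),
               str(root / "Docs" / "?racle"),
               str(root / "WINDOWS" / "usta33.ini")]       # listed but absent: skipped
    manifest = quarantine(targets, root / "Quarantine")
    leftover = [t for t in targets if glob.glob(t)]      # anything still in place
    return {"manifest": manifest, "leftover": leftover, "root": str(root)}


if __name__ == "__main__":
    print(json.dumps(demo_in_tempdir(), indent=2))
    # Real run, from Safe Mode, once every entry has been checked by hand:
    # quarantine(STEP2_TARGETS, r"C:\Quarantine")
```

Hashing happens before the move so the manifest describes the file exactly as it sat on disk; the quarantined copy can be re-hashed later to confirm it has not been touched, and the original path in each record is what you need to put an item back if a scan clears it.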
