
Terrible Infection, Winxp Pro Work Computer


This topic is locked.
6 replies to this topic

#1 spent
Members, 5 posts

Posted 31 January 2007 - 10:45 AM

Hey guys, we have a computer at work hooked up to a fairly sensitive machine [we are a lab and use this machine to test asphalts.] Lately a few in the lab have taken to using this computer despite others being available, and now it is infected and I can't seem to get it clean. Scanned with Ad-Aware & Spybot, no luck getting rid of the main problem. Included is the HijackThis log as well as the Panda ActiveScan log, respectively. Any help would be much appreciated!


=======
=======
Logfile of HijackThis v1.99.1
Scan saved at 10:33:19 AM, on 1/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\zatkinson\Desktop\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [adminwarndeadgrid] C:\Documents and Settings\All Users\Application Data\Internet Locks Admin Warn\Vc mail.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.golder.ca
O15 - Trusted Zone: http://*.golder.com
O15 - Trusted Zone: http://*.golder.gds
O15 - Trusted Zone: http://*.datagrabber.ca (HKLM)
O15 - Trusted Zone: http://*.golder.ca (HKLM)
O15 - Trusted Zone: http://*.golder.com (HKLM)
O15 - Trusted Zone: http://*.golder.gds (HKLM)
O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - https://intranet.flemingc.on.ca/nps/portal/...t/LocalExec.CAB
O16 - DPF: {2DEF4530-8CE6-41c9-84B6-A54536C90213} (BST Enterprise Reports 8.1) - http://bst.golder.com/AuroraWeb/BSTeReportsCE9.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by120w.bay120.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {90C8812D-81C2-45EA-8101-6C6F29835AE8} (BST Installer) - http://bst.golder.com/AuroraWeb/BSTeInstaller.CAB
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (BST Enterprise Reports 7.7) - http://bst.golder.com/AuroraWeb/BSTeReports.CAB
O16 - DPF: {DB797690-40E0-11D2-9BD5-0060082AE372} (Xceed Zip Control v5.0) - http://bst.golder.com/AuroraWeb/BSTeDepFiles.CAB
O16 - DPF: {E6671596-1F52-11D3-8162-00C04F8DF62C} (BST Enterprise 8.0) - http://bst.golder.com/AuroraWeb/AuroraShell.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = golder.gds
O17 - HKLM\Software\..\Telephony: DomainName = golder.gds
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = golder.gds
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = golder.gds
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Unknown owner - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent (file missing)
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Unknown owner - C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 (file missing)

======
======


Incident Status Location

Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\adelosreyes\Cookies\adelosreyes@2o7[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\adelosreyes\Cookies\adelosreyes@adultfriendfinder[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\adelosreyes\Cookies\adelosreyes@as-eu.falkag[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\adelosreyes\Cookies\adelosreyes@azjmp[1].txt
Spyware:Cookie/Casinotropez Not disinfected C:\Documents and Settings\adelosreyes\Cookies\adelosreyes@casinotropez[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\adelosreyes\Cookies\adelosreyes@com[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\adelosreyes\Cookies\adelosreyes@perf.overture[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\adelosreyes\Cookies\adelosreyes@searchportal.information[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\adelosreyes\Cookies\adelosreyes@xiti[1].txt
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\Internet Locks Admin Warn\Vc mail.exe
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\dbenipal\Cookies\dbenipal@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\dbenipal\Cookies\dbenipal@ad.yieldmanager[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\dbenipal\Cookies\dbenipal@adultfriendfinder[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\dbenipal\Cookies\dbenipal@atwola[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\dbenipal\Cookies\dbenipal@azjmp[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\dbenipal\Cookies\dbenipal@burstnet[1].txt
Spyware:Cookie/Ccbill Not disinfected C:\Documents and Settings\dbenipal\Cookies\dbenipal@ccbill[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\dbenipal\Cookies\dbenipal@cgi-bin[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\dbenipal\Cookies\dbenipal@drivecleaner[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\dbenipal\Cookies\dbenipal@searchportal.information[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\dbenipal\Cookies\dbenipal@stats.drivecleaner[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\dbenipal\Cookies\dbenipal@stats1.reliablestats[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\dbenipal\Cookies\dbenipal@toplist[1].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\dbenipal\Cookies\dbenipal@www.burstbeacon[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\dbenipal\Cookies\dbenipal@xiti[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\dbenipal\Cookies\dbenipal@yadro[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\gmcielwain\Cookies\gmcielwain@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\gmcielwain\Cookies\gmcielwain@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\gmcielwain\Cookies\gmcielwain@dist.belnk[2].txt
Spyware:Cookie/BurstBeacon Not disinfected C:\Documents and Settings\gmcielwain\Cookies\gmcielwain@www.burstbeacon[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\JBall\Cookies\jball@com[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\jcellis\Application Data\Mozilla\Firefox\Profiles\xhxz2qcn.default\cookies.txt[.atdmt.com/]
Adware:Adware/Lop Not disinfected C:\Documents and Settings\jcellis\Application Data\roam mess love\Body Site Load.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\jcellis\Application Data\roam mess love\icfikvzr.exe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\jcellis\Cookies\jcellis@2o7[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\jcellis\Cookies\jcellis@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\jcellis\Cookies\jcellis@ad.yieldmanager[1].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\jcellis\Cookies\jcellis@advertising[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\jcellis\Cookies\jcellis@as-eu.falkag[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\jcellis\Cookies\jcellis@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\jcellis\Cookies\jcellis@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\jcellis\Cookies\jcellis@azjmp[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\jcellis\Cookies\jcellis@c5.zedo[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\jcellis\Cookies\jcellis@hitbox[2].txt
Spyware:Cookie/Lop Not disinfected C:\Documents and Settings\jcellis\Cookies\jcellis@lop[1].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\jcellis\Cookies\jcellis@tribalfusion[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\jcellis\Cookies\jcellis@zedo[2].txt
Adware:Adware/Lop Not disinfected C:\Documents and Settings\jcellis\Local Settings\Temp\bis1A.exe
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\jproulx\Cookies\jproulx@atwola[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\jproulx\Cookies\jproulx@belnk[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\jproulx\Cookies\jproulx@com[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\jproulx\Cookies\jproulx@dist.belnk[2].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\jtimms\Cookies\jtimms@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\jtimms\Cookies\jtimms@ad.yieldmanager[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\jtimms\Cookies\jtimms@adultfriendfinder[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\jtimms\Cookies\jtimms@atwola[2].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\jtimms\Cookies\jtimms@azjmp[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\jwenborn\Cookies\jwenborn@did-it[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\jwenborn\Cookies\jwenborn@i.screensavers[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\mvanlonden\Application Data\Mozilla\Firefox\Profiles\swq44z3k.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\mvanlonden\Application Data\Mozilla\Firefox\Profiles\swq44z3k.default\cookies.txt[.2o7.net/]
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\mvanlonden\Application Data\Mozilla\Firefox\Profiles\swq44z3k.default\cookies.txt[.advertising.com/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\mvanlonden\Application Data\Mozilla\Firefox\Profiles\swq44z3k.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\mvanlonden\Application Data\Mozilla\Firefox\Profiles\swq44z3k.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\mvanlonden\Application Data\Mozilla\Firefox\Profiles\swq44z3k.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/Mammamediasolutions Not disinfected C:\Documents and Settings\mvanlonden\Application Data\Mozilla\Firefox\Profiles\swq44z3k.default\cookies.txt[.targetnet.com/]
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\mvanlonden\Application Data\Mozilla\Firefox\Profiles\swq44z3k.default\cookies.txt[.as-us.falkag.net/]
Spyware:Cookie/BurstNet Not disinfected C:\Documents and Settings\mvanlonden\Application Data\Mozilla\Firefox\Profiles\swq44z3k.default\cookies.txt[.burstnet.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\mvanlonden\Cookies\mvanlonden@2o7[1].txt
Spyware:Cookie/888 Not disinfected C:\Documents and Settings\mvanlonden\Cookies\mvanlonden@888[2].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\mvanlonden\Cookies\mvanlonden@ad.yieldmanager[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\mvanlonden\Cookies\mvanlonden@adrevolver[1].txt
Spyware:Cookie/Adrevolver Not disinfected C:\Documents and Settings\mvanlonden\Cookies\mvanlonden@adrevolver[2].txt
Spyware:Cookie/PointRoll Not disinfected C:\Documents and Settings\mvanlonden\Cookies\mvanlonden@ads.pointroll[2].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\mvanlonden\Cookies\mvanlonden@adultfriendfinder[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\mvanlonden\Cookies\mvanlonden@advertising[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\mvanlonden\Cookies\mvanlonden@as-eu.falkag[2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\mvanlonden\Cookies\mvanlonden@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\mvanlonden\Cookies\mvanlonden@atwola[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\mvanlonden\Cookies\mvanlonden@azjmp[1].txt
Spyware:Cookie/Bfast Not disinfected C:\Documents and Settings\mvanlonden\Cookies\mvanlonden@bfast[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\mvanlonden\Cookies\mvanlonden@c5.zedo[1].txt
Spyware:Cookie/Casinotropez Not disinfected C:\Documents and Settings\mvanlonden\Cookies\mvanlonden@casinotropez[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\mvanlonden\Cookies\mvanlonden@com[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\mvanlonden\Cookies\mvanlonden@doubleclick[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\mvanlonden\Cookies\mvanlonden@fastclick[1].txt
Spyware:Cookie/Hitbox Not disinfected C:\Documents and Settings\mvanlonden\Cookies\mvanlonden@hitbox[2].txt
Spyware:Cookie/Lop Not disinfected C:\Documents and Settings\mvanlonden\Cookies\mvanlonden@lop[2].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\mvanlonden\Cookies\mvanlonden@media.fastclick[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\mvanlonden\Cookies\mvanlonden@questionmarket[1].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\mvanlonden\Cookies\mvanlonden@searchportal.information[1].txt
Spyware:Cookie/Toplist Not disinfected C:\Documents and Settings\mvanlonden\Cookies\mvanlonden@toplist[2].txt
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\mvanlonden\Cookies\mvanlonden@tribalfusion[1].txt
Spyware:Cookie/Lop Not disinfected C:\Documents and Settings\mvanlonden\Cookies\mvanlonden@www.lop[1].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\mvanlonden\Cookies\mvanlonden@zedo[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\zatkinson\Application Data\Mozilla\Firefox\Profiles\ckrsi5vt.default\cookies.txt[searchportal.information.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\zatkinson\Cookies\zatkinson@2o7[1].txt
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\zatkinson\Cookies\zatkinson@adultfriendfinder[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\zatkinson\Cookies\zatkinson@as-eu.falkag[1].txt
Spyware:Cookie/Azjmp Not disinfected C:\Documents and Settings\zatkinson\Cookies\zatkinson@azjmp[1].txt
Spyware:Cookie/Casinotropez Not disinfected C:\Documents and Settings\zatkinson\Cookies\zatkinson@casinotropez[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\RECYCLER\S-1-5-21-1791958624-738914330-1306219403-43847\Dc1.txt
Spyware:Cookie/2o7 Not disinfected C:\RECYCLER\S-1-5-21-1791958624-738914330-1306219403-43847\Dc7.txt
Adware:Adware/Secure32 Not disinfected C:\RECYCLER\S-1-5-21-1791958624-738914330-1306219403-64027\Dc6.zip[crack.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\SmitfraudFix\Process.exe
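
Added example, not part of the original thread and not code from HijackThis or Panda: a small Python triage script for logs like the two posted above. It parses the O2 (BHO) and O4 (autorun) lines of a HijackThis 1.99 log and the "Incident Status Location" lines of a Panda ActiveScan report, then flags autorun targets that live under a user profile directory (writable without admin rights), orphaned registrations whose file is gone, and, as a labelled heuristic, parent folders named from three or more random words, which is how the Lop family names its drop directories ("Internet Locks Admin Warn", "roam mess love"). Each flagged entry is cross-referenced against the scanner hits, and a second function lists scanner hits that no autorun points at, since those stay on disk even after the Run key is cleaned. The sample input is a subset of the lines posted above; the trusted-root list and the word-count threshold are my assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Sample input: a subset of the HijackThis log and Panda report posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [adminwarndeadgrid] C:\Documents and Settings\All Users\Application Data\Internet Locks Admin Warn\Vc mail.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
"""
SAMPLE_PANDA = r"""
Adware:Adware/Lop Not disinfected C:\Documents and Settings\All Users\Application Data\Internet Locks Admin Warn\Vc mail.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\jcellis\Application Data\roam mess love\Body Site Load.exe
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\zatkinson\Cookies\zatkinson@2o7[1].txt
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run(?:Once|Services)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^(?:Global )?Startup: (?P<name>.+?) = (?P<cmd>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<cmd>.*)$")
PARSERS = {"O4": (RUN_RE, STARTUP_RE), "O2": (BHO_RE,)}
# Target path: a quoted string, or an unquoted run up to the first executable-looking
# extension (HijackThis prints unquoted registry values with spaces exactly as stored).
PATH_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>.+?\.(?:exe|dll|lnk|scr|com|bat|cmd|vbs|pif)))', re.I)
PANDA_RE = re.compile(r"^[^:]+:(?P<det>\S+) (?:Not disinfected|Disinfected|Deleted) (?P<path>.+)$")
# Assumed policy, not something HijackThis provides: autoruns are expected under these
# roots, and anything under a profile directory is writable by an ordinary user.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")
USER_WRITABLE = ("\\documents and settings\\", "\\local settings\\temp\\", "\\application data\\")


@dataclass
class Entry:
    section: str
    name: str
    path: Optional[str]  # None when HijackThis reports "(no file)" / "(file missing)"
    reasons: List[str] = field(default_factory=list)
    detection: Optional[str] = None  # scanner detection name, e.g. "Adware/Lop"


def _target_path(cmd: str) -> Optional[str]:
    cmd = cmd.strip()
    if cmd == "(no file)" or cmd.endswith("(file missing)"):
        return None
    m = PATH_RE.match(cmd)
    return (m.group("q") or m.group("u")) if m else cmd


def parse_hjt(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        for rx in (PARSERS.get(m.group("sec"), ()) if m else ()):
            hit = rx.match(m.group("body"))
            if hit:
                entries.append(Entry(m.group("sec"), hit.group("name"), _target_path(hit.group("cmd"))))
                break
    return entries


def parse_panda(text: str) -> Dict[str, str]:
    """Map lower-cased file path -> detection name."""
    hits: Dict[str, str] = {}
    for raw in text.splitlines():
        m = PANDA_RE.match(raw.strip())
        if m:
            hits[m.group("path").lower()] = m.group("det")
    return hits


def assess(entry: Entry) -> List[str]:
    if entry.path is None:
        return ["orphaned registration: target file is missing"]
    p, reasons = entry.path.lower(), []
    if any(marker in p for marker in USER_WRITABLE):
        reasons.append("autorun target lives in a user-writable profile location")
    elif not p.startswith(TRUSTED_ROOTS):
        reasons.append("autorun target is outside the Windows and Program Files trees")
    # Heuristic (assumption): Lop drops into folders named from random words; 3+ words is a cheap tell.
    parent = entry.path.rsplit("\\", 2)[-2] if entry.path.count("\\") >= 2 else ""
    if len(parent.split()) >= 3:
        reasons.append(f"parent folder name looks randomly generated: '{parent}'")
    return reasons


def triage(hjt_text: str, panda_text: str) -> List[Entry]:
    """Autorun/BHO entries worth removing, with reasons and any scanner detection attached."""
    hits, findings = parse_panda(panda_text), []
    for e in parse_hjt(hjt_text):
        e.reasons = assess(e)
        e.detection = hits.get(e.path.lower()) if e.path else None
        if e.detection:
            e.reasons.append(f"flagged by scanner as {e.detection}")
        if e.reasons:
            findings.append(e)
    return findings


def scanner_hits_without_autorun(hjt_text: str, panda_text: str) -> List[str]:
    """Non-cookie scanner hits that no autorun points at: still on disk, remove by hand."""
    autorun = {e.path.lower() for e in parse_hjt(hjt_text) if e.path}
    return sorted(p for p, det in parse_panda(panda_text).items()
                  if not det.startswith("Cookie/") and p not in autorun)
```

Run against the first log it singles out the [adminwarndeadgrid] entry (which Panda already names Adware/Lop) and the dead BHO {7E853D72-...}; the jcellis "roam mess love" executables only appear in the second list, because nothing in the Run keys references them. One caveat when reading the O23 lines: HijackThis 1.99.1 prints "Unknown owner" and "(file missing)" for the two Sophos services because their ImagePath is a quoted path followed by arguments, which it mis-parses; the running-process list at the top of the same log shows ManagementAgentNT.exe and RouterNT.exe running, so those are parser artifacts, not missing files.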


#2 rookie147
Members, 5,321 posts

Posted 31 January 2007 - 12:54 PM

Hello spent, and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
You're using an outdated version of Java (latest one is Java Runtime Environment (JRE) 6). Please update and remove the older versions. Do the following:
Go to Start | Control Panel | Add/Remove Programs
Search the list for all previously installed versions of Java (J2SE Runtime Environment...).
It should have the Java icon next to it.
Select it and click Remove.
Then download and install the newest version from here:
Java Runtime Environment (JRE) 6

Please download NoLop to your Desktop.
First close any other programs you have running; this will need you to reboot.
Double click NoLop.exe to run it
Now click the button labelled Search and Destroy
<<Your computer will now be scanned for infected files>>
When scanning is finished you will be prompted to reboot only if infected, click OK.
Now click the REBOOT button.
A message should popup from NoLop. If not, double click the program again and it will finish. Please post the contents of C:\NoLop.log in your next reply.

Note: If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered", please download mscomctl.ocx to your System32 folder then re-run the program.

Please move HijackThis to a permanent folder. Anywhere is fine, other than your Desktop or a temporary folder. If it is in one of these locations, there is a risk that you may accidentally delete the backups; which may be needed if we fix something we're not meant to.
If you use Windows XP it may be that you just double clicked on the HijackThis.exe file, but this only extracts the file to a temporary folder. If you right click on it and select Extract, you can choose a folder to place it in.

How to make a permanent folder:
Click Start | My Computer | Local Disk (C:) | Program Files.
In the menu bar at the top, go to File | New | Folder.
That will create a folder named "New Folder", which you can rename to "HijackThis". You have now created C:\Program Files\HijackThis.
Now get your HijackThis.exe file and place it in your folder.

Please post me back the NoLop log, along with a new HijackThis log.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 spent (Topic Starter)
Members, 5 posts

Posted 02 February 2007 - 09:54 AM

Thank you very much!

OK, included here is the NoLop log file as well as the HijackThis log, which I moved to root C:\

===
===
NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\zatkinson\Desktop
[2/2/2007]
[9:37:41 AM]

---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.

---Listing AppData sub directories---

C:\Documents and Settings\Adelosreyes\Application Data\Adobe
C:\Documents and Settings\Adelosreyes\Application Data\Adobeaum
C:\Documents and Settings\Adelosreyes\Application Data\Adobeum
C:\Documents and Settings\Adelosreyes\Application Data\Google
C:\Documents and Settings\Adelosreyes\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Adelosreyes\Application Data\Identities
C:\Documents and Settings\Adelosreyes\Application Data\Intertrust
C:\Documents and Settings\Adelosreyes\Application Data\Lavasoft
C:\Documents and Settings\Adelosreyes\Application Data\Leadertech
C:\Documents and Settings\Adelosreyes\Application Data\Macromedia
C:\Documents and Settings\Adelosreyes\Application Data\Media Player Classic -- EMPTY Directory
C:\Documents and Settings\Adelosreyes\Application Data\Microsoft
C:\Documents and Settings\Adelosreyes\Application Data\Mozilla
C:\Documents and Settings\Adelosreyes\Application Data\Nikon
C:\Documents and Settings\Adelosreyes\Application Data\Pc Tools
C:\Documents and Settings\Adelosreyes\Application Data\Roxio
C:\Documents and Settings\Adelosreyes\Application Data\Sun
C:\Documents and Settings\Adelosreyes\Application Data\U3
C:\Documents and Settings\Adelosreyes\Application Data\Vlc
C:\Documents and Settings\All Users\Application Data\Adobe
C:\Documents and Settings\All Users\Application Data\Google
C:\Documents and Settings\All Users\Application Data\Internet Locks Admin Warn
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Pure Networks
C:\Documents and Settings\All Users\Application Data\Quicktime
C:\Documents and Settings\All Users\Application Data\Sophos
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
C:\Documents and Settings\All Users\Application Data\Temp -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\U3
C:\Documents and Settings\Dbenipal\Application Data\Adobe
C:\Documents and Settings\Dbenipal\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Dbenipal\Application Data\Google
C:\Documents and Settings\Dbenipal\Application Data\Identities
C:\Documents and Settings\Dbenipal\Application Data\Macromedia
C:\Documents and Settings\Dbenipal\Application Data\Microsoft
C:\Documents and Settings\Dbenipal\Application Data\Nikon
C:\Documents and Settings\Dbenipal\Application Data\Roxio
C:\Documents and Settings\Dbenipal\Application Data\Sun
C:\Documents and Settings\Default User\Application Data\Identities
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Dguillet\Application Data\Adobe
C:\Documents and Settings\Dguillet\Application Data\Identities
C:\Documents and Settings\Dguillet\Application Data\Microsoft
C:\Documents and Settings\Gmcielwain\Application Data\Adobe
C:\Documents and Settings\Gmcielwain\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Gmcielwain\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Gmcielwain\Application Data\Identities
C:\Documents and Settings\Gmcielwain\Application Data\Macromedia
C:\Documents and Settings\Gmcielwain\Application Data\Microsoft
C:\Documents and Settings\Gmcielwain\Application Data\Mozilla
C:\Documents and Settings\Hd_drange\Application Data\Identities
C:\Documents and Settings\Hd_drange\Application Data\Microsoft
C:\Documents and Settings\Jcellis\Application Data\Adobe
C:\Documents and Settings\Jcellis\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Jcellis\Application Data\Google
C:\Documents and Settings\Jcellis\Application Data\Identities
C:\Documents and Settings\Jcellis\Application Data\Macromedia
C:\Documents and Settings\Jcellis\Application Data\Microsoft
C:\Documents and Settings\Jcellis\Application Data\Mozilla
C:\Documents and Settings\Jcellis\Application Data\Pc Tools
C:\Documents and Settings\Jcellis\Application Data\Roam Mess Love
C:\Documents and Settings\Jrose\Application Data\Adobe
C:\Documents and Settings\Jrose\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Jrose\Application Data\Google
C:\Documents and Settings\Jrose\Application Data\Identities
C:\Documents and Settings\Jrose\Application Data\Macromedia
C:\Documents and Settings\Jrose\Application Data\Microsoft
C:\Documents and Settings\Jtimms\Application Data\Adobe
C:\Documents and Settings\Jtimms\Application Data\Adobeum -- EMPTY Directory
C:\Documents and Settings\Jtimms\Application Data\Google
C:\Documents and Settings\Jtimms\Application Data\Identities
C:\Documents and Settings\Jtimms\Application Data\Macromedia
C:\Documents and Settings\Jtimms\Application Data\Microsoft
C:\Documents and Settings\Jwatkins\Application Data\Identities
C:\Documents and Settings\Jwatkins\Application Data\Microsoft
C:\Documents and Settings\Localservice\Application Data\Identities
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Mvanlonden\Application Data\Adobe
C:\Documents and Settings\Mvanlonden\Application Data\Adobeaum
C:\Documents and Settings\Mvanlonden\Application Data\Adobeum
C:\Documents and Settings\Mvanlonden\Application Data\Google
C:\Documents and Settings\Mvanlonden\Application Data\Identities
C:\Documents and Settings\Mvanlonden\Application Data\Leadertech
C:\Documents and Settings\Mvanlonden\Application Data\Macromedia
C:\Documents and Settings\Mvanlonden\Application Data\Media Player Classic
C:\Documents and Settings\Mvanlonden\Application Data\Microsoft
C:\Documents and Settings\Mvanlonden\Application Data\Mozilla
C:\Documents and Settings\Mvanlonden\Application Data\Nikon
C:\Documents and Settings\Mvanlonden\Application Data\Pc Tools
C:\Documents and Settings\Mvanlonden\Application Data\Sun
C:\Documents and Settings\Mvanlonden\Application Data\Vlc
C:\Documents and Settings\Networkservice\Application Data\Microsoft
C:\Documents and Settings\Sabu-eledam\Application Data\Adobe
C:\Documents and Settings\Sabu-eledam\Application Data\Leadertech
C:\Documents and Settings\Sabu-eledam\Application Data\Microsoft
C:\Documents and Settings\Zatkinson\Application Data\Adobe
C:\Documents and Settings\Zatkinson\Application Data\Google
C:\Documents and Settings\Zatkinson\Application Data\Identities
C:\Documents and Settings\Zatkinson\Application Data\Lavasoft
C:\Documents and Settings\Zatkinson\Application Data\Macromedia
C:\Documents and Settings\Zatkinson\Application Data\Microsoft
C:\Documents and Settings\Zatkinson\Application Data\Mozilla
C:\Documents and Settings\Zatkinson\Application Data\Pc Tools
C:\Documents and Settings\Zatkinson\Application Data\Smartftp
C:\Documents and Settings\Zatkinson\Application Data\Sun
C:\Documents and Settings\Zatkinson\Application Data\Vlc

===
===

Logfile of HijackThis v1.99.1
Scan saved at 9:39:35 AM, on 2/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe
C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
C:\Program Files\Sophos\Remote Management System\RouterNT.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sophos\AutoUpdate\ALMon.exe
C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\hijack this\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-ca\msntb.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [adminwarndeadgrid] C:\Documents and Settings\All Users\Application Data\Internet Locks Admin Warn\Vc mail.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: AutoUpdate Monitor.lnk = C:\Program Files\Sophos\AutoUpdate\ALMon.exe
O4 - Global Startup: NkbMonitor.exe.lnk = C:\Program Files\Nikon\PictureProject\NkbMonitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.golder.ca
O15 - Trusted Zone: http://*.golder.com
O15 - Trusted Zone: http://*.golder.gds
O15 - Trusted Zone: http://*.datagrabber.ca (HKLM)
O15 - Trusted Zone: http://*.golder.ca (HKLM)
O15 - Trusted Zone: http://*.golder.com (HKLM)
O15 - Trusted Zone: http://*.golder.gds (HKLM)
O16 - DPF: {2B1AA38D-2D12-11D5-AAD0-00C04FA03D78} (LocalExec Control) - https://intranet.flemingc.on.ca/nps/portal/...t/LocalExec.CAB
O16 - DPF: {2DEF4530-8CE6-41c9-84B6-A54536C90213} (BST Enterprise Reports 8.1) - http://bst.golder.com/AuroraWeb/BSTeReportsCE9.CAB
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by120w.bay120.mail.live.com/mail/re...es/MsnPUpld.cab
O16 - DPF: {90C8812D-81C2-45EA-8101-6C6F29835AE8} (BST Installer) - http://bst.golder.com/AuroraWeb/BSTeInstaller.CAB
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.photolab.ca/en/Photo/ImageUploader3.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {C4847596-972C-11D0-9567-00A0C9273C2A} (BST Enterprise Reports 7.7) - http://bst.golder.com/AuroraWeb/BSTeReports.CAB
O16 - DPF: {DB797690-40E0-11D2-9BD5-0060082AE372} (Xceed Zip Control v5.0) - http://bst.golder.com/AuroraWeb/BSTeDepFiles.CAB
O16 - DPF: {E6671596-1F52-11D3-8162-00C04F8DF62C} (BST Enterprise 8.0) - http://bst.golder.com/AuroraWeb/AuroraShell.CAB
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = golder.gds
O17 - HKLM\Software\..\Telephony: DomainName = golder.gds
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = golder.gds
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = golder.gds
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Sophos Anti-Virus status reporter (SAVAdminService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SAVAdminService.exe
O23 - Service: Sophos Anti-Virus (SAVService) - Sophos Plc - C:\Program Files\Sophos\Sophos Anti-Virus\SavService.exe
O23 - Service: Sophos Agent - Unknown owner - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent (file missing)
O23 - Service: Sophos AutoUpdate Service - Sophos Plc - C:\Program Files\Sophos\AutoUpdate\ALsvc.exe
O23 - Service: Sophos Message Router - Unknown owner - C:\Program Files\Sophos\Remote Management System\RouterNT.exe" -service -name Router -ORBListenEndpoints iiop://:8193/ssl_port=8194 (file missing)

Edited by spent, 02 February 2007 - 10:05 AM.


#4 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:05:53 PM

Posted 02 February 2007 - 10:21 AM

Hey there,
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, and there is no internet access.

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [adminwarndeadgrid] C:\Documents and Settings\All Users\Application Data\Internet Locks Admin Warn\Vc mail.exe


Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.

Set your system to show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Next, please find and delete the following folders (if present):

C:\Documents and Settings\All Users\Application Data\Internet Locks Admin Warn
C:\Documents and Settings\Jcellis\Application Data\Roam Mess Love

Reboot into Normal Mode again.

Please do an online scan with Kaspersky WebScanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on Next
Select a target to scan; click on My Computer
The scan will take a while so be patient and let it run.
Once the scan is complete choose the option to Save as Text
Post these results in your next reply.

Please post me back the Kaspersky report, and let me know - how are things running?
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.

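The triage rookie147 applied to the log above, written out as a small Python script (an added example for this thread, not a BleepingComputer or HijackThis tool): it parses HijackThis entry lines, marks "(no file)" references and HKLM Run entries that launch from a profile's Application Data folder as candidates to tick for Fix Checked, and sends O23 "(file missing)" service lines to manual verification instead. The sample lines are copied from the posted log; the section regexes and the "verify" rule are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a handful of entry lines copied from the HijackThis log
# posted earlier in this thread (not the whole log).
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [adminwarndeadgrid] C:\Documents and Settings\All Users\Application Data\Internet Locks Admin Warn\Vc mail.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Sophos Agent - Unknown owner - C:\Program Files\Sophos\Remote Management System\ManagementAgentNT.exe" -service -name Agent (file missing)
"""

# "O4 - HKLM\..\Run: [name] command" -> section code plus the rest of the line.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Leading executable of a command line, with or without surrounding quotes.
EXE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.exe)', re.IGNORECASE)

# Profile data folders are writable without admin rights; on XP a machine-wide
# (HKLM) autostart that launches from one deserves a close look.
PROFILE_ROOT = "c:\\documents and settings\\"


@dataclass(frozen=True)
class Finding:
    line: str
    verdict: str   # "fix": tick it in HijackThis; "verify": check by hand first
    reason: str


def exe_path(cmd: str) -> Optional[str]:
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else None


def is_profile_data_path(path: str) -> bool:
    p = path.lower()
    return p.startswith(PROFILE_ROOT) and "\\application data\\" in p


def triage_line(line: str) -> Optional[Finding]:
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None          # process list, headers, blank lines
    section, body = m.group("section"), m.group("body")
    if body.endswith("(no file)"):
        return Finding(line, "fix", f"{section} entry references a file that no longer exists")
    if section == "O4":
        run = RUN_RE.match(body)
        path = exe_path(run.group("cmd")) if run else None
        if path and is_profile_data_path(path):
            return Finding(line, "fix", "autostart launches from a profile Application Data folder")
    if section == "O23" and body.endswith("(file missing)"):
        # The process list in the same log shows ManagementAgentNT.exe running,
        # so here "(file missing)" is a path-parsing quirk (stray quote in the
        # service path), not a dead entry: verify on disk instead of removing.
        return Finding(line, "verify", "service path reported missing; confirm the binary on disk")
    return None


def triage(log_text: str) -> List[Finding]:
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def fix_list(log_text: str) -> List[str]:
    """Entries a HijackThis user would tick before pressing Fix Checked."""
    return [f.line for f in triage(log_text) if f.verdict == "fix"]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.verdict}] {f.reason}\n    {f.line}")
```

Run against the sample it returns exactly the three entries rookie147 asked to have fixed, and one Sophos service line to verify.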

#5 spent

spent
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:12:53 PM

Posted 02 February 2007 - 01:23 PM

Thanks so much, the pop ups seem to be gone, but I think this kaspersky has found some other things:


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, February 02, 2007 1:20:43 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 2/02/2007
Kaspersky Anti-Virus database records: 249460
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\

Scan Statistics:
Total number of scanned objects: 105219
Number of viruses found: 1
Number of infected objects: 2 / 0
Number of suspicious objects: 0
Duration of the scan process: 01:19:01

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7b25ed98d55b3d2813ef029a08689a31_f6adaa97-bd53-465c-af86-0d93d4cfbbcf Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\Config\interchk.chk Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sophos\Sophos Anti-Virus\logs\SAV.txt Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\zatkinson\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\zatkinson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\zatkinson\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\zatkinson\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\zatkinson\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\zatkinson\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\zatkinson\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Sophos\Remote Management System\Agent\Logs\Agent-20070202-153446.log Object is locked skipped
C:\Program Files\Sophos\Remote Management System\Router\Logs\Router-20070202-153447.log Object is locked skipped
C:\RECYCLER\S-1-5-21-1791958624-738914330-1306219403-64027\Dc6.zip/crack.exe Infected: Trojan-Downloader.Win32.Harnig.bg skipped
C:\RECYCLER\S-1-5-21-1791958624-738914330-1306219403-64027\Dc6.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{7862705D-6011-4856-B5C3-BD03223A7062}\RP666\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hh.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\osk.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\sysmain.sdb Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\zipfldr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\dhcpcsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndis.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndisuio.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\netshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcdlg.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsapi.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB833998$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB833998$\sxs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\expsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexch40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjint40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjter40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msltus40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrd2x40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrd3x40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mswdat10.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mswstr10.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\vbajet32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB839645$\xpsp2res.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_1a0.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#6 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:05:53 PM

Posted 02 February 2007 - 03:58 PM

Hey,

Thanks so much, the pop ups seem to be gone, but I think this kaspersky has found some other things:

Actually, the Kaspersky report doesn't really show anything infected, which is obviously a good sign.
Please download ATF Cleaner.
Double click ATF-Cleaner.exe to run the program.
Under Main choose Select All
Click the Empty Selected button.

If you use Firefox browser
Click Firefox at the top and choose Select All
Click the Empty Selected button.
Note: If you would like to keep your saved passwords, please click "No" at the prompt.

If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
Note: If you would like to keep your saved passwords, please click "No" at the prompt.

Click Exit on the main menu to close the program.

Great job! Now that you're free from malware, please follow these simple steps to decrease the likelihood of getting re-infected again:

We need to purge your infected system restore points.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Check Turn off System Restore, click Apply, and then click OK.
More information on how to disable your system restore can be found here.

We want to create a new, clean restore point. Please first reboot your computer.
On the Desktop, right-click My Computer, then click Properties.
Click the System Restore tab near the top of the window.
Uncheck "Turn off System Restore", click Apply, and then click OK.

Click Start > All Programs > Accessories > System Tools, and select System Restore.
In the System Restore wizard, select the box next to the text labeled "Create a restore point" and click the Next button.
Type a description for your new restore point - Something like "After trojan/spyware cleanup".
Click Create, and after it has created the restore point, click "Close".
Further instructions on creating a restore point can be found here.

Set your system to not show all files.
Navigate to Start | My Computer | Tools | Folder Options.
Select the View tab. Under the "Hidden Files and Folders" heading, select "Show hidden files and folders".
Check: Hide file extensions for known file types
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Please navigate to http://windowsupdate.microsoft.com and download all the "critical updates" for Windows. This can patch many of the security holes through which attackers can gain access to your computer.
Either enable 'Automatic Updates' under Start | Control Panel | Automatic Updates, or get into the habit of checking for Windows updates regularly. I cannot stress enough how important this is.

In order to protect yourself against spyware, you should consider installing and running the following free programs:
Ad-Aware SE
A tutorial on using Ad-Aware to remove spyware from your computer may be found here.
Spybot-Search & Destroy
A tutorial on using Spybot to remove spyware from your computer may be found here. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features.
SpywareBlaster
A tutorial on using SpywareBlaster to prevent spyware from ever installing on your computer may be found here.
Make sure to keep these programs up-to-date and to run them regularly, as this can prevent a great deal of spyware hassle.

Please also read Tony Klein's excellent article: How I got Infected in the First Place
If, of course, you encounter any more problems, please let me know and I'll try my best to sort them out for you.
Thanks and happy computing,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#7 rookie147

rookie147

  • Members
  • 5,321 posts
  • OFFLINE
  • Local time:05:53 PM

Posted 08 February 2007 - 05:45 AM

Since this issue appears resolved, this topic is now closed.

If you need this topic reopened, please request this by sending me a Personal Message including a link to your thread.
This applies only to the original topic starter.

Everyone else please begin a New Topic.

If you are pleased with the service I have offered, you may like to consider making a donation.