Warning! Spyware Threat Detected On Your Pc -- Pasted On My Wallpaper


14 replies to this topic

#1 spamkill

Posted 09 March 2007 - 11:55 AM

Here is the log generated by SmitFraudFix. Please help, as this is an annoyance of the highest order.
Thanks in advance.

Logfile of HijackThis v1.99.1
Scan saved at 3:22:14 PM, on 3/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SYSTEM32\notepad.exe
C:\PROGRA~1\WinZip\winzip32.exe
C:\DOCUME~1\Guest\LOCALS~1\Temp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O1 - Hosts: 192.9.200.68 termsrv
O1 - Hosts: 172.17.1.138 nfs_server
O1 - Hosts: 172.16.4.211 drids02.am.root.local
O1 - Hosts: 172.16.4.211 drids02
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: cdromdrv32.shell_plugin - {0D708714-CF29-488B-98BE-24D1B96230AA} - C:\WINDOWS\system32\cdromdrv32.dll
O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\system32\lnwin.exe
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\ViRobotXP\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\ViRobotXP\Vrres.exe
O4 - HKLM\..\Run: [PrvDef3.0] C:\Program Files\PrvDef3.0\PrvDef3.0.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: ImageFox.lnk = ?
O4 - Global Startup: Map Network Drives.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Start 3DxWare.lnk = C:\3DxWare\3DxSrv.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'rsvp32_2.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.metastream.com/MTSInstal...MetaStream3.cab
O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} (ProductView Express) - file://C:\Program Files\proeWildfire 2.0\i486_nt\obj\pvx_install.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = designers.local
O17 - HKLM\Software\..\Telephony: DomainName = designers.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{33E53389-6AD3-49E9-AD95-05F8E2A289EF}: NameServer = 216.47.22.66,216.47.224.68
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = designers.local
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXlm server for PTC - Macrovision Corporation - C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Promise RAID message agent (RAIDmAgt) - Unknown owner - C:\Program Files\Promise\Utility\MsgAgt.exe
O23 - Service: Unigraphics Plot Server (ugiipqd) (ugiipqd) - Unknown owner - C:\WINDOWS\System32\spool\ugplot\ugiipqd.exe
O23 - Service: Unigraphics License Server (uglmd) - Macrovision Corporation - C:\Program Files\UGS\License Servers\UGNXFLEXlm\lmgrd.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\ViRobotXP\vrmonsvc.exe


#2 miekiemoes
Malware Response Team

Posted 11 March 2007 - 01:23 PM

Hi,

HijackThis is still in your temp folder, so I strongly advise you to create a permanent folder and move hijackthis.exe into it. The reason is that HijackThis creates backups, and when it's in your temp folder they can be accidentally deleted.
How do you make a permanent folder:

Click My Computer, then C:\ and then on Program Files.
In the menu bar, File->New->Folder.
That will create a folder named New Folder, which you can rename to "HJT" or "HijackThis".
Now you have C:\Program Files\HijackThis. Put your HijackThis.exe there.

Go to this page.
Enter the url of this thread in the first field.
Where it says "browse to the file that you want to submit", click the browse button next to it and browse to the following file, select it and click OK:

C:\WINDOWS\system32\cdromdrv32.dll

Then click the Send File button below.

Actually, your system is terribly infected. The problem with these infections nowadays is that they cause a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
You are most probably also dealing with a file infector that infects every exe and rar file.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

It's important you perform above steps first before proceeding with the next steps!

Then, we'll have to run a few more scans, because I have the feeling that your currently installed antivirus wasn't much help.

It's better to print out the next instructions or save it in notepad, because you also have to work in safe mode without networking support, so this page wouldn't be available then.
It is also important you don't miss a step and perform everything in the right order!!

* Please download, install, and update AVG Anti-Spyware
  • Load AVG Anti-Spyware and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Close AVG Anti-Spyware. Do not run it yet.
---------------------

* Download SDFix and save it to your Desktop.

* Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

---------------------------

* Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Do not run the scan yet.

--------------------------

* Reboot into Safe Mode (without networking support!):
To get into Windows Safe Mode, restart your computer and, just before Windows starts to load, tap the F8 key a few times.
Choose Safe Mode from the menu that will appear and press Enter.

---------------------------

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present (some entries won't be present anymore):


O2 - BHO: cdromdrv32.shell_plugin - {0D708714-CF29-488B-98BE-24D1B96230AA} - C:\WINDOWS\system32\cdromdrv32.dll
O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\system32\lnwin.exe
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.metastream.com/MTSInstal...MetaStream3.cab


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

--------------------------
  • load AVG Anti-Spyware and click on the Scanner tab at the top. Click the "Settings" tab and then change the recommended action to Quarantine and click Automatically generate report after every scan. Click back to the "Scan" tab and then click on Complete System Scan. This scan can take quite a while to run, so be prepared.
  • AVG Anti-Spyware will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG Anti-Spyware will display "All actions have been applied" on the right hand side.
  • Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (like on the Desktop).
  • Close AVG Anti-Spyware.
-----------------------
  • Double-click drweb-cureit.exe, click Start and allow it to run the express scan.
  • This will scan the files currently running in memory and, when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • It is possible that a popup appears in between asking you to buy it, or offering a 50% discount. Just close that popup again.
  • Once the short scan has finished, Click Options > Change settings
  • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the icon next to the files found (see screenshot).
  • If so, click it, then click the icon right below and select Move incurable (see screenshot).
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
-------------------------
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
Since your Winsock got corrupted as well and you have XP SP2 installed, do the following:

Go to Start > Run and type cmd
A DOS window will appear.
Type the following in the DOS window: netsh winsock reset
Hit Enter.
Reboot.

Then,

Post the following logs in your next reply:

* Log from DrWeb CureIt
* Log from AVG Antispyware
* Log from SDFix
* New HijackThislog
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
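The entries in the fix list above were picked by reading the HijackThis log line by line. The following script, added here as an example and not a tool from BleepingComputer or from the helper, shows the same triage as rules: O2 BHOs registered with no file on disk (stale hijacker leftovers), BHO DLLs loaded from outside Program Files (cdromdrv32.dll, Setup.dll), lowercase autostart executables dropped directly into system32 (adirss.exe, lnwin.exe), and the O10 broken LSP entry that is the reason for the `netsh winsock reset` step. The sample log is an excerpt copied from the log posted in this thread; the severity labels and the lowercase-name heuristic are the script's own assumptions, and any "suspicious" hit still has to be confirmed by vendor or hash lookup.

```python
"""Rule-based triage of a HijackThis 1.99 log (added example, not a BleepingComputer tool)."""
import ipaddress
import re
from dataclasses import dataclass

# Excerpt copied from the log posted in this thread; trimmed to the entry types the rules cover.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
O1 - Hosts: 192.9.200.68 termsrv
O1 - Hosts: 172.16.4.211 drids02.am.root.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: cdromdrv32.shell_plugin - {0D708714-CF29-488B-98BE-24D1B96230AA} - C:\WINDOWS\system32\cdromdrv32.dll
O2 - BHO: Setup.Setup1 - {2E65A557-173C-4DE9-860B-28FC5CACA542} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\Setup\Setup.dll
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [sysinter] C:\WINDOWS\system32\adirss.exe
O4 - HKLM\..\Run: [lnwin.exe] C:\WINDOWS\system32\lnwin.exe
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\ViRobotXP\vrmonnt.exe Main
O10 - Broken Internet access because of LSP provider 'rsvp32_2.dll' missing
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.metastream.com/MTSInstal...MetaStream3.cab
O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} (ProductView Express) - file://C:\Program Files\proeWildfire 2.0\i486_nt\obj\pvx_install.exe
O23 - Service: Promise RAID message agent (RAIDmAgt) - Unknown owner - C:\Program Files\Promise\Utility\MsgAgt.exe
"""

ENTRY_RE = re.compile(r"^([RFNO]\d+) - (.*)$")
# First Windows path ending in a binary/archive extension; tolerates spaces ("Program Files").
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|cab|ocx|scr|com)\b", re.IGNORECASE)
SYSTEM32_FILE_RE = re.compile(r"\\system32\\([^\\]+)$", re.IGNORECASE)


@dataclass
class Finding:
    severity: str  # remove | suspicious | repair | review (labels chosen for this example)
    section: str
    reason: str
    raw: str


def first_path(text):
    m = PATH_RE.search(text)
    return m.group(0) if m else None


def classify(section, body):
    """Return (severity, reason) for one entry, or None if there is nothing to report."""
    if section == "O2":
        if body.endswith("(no file)"):
            return "remove", "BHO CLSID registered but DLL missing: stale hijacker leftover, safe to fix"
        path = first_path(body)
        if path and "\\program files\\" not in path.lower():
            return "suspicious", f"BHO loaded from outside Program Files: {path}; submit for analysis"
    elif section == "O4":
        path = first_path(body)
        m = SYSTEM32_FILE_RE.search(path) if path else None
        if m:
            stem = m.group(1).rsplit(".", 1)[0]
            # Heuristic (assumption): OEM/Microsoft autostarts in system32 carry mixed-case names
            # (NvCpl, DSentry); droppers tend to write short all-lowercase ones.
            if stem.isalpha() and stem.islower():
                return "suspicious", f"unknown lowercase executable autostarted from system32: {m.group(1)}"
    elif section == "O10":
        m = re.search(r"'([^']+)'", body)
        dll = m.group(1) if m else "?"
        return "repair", f"Winsock LSP chain broken ({dll} missing): run 'netsh winsock reset' after cleanup"
    elif section == "O1":
        ip, host = body.split(":", 1)[1].split()[:2]
        scope = "private" if ipaddress.ip_address(ip).is_private else "public"
        return "review", f"hosts file maps {host} to {scope} address {ip}"
    elif section == "O16":
        origin = "remote download" if body.split(" - ")[-1].startswith("http") else "local file"
        return "review", f"ActiveX install ({origin}); keep only controls you recognise"
    elif section == "O23" and "Unknown owner" in body:
        return "review", "service without publisher string; verify the binary path"
    return None


def triage(log_text):
    """Parse every HijackThis entry line and collect the findings the rules produce."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        verdict = classify(section, body)
        if verdict:
            findings.append(Finding(verdict[0], section, verdict[1], line))
    return findings


def summary(findings):
    """Count findings per severity so the analyst sees the shape of the log at a glance."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity:>10}] {f.raw}\n             -> {f.reason}")
    print(summary(found))
```

Run it on the full posted log and the "remove" and "suspicious" findings line up with the O2 and O4 entries in the fix list, while the Adobe BHO, the NVIDIA and Dell autostarts and the Program Files services produce nothing; the O1 and O23 "review" hits here are the poster's corporate hosts entries and RAID tooling, which is why a human still has to read each reason before ticking anything in HijackThis.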

#3 spamkill (Topic Starter)

Posted 13 March 2007 - 08:42 AM

miekiemoes thanks a bunch for all your help.

While following your instructions and while downloading AVG I got the BSOD and I had to reboot with only the last few minutes of the download left.
Now there is another problem: the BSOD.

The error on the BSOD is very generic and I really have no way of knowing what really is going on.

Any ideas?

Thanks once again

#4 miekiemoes
Malware Response Team

Posted 13 March 2007 - 08:58 AM

Hi,

You wrote: "The error on the BSOD is very generic and I really have no way of knowing what really is going on."

The fact that your system is terribly infected explains why you are getting the BSODs. Keep in mind, malware damages A LOT as I already said before. Also the fact that you are most probably dealing with a file infector on top explains why you are having so many problems.
That's why I already recommended in my previous post that a format and reinstall is the fastest and especially safest solution, but it looks like you want to proceed with manual removal after all, so you have to understand that you would have to have a lot of patience and that we can't solve this with a couple of instructions. Also, the damage it already caused cannot always be repaired if you want to proceed with this manually. So you cannot expect afterwards that your system will run smoothly again and all problems are resolved, because after such a terrible infection; a lot of damage will still be present.

By the way, you also wrote:

"While following your instructions and while downloading AVG I got the BSOD and I had to reboot with only the last few minutes of the download left. Now there is another problem: the BSOD."

You said you followed instructions, however, my first instruction was to upload that file C:\WINDOWS\system32\cdromdrv32.dll. I see you didn't upload it yet. I cannot stress enough how important it is you perform all my steps in the right order.
Try to download AVG again and if that still causes a BSOD because of the malware present, skip that step and proceed with the next steps.

#5 miekiemoes
Malware Response Team

Posted 13 March 2007 - 03:12 PM

Hi,

You uploaded your HijackThis log. I guess you misunderstood my instructions.
You were not supposed to upload your HijackThis log, but this file: C:\WINDOWS\system32\cdromdrv32.dll

Please read my instructions again:

Go to this page.
Enter the url of this thread in the first field.
Where it says "browse to the file that you want to submit", click the browse button next to it and browse to the following file, select it and click OK:

C:\WINDOWS\system32\cdromdrv32.dll

Then click the Send File button below.


This is what you posted as a comment there:

Comments: Hi miekiemoes, I have followed the outlined instructions and all the files are attached.
While I want to go the long route, there are some important files I need to get. Once I am sure I can transfer them, I will think about reformatting the drive and beginning afresh.

You can transfer your important files (pictures, movies, documents, whatever) on a cd/usbstick.
But keep in mind, as I already said, there's a possibility here that all your exe files are infected, and rar files too. That means legitimate files as well. So don't back up/transfer any exe files, otherwise when you transfer them back afterwards you'll get infected again.

#6 miekiemoes
Malware Response Team

Posted 13 March 2007 - 03:24 PM

Hi, skip the step with uploading that file - we received it already from another thread.

Let me know how you want to proceed with this. In case you want to format and reinstall, read this page, which has clear instructions and screenshots on how to do this:
http://www.winsupersite.com/showcase/windowsxp_sg_clean.asp

In case you want to proceed with manual removal, perform the steps I already posted previously in the right order and post the logs I asked for afterwards.

#7 spamkill (Topic Starter)

Posted 13 March 2007 - 03:45 PM

miekiemoes wrote (Mar 13 2007, 03:24 PM):

    Hi, skip the step with uploading that file - we received it already from another thread.

    Let me know how you want to proceed with this. In case you want to format and reinstall, read this page, which has clear instructions and screenshots on how to do this:
    http://www.winsupersite.com/showcase/windowsxp_sg_clean.asp

    In case you want to proceed with manual removal, perform the steps I already posted previously in the right order and post the logs I asked for afterwards.

Here are the logs. Sorry, I misunderstood about the file and the posting of logs.

DrWeb:

Process.exe;C:\Documents and Settings\Administrator\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\Administrator\Desktop\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
Process.exe;C:\Documents and Settings\Guest\Desktop\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\Guest\Desktop\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
sm[1]._;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\678RSBUD;Trojan.Packed.34;Deleted.;
sc[1]._;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9J6DLIWX;Trojan.Packed.47;Deleted.;
sm[1]._;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\9J6DLIWX;Trojan.Packed.40;Deleted.;
dd[1]._;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\E5KLXKYP;Trojan.Packed.40;Deleted.;
msi[4]._;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\E5KLXKYP;Trojan.Packed.40;Deleted.;
via[2]._;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\E5KLXKYP;Trojan.Packed.48;Deleted.;
msi[2]._;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J2OY3FMK;Trojan.Packed.40;Deleted.;
sc[1]._;C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J2OY3FMK;Trojan.Packed.40;Deleted.;
srvany.exe;C:\LSE0900\setup;Program.SrvAny;Incurable.Moved.;
adeimywg.exe;C:\WINDOWS\SYSTEM32;Trojan.Spambot;Deleted.;
crgycrrr.exe;C:\WINDOWS\SYSTEM32;Trojan.Packed.45;Deleted.;
kpqdbnpt.exe;C:\WINDOWS\SYSTEM32;Trojan.Spambot;Deleted.;
m22.exe;C:\WINDOWS\SYSTEM32;Trojan.Spambot;Deleted.;
msi.exe;C:\WINDOWS\SYSTEM32;Trojan.Packed.40;Deleted.;
Process.exe;C:\WINDOWS\SYSTEM32;Tool.Prockill;Incurable.Moved.;
rwwqhshn.exe;C:\WINDOWS\SYSTEM32;Trojan.Spambot;Deleted.;
sc.exe.tmp;C:\WINDOWS\SYSTEM32;Trojan.Packed.47;Deleted.;
zu.exe;C:\WINDOWS\SYSTEM32;Trojan.Packed.33;Deleted.;

AVG-Log:
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:31:38 PM 3/13/2007

+ Scan result:



HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Antispyware Soldier_is1 -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-279745338-1137051371-1382438446-500\Software\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666} -> Adware.Generic : Cleaned with backup (quarantined).
HKU\S-1-5-21-279745338-1137051371-1382438446-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5929CD6E-2062-44A4-B2C5-2C7E78FBAB38} -> Adware.Generic : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SpywareSheriff_is1 -> Adware.SpywareSheriff : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\google.png.exe -> Downloader.Small.dam : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\leeqonls.exe -> Downloader.VB.ajp : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\pnbribdk.exe -> Downloader.VB.ajp : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\asgp32.dll -> Downloader.VB.apq : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\user_32.dll -> Downloader.VB.asx : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\cssknzte.exe -> Downloader.VB.att : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\gghfcyns.mrp -> Hijacker.Small.js : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\msdtc_32.exe -> Not-A-Virus.Hoax.Win32.Renos.hg : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\rsvp32_2.dll3f2tj -> Proxy.Agent.ly : Cleaned with backup (quarantined).
C:\Documents and Settings\johnevans\Cookies\johnevans@247realmedia[2].txt -> TrackingCookie.247realmedia : Cleaned.
C:\Documents and Settings\administrator.DESIGNERS.000\Cookies\administrator@microsoftwga.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\jevans\Cookies\jevans@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@buycom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@mathworks.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@meetupcom.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@adbrite[3].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@z1.adserver[1].txt -> TrackingCookie.Adserver : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@bluestreak[2].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@citi.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@centrport[1].txt -> TrackingCookie.Centrport : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@news.com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@dealtime[1].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@stat.dealtime[2].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@www.dealtime[2].txt -> TrackingCookie.Dealtime : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@e-2dj6wfk4kmd5klo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@e-2dj6wfkowmdjcdp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@e-2dj6wfl4qoajsdo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@e-2dj6wfl4wjcjgdp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@e-2dj6wfliehcpibo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@e-2dj6wflouhdzsdq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@e-2dj6wjkoeoazkeq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@e-2dj6wjkygndjwao.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@e-2dj6wjl4qkcjaep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@e-2dj6wjlysgdpcaq.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@e-2dj6wjlywldpiep.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@e-2dj6wjmiglcjskp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@e-2dj6wjny-1gcjcd.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@e-2dj6wjny-1lczsb.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@e-2dj6wjnychdpweo.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@e-2dj6wjnycjc5ogq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@e-2dj6wjnygic5gdq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@e-2dj6wjnyglazeko.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@e-2dj6wjnyolcjmfp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@e-2dj6wjnyqkcpmhp.stats.esomniture[1].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@e-2dj6wjkogjajsap.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@e-2dj6wjloeid5wfp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@e-2dj6wjlyuhajoaq.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@as1.falkag[1].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@sales.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@server.iad.liveperson[3].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\administrator.DESIGNERS.000\Cookies\administrator@overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@overture[2].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@qksrv[2].txt -> TrackingCookie.Qksrv : Cleaned.
C:\Documents and Settings\administrator.DESIGNERS.000\Cookies\administrator@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@realmedia[1].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@realmedia[2].txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@revsci[2].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@www.smartadserver[2].txt -> TrackingCookie.Smartadserver : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\johnevans\Cookies\johnevans@weborama[1].txt -> TrackingCookie.Weborama : Cleaned.
C:\Documents and Settings\jevans.old\Cookies\jevans@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\WINDOWS\SYSTEM32\intr32.dll -> Trojan.AntiSpySoldier.a : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\678RSBUD\setup[1]._ -> Worm.Zhelatin.aj : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\setup.exe.tmp -> Worm.Zhelatin.aj : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\O6H6PWQ8\via[1]._ -> Worm.Zhelatin.ba : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\ma.exe.exe -> Worm.Zhelatin.ba : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\pp.exe.exe -> Worm.Zhelatin.ba : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\zu.exe.exe -> Worm.Zhelatin.ba : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\O6H6PWQ8\dd[1]._ -> Worm.Zhelatin.bb : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\E5KLXKYP\sm[1]._ -> Worm.Zhelatin.bc : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J2OY3FMK\dd[1]._ -> Worm.Zhelatin.bc : Cleaned with backup (quarantined).
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\SXAJET6L\via[1]._ -> Worm.Zhelatin.bc : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\adirss.old -> Worm.Zhelatin.bc : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\dd.exe -> Worm.Zhelatin.bc : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\lnwin.old -> Worm.Zhelatin.bc : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\sm.exe -> Worm.Zhelatin.bc : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\J2OY3FMK\via[1]._ -> Worm.Zhelatin.bd : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\adirka.exe -> Worm.Zhelatin.bd : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\via.exe -> Worm.Zhelatin.bd : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\wincom32.sys -> Worm.Zhelatin.d : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\678RSBUD\ab[1]._ -> Worm.Zhelatin.x : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\678RSBUD\ag[1]._ -> Worm.Zhelatin.x : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\ab.exe -> Worm.Zhelatin.x : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\ac.exe -> Worm.Zhelatin.x : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\ad.exe -> Worm.Zhelatin.x : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\ae.exe -> Worm.Zhelatin.x : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\ag.exe -> Worm.Zhelatin.x : Cleaned with backup (quarantined).


::Report end

Log-SDFix:
SDFix: Version 1.71

Run by Administrator - Tue 03/13/2007 / 15:28:36.51

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
wincom32

Path:
\??\C:\WINDOWS\system32\wincom32.sys

wincom32 Deleted



Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system32\paars.ini - Deleted
C:\WINDOWS\system32\wincom32.ini - Deleted
C:\WINDOWS\system32\zlbw.dll - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\proeWildfire 2.0\\i486_nt\\obj\\xtop.exe"="C:\\Program Files\\proeWildfire 2.0\\i486_nt\\obj\\xtop.exe:*:Enabled:xtop"
"C:\\Program Files\\proeWildfire 2.0\\i486_nt\\obj\\pro_comm_msg.exe"="C:\\Program Files\\proeWildfire 2.0\\i486_nt\\obj\\pro_comm_msg.exe:*:Enabled:pro_comm_msg"
"C:\\Program Files\\proeWildfire 2.0\\i486_nt\\nms\\nmsd.exe"="C:\\Program Files\\proeWildfire 2.0\\i486_nt\\nms\\nmsd.exe:*:Enabled:nmsd"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\flexlm\\i486_nt\\obj\\lmtools.exe"="C:\\Program Files\\flexlm\\i486_nt\\obj\\lmtools.exe:*:Enabled:PTC License Server tools"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\WINDOWS\\SYSTEM32\\ae.exe"="C:\\WINDOWS\\SYSTEM32\\ae.exe:*:Enabled:enable"
"C:\\WINDOWS\\SYSTEM32\\ab.exe"="C:\\WINDOWS\\SYSTEM32\\ab.exe:*:Enabled:enable"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\ugnx2\\UGII\\ugraf.exe"="C:\\ugnx2\\UGII\\ugraf.exe:*:Disabled:Unigraphics Component"
"C:\\Program Files\\proeWildfire 2.0\\i486_nt\\obj\\pro_comm_msg.exe"="C:\\Program Files\\proeWildfire 2.0\\i486_nt\\obj\\pro_comm_msg.exe:*:Disabled:pro_comm_msg"
"C:\\Program Files\\proeWildfire 2.0\\i486_nt\\nms\\nmsd.exe"="C:\\Program Files\\proeWildfire 2.0\\i486_nt\\nms\\nmsd.exe:*:Disabled:nmsd"
"C:\\Program Files\\proeWildfire 2.0\\i486_nt\\obj\\xtop.exe"="C:\\Program Files\\proeWildfire 2.0\\i486_nt\\obj\\xtop.exe:*:Disabled:xtop"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\Documents and Settings\jevans.old\NetHood\ftp.delcoremy.com\Desktop.ini
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\Documents and Settings\johnevans\My Documents\~WRL3320.tmp
C:\WINDOWS\Temp\2on5cifv.TMP
C:\WINDOWS\Temp\rthx2g58.TMP

Finished
Hijackthis-log:

Logfile of HijackThis v1.99.1
Scan saved at 11:18:05 AM, on 3/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HJT\HijackThis.exe

O1 - Hosts: 192.9.200.68 termsrv
O1 - Hosts: 172.17.1.138 nfs_server
O1 - Hosts: 172.16.4.211 drids02.am.root.local
O1 - Hosts: 172.16.4.211 drids02
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: cdromdrv32.shell_plugin - {0D708714-CF29-488B-98BE-24D1B96230AA} - C:\WINDOWS\system32\cdromdrv32.dll
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\ViRobotXP\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\ViRobotXP\Vrres.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: ImageFox.lnk = ?
O4 - Global Startup: Map Network Drives.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Start 3DxWare.lnk = C:\3DxWare\3DxSrv.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'rsvp32_2.dll' missing
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.metastream.com/MTSInstal...MetaStream3.cab
O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} (ProductView Express) - file://C:\Program Files\proeWildfire 2.0\i486_nt\obj\pvx_install.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = designers.local
O17 - HKLM\Software\..\Telephony: DomainName = designers.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{33E53389-6AD3-49E9-AD95-05F8E2A289EF}: NameServer = 216.47.22.66,216.47.224.68
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = designers.local
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXlm server for PTC - Macrovision Corporation - C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Promise RAID message agent (RAIDmAgt) - Unknown owner - C:\Program Files\Promise\Utility\MsgAgt.exe
O23 - Service: Unigraphics Plot Server (ugiipqd) (ugiipqd) - Unknown owner - C:\WINDOWS\System32\spool\ugplot\ugiipqd.exe
O23 - Service: Unigraphics License Server (uglmd) - Macrovision Corporation - C:\Program Files\UGS\License Servers\UGNXFLEXlm\lmgrd.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\ViRobotXP\vrmonsvc.exe

Hope the above helps. Sorry for the misunderstanding, but again thanks for all your help.

#8 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:12:43 PM

Posted 13 March 2007 - 04:17 PM

Hi,

The good news is, as far as I can see, you're not dealing with the File infector version here.

It looks like the above HijackThis log was made in Safe Mode and you forgot to check and fix some entries in it.

Also, you forgot to perform this step:

Go to Start > Run and type cmd
A DOS window will appear.
Type the following in the DOS window: netsh winsock reset
Hit Enter.
Reboot.

So please perform above step first.

Then,

I see you have Windows Defender running.
The real-time protection may interfere with the fixes, that's why I want you to turn it off.

To turn real-time protection off
Open Windows Defender. (Click Start, click Programs, and then click Windows Defender.)
Click Tools, and then click General Settings.
Under Real-time protection options, Uncheck the Turn on real-time protection (recommended) check box.
Then click Save.

When your HijackThis log is clean again, please turn the real-time protection back on.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: cdromdrv32.shell_plugin - {0D708714-CF29-488B-98BE-24D1B96230AA} - C:\WINDOWS\system32\cdromdrv32.dll
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.metastream.com/MTSInstal...MetaStream3.cab


Check next entries if you didn't add them to your hosts file:

O1 - Hosts: 192.9.200.68 termsrv
O1 - Hosts: 172.17.1.138 nfs_server
O1 - Hosts: 172.16.4.211 drids02.am.root.local
O1 - Hosts: 172.16.4.211 drids02

* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Delete the contents of this folder:

C:\Windows\temp <== contents of this folder

Do NOT delete the folder itself!

Open Notepad and copy and paste the text in the quote box below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\SYSTEM32\\ae.exe"=-
"C:\\WINDOWS\\SYSTEM32\\ab.exe"=-

Save this as fix.reg (choose to save as "All files") and place it on your desktop.
It should look like this: [screenshot]
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

* Download Combofix to your desktop.
Doubleclick combofix.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.

Edited by miekiemoes, 13 March 2007 - 04:17 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
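Added example, not code from HijackThis, SDFix, ComboFix or anyone in this thread: a Python script that applies the triage rules from the post above (orphaned BHOs, hosts overrides, broken LSP chain, web-installed ActiveX, firewall exceptions for unknown system32 binaries) to sample log lines constructed from the logs quoted in this thread, and writes a REGEDIT4 deletion file in the same form as the fix.reg posted. The KNOWN_SYSTEM32 allowlist is an assumption, not something the thread states.

```python
"""Triage helpers for the HijackThis and SDFix output quoted in this thread.

Added example, not code from HijackThis, SDFix, ComboFix or the thread: it
applies the helper's rules (orphaned BHOs, hosts overrides, broken LSP chain,
web-installed ActiveX, rogue firewall exceptions) to the log text and emits
the REGEDIT4 deletion file in the same form as the fix posted above.
"""
import re

# Constructed sample lines, in the HijackThis log format shown in the thread.
HJT_SAMPLE = r"""
O1 - Hosts: 172.16.4.211 drids02
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O10 - Broken Internet access because of LSP provider 'rsvp32_2.dll' missing
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} (MetaStreamCtl Class) - http://components.metastream.com/MTSInstal...MetaStream3.cab
O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} (ProductView Express) - file://C:\Program Files\proeWildfire 2.0\i486_nt\obj\pvx_install.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = designers.local
"""

# Constructed sample of the SDFix "Authorized Application Key Export" section.
FW_SAMPLE = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\SYSTEM32\\ae.exe"="C:\\WINDOWS\\SYSTEM32\\ae.exe:*:Enabled:enable"
"C:\\WINDOWS\\SYSTEM32\\ab.exe"="C:\\WINDOWS\\SYSTEM32\\ab.exe:*:Enabled:enable"
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
# Export value format: "path"="path:*:Enabled:friendly name" (backslashes doubled)
FW_LINE = re.compile(r'^"(?P<path>[^"]+)"="(?P=path):\*:\w+:(?P<name>.*)"$')
# Assumed allowlist of Windows binaries that legitimately sit in system32.
KNOWN_SYSTEM32 = {"sessmgr.exe"}
FW_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
          r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")


def triage_hjt(text):
    """Return (section, reason, line) for every HijackThis entry worth fixing."""
    findings = []
    for line in text.strip().splitlines():
        m = HJT_LINE.match(line)
        if not m:
            continue
        section, body = m.groups()
        reason = None
        if section == "O1":
            reason = "hosts-file override; fix unless you added it yourself"
        elif section == "O2" and body.endswith("(no file)"):
            reason = "orphaned BHO registration, its DLL is already gone"
        elif section == "O10":
            reason = "broken Winsock LSP chain; run 'netsh winsock reset'"
        elif section == "O16" and re.search(r" - https?://", body):
            reason = "ActiveX control installed from the web; fix unless recognised"
        if reason:
            findings.append((section, reason, line))
    return findings


def rogue_firewall_exceptions(export_text):
    """Paths (as exported, backslashes doubled) of firewall exceptions that
    point into system32 without being known Windows binaries, or whose
    friendly name is just 'enable'/'enabled' like the two entries above."""
    rogue = []
    for line in export_text.strip().splitlines():
        m = FW_LINE.match(line)
        if not m:
            continue
        path, name = m.group("path"), m.group("name")
        parts = path.replace("\\\\", "\\").lower().split("\\")
        in_system32 = (len(parts) >= 3 and parts[-2] == "system32"
                       and parts[-3] in ("windows", "%windir%"))
        generic_name = name.strip().lower() in ("enable", "enabled")
        if generic_name or (in_system32 and parts[-1] not in KNOWN_SYSTEM32):
            rogue.append(path)
    return rogue


def build_fix_reg(paths):
    """REGEDIT4 text deleting each value ("path"=-), as in the helper's fix.reg."""
    lines = ["REGEDIT4", "", f"[{FW_KEY}]"] + [f'"{p}"=-' for p in paths]
    return "\r\n".join(lines) + "\r\n"  # .reg files use CRLF line endings


if __name__ == "__main__":
    for section, reason, line in triage_hjt(HJT_SAMPLE):
        print(f"{section}: {reason}\n    {line}")
    print(build_fix_reg(rogue_firewall_exceptions(FW_SAMPLE)))
```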

#9 spamkill

spamkill
  • Topic Starter

  • Members
  • 6 posts
  • Local time:06:43 AM

Posted 13 March 2007 - 05:23 PM

Hi, once again thanks, and you are good.

I did do the netsh reset and fixed, I thought, all of the entries. Having run HJT, I did not find any of the entries in your list. Here it is:

Logfile of HijackThis v1.99.1
Scan saved at 6:01:43 PM, on 3/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Promise\Utility\MsgAgt.exe
C:\WINDOWS\System32\spool\ugplot\ugiipqd.exe
C:\Program Files\flexlm\i486_nt\obj\ptc_d.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\UGS\License Servers\UGNXFLEXlm\lmgrd.exe
C:\Program Files\ViRobotXP\vrmonsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\Program Files\UGS\License Servers\UGNXFLEXlm\uglmd.exe
C:\Program Files\ViRobotXP\vrmonnt.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\PRISMSVR.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\VISION~1\ONETOU~2.EXE
C:\Program Files\ViRobotXP\Vrres.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\ACD Systems\ImageFox\ImageFox.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\userinit.exe
C:\Program Files\HJT\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [CTDVDDet] C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] REGSVR32.EXE /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [OneTouch Monitor] C:\PROGRA~1\VISION~1\ONETOU~2.EXE
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\ViRobotXP\vrmonnt.exe Main
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\ViRobotXP\Vrres.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: ImageFox.lnk = ?
O4 - Global Startup: Map Network Drives.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Start 3DxWare.lnk = C:\3DxWare\3DxSrv.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} (ProductView Express) - file://C:\Program Files\proeWildfire 2.0\i486_nt\obj\pvx_install.exe
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = designers.local
O17 - HKLM\Software\..\Telephony: DomainName = designers.local
O17 - HKLM\System\CCS\Services\Tcpip\..\{33E53389-6AD3-49E9-AD95-05F8E2A289EF}: NameServer = 216.47.22.66,216.47.224.68
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = designers.local
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: FLEXlm server for PTC - Macrovision Corporation - C:\Program Files\flexlm\i486_nt\obj\lmgrd.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Promise RAID message agent (RAIDmAgt) - Unknown owner - C:\Program Files\Promise\Utility\MsgAgt.exe
O23 - Service: Unigraphics Plot Server (ugiipqd) (ugiipqd) - Unknown owner - C:\WINDOWS\System32\spool\ugplot\ugiipqd.exe
O23 - Service: Unigraphics License Server (uglmd) - Macrovision Corporation - C:\Program Files\UGS\License Servers\UGNXFLEXlm\lmgrd.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\ViRobotXP\vrmonsvc.exe

Here are the ComboFix entries:

"Administrator" - 07-03-13 18:09:51 Service Pack 2
ComboFix 07-03-14.1 - Running from: "C:\Documents and Settings\Administrator\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-02-13 to 2007-03-13 ))))))))))))))))))))))))))))))))))


2007-03-13 12:33 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DoctorWeb
2007-03-13 11:12 <DIR> d-------- C:\Program Files\HJT
2007-03-13 10:56 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-03-12 17:08 <DIR> d-------- C:\AVG
2007-03-12 16:33 20,224 --a------ C:\WINDOWS\vxddsk.exe
2007-03-11 17:34 786,432 --ah----- C:\DOCUME~1\jevans\NTUSER.DAT
2007-03-11 17:34 <DIR> d-------- C:\DOCUME~1\jevans\APPLIC~1\Sun
2007-03-11 17:34 <DIR> d-------- C:\DOCUME~1\jevans\APPLIC~1\Creative
2007-03-11 17:02 29,440 --a------ C:\WINDOWS\salm.exe
2007-03-11 17:02 21,248 --a------ C:\WINDOWS\updatetc.exe
2007-03-11 17:02 17,152 --a------ C:\WINDOWS\180ax.exe
2007-03-11 17:02 16,640 --a------ C:\WINDOWS\2020search2.dll
2007-03-11 12:12 <DIR> d-------- C:\Program Files\Windows Defender
2007-03-11 12:09 <DIR> d--h----- C:\WINDOWS\PIF
2007-03-11 11:36 <DIR> d-------- C:\WINDOWS\pss
2007-03-11 10:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Dell
2007-03-09 12:25 <DIR> d-------- C:\DOCUME~1\ADMINI~1.000\APPLIC~1\ImageFox
2007-03-09 11:58 13,568 --a------ C:\WINDOWS\2020search.dll
2007-03-09 10:29 1,835,008 --ah----- C:\DOCUME~1\ADMINI~1.000\NTUSER.DAT
2007-03-09 10:29 <DIR> d-------- C:\DOCUME~1\ADMINI~1.000\APPLIC~1\Sun
2007-03-09 10:29 <DIR> d-------- C:\DOCUME~1\ADMINI~1.000\APPLIC~1\Creative
2007-03-08 18:29 524,288 --ah----- C:\DOCUME~1\ADMINI~1.DES\NTUSER.DAT
2007-03-08 18:29 <DIR> d-------- C:\DOCUME~1\ADMINI~1.DES\APPLIC~1\Sun
2007-03-08 18:29 <DIR> d-------- C:\DOCUME~1\ADMINI~1.DES\APPLIC~1\Creative
2007-03-07 17:35 3,296 --a------ C:\WINDOWS\SYSTEM32\tmp.reg
2007-03-07 16:07 79,360 --a------ C:\WINDOWS\SYSTEM32\swxcacls.exe
2007-03-07 16:07 51,200 --a------ C:\WINDOWS\SYSTEM32\dumphive.exe
2007-03-07 16:07 40,960 --a------ C:\WINDOWS\SYSTEM32\swsc.exe
2007-03-07 16:07 288,417 --a------ C:\WINDOWS\SYSTEM32\SrchSTS.exe
2007-03-07 16:07 135,168 --a------ C:\WINDOWS\SYSTEM32\swreg.exe
2007-03-07 11:52 <DIR> d-------- C:\Spyware7-03-07
2007-03-06 20:50 9,216 --a------ C:\WINDOWS\saiemod.dll
2007-03-06 20:50 31,744 --a------ C:\WINDOWS\mssvr.exe
2007-03-06 20:50 31,232 --a------ C:\WINDOWS\bjam.dll
2007-03-06 20:50 30,208 --a------ C:\WINDOWS\mspphe.dll
2007-03-06 20:50 24,320 --a------ C:\WINDOWS\SYSTEM32\WER8274.DLL
2007-03-06 20:50 24,064 --a------ C:\WINDOWS\SYSTEM32\vxddsk.exe
2007-03-06 20:50 22,272 --a------ C:\WINDOWS\SYSTEM32\MSIXU.DLL
2007-03-06 20:50 22,016 --a------ C:\WINDOWS\wml.exe
2007-03-06 20:50 14,336 --a------ C:\WINDOWS\SYSTEM32\wml.exe
2007-03-06 17:37 <DIR> d-------- C:\aatest
2007-02-24 16:16 <DIR> d-------- C:\LSE0900
2007-02-24 16:10 <DIR> d-------- C:\IMAN9


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-13 17:59 288 --a------ C:\WINDOWS\SYSTEM32\dvcstatebkp-{00000005-00000000-0000000e-00001102-00000004-10031102}.dat
2007-03-13 17:59 288 --a------ C:\WINDOWS\SYSTEM32\dvcstate-{00000005-00000000-0000000e-00001102-00000004-10031102}.dat
2007-03-11 11:04 -------- d--h----- C:\Program Files\installshield installation information
2007-03-11 11:04 -------- d-------- C:\Program Files\dell
2007-03-10 18:02 -------- d-------- C:\Program Files\virobotxp
2007-03-06 20:59 3332192 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vrcore.sys
2007-02-10 17:52 -------- d-------- C:\Program Files\theshielddeluxe
2007-02-10 17:42 40025 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\vrfil.sys
2007-02-09 19:50 8704 --a------ C:\WINDOWS\SYSTEM32\sporder.dll
2007-02-09 19:50 52 --a------ C:\WINDOWS\SYSTEM32\ymsgsmx.dll
2007-02-09 19:50 52 --a------ C:\WINDOWS\SYSTEM32\gtalsmx.dll
2007-02-09 19:50 52 --a------ C:\WINDOWS\SYSTEM32\aosmx.dll
2007-02-09 19:50 52 --a------ C:\WINDOWS\SYSTEM32\aimsmx.dll
2007-01-08 20:01 17408 --a------ C:\WINDOWS\SYSTEM32\corpol.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"Logitech Utility"="Logi_MwX.Exe"
"PRISMSVR.EXE"="\"C:\\WINDOWS\\System32\\PRISMSVR.EXE\" /APPLY"
"DVDSentry"="C:\\WINDOWS\\System32\\DSentry.exe"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy2\\Surround Mixer\\CTSysVol.exe"
"CTDVDDet"="C:\\Program Files\\Creative\\SBAudigy2\\DVDAudio\\CTDVDDet.EXE"
"CTHelper"="CTHELPER.EXE"
"AsioReg"="REGSVR32.EXE /S CTASIO.DLL"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"OneTouch Monitor"="C:\\PROGRA~1\\VISION~1\\ONETOU~2.EXE"
"Vrmon"="C:\\Program Files\\ViRobotXP\\vrmonnt.exe Main"
"VrSchedule"="C:\\Program Files\\ViRobotXP\\Vrres.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lnwin.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lnwin"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\lnwin.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysinter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="adirss"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\adirss.exe"
"inimapping"="0"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"adirka"="C:\\WINDOWS\\system32\\adirka.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"adirka"="C:\\WINDOWS\\system32\\adirka.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_VRFIL


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-13 18:13:57

Again I cannot thank you enough.
I look forward to your advice.
Thanks

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:12:43 PM

Posted 13 March 2007 - 06:09 PM

Hi,

We made improvements here... your HijackThis log looks clean again.

But we still need to get rid of some files and keys..

Browse to and delete next files:

C:\WINDOWS\vxddsk.exe
C:\WINDOWS\salm.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search2.dll
C:\WINDOWS\2020search.dll
C:\WINDOWS\saiemod.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\bjam.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\SYSTEM32\WER8274.DLL
C:\WINDOWS\SYSTEM32\vxddsk.exe
C:\WINDOWS\SYSTEM32\MSIXU.DLL
C:\WINDOWS\wml.exe
C:\WINDOWS\SYSTEM32\wml.exe
C:\WINDOWS\SYSTEM32\ymsgsmx.dll
C:\WINDOWS\SYSTEM32\gtalsmx.dll
C:\WINDOWS\SYSTEM32\aosmx.dll
C:\WINDOWS\SYSTEM32\aimsmx.dll

Open Notepad and copy and paste the text present in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lnwin.exe]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysinter]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"adirka"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"adirka"=-

Save this as fix2.reg. Choose to save as *all files* and place it on your desktop.
Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.0.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation, Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
As a final checkup, Download and Save blacklight to your desktop.
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe then accept the agreement.
Click > Scan, then > Next.
You'll see a list of all items found, if any, so don't worry if it tells you that there were no files found.
In case hidden files were found, don't choose to rename them yet! I want to see the log first, because legit items can also be present there...
There must also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).
I need the log later.

Please perform this online scan: Kaspersky Webscan (This scan may take a while, but I want to be sure here that we deal with any leftover it may find)
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say "Ready"; click "Next"
6. Select a target to scan: Click on "My Computer"
7. When the scan is complete choose to save the results as "Save as Text"
8. Post the Kaspersky scan results in your next reply together with the log from Blacklight.
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
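A dry-run reader for the REGEDIT4 fix in the post above, added here as an example (not code from the thread or from miekiemoes): it lists what each `[-KEY]` and `"name"=-` line would do, and cross-checks every target against the `[KEY]` sections of the posted "Reg Loading Points" log so that only the entries the helper named are removed. The posted fix and a trimmed excerpt of the posted log are embedded as the sample input.

```python
"""Dry-run reader for a REGEDIT4 .reg fix file (added example, not code from the
thread or from miekiemoes): list what the file would change, then check each
target against a ComboFix-style "Reg Loading Points" listing before merging."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")  # regedit rejects a file without one
_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")                          # [KEY] or [-KEY]
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')     # "name"=data or @=data


@dataclass(frozen=True)
class RegAction:
    kind: str                   # "delete_key", "delete_value" or "set_value"
    key: str
    name: Optional[str] = None  # value name, "" for the default value
    data: Optional[str] = None  # raw data text, set_value only


def _logical_lines(text: str) -> List[str]:
    """Drop blank/comment lines and join hex(...) continuation lines."""
    out: List[str] = []
    for ln in text.splitlines():
        ln = ln.strip()
        if out and out[-1].endswith("\\"):
            out[-1] = out[-1][:-1] + ln
        elif ln and not ln.startswith(";"):
            out.append(ln)
    return out


def _value_name(quoted: Optional[str], default: Optional[str]) -> str:
    # .reg files escape backslash and double quote in names with a backslash
    return "" if default else re.sub(r"\\(.)", r"\1", quoted or "")


def parse_reg_fix(text: str) -> List[RegAction]:
    """Return the actions the file would perform, without touching the registry."""
    lines = _logical_lines(text)
    if not lines or lines[0] not in HEADERS:
        raise ValueError("missing REGEDIT4 header")
    actions: List[RegAction] = []
    current: Optional[str] = None
    for ln in lines[1:]:
        m = _KEY_RE.match(ln)
        if m:
            minus, key = m.groups()
            if minus:                       # [-KEY] deletes the whole key
                actions.append(RegAction("delete_key", key))
                current = None              # values cannot follow a deleted key
            else:
                current = key
            continue
        m = _VALUE_RE.match(ln)
        if not m or current is None:
            raise ValueError(f"unexpected line: {ln!r}")
        quoted, default, data = m.groups()
        name = _value_name(quoted, default)
        if data == "-":                     # "name"=- deletes that value
            actions.append(RegAction("delete_value", current, name))
        else:
            actions.append(RegAction("set_value", current, name, data))
    return actions


def cross_check(actions: List[RegAction], log_text: str) -> List[str]:
    """Actions whose key (or, for a value delete, value name) the log never listed."""
    seen: Dict[str, Set[str]] = {}
    current: Optional[str] = None
    for ln in _logical_lines(log_text):
        m = _KEY_RE.match(ln)
        if m:
            current = m.group(2).lower()
            seen.setdefault(current, set())
            continue
        m = _VALUE_RE.match(ln)
        if m and current is not None:
            seen[current].add(_value_name(m.group(1), m.group(2)).lower())
    problems: List[str] = []
    for a in actions:
        names = seen.get(a.key.lower())
        if names is None:
            problems.append(f"{a.kind}: key not in log: {a.key}")
        elif a.kind == "delete_value" and (a.name or "").lower() not in names:
            problems.append(f"delete_value: {a.name!r} not under {a.key}")
    return problems


# The fix file posted above, used as the sample input.
FIX_REG = r"""REGEDIT4
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lnwin.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysinter]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"adirka"=-
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"adirka"=-
"""
# Excerpt of the 'Reg Loading Points' listing above, trimmed to the sections the fix touches.
LOG_EXCERPT = r"""[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lnwin.exe]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sysinter]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"adirka"="C:\\WINDOWS\\system32\\adirka.exe"
[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"adirka"="C:\\WINDOWS\\system32\\adirka.exe"
"""
```

Run `cross_check(parse_reg_fix(FIX_REG), LOG_EXCERPT)` against the full log rather than the excerpt to confirm an empty problem list before merging a fix.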

#11 spamkill

spamkill
  • Topic Starter

  • Members
  • 6 posts
  • Local time:06:43 AM

Posted 14 March 2007 - 01:14 PM

Hi,
Sorry it took some time, but I have followed your instructions. Here are the logs requested.

I also need advice, once this is resolved, on what is the best way to protect my computer from this thing ever happening again.

Again I would like to thank you for all your help, patience, and your most accurate instructions.

Here are the logs:

Kaspersky log:

------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, March 14, 2007 1:54:18 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 14/03/2007
Kaspersky Anti-Virus database records: 265664
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
E:\

Scan Statistics:
Total number of scanned objects: 195504
Number of viruses found: 3
Number of infected objects: 2 / 0
Number of suspicious objects: 208
Duration of the scan process: 01:11:09

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFFB45.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\~DFFBCD.tmp Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-03112007-121204.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Prism\5cc8d6b9 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch.zip/notepad32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch1.zip/notepad32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch10.zip/notepad32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch10.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch11.zip/notepad32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch11.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch12.zip/notepad32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch12.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch13.zip/notepad32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch13.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch14.zip/notepad32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch14.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch15.zip/notepad32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch15.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch16.zip/notepad32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch16.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch17.zip/notepad32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch17.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch18.zip/notepad32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch18.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch2.zip/notepad32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch3.zip/notepad32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch3.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch4.zip/notepad32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch4.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch5.zip/notepad32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch5.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch6.zip/notepad32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch6.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch7.zip/notepad32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch7.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch8.zip/notepad32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch8.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch9.zip/notepad32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\CoolWWWSearchSmartSearch9.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC115.zip/runwin32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC115.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC121.zip/y.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC121.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC122.zip/waol.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC122.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC124.zip/wininet32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC124.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC131.zip/runwin32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC131.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC137.zip/y.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC137.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC138.zip/waol.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC138.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC140.zip/wininet32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC140.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC147.zip/runwin32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC147.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC153.zip/y.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC153.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC154.zip/waol.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC154.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC156.zip/wininet32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC156.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC163.zip/runwin32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC163.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC169.zip/y.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC169.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC170.zip/waol.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC170.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC172.zip/wininet32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC172.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC179.zip/runwin32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC179.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC185.zip/y.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC185.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC186.zip/waol.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC186.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC188.zip/wininet32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC188.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC195.zip/runwin32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC195.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC201.zip/y.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC201.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC202.zip/waol.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC202.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC204.zip/wininet32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC204.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC211.zip/runwin32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC211.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC217.zip/y.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC217.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC218.zip/waol.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC218.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC220.zip/wininet32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC220.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC227.zip/runwin32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC227.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC239.zip/runwin32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC239.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC245.zip/y.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC245.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC246.zip/waol.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC246.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC248.zip/wininet32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC248.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC257.zip/winmuse.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC257.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC259.zip/VXH8JKDQ6.EXE Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC259.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC260.zip/VXH8JKDQ2.EXE Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC260.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC311.zip/runwin32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC311.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC317.zip/y.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC317.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC318.zip/waol.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC318.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC320.zip/wininet32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC320.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC335.zip/runwin32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC335.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC341.zip/y.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC341.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC342.zip/waol.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC342.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC344.zip/wininet32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC344.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC351.zip/kernels64.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC351.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC353.zip/winmuse.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC353.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC36.zip/iewd.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC36.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC39.zip/runwin32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC39.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC402.zip/runwin32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC402.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC408.zip/y.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC408.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC409.zip/waol.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC409.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC411.zip/wininet32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC411.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC418.zip/runwin32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC418.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC424.zip/y.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC424.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC425.zip/waol.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC425.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC427.zip/wininet32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC427.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC434.zip/runwin32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC434.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC440.zip/y.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC440.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC441.zip/waol.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC441.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC443.zip/wininet32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC443.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC45.zip/y.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC45.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC453.zip/anti_troj.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC453.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC457.zip/runwin32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC457.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC46.zip/waol.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC46.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC463.zip/y.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC463.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC464.zip/waol.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC464.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC466.zip/wininet32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC466.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC478.zip/vxgamet1.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC478.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC48.zip/wininet32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC48.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC527.zip/runwin32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC527.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC533.zip/y.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC533.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC534.zip/waol.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC534.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC536.zip/wininet32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC536.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC543.zip/runwin32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC543.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC549.zip/y.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC549.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC550.zip/waol.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC550.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC552.zip/wininet32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC552.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC564.zip/runwin32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC564.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC570.zip/y.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC570.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC571.zip/waol.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC571.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC573.zip/wininet32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC573.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC580.zip/runwin32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC580.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC586.zip/y.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC586.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC587.zip/waol.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC587.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC589.zip/wininet32.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC589.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\jevans.old\Local Settings\Temp\tmpg9anfk Object is locked skipped
C:\Documents and Settings\jevans.old\Local Settings\Temp\tmpjz53ns Object is locked skipped
C:\Documents and Settings\jevans.old\Local Settings\Temp\tmplbdgfm Object is locked skipped
C:\Documents and Settings\jevans.old\Local Settings\Temp\tmpv8t3vf Object is locked skipped
C:\Documents and Settings\jevans.old\Local Settings\Temp\tmpx4iuk5 Object is locked skipped
C:\Documents and Settings\jevans.old\Local Settings\Temp\tmpz5celh Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\flexlm\licensing\ptclmgrd.log Object is locked skipped
C:\Program Files\flexlm\licensing\ptcreport.log Object is locked skipped
C:\Program Files\HJT\backups\backup-20070313-112804-241.dll Infected: Trojan-Downloader.Win32.VB.apq skipped
C:\Program Files\UGS\License Servers\UGNXFLEXlm\ugflexlm.log Object is locked skipped
C:\Temp\ugsF.tmp Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\default.htm Infected: not-virus:Hoax.Win32.Renos.hg skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\ugiipqd.exe4bcb74f0.syslog Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\{00000005-00000000-0000000E-00001102-00000004-10031102}.CDF Object is locked skipped

Scan process completed.

Blacklight log:

03/14/07 10:35:20 [Info]: BlackLight Engine 1.0.55 initialized
03/14/07 10:35:20 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/14/07 10:35:21 [Note]: 7019 4
03/14/07 10:35:21 [Note]: 7005 0
03/14/07 10:35:26 [Note]: 7006 0
03/14/07 10:35:26 [Note]: 7011 1740
03/14/07 10:35:26 [Note]: 7026 0
03/14/07 10:35:26 [Note]: 7026 0
03/14/07 10:35:32 [Note]: FSRAW library version 1.7.1021
03/14/07 10:42:49 [Note]: 7007 0

Thanks, looking forward to your feedback.

#12 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 14 March 2007 - 02:38 PM

Hi,

Delete this file:

C:\WINDOWS\default.htm

The rest of what Kaspersky found is in the quarantine/restore folder of Spybot S&D.
To get rid of them, open Spybot S&D, choose the option quarantine/restore and let it delete everything in there (don't choose to restore the items there, but to delete them :thumbsup: )

The rest looks ok.

Also, change all your passwords, because they are known.

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.

Happy Surfing again!
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
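One way to triage a scan report like the one pasted above, as an added example that is not the helper's, Kaspersky's or Spybot's own code: it parses lines in the posted "<path> <verdict> skipped" format and separates locked system files, findings that sit inside another tool's quarantine or backup folder (to be emptied through that tool, as the reply says), and the one live infected file. The quarantine-folder list and the treatment of HijackThis backups as quarantine are assumptions of the example.

```python
import re
from collections import defaultdict

# Sample report lines in the format of the Kaspersky scan pasted in this thread
# ("<path> <verdict> skipped"); the paths are taken from the posted log.
SAMPLE_LOG = r"""
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC36.zip/iewd.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC36.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Program Files\HJT\backups\backup-20070313-112804-241.dll Infected: Trojan-Downloader.Win32.VB.apq skipped
C:\WINDOWS\default.htm Infected: not-virus:Hoax.Win32.Renos.hg skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
"""

# One report line: a path (may contain spaces), a verdict, then the word "skipped".
LINE_RE = re.compile(
    r"^(?P<path>.*?)\s+"
    r"(?P<verdict>Object is locked|Infected: \S+|Suspicious: \S+|ZIP: .+?)"
    r"\s+skipped$"
)

# Folders where other tools park copies of what they already removed. Findings
# here are emptied through that tool's own quarantine UI, not deleted by hand.
# (Assumption for this example: HijackThis backups are treated the same way.)
QUARANTINE_DIRS = (
    r"\spybot - search & destroy\recovery",
    r"\hjt\backups",
)


def classify(path: str, verdict: str) -> str:
    """Bucket a finding the way a malware-removal helper triages a scan log."""
    if verdict == "Object is locked":
        return "locked"        # file in use by Windows, not a detection at all
    if any(q in path.lower() for q in QUARANTINE_DIRS):
        return "quarantined"   # already isolated; clear via that tool's quarantine
    if verdict.startswith("Infected:"):
        return "infected"      # live file on disk: this is what to remove
    return "suspicious"        # heuristic or archive verdict outside any quarantine


def triage(log_text: str) -> dict:
    """Parse report lines and group (path, verdict) pairs by triage bucket."""
    buckets = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:   # headers, blank lines and summary lines do not match
            buckets[classify(m["path"], m["verdict"])].append((m["path"], m["verdict"]))
    return dict(buckets)


if __name__ == "__main__":
    for bucket, items in triage(SAMPLE_LOG).items():
        print(f"{bucket}: {len(items)}")
        for path, verdict in items:
            print(f"  {path}  [{verdict}]")
```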

#13 spamkill

  • Topic Starter
  • Members
  • 6 posts

Posted 14 March 2007 - 02:53 PM

Hey:

THANKS A BUNCH, WAS A GREAT LEARNING CURVE.

REGARDS

#14 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 14 March 2007 - 03:25 PM

You're most welcome. :thumbsup:

#15 miekiemoes

    Malware Killer Dog

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 15 March 2007 - 04:37 PM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.