
My Pc Is Riddled With All Sorts Of Nasties !


This topic is locked
25 replies to this topic

#1 shred1970 (Members, 105 posts)

Posted 25 May 2007 - 02:59 AM

Hi, please help :thumbsup: Somehow I've managed to pick up a few nasties (Smitfraud-c, coolwwwsearch, coolwwwsearch.badzonemap, coolwwwsearch.googlems, neededware and avenueA.inc). I've run all the anti-spy stuff I've got (in safe mode) to get rid of what I could and then did a HijackThis scan so that hopefully someone could tell me how to totally clean up; the log is here. Please help.


Logfile of HijackThis v1.99.1
Scan saved at 4:53:50 PM, on 25/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\Explorer.EXE
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dmcs.com.au/home
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\avg\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BOC-423] C:\PROGRA~1\Comodo\CBOClean\BOC423.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\avg\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
" Those who wander from the way of understanding will surely rest in the assembly of the dead." - Author unknown.


#2 SifuMike (malware expert, Staff Emeritus, 15,385 posts, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 25 May 2007 - 10:09 PM

Hello shred1970,

I am SifuMike and I will be helping you. :thumbsup:


I've managed to pick up a few nasties, (Smitfraud-c, coolwwwsearch, coolwwwsearch.badzonemap, coolwwwsearch.googlems, neededware and avenueA.inc.


What is finding these nasties? Please tell me the nasties' locations.


You will need to use Internet Explorer for this scan.
Disable your antivirus program and go here to run BitDefender Online Scan.
Click on I Agree.
Avoid clicking on other links as you don't need to try out the full install at this point, just the online scanner.

When the ActiveX Control has loaded, click on "Click here to scan".
Please be patient, as this scan may take a few hours. It all depends on the number of files on your computer.

NOTE: If you are running XP SP2, you may need to click on the Information Bar to allow the ActiveX to install and may need to repeat the BitDefender Online Scan.


When BitDefender completes the scan, select the "Detected Problems" tab.
Click on "Click here to export scan".
Save the file as an HTML to your Desktop.
Then click on the saved file and allow it to open with your browser.
Go to Edit - Select All then copy/paste that log back here.
Post the BitDefender log.


******************

Download ATF (Atribune Temp File) Cleaner© by Atribune. DO NOT run it yet.

Download and install AVG Anti-Spyware 7.5 (formerly Ewido)
This is a 30 day trial of the program

AVG Anti-Spyware is designed to be used to both scan for and remove malicious files and also to run in real-time alongside, but not replace, your existing anti-virus program to give an added layer of protection.
Both the Resident Shield and Automatic Updates will only be available for the thirty day trial period, after that AVG Anti-Spyware will revert to a stand-alone scanner which you can keep and manually update for free and use in a similar way to Ad-Aware SE Personal, Spybot S&D etc.


1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept the default installation path: C:\Program Files\AVG Anti-Spyware 7.5 and click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch ewido by double-clicking its icon on your desktop or in the system tray.
6. The main "Status" menu will appear. You can select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'. If you choose to do this, then right click on AVG Anti-Spyware in the system tray and uncheck "Start with Windows".
7. Select the "Update" button and click "Start update".
If you are having problems with the updater, manually update with the AVG Antispyware Full database installer from here.
8. Exit AVG Anti-Spyware 7.5 when done - DO NOT perform a scan yet.

Reboot your computer in "SAFE MODE" using the F8 method so Windows will start with minimal drivers and running processes.
To do this restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly.
A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

1.) Double-click the small BLUE Garbage Can ATF-Cleaner.exe file to run the program.
2.) At the top, under Main choose: Select All
3.) Click the Empty Selected button.

If you use the Firefox browser:
1.) At the top, click Firefox and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use the Opera browser:
1.) At the top, click Opera and choose: Select All
2.) Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.


Scan with AVG Anti-Spyware 7.5 as follows:

1. Launch AVG Anti-Spyware 7.5, click on the "Scanner" button and choose the "Settings" tab.

Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.

Under "How to Scan?" check all (default).

Under "Possibly unwanted software" check all (default).

Under "What to Scan?" make sure "Scan every file" is selected (default).

Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".

2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.

4. IMPORTANT : Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.

(1) Make sure that "Set all elements to:" shows Quarantine; if not, click on the link and choose Quarantine from the popup menu.
(2) At the bottom of the window click on the Apply all Actions button.
(3) When done, click the Save Scan Report button.
(4) Click the Save Report as button.
Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt.
Save to your desktop.
A copy of each report will also be saved in C:\Program Files\AVG Anti-Spyware 7.5\Reports\
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Reboot to Normal Mode.

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.


It looks like you ran your HijackThis log from Safe Mode, as it is not showing all the running processes. Please run it in Normal Mode.


When done, submit the BitDefender log, the AVG Anti-Spyware 7.5 log, the SmitfraudFix log and a fresh HijackThis log. You may have to use separate posts if they will not fit into one post.

Edited by SifuMike, 25 May 2007 - 10:16 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
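A small HijackThis log triage script, added here as an example; it is not part of the thread, of HijackThis, or of any tool SifuMike names. It parses the log format posted above (the "Running processes:" block plus the R/O entries) and applies the kind of checks a helper makes before replying: the low process count SifuMike uses to spot a Safe Mode log, "(file missing)" entries, O4 autostarts that name a bare image instead of a full path, and O16 DPF entries with no download source left behind. The sample lines are constructed from the thread's own log, and the process-count threshold is an assumption.

```python
"""Triage helper for a HijackThis v1.99 log (added example; constructed, not
part of the thread's tooling).  Parses the 'Running processes:' block and the
Rn/On entries, then applies defender-side checks a forum helper would make
before replying."""
import re
from collections import defaultdict

# Constructed sample built from the kind of lines the thread's log contains.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 4:53:50 PM, on 25/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dmcs.com.au/home
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Fully qualified image path: drive letter or %var% prefix, ending in .exe/.dll.
QUALIFIED_RE = re.compile(r'(?:[A-Za-z]:\\|%\w+%\\)[^"\r\n]+?\.(?:exe|dll)', re.I)

# Assumption: a Normal Mode XP desktop shows well over a dozen processes;
# the Safe Mode log in the thread shows about ten.
SAFE_MODE_PROCESS_THRESHOLD = 12


def parse_log(text):
    """Return (running_processes, entries). Each entry is a dict holding the
    section tag (R0, O2, O4 ...), the text after the tag, and the raw line."""
    processes, entries = [], []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False          # a blank line closes the process block
            continue
        if line.lower() == "running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"kind": m.group("kind"),
                            "body": m.group("body"), "raw": line})
    return processes, entries


def triage(text):
    """Apply the checks and return (processes, entries, findings)."""
    processes, entries = parse_log(text)
    findings = defaultdict(list)
    clsid_index = defaultdict(list)   # CLSID -> every log line that mentions it

    if len(processes) < SAFE_MODE_PROCESS_THRESHOLD:
        findings["possible_safe_mode_log"].append(
            "only %d running processes listed; ask for a Normal Mode log"
            % len(processes))

    for e in entries:
        body = e["body"]
        for clsid in CLSID_RE.findall(body):
            clsid_index[clsid.upper()].append(e["raw"])
        if "(file missing)" in body:
            findings["file_missing"].append(e["raw"])      # stale entry, safe to clean
        if e["kind"] == "O4" and not QUALIFIED_RE.search(body):
            # bare image name: resolved via PATH at logon, so check where it lives
            findings["o4_unqualified_image"].append(e["raw"])
        if e["kind"] == "O16" and body.rstrip().endswith("-"):
            # DPF entry with no download URL left: nothing to verify it against
            findings["o16_no_source"].append(e["raw"])

    findings["clsid_index"] = dict(clsid_index)
    return processes, entries, dict(findings)


if __name__ == "__main__":
    procs, ents, found = triage(SAMPLE_LOG)
    print("%d processes, %d entries" % (len(procs), len(ents)))
    for key, value in found.items():
        if key != "clsid_index":
            print(key)
            for item in value:
                print("  ", item)
```

Run it against a real log by replacing SAMPLE_LOG with the file's contents; the CLSID index is what you look up against a BHO/CLSID reference list before deciding whether an O2/O9 entry is legitimate.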

#3 shred1970 (Topic Starter, Members, 105 posts)

Posted 27 May 2007 - 04:42 AM

Hi SifuMike, thanks for the reply and help so far. I'd have to say that I'm a bit of a novice user. I've had a quick look at the BitDefender scan and I saw that there is a lot of infection from my old Java as well as Norton. I uninstalled both of these programs a couple of months ago. I guess I couldn't find all the old Java extensions to delete? With the Norton antivirus I have no idea what is up with that, because there are some components of it left over, as I get little messages now and then like "Norton does not support the repair/install feature etc." (a friend of mine put in his Norton on my PC, which I think was dodgy). I already have the AVG Anti-Spyware program so I'm not sure if the log results of it will show "old" quarantined objects here. The BitDefender log is massive so I will post that first, then the AVG and HijackThis logs immediately after in a separate reply if that's OK? I'll say here that my PC is partitioned if that is relevant.
Thanks again for your help SifuMike.


BitDefender Online Scanner

Scan report generated at: Sun, May 27, 2007 - 16:51:29
Scan path: A:\;C:\;D:\;E:\;F:\;

Statistics
Time: 01:21:54
Files: 531039
Folders: 3808
Boot Sectors: 3
Archives: 8128
Packed Files: 61633

Results
Identified Viruses: 7
Infected Files: 152
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 299

Engines Info
Virus Definitions: 508775
Engine build: AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016409.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016409.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016410.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016410.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016411.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016411.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016412.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016412.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016413.dll=>(Quarantine-2)
Infected with: Trojan.Spy.VBStat.B

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016413.dll=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016414.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016414.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016415.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016415.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016416.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016416.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016417.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016417.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016418.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016418.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016419.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016419.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016420.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016420.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016421.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016421.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016422.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016422.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016423.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016423.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016424.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016424.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016425.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016425.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016426.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016426.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016427.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016427.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016428.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016428.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016429.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016429.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016430.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016430.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016431.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016431.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016432.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016432.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016433.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016433.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016434.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016434.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016435.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016435.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016436.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016436.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016437.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016437.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016438.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016438.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016439.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016439.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016440.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016440.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016441.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016441.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016442.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016442.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016443.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016443.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016444.dll=>(Quarantine-2)
Infected with: Trojan.Spy.VBStat.B

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016444.dll=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016445.dll=>(Quarantine-2)
Infected with: Trojan.Spy.VBStat.B

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016445.dll=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016446.exe=>(Quarantine-2)
Infected with: Trojan.Agent.ACL

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016446.exe=>(Quarantine-2)
Disinfection failed

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016446.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016447.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016447.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016448.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016448.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016449.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016449.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016450.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016450.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016451.dll=>(Quarantine-2)
Infected with: Trojan.Spy.VBStat.B

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016451.dll=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016452.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016452.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016453.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016453.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016454.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016454.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016455.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016455.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016456.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016456.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016457.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016457.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016458.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016458.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016459.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016459.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016460.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016460.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016461.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016461.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016462.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016462.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016463.exe=>(Quarantine-2)
Infected with: Backdoor.976

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016463.exe=>(Quarantine-2)
Disinfection failed

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016463.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016464.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016464.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016465.dll=>(Quarantine-2)
Infected with: Trojan.Spy.VBStat.B

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016465.dll=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016466.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016466.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016467.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016467.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016468.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016468.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016469.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016469.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016470.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016470.exe=>(Quarantine-2)
Deleted

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016471.exe=>(Quarantine-2)
Infected with: Win32.Worm.VB.DW

C:\System Volume Information\_restore{BF3876D0-5FDB-46AD-ACF9-B6ECA250C2BD}\RP50\A0016471.exe=>(Quarantine-2)
Deleted

D:\Install\Internet\FilterGate 5.17.exe=>wise0015
Infected with: Trojan.Spy.Agent.ED

D:\Install\Internet\FilterGate 5.17.exe=>wise0015
Disinfection failed

D:\Install\Internet\FilterGate 5.17.exe=>wise0015
Deleted

D:\Install\Internet\FilterGate 5.17.exe
Update failed




---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:05:43 PM 27/05/2007

+ Scan result:



Nothing found.


::Report end


Logfile of HijackThis v1.99.1
Scan saved at 7:21:50 PM, on 27/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\NOTEPAD.EXE
D:\avg\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\Explorer.EXE
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dmcs.com.au/home
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\avg\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BOC-423] C:\PROGRA~1\Comodo\CBOClean\BOC423.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\avg\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
" Those who wander from the way of understanding will surely rest in the assembly of the dead." - Author unknown.

#4 SifuMike

SifuMike

    malware expert


  • Staff Emeritus
  • 15,385 posts
  • Gender:Male
  • Location:Vancouver (not BC) WA (Not DC) USA

Posted 27 May 2007 - 10:36 AM

Hi shred1970,

We only have a few items to remove in your log and those are just for cleanup. :thumbsup:

Please disable Spybot TeaTimer, as it will prevent HijackThis registry changes.
To disable Spybot's Teatimer:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

After we have your computer clean, then you can enable Teatimer.


Download CCleaner and install it. (default location is best). Do not run it yet!

CCleaner Tutorial


*******************************************

In Normal Mode, select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."

O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -

These are optional fixes. The following are not necessarily spyware/malware, but I suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
(Description: A small program that reminds you to register your Creative Labs product (i.e. sound card, video card). Unnecessary. Removing this will free up a small amount of system resources.)

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
(Description: Sun Java update scheduler. Checks for updates. Not necessary. Removing this entry will free up a small amount of system resources.)

*******************************************

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders and does not make backups.

Let's empty the temp files:

Run CCleaner.

CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.

1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation.
IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbarfree Basic version instead of the Standard Build.


2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"

3. Then select the items you wish to clean up.

In the Windows Tab:
• Clean all entries in the "Internet Explorer" section except Cookies.
• Clean all the entries in the "Windows Explorer" section.
• Clean all entries in the "System" section.
• Clean all entries in the "Advanced" section.
• Clean any others that you choose.

In the Applications Tab:
• Clean all except cookies in the Firefox/Mozilla section if you use it.
• Clean all in the Opera section if you use it.
• Clean Sun Java in the Internet Section.
• Clean any others that you choose.

4. Click the "Run Cleaner" button.
5. A pop up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "exit" when done.

If it asks you to reboot at the end, click NO.

CCleaner should be run with the above settings for each User Account!

*******************************************


Reboot your computer.

To get rid of leftover Norton stuff, let's first try the Norton Removal Tool. It will remove a failed installation or a damaged Norton product.

The Norton Removal Tool uninstalls all Norton 2007/2006/2005/2004/2003 products from your computer.

http://service1.symantec.com/SUPPORT/tsgen...005033108162039


Post a new Hijackthis log, and tell me how your computer is running.

Edited by SifuMike, 27 May 2007 - 10:38 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
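The checks a helper applies by eye to a HijackThis log (an O2 BHO or O9 button whose file is gone, an O16 DPF with no source URL like the one SifuMike asks to fix above, an O4 entry that is a bare filename or runs out of a user-writable folder, an O23 service with no vendor) can be scripted. The following is an added example written for this thread; it is not HijackThis code and not something any poster supplied. It parses the O2/O3/O9, O4, O16 and O23 line shapes seen in the logs above. The sample log is constructed: most lines are copied from the thread, while the `updchk.exe` Run entry and the `helpsvc2` service are invented purely to exercise the checks and do not appear in any log on this page.

```python
"""Offline triage of a HijackThis 1.99-style log (added example, see lead-in)."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section, e.g. "O4"
    target: str    # the path, CLSID or service the finding concerns
    reason: str


# Folders a Run key or service should not normally launch from.
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\",
                 "\\application data\\", "\\local settings\\")

_LINE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
_RUN = re.compile(r"^.*?: \[[^\]]*\]\s*(?P<cmd>.*)$")
_DPF = re.compile(r"^DPF: (?P<clsid>\{[^}]+\})(?: \([^)]*\))? -\s*(?P<url>.*)$")
_FIRST_EXE = re.compile(r"^(.*?\.(?:exe|com|scr|dll))(?=\s|,|$)", re.IGNORECASE)


def executable_of(command: str) -> str:
    """Program a Run command or service line really launches.

    Handles quoted paths, unquoted paths with spaces (cut at the first
    executable extension) and rundll32, where the DLL argument is what runs.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        exe, rest = command[1:end], command[end + 1:]
    else:
        m = _FIRST_EXE.match(command)
        exe = m.group(1) if m else command.split(" ")[0]
        rest = command[len(exe):]
    if exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        dll = rest.strip().split(",", 1)[0].strip().strip('"')
        return dll or exe
    return exe


def _check_path(section: str, path: str) -> list[Finding]:
    low = path.lower()
    if "(no file)" in low or "(file missing)" in low:
        return [Finding(section, path, "orphaned entry, target missing on disk")]
    out = []
    if "\\" not in path and not path.startswith("%"):
        out.append(Finding(section, path, "bare filename, resolved via search path"))
    if any(d in low for d in USER_WRITABLE):
        out.append(Finding(section, path, "launched from a user-writable folder"))
    return out


def triage(log_text: str) -> list[Finding]:
    """Apply the by-eye checks to every recognised line and return the hits."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec in ("O2", "O3", "O9"):           # kind: name - {CLSID} - path
            parts = body.rsplit(" - ", 2)
            if len(parts) == 3:
                findings += _check_path(sec, parts[2])
        elif sec == "O4":                        # HKLM\..\Run: [name] command
            r = _RUN.match(body)
            if r:
                cmd = r.group("cmd")
            elif " = " in body:                  # Global Startup: x.lnk = path
                cmd = body.split(" = ", 1)[1]
            else:
                continue
            findings += _check_path(sec, executable_of(cmd))
        elif sec == "O16":                       # DPF: {CLSID} (name) - url
            d = _DPF.match(body)
            if d and not d.group("url"):
                findings.append(Finding(sec, d.group("clsid"),
                                        "ActiveX download with no source URL"))
        elif sec == "O23":                       # Service: name - vendor - path
            parts = body.rsplit(" - ", 2)
            if len(parts) == 3:
                if parts[1] == "Unknown owner":
                    findings.append(Finding(sec, parts[0], "service binary has no company name"))
                findings += _check_path(sec, executable_of(parts[2]))
    return findings


# Constructed sample in the shape of the logs above. The updchk and helpsvc2
# lines are invented for illustration; the rest are copied from the thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [updchk] C:\Documents and Settings\Owner\Local Settings\Temp\updchk.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Helper Service (helpsvc2) - Unknown owner - C:\WINDOWS\system32\helpsvc2.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason:<42} {f.target}")
```

Run against the sample it reports six findings: the `(no file)` BHO, the `(file missing)` O9 button and the empty O16 DPF are orphans or unverifiable downloads and are the kind of thing a helper has HijackThis "fix"; `nwiz.exe` is flagged only because it is a bare name resolved through the search path, which is worth knowing but is normal for that NVIDIA entry; the two invented lines show what a Temp-folder autostart and a vendorless service look like. The rundll32 handling matters because otherwise every `RUNDLL32.EXE` entry would be reported as a bare filename while the DLL that actually runs went unexamined.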

#5 shred1970

shred1970
  • Topic Starter

  • Members
  • 105 posts
  • Gender:Male

Posted 27 May 2007 - 11:45 PM

Hi SifuMike
My PC feels a little "smoother" and more responsive. Startup is a little quicker too. The Norton Removal Tool worked a real treat :thumbsup: I do have a question though. I have the number "14" appearing just to the left and down from center on my welcome screen; it's not there all the time, it seems to appear at random. Could this be a sign of something going wrong or other infection? I'm using a downloaded welcome screen from TuneUp Utilities. But the number hasn't always been there.
Anyways here's the new log and thanks again for all your help.


Logfile of HijackThis v1.99.1
Scan saved at 2:09:28 PM, on 28/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\avg\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
D:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Comodo\CBOClean\BOC423.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\WINDOWS\Explorer.EXE
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dmcs.com.au/home
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BOC-423] C:\PROGRA~1\Comodo\CBOClean\BOC423.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB9AA6A8-755D-498A-8E1B-BD9D37CF5FD4}: NameServer = 203.194.56.150 203.194.27.57
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\avg\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
" Those who wander from the way of understanding will surely rest in the assembly of the dead." - Author unknown.

#6 SifuMike (malware expert, Staff Emeritus, 15,385 posts, Location: Vancouver (not BC) WA (Not DC) USA)

Posted 28 May 2007 - 10:24 AM

Hi shred1970,

We only have a few items to remove in your log and those are just for cleanup.

Please disable Spybot TeaTimer, as it will prevent HijackThis registry changes.
To disable Spybot's Teatimer:
1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts

After we have your computer clean, then you can enable Teatimer.



*******************************************

In Normal Mode, select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -


Run CCleaner.

Reboot your computer.

I have the number "14" appearing just to the left and down from center on my welcome screen. It's not there all the time; it seems to appear at random. Could this be a sign of something going wrong or another infection? I'm using a downloaded welcome screen from TuneUp Utilities.



I don't think it is a virus. The online antivirus scanner and antimalware scan would have found it.
Is the number always 14? Or does it change? Is it only on the TuneUp Utilities screen?

We will dig deeper.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
Disable script blocking if you have Norton Antivirus installed so it will not interfere with the fix.

To disable Norton AntiVirus Script Blocking
Start Norton AntiVirus. If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
Click Options. If you see a menu, click Norton AntiVirus.
In the left pane, click Script Blocking.
In the right pane, uncheck Enable Script Blocking (recommended).
Click OK

Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.




Post a new HijackThis log and the ComboFix log.

Edited by SifuMike, 28 May 2007 - 10:26 AM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
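The check SifuMike is doing by eye in the post above, as an added example that is not part of the thread and not code from HijackThis or ComboFix: it reads HijackThis log lines and separates the orphaned registrations a helper asks the user to "fix" (an O2 BHO with "(no file)", an O16 DPF with no source URL, an O9 button whose file is missing) from entries that only need a second look (O17 DNS servers, O20 Winlogon Notify DLLs). The sample lines are a constructed excerpt of the log posted in this thread; the rundll32 random-DLL heuristic is my assumption, modelled on the SoundService entry that appears in the HijackThis backups listed later in the thread, and is not a HijackThis rule.

```python
"""Triage a HijackThis 1.99.1 log the way a forum helper does by hand.

Added example; not code from the thread, from HijackThis or from ComboFix.
SAMPLE_LOG is a constructed excerpt of the log posted in this thread.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed excerpt of the posted log: one legitimate and one questionable entry per section.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\bqedckfu.dll",setvm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB9AA6A8-755D-498A-8E1B-BD9D37CF5FD4}: NameServer = 203.194.56.150 203.194.27.57
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code such as "O2"
    verdict: str   # "orphan" (safe cleanup), "suspicious", or "verify"
    reason: str
    line: str


# Every HijackThis entry starts with its section code: "O2 - ...", "R0 - ...".
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<body>.*)$")
# O16 Downloaded Program Files entry whose source URL is empty: "DPF: {CLSID} -" and nothing after.
EMPTY_DPF_RE = re.compile(r"^DPF: \{[0-9A-Fa-f-]+\}(?: \([^)]*\))? -\s*$")
# Heuristic (my assumption, modelled on the SoundService backup entry in this thread): rundll32
# loading an all-lowercase 8-letter DLL straight out of system32. Legitimate DLLs can look like
# this too, so the verdict is "suspicious", never "orphan".
RANDOM_DLL_RE = re.compile(r'(?i:rundll32(?:\.exe)?\s+"?[^"\s]*\\system32\\)([a-z]{8})\.dll')
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per entry that needs cleanup or a second look, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header lines, blank lines and the "Running processes" list
        sec, body = m.group("sec"), m.group("body")
        if sec in ("O2", "O3") and body.endswith("(no file)"):
            findings.append(Finding(sec, "orphan", "CLSID still registered but its DLL is gone", line))
        elif sec == "O9" and body.endswith("(file missing)"):
            findings.append(Finding(sec, "orphan", "IE button/menu item points at a missing file", line))
        elif sec == "O16" and EMPTY_DPF_RE.match(body):
            findings.append(Finding(sec, "orphan", "ActiveX distribution unit with no source URL", line))
        elif sec == "O4" and RANDOM_DLL_RE.search(body):
            findings.append(Finding(sec, "suspicious", "rundll32 autostart of a random-named system32 DLL", line))
        elif sec == "O17":
            ips = " ".join(IPV4_RE.findall(body))
            findings.append(Finding(sec, "verify", f"DNS servers to confirm against the ISP: {ips}", line))
        elif sec == "O20":
            findings.append(Finding(sec, "verify", "Winlogon Notify DLL loads into winlogon.exe as SYSTEM", line))
    return findings


def fix_list(findings: list[Finding]) -> list[str]:
    """The lines a helper would ask the user to tick and 'fix' in HijackThis: orphans only."""
    return [f.line for f in findings if f.verdict == "orphan"]


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.verdict:<10}] {f.section}: {f.reason}")
    print("\nTick and 'fix' in HijackThis:")
    print("\n".join(fix_list(results)))
```

Orphaned entries are registry leftovers rather than active malware, which is why the post above calls them "just for cleanup"; the O17 and O20 lines are left for a human because a NameServer pointing at something other than the ISP's resolvers, or an unknown Winlogon Notify DLL, is a real hijack rather than a leftover.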

#7 shred1970 (Topic Starter, Members, 105 posts)

Posted 28 May 2007 - 10:50 PM

Hi SifuMike,
Yeah, it does seem that the number is always 14 that pops up on my welcome screen. But it hasn't always been there, and sometimes it will go for a while, then weeks later it will make a reappearance ..... weird. After I log on and just before my programs start starting up, my "time" and "start buttons" at the far right and left on the bottom of my screen are blacked out. I have no idea what that is about. Anyway, at the end of the ComboFix scan my Comodo BOClean program decided to call ComboFix a trojan virus; I still got a log from it though. Should I disable BOClean and scan again?

Thanks again for your time and help SifuMike, here are the logs you asked for,


"Shredder" - 07-05-29 13:04:54 Service Pack 2
ComboFix 07-03-27.4.2 - Running from: "C:\Documents and Settings\Shredder\Desktop"


((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-29 ))))))))))))))))))))))))))))))))))


2007-05-28 12:25 <DIR> d-------- C:\Program Files\CCleaner
2007-05-27 14:37 <DIR> d-------- C:\WINDOWS\BDOSCAN8


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-28 13:49 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-05-22 13:42 -------- d-------- C:\DOCUME~1\Shredder\APPLIC~1\winmx music
2007-05-17 18:33 -------- d-------- C:\Program Files\tuneup utilities 2006
2007-04-29 17:09 -------- d-------- C:\Program Files\gamehouse
2007-04-29 13:01 -------- d-------- C:\Program Files\winamp
2007-04-27 22:12 -------- d-------- C:\Program Files\comodo
2007-04-19 17:35 240368 --a------ C:\WINDOWS\unboc.exe
2007-04-19 02:12 2854400 --a------ C:\WINDOWS\system32\msi.dll
2007-04-17 21:36 -------- d-------- C:\Program Files\spywareblaster
2007-04-13 22:09 -------- dr-h----- C:\DOCUME~1\Shredder\APPLIC~1\yahoo!
2007-04-13 21:46 -------- d-------- C:\Program Files\yahoo!
2007-04-10 13:42 -------- d-------- C:\Program Files\symantec
2007-04-06 17:28 51328 --a------ C:\WINDOWS\system32\drivers\inspect.sys
2007-04-04 17:19 -------- d-------- C:\Program Files\java
2007-04-03 02:29 2230 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-30 22:18 -------- d-------- C:\Program Files\lavasoft
2007-03-30 22:18 -------- d-------- C:\DOCUME~1\Shredder\APPLIC~1\lavasoft
2007-03-29 14:56 -------- d-------- C:\DOCUME~1\Shredder\APPLIC~1\symantec
2007-03-24 06:33 229376 --a------ C:\WINDOWS\cmdlic.dll
2007-03-17 23:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-09 01:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-09 01:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-09 01:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 23:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"diagent"="\"C:\\Program Files\\Creative\\SBLive\\Diagnostics\\diagent.exe\" startup"
"nwiz"="nwiz.exe /install"
"COMODO Firewall Pro"="\"D:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"BOC-423"="C:\\PROGRA~1\\Comodo\\CBOClean\\BOC423.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"diagent"="\"C:\\Program Files\\Creative\\SBLive\\Diagnostics\\diagent.exe\" startup"
"nwiz"="nwiz.exe /install"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{70A5CF26-C5AB-4B4F-81BE-380CA621AABB}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=hex:01,00,00,00
"NoSMMyDocs"=dword:00000001
"NoSMMyPictures"=dword:00000001
"NoLowDiskSpaceChecks"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
UxTuneUp


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
Shell\AutoRun\command F:\CDStart.Exe
Shell\Install\Command F:\navsetup.exe



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070529-124645-574
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
backup-20070529-124645-594
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
backup-20070528-122937-491
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
backup-20070528-122937-711
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
backup-20070528-122937-856
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
backup-20070403-010519-924
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZR
backup-20070403-010519-834
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20070403-010519-657
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\bqedckfu.dll",setvm
backup-20070403-010519-373
O2 - BHO: ContextualAds Class - {3AAC4C68-AFC8-11DB-80EF-8AF955D89593} - (no file)
backup-20070403-010519-153
O2 - BHO: (no name) - {70A5CF26-C5AB-4B4F-81BE-380CA621AABB} - (no file)
backup-20070403-010519-456
O2 - BHO: (no name) - {1B6ED180-526C-49A6-BEBA-D62C77F18A61} - (no file)

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-05-29 13:06:59



------------------------------------------------------------------------------------------------------------------------------



Logfile of HijackThis v1.99.1
Scan saved at 1:14:02 PM, on 29/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\avg\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
D:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Comodo\CBOClean\BOC423.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dmcs.com.au/home
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BOC-423] C:\PROGRA~1\Comodo\CBOClean\BOC423.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB9AA6A8-755D-498A-8E1B-BD9D37CF5FD4}: NameServer = 203.194.56.150 203.194.27.57
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\avg\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

#8 SifuMike (malware expert, Staff Emeritus, 15,385 posts)

Posted 28 May 2007 - 10:55 PM

Should I disable BOClean and scan again?


Yes, disable it and run it again.

#9 shred1970 (Topic Starter, Members, 105 posts)

Posted 28 May 2007 - 11:28 PM

Man, that was fast, SifuMike! Spybot S&D is still picking up "Avenue A, Inc." Anyway, here are the new ComboFix and HijackThis logs. I must be becoming a real pain.


"Shredder" - 07-05-29 14:14:04 Service Pack 2
ComboFix 07-03-27.4.2 - Running from: "C:\Documents and Settings\Shredder\Desktop"


((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-29 ))))))))))))))))))))))))))))))))))


2007-05-29 13:04 <DIR> d-------- C:\rename_this_folder_back_to_ComboFix_
2007-05-28 12:25 <DIR> d-------- C:\Program Files\CCleaner
2007-05-27 14:37 <DIR> d-------- C:\WINDOWS\BDOSCAN8


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-05-28 13:49 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-05-22 13:42 -------- d-------- C:\DOCUME~1\Shredder\APPLIC~1\winmx music
2007-05-17 18:33 -------- d-------- C:\Program Files\tuneup utilities 2006
2007-04-29 17:09 -------- d-------- C:\Program Files\gamehouse
2007-04-29 13:01 -------- d-------- C:\Program Files\winamp
2007-04-27 22:12 -------- d-------- C:\Program Files\comodo
2007-04-19 17:35 240368 --a------ C:\WINDOWS\unboc.exe
2007-04-19 02:12 2854400 --a------ C:\WINDOWS\system32\msi.dll
2007-04-17 21:36 -------- d-------- C:\Program Files\spywareblaster
2007-04-13 22:09 -------- dr-h----- C:\DOCUME~1\Shredder\APPLIC~1\yahoo!
2007-04-13 21:46 -------- d-------- C:\Program Files\yahoo!
2007-04-10 13:42 -------- d-------- C:\Program Files\symantec
2007-04-06 17:28 51328 --a------ C:\WINDOWS\system32\drivers\inspect.sys
2007-04-04 17:19 -------- d-------- C:\Program Files\java
2007-04-03 02:29 2230 --a------ C:\WINDOWS\system32\tmp.reg
2007-03-30 22:18 -------- d-------- C:\Program Files\lavasoft
2007-03-30 22:18 -------- d-------- C:\DOCUME~1\Shredder\APPLIC~1\lavasoft
2007-03-29 14:56 -------- d-------- C:\DOCUME~1\Shredder\APPLIC~1\symantec
2007-03-24 06:33 229376 --a------ C:\WINDOWS\cmdlic.dll
2007-03-17 23:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-09 01:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-09 01:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-09 01:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 23:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"diagent"="\"C:\\Program Files\\Creative\\SBLive\\Diagnostics\\diagent.exe\" startup"
"nwiz"="nwiz.exe /install"
"COMODO Firewall Pro"="\"D:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"BOC-423"="C:\\PROGRA~1\\Comodo\\CBOClean\\BOC423.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"diagent"="\"C:\\Program Files\\Creative\\SBLive\\Diagnostics\\diagent.exe\" startup"
"nwiz"="nwiz.exe /install"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{70A5CF26-C5AB-4B4F-81BE-380CA621AABB}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=hex:01,00,00,00
"NoSMMyDocs"=dword:00000001
"NoSMMyPictures"=dword:00000001
"NoLowDiskSpaceChecks"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0

hklm\software\Microsoft\Windows NT\CurrentVersion\Svchost *netsvcs*
UxTuneUp


[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
Shell\AutoRun\command F:\CDStart.Exe
Shell\Install\Command F:\navsetup.exe



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070529-124645-574
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
backup-20070529-124645-594
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
backup-20070528-122937-491
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
backup-20070528-122937-711
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
backup-20070528-122937-856
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
backup-20070403-010519-924
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...arch.jhtml?p=ZR
backup-20070403-010519-834
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20070403-010519-657
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\bqedckfu.dll",setvm
backup-20070403-010519-373
O2 - BHO: ContextualAds Class - {3AAC4C68-AFC8-11DB-80EF-8AF955D89593} - (no file)
backup-20070403-010519-153
O2 - BHO: (no name) - {70A5CF26-C5AB-4B4F-81BE-380CA621AABB} - (no file)
backup-20070403-010519-456
O2 - BHO: (no name) - {1B6ED180-526C-49A6-BEBA-D62C77F18A61} - (no file)

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\1-Click Maintenance.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-05-29 14:15:09



Logfile of HijackThis v1.99.1
Scan saved at 2:16:25 PM, on 29/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
D:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dmcs.com.au/home
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BOC-423] C:\PROGRA~1\Comodo\CBOClean\BOC423.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EB9AA6A8-755D-498A-8E1B-BD9D37CF5FD4}: NameServer = 203.194.56.150 203.194.27.57
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\avg\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
" Those who wander from the way of understanding will surely rest in the assembly of the dead." - Author unknown.

#10 SifuMike (malware expert, Staff Emeritus)

Posted 28 May 2007 - 11:51 PM

Hi shred1970,

It looks like you have three registry protectors running: Spybot teatimer, AVG Anti-Spyware guard, and BOClean.

Running more than one registry protector will slow your computer, so I recommend you disable two of them.

To disable TeaTimer:
Run Spybot-S&D in Advanced Mode.
If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
On the left hand side, click on Tools.
Then click on the Resident icon in the list.
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.

To disable AVG Anti-Spyware Guard:
Open AVG Anti-Spyware and in the main window click "Resident Shield", then toggle the AVG Anti-Spyware active protection 'off' by clicking 'Change state', which will change the protection status to 'inactive'.
When you reboot, AVG Anti-Spyware will prompt you as to whether you would like to "Restart the guard?".
Reply 'No' and set it to 'inactive'.


You have some suspicious files we need to check.

You will need to configure Windows to show Hidden files.

Go to the next site: http://www.virustotal.com/en/indexf.html
At the top you'll find 'Browse'.
Click the Browse button and browse to the next file:

C:\WINDOWS\unboc.exe

Click open.
Then click the 'Send' button next to it.
This will scan the file. Please be patient.
Save the results in notepad.

Perform the same for the next files:

C:\WINDOWS\system32\msi.dll
C:\WINDOWS\cmdlic.dll


Once scanned, copy and paste the results also in your next reply.

I usually enter my email address at VirusTotal so they can send me the scan results. They usually only take a couple of minutes to reply.
You can copy/paste the scan results here.

Edited by SifuMike, 28 May 2007 - 11:54 PM.

If I've saved you time & money,
please make a donation so I can keep helping people just like you! You can donate using a credit card and PayPal. Thank you!




Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 shred1970 (Topic Starter)

Posted 29 May 2007 - 03:14 AM

Hi SifuMike,
Here are the scan results .... the first one is the unboc one; the rest are labelled ...


Antivirus Version Update Result
AhnLab-V3 2007.5.29.0 05.28.2007 no virus found
AntiVir 7.4.0.27 05.28.2007 no virus found
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.28.2007 no virus found
AVG 7.5.0.467 05.28.2007 no virus found
BitDefender 7.2 05.29.2007 no virus found
CAT-QuickHeal 9.00 05.28.2007 no virus found
ClamAV devel-20070416 05.29.2007 no virus found
DrWeb 4.33 05.28.2007 no virus found
eSafe 7.0.15.0 05.28.2007 no virus found
eTrust-Vet 30.7.3670 05.28.2007 no virus found
Ewido 4.0 05.28.2007 no virus found
FileAdvisor 1 05.29.2007 No threat detected
Fortinet 2.85.0.0 05.29.2007 no virus found
F-Prot 4.3.2.48 05.25.2007 no virus found
F-Secure 6.70.13030.0 05.29.2007 no virus found
Ikarus T3.1.1.8 05.29.2007 no virus found
Kaspersky 4.0.2.24 05.29.2007 no virus found
McAfee 5040 05.28.2007 no virus found
Microsoft 1.2503 05.29.2007 no virus found
NOD32v2 2294 05.28.2007 no virus found
Norman 5.80.02 05.28.2007 no virus found
Panda 9.0.0.4 05.28.2007 no virus found
Prevx1 V2 05.29.2007 no virus found
Sophos 4.18.0 05.28.2007 no virus found
Sunbelt 2.2.907.0 05.26.2007 no virus found
Symantec 10 05.29.2007 no virus found
TheHacker 6.1.6.124 05.28.2007 no virus found
VBA32 3.12.0 05.28.2007 no virus found
VirusBuster 4.3.23:9 05.28.2007 no virus found
Webwasher-Gateway 6.0.1 05.29.2007 no virus found


Aditional Information
File size: 240368 bytes
MD5: 35ef756664a24d5248957521413f39f0
SHA1: a5730ad6cff2e9cf9f50d533e452e5d18aadeca8
Bit9 info: http://fileadvisor.bit9.com/services/extin...8957521413f39f0

VirusTotal is a free service offered by Hispasec Sistemas. There are no guarantees about the availability and continuity of this service. Although the detection rate afforded by the use of multiple antivirus engines is far superior to that offered by just one product, these results DO NOT guarantee the harmlessness of a file. Currently, there is not any solution that offers a 100% effectiveness rate for detecting viruses and malware.


Complete scanning result of "msi.dll", received in VirusTotal at 05.29.2007, 09:16:04 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.29.1 05.29.2007 no virus found
AntiVir 7.4.0.27 05.29.2007 no virus found
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.28.2007 no virus found
AVG 7.5.0.467 05.28.2007 no virus found
BitDefender 7.2 05.29.2007 no virus found
CAT-QuickHeal 9.00 05.28.2007 no virus found
ClamAV devel-20070416 05.29.2007 no virus found
DrWeb 4.33 05.29.2007 no virus found
eSafe 7.0.15.0 05.28.2007 no virus found
eTrust-Vet 30.7.3672 05.29.2007 no virus found
Ewido 4.0 05.28.2007 no virus found
FileAdvisor 1 05.29.2007 Not analyzed yet
Fortinet 2.85.0.0 05.29.2007 no virus found
F-Prot 4.3.2.48 05.25.2007 no virus found
F-Secure 6.70.13030.0 05.29.2007 no virus found
Ikarus T3.1.1.8 05.29.2007 no virus found
Kaspersky 4.0.2.24 05.29.2007 no virus found
McAfee 5040 05.28.2007 no virus found
Microsoft 1.2503 05.29.2007 no virus found
NOD32v2 2294 05.28.2007 no virus found
Norman 5.80.02 05.28.2007 no virus found
Panda 9.0.0.4 05.28.2007 no virus found
Prevx1 V2 05.29.2007 no virus found
Sophos 4.18.0 05.28.2007 no virus found
Sunbelt 2.2.907.0 05.26.2007 no virus found
Symantec 10 05.29.2007 no virus found
TheHacker 6.1.6.124 05.28.2007 no virus found
VBA32 3.12.0 05.28.2007 no virus found
VirusBuster 4.3.23:9 05.28.2007 no virus found
Webwasher-Gateway 6.0.1 05.29.2007 Win32.Malware.gen!32 (suspicious)


Complete scanning result of "CMDLIC.DLL", received in VirusTotal at 05.29.2007, 09:36:01 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.29.1 05.29.2007 no virus found
AntiVir 7.4.0.27 05.29.2007 no virus found
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 05.28.2007 no virus found
AVG 7.5.0.467 05.28.2007 no virus found
BitDefender 7.2 05.29.2007 no virus found
CAT-QuickHeal 9.00 05.28.2007 no virus found
ClamAV devel-20070416 05.29.2007 no virus found
DrWeb 4.33 05.29.2007 no virus found
eSafe 7.0.15.0 05.28.2007 no virus found
eTrust-Vet 30.7.3672 05.29.2007 no virus found
Ewido 4.0 05.28.2007 no virus found
FileAdvisor 1 05.29.2007 No threat detected
Fortinet 2.85.0.0 05.29.2007 no virus found
F-Prot 4.3.2.48 05.25.2007 no virus found
F-Secure 6.70.13030.0 05.29.2007 no virus found
Ikarus T3.1.1.8 05.29.2007 no virus found
Kaspersky 4.0.2.24 05.29.2007 no virus found
McAfee 5040 05.28.2007 no virus found
Microsoft 1.2503 05.29.2007 no virus found
NOD32v2 2294 05.28.2007 no virus found
Norman 5.80.02 05.28.2007 no virus found
Panda 9.0.0.4 05.28.2007 no virus found
Prevx1 V2 05.29.2007 no virus found
Sophos 4.18.0 05.28.2007 no virus found
Sunbelt 2.2.907.0 05.26.2007 no virus found
Symantec 10 05.29.2007 no virus found
TheHacker 6.1.6.124 05.28.2007 no virus found
VBA32 3.12.0 05.28.2007 no virus found
VirusBuster 4.3.23:9 05.28.2007 no virus found
Webwasher-Gateway 6.0.1 05.29.2007 no virus found

#12 SifuMike (malware expert, Staff Emeritus)

Posted 29 May 2007 - 10:32 AM

Hi shred1970,

Those three files are OK, so now we do some minor cleanup.

Make sure your registry protector(s) are disabled, as they will prevent Hijackthis from removing registry entries.

In Normal Mode, select the following with HijackThis.
With all windows (including this one!) closed (close browser/explorer windows), please select "fix."

O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -


Run CCleaner.

Reboot your computer, post a fresh Hijackthis log.

Edited by SifuMike, 29 May 2007 - 10:33 AM.

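The entries SifuMike singled out above follow a pattern that can be checked mechanically. Here is an added example, not code from HijackThis or from anyone in this thread, that parses HijackThis v1.99.1 log lines and flags the two kinds fixed in this post (an unnamed BHO with no file, and an O16 DPF entry with no description or URL), marks other missing-file entries as merely stale, and lists O17 DNS servers for a manual check; the sample lines are copied from this thread's logs and the verdict labels are my own.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: lines copied from the HijackThis v1.99.1 logs in this thread.
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {BDF3E430-B101-42AD-A544-FADC6B084872} - (no file)",
    r"O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)",
    r"O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} -",
    r"O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{EB9AA6A8-755D-498A-8E1B-BD9D37CF5FD4}: NameServer = 203.194.56.150 203.194.27.57",
])

LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$")
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

@dataclass
class Finding:
    section: str
    verdict: str  # "fix", "stale", "verify" or "ok"; my labels, not HijackThis's
    reason: str
    line: str

def classify(line: str) -> Finding:
    """Apply the triage used in this thread to one HijackThis log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return Finding("?", "verify", "not a HijackThis entry", line)
    section, body = m.group("section"), m.group("body").strip()
    # HijackThis marks entries whose target is gone. An unnamed O2 BHO with no file
    # is the usual leftover of a removed hijacker (the entry fixed in this thread);
    # a named tool that is merely missing is stale, not hostile.
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        if section == "O2" and "(no name)" in body:
            return Finding(section, "fix", "unnamed BHO with no file", line)
        return Finding(section, "stale", "target file absent", line)
    # O16 DPF entries normally read "{GUID} (Description) - URL"; one carrying only
    # a GUID and a trailing dash has neither a name nor a source, as in the thread.
    if section == "O16":
        rest = GUID_RE.sub("", body.replace("DPF:", "", 1), count=1).strip()
        if rest in ("", "-"):
            return Finding(section, "fix", "ActiveX entry with no name and no URL", line)
    # O17 entries are DNS settings: not bad by themselves, but a hijacked resolver
    # looks exactly like this, so list them for a check against the ISP's servers.
    if section == "O17" and "NameServer =" in body:
        servers = body.split("NameServer =", 1)[1].split()
        return Finding(section, "verify", "DNS servers: " + ", ".join(servers), line)
    return Finding(section, "ok", "", line)

def triage(log_text: str) -> List[Finding]:
    """Classify every non-empty line of a pasted HijackThis log."""
    return [classify(ln) for ln in log_text.splitlines() if ln.strip()]

def lines_to_fix(log_text: str) -> List[str]:
    """Raw log lines the heuristics mark as safe to 'fix' in HijackThis."""
    return [f.line for f in triage(log_text) if f.verdict == "fix"]
```

Running `triage(SAMPLE_LOG)` yields exactly the two "fix" lines from this post, one "stale" O9 entry and one "verify" O17 entry.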

#13 shred1970 (Topic Starter)

Posted 29 May 2007 - 10:48 PM

Hi SifuMike,
My whole PC almost bit the dust. I could dial up but I couldn't get to any web pages, diagnostics was trying to tell me that my modem might be screwed and my memory was fading fast... oh the horror :thumbsup: . After a few system restores and unrestores and a disk cleanup getting rid of all of those points, everything is now fine. So here's the latest HijackThis log.
Thanks SifuMike,

Logfile of HijackThis v1.99.1
Scan saved at 1:24:38 PM, on 30/05/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\avg\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
D:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dmcs.com.au/home
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [COMODO Firewall Pro] "D:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BOC-423] C:\PROGRA~1\Comodo\CBOClean\BOC423.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall.trendmicro-europe.com/...ivex/hcImpl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\avg\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - D:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

#14 SifuMike (malware expert, Staff Emeritus)

Posted 29 May 2007 - 10:54 PM

Hi shred1970,

Your log looks clean! :thumbsup: Good job on the cleanup!

Let's reset your files so they are hidden and protected.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading deselect Show hidden files and folders.
Check the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.




Please read and follow How did I get infected?, With steps so it does not happen again!

If you want to improve speed/system performance after malware removal, take a look here.

#15 shred1970 (Topic Starter)

Posted 30 May 2007 - 01:23 AM

Hi SifuMike,

The unimaginable has happened. EVERYTHING (except for Internet Explorer) has turned into a .lnk type file! Just before it happened I had just started to run an Ad-Aware scan, just after completing a Spybot scan which picked up Avenue A again. I then clicked on Ad-Watch Pro and it informed me that the registry had been altered. I have no idea where to start ... even System Restore is affected .... oh man this is bad!



