Win32:hupigon-el


19 replies to this topic

#1 Lady_Of_Chaos (Members, 15 posts)

Posted 28 May 2007 - 06:25 PM

I use Avast and have run several other programs such as Panda, Ad-Aware, HouseCall, Ewido, Windows Defender, etc., and I can't seem to get rid of this problem.

HJT log :

Logfile of HijackThis v1.99.1
Scan saved at 6:12:30 PM, on 5/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Chad Kugel\Desktop\kugs\mIRC\mirc.exe
C:\Documents and Settings\Chad Kugel\Desktop\kugs\erderrirc\Shb3\SHB\mirc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\system32\autosys.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\muouakhd.dll",realset
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe


Can someone tell me how to fix this?


#2 RichieUK (Malware Response Team, 13,614 posts)

Posted 28 May 2007 - 06:48 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Lady_Of_Chaos.

Launch/start Hijackthis.
Click on the 'Open Misc Tools section' button.
Click on the button labeled 'Delete a file on reboot...'.
A new window will open asking you to select the file that you would like to delete on reboot.
Navigate to the file:
C:\WINDOWS\system32\autosys.exe
Click on it once, and then click on the 'Open' button.
You will now be asked if you would like to reboot your computer to delete the file.
Click on the 'Yes' button if you would like to reboot now.

*******************************

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files; click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click "OK".
Please post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

*******************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouseclick combofix's window whilst it's running.
That may cause the program to freeze/hang.


*******************************

Now go to:
C:\HijackThis\HijackThis.exe
Right click on Hijackthis.exe and select 'Rename', rename it to abc.bat
Double click on abc.bat (which is still HijackThis.exe), and post that log into your next reply please.

#3 Lady_Of_Chaos (Topic Starter)

Posted 28 May 2007 - 07:43 PM

Launch/start Hijackthis.
Click on the 'Open Misc Tools section' button.
Click on the button labeled 'Delete a file on reboot...'.
A new window will open asking you to select the file that you would like to delete on reboot.
<<< When I try to do this, I am able to click it, but then HJT closes completely and doesn't open a window.

Navigate to the file:
C:\WINDOWS\system32\autosys.exe
Click on it once, and then click on the 'Open' button.
You will now be asked if you would like to reboot your computer to delete the file.
Click on the 'Yes' button if you would like to reboot now.

#4 RichieUK (Malware Response Team)

Posted 28 May 2007 - 07:57 PM

Do the following instead then please.

Download KillBox, and unzip/extract it to your desktop.
http://download.bleepingcomputer.com/spyware/KillBox.zip
Start up Killbox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box, copy and paste:

C:\WINDOWS\system32\autosys.exe

Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot; select YES.
Allow it to reboot.
If it doesn't reboot automatically, reboot manually.

#5 Lady_Of_Chaos (Topic Starter)

Posted 28 May 2007 - 08:29 PM

VundoFix V6.4.1

Checking Java version...
Sun Java not detected
Scan started at 8:05:12 PM 5/28/2007

Listing files found while scanning....

C:\WINDOWS\system32\cbxwwuu.dll
C:\WINDOWS\system32\ddeeg.bak1
C:\WINDOWS\system32\ddeeg.bak2
C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\dhkauoum.ini
C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\jjkmp.ini
C:\WINDOWS\system32\muouakhd.dll
C:\WINDOWS\system32\nnnmlli.dll
C:\WINDOWS\system32\pmkjj.dll
C:\WINDOWS\system32\vtuuvtu.dll
C:\WINDOWS\system32\vtuuvuv.dll
C:\WINDOWS\system32\wvurrqn.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\cbxwwuu.dll
C:\WINDOWS\system32\cbxwwuu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddeeg.bak1
C:\WINDOWS\system32\ddeeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddeeg.bak2
C:\WINDOWS\system32\ddeeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddeeg.ini
C:\WINDOWS\system32\ddeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\dhkauoum.ini
C:\WINDOWS\system32\dhkauoum.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\geedd.dll
C:\WINDOWS\system32\geedd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjkmp.ini
C:\WINDOWS\system32\jjkmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\muouakhd.dll
C:\WINDOWS\system32\muouakhd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nnnmlli.dll
C:\WINDOWS\system32\nnnmlli.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmkjj.dll
C:\WINDOWS\system32\pmkjj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtuuvtu.dll
C:\WINDOWS\system32\vtuuvtu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtuuvuv.dll
C:\WINDOWS\system32\vtuuvuv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvurrqn.dll
C:\WINDOWS\system32\wvurrqn.dll Has been deleted!

Performing Repairs to the registry.
Done!
--------------------------------------------------
2007-05-26 05:42	  18944	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\winwly32.dll.vir
2007-05-26 05:54	  50745	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\bqfbgnwg.dll.vir


Folder PATH listing
Volume serial number is D060-E32B
C:\QOOBOX
\---Quarantine
	+---C
	|   \---WINDOWS
	|	   \---system32
	|			   bqfbgnwg.dll.vir
	|			   winwly32.dll.vir
	|			   
	\---Registry_backups
---------------------------------------------------
When this log popped up, a virus warning went off again as well: Win32:Alphabet

"Chad Kugel" - 2007-05-28 20:13:34 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Chad Kugel\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\bqfbgnwg.dll
C:\WINDOWS\system32\winwly32.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-28 ))))))))))))))))))))))))))))))))))


2007-05-28 20:05 <DIR> d-------- C:\VundoFix Backups
2007-05-28 19:58 <DIR> d-------- C:\!KillBox
2007-05-28 18:02 <DIR> d-------- C:\HijackThis
2007-05-28 15:57 <DIR> d-------- C:\Program Files\Windows Defender
2007-05-26 15:37 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-26 15:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-05-26 15:35 <DIR> d-------- C:\WINDOWS\pss
2007-05-26 14:10 <DIR> d-------- C:\Program Files\CCleaner
2007-05-26 05:45 22,016 --a------ C:\WINDOWS\system32\winsys32.dll
2007-05-19 15:27 <DIR> d-------- C:\Program Files\RealVNC
2007-05-19 06:43 <DIR> d-------- C:\Program Files\DivX
2007-05-11 03:41 1,782 --a------ C:\Program Files\illusion.reg
2007-05-11 03:33 <DIR> d-------- C:\Program Files\illusion
2007-05-05 04:28 <DIR> d-------- C:\Program Files\plugins
2007-05-05 04:18 <DIR> d-------- C:\WINDOWS\Celsys
2007-05-05 04:06 <DIR> d-------- C:\DOCUME~1\CHADKU~1\APPLIC~1\e frontier
2007-05-05 03:54 <DIR> d-------- C:\Program Files\e frontier
2007-05-04 04:37 <DIR> d-------- C:\DOCUME~1\CHADKU~1\APPLIC~1\Opera
2007-05-03 03:59 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Ahead
2007-05-02 03:38 <DIR> d-------- C:\Program Files\QuickTime
2007-04-29 20:09 <DIR> d---s---- C:\Documents and Settings\CHADKU~1\UserData
2007-04-29 20:09 <DIR> d---s---- C:\DOCUME~1\CHADKU~1\UserData
2007-04-29 03:43 <DIR> d-------- C:\Program Files\MySpace
2007-04-29 03:43 <DIR> d-------- C:\DOCUME~1\CHADKU~1\APPLIC~1\MySpace
2007-04-28 00:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
2007-04-28 00:48 <DIR> d-------- C:\Program Files\Bonjour
2007-04-28 00:44 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-27 12:17:46 -------- d-----w C:\DOCUME~1\CHADKU~1\APPLIC~1\uTorrent
2007-05-26 10:50:34 -------- d-----w C:\Program Files\uTorrent
2007-05-26 10:43:40 -------- d-----w C:\Program Files\Winamp
2007-05-02 08:33:31 -------- d-----w C:\Program Files\Apple Software Update
2007-05-01 08:00:18 -------- d-----w C:\DOCUME~1\CHADKU~1\APPLIC~1\Ahead
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr
2007-04-27 11:39:18 -------- d-----w C:\Program Files\Broderbund
2007-04-27 11:37:42 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-27 11:36:54 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-04-23 03:16:22 -------- d-----w C:\DOCUME~1\CHADKU~1\APPLIC~1\Lavasoft
2007-04-23 03:16:19 -------- d-----w C:\Program Files\Lavasoft
2007-04-23 03:16:12 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-04-23 00:14:42 -------- d-----w C:\Program Files\MSXML 4.0
2007-04-23 00:06:18 -------- d-----w C:\Program Files\Analog Devices
2007-04-23 00:03:40 -------- d-----w C:\Program Files\S3
2007-04-23 00:01:11 -------- d-----w C:\Program Files\VIA
2007-04-22 23:59:18 -------- d-----w C:\Program Files\AMD
2007-04-22 23:53:40 -------- d-----w C:\Program Files\Common Files\Ahead
2007-04-22 23:52:27 -------- d-----w C:\Program Files\Nero
2007-04-22 23:37:25 -------- d-----w C:\Program Files\MSN Messenger
2007-04-22 23:15:54 -------- d-----w C:\Program Files\Common Files\Adobe Systems Shared
2007-04-22 22:29:19 -------- d-----w C:\Program Files\Messenger
2007-04-22 22:07:06 -------- d-----w C:\Program Files\Alwil Software
2007-04-22 21:52:23 -------- d-----w C:\Program Files\microsoft frontpage
2007-04-22 21:52:20 0 --sha-r C:\MSDOS.SYS
2007-04-22 21:52:20 0 --sha-r C:\IO.SYS
2007-04-22 21:52:20 0 ----a-w C:\CONFIG.SYS
2007-04-22 21:52:20 0 ----a-w C:\AUTOEXEC.BAT
2007-04-22 21:51:24 -------- d--h--w C:\Program Files\WindowsUpdate
2007-04-22 21:50:21 -------- d-----w C:\Program Files\Common Files\MSSoap
2007-04-22 21:50:09 -------- d-----w C:\Program Files\Movie Maker
2007-04-22 21:49:37 21,640 ----a-w C:\WINDOWS\system32\emptyregdb.dat
2007-04-22 21:49:20 -------- d-----w C:\Program Files\Online Services
2007-04-22 21:49:13 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-04-22 21:49:02 -------- d-----w C:\Program Files\Windows NT
2007-04-22 16:44:34 -------- d-----w C:\Program Files\Common Files\ODBC
2007-04-22 16:44:31 -------- d-----w C:\Program Files\Common Files\SpeechEngines
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-15 00:27:58 972,336 ----a-w C:\WINDOWS\UNRecode.exe
2007-03-15 00:19:56 95,864 ----a-w C:\WINDOWS\system32\NeroCo.dll
2007-03-15 00:19:26 972,336 ----a-w C:\WINDOWS\UNNeroBackItUp.exe
2007-03-12 18:51:08 972,336 ----a-w C:\WINDOWS\UNNeroMediaHome.exe
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-01 01:53:50 972,336 ----a-w C:\WINDOWS\UNNeroVision.exe
2007-02-28 20:41:02 972,336 ----a-w C:\WINDOWS\UNNeroShowTime.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{0777FDE1-50AB-4E2F-8DC8-23548E111F93}=C:\WINDOWS\system32\vtuuvuv.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
{6EF1FC3F-7D32-4F05-8148-A8A26C951149}=C:\WINDOWS\system32\geedd.dll []
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 20:33]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 10:42]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-09 18:53]
"RaidTool"="C:\Program Files\VIA\RAID\raid_tool.exe" [2005-11-22 21:12]
"VTTimer"="VTTimer.exe" [2005-03-07 14:33 C:\WINDOWS\system32\VTTimer.exe]
"S3Trayp"="S3trayp.exe" [2005-04-04 16:49 C:\WINDOWS\system32\S3Trayp.exe]
"High Definition Audio Property Page Shortcut"="HDAShCut.exe" [2004-10-27 15:21 C:\WINDOWS\system32\HdAShCut.exe]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2005-05-19 20:11]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2005-09-07 15:35]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-03-12 13:49]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [2007-03-07 00:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{0777FDE1-50AB-4E2F-8DC8-23548E111F93}"="C:\WINDOWS\system32\vtuuvuv.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsys32]
C:\WINDOWS\system32\winsys32.dll

*Newly Created Service* -PROCEXP90

Contents of the 'Scheduled Tasks' folder
2007-05-23 02:40:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-05-29 01:12:51 C:\WINDOWS\tasks\MP Scheduled Scan.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-28 20:15:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-05-28 20:15:43
C:\ComboFix-quarantined-files.txt ... 2007-05-28 20:15

--- E O F ---
------------------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 8:20:44 PM, on 5/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Documents and Settings\Chad Kugel\Desktop\kugs\mIRC\mirc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {0777FDE1-50AB-4E2F-8DC8-23548E111F93} - C:\WINDOWS\system32\vtuuvuv.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6EF1FC3F-7D32-4F05-8148-A8A26C951149} - C:\WINDOWS\system32\geedd.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winsys32 - C:\WINDOWS\system32\winsys32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

Edited by Lady_Of_Chaos, 28 May 2007 - 08:38 PM.
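A log-triage script, added here as an example and not part of the thread or of HijackThis/ComboFix: it parses lines in the HijackThis format posted above and flags the three patterns the helper acted on (an unnamed BHO, a Run value that starts rundll32 on a system32 DLL, and a Winlogon Notify package outside an allowlist), then lists which flagged files still exist and so are candidates for the delete-on-reboot step. The sample lines and the allowlist (`KNOWN_NOTIFY_PACKAGES`) are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines in the HijackThis v1.99.1 line format,
# mixing the entries the thread's helper singled out with two benign ones.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {0777FDE1-50AB-4E2F-8DC8-23548E111F93} - C:\WINDOWS\system32\vtuuvuv.dll (file missing)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\muouakhd.dll",realset
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winsys32 - C:\WINDOWS\system32\winsys32.dll
"""

# Winlogon notification packages known to be legitimate on this machine. This is
# a constructed allowlist for the example, not one shipped by HijackThis.
KNOWN_NOTIFY_PACKAGES = {"wgalogon"}


@dataclass
class Finding:
    line: str
    rule: str
    reason: str


O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
SYSTEM32_DLL_RE = re.compile(r'\\system32\\[^\\"]+\.dll', re.I)
FILE_PATH_RE = re.compile(r'[A-Za-z]:\\[^"]+?\.(?:dll|exe)\b', re.I)


def check_bho(m, line):
    """Vundo-style BHOs register with no display name; an orphaned CLSID
    (file missing / no file) is a leftover that still wants cleaning."""
    if m["name"].strip().lower() != "(no name)":
        return None
    orphan = "(file missing)" in m["path"] or m["path"].strip() == "(no file)"
    reason = "BHO registered without a name"
    if orphan:
        reason += "; its DLL is already gone, so only the CLSID entry remains"
    return Finding(line, "bho-no-name", reason)


def check_run(m, line):
    """A Run value that starts rundll32 on a DLL dropped in system32 is the
    loader pattern seen in the thread's [setup] entry."""
    cmd = m["cmd"].strip()
    if re.match(r"rundll32(\.exe)?\b", cmd, re.I) and SYSTEM32_DLL_RE.search(cmd):
        return Finding(line, "rundll32-system32-dll",
                       f"{m['hive']} Run value [{m['name']}] loads a system32 DLL through rundll32")
    return None


def check_notify(m, line):
    """Winlogon Notify DLLs are loaded into winlogon.exe at logon; anything
    outside the allowlist deserves a look (winsys32 in the thread was one)."""
    if m["name"].lower() in KNOWN_NOTIFY_PACKAGES:
        return None
    return Finding(line, "winlogon-notify-unknown",
                   f"Winlogon Notify package '{m['name']}' is not on the allowlist")


RULES = ((O2_RE, check_bho), (O4_RE, check_run), (O20_RE, check_notify))


def triage(log_text):
    """Return a Finding for every log line that trips a rule, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for pattern, check in RULES:
            m = pattern.match(line)
            if m:
                finding = check(m, line)
                if finding:
                    findings.append(finding)
                break
    return findings


def paths_to_quarantine(findings):
    """Files named on flagged lines that still exist on disk, i.e. candidates
    for a delete-on-reboot tool; orphaned entries contribute nothing."""
    paths = set()
    for f in findings:
        if "(file missing)" in f.line or "(no file)" in f.line:
            continue
        paths.update(FILE_PATH_RE.findall(f.line))
    return sorted(paths)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.rule}] {f.reason}\n    {f.line}")
    print("candidate files:", paths_to_quarantine(hits))
```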


#6 RichieUK (Malware Response Team)

Posted 28 May 2007 - 08:41 PM

Start up Killbox and place a check in 'Delete on Reboot'.
In the 'Full path of file to delete' box, copy and paste:

C:\WINDOWS\system32\winsys32.dll

Then press the red button with the white cross.
It will then provide a window for you to confirm the delete.
Next it will ask if you now wish to reboot; select YES.
Allow it to reboot.
If it doesn't reboot automatically, reboot manually.

****************************

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed, do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware; don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and, after hearing your computer beep once during startup (but before the Windows icon appears), press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O2 - BHO: (no name) - {0777FDE1-50AB-4E2F-8DC8-23548E111F93} - C:\WINDOWS\system32\vtuuvuv.dll (file missing)
O2 - BHO: (no name) - {6EF1FC3F-7D32-4F05-8148-A8A26C951149} - C:\WINDOWS\system32\geedd.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O20 - Winlogon Notify: winsys32 - C:\WINDOWS\system32\winsys32.dll


Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient; it takes a while for the scan to finish.

Once the scan is complete, do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you're done.
Reboot normally.

**************************

Run 'BitDefender Online Scanner' using Internet Explorer:
http://www.bitdefender.com/scan8/ie.html
Read the 'END USER SOFTWARE LICENSE AGREEMENT' then click 'I agree'.
You'll be prompted to install the ActiveX control; please do so.
Once installed, disable your current antivirus program, then click the 'Click here to scan' button.
The virus signatures will then load.
Once loaded the scan will start.
The scan will take quite some time so please be patient.
Once the scan has finished select the 'Detected Problems' tab.
Click on 'Click here to export scan'.
Save the file as an HTML file to your desktop.
Then click on the saved file and allow it to open with your browser.
Go to 'Edit'/'Select All' then copy and paste that log into your next reply.
*Note*
Don't forget to re-enable your antivirus program.

Post the AVG Anti-Spyware report, the BitDefender Online Scanner log, and a new HijackThis log into your next reply.
Let me know how your PC is running now, please.

#7 Lady_Of_Chaos (Topic Starter)

Posted 29 May 2007 - 12:24 AM

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:10:49 PM 5/28/2007

+ Scan result:



C:\Documents and Settings\Chad Kugel\My Documents\OiUninstaller.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\VundoFix Backups\vtuuvuv.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\!KillBox\autosys.exe -> Logger.Agent.pn : Cleaned with backup (quarantined).
C:\Documents and Settings\Chad Kugel\Cookies\chad kugel@aavalue[1].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Chad Kugel\Cookies\chad kugel@arn.aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\Chad Kugel\Cookies\chad kugel@ads.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Chad Kugel\Cookies\chad kugel@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Chad Kugel\Cookies\chad kugel@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Chad Kugel\Cookies\chad kugel@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Chad Kugel\Cookies\chad kugel@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Chad Kugel\Cookies\chad kugel@www.paypal[2].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Chad Kugel\Cookies\chad kugel@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\system32\winwly32.dll.vir -> Trojan.Dialer.qn : Cleaned with backup (quarantined).


::Report end

--------------------------------
BitDefender Online Scanner

Scan report generated at: Mon, May 28, 2007 - 23:51:47
Scan path: A:\;C:\;D:\;E:\;

Statistics
Time: 01:21:40
Files: 412527
Folders: 6351
Boot Sectors: 3
Archives: 1624
Packed Files: 37937

Results
Identified Viruses: 2
Infected Files: 2
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 2

Engines Info
Virus Definitions: 509129
Engine build: AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File - Status
C:\QooBox\Quarantine\C\WINDOWS\system32\bqfbgnwg.dll.vir - Infected with: Trojan.Virtumod.ALZ
C:\QooBox\Quarantine\C\WINDOWS\system32\bqfbgnwg.dll.vir - Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\system32\bqfbgnwg.dll.vir - Deleted
C:\VundoFix Backups\muouakhd.dll.bad - Infected with: Trojan.Vundo.AY
C:\VundoFix Backups\muouakhd.dll.bad - Disinfection failed
C:\VundoFix Backups\muouakhd.dll.bad - Deleted
---------------------------------------------
Logfile of HijackThis v1.99.1
Scan saved at 12:17:45 AM, on 5/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\HijackThis\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [S3Trayp] S3trayp.exe
O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" /tray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winwly32 - winwly32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

The computer still seems to be freezing at different times, and I am still getting warnings for the Hupigon-EL virus.

#8 RichieUK

  • Malware Response Team

Posted 29 May 2007 - 06:42 AM

Have HijackThis fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser windows and all Windows Explorer windows are closed before fixing:
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O20 - Winlogon Notify: winwly32 - winwly32.dll (file missing)

Exit Hijackthis.

**************************

Run this online virus/spyware scan using Internet Explorer:
Kaspersky WebScanner
Next click Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Standard
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:
Select My Computer
This will start the program and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste the contents of that file into your next reply.

**************************

Download AVG Anti-Rootkit and save to your desktop
1. Double click avgarkt-setup-1.1.0.42.exe to install. By default it will install to C:\Program Files\GRISOFT\AVG Anti-Rootkit.
2. Accept the license and follow the prompts to install.
3. You will be asked to reboot to finish the installation so click "Finish".
4. After rebooting, double-click the icon for AVG Anti-Rootkit on your desktop.
5. You will see a window with four buttons at the bottom.
6. Click "Search For Rootkits" and the scan will begin.
7. You will see the progress bar moving from left to right. The scan will take some time, so be patient and let it finish.
8. When the scan has finished, a small window will open so you can view the results.
9. Right click and select "Save Result To File".
10. By default the file will be saved with a .csv extension. (You can use Notepad to open the .csv file.) Copy and paste the results in your next reply.
11. If anything was found, click "Remove selected items"
12. If nothing was found, please click the "Perform in-depth Search" saving anything found to file as before.
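The HijackThis step above is a triage rule: tick the entries whose target file no longer exists, leave the rest alone. That rule can be scripted, and scripting it makes one trap visible. The block below is an added example written for this thread; it is not HijackThis code and not from any post here. SAMPLE_LOG is a constructed subset of the log posted in #7, and the cross-check of "(file missing)" entries against the "Running processes" list is this example's own heuristic, not something HijackThis 1.99 does.

```python
"""Triage a HijackThis 1.99 log the way a forum helper reads one.

Added example for this thread; not HijackThis code and not from the original
posts. SAMPLE_LOG is a constructed subset of the log posted above. The
cross-check of "(file missing)" entries against the "Running processes" list
is this example's own heuristic, not something HijackThis does.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Platform: Windows XP SP2 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\HijackThis\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winwly32 - winwly32.dll (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
"""

# One HJT entry: a section code (R0, O4, O20, ...) and the rest of the line.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")
# Last .exe/.dll token in an entry; quotes and whitespace end a token.
BINARY_RE = re.compile(r'[^\s"]+\.(?:exe|dll)', re.IGNORECASE)


@dataclass
class Entry:
    code: str
    body: str
    file_missing: bool

    @property
    def binary(self) -> Optional[str]:
        """Lower-cased basename of the last binary named in the entry."""
        hits = BINARY_RE.findall(self.body)
        return hits[-1].rsplit("\\", 1)[-1].lower() if hits else None


def parse_hjt(text: str) -> Tuple[Set[str], List[Entry]]:
    """Return (basenames of running processes, list of section entries)."""
    running: Set[str] = set()
    entries: List[Entry] = []
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            if not line:            # blank line ends the process list
                in_procs = False
            else:
                running.add(line.rsplit("\\", 1)[-1].lower())
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m["code"], m["body"], "(file missing)" in m["body"]))
    return running, entries


def triage(running: Set[str], entries: List[Entry]) -> List[Tuple[str, Entry]]:
    """Pair each entry worth a look with the reason it was picked."""
    findings = []
    for e in entries:
        if e.file_missing:
            if e.binary in running:
                # HJT 1.99 can mark a quoted service path with arguments as
                # missing even though the binary is alive; do not tick blindly.
                findings.append(("marked '(file missing)' but the binary is running; verify before fixing", e))
            else:
                findings.append(("dangling reference: registry points at a file that is gone; safe to fix", e))
        elif e.code == "O20":
            findings.append(("Winlogon Notify DLL is loaded into winlogon.exe at logon; verify the publisher", e))
        elif e.code == "O10":
            findings.append(("Winsock LSP sees every socket; verify the DLL owner", e))
    return findings


def fix_list(findings: List[Tuple[str, Entry]]) -> List[str]:
    """The lines to tick in HJT: exactly the dangling references."""
    return [f"{e.code} - {e.body}" for reason, e in findings if reason.startswith("dangling")]


if __name__ == "__main__":
    running, entries = parse_hjt(SAMPLE_LOG)
    for reason, e in triage(running, entries):
        print(f"[{e.code}] {reason}\n    {e.body}")
    print("\nTick in HijackThis:")
    print("\n".join(fix_list(triage(running, entries))))
```

On the sample, fix_list() returns the same three lines RichieUK asked to have checked. The avast! Web Scanner service (O23) also carries "(file missing)", but ashWebSv.exe is in the process list, so the script reports it separately instead of putting it on the fix list; ticking that one would have removed a live antivirus service.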

#9 Lady_Of_Chaos

  • Topic Starter

Posted 29 May 2007 - 05:32 PM

KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 29, 2007 3:00:45 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 29/05/2007
Kaspersky Anti-Virus database records: 313097
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
A:\
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 87650
Number of viruses found 0
Number of infected objects 0
Number of suspicious objects 0
Duration of the scan process 00:57:14

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Chad Kugel\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Chad Kugel\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\Chad Kugel\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\Chad Kugel\Local Settings\Application Data\Identities\{E4BB0032-F346-4B31-BC83-585B91A6BB5B}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\Chad Kugel\Local Settings\Application Data\Identities\{E4BB0032-F346-4B31-BC83-585B91A6BB5B}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\Chad Kugel\Local Settings\Application Data\Microsoft\Messenger\fuzzybeaver007@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Chad Kugel\Local Settings\Application Data\Microsoft\Messenger\fuzzybeaver007@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Chad Kugel\Local Settings\Application Data\Microsoft\Messenger\fuzzybeaver007@hotmail.com\SharingMetadata\Working\database_56D0_60FB_D060_E32B\dfsr.db Object is locked skipped
C:\Documents and Settings\Chad Kugel\Local Settings\Application Data\Microsoft\Messenger\fuzzybeaver007@hotmail.com\SharingMetadata\Working\database_56D0_60FB_D060_E32B\fsr.log Object is locked skipped
C:\Documents and Settings\Chad Kugel\Local Settings\Application Data\Microsoft\Messenger\fuzzybeaver007@hotmail.com\SharingMetadata\Working\database_56D0_60FB_D060_E32B\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Chad Kugel\Local Settings\Application Data\Microsoft\Messenger\fuzzybeaver007@hotmail.com\SharingMetadata\Working\database_56D0_60FB_D060_E32B\tmp.edb Object is locked skipped
C:\Documents and Settings\Chad Kugel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Chad Kugel\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Chad Kugel\Local Settings\Application Data\Microsoft\Windows Live Contacts\fuzzybeaver007@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Chad Kugel\Local Settings\Application Data\Microsoft\Windows Live Contacts\fuzzybeaver007@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Chad Kugel\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Chad Kugel\Local Settings\History\History.IE5\MSHist012007052920070530\index.dat Object is locked skipped
C:\Documents and Settings\Chad Kugel\Local Settings\Temp\~DF33FA.tmp Object is locked skipped
C:\Documents and Settings\Chad Kugel\Local Settings\Temp\~DFC5D4.tmp Object is locked skipped
C:\Documents and Settings\Chad Kugel\Local Settings\Temp\~DFC852.tmp Object is locked skipped
C:\Documents and Settings\Chad Kugel\Local Settings\Temp\~DFE20C.tmp Object is locked skipped
C:\Documents and Settings\Chad Kugel\Local Settings\Temp\~DFE25B.tmp Object is locked skipped
C:\Documents and Settings\Chad Kugel\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Chad Kugel\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Chad Kugel\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_61c.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.
--------------------------------
Performed both scans with AVG, the in-depth scan as well; had no log file to save because nothing was found on either.

#10 RichieUK

  • Malware Response Team

Posted 29 May 2007 - 05:48 PM

Clear your 'System Restore' points by doing the following:
Right-click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Select 'Turn Off System Restore On All Drives'.
Select 'Apply'.
You will then get the following warning:
"You have chosen to turn off System Restore.
If you continue, all existing restore points will be deleted, and you will not be able to track or undo changes to your computer.
Do you want to turn off System Restore?"
Then select 'Yes'; your 'System Restore' directories will be purged.

Restart your pc.

Turn 'System Restore' back on:
Right click on 'My Computer' and select 'Properties'.
Select 'System Restore'.
Unselect 'Turn Off System Restore On All Drives'.
Select 'Apply', then click 'OK'.

Create a new 'System Restore' point:
Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description, then click on 'Create', then click 'Close'.
The date and time are added automatically.

Let me know if you're still having problems after doing the above.

#11 Lady_Of_Chaos

  • Topic Starter

Posted 30 May 2007 - 01:52 PM

I don't use System Restore; I have had it shut off since I formatted a few weeks ago. Would you prefer I turn it back on?

As for problems, I am still getting the Hupigon-EL virus warning:

5/29/2007 12:20:07 AM Chad Kugel 1564 Sign of "Win32:Hupigon-EL [Trj]" has been found in "C:\DOCUME~1\CHADKU~1\LOCALS~1\Temp\AAWTMP\C7606359\2270DF\turbo.exe" file.
5/30/2007 8:52:41 AM Chad Kugel 1464 Sign of "Win32:Hupigon-EL [Trj]" has been found in "C:\DOCUME~1\CHADKU~1\LOCALS~1\Temp\AAWTMP\C63907578\38610D\turbo.exe" file.
5/30/2007 1:44:35 PM Chad Kugel 1464 Sign of "Win32:Hupigon-EL [Trj]" has been found in "C:\DOCUME~1\CHADKU~1\LOCALS~1\Temp\AAWTMP\C81430843\2B28DA\turbo.exe" file.

#12 RichieUK

  • Malware Response Team

Posted 30 May 2007 - 03:41 PM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy and paste ALL of the following text (the script that was shown in the quote box):

Folders to delete:
C:\DOCUME~1\CHADKU~1\LOCALS~1\Temp\AAWTMP

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

***********************

If that didn't work, do the following:

Make sure all hidden files are showing:
* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Now reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Find and delete:
C:\Documents and Settings\CHADKU~1\Local Settings\Temp\AAWTMP
Restart your pc normally.

Post the Avenger output.txt in your next reply.
Let me know whats happening now.

#13 Lady_Of_Chaos

  • Topic Starter

Posted 31 May 2007 - 02:35 AM

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ahybvqpd

*******************

Script file located at: \??\C:\Program Files\nxtjaols.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:



Folder C:\DOCUME~1\CHADKU~1\LOCALS~1\Temp\AAWTMP not found!
Deletion of folder C:\DOCUME~1\CHADKU~1\LOCALS~1\Temp\AAWTMP failed!

Could not process line:
C:\DOCUME~1\CHADKU~1\LOCALS~1\Temp\AAWTMP
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.


----------------------------------------------------------------------------------------------
Also did that 2nd portion, but cannot locate the file anywhere to manually delete it.

The virus warning is still popping up:

5/31/2007 1:53:42 AM Chad Kugel 1464 Sign of "Win32:Hupigon-EL [Trj]" has been found in "C:\DOCUME~1\CHADKU~1\LOCALS~1\Temp\AAWTMP\C34518515\17DA61\turbo.exe" file.
5/31/2007 2:25:54 AM Chad Kugel 1460 Sign of "Win32:Hupigon-EL [Trj]" has been found in "C:\DOCUME~1\CHADKU~1\LOCALS~1\Temp\AAWTMP\C44750\3CCB3B\turbo.exe" file.

Edited by Lady_Of_Chaos, 31 May 2007 - 02:42 AM.
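The five avast! warnings quoted in #11 and #13 all have the same shape, and reading them together says more than reading each alone. The block below is an added example written for this thread; it is not avast! code and not from any post here. SAMPLE_WARNINGS are the five lines quoted above; the numeric field after the user name is kept as an opaque string because the thread never says what it is. LONG_NAMES is a constructed table of 8.3 aliases taken from the long paths that appear in the AVG and Kaspersky logs earlier in this thread; on a live machine you would let Windows resolve the short names rather than keep such a table by hand.

```python
"""Correlate repeated avast! on-access warnings to see what keeps re-creating a file.

Added example for this thread; not avast! code and not from the original posts.
SAMPLE_WARNINGS are the five warning lines quoted above. LONG_NAMES is a
constructed 8.3-to-long-name table derived from long paths seen elsewhere in
the thread; it is an assumption, not a lookup against the real filesystem.
"""
import re
from collections import Counter
from os.path import commonprefix
from typing import Dict, List, NamedTuple

SAMPLE_WARNINGS = r"""
5/29/2007 12:20:07 AM Chad Kugel 1564 Sign of "Win32:Hupigon-EL [Trj]" has been found in "C:\DOCUME~1\CHADKU~1\LOCALS~1\Temp\AAWTMP\C7606359\2270DF\turbo.exe" file.
5/30/2007 8:52:41 AM Chad Kugel 1464 Sign of "Win32:Hupigon-EL [Trj]" has been found in "C:\DOCUME~1\CHADKU~1\LOCALS~1\Temp\AAWTMP\C63907578\38610D\turbo.exe" file.
5/30/2007 1:44:35 PM Chad Kugel 1464 Sign of "Win32:Hupigon-EL [Trj]" has been found in "C:\DOCUME~1\CHADKU~1\LOCALS~1\Temp\AAWTMP\C81430843\2B28DA\turbo.exe" file.
5/31/2007 1:53:42 AM Chad Kugel 1464 Sign of "Win32:Hupigon-EL [Trj]" has been found in "C:\DOCUME~1\CHADKU~1\LOCALS~1\Temp\AAWTMP\C34518515\17DA61\turbo.exe" file.
5/31/2007 2:25:54 AM Chad Kugel 1460 Sign of "Win32:Hupigon-EL [Trj]" has been found in "C:\DOCUME~1\CHADKU~1\LOCALS~1\Temp\AAWTMP\C44750\3CCB3B\turbo.exe" file.
"""

# Constructed from long paths seen in other logs in this thread (assumption).
LONG_NAMES = {
    "DOCUME~1": "Documents and Settings",
    "CHADKU~1": "Chad Kugel",
    "LOCALS~1": "Local Settings",
}

WARN_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M) (?P<user>.+?) (?P<num>\d+) '
    r'Sign of "(?P<sig>[^"]+)" has been found in "(?P<path>[^"]+)" file\.$'
)
SHORT_NAME_RE = re.compile(r"^[A-Z0-9_]{1,6}~\d+$")   # DOS 8.3 alias such as DOCUME~1


class Hit(NamedTuple):
    ts: str
    user: str
    num: str      # unknown field; left as text
    sig: str
    path: str

    @property
    def folder(self) -> str:
        return self.path.rsplit("\\", 1)[0]

    @property
    def filename(self) -> str:
        return self.path.rsplit("\\", 1)[1]


def parse_warnings(text: str) -> List[Hit]:
    """Parse avast! 4 'Sign of ... has been found in ...' lines; skip anything else."""
    hits = []
    for line in text.splitlines():
        m = WARN_RE.match(line.strip())
        if m:
            hits.append(Hit(**m.groupdict()))
    return hits


def common_root(folders: List[str]) -> str:
    """Deepest directory shared by every folder, trimmed to a path boundary."""
    prefix = commonprefix(folders)
    if prefix in folders:            # every hit sits in the same directory
        return prefix
    return prefix[:prefix.rfind("\\")]


def short_name_components(path: str) -> List[str]:
    """Path components that are 8.3 aliases; Explorer shows their long names instead."""
    return [c for c in path.split("\\") if SHORT_NAME_RE.match(c)]


def expand_short(path: str, table: Dict[str, str]) -> str:
    """Rewrite 8.3 aliases with a caller-supplied table; unknown aliases stay as-is."""
    return "\\".join(table.get(c, c) for c in path.split("\\"))


def summarize(hits: List[Hit]) -> Dict[str, dict]:
    """Per signature: hit count, distinct paths, shared root and filename spread."""
    by_sig: Dict[str, List[Hit]] = {}
    for h in hits:
        by_sig.setdefault(h.sig, []).append(h)
    return {
        sig: {
            "count": len(group),
            "distinct_paths": len({h.path for h in group}),
            "root": common_root([h.folder for h in group]),
            "filenames": Counter(h.filename for h in group),
        }
        for sig, group in by_sig.items()
    }


if __name__ == "__main__":
    for sig, s in summarize(parse_warnings(SAMPLE_WARNINGS)).items():
        print(f"{sig}: {s['count']} hits, {s['distinct_paths']} distinct paths, all under {s['root']}")
        print("  filenames:", dict(s["filenames"]))
        print("  8.3 aliases in root:", short_name_components(s["root"]))
        print("  long-name form (from table):", expand_short(s["root"], LONG_NAMES))
```

What the summary shows for this thread: five hits, five distinct paths, one filename, one shared root. Every detection is a fresh copy of turbo.exe under a new randomly named subfolder of ...\Temp\AAWTMP, which is why deleting any single copy, or the folder once, changes nothing; the question is which process keeps writing into that root. It also shows why the folder is hard to find by hand: the avast! log spells the path with 8.3 aliases, and Explorer will show it as C:\Documents and Settings\Chad Kugel\Local Settings\Temp\AAWTMP (assuming the constructed table above), and only while something has populated it.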


#14 RichieUK

  • Malware Response Team

Posted 31 May 2007 - 06:53 AM

Download the free 30 day trial of Kaspersky Anti-Virus 6.0:
http://usa.kaspersky.com/downloads/trial-versions.php
Do not install it just yet.

Click on Start/Control Panel/Add or Remove Programs and remove/uninstall Avast4,then restart your pc.

Now install Kaspersky Anti-Virus 6.0
Once installed update Kaspersky's virus definitions.
Disconnect from the internet and do a full system virus scan.
Post back when you've done that.
Let me know if Kaspersky detected and removed anything.

#15 Lady_Of_Chaos

  • Topic Starter

Posted 02 June 2007 - 11:53 PM

Scan
----
Scanned: 127899
Detected: 6
Untreated: 0
Start time: 6/2/2007 8:21:48 PM
Duration: 01:46:12
Finish time: 6/2/2007 10:08:00 PM


Detected
--------
Status Object
------ ------
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.jp File: C:\VundoFix Backups\cbxwwuu.dll.bad
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.fp File: C:\VundoFix Backups\geedd.dll.bad//PE_Patch.PECompact
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.jp File: C:\VundoFix Backups\nnnmlli.dll.bad
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.fp File: C:\VundoFix Backups\pmkjj.dll.bad//PE_Patch.PECompact
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.jp File: C:\VundoFix Backups\vtuuvtu.dll.bad
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.jp File: C:\VundoFix Backups\wvurrqn.dll.bad


Events
------
Time Name Status Reason
---- ---- ------ ------
6/2/2007 8:21:48 PM Logical disk sector: C ok scanned
6/2/2007 8:21:48 PM Physical disk sector: \Device\Harddisk0\DR0 ok scanned
6/2/2007 8:21:48 PM File: C:\-798956757 ok iSwift
6/2/2007 8:21:48 PM File: C:\AUTOEXEC.BAT ok iSwift
6/2/2007 8:21:48 PM File: C:\avenger.txt ok iSwift
6/2/2007 8:21:48 PM File: C:\boot.ini ok iSwift
6/2/2007 8:21:48 PM File: C:\ComboFix-quarantined-files.txt ok iSwift
6/2/2007 8:21:48 PM File: C:\ComboFix.txt ok iSwift
6/2/2007 8:21:48 PM File: C:\CONFIG.SYS ok iSwift
6/2/2007 8:21:48 PM File: C:\IO.SYS ok iSwift
6/2/2007 8:21:48 PM File: C:\MSDOS.SYS ok iSwift
6/2/2007 8:21:48 PM File: C:\NTDETECT.COM ok iSwift
6/2/2007 8:21:48 PM File: C:\ntldr ok iSwift
6/2/2007 8:21:48 PM File: C:\pagefile.sys skipped locked
6/2/2007 8:21:48 PM File: C:\VundoFix.txt ok iSwift
6/2/2007 8:21:48 PM File: C:\!KillBox\winsys32.dll ok iSwift
6/2/2007 8:21:48 PM File: C:\!KillBox\Logs\kb.log ok iSwift
6/2/2007 8:21:48 PM File: C:\Application Data\Microsoft\Internet Explorer\Quick Launch\MySpaceIM.lnk ok iSwift
6/2/2007 8:21:48 PM File: C:\avenger\backup.zip ok iSwift
6/2/2007 8:21:48 PM File: C:\Documents and Settings\Administrator\NTUSER.DAT ok iSwift
6/2/2007 8:21:48 PM File: C:\Documents and Settings\Administrator\NTUSER.DAT.LOG ok iSwift
6/2/2007 8:21:48 PM File: C:\Documents and Settings\Administrator\ntuser.ini ok iSwift
6/2/2007 8:21:48 PM File: C:\Documents and Settings\Administrator\Application Data\desktop.ini ok iSwift
6/2/2007 8:21:48 PM File: C:\Documents and Settings\Administrator\Application Data\Lavasoft\Ad-Aware\description.ini ok iSwift
6/2/2007 8:21:48 PM File: C:\Documents and Settings\Administrator\Application Data\Lavasoft\Ad-Aware\settings.awc ok iSwift
6/2/2007 8:21:48 PM File: C:\Documents and Settings\Administrator\Application Data\Lavasoft\Ad-Aware\stats.awd ok iSwift
6/2/2007 8:21:48 PM File: C:\Documents and Settings\Administrator\Application Data\Lavasoft\Ad-Aware\Quarantine\auto-quarantine- 2007-05-26 15-38-59.bckp ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Application Data\Microsoft\HTML Help\hh.dat ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\brndlog.bak ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\brndlog.txt ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\MySpaceIM.lnk ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Cookies\index.dat ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Desktop\avg report.txt ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Local Settings\desktop.ini ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Local Settings\Application Data\IconCache.db ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_59R.wmdb ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.DTD ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Media\9.0\WMSDKNS.XML ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Local Settings\History\desktop.ini ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\desktop.ini ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012007052820070529\index.dat ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012007053120070601\index.dat ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\desktop.ini ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\4163WLUN\desktop.ini ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\5MH3EAM9\desktop.ini ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8D4MFD8K\desktop.ini ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8XMVGD6Z\desktop.ini ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Recent\avg report.lnk ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Recent\Desktop.ini ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\SendTo\Compressed (zipped) Folder.ZFSendToTarget ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\SendTo\Desktop (create shortcut).DeskLink ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\SendTo\desktop.ini ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\SendTo\Mail Recipient.MAPIMail ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Start Menu\desktop.ini ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Start Menu\Programs\desktop.ini ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Start Menu\Programs\Remote Assistance.lnk ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Start Menu\Programs\Windows Media Player.lnk ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Command Prompt.lnk ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\desktop.ini ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Notepad.lnk ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Program Compatibility Wizard.lnk ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Synchronize.lnk ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Tour Windows XP.lnk ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Windows Explorer.lnk ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\desktop.ini ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\Magnifier.lnk ok iSwift
6/2/2007 8:21:49 PM File: C:\Documents and Settings\Administrator\Start Menu\Programs\Accessories\Accessibility\Narrator.lnk ok iSwift


Statistics
----------
Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted
------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------


Settings
--------
Parameter Value
--------- -----
Security Level Recommended
Action Prompt for action when the scan is complete
Run mode Manually
File types Scan all files
Scan only new and changed files No
Scan archives All
Scan embedded OLE objects All
Skip if object is larger than No
Skip if scan takes longer than No
Parse email formats No
Scan password-protected archives No
Enable iChecker technology Yes
Enable iSwift technology Yes
Show detected threats on "Detected" tab Yes



Deleted what it asked me to delete, uninstalled Kaspersky, reinstalled Avast and rebooted; my system crashed, rebooted and froze (twice). On the 3rd boot-up everything seemed to be OK but Avast had uninstalled itself. Redownloaded Avast, installed it, and everything seems to be good now: no virus warning, no more crashes, but it is constantly freezing.

Edited by Lady_Of_Chaos, 03 June 2007 - 12:05 AM.