Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Win32.SillyDL.AGC [RESOLVED]

Started by Robnobs , Sep 21 2006 02:26 PM

This topic is locked

#1
Robnobs

Posted 21 September 2006 - 02:26 PM

New Member

Member
8 posts

Logfile of HijackThis v1.99.1
Scan saved at 12:14:54 PM, on 9/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
J:\WINDOWS\System32\smss.exe
J:\WINDOWS\system32\winlogon.exe
J:\WINDOWS\system32\services.exe
J:\WINDOWS\system32\lsass.exe
J:\WINDOWS\system32\svchost.exe
J:\WINDOWS\System32\svchost.exe
J:\WINDOWS\system32\ZoneLabs\vsmon.exe
J:\WINDOWS\system32\LEXBCES.EXE
J:\WINDOWS\system32\spoolsv.exe
J:\WINDOWS\system32\LEXPPS.EXE
J:\WINDOWS\Explorer.EXE
J:\WINDOWS\System32\nvsvc32.exe
J:\WINDOWS\System32\svchost.exe
J:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
J:\WINDOWS\system32\ZoneLabs\isafe.exe
J:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
J:\Documents and Settings\Dad\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cyberallies.com/
O2 - BHO: (no name) - {278B661A-14A8-D8B0-6AF4-03088B866149} - J:\WINDOWS\system32\unaoakg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - J:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O3 - Toolbar: (no name) - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)
O4 - HKLM\..\Run: [Zone Labs Client] "J:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE J:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "J:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - J:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - J:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - J:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - J:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1156579067611
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1156580002795
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - J:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - J:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - J:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winuqw32 - J:\WINDOWS\SYSTEM32\winuqw32.dll
O23 - Service: Adobe LM Service - Unknown owner - J:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - J:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - J:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - J:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - J:\WINDOWS\system32\ZoneLabs\vsmon.exe

Not sure if I got rid of this thing just running a spybot scan or not...don't think so by reading other posts about it.Any help greatly appreciated.

#2
Trevuren

Posted 21 September 2006 - 02:49 PM

Old Dog

Retired Staff
18,699 posts

Hi Robnobs and welcome to the Geeks to Go Forums.

My name is Trevuren and I will be helping you with your log.

A. Please download the Killbox by Option^Explicit.

Note:In the event you already have Killbox, this is a new version that I need you to download.

Save it to your desktop.

B. Please RUN HijackThis.

. Click the SCAN button to produce a log.
Place a check mark beside the following item:

O2 - BHO: (no name) - {278B661A-14A8-D8B0-6AF4-03088B866149} - J:\WINDOWS\system32\unaoakg.dll
O3 - Toolbar: (no name) - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)
O20 - Winlogon Notify: winuqw32 - J:\WINDOWS\SYSTEM32\winuqw32.dll
Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.

C. Please double-click Killbox.exe to run it.

Select
- "Delete on Reboot
- Then click on the "All Files" button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C

J:\WINDOWS\system32\unaoakg.dll
J:\WINDOWS\SYSTEM32\winuqw32.dll
Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

D. Please run HJT again, click Scan, produce a log and post it in your reply.

E.
First download Ewido anti-spyware from HERE and save that file to your desktop.
This is a 30 day trial of the program

Once you have downloaded Ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
Once the setup is complete, run Ewido and update the definition files.
On the main screen select the icon "Update" then select the "Update now" link.
- Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
- Select "Automatically generate report after every scan"
- Un-Select "Only if threats were found"

Close Ewido anti-spyware, Do Not run a scan just yet, we will shortly.

Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning proccess:
Lauch ewido-anti-spyware by double-clicking the icon on your desktop.
Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
ewido will now begin the scanning process, be patient this may take a little time.
Once the scan is complete do the following:
If you have any infections you will prompted, then select "Apply all actions"
Next select the "Reports" icon at the top.
Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
Close Ewido and reboot your system back into Normal Mode and post the results of the ewido report scan. .

Regards,

Trevuren

#3
Robnobs

Posted 21 September 2006 - 04:46 PM

New Member

Topic Starter
Member
8 posts

Logfile of HijackThis v1.99.1
Scan saved at 3:44:52 PM, on 9/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
J:\WINDOWS\System32\smss.exe
J:\WINDOWS\system32\winlogon.exe
J:\WINDOWS\system32\services.exe
J:\WINDOWS\system32\lsass.exe
J:\WINDOWS\system32\svchost.exe
J:\WINDOWS\System32\svchost.exe
J:\WINDOWS\system32\ZoneLabs\vsmon.exe
J:\WINDOWS\system32\LEXBCES.EXE
J:\WINDOWS\system32\spoolsv.exe
J:\WINDOWS\system32\LEXPPS.EXE
J:\WINDOWS\Explorer.EXE
J:\Program Files\ewido anti-spyware 4.0\guard.exe
J:\WINDOWS\System32\nvsvc32.exe
J:\WINDOWS\System32\svchost.exe
J:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
J:\Program Files\ewido anti-spyware 4.0\ewido.exe
J:\WINDOWS\system32\ZoneLabs\isafe.exe
J:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
J:\Documents and Settings\Dad\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cyberallies.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - J:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - J:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Zone Labs Client] "J:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE J:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "J:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "J:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - J:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - J:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - J:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - J:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1156579067611
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1156580002795
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - J:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - J:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - J:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winuqw32 - winuqw32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - J:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - J:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - J:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - J:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - J:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - J:\WINDOWS\system32\ZoneLabs\vsmon.exe

Let's hope for the best here. :whistling:

#4
Trevuren

Posted 21 September 2006 - 05:22 PM

Old Dog

Retired Staff
18,699 posts

A. You need to update the version of Java that is currently on your system

Download the latest version of Java Runtime Environment (JRE) 5.0 Update 8 from HERE
- Scroll down to where it says "Windows Offline Installation"
- Click the "Download" button to the right.
Once the program has finished downloading:
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
- Check any item with Java Runtime Environment (JRE or J2SE) in the name.
- Click the Remove or Change/Remove button.
- Repeat as many times as necessary to remove each Java versions.
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on jre-1_5_0_06-windowsi586-p.exe to install the newest version.
Go back into the Control Panel and double-click the Java Icon.
- Under Temporary Internet Files, click the Delete Files button.
- There are three options in the window to clear the cache - Leave ALL 3 CheckedDownloaded Applets
  Downloaded Applications
  Other Files
Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Java Control Panel.

B. Please disable Ewido Anti-Spyware by opening the program and on the Status page - beside "Resident Shield" click on "change status" so that it says "inactive" for it may interfere with our HJT fix.

Remember to reactivate this feature when all our work is finished.

Please RUN HijackThis

Click the SCAN button to produce a log.
Place a check mark beside each one of the following items:

O20 - Winlogon Notify: winuqw32 - winuqw32.dll (file missing)
Now with all the items selected, and all windows closed except for HJT, delete them by clicking the FIX checked button. Close the HijackThis window.
Reboot Your System
Now, RUN Hijackthis again and produce a new HJT log. Post it in this thread so we can check how everything looks now. In addition, please tell me if there are any more malware problems that you are aware of.

C. Finally, please do an online scan with Kaspersky Online Virus Scanner (Use Internet Explorer as your Browser)

Note: If you have used this particular scanner before, you MAY HAVE YO UNINSTALL the program through Add/Remove Programs before downloading the new ActiveX component

Next Click on Free Virus Scanner, then Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
Standard
- Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information into your next post along with your new HJT log requested above.

Regards

Trevuren

#5
Robnobs

Posted 21 September 2006 - 06:09 PM

New Member

Topic Starter
Member
8 posts

Logfile of HijackThis v1.99.1
Scan saved at 5:03:15 PM, on 9/21/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
J:\WINDOWS\System32\smss.exe
J:\WINDOWS\system32\winlogon.exe
J:\WINDOWS\system32\services.exe
J:\WINDOWS\system32\lsass.exe
J:\WINDOWS\system32\svchost.exe
J:\WINDOWS\System32\svchost.exe
J:\WINDOWS\system32\ZoneLabs\vsmon.exe
J:\WINDOWS\Explorer.EXE
J:\WINDOWS\system32\LEXBCES.EXE
J:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
J:\Program Files\ewido anti-spyware 4.0\ewido.exe
J:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
J:\WINDOWS\system32\spoolsv.exe
J:\WINDOWS\system32\LEXPPS.EXE
J:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
J:\Program Files\ewido anti-spyware 4.0\guard.exe
J:\WINDOWS\System32\nvsvc32.exe
J:\WINDOWS\System32\svchost.exe
J:\WINDOWS\system32\ZoneLabs\isafe.exe
J:\WINDOWS\system32\wuauclt.exe
J:\Documents and Settings\Dad\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cyberallies.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - J:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - J:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O4 - HKLM\..\Run: [Zone Labs Client] "J:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE J:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "J:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [!ewido] "J:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "J:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - J:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - J:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - J:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - J:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1156579067611
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1156580002795
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - J:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - J:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - J:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - J:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - J:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - J:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - J:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - J:\WINDOWS\System32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - J:\WINDOWS\system32\ZoneLabs\vsmon.exe

This is a brand new computer with a fresh hard drive that I installed, it is like 3 weeks old now.First thing I did was install Zonealarm Virus/Firewall and while re-instaling programs I hit a questionable site and ignored the warnings from Zone Alarm and this is how I know I got this program...this version of Zone Alarm gives me so manay alerts I inadvertently did not pay close enough attention to the warning It was giving me about this particular web site...and Viola...I ended up with this annoying thing..I appreciate your help so much I did not want to have to format if I did not have to.Need I still goto the online web site or just run a deep scan on my own Zonealarm Virus scan?

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:30:47 PM 9/21/2006

+ Scan result:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winuqw32 -> Adware.Generic : Cleaned with backup (quarantined).

::Report end

Edited by Robnobs, 21 September 2006 - 06:13 PM.

#6
Trevuren

Posted 21 September 2006 - 07:18 PM

Old Dog

Retired Staff
18,699 posts

Please scan as requested.

Trevuren

#7
Robnobs

Posted 21 September 2006 - 08:47 PM

New Member

Topic Starter
Member
8 posts

KASPERSKY ONLINE SCANNER REPORT
Thursday, September 21, 2006 7:40:32 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 22/09/2006
Kaspersky Anti-Virus database records: 212304

Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
L:\
Z:\

Scan Statistics
Total number of scanned objects 156024
Number of viruses found 2
Number of infected objects 3 / 0
Number of suspicious objects 0
Duration of the scan process 01:05:00

Infected Object Name Virus Name Last Action
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{B2BB3C49-E636-4C82-8204-B6F818B9448A}\RP105\change.log Object is locked skipped

I:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

I:\System Volume Information\_restore{B2BB3C49-E636-4C82-8204-B6F818B9448A}\RP105\change.log Object is locked skipped

J:\!KillBox\winuqw32.dll Infected: Packed.Win32.Klone.g skipped

J:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

J:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

J:\Documents and Settings\Dad\Cookies\index.dat Object is locked skipped

J:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

J:\Documents and Settings\Dad\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

J:\Documents and Settings\Dad\Local Settings\History\History.IE5\index.dat Object is locked skipped

J:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

J:\Documents and Settings\Dad\Local Settings\Temporary Internet Files\Content.IE5\SD034VWF\desertcombat0[1].7fullinstall.exe Object is locked skipped

J:\Documents and Settings\Dad\ntuser.dat Object is locked skipped

J:\Documents and Settings\Dad\ntuser.dat.LOG Object is locked skipped

J:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

J:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

J:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

J:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

J:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

J:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

J:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

J:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

J:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

J:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

J:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

J:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

J:\System Volume Information\_restore{B2BB3C49-E636-4C82-8204-B6F818B9448A}\RP105\change.log Object is locked skipped

J:\System Volume Information\_restore{B2BB3C49-E636-4C82-8204-B6F818B9448A}\RP99\A0031629.dll Infected: Packed.Win32.Klone.g skipped

J:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

J:\WINDOWS\SchedLgU.Txt Object is locked skipped

J:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

J:\WINDOWS\Sti_Trace.log Object is locked skipped

J:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

J:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

J:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

J:\WINDOWS\system32\config\default Object is locked skipped

J:\WINDOWS\system32\config\default.LOG Object is locked skipped

J:\WINDOWS\system32\config\SAM Object is locked skipped

J:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

J:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

J:\WINDOWS\system32\config\SECURITY Object is locked skipped

J:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

J:\WINDOWS\system32\config\software Object is locked skipped

J:\WINDOWS\system32\config\software.LOG Object is locked skipped

J:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

J:\WINDOWS\system32\config\system Object is locked skipped

J:\WINDOWS\system32\config\system.LOG Object is locked skipped

J:\WINDOWS\system32\h323log.txt Object is locked skipped

J:\WINDOWS\system32\ismini.exe Infected: Trojan-Downloader.Win32.Zlob.uf skipped

J:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

J:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

J:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

J:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

J:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

J:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

J:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

J:\WINDOWS\wiadebug.log Object is locked skipped

J:\WINDOWS\wiaservc.log Object is locked skipped

J:\WINDOWS\WindowsUpdate.log Object is locked skipped

L:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

L:\System Volume Information\_restore{B2BB3C49-E636-4C82-8204-B6F818B9448A}\RP105\change.log Object is locked skipped

Scan process completed.

#8
Trevuren

Posted 21 September 2006 - 09:17 PM

Old Dog

Retired Staff
18,699 posts

Please go into Safe Mode and DELETE the following files:

J:\!KillBox\winuqw32.dll
J:\WINDOWS\system32\ismini.exe

Restart your system and please tell me if there are any more malware related problems that you are aware of.

Trevuren

#9
Robnobs

Posted 21 September 2006 - 09:20 PM

New Member

Topic Starter
Member
8 posts

This is all...but go into safe mode and delete them from Dos? or go into the folder itself when it boots up in safe mode?

#10
Robnobs

Posted 21 September 2006 - 09:30 PM

New Member

Topic Starter
Member
8 posts

OK Deleted.... :whistling:

"Deleted in Safe Mode"

Edited by Robnobs, 21 September 2006 - 09:32 PM.

#11
Trevuren

Posted 21 September 2006 - 09:35 PM

Old Dog

Retired Staff
18,699 posts

please tell me if there are any more malware related problems that you are aware of.

If there aren't any, we can start the final cleanup procedures.

Trevuren

#12
Robnobs

Posted 21 September 2006 - 09:35 PM

New Member

Topic Starter
Member
8 posts

THat was it

#13
Trevuren

Posted 21 September 2006 - 09:40 PM

Old Dog

Retired Staff
18,699 posts

Congratulations, your log shows that your SYSTEM IS CLEAN

There are a few things you must do once you are completely clean:

1. Please DELETE Malicious Items from the Ewido v4 Quarantine

A. Open Ewido by double clicking its icon located in the System Tray down by the clock.

B. Click on "Infections" on the Ewido Toolbar, then select the "Quarantine Tab"

C. Choose "Select All" at the bottom of the Ewido window, then click on the "Remove Finally" button and EXIT the program.

2. Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 onlyDouble-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

3. Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes as no program is able to clean those files:

TO DISABLE SYSTEM RESTORE

Right-click "My Computer", and then left click "Properties".
Left click on "System Restore Tab"
Check box beside "Turn Off System Restore"
Left click on "Apply"

Reboot your System

TO ENABLE SYSTEM RESTORE

Remove check mark from "Turn Off System Restore"
Click on "Apply"

Here are some tips to reduce the potential for spyware infection in the future:

Make sure you keep your Windows OS current by visiting Windows update
regularly to download and install any critical updates and service packs. With out these you are leaving the backdoor open.

I strongly recommend installing the following applications:

Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
How to use Ad-Aware to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Ad-Aware.
How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.

To protect yourself further:

Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
Google Toolbar <= Get the free google toolbar to help stop pop up windows.

And also see TonyKlein's good advice
So how did I get infected in the first place? (My Favorite)

Regards,

Trevuren

#14
Robnobs

Posted 21 September 2006 - 10:03 PM

New Member

Topic Starter
Member
8 posts

Thank you very very much for your help today.I will run a few more complete scans this evening to verify all is well and post them if i have a question, otherwise I will post once more to acknowledge our success.Thank you so much once again and I see the link to donate to you guys and I will after I am done as this is really the best way to show appreciation I know.