
HJT log


This topic is locked

#1 raucher1989

Member, 35 posts
I need some help with my computer. I've run many scans, but I keep having the same problems. The scans always find the same viruses, spyware, and malware, as if they aren't deleted or just come back. The computer freezes up frequently, I get a lot of pop-ups, and the task manager and registry editor have been disabled by the "administrator"--really by a virus. Also, explorer doesn't load when I boot my computer into safe mode; when I type it in via the task manager, it comes up quickly and then goes away within seconds. I need to know what to delete on my HJT log and what other scans to run.
Thanks for the help
Chad

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 12:17:56 PM, on 10/19/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\spoolsrvc.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\spoolsrvc.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [ms05960871-1127] C:\WINDOWS\ms05960871-1127.exe
O4 - HKLM\..\Run: [Ms Update WinServices NT/XP] winservnt32.exe
O4 - HKLM\..\Run: [Ms Java for Windows NT] MS32.exe
O4 - HKLM\..\Run: [es Java Update For Windows NT/XP] esijavaupdt32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTFM0N] C:\WINDOWS\System32\spoolsrvc.exe
O4 - HKLM\..\RunServices: [Windows Kernel System Service] wkssvr.exe
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Ms Update WinServices NT/XP] winservnt32.exe
O4 - HKCU\..\Run: [Ms Java for Windows NT] MS32.exe
O4 - HKCU\..\Run: [es Java Update For Windows NT/XP] esijavaupdt32.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\RunServices: [Asus MotherBoard Utility] asus.exe
O4 - HKCU\..\RunServices: [Windows Kernel System Service] wkssvr.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{382F7B25-A939-4A93-B840-164DCDE901D1}: NameServer = 71.242.0.12 68.237.161.12
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINDOWS\system\dllhost.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Microsoft information dll service (msidll) - Unknown owner - C:\WINDOWS\system\msidll.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Microsoft Windows Internet Connections Manager (net32b) - Unknown owner - C:\WINDOWS\System32\net32b.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Microsoft sdk core (sdk) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows Register Control - Unknown owner - C:\WINDOWS\register.exe (file missing)
O23 - Service: Winlogin messenger - Unknown owner - C:\WINDOWS\system\winlogin.exe (file missing)
  • 0



#2 Armodeluxe

Member 2k, Retired Staff, 2,744 posts
Please download the Suspicious file Packer from Safer-Networking.Org and unzip it to your desktop. Don't use it yet.

Please save these instructions in Notepad as a text file, because you will be doing some copy/paste in safe mode.

Update Ewido
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close Ewido. Do not run a scan just yet; we will shortly.

Open HijackThis and click Scan. Put a check next to these:

R3 - Default URLSearchHook is missing
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\spoolsrvc.exe
O4 - HKLM\..\Run: [ms05960871-1127] C:\WINDOWS\ms05960871-1127.exe
O4 - HKLM\..\Run: [Ms Update WinServices NT/XP] winservnt32.exe
O4 - HKLM\..\Run: [Ms Java for Windows NT] MS32.exe
O4 - HKLM\..\Run: [es Java Update For Windows NT/XP] esijavaupdt32.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [CTFM0N] C:\WINDOWS\System32\spoolsrvc.exe
O4 - HKLM\..\RunServices: [Windows Kernel System Service] wkssvr.exe
O4 - HKCU\..\Run: [Ms Update WinServices NT/XP] winservnt32.exe
O4 - HKCU\..\Run: [Ms Java for Windows NT] MS32.exe
O4 - HKCU\..\Run: [es Java Update For Windows NT/XP] esijavaupdt32.exe
O4 - HKCU\..\RunServices: [Asus MotherBoard Utility] asus.exe
O4 - HKCU\..\RunServices: [Windows Kernel System Service] wkssvr.exe
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINDOWS\system\dllhost.exe (file missing)
O23 - Service: Microsoft information dll service (msidll) - Unknown owner - C:\WINDOWS\system\msidll.exe (file missing)
O23 - Service: Microsoft Windows Internet Connections Manager (net32b) - Unknown owner - C:\WINDOWS\System32\net32b.exe (file missing)
O23 - Service: Microsoft sdk core (sdk) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Windows Register Control - Unknown owner - C:\WINDOWS\register.exe (file missing)
O23 - Service: Winlogin messenger - Unknown owner - C:\WINDOWS\system\winlogin.exe (file missing)



Close all other windows except HijackThis and click Fix Checked.


Reboot your computer into SafeMode. You can do this by restarting your computer and tapping the F8 key just before Windows starts to load, until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.

Run SFP.exe.

Please copy the following lines into the Step 1: Paste Text window:

C:\WINDOWS\System32\spoolsrvc.exe

then click "Continue".

This will create a .cab file on your desktop named requested-files[Date/Time].cab.

IMPORTANT: Do not open any other windows or programs while Ewido is scanning; it may interfere with the scanning process:
  • Launch Ewido by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • Ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close Ewido and reboot your system back into Normal Mode and post the results of the Ewido report scan and a new HijackThis log.
Also please go here and upload the requested-files[Date/Time].cab file.

The Spy Killer Forum
  • Click on "New Topic"
  • Put your name, e-mail address, and this as the title: "put file path here"
  • Put a link to this Geeks to Go topic in the description box.
  • Then next to the file box, at the bottom, click the browse button, then navigate to this file:
    • requested-files[Date/Time].cab on your desktop
  • Click Open.
  • Click Post.
Thank you!
  • 0
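The kinds of entries the helper picks out in the post above (the F2 Shell= line carrying a second executable, O4 Run entries that give only a bare file name or imitate a Windows component such as CTFMON, the O7 policy that disables Regedit, and O23 services with an unknown owner and a missing binary) can be screened mechanically. The following is an added example, not code from the forum, from HijackThis, or from either poster: a small Python triage script that parses HijackThis v1.99 log lines and applies those heuristics, and additionally cross-references executables that are launched from more than one autostart point. The allowlist of known Run-entry names is a constructed assumption; the sample lines are copied from the log posted in this thread.

```python
"""Triage helper for HijackThis v1.99-style log lines.

Added example for the thread above; not code from HijackThis or from the
forum.  The allowlist KNOWN_RUN_NAMES is a constructed assumption, and the
SAMPLE_LOG lines are copied from the log posted in the thread."""

import re
from dataclasses import dataclass

# Constructed sample: lines from the posted log, plus one benign O4 line for contrast.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\System32\spoolsrvc.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [Ms Update WinServices NT/XP] winservnt32.exe
O4 - HKLM\..\Run: [CTFM0N] C:\WINDOWS\System32\spoolsrvc.exe
O4 - HKLM\..\RunServices: [Windows Kernel System Service] wkssvr.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Microsoft sdk core (sdk) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
F2_RE = re.compile(r"Shell=(?P<value>.+)$")
O4_RE = re.compile(r"^(?P<loc>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O7_RE = re.compile(r", (?P<policy>\w+)=(?P<value>\S+)$")
O23_RE = re.compile(r"^Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")

# Constructed allowlist of legitimate Run-entry names used for the lookalike check.
KNOWN_RUN_NAMES = {"CTFMON", "IGFXTRAY", "HOTKEYSCMDS"}
# Digits commonly swapped for letters in lookalike names (0 for O, 1 for I, 5 for S).
HOMOGLYPHS = str.maketrans({"0": "O", "1": "I", "5": "S"})
LOCKOUT_POLICIES = {"DisableRegedit", "DisableTaskMgr"}


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def command_target(cmd: str) -> str:
    """Executable portion of a Run command: strip quotes and trailing arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split()[0]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> list[Finding]:
    findings: list[Finding] = []
    referenced: dict[str, set[str]] = {}  # exe basename -> sections that launch it

    def note(exe: str, sec: str) -> None:
        referenced.setdefault(exe, set()).add(sec)

    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m["sec"], m["body"]

        if sec == "F2":
            fm = F2_RE.search(body)
            if fm:
                parts = fm["value"].split()
                # On XP the shell value should be Explorer.exe by itself; anything
                # appended is started together with the shell at every logon.
                if [p.lower() for p in parts] != ["explorer.exe"]:
                    findings.append(Finding(sec, "Shell= launches more than Explorer.exe", line))
                    for extra in parts[1:]:
                        note(basename(extra), sec)

        elif sec == "O4":
            om = O4_RE.match(body)
            if not om:
                continue  # Startup-folder .lnk entries use a different layout
            name, target = om["name"], command_target(om["cmd"])
            note(basename(target), sec)
            if "\\" not in target:
                findings.append(Finding(sec, "Run entry gives a bare file name, no full path", line))
            normalized = name.upper().translate(HOMOGLYPHS)
            if normalized in KNOWN_RUN_NAMES and name.upper() not in KNOWN_RUN_NAMES:
                findings.append(Finding(sec, f"entry name looks like '{normalized}' but is spelled differently", line))

        elif sec == "O7":
            pm = O7_RE.search(body)
            if pm and pm["policy"] in LOCKOUT_POLICIES and pm["value"] == "1":
                findings.append(Finding(sec, f"{pm['policy']} policy set; admin tool disabled", line))

        elif sec == "O23":
            sm = O23_RE.match(body)
            if sm and sm["owner"] == "Unknown owner" and sm["path"].endswith("(file missing)"):
                findings.append(Finding(sec, "service with unknown owner and missing binary", line))

    # An executable hooked from several autostart points is worth a second look.
    for exe, secs in referenced.items():
        if len(secs) > 1:
            findings.append(Finding("*", f"{exe} is launched from several autostart points: {', '.join(sorted(secs))}", ""))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}".rstrip())
```

Run against the sample, the script reports the shell hijack, the two bare-name Run entries, the CTFM0N lookalike, the Regedit lockout, the unowned missing-file service, and the fact that spoolsrvc.exe is reached from both the F2 and O4 locations. The Symantec service and the IgfxTray entry pass clean, which is the point of keeping the heuristics narrow: a triage list is only useful if a human still has to look at few enough entries to actually check each one.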

#3 raucher1989

Topic Starter, Member, 35 posts
Ewido Log

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:43:11 PM 10/24/2006

+ Scan result:



C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0106532.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0106533.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0106534.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0106535.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0106536.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0106537.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0106538.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0106539.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0106540.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0106541.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0106542.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0106543.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0106544.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0106545.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0106546.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0106547.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0106548.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0106549.dll -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP16\A0141739.dll -> Adware.Searchcolours : Cleaned with backup (quarantined).
C:\Program Files\Deskbar -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Deskbar\about.html -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Deskbar\basis.xml -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Deskbar\deskbar.crc -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Deskbar\deskbar.inf -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Deskbar\icons.bmp -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Deskbar\inst.bat -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Deskbar\mbback.bmp -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Deskbar\mbbigopen.bmp -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Deskbar\mbclose.bmp -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Deskbar\mbfwd.bmp -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Deskbar\mblogo.bmp -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Deskbar\mbsep.bmp -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Deskbar\options.html -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Deskbar\softomate.gif -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Deskbar\version.txt -> Adware.Softomate : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DBTB00001.DBTB00001Deskbar -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP15\A0140712.exe -> Backdoor.IRCBot.st : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP15\A0141707.exe -> Backdoor.IRCBot.st : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP16\A0141732.exe -> Backdoor.IRCBot.st : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP17\A0145751.exe -> Backdoor.IRCBot.st : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP17\A0146757.exe -> Backdoor.IRCBot.st : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP17\A0147783.exe -> Backdoor.IRCBot.st : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP17\A0147784.exe -> Backdoor.IRCBot.st : Cleaned with backup (quarantined).
C:\WINDOWS\system32\.exe -> Backdoor.IRCBot.st : Cleaned with backup (quarantined).
C:\WINDOWS\system32\__delete_on_reboot__n_e_t_3_2_b_._e_x_e_ -> Backdoor.IRCBot.st : Cleaned with backup (quarantined).
C:\WINDOWS\system32\net32b.exe -> Backdoor.IRCBot.st : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0106530.exe -> Backdoor.Rbot.biu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP3\A0008112.exe -> Backdoor.Rbot.biu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP4\A0014141.exe -> Backdoor.Rbot.biu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP7\A0037299.exe -> Backdoor.Rbot.biu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP8\A0040306.exe -> Backdoor.Rbot.biu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP8\A0043324.exe -> Backdoor.Rbot.biu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP8\A0045335.exe -> Backdoor.Rbot.biu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP36\A0250068.exe -> Backdoor.Rbot.bkj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\iexplorere.exe -> Backdoor.Rbot.bkj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP10\A0056439.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP10\A0057437.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP10\A0058437.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP10\A0058465.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP10\A0059467.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP10\A0060462.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP10\A0061462.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP10\A0063462.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP10\A0064462.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP10\A0065469.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP10\A0066462.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP10\A0067466.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP10\A0069462.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP10\A0069479.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP10\A0070479.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP10\A0072475.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP11\A0075475.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP11\A0084476.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP11\A0085478.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP11\A0086484.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP11\A0088483.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP11\A0089486.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP11\A0090483.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP11\A0090490.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP11\A0092494.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0106521.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0106522.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0106523.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0106524.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP15\A0140711.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP20\A0158869.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP21\A0167207.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP25\A0187356.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP8\A0045334.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP8\A0045345.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP8\A0045353.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP9\A0046355.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP9\A0046364.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP9\A0047375.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP9\A0048373.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\WINDOWS\system\msidll.exe -> Backdoor.SdBot.awj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP21\A0166358.exe -> Backdoor.SdBot.aya : Cleaned with backup (quarantined).
C:\WINDOWS\lsass.exe_tobedeleted -> Backdoor.SdBot.aya : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP36\A0250067.exe -> Backdoor.SdBot.xd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP36\A0250090.exe -> Backdoor.SdBot.xd : Cleaned with backup (quarantined).
C:\WINDOWS\system32\x.exe -> Backdoor.SdBot.xd : Cleaned with backup (quarantined).
C:\WINDOWS\system\dllhost.exe -> Backdoor.SdBot.xd : Cleaned with backup (quarantined).
C:\WINDOWS\system\winlogon.exe -> Backdoor.SdBot.xd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0106519.exe -> Downloader.Adload.ep : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0106520.exe -> Downloader.Adload.ep : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0098494.exe -> Downloader.Agent.awg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0100494.exe -> Downloader.Agent.awg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0104507.exe -> Downloader.Agent.awg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP16\A0141724.dll -> Downloader.Agent.awg : Cleaned with backup (quarantined).
[776] VM_007D0000 -> Downloader.Agent.uj : Error during cleaning.
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0106529.exe -> Downloader.Dyfuca.ey : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\cvvrc.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0106513.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0106514.dll -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0106552.dll -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0106561.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP13\A0107552.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP13\A0107553.dll -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP13\A0113619.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP15\A0140709.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP16\A0141731.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP17\A0147782.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP20\A0159968.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP25\A0187355.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP30\A0219442.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP31\A0231583.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP31\A0231585.dll -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP31\A0231586.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\__delete_on_reboot__j_o_j_q_u_n_._e_x_e_ -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\jojqun.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\pmyth.dat -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP30\A0221479.vbs -> Downloader.Small.az : Cleaned with backup (quarantined).
C:\Program Files\Common Files\uqrk\uqrkd\vocabulary -> Downloader.TSUpdate.j : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP3\A0008129.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP4\A0016153.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP10\A0059468.exe -> Not-A-Virus.SpamTool.Win32.Agent.i : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP12\A0106550.exe -> Not-A-Virus.SpamTool.Win32.Agent.i : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP4\A0016136.sys -> Rootkit.Agent.l : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP4\A0016152.sys -> Rootkit.Agent.l : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP5\A0027231.sys -> Rootkit.Agent.l : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP9\A0048377.sys -> Rootkit.Agent.l : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP33\A0240760.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP36\A0250089.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
C:\WINDOWS\system32\dmbrl.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).


::Report end


HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 5:50:03 PM, on 10/24/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Ms Update WinServices NT/XP] winservnt32.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{291772FA-81F2-468B-A9A7-DA2EAD895494}: NameServer = 85.255.114.36,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{382F7B25-A939-4A93-B840-164DCDE901D1}: NameServer = 85.255.114.36 85.255.112.23
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.36 85.255.112.23
O17 - HKLM\System\CS1\Services\Tcpip\..\{291772FA-81F2-468B-A9A7-DA2EAD895494}: NameServer = 85.255.114.36,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.36 85.255.112.23
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: COM+ System Service (DLLHOST) - Unknown owner - C:\WINDOWS\system\dllhost.exe (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Microsoft information dll service (msidll) - Unknown owner - C:\WINDOWS\system\msidll.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Microsoft Windows Internet Connections Manager (net32b) - Unknown owner - C:\WINDOWS\System32\net32b.exe (file missing)
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Microsoft sdk core (sdk) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Windows NT Logon Application (WINLOGON) - Unknown owner - C:\WINDOWS\system\winlogon.exe (file missing)


Thanks a lot
#4
raucher1989

    Member

  • Topic Starter
  • Member
  • 35 posts
I put my name in as Chad, not raucher1989, on Spykiller

Thanks
#5
Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Ok, good. Now let's proceed with cleaning the IRCBot infections, but after that there are still quite a few other infections we have to clean.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
  • Finally, copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log.

#6
raucher1989

    Member

  • Topic Starter
  • Member
  • 35 posts
SDFix Log


SDFix: Version 1.32
-------------------

Scan run on:
Wed 10/25/2006

Time:
02:47 PM


Microsoft Windows XP [Version 5.1.2600]

Running from: C:\Documents and Settings\Owner\Desktop\SDFix

Stage One...

Checking Services...

Name:
-----

DLLHOST
msidll
net32b
sdk
Windows Register Control
Winlogin messenger
WINLOGON

Path:
----

"C:\WINDOWS\system\dllhost.exe"
"C:\WINDOWS\system\msidll.exe"
C:\WINDOWS\System32\net32b.exe
"C:\WINDOWS\lsass.exe"
"C:\WINDOWS\register.exe"
"C:\WINDOWS\system\winlogin.exe"
"C:\WINDOWS\system\winlogon.exe"


DLLHOST Deleted...
msidll Deleted...
net32b Deleted...
sdk Deleted...
Windows Register Control Deleted...
Winlogin messenger Deleted...
WINLOGON Deleted...

Repairing Registry...




Restoring Default Hosts File...

Stage One Complete

Rebooting...

Stage Two...

Checking For Malware:
--------------------

C:\WINDOWS\system32\77541_netapi.exe
C:\WINDOWS\system32\85434_netapi.exe
C:\WINDOWS\system32\i
C:\WINDOWS\system32\spoolsrvc.exe

Backing Up and Removing any Files Found...

Final Check:

Services:
---------




Files:
------



Any files removed are saved to the SDFix\backups Folder

FINISHED

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 2:57:53 PM, on 10/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{291772FA-81F2-468B-A9A7-DA2EAD895494}: NameServer = 85.255.114.36,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{382F7B25-A939-4A93-B840-164DCDE901D1}: NameServer = 85.255.114.36 85.255.112.23
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.36 85.255.112.23
O17 - HKLM\System\CS1\Services\Tcpip\..\{291772FA-81F2-468B-A9A7-DA2EAD895494}: NameServer = 85.255.114.36,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.36 85.255.112.23
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Thank you
#7
Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Nice job. :whistling:

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://www.bleepingc.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads a text file will open (report.txt), you can close it - the file has already been saved.

Run HijackThis. Click "Do a System Scan Only", and place a check next to the following items (if found):

O17 - HKLM\System\CCS\Services\Tcpip\..\{291772FA-81F2-468B-A9A7-DA2EAD895494}: NameServer = 85.255.114.36,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{382F7B25-A939-4A93-B840-164DCDE901D1}: NameServer = 85.255.114.36 85.255.112.23
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.114.36 85.255.112.23
O17 - HKLM\System\CS1\Services\Tcpip\..\{291772FA-81F2-468B-A9A7-DA2EAD895494}: NameServer = 85.255.114.36,85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.36 85.255.112.23


Click FIX CHECKED. Close HijackThis.

Finally, please post the contents of the text file that opened earlier (you can find it at C:\fixwareout\report.txt ), along with a new HijackThis log into this topic.

Only if you have connection problems after the fix, do this:

In the Windows Control Panel, if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double click on Network Connections. Then right click on your default connection, usually Local Area Connection for cable and DSL, and left click on Properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.

Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.


Next, go to Start > Run, type cmd and hit OK.
Type
ipconfig /flushdns
then hit Enter, type exit and hit Enter.
(That space between g and / is needed.)
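An added Python triage helper for the HijackThis log format in this thread (example code written here, not code from the thread, from HijackThis or from the other tools above): it parses O17, O23 and O4 lines and flags the patterns the fixes in posts #5 and #7 act on, namely NameServer entries pointing at resolvers other than the ones the machine should use, services with "Unknown owner" and "(file missing)" like those SDFix deleted, and Run entries that name a bare executable. The expected-resolver set is an assumed placeholder, and the sample log is constructed from lines quoted earlier in this thread.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Resolvers this machine is expected to use. Assumed placeholder (RFC 5737 documentation
# addresses); in practice this is the ISP's or the organisation's DNS servers.
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Line shapes as HijackThis v1.99 prints them (see the logs quoted in this thread).
O17_RE = re.compile(r"^O17 - (?P<key>.+?): NameServer = (?P<servers>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>.+?\.(?:exe|com|bat|cmd|scr|pif))\b', re.IGNORECASE)


@dataclass
class Finding:
    severity: str  # "high": act on it; "review": verify the file by hand first
    reason: str
    line: str


def split_nameservers(field: str) -> list[str]:
    """HijackThis prints the list comma- or space-separated; both forms appear above."""
    return [s for s in re.split(r"[,\s]+", field.strip()) if s]


def check_o17(line: str) -> Finding | None:
    """Flag NameServer entries that point anywhere but the expected resolvers."""
    m = O17_RE.match(line)
    if not m:
        return None
    bad = []
    for server in split_nameservers(m["servers"]):
        try:
            ipaddress.ip_address(server)
        except ValueError:
            bad.append(f"{server} (not an IP address)")
            continue
        if server not in EXPECTED_RESOLVERS:
            bad.append(server)
    if bad:
        return Finding("high", "NameServer set to unexpected resolver(s): " + ", ".join(bad), line)
    return None


def check_o23(line: str) -> Finding | None:
    """Flag service registrations with no publisher and/or no binary on disk."""
    m = O23_RE.match(line)
    if not m:
        return None
    unknown = m["owner"] == "Unknown owner"
    missing = m["path"].endswith("(file missing)")
    if unknown and missing:
        # The pattern SDFix removed above (DLLHOST, msidll, net32b, sdk, WINLOGON).
        return Finding("high", "service has no known owner and its binary is missing", line)
    if unknown or missing:
        return Finding("review", "service has no known owner" if unknown else "service binary is missing", line)
    return None


def check_o4(line: str) -> Finding | None:
    """Flag Run entries whose command is a bare file name with no directory."""
    m = O4_RE.match(line)
    if not m:
        return None
    cmd = m["cmd"].strip()
    exe_match = EXE_RE.match(cmd)
    exe = exe_match["exe"] if exe_match else cmd
    if "\\" not in exe:
        # A bare name is resolved through the search path at logon, so the log alone does
        # not say which file runs. Legitimate OEM entries look the same (PROMon.exe and
        # GWMDMMSG.exe in this thread), so this is "review", not "high".
        return Finding("review", f"Run entry [{m['label']}] uses a bare executable name: {exe}", line)
    return None


def triage(log_text: str) -> list[Finding]:
    """Run every check over a log and return the findings in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        for check in (check_o17, check_o23, check_o4):
            finding = check(line)
            if finding:
                findings.append(finding)
                break
    return findings


# Constructed sample: a few lines quoted from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKCU\..\Run: [Ms Update WinServices NT/XP] winservnt32.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.114.36 85.255.112.23
O17 - HKLM\System\CCS\Services\Tcpip\..\{291772FA-81F2-468B-A9A7-DA2EAD895494}: NameServer = 85.255.114.36,85.255.112.23
O23 - Service: Microsoft sdk core (sdk) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
"""
```

Running `triage(SAMPLE_LOG)` returns four findings: one "review" for the bare winservnt32.exe Run entry and three "high" for the two rogue NameServer lines and the ownerless, file-missing sdk service.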
#8
raucher1989

    Member

  • Topic Starter
  • Member
  • 35 posts
Fixwareout Log


Fixwareout ver 1.003
Last edited 8/11/2006
Post this report in the forums please

Reg Entries that were deleted
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\}ED087EECFDBA-6F4A-EF74-7CC7-C5F17488{
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ruins\rzfmd
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\0mdm
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls\1mdm
...

PLEASE NOTE, There WILL be LEGITIMATE FILES LISTED. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.

»»»»» Searching by size/names...

»»»»»
Search five digit cs, dm and jb files.
This WILL/CAN also list Legit Files, Submit them at Virustotal
C:\WINDOWS\SYSTEM32\CSLDP.EXE 51,764 2006-10-21

Other suspects.
Directory of C:\WINDOWS\system32

»»»»» Misc files.

»»»»» Checking for older varients covered by the Rem3 tool.
Microsoft ® Windows Script Host Version 5.6
Random Runs removed from HKLM
"dmfzr.exe"=-
...


HJT Log


Logfile of HijackThis v1.99.1
Scan saved at 5:56:23 PM, on 10/25/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Thanks
#9
Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
One more down and I see a clean log there. :whistling:

Now let's check for any leftovers. Please post the following two logs in separate replies to make sure the logs don't get cut off, they both may not fit into one post.

1) Please do an online scan with Kaspersky WebScanner. If you have any quarantined items in your antivirus, please delete those archives before the scan.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
2)

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
#10
Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
I forgot to mention, please delete this file:

C:\WINDOWS\SYSTEM32\CSLDP.EXE
#11
raucher1989

    Member

  • Topic Starter
  • Member
  • 35 posts
Kaspersky Log

KASPERSKY ONLINE SCANNER REPORT
Thursday, October 26, 2006 3:55:14 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 26/10/2006
Kaspersky Anti-Virus database records: 235264


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\

Scan Statistics
Total number of scanned objects 31402
Number of viruses found 32
Number of infected objects 300 / 0
Number of suspicious objects 10
Duration of the scan process 00:28:45

Infected Object Name Virus Name Last Action
C:\deskbar.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\deskbar.exe/stream Infected: not-a-virus:AdWare.Win32.Softomate.r skipped
C:\deskbar.exe NSIS: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip/MTE3NDI6ODoxNg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip/drsmartload849a849f.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip/drsmartload46a46f.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC3.zip/drsmartload45a45f.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC3.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Awful Abigail\Desktop\sinstaller2.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.Comet.ac skipped
C:\Documents and Settings\Awful Abigail\Desktop\sinstaller2.exe/stream Infected: not-a-virus:AdWare.Win32.Comet.ac skipped
C:\Documents and Settings\Awful Abigail\Desktop\sinstaller2.exe NSIS: infected - 2 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip/backups/i Infected: Trojan-Downloader.BAT.Ftp.ab skipped
C:\Documents and Settings\Owner\Desktop\SDFix\backups\backups.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\MyWebSearchWB\bar\1.bin\NPMYSRWB.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.i skipped
C:\Program Files\MyWebSearchWB\bar\1.bin\W6PLUGIN.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Verizon Online\SupportCenter\SmartBridge\AlertFilter.log Object is locked skipped
C:\Program Files\Verizon Online\SupportCenter\SmartBridge\log\httpclient.log Object is locked skipped
C:\Program Files\Verizon Online\SupportCenter\SmartBridge\SmartBridge.log Object is locked skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP20\A0159999.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP20\A0160000.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP20\A0160005.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP20\A0160006.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP20\A0160019.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP20\A0160020.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP20\A0160045.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP20\A0160046.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP20\A0160053.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP20\A0160064.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP20\A0160113.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP20\A0160114.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP20\A0160115.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP20\A0160116.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP20\A0160117.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP20\A0160118.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP20\A0160119.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP20\A0160120.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP20\A0160121.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP20\A0160122.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP21\A0166208.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP21\A0166209.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP21\A0166210.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP21\A0166211.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP22\A0170260.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP30\A0218444.exe Infected: Packed.Win32.PolyCrypt.a skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP30\A0219443.exe Infected: Packed.Win32.PolyCrypt.a skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP30\A0219444.dll Infected: Packed.Win32.Klone.k skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP30\A0222488.exe Infected: Packed.Win32.PolyCrypt.a skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP31\A0231568.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP36\A0250106.exe Infected: Backdoor.Win32.Hupigon.cj skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP36\A0250107.exe Infected: Backdoor.Win32.SdBot.xd skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255216.exe Infected: Backdoor.Win32.VanBot.a skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255217.exe Infected: Backdoor.Win32.Agent.mo skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255218.exe Infected: Backdoor.Win32.Agent.mo skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255219.exe Infected: Backdoor.Win32.Agent.mo skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255220.exe Infected: Backdoor.Win32.Agent.mo skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255221.exe Infected: Backdoor.Win32.Small.eo skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255222.exe Infected: Backdoor.Win32.Small.eo skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255223.exe Infected: Backdoor.Win32.Agent.mo skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255224.exe Infected: Backdoor.Win32.IRCBot.vm skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255225.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255226.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255227.exe Infected: Backdoor.Win32.Rbot.bie skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255228.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255229.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255230.exe Infected: Virus.Win32.Virut.a skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255231.exe Infected: Backdoor.Win32.Rbot.bie skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255232.exe Infected: Virus.Win32.Virut.b skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255233.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255234.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255235.exe Infected: Backdoor.Win32.IRCBot.vm skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255236.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255237.exe Infected: Backdoor.Win32.IRCBot.vm skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255238.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255239.exe Infected: Backdoor.Win32.IRCBot.vm skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255240.exe Infected: Backdoor.Win32.Rbot.bie skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255241.exe Infected: Backdoor.Win32.IRCBot.vm skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255242.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255243.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255244.exe Infected: Backdoor.Win32.IRCBot.vm skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255245.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255246.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255247.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255248.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255249.exe Infected: Backdoor.Win32.IRCBot.vm skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255250.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255251.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255252.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255253.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255254.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255255.exe Infected: Backdoor.Win32.IRCBot.vm skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255256.exe Infected: Backdoor.Win32.IRCBot.vm skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255257.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255258.exe Infected: Backdoor.Win32.Rbot.bie skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255259.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255260.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255261.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255262.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255263.exe Infected: Backdoor.Win32.IRCBot.vm skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255264.exe Infected: Backdoor.Win32.Rbot.bie skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255265.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255266.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255267.exe Infected: Backdoor.Win32.Rbot.bie skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255268.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255269.exe Infected: Backdoor.Win32.IRCBot.vm skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255270.exe Infected: Backdoor.Win32.VanBot.x skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255271.exe Infected: Backdoor.Win32.VanBot.x skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255272.exe Infected: Backdoor.Win32.IRCBot.wd skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255273.exe Infected: Backdoor.Win32.VanBot.x skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255274.exe Infected: Backdoor.Win32.IRCBot.wd skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255275.exe Infected: Backdoor.Win32.VanBot.x skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255276.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255277.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255278.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255279.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255280.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255281.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255282.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255283.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255284.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255285.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255286.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255287.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255288.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255289.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255290.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255291.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255292.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255293.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255294.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255295.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255296.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255297.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255298.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255299.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255300.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255301.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255302.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255303.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255304.exe Infected: Virus.Win32.Virut.b skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255305.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255306.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255307.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255308.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255309.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255310.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255311.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255312.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255313.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255314.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255315.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255316.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255317.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255318.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255319.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255320.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255321.exe Infected: Backdoor.Win32.PcClient.qf skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255322.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255323.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255324.exe Infected: Backdoor.Win32.Rbot.bkw skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255325.exe Infected: Backdoor.Win32.SdBot.awj skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255326.exe Infected: Backdoor.Win32.SdBot.awj skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255327.exe Infected: Backdoor.Win32.SdBot.xd skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255328.exe Infected: Backdoor.Win32.Rbot.gen skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255329.exe Infected: Backdoor.Win32.Rbot.gen skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255330.exe Infected: Backdoor.Win32.Rbot.gen skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255331.exe Infected: Virus.Win32.Virut.b skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255332.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255333.exe Infected: Backdoor.Win32.Rbot.bgy skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255334.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255335.exe Infected: Backdoor.Win32.Rbot.gen skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255336.exe Infected: Backdoor.Win32.Rbot.gen skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255337.exe Infected: Backdoor.Win32.Rbot.gen skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255338.exe Infected: Backdoor.Win32.Rbot.gen skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255339.exe Infected: Backdoor.Win32.Rbot.bie skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255340.exe Infected: Backdoor.Win32.Rbot.bie skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255341.exe Infected: Backdoor.Win32.Rbot.bie skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255342.exe Infected: Backdoor.Win32.Rbot.bie skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255343.exe Infected: Backdoor.Win32.Rbot.bie skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255344.exe Infected: Backdoor.Win32.Rbot.bie skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255345.exe Infected: Backdoor.Win32.IRCBot.wd skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255346.exe Infected: Backdoor.Win32.IRCBot.wd skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255347.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255348.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255349.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255350.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255351.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255352.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255353.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255354.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255355.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255356.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255357.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255358.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255359.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255360.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255361.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255362.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255363.exe Infected: Backdoor.Win32.Rbot.bhq skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255364.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255365.exe Infected: Trojan-Clicker.Win32.VB.pg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255366.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255367.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255368.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255369.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255370.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255371.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255372.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255373.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255374.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255375.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255376.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255377.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255378.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255379.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255380.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255381.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255382.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255383.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255384.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255385.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255386.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255387.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255388.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255389.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255390.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255391.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255392.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255393.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255394.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255395.exe Infected: Trojan-Downloader.Win32.Agent.awg skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255396.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255397.exe Infected: SpamTool.Win32.Agent.i skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255398.exe Infected: SpamTool.Win32.Agent.i skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255399.exe Infected: SpamTool.Win32.Agent.i skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255400.exe Infected: SpamTool.Win32.Agent.i skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255401.exe Infected: SpamTool.Win32.Agent.i skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255402.exe Infected: SpamTool.Win32.Agent.i skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255403.exe Infected: SpamTool.Win32.Agent.i skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255404.exe Infected: SpamTool.Win32.Agent.i skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255405.exe Infected: SpamTool.Win32.Agent.i skipped
C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255406.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255407.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255408.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255409.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255410.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255411.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255412.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255413.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255414.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255415.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255416.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255417.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255418.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255419.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255420.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255421.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255422.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255423.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255424.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255425.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255426.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255427.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255428.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255429.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255430.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255431.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255432.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255433.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255434.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255435.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255436.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255437.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255438.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255439.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255440.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255441.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255442.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255443.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255444.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255445.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255446.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255447.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255448.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255449.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255450.exe Infected: Backdoor.Win32.VanBot.x skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255451.exe Infected: Backdoor.Win32.VanBot.x skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255452.exe Infected: Backdoor.Win32.VanBot.x skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255453.exe Infected: Backdoor.Win32.VanBot.x skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255454.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255455.exe Infected: Backdoor.Win32.IRCBot.vm skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255456.exe Infected: Virus.Win32.Virut.a skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255457.exe Infected: Backdoor.Win32.IRCBot.vm skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255458.exe Infected: Backdoor.Win32.IRCBot.vm skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255459.exe Infected: Backdoor.Win32.IRCBot.vm skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255460.exe Infected: Backdoor.Win32.IRCBot.vm skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255461.exe Infected: Backdoor.Win32.IRCBot.vm skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255462.exe Infected: Backdoor.Win32.IRCBot.vm skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255463.exe Infected: Backdoor.Win32.IRCBot.vm skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255464.exe Infected: Backdoor.Win32.IRCBot.vm skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255465.exe Infected: Backdoor.Win32.IRCBot.vm skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255466.exe Infected: Backdoor.Win32.IRCBot.vm skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255467.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.de skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\A0255468.exe Infected: Backdoor.Win32.Agent.mo skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP37\change.log Object is locked skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP4\A0017153.exe Infected: Backdoor.Win32.SdBot.xd skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP9\A0049391.exe Infected: SpamTool.Win32.Agent.i skipped

C:\System Volume Information\_restore{426FD903-708C-4867-9AFE-30F76C364197}\RP9\A0049392.exe Infected: SpamTool.Win32.Agent.i skipped

C:\WINDOWS\Debug\oakley.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\ipv7.exe Suspicious: Packed.Win32.CryptExe skipped

C:\WINDOWS\PCHealth\ErrorRep\UserDumps\svchost.exe.20060822-020010-00.hdmp Object is locked skipped

C:\WINDOWS\PCHealth\ErrorRep\UserDumps\svchost.exe.20060822-020010-00.mdmp Object is locked skipped

C:\WINDOWS\PCHealth\ErrorRep\UserDumps\svchost.exe.20060824-035911-00.hdmp Object is locked skipped

C:\WINDOWS\PCHealth\ErrorRep\UserDumps\svchost.exe.20060824-035911-00.mdmp Object is locked skipped

C:\WINDOWS\PCHealth\ErrorRep\UserDumps\svchost.exe.20060828-131509-00.hdmp Object is locked skipped

C:\WINDOWS\PCHealth\ErrorRep\UserDumps\svchost.exe.20060907-003048-00.hdmp Object is locked skipped

C:\WINDOWS\PCHealth\ErrorRep\UserDumps\svchost.exe.20060907-003048-00.mdmp Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\axbuu.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\system32\config\sam Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\security Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped

C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\irlgtvrx.dll Infected: Trojan.Win32.BHO.g skipped

C:\WINDOWS\system32\setup_22388.exe Suspicious: Packed.Win32.CryptExe skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

Scan process completed.
  • 0

#12
raucher1989

    Member

  • Topic Starter
  • Member
  • 35 posts
ComboFix Log

Owner - 06-10-26 15:57:08.43 Service Pack 1
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Owner\Desktop"

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Awful Abigail\Application Data\Sskcwrd.dll
C:\Documents and Settings\Awful Abigail\Application Data\Sskknwrd.dll
C:\Documents and Settings\Owner\Application Data\Sskdmns.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\deskbar.exe


((((((((((((((((((((((((((((((( Files Created from 2006-09-26 to 2006-10-26 ))))))))))))))))))))))))))))))))))


2006-10-25 17:33 51,764 --a------ C:\WINDOWS\system32\csldp.exe
2006-10-24 16:19 28,672 --a------ C:\WINDOWS\system32\axbuu.exe
2006-10-24 06:49 14,208 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2006-10-14 23:42 143,380 --a------ C:\WINDOWS\system32\lbrximpk.exe
2006-10-06 15:49 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-10-05 16:20 762,864 ---hs---- C:\WINDOWS\system32\cbadd.bak2
2006-10-05 00:28 771 ---hs---- C:\WINDOWS\system32\cbadd.ini2
2006-10-04 20:23 61,279 --a------ C:\WINDOWS\system32\setup_22388.exe
2006-10-04 18:25 61,279 -r-hs---- C:\WINDOWS\ipv7.exe
2006-09-29 14:33 86,068 --a------ C:\WINDOWS\system32\irlgtvrx.dll
2006-09-29 14:32 836,440 --ahs---- C:\WINDOWS\system32\cbadd.bak1
2006-09-29 14:32 577,588 --ahs---- C:\WINDOWS\system32\ddabc.dll
2006-09-29 14:32 143,380 --a------ C:\WINDOWS\system32\rodritqv.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-26 14:18 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-10-26 14:15 -------- d-------- C:\Program Files\Common Files
2006-10-24 14:50 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
2006-10-24 14:20 -------- d-------- C:\Documents and Settings\Owner\Application Data\WeatherBug
2006-10-24 06:49 -------- d-------- C:\Program Files\Lexmark X74-X75
2006-10-19 11:58 338 --a------ C:\WINDOWS\ijqwm.dll
2006-10-06 15:49 -------- d-------- C:\Program Files\Internet Explorer
2006-10-06 15:45 -------- d-------- C:\Documents and Settings\Owner\Application Data\Sun
2006-10-06 15:41 -------- d-------- C:\Program Files\Java
2006-10-06 15:13 -------- d-------- C:\Program Files\Norton AntiVirus
2006-10-06 15:13 -------- d-------- C:\Documents and Settings\Owner\Application Data\Help
2006-10-06 00:18 -------- d---s---- C:\Documents and Settings\Owner\Application Data\Microsoft
2006-10-05 15:54 -------- d-------- C:\Documents and Settings\Owner\Application Data\Apple Computer
2006-10-05 15:47 -------- d-------- C:\Program Files\QuickTime
2006-10-05 15:39 -------- d-------- C:\Program Files\Apple Software Update
2006-09-25 18:59 -------- d-------- C:\Program Files\MyWebSearchWB
2006-09-25 18:58 -------- d-------- C:\Program Files\AWS
2006-09-21 17:40 37888 --a------ C:\WINDOWS\system32\omgs.exe
2006-09-20 20:52 0 --a------ C:\WINDOWS\system32\ftpupd.exe
2006-09-19 15:33 -------- d-------- C:\Documents and Settings\Owner\Application Data\Symantec
2006-09-19 15:16 -------- d-------- C:\Program Files\Symantec
2006-09-17 15:11 0 --a------ C:\WINDOWS\system32\directxbt.exe
2006-09-15 23:52 91904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-09-15 23:52 124016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-09-07 14:35 -------- d-------- C:\Documents and Settings\Owner\Application Data\Real
2006-09-07 14:33 -------- d-------- C:\Program Files\Common Files\xing shared
2006-09-07 14:33 -------- d-------- C:\Program Files\Common Files\Real
2006-08-27 21:59 89088 --a------ C:\WINDOWS\system32\setup_36130.exe
2006-08-27 21:04 -------- d-------- C:\Program Files\Common Files\uqrk
2006-08-27 20:11 89088 --a------ C:\WINDOWS\system32\setup_31872.exe
2006-08-27 19:34 89088 --a------ C:\WINDOWS\system32\setup_47646.exe
2006-08-27 18:44 89088 -rahs---- C:\WINDOWS\cplmgmt.exe
2006-08-27 16:15 20480 --a------ C:\WINDOWS\system32\mssave.exe
2006-08-18 02:58 57344 --a------ C:\WINDOWS\uneng.exe
2006-08-18 02:38 45056 --a------ C:\WINDOWS\system32\PCTKRNT.SYS
2006-08-18 02:20 126976 --a------ C:\WINDOWS\system32\unzdll.dll
2006-08-18 02:02 0 -rahs---- C:\MSDOS.SYS
2006-08-18 02:02 0 -rahs---- C:\IO.SYS
2006-08-18 02:02 0 --a------ C:\CONFIG.SYS
2006-08-18 02:02 0 --a------ C:\AUTOEXEC.BAT
2006-08-17 20:55 62 --ahs---- C:\Documents and Settings\Owner\Application Data\desktop.ini
2006-08-04 11:37 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-08-04 11:37 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-07-26 22:05 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-07-26 22:05 109568 --a------ C:\WINDOWS\system32\pxinsi64.exe
2006-07-26 22:05 108544 --a------ C:\WINDOWS\system32\pxcpyi64.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SFP"="C:\\Program Files\\Common Files\\Verizon Online\\SFP\\vzSFPWin.EXE /s"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"Weather"="C:\\Program Files\\AWS\\WeatherBug\\Weather.exe 1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PROMon.exe"="PROMon.exe"
"IgfxTray"="C:\\WINDOWS\\System32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"GWMDMMSG"="GWMDMMSG.exe"
"GWMDMpi"="C:\\WINDOWS\\GWMDMpi.exe"
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"ccRegVfy"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"Lexmark X74-X75"="\"C:\\Program Files\\Lexmark X74-X75\\lxbbbmgr.exe\""
"Motive SmartBridge"="C:\\PROGRA~1\\VERIZO~1\\SUPPOR~1\\SMARTB~1\\MotiveSB.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,75,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,23,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"uqrk"="C:\\PROGRA~1\\COMMON~1\\uqrk\\uqrkm.exe"
"fdujw"="C:\\WINDOWS\\System32\\jojqun.exe reg_run"
"Microsoft Directx click"="directxclick.exe"
"SrvC"="C:\\WINDOWS\\system32\\a.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"Microsoft Directx click"="directxclick.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"uqrk"="C:\\PROGRA~1\\COMMON~1\\uqrk\\uqrkm.exe"
"fdujw"="C:\\WINDOWS\\System32\\jojqun.exe reg_run"
"Microsoft Directx click"="directxclick.exe"
"SrvC"="C:\\WINDOWS\\system32\\a.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runservices]
"Microsoft Directx click"="directxclick.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
"{68676EFE-9B30-4EBD-B842-7ED9B3460C53}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddabc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggeecy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WLogon

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-10-26 15:59:21.46
C:\ComboFix.txt ... 06-10-26 15:59

Thanks
  • 0

#13
Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
You got a new Vundo infection. Before posting a new HijackThis log, please rename HijackThis.exe to something else, such as water.exe or food.exe.

Now please copy the following text in the code box to Notepad. Make sure there is no empty line above REGEDIT4. In Notepad go to File > Save As. Name it Fixit.reg, in the drop-down box at the bottom choose "All Files", and save it on your desktop. Then double-click on Fixit.reg and let it merge with the registry.

REGEDIT4

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"uqrk"=-
"fdujw"=-
"Microsoft Directx click"=-
"SrvC"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"Microsoft Directx click"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"uqrk"=-
"fdujw"=-
"Microsoft Directx click"=-
"SrvC"=-

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runservices]
"Microsoft Directx click"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{68676EFE-9B30-4EBD-B842-7ED9B3460C53}"=-

Please download the Killbox.

1) Please run Killbox.

2) Select "Delete on Reboot". Click on "All Files".

3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\Documents and Settings\Awful Abigail\Desktop\sinstaller2.exe
C:\Program Files\MyWebSearchWB\bar\1.bin\NPMYSRWB.DLL
C:\Program Files\MyWebSearchWB\bar\1.bin\W6PLUGIN.DLL
C:\WINDOWS\system32\axbuu.exe
C:\WINDOWS\system32\irlgtvrx.dll
C:\WINDOWS\ipv7.exe
C:\WINDOWS\system32\setup_22388.exe
C:\WINDOWS\system32\csldp.exe
C:\WINDOWS\system32\lbrximpk.exe
C:\WINDOWS\system32\rodritqv.exe
C:\WINDOWS\ijqwm.dll
C:\WINDOWS\system32\omgs.exe
C:\WINDOWS\system32\ftpupd.exe
C:\WINDOWS\system32\setup_36130.exe
C:\WINDOWS\system32\setup_47646.exe
C:\WINDOWS\cplmgmt.exe
C:\WINDOWS\system32\mssave.exe


4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the Do You Want to Reboot Now prompt.

Next,

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.
  • 0
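The fix above works by hand: read the HijackThis and ComboFix output, spot BHO registrations whose DLL is already gone and Run-key values that point at unknown programs, then write a REGEDIT4 file that deletes them with the `"name"=-` syntax. The script below is an added example (Python, written for this page; it is not part of the thread or of HijackThis, ComboFix or VundoFix) that does the reading step from a log: it parses O2, O4 and O17 lines of the kind posted in this thread, lists BHO CLSIDs marked "(file missing)", reports O17 NameServer addresses that are not on a resolver allowlist, and builds a REGEDIT4 deletion fragment of the same shape as Fixit.reg. The sample lines are copied from the logs posted in this thread; the allowlist address `192.168.1.1` and the hive/key expansion are assumptions of the example.

```python
"""Triage helper for HijackThis-style log lines (added example; not part of this
thread or of HijackThis, ComboFix or VundoFix)."""
import re

# Constructed sample: O2/O4/O17 lines copied from the logs posted in this thread.
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {68676EFE-9B30-4EBD-B842-7ED9B3460C53} - C:\WINDOWS\System32\hggeecy.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {83752AC5-AB60-477F-865F-621EA793D2C5} - C:\WINDOWS\System32\ddabc.dll (file missing)
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\System32\irlgtvrx.dll (file missing)
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O17 - HKLM\System\CCS\Services\Tcpip\..\{382F7B25-A939-4A93-B840-164DCDE901D1}: NameServer = 85.255.114.36 85.255.112.23
"""

# Placeholder allowlist (assumption): the resolvers the ISP or router really hands out.
ISP_DNS_ALLOWLIST = {"192.168.1.1"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - "
                   r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+(?:\\[\w-]+)?)\\\.\.\\(?P<key>\w+): "
                   r"\[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,\s]+)$")

# HijackThis abbreviates Software\Microsoft\Windows\CurrentVersion as "..".
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER", "HKU": "HKEY_USERS"}
RUN_PARENT = r"Software\Microsoft\Windows\CurrentVersion"


def parse_hjt(text):
    """Split a log into BHO, autorun and DNS-server records; other lines are ignored."""
    bhos, autoruns, dns = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            bhos.append({"name": m["name"], "clsid": m["clsid"],
                         "path": m["path"], "missing": m["missing"] is not None})
        elif m := O4_RE.match(line):
            autoruns.append({"hive": m["hive"], "key": m["key"],
                             "name": m["name"], "command": m["cmd"]})
        elif m := O17_RE.match(line):
            dns.extend(s for s in re.split(r"[,\s]+", m["servers"].strip()) if s)
    return {"bhos": bhos, "autoruns": autoruns, "dns_servers": dns}


def orphaned_bhos(parsed):
    """CLSIDs whose DLL is gone: the registration outlived the file and still needs removing."""
    return [b["clsid"] for b in parsed["bhos"] if b["missing"]]


def unexpected_dns(parsed, allowlist):
    """O17 resolvers that are not the ones the ISP/router should be handing out."""
    return [s for s in parsed["dns_servers"] if s not in allowlist]


def autorun_reg_key(entry):
    """Expand an O4 hive/key pair to the full registry key a .reg file needs."""
    root, _, sub = entry["hive"].partition("\\")
    parts = [HIVES[root]] + ([sub] if sub else []) + [RUN_PARENT, entry["key"]]
    return "\\".join(parts)


def regedit4_delete_values(entries):
    """Build a REGEDIT4 file deleting the given (key, value name) pairs.
    '"name"=-' is the .reg syntax for removing a value; REGEDIT4 must be line one."""
    by_key = {}
    for key, name in entries:
        by_key.setdefault(key, []).append(name)
    lines = ["REGEDIT4", ""]
    for key, names in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{n}"=-' for n in names)
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    parsed = parse_hjt(SAMPLE_HJT)
    print("orphaned BHOs:", orphaned_bhos(parsed))
    print("DNS servers not on allowlist:", unexpected_dns(parsed, ISP_DNS_ALLOWLIST))
    # Value names and key taken from the ComboFix "Reg Loading Points" posted above.
    key = r"HKEY_USERS\.default\software\microsoft\windows\currentversion\run"
    print(regedit4_delete_values([(key, n) for n in ("uqrk", "fdujw", "Microsoft Directx click", "SrvC")]))
```

Review the generated fragment before saving it as a .reg file: the script only turns names you hand it into `=-` lines, it does not decide what is malicious, and an O17 address outside the allowlist is a prompt to confirm the resolver with the ISP, not a verdict by itself.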

#14
raucher1989

    Member

  • Topic Starter
  • Member
  • 35 posts
VundoFix Log

VundoFix V6.2.6

Checking Java version...

Java version is 1.5.0.3

Java version is 1.5.0.6

Scan started at 3:29:01 PM 10/27/2006

Listing files found while scanning....

C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\cbadd.ini
C:\WINDOWS\system32\cbadd.bak1
C:\WINDOWS\system32\cbadd.bak2
C:\WINDOWS\system32\cbadd.ini2
C:\WINDOWS\system32\cbadd.tmp
C:\WINDOWS\System32\ddabc.dll
C:\WINDOWS\system32\cbadd.ini
C:\WINDOWS\system32\cbadd.bak1
C:\WINDOWS\system32\cbadd.bak2
C:\WINDOWS\system32\cbadd.ini2
C:\WINDOWS\system32\cbadd.tmp
C:\WINDOWS\System32\cbadd.ini
C:\WINDOWS\System32\cbadd.bak1
C:\WINDOWS\System32\cbadd.bak2
C:\WINDOWS\System32\cbadd.ini2
C:\WINDOWS\System32\cbadd.tmp

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddabc.dll
C:\WINDOWS\system32\ddabc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbadd.ini
C:\WINDOWS\system32\cbadd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbadd.bak1
C:\WINDOWS\system32\cbadd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbadd.bak2
C:\WINDOWS\system32\cbadd.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbadd.ini2
C:\WINDOWS\system32\cbadd.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\cbadd.tmp
C:\WINDOWS\system32\cbadd.tmp Has been deleted!

Performing Repairs to the registry.
Done!

HJT log

Logfile of HijackThis v1.99.1
Scan saved at 3:42:06 PM, on 10/27/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\GWMDMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Owner\Desktop\VundoFix.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\water.exe.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gatewaybiz.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {68676EFE-9B30-4EBD-B842-7ED9B3460C53} - C:\WINDOWS\System32\hggeecy.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {83752AC5-AB60-477F-865F-621EA793D2C5} - C:\WINDOWS\System32\ddabc.dll (file missing)
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\System32\irlgtvrx.dll (file missing)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [GWMDMpi] C:\WINDOWS\GWMDMpi.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\VERIZO~1\SUPPOR~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [SFP] C:\Program Files\Common Files\Verizon Online\SFP\vzSFPWin.EXE /s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - Global Startup: Verizon Online Support Center.lnk = C:\Program Files\Verizon Online\SupportCenter\bin\matcli.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {0F04992B-E661-4DB9-B223-903AB628225D} (DoMoreRunExe.DoMoreRun) - file://C:\Program Files\Gateway\Do More\DoMoreRunExe.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{382F7B25-A939-4A93-B840-164DCDE901D1}: NameServer = 85.255.114.36 85.255.112.23
O20 - Winlogon Notify: hggeecy - hggeecy.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WLogon - srvc.dll (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\System32\PCTKRNT.SYS
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


Thanks

#15
Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
We will have to rerun Fixwareout; if you deleted it, download it again.

First, go to Control Panel, Add/Remove Programs, and uninstall MyWebSearchWB.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.sub.../Fixwareout.exe
http://www.bleepingc.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

Once the desktop loads a text file will open (report.txt), you can close it - the file has already been saved.

Run HijackThis. Click "Do a System Scan Only", and place a check next to the following items (if found):

O2 - BHO: (no name) - {68676EFE-9B30-4EBD-B842-7ED9B3460C53} - C:\WINDOWS\System32\hggeecy.dll (file missing)
O2 - BHO: (no name) - {83752AC5-AB60-477F-865F-621EA793D2C5} - C:\WINDOWS\System32\ddabc.dll (file missing)
O2 - BHO: My Web Search Bar BHO - {8EAB99C1-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\System32\irlgtvrx.dll (file missing)
O3 - Toolbar: WeatherBug Browser Bar - powered by MyWebSearch - {8EAB99C9-F9EC-4b64-A4BA-D9BCAE8779C2} - C:\Program Files\MyWebSearchWB\bar\1.bin\W6BAR.DLL
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O17 - HKLM\System\CCS\Services\Tcpip\..\{382F7B25-A939-4A93-B840-164DCDE901D1}: NameServer = 85.255.114.36 85.255.112.23
O20 - Winlogon Notify: hggeecy - hggeecy.dll (file missing)
O20 - Winlogon Notify: WLogon - srvc.dll (file missing)

Click "Fix checked". Close HijackThis. Don't worry if some of those entries are not found.

Finally, please post the contents of the text file that opened earlier (you can find it at C:\fixwareout\report.txt ), along with a new HijackThis log into this topic.


Only if you have connection problems after the fix:

In the Windows Control Panel, if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection (usually Local Area Connection for cable and DSL) and left-click on Properties. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS server address automatically.

Press OK twice to get out of the Properties screen and reboot if it asks.
That option might not be available on some systems.


Next, go to Start, Run, type cmd and hit OK.
Type
ipconfig /flushdns
then hit Enter; then type exit and hit Enter.
(The space between g and / is needed.)
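As an added example (not part of the original thread or of HijackThis itself), a small Python triage that applies the same checks the reply above makes by hand to HijackThis log lines: O17 NameServer entries pointing outside a trusted DNS range, and O2/O20 entries whose DLL is reported missing. The sample lines are copied from the log above; the trusted DNS range passed in is an assumption you replace with your ISP's or LAN's resolvers.

```python
import re
import ipaddress

# Shape of a HijackThis entry as seen in the log above: "O17 - <rest of line>"
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")

# Constructed sample: a handful of lines copied from the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {68676EFE-9B30-4EBD-B842-7ED9B3460C53} - C:\WINDOWS\System32\hggeecy.dll (file missing)
O17 - HKLM\System\CCS\Services\Tcpip\..\{382F7B25-A939-4A93-B840-164DCDE901D1}: NameServer = 85.255.114.36 85.255.112.23
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WLogon - srvc.dll (file missing)
"""


def _untrusted(servers, trusted):
    """Return the servers that fall outside every trusted network (or do not parse)."""
    bad = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            bad.append(s)          # not an IP literal at all: worth a look
            continue
        if not any(addr in net for net in trusted):
            bad.append(s)
    return bad


def triage(log_text, trusted_dns=()):
    """Return (kind, reason, line) for entries that deserve a closer look.

    trusted_dns: CIDR strings for resolvers this machine is expected to use
    (an assumption supplied by the caller, e.g. the ISP's ranges)."""
    trusted = [ipaddress.ip_network(n) for n in trusted_dns]
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        if kind == "O17" and "NameServer =" in body:
            servers = body.split("NameServer =", 1)[1].split()
            bad = _untrusted(servers, trusted)
            if bad:
                findings.append((kind, "DNS servers outside trusted range: " + " ".join(bad), line))
        elif kind == "O20" and body.endswith("(file missing)"):
            findings.append((kind, "Winlogon Notify DLL registered but missing from disk", line))
        elif kind == "O2" and body.endswith("(file missing)"):
            findings.append((kind, "BHO registered but DLL missing from disk", line))
    return findings
```

Entries with a missing DLL are flagged because a registered-but-absent Winlogon Notify or BHO is exactly what a half-removed infection leaves behind, which matches why the reply asks to fix those lines.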