Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Windows Security/Spyware Alerts

Started by dup1998 , Feb 24 2008 12:32 AM

  • Please log in to reply

#1
dup1998
Posted 24 February 2008 - 12:32 AM

dup1998

    New Member

  • Member
  • Pip
  • 8 posts
Hi,

My dad clicked on something he shouldn't have while he was reading his email and now the computer is running incredibly slow and there are a ton of crazy security alerts that keep popping up:
1.) Fake Windows security alert message pop up about every 2-5 min. - Also with a message to download SpySoftware from the Internet
2.) Ad-Aware pop up to evaluate and buy their software
3.) Ctrl Alt Del does not work

Messages in detail:
Spyware Alert (Windows Message)
Security Warning!
Worm.Win32.NetSky detected on your machine. This virus is distributed via the Internet through e-mail and Active-X objects. The worm has its own SMTP engine which means it gathers e-mails from your local computer and re-distributes itself. In worst cases this worm can allow attackers to access your computer, stealing passwords and personal data.
This process should be removed from your system.
Type: Virus
System Affected: Windows 2000, NT, ME,XP, Vista
Securtiy Risk (0-5): 5
Recommendations: Click Yes to remove it from your PC immediately.
Yes/No

System Alert (System Tray - Blinking white cross on red background)
System detected virus activities. These may impact the performance of your computer. Please, use recomended anitspyware software to protect your system from parasite programs.

Windows Security Alert (Windows Message)
Large White cross with red circle background on left hand side).
(Text:) "Windows has detected an Internet attack attack attempt...
Somebody's trying to infect your PC with spyware or harmful viruses. Run full system scan now to protect your PC from Internet attacks, hijacking attempts and spyware! Click here to download spyware remover for total protection. OK/Cancel


Here is what I have done so far (in Windows safe mode):
- run ATF Cleaner
- run Windows Defender
- run HijackThis

Here's my HiJack This log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:57:34 PM, on 2/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SXG Advisor - {6FFDE480-14C1-43FC-BEC1-CA97A2541FFD} - C:\WINDOWS\dmdvpnslp.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7
O4 - HKCU\..\Run: [Bvocs] C:\Documents and Settings\Administrator\Application Data\?ssembly\n?pdb.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.photowork...ImageEditor.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1136832039984
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photowork...ropUploader.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{3170BF7A-A5E2-4F89-8299-B4BB26E7B220}: NameServer = 85.255.116.149,85.255.112.234
O17 - HKLM\System\CS1\Services\Tcpip\..\{3170BF7A-A5E2-4F89-8299-B4BB26E7B220}: NameServer = 85.255.116.149,85.255.112.234
O21 - SSODL: bdmanager - {99A33923-FF5D-41E8-8B3C-E61DDBE1EAEB} - C:\WINDOWS\bdmanager.dll
O21 - SSODL: admgcx - {745BAAC0-8A69-4621-AA26-9E39434B2A92} - C:\WINDOWS\admgcx.dll
O22 - SharedTaskScheduler: Reload Browse - {A1D9D3F0-8C2A-9A1D-A376-2CACFB10AB72} - (no file)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O24 - Desktop Component 0: (no name) - http://www.crochetme...ges/cm_logo.gif

--
End of file - 7331 bytes



Thanks in advance for any help you can give me. This is driving me crazy!!
  • 0

Advertisements

#2
kahdah
Posted 24 February 2008 - 09:08 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Hello dup1998

Welcome to G2Go. :)
==============
First:

Please download FixWareout from here:
http://downloads.sub.../Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts. If your firewall gives an alert, (because this tool will download an additional file from the internet), please don't let your firewall block it, but allow it instead.
Then you will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.
Once the desktop loads please post the text that will open (report.txt)
===============================================
Then:

Download ComboFix from one of the locations below, and save it to your Desktop.

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#3
dup1998
Posted 24 February 2008 - 05:23 PM

dup1998

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here is my Fixwareout log:

Username "Administrator" - 02/24/2008 14:06:00 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{3170BF7A-A5E2-4F89-8299-B4BB26E7B220}
"nameserver"="85.255.116.149,85.255.112.234" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"vptray"="C:\\PROGRA~1\\SYMANT~1\\VPTray.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"Adobe Reader Speed Launcher"="\"C:\\Program Files\\Adobe\\Reader 8.0\\Reader\\Reader_sl.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"SpybotSD TeaTimer"="C:\\Program Files\\Spybot - Search & Destroy\\TeaTimer.exe"
"updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7"
"Bvocs"="C:\\Documents and Settings\\Administrator\\Application Data\\?ssembly\\n?pdb.exe"
"DW4"="\"C:\\Program Files\\The Weather Channel FW\\Desktop Weather\\DesktopWeather.exe\""
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~
  • 0

#4
kahdah
Posted 24 February 2008 - 05:27 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Did you run Combofix ?
  • 0

#5
dup1998
Posted 24 February 2008 - 05:37 PM

dup1998

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Yes, I ran Combofix, but there weren't any prompts and it didn't create a log. Should I run Hijackthis and post the log anyway?
  • 0

#6
kahdah
Posted 24 February 2008 - 05:42 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Try to delete your version and download it again from

Link 1
Link 2
Link 3

Double click combofix.exe and follow the prompts. Please, never rename Combofix unless instructed.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
  • 0

#7
dup1998
Posted 24 February 2008 - 10:21 PM

dup1998

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here's the combofix log:


ComboFix 08-02-25 - Administrator 2008-02-24 18:45:40.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.34 [GMT -9:00]Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\APPATC~1
C:\Documents and Settings\Administrator\Application Data\ASEMBL~1
C:\Documents and Settings\Administrator\Application Data\ASKS~1
C:\Documents and Settings\Administrator\Application Data\CROSOF~1
C:\Documents and Settings\Administrator\Application Data\CROSOF~1.NET
C:\Documents and Settings\Administrator\Application Data\CURITY~1
C:\Documents and Settings\Administrator\Application Data\DOBE~1
C:\Documents and Settings\Administrator\Application Data\ECURIT~1
C:\Documents and Settings\Administrator\Application Data\FNTS~1
C:\Documents and Settings\Administrator\Application Data\FNTS~2
C:\Documents and Settings\Administrator\Application Data\ICROSO~1
C:\Documents and Settings\Administrator\Application Data\ICROSO~1.NET
C:\Documents and Settings\Administrator\Application Data\MANTEC~1
C:\Documents and Settings\Administrator\Application Data\MBOLS~1
C:\Documents and Settings\Administrator\Application Data\MCROSO~1
C:\Documents and Settings\Administrator\Application Data\PPPATC~1
C:\Documents and Settings\Administrator\Application Data\RACLE~1
C:\Documents and Settings\Administrator\Application Data\RACLE~2
C:\Documents and Settings\Administrator\Application Data\SCURIT~1
C:\Documents and Settings\Administrator\Application Data\SEMBLY~1
C:\Documents and Settings\Administrator\Application Data\SMANTE~1
C:\Documents and Settings\Administrator\Application Data\SSEMBL~1
C:\Documents and Settings\Administrator\Application Data\SSTEM~1
C:\Documents and Settings\Administrator\Application Data\SSTEM3~1
C:\Documents and Settings\Administrator\Application Data\STEM~1
C:\Documents and Settings\Administrator\Application Data\STEM32~1
C:\Documents and Settings\Administrator\Application Data\WNSXS~1
C:\Documents and Settings\Administrator\Application Data\YMBOLS~1
C:\Documents and Settings\Administrator\Application Data\YSTEM~1
C:\Documents and Settings\Administrator\Desktop\Error Cleaner.url
C:\Documents and Settings\Administrator\Desktop\Privacy Protector.url
C:\Documents and Settings\Administrator\Desktop\Spyware&Malware Protection.url
C:\Documents and Settings\Administrator\Favorites\Error Cleaner.url
C:\Documents and Settings\Administrator\Favorites\Privacy Protector.url
C:\Documents and Settings\Administrator\Favorites\Spyware&Malware Protection.url
C:\Documents and Settings\Administrator\My Documents\APPATC~1
C:\Documents and Settings\Administrator\My Documents\ASKS~1
C:\Documents and Settings\Administrator\My Documents\ASKS~2
C:\Documents and Settings\Administrator\My Documents\CROSOF~1
C:\Documents and Settings\Administrator\My Documents\CROSOF~1.NET
C:\Documents and Settings\Administrator\My Documents\DOBE~1
C:\Documents and Settings\Administrator\My Documents\DOBE~2
C:\Documents and Settings\Administrator\My Documents\ECURIT~1
C:\Documents and Settings\Administrator\My Documents\FNTS~1
C:\Documents and Settings\Administrator\My Documents\FNTS~2
C:\Documents and Settings\Administrator\My Documents\ICROSO~1
C:\Documents and Settings\Administrator\My Documents\ICROSO~1.NET
C:\Documents and Settings\Administrator\My Documents\MANTEC~1
C:\Documents and Settings\Administrator\My Documents\MBOLS~1
C:\Documents and Settings\Administrator\My Documents\MCROSO~1
C:\Documents and Settings\Administrator\My Documents\MCROSO~1.NET
C:\Documents and Settings\Administrator\My Documents\PPATCH~1
C:\Documents and Settings\Administrator\My Documents\PPPATC~1
C:\Documents and Settings\Administrator\My Documents\RACLE~1
C:\Documents and Settings\Administrator\My Documents\RACLE~2
C:\Documents and Settings\Administrator\My Documents\SCURIT~1
C:\Documents and Settings\Administrator\My Documents\SEMBLY~1
C:\Documents and Settings\Administrator\My Documents\SKS~1
C:\Documents and Settings\Administrator\My Documents\SMANTE~1
C:\Documents and Settings\Administrator\My Documents\SMBOLS~1
C:\Documents and Settings\Administrator\My Documents\SSTEM~1
C:\Documents and Settings\Administrator\My Documents\SSTEM3~1
C:\Documents and Settings\Administrator\My Documents\STEM~1
C:\Documents and Settings\Administrator\My Documents\STEM32~1
C:\Documents and Settings\Administrator\My Documents\TSKS~1
C:\Documents and Settings\Administrator\My Documents\WNSXS~1
C:\Documents and Settings\Administrator\My Documents\YMBOLS~1
C:\Documents and Settings\Administrator\My Documents\YSTEM~1
C:\Documents and Settings\Administrator\My Documents\YSTEM3~1
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\appatc~1
C:\Program Files\asembl~1
C:\Program Files\asks~1
C:\Program Files\Common Files\asembl~1
C:\Program Files\Common Files\asks~1
C:\Program Files\Common Files\asks~2
C:\Program Files\Common Files\companion wizard
C:\Program Files\Common Files\crosof~1
C:\Program Files\Common Files\crosof~1.net
C:\Program Files\Common Files\curity~1
C:\Program Files\Common Files\dobe~1
C:\Program Files\Common Files\dobe~2
C:\Program Files\Common Files\ecurit~1
C:\Program Files\Common Files\fnts~1
C:\Program Files\Common Files\fnts~2
C:\Program Files\Common Files\icroso~1
C:\Program Files\Common Files\icroso~1.net
C:\Program Files\Common Files\icroso~2
C:\Program Files\Common Files\mantec~1
C:\Program Files\Common Files\mbols~1
C:\Program Files\Common Files\mcroso~1.net
C:\Program Files\Common Files\pppatc~1
C:\Program Files\Common Files\racle~1
C:\Program Files\Common Files\racle~2
C:\Program Files\Common Files\scurit~1
C:\Program Files\Common Files\sembly~1
C:\Program Files\Common Files\sks~1
C:\Program Files\Common Files\sks~2
C:\Program Files\Common Files\smante~1
C:\Program Files\Common Files\smbols~1
C:\Program Files\Common Files\sstem~1
C:\Program Files\Common Files\sstem3~1
C:\Program Files\Common Files\stem~1
C:\Program Files\Common Files\stem32~1
C:\Program Files\Common Files\tsks~1
C:\Program Files\Common Files\wnsxs~1
C:\Program Files\Common Files\ymante~1
C:\Program Files\Common Files\ymbols~1
C:\Program Files\Common Files\ystem3~1
C:\Program Files\crosof~1
C:\Program Files\crosof~1.net
C:\Program Files\dobe~1
C:\Program Files\dobe~2
C:\Program Files\ecurit~1
C:\Program Files\fnts~1
C:\Program Files\fnts~2
C:\Program Files\icroso~1
C:\Program Files\icroso~1.net
C:\Program Files\mbols~1
C:\Program Files\mcroso~1
C:\Program Files\mcroso~1.net
C:\Program Files\ppatch~1
C:\Program Files\ppatch~2
C:\Program Files\racle~1
C:\Program Files\scurit~1
C:\Program Files\sembly~1
C:\Program Files\smante~1
C:\Program Files\ssembl~1
C:\Program Files\sstem3~1
C:\Program Files\stem~1
C:\Program Files\wnsxs~1
C:\Program Files\ymante~1
C:\Program Files\ystem~1
C:\Program Files\ystem3~1
C:\WINDOWS\appatc~1
C:\WINDOWS\asembl~1
C:\WINDOWS\crosof~1
C:\WINDOWS\crosof~1.net
C:\WINDOWS\curity~1
C:\WINDOWS\dat.txt
C:\WINDOWS\dobe~1
C:\WINDOWS\dobe~2
C:\WINDOWS\ecurit~1
C:\WINDOWS\fnts~1
C:\WINDOWS\icroso~1
C:\WINDOWS\icroso~1.net
C:\WINDOWS\mantec~1
C:\WINDOWS\mbols~1
C:\WINDOWS\mcroso~1
C:\WINDOWS\mcroso~1.net
C:\WINDOWS\ppatch~1
C:\WINDOWS\ppatch~2
C:\WINDOWS\pppatc~1
C:\WINDOWS\pppatc~2
C:\WINDOWS\racle~1
C:\WINDOWS\rs.txt
C:\WINDOWS\scurit~1
C:\WINDOWS\search_res.txt
C:\WINDOWS\sks~1
C:\WINDOWS\sks~1\SKS~1\ctxad-503.0000
C:\WINDOWS\sks~1\SKS~1\ctxad-503.0001
C:\WINDOWS\sks~1\SKS~1\ctxad-503.0002
C:\WINDOWS\sks~2
C:\WINDOWS\smante~1
C:\WINDOWS\smbols~1
C:\WINDOWS\sstem~1
C:\WINDOWS\stem~1
C:\WINDOWS\stem32~1
C:\WINDOWS\system32\appatc~1
C:\WINDOWS\system32\asembl~1
C:\WINDOWS\system32\asks~1
C:\WINDOWS\system32\crosof~1.net
C:\WINDOWS\system32\curity~1
C:\WINDOWS\system32\dobe~1
C:\WINDOWS\system32\dobe~2
C:\WINDOWS\system32\ecurit~1
C:\WINDOWS\system32\fnts~1
C:\WINDOWS\system32\fnts~2
C:\WINDOWS\system32\icroso~1
C:\WINDOWS\system32\icroso~1.net
C:\WINDOWS\system32\mantec~1
C:\WINDOWS\system32\mbols~1
C:\WINDOWS\system32\mcroso~1
C:\WINDOWS\system32\mcroso~1.net
C:\WINDOWS\system32\ppatch~1
C:\WINDOWS\system32\ppatch~1\??pPatch\
C:\WINDOWS\system32\pppatc~1
C:\WINDOWS\system32\pppatc~2
C:\WINDOWS\system32\racle~1
C:\WINDOWS\system32\racle~2
C:\WINDOWS\system32\sembly~1
C:\WINDOWS\system32\smante~1
C:\WINDOWS\system32\smbols~1
C:\WINDOWS\system32\ssembl~1
C:\WINDOWS\system32\sstem3~1
C:\WINDOWS\system32\stem32~1
C:\WINDOWS\system32\stera.log
C:\WINDOWS\system32\tsks~1
C:\WINDOWS\system32\wnsxs~1
C:\WINDOWS\system32\wtsit.exe
C:\WINDOWS\system32\ymante~1
C:\WINDOWS\system32\ymbols~1
C:\WINDOWS\system32\ystem~1
C:\WINDOWS\system32\ystem3~1
C:\WINDOWS\wnsxs~1
C:\WINDOWS\ymante~1
C:\WINDOWS\ymbols~1
C:\WINDOWS\ystem~1
C:\WINDOWS\ystem3~1

----- BITS: Possible infected sites -----

hxxp://softworldnetwork.com
hxxp://onsafepro.com

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_FOPN
-------\LEGACY_FWSVC
-------\LEGACY_VSPF
-------\LEGACY_VSPF_HK


((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
.

2008-02-24 17:43 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-02-24 17:43 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-02-24 14:05 . 2008-02-24 14:15 <DIR> d-------- C:\fixwareout
2008-02-23 22:54 . 2008-02-23 23:17 <DIR> d-------- C:\SDFix
2008-02-23 17:18 . 2008-02-23 17:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-23 13:55 . 2008-02-23 13:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-02-23 13:30 . 2007-05-30 03:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-23 13:29 . 2008-02-23 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-22 18:00 . 2008-02-22 18:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Anti-Virus-Pro.com
2008-02-22 17:55 . 2008-02-23 07:28 <DIR> d-------- C:\Program Files\AntiVirusPro
2008-02-21 15:10 . 2008-02-20 13:56 315,392 --a------ C:\WINDOWS\dmdvpnslp.dll
2008-02-21 15:10 . 2008-02-20 13:56 282,624 --a------ C:\WINDOWS\bdmanager.dll
2008-02-21 15:10 . 2008-02-20 13:56 262,144 --a------ C:\WINDOWS\admgcx.dll
2008-02-21 15:10 . 2008-02-20 13:56 217,088 --a------ C:\WINDOWS\emotigt.dll
2008-02-21 15:10 . 2008-02-20 13:56 90,112 --a------ C:\WINDOWS\fsxloqf.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-25 03:59 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-22 22:02 --------- d-----w C:\Program Files\PokerStars
2008-01-19 03:44 --------- d-----w C:\Program Files\Java
2008-01-07 01:10 --------- d-----w C:\Program Files\The Weather Channel FW
2008-01-07 01:02 --------- d-----w C:\Program Files\Common Files\xing shared
2008-01-07 01:02 --------- d-----w C:\Program Files\Common Files\Real
2008-01-07 00:55 --------- d-----w C:\Program Files\Real
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6FFDE480-14C1-43FC-BEC1-CA97A2541FFD}]
2008-02-20 13:56 315392 --a------ C:\WINDOWS\dmdvpnslp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 07:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04 1415824]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"Bvocs"="C:\Documents and Settings\Administrator\Application Data\?ssembly\n?pdb.exe" [ ]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-12-20 08:10 715888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03 36975]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 09:21 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 19:27 85696]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-12 18:00 282624]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-10-05 22:11 866584]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-06 15:56 185632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-11-10 09:52 34832]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 22:23:26 282624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bdmanager"= {99A33923-FF5D-41E8-8B3C-E61DDBE1EAEB} - C:\WINDOWS\bdmanager.dll [2008-02-20 13:56 282624]
"admgcx"= {745BAAC0-8A69-4621-AA26-9E39434B2A92} - C:\WINDOWS\admgcx.dll [2008-02-20 13:56 262144]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R3 EraserUtilDrvI4;EraserUtilDrvI4;C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrvI4.sys [2007-11-14 14:11]
R3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM);C:\WINDOWS\system32\drivers\ES1370MP.sys [2001-08-17 03:19]
R3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-08-17 04:47]
R3 nv3;nv3;C:\WINDOWS\system32\DRIVERS\nv3.sys [2001-08-17 03:50]
R3 USRTI;U.S. Robotics Faxmodem Driver TI;C:\WINDOWS\system32\DRIVERS\USRTI.SYS [2001-08-17 04:28]
S3 ALABULK;Fujifilm USB MemoryCard ReaderWriter device driver;C:\WINDOWS\system32\Drivers\ALABULK2.sys [2002-09-19 16:33]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\CDStart.Exe
\Shell\Install\Command - D:\navsetup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-25 04:05:18 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-24 19:03:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelSlnchr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
.
**************************************************************************
.
Completion time: 2008-02-24 19:14:50 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-02-25 04:14:31
.
2007-12-23 18:20:59 --- E O F ---





And here is the hijackthis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:23:35 PM, on 2/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SXG Advisor - {6FFDE480-14C1-43FC-BEC1-CA97A2541FFD} - C:\WINDOWS\dmdvpnslp.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7
O4 - HKCU\..\Run: [Bvocs] C:\Documents and Settings\Administrator\Application Data\?ssembly\n?pdb.exe
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.photowork...ImageEditor.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1136832039984
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photowork...ropUploader.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O21 - SSODL: bdmanager - {99A33923-FF5D-41E8-8B3C-E61DDBE1EAEB} - C:\WINDOWS\bdmanager.dll
O21 - SSODL: admgcx - {745BAAC0-8A69-4621-AA26-9E39434B2A92} - C:\WINDOWS\admgcx.dll
O22 - SharedTaskScheduler: Reload Browse - {A1D9D3F0-8C2A-9A1D-A376-2CACFB10AB72} - (no file)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O24 - Desktop Component 0: (no name) - http://www.crochetme...ges/cm_logo.gif

--
End of file - 7040 bytes
  • 0

#8
kahdah
Posted 25 February 2008 - 03:23 AM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please re-open Hijackthis and click on "Do a system scan only"
Then place a check mark next to these entries below:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)


Now click on Fix Checked and then close Hijackthis.
======================================
1. Please open Notepad
  • Click Start , then Run
  • type in notepad in the Run Box then hit ok.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\dmdvpnslp.dll
C:\WINDOWS\bdmanager.dll
C:\WINDOWS\admgcx.dll
C:\WINDOWS\emotigt.dll
C:\WINDOWS\fsxloqf.exe
Folder::
C:\fixwareout
C:\SDFix
C:\Program Files\AntiVirusPro
C:\Documents and Settings\Administrator\Application Data\Anti-Virus-Pro.com
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6FFDE480-14C1-43FC-BEC1-CA97A2541FFD}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Bvocs"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bdmanager"=-
"admgcx"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.

  • 0

#9
dup1998
Posted 25 February 2008 - 01:59 PM

dup1998

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here's the latest combofix log:

ComboFix 08-02-25 - Administrator 2008-02-25 10:21:54.2 - NTFSx86
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\admgcx.dll
C:\WINDOWS\bdmanager.dll
C:\WINDOWS\dmdvpnslp.dll
C:\WINDOWS\emotigt.dll
C:\WINDOWS\fsxloqf.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\Anti-Virus-Pro.com
C:\fixwareout
C:\fixwareout\dnsbak.reg
C:\fixwareout\FindT\clsid.bak
C:\fixwareout\FindT\dumphive.exe
C:\fixwareout\FindT\FixWareOut.reg
C:\fixwareout\FindT\nircmd.exe
C:\fixwareout\FindT\patterns.txt
C:\fixwareout\FindT\rbot.bat
C:\fixwareout\FindT\RestartIt.exe
C:\fixwareout\FindT\runback.txt
C:\fixwareout\FindT\runs.vbs
C:\fixwareout\FindT\swreg.exe
C:\fixwareout\FindT\vfind.exe
C:\fixwareout\FindT\XP-2K2.cmd
C:\fixwareout\FixIt.BAT
C:\fixwareout\report.txt
C:\Program Files\AntiVirusPro
C:\Program Files\AntiVirusPro\AntiVirusPro.exe
C:\Program Files\AntiVirusPro\AntiVirusPro.exe.local
C:\Program Files\AntiVirusPro\AntiVirusPro.exe.log
C:\Program Files\AntiVirusPro\Core.dll
C:\Program Files\AntiVirusPro\database.pkg
C:\Program Files\AntiVirusPro\Localization.dll
C:\Program Files\AntiVirusPro\msvcp71.dll
C:\Program Files\AntiVirusPro\msvcr71.dll
C:\Program Files\AntiVirusPro\WndSystem.dll
C:\SDFix
C:\SDFix\apps\assosfix.reg
C:\SDFix\apps\cliptext.exe
C:\SDFix\apps\download.exe
C:\SDFix\apps\dummy.exe
C:\SDFix\apps\dummy.sys
C:\SDFix\apps\Enable_Command_Prompt.reg
C:\SDFix\apps\ERDNT.E_E
C:\SDFix\apps\ERDNTDOS.LOC
C:\SDFix\apps\ERDNTWIN.LOC
C:\SDFix\apps\ERUNT.EXE
C:\SDFix\apps\ERUNT.LOC
C:\SDFix\apps\fix.reg
C:\SDFix\apps\FixBH.reg
C:\SDFix\apps\FixComponents.reg
C:\SDFix\apps\FIXCU.reg
C:\SDFix\apps\FIXLM.reg
C:\SDFix\apps\FixPath.exe
C:\SDFix\apps\FixRedir.reg
C:\SDFix\apps\FixSchedule.reg
C:\SDFix\apps\FixWebCheck.reg
C:\SDFix\apps\fixXP.reg
C:\SDFix\apps\FixXPsp2.reg
C:\SDFix\apps\grep.exe
C:\SDFix\apps\HPFix.reg
C:\SDFix\apps\HPFix2.reg
C:\SDFix\apps\HPFix3.reg
C:\SDFix\apps\HPFix4.reg
C:\SDFix\apps\HPFix5.reg
C:\SDFix\apps\HPFix6.reg
C:\SDFix\apps\HPFix7.reg
C:\SDFix\apps\isadmin.exe
C:\SDFix\apps\leg2.txt
C:\SDFix\apps\legacy.txt
C:\SDFix\apps\legacybk.txt
C:\SDFix\apps\locate.com
C:\SDFix\apps\LS.exe
C:\SDFix\apps\MD5File.exe
C:\SDFix\apps\MyGcpvFix.reg
C:\SDFix\apps\MyGkFix2.reg
C:\SDFix\apps\Process.exe
C:\SDFix\apps\procs.exe
C:\SDFix\apps\psservice.exe
C:\SDFix\apps\RegDACL.exe
C:\SDFix\apps\regedit.exe
C:\SDFix\apps\Rem.txt
C:\SDFix\apps\Rem2.txt
C:\SDFix\apps\Replace\W2K.exe
C:\SDFix\apps\Replace\w2k\beep.sys
C:\SDFix\apps\Replace\w2k\null.sys
C:\SDFix\apps\Replace\XP.exe
C:\SDFix\apps\Replace\xp\beep.sys
C:\SDFix\apps\Replace\xp\null.sys
C:\SDFix\apps\Reset_AppInit_DLLs.reg
C:\SDFix\apps\RestartIt!.exe
C:\SDFix\apps\Restore_SecurityCenter.reg
C:\SDFix\apps\Restore_SharedAccess.reg
C:\SDFix\apps\sc.exe
C:\SDFix\apps\sed.exe
C:\SDFix\apps\SF.exe
C:\SDFix\apps\shutdown.exe
C:\SDFix\apps\srv2.txt
C:\SDFix\apps\srv2bk.txt
C:\SDFix\apps\svc.txt
C:\SDFix\apps\svcbk.txt
C:\SDFix\apps\swreg.exe
C:\SDFix\apps\swsc.exe
C:\SDFix\apps\unzip.exe
C:\SDFix\apps\vfind.exe
C:\SDFix\apps\WINMSG.EXE
C:\SDFix\apps\winsec.reg
C:\SDFix\apps\zip.exe
C:\SDFix\catchme.exe
C:\SDFix\dummy.exe
C:\SDFix\dummy.sys
C:\SDFix\RunThis.bat
C:\SDFix\SDFIX_ReadMe_Online.url
C:\WINDOWS\dmdvpnslp.dll
C:\WINDOWS\emotigt.dll
C:\WINDOWS\fsxloqf.exe

.
((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
.

2008-02-24 17:43 . 2004-08-03 22:58 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2008-02-24 17:43 . 2004-08-03 22:58 14,848 --a--c--- C:\WINDOWS\system32\dllcache\kbdhid.sys
2008-02-23 17:18 . 2008-02-23 17:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-23 13:55 . 2008-02-23 13:55 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-02-23 13:30 . 2007-05-30 03:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2008-02-23 13:29 . 2008-02-23 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-25 19:13 --------- d-----w C:\Program Files\Symantec AntiVirus
2008-02-22 22:02 --------- d-----w C:\Program Files\PokerStars
2008-01-19 03:44 --------- d-----w C:\Program Files\Java
2008-01-07 01:10 --------- d-----w C:\Program Files\The Weather Channel FW
2008-01-07 01:02 --------- d-----w C:\Program Files\Common Files\xing shared
2008-01-07 01:02 --------- d-----w C:\Program Files\Common Files\Real
2008-01-07 00:55 --------- d-----w C:\Program Files\Real
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6FFDE480-14C1-43FC-BEC1-CA97A2541FFD}]
C:\WINDOWS\dmdvpnslp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 07:24 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04 1415824]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"Bvocs"="C:\Documents and Settings\Administrator\Application Data\?ssembly\n?pdb.exe" [ ]
"DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-12-20 08:10 715888]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03 36975]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2005-06-02 09:21 48752]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2005-06-23 19:27 85696]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46 57344]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-12 18:00 282624]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-10-05 22:11 866584]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06 40048]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-06 15:56 185632]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2003-11-10 09:52 34832]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 22:23:26 282624]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"bdmanager"= {99A33923-FF5D-41E8-8B3C-E61DDBE1EAEB} - C:\WINDOWS\bdmanager.dll [ ]
"admgcx"= {745BAAC0-8A69-4621-AA26-9E39434B2A92} - C:\WINDOWS\admgcx.dll [ ]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=

R3 ES1370;Creative AudioPCI (ES1370), SB PCI 64/128 (WDM);C:\WINDOWS\system32\drivers\ES1370MP.sys [2001-08-17 03:19]
R3 NtApm;NT Apm/Legacy Interface Driver;C:\WINDOWS\system32\DRIVERS\NtApm.sys [2001-08-17 04:47]
R3 nv3;nv3;C:\WINDOWS\system32\DRIVERS\nv3.sys [2001-08-17 03:50]
R3 USRTI;U.S. Robotics Faxmodem Driver TI;C:\WINDOWS\system32\DRIVERS\USRTI.SYS [2001-08-17 04:28]
S3 ALABULK;Fujifilm USB MemoryCard ReaderWriter device driver;C:\WINDOWS\system32\Drivers\ALABULK2.sys [2002-09-19 16:33]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\CDStart.Exe
\Shell\Install\Command - D:\navsetup.exe

.
Contents of the 'Scheduled Tasks' folder
"2008-02-25 19:29:53 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 10:36:03
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-25 10:41:59
ComboFix-quarantined-files.txt 2008-02-25 19:41:38
ComboFix2.txt 2008-02-25 04:14:54
.
2007-12-23 18:20:59 --- E O F ---



And the latest hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:10 AM, on 2/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7
O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {427273CC-764E-11D3-823D-006097F90453} (Pixami Image Editor Control) - http://www.photowork...ImageEditor.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1136832039984
O16 - DPF: {C915801D-6F00-49CD-8A9A-8DE5C11ADDC1} (Pixami Drag/Drop Upload UI Control) - http://www.photowork...ropUploader.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai...l/installer.exe
O22 - SharedTaskScheduler: Reload Browse - {A1D9D3F0-8C2A-9A1D-A376-2CACFB10AB72} - (no file)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O24 - Desktop Component 0: (no name) - http://www.crochetme...ges/cm_logo.gif

--
End of file - 6584 bytes
  • 0

#10
kahdah
Posted 25 February 2008 - 08:18 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Full Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatley.
  • 0

Advertisements

#11
dup1998
Posted 26 February 2008 - 03:08 PM

dup1998

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
I ran MBAM, but there is no log file listed. Should I run it again, or run hijackthis?
  • 0

#12
kahdah
Posted 26 February 2008 - 08:27 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Open Mbam again and under the Logs tab at the top see if the log is listed there.
If not then don't worry about it.

Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#13
dup1998
Posted 27 February 2008 - 11:39 AM

dup1998

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Nevermind... I ran MBAM again and here is the log:

Malwarebytes' Anti-Malware 1.05
Database version: 390

Scan type: Full Scan (A:\|C:\|)
Objects scanned: 73658
Time elapsed: 1 hour(s), 9 minute(s), 33 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 49
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 6
Files Infected: 32

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{0f63d2e1-e217-43ef-aa6d-ec2f6e9683b0} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{47d5ad4f-a86c-453a-911e-3b99f391011f} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ac221aed-1003-444c-9d63-a93d5b4a2717} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d2f31bd0-0d75-4aff-9c7f-72304834bf65} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{6361a8d7-5663-4f0f-8036-921a8d392322} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{06b30a09-5760-4994-a7f2-854644f75254} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{08001fca-2c97-41e3-9f67-596f499b725f} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{10ba262b-e944-4240-a9d6-e12accfacbc7} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{13275562-0968-4428-a926-d61a67fb25a0} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1351ed54-2094-40cf-968e-3c7f704be463} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2230f9a1-dfbb-400c-85c2-fe854d3f56bc} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{51ff5e3e-f5e7-43b5-a809-fdfbbdbe4eff} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{58dd5f8a-b280-4835-8f65-d2b3383ea4e9} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{5c3d449a-1737-4c87-929d-f3b33c32253d} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{62f2e72b-8fee-47cf-b337-36d61336e13e} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{658d9966-2eeb-47ca-abcf-1818db4fdc2d} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{7a013512-ceaf-4f5f-af1a-8b1b472e714b} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{86ecaf8e-540c-4960-82aa-1323a5578e2d} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8882515d-7e2c-45a9-ae99-ea09a9023a07} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8fe48e13-6661-444c-8b23-07623232d1f4} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{9aad0cdc-7822-4593-9e95-8c7eb256d509} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{aa8a3463-c37f-4887-b3f3-380938f89a80} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{aec39567-aa5b-4cfa-a7ea-61f4dfb15fe7} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b8e5f903-290c-4422-8ef1-89f4990cd72b} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c5bcb43c-514a-4be9-a9e5-e54629f4f131} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c7d83b29-f534-484d-9cfa-66b4484cdc53} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c8897164-1ce8-45fe-8483-e93f1681f320} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d2a39c98-0833-4581-8dc9-c7223561f656} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d725ced2-7c0e-4484-aaa4-f186c659f8b8} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d847da70-508a-480f-b91e-133d9f60ced8} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{da163414-a8e2-4907-85f4-b0ec9d4ebb78} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ee8df60b-01a8-4143-8d94-41a185a9691e} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{fe1ecf64-a6c0-4f3a-87f5-3135c517e4aa} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ff2de560-d35c-45d4-834f-90654d4e2e3d} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{ca77a455-9f2d-4449-8c5f-1d359e70f00d} (Rogue.Antivirus.Pro) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\emotigt.bsnd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\emotigt.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{54becb1c-d4ea-47b2-9b56-c6768144fdd5} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{02a89bf5-0ca6-4a9b-8573-776d1ef0fa22} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{cdc0fc73-27c5-4818-b866-40e73c088e74} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{7c76a8e9-63be-441c-a4a8-fa523e6a0741} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{1ccc8f99-3a66-4217-bf04-d45022047b2b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{9de85731-af00-4d62-875b-b2433266915f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\the weather channel desktop (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\emotigt.bsnd (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\emotigt.ToolBar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AntiVirusPro (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DW4 (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cpls\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
C:\Program Files\The Weather Channel FW (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Desktop Weather (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\The Weather Channel\Desktop Weather (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Anti Virus Pro spyware remover (Rogue.Anti.Virus.Pro) -> Quarantined and deleted successfully.

Files Infected:
C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelNE.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelQC.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelqx.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelSlnchr.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelUpdate.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\WiseInstallUtility.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\wxfw.dll (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Desktop Weather\eula.html (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Desktop Weather\INSTALL.LOG (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Desktop Weather\TheWeatherChannelCustomUninstall.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Desktop Weather\uninstall.bat (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Desktop Weather\UNWISE.EXE (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Desktop Weather\UNWISE.INI (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\INSTALL.LOG (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\TheWeatherChannelSetup.exe (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\uninstall.bat (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\UNWISE.EXE (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\UNWISE.INI (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Program Files\The Weather Channel FW\Framework\wxfw.cpl (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\The Weather Channel\Desktop Weather\Help.lnk (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\The Weather Channel\Desktop Weather\Settings.lnk (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\The Weather Channel\Desktop Weather\The Weather Channel Desktop.lnk (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\The Weather Channel\Desktop Weather\Uninstall.lnk (Adware.Hotbar) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Anti Virus Pro spyware remover\Register Anti Virus Pro spyware remover.lnk (Rogue.Anti.Virus.Pro) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Anti Virus Pro spyware remover\Start Anti Virus Pro spyware remover.lnk (Rogue.Anti.Virus.Pro) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Start Menu\Programs\Anti Virus Pro spyware remover\Uninstall.lnk (Rogue.Anti.Virus.Pro) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Anti Virus Pro spyware remover.lnk (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ClickToFindandFixErrors.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\All Users\Desktop\Anti Virus Pro spyware remover.lnk (Rogue.AntiVirusPro) -> Quarantined and deleted successfully.

Edited by dup1998, 27 February 2008 - 03:55 PM.

  • 0

#14
kahdah
Posted 27 February 2008 - 07:06 PM

kahdah

    GeekU Teacher

  • Retired Staff
  • 15,822 posts
Great :)

Please do an online scan with Kaspersky WebScanner
(This scanner is for use with internet explorer only)
Click on "Accept"

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

  • 0

#15
dup1998
Posted 28 February 2008 - 11:13 AM

dup1998

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, February 28, 2008 8:12:58 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/02/2008
Kaspersky Anti-Virus database records: 584325
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 51514
Number of viruses found: 6
Number of infected objects: 19
Number of suspicious objects: 0
Duration of the scan process: 05:18:45

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wxd7o274.default\cert8.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wxd7o274.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wxd7o274.default\history.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wxd7o274.default\key3.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wxd7o274.default\parent.lock Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wxd7o274.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\wxd7o274.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{EF0B424D-1AD2-4416-A967-1EB692D09C52} Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\wxd7o274.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\wxd7o274.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\wxd7o274.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\wxd7o274.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008022620080227\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008022720080228\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-11062006-184546.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01400000.VBN Infected: Trojan-Downloader.Win32.Zlob.ea skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06E40000.VBN Infected: Trojan-Downloader.Win32.Zlob.ea skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07480000.VBN Infected: Trojan-Downloader.Win32.Zlob.ea skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\079C0000.VBN Infected: Trojan-Downloader.Win32.Zlob.ea skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08140000.VBN Infected: Trojan-Downloader.Win32.Zlob.ea skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08180000.VBN Infected: Trojan-Downloader.Win32.Zlob.ea skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08240000.VBN Infected: Trojan-Downloader.Win32.Zlob.ea skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08280000.VBN Infected: Trojan-Downloader.Win32.Zlob.ea skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08300000.VBN Infected: Trojan-Downloader.Win32.Zlob.ea skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08340000.VBN Infected: Trojan-Downloader.Win32.Zlob.ea skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08380000.VBN Infected: not-a-virus:AdWare.Win32.Vapsup.bou skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08380001.VBN Infected: not-a-virus:AdWare.Win32.Vapsup.bov skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08440000.VBN Infected: Trojan-Downloader.Win32.Zlob.ea skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08640000.VBN Infected: Trojan.Win32.DNSChanger.as skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08640001.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08700000.VBN Infected: Trojan-Downloader.Win32.Zlob.ea skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09D00000.VBN Infected: Trojan-Downloader.Win32.Zlob.ea skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0273NAV~.TMP Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0334NAV~.TMP Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\AntiVirusPro\AntiVirusPro.exe.vir Infected: not-a-virus:FraudTool.Win32.AntiVirPro.b skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D53863EF-A5C6-48FD-B0AA-85A0E4AD2F67}\RP792\A0101277.exe Infected: not-a-virus:FraudTool.Win32.AntiVirPro.b skipped
C:\System Volume Information\_restore{D53863EF-A5C6-48FD-B0AA-85A0E4AD2F67}\RP796\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP