Please Help me remove Poison Ivy RAT [CLOSED]


  • This topic is locked

#1
WaRpEd

    New Member

  • Member
  • 8 posts
I am infected with a R.A.T. (Poison Ivy version 2.3.2). I have tried many online scanners, etc. I have tried deleting the registry key; however, when you reboot, the registry key is re-created. I then tried changing the value of the stubpath to Disabled so it was not a correct file path; however, when I rebooted, it created another stubpath. I cannot get rid of this, and have been infected for about two weeks. Could someone please help me? Does anyone have any other ideas for removing this RAT other than a re-format, because I have lost my Windows CD? Please post any answers or ideas you may have, or email me at REMOVED EMAIL ADDRESS to help me fix this. Thank you.

Here is my HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:21:06 PM, on 5/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Ty\Desktop\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
F2 - REG:system.ini: Shell=Explorer.exe
O1 - Hosts: 65.75.216.6 www.winmx.com err.winmx.com
O1 - Hosts: 205.238.40.54 www.winmx.com err.winmx.com
O1 - Hosts: 65.75.216.6 cache0.winmx.com test3201.winmx.com test3206.winmx.com
O1 - Hosts: 65.75.216.7 cache1.winmx.com test3202.winmx.com test3207.winmx.com
O1 - Hosts: 82.43.229.238 cache2.winmx.com test3203.winmx.com test3208.winmx.com
O1 - Hosts: 205.238.40.1 cache3.winmx.com test3204.winmx.com
O1 - Hosts: 205.238.40.2 cache4.winmx.com test3205.winmx.com
O1 - Hosts: 65.75.216.6 c3310.z1301.winmx.com c3310.z1302.winmx.com c3310.z1303.winmx.com c3310.z1304.winmx.com c3310.z1305.winmx.com c3310.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3311.z1301.winmx.com c3311.z1302.winmx.com c3311.z1303.winmx.com c3311.z1304.winmx.com c3311.z1305.winmx.com c3311.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3312.z1301.winmx.com c3312.z1302.winmx.com c3312.z1303.winmx.com c3312.z1304.winmx.com c3312.z1305.winmx.com c3312.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3313.z1301.winmx.com c3313.z1302.winmx.com c3313.z1303.winmx.com c3313.z1304.winmx.com c3313.z1305.winmx.com c3313.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3314.z1301.winmx.com c3314.z1302.winmx.com c3314.z1303.winmx.com c3314.z1304.winmx.com c3314.z1305.winmx.com c3314.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3315.z1301.winmx.com c3315.z1302.winmx.com c3315.z1303.winmx.com c3315.z1304.winmx.com c3315.z1305.winmx.com c3315.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3316.z1301.winmx.com c3316.z1302.winmx.com c3316.z1303.winmx.com c3316.z1304.winmx.com c3316.z1305.winmx.com c3316.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3317.z1301.winmx.com c3317.z1302.winmx.com c3317.z1303.winmx.com c3317.z1304.winmx.com c3317.z1305.winmx.com c3317.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3318.z1301.winmx.com c3318.z1302.winmx.com c3318.z1303.winmx.com c3318.z1304.winmx.com c3318.z1305.winmx.com c3318.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3319.z1301.winmx.com c3319.z1302.winmx.com c3319.z1303.winmx.com c3319.z1304.winmx.com c3319.z1305.winmx.com c3319.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3520.z1301.winmx.com c3520.z1302.winmx.com c3520.z1303.winmx.com c3520.z1304.winmx.com c3520.z1305.winmx.com c3520.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3521.z1301.winmx.com c3521.z1302.winmx.com c3521.z1303.winmx.com c3521.z1304.winmx.com c3521.z1305.winmx.com c3521.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3522.z1301.winmx.com c3522.z1302.winmx.com c3522.z1303.winmx.com c3522.z1304.winmx.com c3522.z1305.winmx.com c3522.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3523.z1301.winmx.com c3523.z1302.winmx.com c3523.z1303.winmx.com c3523.z1304.winmx.com c3523.z1305.winmx.com c3523.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3524.z1301.winmx.com c3524.z1302.winmx.com c3524.z1303.winmx.com c3524.z1304.winmx.com c3524.z1305.winmx.com c3524.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3525.z1301.winmx.com c3525.z1302.winmx.com c3525.z1303.winmx.com c3525.z1304.winmx.com c3525.z1305.winmx.com c3525.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3526.z1301.winmx.com c3526.z1302.winmx.com c3526.z1303.winmx.com c3526.z1304.winmx.com c3526.z1305.winmx.com c3526.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3527.z1301.winmx.com c3527.z1302.winmx.com c3527.z1303.winmx.com c3527.z1304.winmx.com c3527.z1305.winmx.com c3527.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3528.z1301.winmx.com c3528.z1302.winmx.com c3528.z1303.winmx.com c3528.z1304.winmx.com c3528.z1305.winmx.com c3528.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3529.z1301.winmx.com c3529.z1302.winmx.com c3529.z1303.winmx.com c3529.z1304.winmx.com c3529.z1305.winmx.com c3529.z1306.winmx.com
O1 - Hosts: 65.75.216.6 winmx-com.winmxgroup.com winmx-com-v30.winmxgroup.com
O1 - Hosts: 205.238.40.54 winmx-com.winmxgroup.com winmx-com-v30.winmxgroup.com
O1 - Hosts: 65.75.216.6 test0.winmxgroup.net test5.winmxgroup.net
O1 - Hosts: 65.75.216.7 test1.winmxgroup.net test6.winmxgroup.net
O1 - Hosts: 82.43.229.238 test2.winmxgroup.net
O1 - Hosts: 205.238.40.1 test3.winmxgroup.net
O1 - Hosts: 205.238.40.2 test4.winmxgroup.net
O1 - Hosts: 65.75.216.6 cache0.winmxgroup.com cache5.winmxgroup.com cache0.winmxgroup.net cache5.winmxgroup.net cache10.winmxgroup.net cache15.winmxgroup.net
O1 - Hosts: 65.75.216.7 cache1.winmxgroup.com cache6.winmxgroup.com cache1.winmxgroup.net cache6.winmxgroup.net cache11.winmxgroup.net cache16.winmxgroup.net
O1 - Hosts: 82.43.229.238 cache2.winmxgroup.com cache7.winmxgroup.com cache2.winmxgroup.net cache7.winmxgroup.net cache12.winmxgroup.net cache17.winmxgroup.net
O1 - Hosts: 205.238.40.1 cache3.winmxgroup.com cache8.winmxgroup.com cache3.winmxgroup.net cache8.winmxgroup.net cache13.winmxgroup.net cache18.winmxgroup.net
O1 - Hosts: 205.238.40.2 cache4.winmxgroup.com cache9.winmxgroup.com cache4.winmxgroup.net cache9.winmxgroup.net cache14.winmxgroup.net cache19.winmxgroup.net
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WinLoader] windows.com
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [msnmsgr] C:\WINDOWS\system32:msnmsgr.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/b...lineScanner.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IRCPlus - Mad-Web Networks - C:\Program Files\IRCPlus\IRCPlus.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 11505 bytes
  • 0



#2
RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Hi there,

Welcome to GeeksToGo. My name is RatHat, and I couldn't resist this log!


OK, firstly, I need you to print out each post I make so that you can refer to it while we fix your computer. This is because there will be times when you are unable to be online to read my instructions, and I will want you to do everything very carefully. I also need you to follow my instructions in the order that they are given. If, however, you cannot carry out one of them, please continue on with the next and let me know what you were unsuccessful with. Please ensure you turn off word wrap in Notepad. To do this, open Notepad, choose Format, then un-check Word Wrap. (Word Wrap makes reading your log difficult.)

Next, I would like to make sure that you can view hidden files and folders;
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading SELECT Show hidden files and folders.
  • UNCHECK the Hide protected operating system files (recommended) option.
  • UNCHECK the Hide extensions for known file types option.
  • Click Yes to confirm.
  • Click OK.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O1 - Hosts: 65.75.216.6 www.winmx.com err.winmx.com
O1 - Hosts: 205.238.40.54 www.winmx.com err.winmx.com
O1 - Hosts: 65.75.216.6 cache0.winmx.com test3201.winmx.com test3206.winmx.com
O1 - Hosts: 65.75.216.7 cache1.winmx.com test3202.winmx.com test3207.winmx.com
O1 - Hosts: 82.43.229.238 cache2.winmx.com test3203.winmx.com test3208.winmx.com
O1 - Hosts: 205.238.40.1 cache3.winmx.com test3204.winmx.com
O1 - Hosts: 205.238.40.2 cache4.winmx.com test3205.winmx.com
O1 - Hosts: 65.75.216.6 c3310.z1301.winmx.com c3310.z1302.winmx.com c3310.z1303.winmx.com c3310.z1304.winmx.com c3310.z1305.winmx.com c3310.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3311.z1301.winmx.com c3311.z1302.winmx.com c3311.z1303.winmx.com c3311.z1304.winmx.com c3311.z1305.winmx.com c3311.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3312.z1301.winmx.com c3312.z1302.winmx.com c3312.z1303.winmx.com c3312.z1304.winmx.com c3312.z1305.winmx.com c3312.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3313.z1301.winmx.com c3313.z1302.winmx.com c3313.z1303.winmx.com c3313.z1304.winmx.com c3313.z1305.winmx.com c3313.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3314.z1301.winmx.com c3314.z1302.winmx.com c3314.z1303.winmx.com c3314.z1304.winmx.com c3314.z1305.winmx.com c3314.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3315.z1301.winmx.com c3315.z1302.winmx.com c3315.z1303.winmx.com c3315.z1304.winmx.com c3315.z1305.winmx.com c3315.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3316.z1301.winmx.com c3316.z1302.winmx.com c3316.z1303.winmx.com c3316.z1304.winmx.com c3316.z1305.winmx.com c3316.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3317.z1301.winmx.com c3317.z1302.winmx.com c3317.z1303.winmx.com c3317.z1304.winmx.com c3317.z1305.winmx.com c3317.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3318.z1301.winmx.com c3318.z1302.winmx.com c3318.z1303.winmx.com c3318.z1304.winmx.com c3318.z1305.winmx.com c3318.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3319.z1301.winmx.com c3319.z1302.winmx.com c3319.z1303.winmx.com c3319.z1304.winmx.com c3319.z1305.winmx.com c3319.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3520.z1301.winmx.com c3520.z1302.winmx.com c3520.z1303.winmx.com c3520.z1304.winmx.com c3520.z1305.winmx.com c3520.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3521.z1301.winmx.com c3521.z1302.winmx.com c3521.z1303.winmx.com c3521.z1304.winmx.com c3521.z1305.winmx.com c3521.z1306.winmx.com
O1 - Hosts: 65.75.216.6 c3522.z1301.winmx.com c3522.z1302.winmx.com c3522.z1303.winmx.com c3522.z1304.winmx.com c3522.z1305.winmx.com c3522.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3523.z1301.winmx.com c3523.z1302.winmx.com c3523.z1303.winmx.com c3523.z1304.winmx.com c3523.z1305.winmx.com c3523.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3524.z1301.winmx.com c3524.z1302.winmx.com c3524.z1303.winmx.com c3524.z1304.winmx.com c3524.z1305.winmx.com c3524.z1306.winmx.com
O1 - Hosts: 65.75.216.7 c3525.z1301.winmx.com c3525.z1302.winmx.com c3525.z1303.winmx.com c3525.z1304.winmx.com c3525.z1305.winmx.com c3525.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3526.z1301.winmx.com c3526.z1302.winmx.com c3526.z1303.winmx.com c3526.z1304.winmx.com c3526.z1305.winmx.com c3526.z1306.winmx.com
O1 - Hosts: 82.43.229.238 c3527.z1301.winmx.com c3527.z1302.winmx.com c3527.z1303.winmx.com c3527.z1304.winmx.com c3527.z1305.winmx.com c3527.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3528.z1301.winmx.com c3528.z1302.winmx.com c3528.z1303.winmx.com c3528.z1304.winmx.com c3528.z1305.winmx.com c3528.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3529.z1301.winmx.com c3529.z1302.winmx.com c3529.z1303.winmx.com c3529.z1304.winmx.com c3529.z1305.winmx.com c3529.z1306.winmx.com
O1 - Hosts: 65.75.216.6 winmx-com.winmxgroup.com winmx-com-v30.winmxgroup.com
O1 - Hosts: 205.238.40.54 winmx-com.winmxgroup.com winmx-com-v30.winmxgroup.com
O1 - Hosts: 65.75.216.6 test0.winmxgroup.net test5.winmxgroup.net
O1 - Hosts: 65.75.216.7 test1.winmxgroup.net test6.winmxgroup.net
O1 - Hosts: 82.43.229.238 test2.winmxgroup.net
O1 - Hosts: 205.238.40.1 test3.winmxgroup.net
O1 - Hosts: 205.238.40.2 test4.winmxgroup.net
O1 - Hosts: 65.75.216.6 cache0.winmxgroup.com cache5.winmxgroup.com cache0.winmxgroup.net cache5.winmxgroup.net cache10.winmxgroup.net cache15.winmxgroup.net
O1 - Hosts: 65.75.216.7 cache1.winmxgroup.com cache6.winmxgroup.com cache1.winmxgroup.net cache6.winmxgroup.net cache11.winmxgroup.net cache16.winmxgroup.net
O1 - Hosts: 82.43.229.238 cache2.winmxgroup.com cache7.winmxgroup.com cache2.winmxgroup.net cache7.winmxgroup.net cache12.winmxgroup.net cache17.winmxgroup.net
O1 - Hosts: 205.238.40.1 cache3.winmxgroup.com cache8.winmxgroup.com cache3.winmxgroup.net cache8.winmxgroup.net cache13.winmxgroup.net cache18.winmxgroup.net
O1 - Hosts: 205.238.40.2 cache4.winmxgroup.com cache9.winmxgroup.com cache4.winmxgroup.net cache9.winmxgroup.net cache14.winmxgroup.net cache19.winmxgroup.net

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Download the HostsXpert 4.2 - Hosts File Manager.
  • Unzip HostsXpert 4.2 - Hosts File Manager to a convenient folder such as C:\HostsXpert 4.2 - Hosts File Manager
  • Run HostsXpert 4.2 - Hosts File Manager from its new home
  • Click on "File Handling".
  • Click on "Restore MS Hosts File".
  • Click OK on the Confirmation box.
  • Now let's import a custom hosts file to block unwanted sites:
    • Right click Here and save hosts.txt to your Desktop
    • In HostsXpert 4.2 click Import Options
    • Click Replace Hosts File
    • In the Select File dialog, navigate to your Desktop and choose hosts.txt
    • Click the Open button
    • Click OK to Replace Your Hosts File
  • Click on "Make Read Only?"
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please read this Combofix tutorial before continuing, then follow the instructions below.

Please ensure you read this guide carefully and install the Recovery Console first.

Next, download ComboFix from Here or Here to your Desktop.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System.


Download the file & save it as it's originally named, next to ComboFix.exe.


Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should see a blue screen prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:
  • Close/disable all antivirus and anti-malware programs so they do not interfere with the running of ComboFix.
  • Click Yes to allow ComboFix to continue scanning for malware.
When the tool is finished, it will produce a report for you. Save this log to your desktop as Combofix.txt and post it in your next reply.

(Note: Combofix will also save the report to C:\Combofix.txt)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


So in your next reply, please include the following logs:
  • The contents of Combofix.txt
  • A fresh HijackThis log, taken after completing the above
Regards,
RatHat
  • 0
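A note on what the first log actually shows, with an added example. This code is not part of the thread and is not a HijackThis or ComboFix feature. Two of the O4 lines in the first post are the interesting ones: `[WinLoader] windows.com` has no path at all, so whatever runs is whatever the PATH search order finds first at logon, and `[msnmsgr] C:\WINDOWS\system32:msnmsgr.exe` is not a file inside system32 but an NTFS alternate data stream attached to the system32 folder, which Explorer and the XP `dir` command do not list; it also reuses the value name of the genuine MSN Messenger entry in HKCU. The StubPath the poster kept editing lives under HKLM\...\Active Setup\Installed Components, which Windows runs once per user profile at logon; an autostart entry removed while the process that writes it is still resident can simply be rewritten, which matches what the poster observed. The Python below triages HijackThis O1/O4 lines and a ComboFix-style Active Setup dump for exactly these patterns. The sample lines are constructed to mirror the posted entries (the CLSID is the one ComboFix printed later in this thread), and the heuristics (`ads`, `bare-name`, `name-collision`, non-blocking hosts redirects) are this example's own, not vendor signatures.

```python
"""Triage of HijackThis O1/O4 lines and a ComboFix-style Active Setup dump.
Added example: not part of the forum thread, not a HijackThis/ComboFix feature.
Sample text is constructed to mirror the posted entries; heuristics are this
example's own."""
import re
from collections import namedtuple

# Constructed sample: O1/O4 lines in the format HijackThis prints.
SAMPLE_HJT = r"""
O1 - Hosts: 65.75.216.6 www.winmx.com err.winmx.com
O1 - Hosts: 127.0.0.1 ad.doubleclick.net
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [WinLoader] windows.com
O4 - HKLM\..\Run: [msnmsgr] C:\WINDOWS\system32:msnmsgr.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
"""

# Constructed sample in the layout ComboFix uses for Active Setup entries
# (key on one line, StubPath target on the next).
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2ED6983B-328F-E271-B6B8-A5F09F42CBA8}]
C:\WINDOWS\system32:msnmsgr.exe
"""

O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+) (?P<names>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# <drive>:\<path>:<stream>: a second colon after the drive letter means an
# NTFS alternate data stream, which Explorer and "dir" on XP do not list.
ADS_RE = re.compile(r"^[A-Za-z]:\\[^:]*:[^\\:]+$")
ACTIVE_SETUP_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\software\\microsoft\\active setup\\installed components\\"
    r"(?P<clsid>\{[0-9A-Fa-f-]+\})\]\r?\n(?P<target>[^\n\[]+)",
    re.IGNORECASE | re.MULTILINE,
)
# Hosts entries that block rather than redirect point at one of these.
BLOCKING_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

O4Entry = namedtuple("O4Entry", "hive name cmd image")  # image: exe part of cmd


def parse_o4(line: str):
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").strip()
    image = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return O4Entry(m.group("hive"), m.group("name"), cmd, image)


def is_ads_path(image: str) -> bool:
    return bool(ADS_RE.match(image))


def triage_o4(log_text: str):
    """Return (value_name, reason, detail) tuples for O4 lines worth a look."""
    entries = [e for e in map(parse_o4, log_text.splitlines()) if e]
    findings = []
    for e in entries:
        if is_ads_path(e.image):
            findings.append((e.name, "ads", e.image))
        elif "\\" not in e.image:
            # No directory: resolved through the PATH search order at logon,
            # so confirm which file actually runs before trusting it.
            findings.append((e.name, "bare-name", e.image))
    # Same value name in HKLM and HKCU pointing at different images is the
    # masquerade in the posted log (a fake "msnmsgr" beside the real one).
    images_by_name = {}
    for e in entries:
        images_by_name.setdefault(e.name.lower(), set()).add(e.image.lower())
    for name, images in images_by_name.items():
        if len(images) > 1:
            findings.append((name, "name-collision", " | ".join(sorted(images))))
    return findings


def hosts_redirects(log_text: str):
    """O1 lines that map a name to a real address (a redirect), not a block."""
    out = []
    for line in log_text.splitlines():
        m = O1_RE.match(line.strip())
        if m and m.group("ip") not in BLOCKING_ADDRS:
            out.append((m.group("ip"), m.group("names").split()))
    return out


def active_setup_findings(reg_text: str):
    """Every non-default StubPath in the dump; ADS targets are tagged 'ads'.
    Active Setup runs the StubPath once per user profile at logon."""
    out = []
    for m in ACTIVE_SETUP_RE.finditer(reg_text):
        target = m.group("target").strip()
        out.append((m.group("clsid"), "ads" if is_ads_path(target) else "review", target))
    return out


if __name__ == "__main__":
    for f in triage_o4(SAMPLE_HJT) + active_setup_findings(SAMPLE_REG):
        print(*f)
    for ip, names in hosts_redirects(SAMPLE_HJT):
        print("hosts-redirect", ip, *names)
```

To use it on a real case, read a saved HijackThis log and pass its text to `triage_o4` and `hosts_redirects`, and the ComboFix "Reg Loading Points" section to `active_setup_findings`. Anything tagged `ads` or `name-collision` is worth dumping (Sysinternals `streams.exe` works on XP) before it is fixed, and an Active Setup StubPath should be removed only after the process it launches has been stopped, since a resident implant can rewrite the key, as the poster saw. A `bare-name` hit on its own is only a prompt to check which file the PATH resolves it to; `RTHDCPL.EXE` in the posted log is a legitimate Realtek entry.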

#3
WaRpEd

    New Member

  • Topic Starter
  • Member
  • 8 posts
Hey, thanks for responding so quickly. I followed all your steps exactly as stated above, and here is my Combofix.txt:
ComboFix 08-05-24.1 - Ty 2008-05-25 10:40:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.231 [GMT -4:00]
Running from: C:\Documents and Settings\Ty\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ty\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NAVAPSVC
-------\Service_navapsvc


((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.

2008-05-25 09:00 . 2008-05-25 09:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-25 08:55 . 2008-05-25 08:55 <DIR> d-------- C:\Documents and Settings\Ty\Application Data\Lavasoft
2008-05-25 08:48 . 2008-05-25 08:48 <DIR> d-------- C:\SavedPetz
2008-05-24 21:06 . 2008-05-24 21:06 <DIR> d-------- C:\Documents and Settings\Ty\Application Data\Uniblue
2008-05-22 21:48 . 2008-05-24 21:41 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-17 21:54 . 2008-05-24 21:35 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-05-10 15:42 . 2008-05-10 15:42 <DIR> d-------- C:\Documents and Settings\Ty\Application Data\PenProtect
2008-05-10 10:55 . 2008-05-10 10:55 <DIR> d-------- C:\Documents and Settings\Ty\Incomplete
2008-05-10 10:55 . 2008-05-11 00:52 <DIR> d-------- C:\Documents and Settings\Ty\Application Data\LimeWire
2008-05-10 09:41 . 2008-05-21 18:35 <DIR> d-------- C:\Program Files\Obsidium Software Protection System
2008-05-07 22:36 . 2008-05-07 22:36 140,096 --a------ C:\WINDOWS\system32\comdlg32.ocx
2008-05-07 21:23 . 2008-05-07 21:23 0 --a------ C:\WINDOWS\game.INI
2008-05-06 19:10 . 2008-05-06 19:10 <DIR> d-------- C:\WINDOWS\BBSTORE
2008-05-06 19:10 . 2008-05-06 19:13 <DIR> d-------- C:\Program Files\The Learning Company
2008-05-06 19:10 . 2008-05-06 19:10 0 --a------ C:\WINDOWS\SETUP32.INI
2008-05-05 23:36 . 2008-05-07 22:36 389,120 ---hs---- C:\WINDOWS\system32\actskn43.ocx
2008-05-05 23:36 . 2008-05-05 23:36 147,456 --a------ C:\WINDOWS\system32\XTab.ocx
2008-05-04 20:56 . 2008-05-04 20:56 <DIR> d-------- C:\WINDOWS\Sun
2008-05-03 19:05 . 2008-05-03 19:05 <DIR> d--h----- C:\WINDOWS\PIF
2008-05-03 19:00 . 2008-05-03 19:02 278,692 --a------ C:\upx.exe
2008-05-03 15:04 . 2008-05-03 15:04 <DIR> d-------- C:\Program Files\Hex Workshop
2008-04-29 05:26 . 2008-05-03 13:50 <DIR> d-------- C:\Documents and Settings\Ty\workspace
2008-04-29 05:25 . 2008-04-29 05:25 <DIR> d-------- C:\Program Files\Sun
2008-04-29 05:25 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-29 05:22 . 2008-04-29 05:22 <DIR> d-------- C:\Program Files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 14:51 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-25 13:44 --------- d-----w C:\Program Files\FlashGet
2008-05-25 12:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-25 01:33 --------- d-----w C:\Program Files\ArtMoney
2008-05-25 01:30 --------- d-----w C:\Program Files\No-IP
2008-04-29 09:25 --------- d-----w C:\Program Files\Java
2008-04-21 00:01 --------- d-----w C:\Program Files\SuperScan
2008-04-19 01:14 --------- d-----w C:\Program Files\THQ
2008-04-17 01:23 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-14 22:43 --------- d-----w C:\Program Files\IRCPlus
2008-04-14 22:33 --------- d-----w C:\Documents and Settings\Ty\Application Data\Ventrilo
2008-04-14 21:55 --------- d-----w C:\Documents and Settings\Ty\Application Data\mIRC
2008-04-14 21:53 --------- d-----w C:\Program Files\mIRC
2008-04-12 20:51 --------- d-----w C:\Documents and Settings\Ty\Application Data\Apple Computer
2008-04-12 20:50 --------- d-----w C:\Documents and Settings\Ty\Application Data\vlc
2008-04-12 03:31 --------- d-----w C:\Documents and Settings\abc\Application Data\ATI
2008-04-03 07:14 --------- d-----w C:\Documents and Settings\Ty\Application Data\ATI
2008-04-01 21:31 --------- d-----w C:\Program Files\MSN Messenger
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 10:58 16264192 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 23:22 50880]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 23:23 34504]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 11:56 286720]
"WinLoader"="windows.com" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"@"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\mIRC\\WangScript\\mirc.exe"=
"C:\\Games\\Shaiya\\Updater.exe"=
"C:\\Program Files\\IRCPlus\\IRCPlus.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Documents and Settings\\Ty\\Desktop\\New Folder\\winmx354b4.exe"=
"C:\\Documents and Settings\\Ty\\Desktop\\eclipse-java-europa-winter-win32\\eclipse\\eclipse.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Documents and Settings\\Ty\\Desktop\\RATs\\Pi_2.3.2_Unpacked\\UnPacked Poison Ivy 2.3.2.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\VentSrv\\ventrilo_srv.exe"=

S2 IRCPlus;IRCPlus;C:\Program Files\IRCPlus\IRCPlus.exe [1999-10-17 21:46]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2ED6983B-328F-E271-B6B8-A5F09F42CBA8}]
C:\WINDOWS\system32:msnmsgr.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-05-21 02:31:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-17 00:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-05-25 14:57:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 10:50:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


C:\WINDOWS\TEMP\~DF35A8.tmp

scan completed successfully
hidden files: 1

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\taskmgr.exe
.
**************************************************************************
.
Completion time: 2008-05-25 10:57:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-25 14:57:50

Pre-Run: 5,232,185,344 bytes free
Post-Run: 5,384,769,536 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /noexecute=optin /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

159 --- E O F --- 2008-05-16 01:33:55

As well as my new HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:59:39 AM, on 5/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Documents and Settings\Ty\Desktop\HiJackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft....k/?LinkId=74005
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [WinLoader] windows.com
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewi...oOnlineScan.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/b...lineScanner.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IRCPlus - Mad-Web Networks - C:\Program Files\IRCPlus\IRCPlus.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: SecuROM User Access Service (V7) (UserAccess7) - Unknown owner - C:\WINDOWS\system32\UAService7.exe

--
End of file - 6283 bytes

Please just let me know if there's anything else I need to do :)

#4
RatHat
    Ex Malware Expert
  • Expert
  • 7,829 posts
1. Please open Notepad
  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\upx.exe

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uniblue RegistryBooster 2"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinLoader"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"@"=-

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Documents and Settings\\Ty\\Desktop\\RATs\\Pi_2.3.2_Unpacked\\UnPacked Poison Ivy 2.3.2.exe"=-


3. Save the above as CFScript.txt

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the Combofix log in your next reply.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use the Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy & Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with one of two prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~


Please run an online scan with Kaspersky WebScanner. Note: You must use Internet Explorer to run this scan.

Click the Accept button.

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display the results if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop as Kaspersky.txt.
  • Copy and paste that information in your next post.


Regards,
RatHat
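A note on why the CFScript above works where hand-editing did not. The script removes four things in one pass: the dropped file (C:\upx.exe), the "WinLoader" Run value (the same entry that shows up in the HijackThis log as O4 - HKLM\..\Run: [WinLoader] windows.com), the unnamed RunServices value, and a Windows Firewall exception for the unpacked Poison Ivy server on the Desktop. As long as the RAT is still executing (Poison Ivy runs injected inside another process, so there is no obvious process of its own to kill), it rewrites its autostart entry as fast as it is deleted, which is exactly what the original poster saw when changing the StubPath by hand; ComboFix stops running processes before it applies the script. Two persistence points in this thread are also easy to miss: HijackThis has no section for Active Setup "Installed Components", so a StubPath never appears in an HJT log but does appear in ComboFix's "Reg Loading Points" output, and the StubPath ComboFix reports here, C:\WINDOWS\system32:msnmsgr.exe, is not a file inside system32 but an NTFS alternate data stream attached to the system32 directory, which Explorer and dir do not show (Sysinternals Streams does).

The Python script below is an added example, not part of this thread, of ComboFix, or of HijackThis. It parses a ComboFix-style REGEDIT4 "Reg Loading Points" dump (a constructed sample modelled on the entries posted in this thread, not a live export) and flags the autostart patterns seen here: a Run value whose target is a bare filename that ComboFix could not find (an empty []), an unnamed RunServices value, Security Center override/notify flags, firewall exceptions for programs under user-writable paths, and Active Setup StubPaths that launch an alternate data stream. The regexes, the Finding structure and the "user-writable" path list are my own choices.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input (not a live export): a slice of a ComboFix "Reg Loading Points"
# dump in REGEDIT4 style, modelled on the entries posted in this thread.
SAMPLE_DUMP = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 23:22 50880]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 10:58 16264192 C:\WINDOWS\RTHDCPL.exe]
"WinLoader"="windows.com" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"@"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Documents and Settings\\Ty\\Desktop\\RATs\\Pi_2.3.2_Unpacked\\UnPacked Poison Ivy 2.3.2.exe"=

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2ED6983B-328F-E271-B6B8-A5F09F42CBA8}]
C:\WINDOWS\system32:msnmsgr.exe
"""

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')
# ComboFix writes Run values as "target" [date time size resolved-path]; an empty []
# means it could not find the target on disk.
RUN_DATA_RE = re.compile(r'^"([^"]*)"\s*(?:\[(.*)\])?$')
ABS_PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|%[A-Za-z_]+%\\)")
# A second colon after the drive letter names an NTFS alternate data stream: host:stream
ADS_RE = re.compile(r"^([A-Za-z]:\\[^:]*):([^:\\/]+)$")
# Assumed list of locations a non-admin user can write to on XP (my choice, not ComboFix's)
USER_WRITABLE_RE = re.compile(r"Documents and Settings|\\Desktop\\|\\Temp\\|Application Data", re.I)
SECURITY_CENTER_OVERRIDES = {"antivirusoverride", "antivirusdisablenotify",
                             "firewalloverride", "firewalldisablenotify", "disablemonitoring"}


@dataclass(frozen=True)
class Finding:
    key: str
    name: str
    data: str
    reason: str


def split_ads(path: str) -> Tuple[str, Optional[str]]:
    """Split 'C:\\dir:stream' into (host, stream); stream is None for an ordinary path."""
    m = ADS_RE.match(path)
    return (m.group(1), m.group(2)) if m else (path, None)


def parse_dump(text: str) -> List[Tuple[str, Optional[str], str]]:
    """Return (key, value name, raw data) triples. Bare lines under a key (ComboFix prints
    Active Setup StubPaths that way) come back with name=None."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4" or line.startswith((".", "*")):
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        if key is None:
            continue
        m = VALUE_RE.match(line)
        entries.append((key, m.group(1), m.group(2).strip()) if m else (key, None, line))
    return entries


def audit(text: str) -> List[Finding]:
    findings: List[Finding] = []
    for key, name, data in parse_dump(text):
        k = key.lower()
        if k.endswith("\\currentversion\\run") or k.endswith("\\currentversion\\runservices"):
            if name in ("", "@"):
                findings.append(Finding(key, name, data, "unnamed (default) value in an autostart key"))
                continue
            m = RUN_DATA_RE.match(data)
            target, resolved = (m.group(1), m.group(2)) if m else (data, None)
            if not ABS_PATH_RE.match(target) and not resolved:
                findings.append(Finding(key, name, data,
                                        "bare filename loaded via PATH search; ComboFix found no file ([])"))
        elif "security center" in k and name and name.lower() in SECURITY_CENTER_OVERRIDES:
            if data.lower() == "dword:00000001":
                findings.append(Finding(key, name, data, "Security Center monitoring/alerts suppressed"))
        elif "authorizedapplications" in k and name and USER_WRITABLE_RE.search(name):
            findings.append(Finding(key, name, data, "firewall exception for a program under a user-writable path"))
        elif "installed components" in k:
            host, stream = split_ads(data.strip('"'))
            if stream:
                findings.append(Finding(key, name or "StubPath", data,
                                        f"Active Setup StubPath runs alternate data stream '{stream}' attached to {host}"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_DUMP):
        print(f"[{f.key}]\n  {f.name} = {f.data}\n  -> {f.reason}")
```

Run it on the "Reg Loading Points" section pasted out of any ComboFix log. The two legitimate Run values in the sample (ccApp, and RTHDCPL, which is also a bare filename but one ComboFix resolved to C:\WINDOWS\RTHDCPL.exe) are deliberately left unflagged so the "bare name" rule only fires when the file is missing, as it was for "windows.com". Whatever this flags still has to be removed with the RAT not running, and the stream and its Active Setup key have to go together, or the entry simply comes back.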

#5
WaRpEd
    New Member
  • Topic Starter
  • Member
  • 8 posts
Alright, so before I drag the file onto combofix.exe, am I supposed to exit all programs again and disable AV? And just to clarify, in the next post you want to see the new combofix.txt, a report from Malwarebytes' Anti-Malware, and Kaspersky WebScanner?
Edit: Sorry fixed problem, starting ATF now

Edited by WaRpEd, 25 May 2008 - 10:52 AM.


#6
WaRpEd
    New Member
  • Topic Starter
  • Member
  • 8 posts
Okay so here is my second ComboFix.txt:
ComboFix 08-05-24.1 - Ty 2008-05-25 12:37:54.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.267 [GMT -4:00]
Running from: C:\Documents and Settings\Ty\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Ty\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\upx.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\upx.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_NAVAPSVC
-------\Service_navapsvc


((((((((((((((((((((((((( Files Created from 2008-04-25 to 2008-05-25 )))))))))))))))))))))))))))))))
.

2008-05-25 09:00 . 2008-05-25 09:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-25 08:55 . 2008-05-25 08:55 <DIR> d-------- C:\Documents and Settings\Ty\Application Data\Lavasoft
2008-05-25 08:48 . 2008-05-25 08:48 <DIR> d-------- C:\SavedPetz
2008-05-24 21:06 . 2008-05-24 21:06 <DIR> d-------- C:\Documents and Settings\Ty\Application Data\Uniblue
2008-05-22 21:48 . 2008-05-24 21:41 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-17 21:54 . 2008-05-24 21:35 <DIR> d-------- C:\Program Files\Common Files\Adobe
2008-05-10 15:42 . 2008-05-10 15:42 <DIR> d-------- C:\Documents and Settings\Ty\Application Data\PenProtect
2008-05-10 10:55 . 2008-05-10 10:55 <DIR> d-------- C:\Documents and Settings\Ty\Incomplete
2008-05-10 10:55 . 2008-05-11 00:52 <DIR> d-------- C:\Documents and Settings\Ty\Application Data\LimeWire
2008-05-10 09:41 . 2008-05-21 18:35 <DIR> d-------- C:\Program Files\Obsidium Software Protection System
2008-05-07 22:36 . 2008-05-07 22:36 140,096 --a------ C:\WINDOWS\system32\comdlg32.ocx
2008-05-07 21:23 . 2008-05-07 21:23 0 --a------ C:\WINDOWS\game.INI
2008-05-06 19:10 . 2008-05-06 19:10 <DIR> d-------- C:\WINDOWS\BBSTORE
2008-05-06 19:10 . 2008-05-06 19:13 <DIR> d-------- C:\Program Files\The Learning Company
2008-05-06 19:10 . 2008-05-06 19:10 0 --a------ C:\WINDOWS\SETUP32.INI
2008-05-05 23:36 . 2008-05-07 22:36 389,120 ---hs---- C:\WINDOWS\system32\actskn43.ocx
2008-05-05 23:36 . 2008-05-05 23:36 147,456 --a------ C:\WINDOWS\system32\XTab.ocx
2008-05-04 20:56 . 2008-05-04 20:56 <DIR> d-------- C:\WINDOWS\Sun
2008-05-03 19:05 . 2008-05-03 19:05 <DIR> d--h----- C:\WINDOWS\PIF
2008-05-03 15:04 . 2008-05-03 15:04 <DIR> d-------- C:\Program Files\Hex Workshop
2008-04-29 05:26 . 2008-05-03 13:50 <DIR> d-------- C:\Documents and Settings\Ty\workspace
2008-04-29 05:25 . 2008-04-29 05:25 <DIR> d-------- C:\Program Files\Sun
2008-04-29 05:25 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-04-29 05:22 . 2008-04-29 05:22 <DIR> d-------- C:\Program Files\Common Files\Java

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-25 16:46 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-25 13:44 --------- d-----w C:\Program Files\FlashGet
2008-05-25 12:48 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-25 01:33 --------- d-----w C:\Program Files\ArtMoney
2008-05-25 01:30 --------- d-----w C:\Program Files\No-IP
2008-04-29 09:25 --------- d-----w C:\Program Files\Java
2008-04-21 00:01 --------- d-----w C:\Program Files\SuperScan
2008-04-19 01:14 --------- d-----w C:\Program Files\THQ
2008-04-17 01:23 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-14 22:43 --------- d-----w C:\Program Files\IRCPlus
2008-04-14 22:33 --------- d-----w C:\Documents and Settings\Ty\Application Data\Ventrilo
2008-04-14 21:55 --------- d-----w C:\Documents and Settings\Ty\Application Data\mIRC
2008-04-14 21:53 --------- d-----w C:\Program Files\mIRC
2008-04-12 20:51 --------- d-----w C:\Documents and Settings\Ty\Application Data\Apple Computer
2008-04-12 20:50 --------- d-----w C:\Documents and Settings\Ty\Application Data\vlc
2008-04-12 03:31 --------- d-----w C:\Documents and Settings\abc\Application Data\ATI
2008-04-03 07:14 --------- d-----w C:\Documents and Settings\Ty\Application Data\ATI
2008-04-01 21:31 --------- d-----w C:\Program Files\MSN Messenger
.

((((((((((((((((((((((((((((( snapshot@2008-05-25_10.56.19.87 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-25 14:46:17 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-25 16:43:31 2,048 --s-a-w C:\WINDOWS\bootstat.dat
- 2008-05-25 14:53:33 16,384 --sha-w C:\WINDOWS\TEMP\Cookies\index.dat
+ 2008-05-25 16:47:23 16,384 --sha-w C:\WINDOWS\TEMP\Cookies\index.dat
- 2008-05-25 14:53:33 32,768 --sha-w C:\WINDOWS\TEMP\History\History.IE5\index.dat
+ 2008-05-25 16:47:23 16,384 --sha-w C:\WINDOWS\TEMP\History\History.IE5\index.dat
- 2008-05-25 14:53:33 32,768 --sha-w C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-25 16:47:23 32,768 --sha-w C:\WINDOWS\TEMP\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54 5674352]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2006-09-12 10:58 16264192 C:\WINDOWS\RTHDCPL.exe]
"SkyTel"="SkyTel.EXE" [2006-05-16 12:04 2879488 C:\WINDOWS\SkyTel.exe]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 13:35 90112]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2002-08-19 23:22 50880]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2002-08-19 23:23 34504]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-12-11 11:56 286720]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"@"="" []

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=
"C:\\Program Files\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\mIRC\\WangScript\\mirc.exe"=
"C:\\Games\\Shaiya\\Updater.exe"=
"C:\\Program Files\\IRCPlus\\IRCPlus.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Documents and Settings\\Ty\\Desktop\\New Folder\\winmx354b4.exe"=
"C:\\Documents and Settings\\Ty\\Desktop\\eclipse-java-europa-winter-win32\\eclipse\\eclipse.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"C:\\Program Files\\VentSrv\\ventrilo_srv.exe"=

S2 IRCPlus;IRCPlus;C:\Program Files\IRCPlus\IRCPlus.exe [1999-10-17 21:46]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{2ED6983B-328F-E271-B6B8-A5F09F42CBA8}]
C:\WINDOWS\system32:msnmsgr.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-05-21 02:31:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-05-17 00:00:00 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2008-05-25 16:47:00 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-25 12:45:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\UAService7.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSCNo.exe
C:\Program Files\Messenger\msmsgs.exe
.
**************************************************************************
.
Completion time: 2008-05-25 12:50:53 - machine was rebooted [Ty]
ComboFix-quarantined-files.txt 2008-05-25 16:50:49
ComboFix2.txt 2008-05-25 14:57:53

Pre-Run: 5,376,176,128 bytes free
Post-Run: 5,366,403,072 bytes free

157 --- E O F --- 2008-05-16 01:33:55

And here is the Malwarebytes' Anti-Malware report:
Malwarebytes' Anti-Malware 1.12
Database version: 786

Scan type: Quick Scan
Objects scanned: 49024
Time elapsed: 8 minute(s), 0 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

Edit: here is my kaspersky log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, May 25, 2008 9:04:57 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/05/2008
Kaspersky Anti-Virus database records: 800334
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 116892
Number of viruses found: 21
Number of infected objects: 593
Number of suspicious objects: 0
Duration of the scan process: 01:31:42

Infected Object Name / Virus Name / Last Action
C:\Document\Tyler\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{F78A4C01-59CA-B906-B83F-EB4F9CC3D36D}\29\29-{2B~1.FRX/Biology Lab.exe Infected: Backdoor.Win32.Optix.Pro.i skipped
C:\Document\Tyler\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\[email protected]\DFSR\Staging\CS{F78A4C01-59CA-B906-B83F-EB4F9CC3D36D}\29\29-{2B~1.FRX RAR: infected - 1 skipped
C:\Document\Tyler\Local Settings\Application Data\Mozilla\Firefox\Profiles\4vv5lo8c.default\Cache\9C931A8Dd01 Object is locked skipped
C:\Document\Tyler\Local Settings\Temp\mirc631.exe/stream/data0014 Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Document\Tyler\Local Settings\Temp\mirc631.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.631 skipped
C:\Document\Tyler\Local Settings\Temp\mirc631.exe NSIS: infected - 2 skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\229be25d612e4ed0c3356e23a30513d3_d4f3a263-6642-4f74-b7b4-4bd6a37afce1 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5cc0f371f356e22ce3f0a4d7259fa78e_d4f3a263-6642-4f74-b7b4-4bd6a37afce1 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\61c0c60bb2b92793a0644d6ae4080e76_d4f3a263-6642-4f74-b7b4-4bd6a37afce1 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\650bb3c5d4348a4c38443f5b550189c0_d4f3a263-6642-4f74-b7b4-4bd6a37afce1 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\abc45e81e5b6ca1f81631cf343a6b194_d4f3a263-6642-4f74-b7b4-4bd6a37afce1 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\e1be1f72d139b232fa9cc6cb4100cfdc_d4f3a263-6642-4f74-b7b4-4bd6a37afce1 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\eddd4f87b12951ce35bfeb41a96c3240_d4f3a263-6642-4f74-b7b4-4bd6a37afce1 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f18beb49593862709e92be203e375321_d4f3a263-6642-4f74-b7b4-4bd6a37afce1 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f602543a0dfcfbbfa669b0d5a58ca0e8_d4f3a263-6642-4f74-b7b4-4bd6a37afce1 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Ty\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ty\Desktop\packed PI\Lukes\Logitech Private Edition 1.1.2.exe Infected: Backdoor.Win32.Poison.bog skipped
C:\Documents and Settings\Ty\Desktop\packed PI\Lukes\Logitech Private Webcam Servers INC.zip/Logitech Private Edition 1.1.2.exe Infected: Backdoor.Win32.Poison.bog skipped
C:\Documents and Settings\Ty\Desktop\packed PI\Lukes\Logitech Private Webcam Servers INC.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Ty\Desktop\RATs\Pi_2.3.2_Unpacked\UnPacked Poison Ivy 2.3.2.exe Infected: Backdoor.Win32.PoisonIvy.ce skipped
C:\Documents and Settings\Ty\Desktop\RATs\Pi_2.3.2_Unpacked_protocol_.rar/UnPacked Poison Ivy 2.3.2.exe Infected: Backdoor.Win32.PoisonIvy.ce skipped
C:\Documents and Settings\Ty\Desktop\RATs\Pi_2.3.2_Unpacked_protocol_.rar RAR: infected - 1 skipped
C:\Documents and Settings\Ty\Desktop\RATs\Sub7 v2.1.5 Legends.zip/editserver.exe Infected: Backdoor.Win32.SubSeven.215 skipped
C:\Documents and Settings\Ty\Desktop\RATs\Sub7 v2.1.5 Legends.zip/server.exe Infected: Backdoor.Win32.Jokerdoor skipped
C:\Documents and Settings\Ty\Desktop\RATs\Sub7 v2.1.5 Legends.zip/SubSeven.exe Infected: Backdoor.Win32.SubSeven.215 skipped
C:\Documents and Settings\Ty\Desktop\RATs\Sub7 v2.1.5 Legends.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Ty\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Ty\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Ty\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_904C_F664_4CF6_450E\dfsr.db Object is locked skipped
C:\Documents and Settings\Ty\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_904C_F664_4CF6_450E\fsr.log Object is locked skipped
C:\Documents and Settings\Ty\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_904C_F664_4CF6_450E\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Ty\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_904C_F664_4CF6_450E\tmp.edb Object is locked skipped
C:\Documents and Settings\Ty\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ty\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ty\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\real\members.stg Object is locked skipped
C:\Documents and Settings\Ty\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Ty\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ty\Local Settings\History\History.IE5\MSHist012008052520080526\index.dat Object is locked skipped
C:\Documents and Settings\Ty\Local Settings\Temp\BITD.tmp Object is locked skipped
C:\Documents and Settings\Ty\Local Settings\Temp\~DF996B.tmp Object is locked skipped
C:\Documents and Settings\Ty\Local Settings\Temp\~DF9976.tmp Object is locked skipped
C:\Documents and Settings\Ty\Local Settings\Temp\~DFAFCC.tmp Object is locked skipped
C:\Documents and Settings\Ty\Local Settings\Temp\~DFAFD7.tmp Object is locked skipped
C:\Documents and Settings\Ty\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Ty\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ty\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Ty\NtUser.dat.LOG Object is locked skipped
C:\Documents and Settings\Tyler\My Documents\Downloads\Hillbilly Love Song.exe/windowsupdate.exe/test.exe Infected: Backdoor.Win32.SubSeven.215 skipped
C:\Documents and Settings\Tyler\My Documents\Downloads\Hillbilly Love Song.exe/windowsupdate.exe Infected: Backdoor.Win32.SubSeven.215 skipped
C:\Documents and Settings\Tyler\My Documents\Downloads\Hillbilly Love Song.exe StarDust: infected - 2 skipped
C:\Documents and Settings\Tyler\My Documents\Downloads\Hot Chick Plays With Pussy! Webcam [Live Stream].exe/windowsupdate.exe/test.exe Infected: Backdoor.Win32.SubSeven.215 skipped
C:\Documents and Settings\Tyler\My Documents\Downloads\Hot Chick Plays With Pussy! Webcam [Live Stream].exe/windowsupdate.exe Infected: Backdoor.Win32.SubSeven.215 skipped
C:\Documents and Settings\Tyler\My Documents\Downloads\Hot Chick Plays With Pussy! Webcam [Live Stream].exe StarDust: infected - 2 skipped
C:\Documents and Settings\Tyler\My Documents\Downloads\Limewire PRO.exe/windowsupdate.exe/test.exe Infected: Backdoor.Win32.SubSeven.215 skipped
C:\Documents and Settings\Tyler\My Documents\Downloads\Limewire PRO.exe/windowsupdate.exe Infected: Backdoor.Win32.SubSeven.215 skipped
C:\Documents and Settings\Tyler\My Documents\Downloads\Limewire PRO.exe StarDust: infected - 2 skipped
C:\Documents and Settings\Tyler\My Documents\Downloads\Rapidshare Premium Acount Generator.exe/windowsupdate.exe/test.exe Infected: Backdoor.Win32.SubSeven.215 skipped
C:\Documents and Settings\Tyler\My Documents\Downloads\Rapidshare Premium Acount Generator.exe/windowsupdate.exe Infected: Backdoor.Win32.SubSeven.215 skipped
C:\Documents and Settings\Tyler\My Documents\Downloads\Rapidshare Premium Acount Generator.exe StarDust: infected - 2 skipped
C:\Documents and Settings\Tyler\My Documents\Downloads\Rockband for PC.exe/windowsupdate.exe/test.exe Infected: Backdoor.Win32.SubSeven.215 skipped
C:\Documents and Settings\Tyler\My Documents\Downloads\Rockband for PC.exe/windowsupdate.exe Infected: Backdoor.Win32.SubSeven.215 skipped
C:\Documents and Settings\Tyler\My Documents\Downloads\Rockband for PC.exe StarDust: infected - 2 skipped
C:\Documents and Settings\Tyler\My Documents\Downloads\Two girls guzzling cum and taking anal.exe/windowsupdate.exe/test.exe Infected: Backdoor.Win32.SubSeven.215 skipped
C:\Documents and Settings\Tyler\My Documents\Downloads\Two girls guzzling cum and taking anal.exe/windowsupdate.exe Infected: Backdoor.Win32.SubSeven.215 skipped
C:\Documents and Settings\Tyler\My Documents\Downloads\Two girls guzzling cum and taking anal.exe StarDust: infected - 2 skipped

Edited by WaRpEd, 25 May 2008 - 07:04 PM.

  • 0

#7
WaRpEd

WaRpEd

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
So can you think of any further steps to take with my results?
  • 0

#8
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
The Kaspersky log has been cut short, could you post it again, then I will see what else needs to be done.

Regards,
RatHat
  • 0

#9
WaRpEd

WaRpEd

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
I'm at school right now, but I'll add the Kaspersky log again once I get home in about 2-3 hours.
  • 0

#10
WaRpEd

WaRpEd

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Edit: the Kaspersky log got cut off again, so I'll just upload the file. Hopefully you can give me further info on disinfecting my computer for good :)

Attached Files


Edited by WaRpEd, 26 May 2008 - 02:58 PM.

  • 0

#11
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Please save the attached script to your desktop



2. Save the above as CFScript.txt

3. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



4. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
Regards,
RatHat
  • 0

#12
WaRpEd

WaRpEd

    New Member

  • Topic Starter
  • Member
  • Pip
  • 8 posts
Here are my new ComboFix and HJT logs :)

Attached Files


  • 0

#13
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
How's the machine running now?

I would recommend uninstalling any P2P programs that you have and deleting this folder: C:\Documents and Settings\Ty\Incomplete

This is where Limewire stores incomplete files, that it will continue to download as soon as the program is started again, and is highly likely to be the source of your infection.
  • 0

#14
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Do you still require assistance with this log?

Regards,
RatHat
  • 0

#15
RatHat

RatHat

    Ex Malware Expert

  • Expert
  • 7,829 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0