aurora popup

#1 dailyconfused (Member, 34 posts)
Hey, I've searched through these forums and have seen ways to get rid of it. The only thing is I don't know how to do them. Could someone tell me what programs and the steps to go through to get rid of the popup? It keeps coming back and usually shows whenever I change the website I am on. Thanks in advance.
#2 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Welcome to GTG.

Please read the link below in my sig (Read here before posting your ....) and do the steps there. When you get to HijackThis, don't run it yet. Do the following first:

Download Ewido Security Suite at http://www.ewido.net/en/download/

Update its database at http://www.ewido.net...wnload/updates/

Run a scan and let it clean the computer.

**Note** DO NOT REBOOT the computer during the removal process. If you do the filenames will change. If you can't leave the computer on now, I suggest not running the logs below yet. Wait until you can leave it on.

Download FindIt's.zip to your desktop: http://forums.net-in...=post&id=142443

1. Unzip/extract the files inside to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient ...
3. Then post the results here along with the new HijackThis log.

#3 dailyconfused (Topic Starter, Member, 34 posts)
K thanks, I think I did everything the way it told me to, if not sorry.

Logfile of HijackThis v1.99.1
Scan saved at 2:15:26 PM, on 5/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Documents and Settings\Owner\Desktop\etmin.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\dwwin.exe
C:\Program Files\JGsoft\EditPadPro5\EditPadPro.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\windows\system32\tptvsen.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Owner\My Documents\DOWNLOADS\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\Downloaded Program Files\ipreg32.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\System32\rsyncmon.dll (file missing)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing)
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\rtneg.dll (file missing)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [rsbpuki] c:\windows\system32\tptvsen.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 05/09/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


* Todo C:\WINDOWS\System32\TPTVSEN.EXE
»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\System32\POKER.EXE
* UPX! C:\WINDOWS\System32\TPTVSEN.EXE
* UPX! C:\WINDOWS\JSSUYM~1.EXE
* UPX! C:\WINDOWS\NAIL.EXE
* UPX! C:\WINDOWS\__P9HE~1.EXE

* Sniffed C:\WINDOWS\System32\__DELE~1.DLL
»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* buddy C:\WINDOWS\JSSUYM~1.EXE

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

svcproc.exe
Nail.exe
»»»»» Checking for System32\DrPMon.dll.

DrPMon.dll
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C is HypnoFrog
Volume Serial Number is 18A1-900D

Directory of C:\WINDOWS\SYSTEM32

05/02/2005 02:56 PM <DIR> cache32_rtneg
04/18/2005 03:35 PM <DIR> cache32_rtneg3
0 File(s) 0 bytes
2 Dir(s) 54,651,400,192 bytes free
»»»»» Checking for SAHAgent ico files.
Volume in drive C is HypnoFrog
Volume Serial Number is 18A1-900D

Directory of C:\WINDOWS\system32

04/22/2005 11:01 AM 3,262 bingo_big2.ico
05/08/2005 05:22 PM 3,262 creditcard32123123123asdsa.ico
05/08/2005 05:22 PM 3,262 dice21.ico
05/08/2005 05:22 PM 4,286 greenmovie2313asaadsasfad112341231adsfa.ico
04/18/2005 07:52 PM 3,262 kas pink1233aadsfa12.ico
05/02/2005 02:56 PM 3,262 kill popups.ico
04/24/2005 10:41 AM 3,262 kill spyware12.ico
05/08/2005 05:22 PM 4,286 mp3red51aads.ico
05/08/2005 05:22 PM 16,614 popupblocker31.ico
04/18/2005 07:52 PM 3,262 popupkiller2asdf1.ico
05/08/2005 05:22 PM 2,238 red_kas21.ico
05/08/2005 05:22 PM 3,262 vh e233.ico
12 File(s) 53,520 bytes
0 Dir(s) 54,651,400,192 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\aurora


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Bolger


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj
<NO NAME> REG_SZ Bolger Functional Class


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\_rtneg3


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\CLSID\{302A3240-4805-4a34-97D7-1645A0B08410}
<NO NAME> REG_SZ BolgerObj Class


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll
I believe these are the two log files to post; if not, just tell me which ones and I'll get on it. Thanks again

#4 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Yep those are the ones. Let's get started on the fix now:

Download KillBox http://www.atribune....ads/KillBox.exe
Download and install CleanUp http://cleanup.stevengould.org/

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and make sure that System Restore is enabled (box should be unchecked). Once you're clean we will turn this off and then create a new restore point.

Close out all open windows and disconnect the computer from any internet access.

1. Delete the below files/folders manually now:

C:\WINDOWS\system32\cache32_rtneg\
C:\WINDOWS\system32\cache32_rtneg3\
C:\WINDOWS\system32\bingo_big2.ico
C:\WINDOWS\system32\creditcard32123123123asdsa.ico
C:\WINDOWS\system32\dice21.ico
C:\WINDOWS\system32\greenmovie2313asaadsasfad112341231adsfa.ico
C:\WINDOWS\system32\kas pink1233aadsfa12.ico
C:\WINDOWS\system32\kill popups.ico
C:\WINDOWS\system32\kill spyware12.ico
C:\WINDOWS\system32\mp3red51aads.ico
C:\WINDOWS\system32\popupblocker31.ico
C:\WINDOWS\system32\popupkiller2asdf1.ico
C:\WINDOWS\system32\red_kas21.ico
C:\WINDOWS\system32\vh e233.ico


2. Go to Start->Run and type in services.msc and hit OK. Then look for 'System Startup Service (SvcProc)' and double click on it. Click on the Stop button and under Startup type, choose Disabled.

3. Run the CleanUp program you just installed and when prompted to reboot/logoff select NO.

4. Run KillBox. Go to Tools > Delete Temp Files > Click *OK* Copy and paste the following locations into KillBox one at a time. Checkmark the box that says 'Delete on Reboot' and checkmark the box 'Unregister DLL' (If available) Click the red circle with the white X and it will ask you to confirm the file for deletion, say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click NO when it asks you to reboot.

**Note** Don't let KillBox reboot the computer...Reboot manually after the fixes for the HijackThis (see below).

C:\Windows\System32\svcproc.exe
C:\Windows\System32\Nail.exe
C:\Program Files\Viewpoint\
c:\windows\system32\tptvsen.exe
C:\WINDOWS\Downloaded Program Files\ipreg32.dll
C:\WINDOWS\System32\rsyncmon.dll
C:\WINDOWS\Bolger.dll
c:\windows\system\BHOmod.dll
C:\WINDOWS\System32\rtneg.dll
C:\WINDOWS\System32\POKER.EXE
C:\WINDOWS\System32\TPTVSEN.EXE
C:\WINDOWS\JSSUYM~1.EXE
C:\WINDOWS\__P9HE~1.EXE
C:\WINDOWS\System32\__DELE~1.DLL

5. Go to Start->Run and type in cmd and hit OK. Then type in each of the following (hit Enter key after each line):

cd windows
nail.exe /FullRemove
exit


6. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-qus10.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-qus10.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://qus10.hpwis.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: CDownCom Class - {031B6D43-CBC4-46A5-8E46-CF8B407C1A33} - C:\WINDOWS\Downloaded Program Files\ipreg32.dll
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\System32\rsyncmon.dll (file missing)
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O2 - BHO: BHOmodObj Class - {7F6828CA-9E42-462C-BC60-418C8144012C} - c:\windows\system\BHOmod.dll (file missing)
O2 - BHO: ohb - {999A06FF-10EF-4A29-8640-69E99882C26B} - C:\WINDOWS\System32\rtneg.dll (file missing)
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [rsbpuki] c:\windows\system32\tptvsen.exe
O4 - Global Startup: winlogin.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe


7. Reboot the computer now. Reconnect your internet access and post another FindIt’s log and HijackThis log.

#5 dailyconfused (Topic Starter, Member, 34 posts)
Microsoft Windows XP [Version 5.1.2600]
The current date is: Tue 05/10/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


* Todo C:\WINDOWS\System32\JUVVGK.EXE
»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\System32\JUVVGK.EXE
* UPX! C:\WINDOWS\NAIL.EXE
* UPX! C:\WINDOWS\SVCPROC.EXE

* Sniffed C:\WINDOWS\System32\DRPMON.DLL
»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

svcproc.exe
Nail.exe
»»»»» Checking for System32\DrPMon.dll.

DrPMon.dll
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C is HypnoFrog
Volume Serial Number is 18A1-900D

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C is HypnoFrog
Volume Serial Number is 18A1-900D

Directory of C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»».


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\aurora


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\Bolger


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj
<NO NAME> REG_SZ Bolger Functional Class


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\_rtneg3


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll


Logfile of HijackThis v1.99.1
Scan saved at 11:39:38 AM, on 5/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\iPod\bin\iPodService.exe
c:\windows\system32\juvvgk.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\jssuymzfa.exe
C:\Documents and Settings\Owner\My Documents\DOWNLOADS\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [togeulq] c:\windows\system32\juvvgk.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe



Here ya go, thanks, it already runs better. A couple of the files (actually I think only 1) wouldn't get deleted from HijackThis (that winlogon thing). Also, is it supposed to tell you anything when you /fullremove nail.exe? It didn't for me (I used to know but haven't done anything like that in a long time).
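The entries greyknight17 singled out in post #4 fall into a handful of recognisable shapes, and the second log above shows why the "DO NOT REBOOT" note in post #2 matters: the `[rsbpuki] tptvsen.exe` Run value is gone and a `[togeulq] juvvgk.exe` value has taken its place. The following Python is an added example, not part of this thread and not anything HijackThis ships: it parses HijackThis 1.99 log lines, flags the same categories the expert fixed (a system.ini Shell= value with something after Explorer.exe, BHOs whose DLL is missing, Run values with random-looking lowercase names pointing into the Windows directory, an executable in the all-users Startup folder, a service with no vendor information running from the Windows directory), and compares a before and after log. The sample log text is constructed from a subset of the lines in this thread; the heuristics and the names `flag_entries` and `compare_logs` are mine.

```python
import re
from typing import Optional

# Constructed sample logs in the shape of this thread's HijackThis 1.99.1 output:
# a subset of the entries before and after the first round of fixes.
LOG_BEFORE = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [rsbpuki] c:\windows\system32\tptvsen.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: winlogin.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
"""

LOG_AFTER = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [togeulq] c:\windows\system32\juvvgk.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: winlogin.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]+?\.exe)', re.I)
# A file sitting directly in \Windows, \Windows\System32 or \Windows\System.
WINDIR_RE = re.compile(r"^[a-z]:\\windows\\(?:system32\\|system\\)?[^\\]+$", re.I)


def _exe_of(cmd: str) -> str:
    """Extract the executable path from a Run value, dropping quotes and arguments."""
    m = EXE_RE.match(cmd.strip())
    return m.group("exe") if m else cmd.strip()


def _why_suspicious(kind: str, body: str) -> Optional[str]:
    """Return a reason if the entry matches one of the heuristics (mine, not HijackThis's)."""
    if kind == "F2":
        m = re.search(r"Shell=Explorer\.exe\s+(\S.*)$", body, re.I)
        if m:
            return f"shell hijack: Explorer.exe followed by {m.group(1)}"
    elif kind == "O2" and body.endswith("(file missing)"):
        return "orphaned BHO registration"
    elif kind == "O4":
        m = RUN_RE.match(body)
        if m:
            name, exe = m.group("name"), _exe_of(m.group("cmd"))
            base = exe.rsplit("\\", 1)[-1].lower().removesuffix(".exe")
            # Random lowercase value name that does not match the file it launches,
            # and the file lives loose in the Windows directory.
            if WINDIR_RE.match(exe) and re.fullmatch(r"[a-z]{5,9}", name) and name != base:
                return f"random-looking Run value [{name}] pointing at {exe}"
        elif body.startswith("Global Startup: ") and body.lower().endswith(".exe"):
            return "executable launched from the all-users Startup folder"
    elif kind == "O23":
        parts = body[len("Service: "):].rsplit(" - ", 2)  # name, owner, path
        if len(parts) == 3 and parts[1] == "Unknown owner" and WINDIR_RE.match(parts[2]):
            return "service with no vendor info running from the Windows directory"
    return None


def flag_entries(log: str) -> list:
    """Parse a HijackThis log and return (line, reason) for every suspicious entry."""
    flagged = []
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list and blank lines carry no Rn/Fn/On prefix
        reason = _why_suspicious(m.group("kind"), m.group("body"))
        if reason:
            flagged.append((line, reason))
    return flagged


def compare_logs(before: str, after: str) -> dict:
    """Track flagged entries across a reboot: a dropper that renames itself shows up
    as one entry gone and a new one appearing, while untouched items persist."""
    b = [line for line, _ in flag_entries(before)]
    a = [line for line, _ in flag_entries(after)]
    return {
        "gone": [x for x in b if x not in a],
        "persisted": [x for x in b if x in a],
        "new": [x for x in a if x not in b],
    }


if __name__ == "__main__":
    for line, reason in flag_entries(LOG_BEFORE):
        print(f"{reason}\n    {line}")
    for bucket, lines in compare_logs(LOG_BEFORE, LOG_AFTER).items():
        print(bucket, lines)
```

On a real log, pass the whole file's text to `flag_entries` and treat the result as a review list rather than a deletion list: the "Unknown owner" rule catches any service whose binary lacks version information, and the random-name rule will miss a dropper that picks a plausible name, so a human still decides, exactly as the expert does in this thread.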

#6 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
It should stop the nail.exe process and allow it to be removed once you enter that. You may close the command prompt when you hit Enter.

Download KillBox http://www.atribune....ads/KillBox.exe
Download and install CleanUp http://cleanup.stevengould.org/

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing/visible also. Please make sure system restore is enabled by right clicking on My Computer and go to Properties->System Restore and make sure that System Restore is enabled (box should be unchecked). Once you're clean we will turn this off and then create a new restore point.

Close out all open windows and disconnect the computer from any internet access.

1. Delete the below files/folders manually now:



2. Go to Start->Run and type in services.msc and hit OK. Then look for 'System Startup Service (SvcProc)' and double click on it. Click on the Stop button and under Startup type, choose Disabled.

3. Run the CleanUp program you just installed and when prompted to reboot/logoff select NO.

4. Run KillBox. Go to Tools > Delete Temp Files > Click *OK* Copy and paste the following locations into KillBox one at a time. Checkmark the box that says 'Delete on Reboot' and checkmark the box 'Unregister DLL' (If available) Click the red circle with the white X and it will ask you to confirm the file for deletion, say YES and when the next box opens prompting you to reboot now...click NO...and proceed with the next file. Once you get to the last one click NO when it asks you to reboot.

**Note** Don't let KillBox reboot the computer...Reboot manually after the fixes for the HijackThis (see below).

C:\Windows\svcproc.exe
C:\Windows\Nail.exe
c:\windows\system32\juvvgk.exe
C:\WINDOWS\jssuymzfa.exe
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\winlogin.exe
C:\WINDOWS\System32\DRPMON.DLL


5. Go to Start->Run and type in cmd and hit OK. Then type in each of the following (hit Enter key after each line):

cd windows
nail.exe /FullRemove
exit


6. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [togeulq] c:\windows\system32\juvvgk.exe
O4 - Global Startup: winlogin.exe


7. Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to the following (fix whatever applies, if it's not there just skip it):

HKEY_CURRENT_USER\Software\ and delete aurora

HKEY_CURRENT_USER\Software\ and delete Bolger

HKEY_CLASSES_ROOT\ and delete BolgerDll.BolgerDllObj

HKEY_CURRENT_USER\Software\ and delete _rtneg3

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ and delete ZepMon

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ and delete ZepMon


If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

Reboot the computer now. Reconnect your internet access and post another FindIt’s log and HijackThis log. Again, try not to restart or shutdown during this time until you do the fixes that I will give you.
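The registry keys in step 7 are exactly the ones the "! REG.EXE VERSION 3.0" sections of the FindIt's report listed as present. As an added example that is not part of this thread or of FindIt's, the Python below parses those sections into key/value form and checks which keys on the expert's list are still there, so a second report after the cleanup can be read mechanically. The report text is constructed from a subset of the second FindIt's log on this page (the Bolger and _rtneg3 keys are left out on purpose), and the function names are mine. The last helper lists DLLs registered as print monitors; the print spooler loads those at startup, which is what makes a DLL registered under that key a persistence point worth checking. CurrentControlSet is normally a link to one of the ControlSet00N keys, so the two ZepMon paths usually name the same key and deleting under both is harmless.

```python
import re

# Constructed sample in the shape of the REG.EXE sections FindIt's.bat appends to its
# report; keys taken from the thread's second log, two of them deliberately omitted.
REG_REPORT = r"""
! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\aurora


! REG.EXE VERSION 3.0

HKEY_CLASSES_ROOT\BolgerDll.BolgerDllObj
<NO NAME> REG_SZ Bolger Functional Class


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll
"""

# The deletions from step 7, as (parent key, subkey name) pairs.
CLEANUP_LIST = [
    (r"HKEY_CURRENT_USER\Software", "aurora"),
    (r"HKEY_CURRENT_USER\Software", "Bolger"),
    (r"HKEY_CLASSES_ROOT", "BolgerDll.BolgerDllObj"),
    (r"HKEY_CURRENT_USER\Software", "_rtneg3"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors", "ZepMon"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors", "ZepMon"),
]

# One value line: "<NO NAME> REG_SZ Bolger Functional Class" or "Driver REG_SZ DrPMon.dll".
VALUE_RE = re.compile(r"^(?P<name><NO NAME>|\S+)\s+(?P<type>REG_[A-Z_]+)\s+(?P<data>.*)$")


def parse_reg_report(text: str) -> dict:
    """Return {key_path: {value_name: (type, data)}} for every section in the report.
    A key line with no value lines means the key exists but showed no values."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("! REG.EXE"):
            continue  # blank separator or section banner
        if line.startswith("HKEY_"):
            current = line
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if current and m:
            keys[current][m.group("name")] = (m.group("type"), m.group("data"))
    return keys


def cleanup_status(report: str, cleanup_list) -> tuple:
    """Split the cleanup list into keys still present in the report and keys already absent."""
    present = parse_reg_report(report)
    found, absent = [], []
    for parent, name in cleanup_list:
        full = parent + "\\" + name
        (found if full in present else absent).append(full)
    return found, absent


def print_monitor_drivers(report: str) -> list:
    """DLLs registered as print monitors; the spooler loads these at startup."""
    return sorted({
        values["Driver"][1]
        for key, values in parse_reg_report(report).items()
        if "\\Control\\Print\\Monitors\\" in key and "Driver" in values
    })


if __name__ == "__main__":
    found, absent = cleanup_status(REG_REPORT, CLEANUP_LIST)
    print("still present:", *found, sep="\n  ")
    print("already gone:", *absent, sep="\n  ")
    print("print monitor DLLs:", print_monitor_drivers(REG_REPORT))
```

Feed the post-cleanup FindIt's report to `cleanup_status` and an empty `found` list confirms the registry side of step 7; anything left in `found` is a key to revisit, which is where the Permissions advice at the end of the post comes in.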

#7 dailyconfused (Topic Starter, Member, 34 posts)
Logfile of HijackThis v1.99.1
Scan saved at 5:03:46 PM, on 5/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
c:\windows\system32\tknfwa.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\My Documents\DOWNLOADS\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [jsrbcvg] c:\windows\system32\tknfwa.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe



Microsoft Windows XP [Version 5.1.2600]
The current date is: Tue 05/10/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


* Todo C:\WINDOWS\System32\TKNFWA.EXE
»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\System32\TKNFWA.EXE

»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

»»»»» Checking for System32\DrPMon.dll.

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C is HypnoFrog
Volume Serial Number is 18A1-900D

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C is HypnoFrog
Volume Serial Number is 18A1-900D

Directory of C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»».



here ya go, thanks so much for helping me too
the winlogon file wouldn't get deleted again, tells me to stop the task but when I try it says it's a critical system process and won't let me close it

#8
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
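As an added example (not part of this thread, HijackThis, or FindIt's), a small Python triage script that applies the three checks the thread relies on to the two logs above: the F2 `Shell=` value must be exactly `Explorer.exe`, any file FindIt's lists under Todo/UPX! that also appears in a HijackThis entry is tied to its autostart, and a startup file whose name is one letter off from a core Windows process (`winlogin.exe` vs `winlogon.exe`) is flagged. The sample lines are constructed from the logs posted above; the core-process list and the heuristics are this example's own assumptions, not rules from either tool.

```python
"""Triage HijackThis 1.99 output against FindIt's findings (added example)."""
import re
from typing import List, Tuple

# Constructed sample: a subset of lines copied from the HijackThis log above.
HJT_SAMPLE = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [jsrbcvg] c:\windows\system32\tknfwa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: winlogin.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Constructed sample: the two hits from the FindIt's log above.
FINDIT_SAMPLE = r"""
* Todo C:\WINDOWS\System32\TKNFWA.EXE
* UPX! C:\WINDOWS\System32\TKNFWA.EXE
"""

# Assumed list of core process names that malware likes to imitate.
CORE_PROCESSES = ("winlogon.exe", "services.exe", "lsass.exe", "svchost.exe",
                  "csrss.exe", "smss.exe", "explorer.exe")

SHELL_RE = re.compile(r"F2 - REG:system\.ini: Shell=(.*)$", re.I)
FINDIT_RE = re.compile(r"\*\s+(?:Todo|UPX!)\s+(\S.*)$", re.I)
EXE_RE = re.compile(r"([\w-]+\.exe)")


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to spot one-letter lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(basename: str) -> str:
    """Return the core process name this file imitates, or '' if none."""
    for core in CORE_PROCESSES:
        if basename != core and edit_distance(basename, core) == 1:
            return core
    return ""


def findit_paths(findit_text: str) -> set:
    """Collect the lower-cased paths FindIt's marked as Todo or UPX!-packed."""
    paths = set()
    for line in findit_text.splitlines():
        m = FINDIT_RE.match(line.strip())
        if m:
            paths.add(m.group(1).strip().lower())
    return paths


def triage(hjt_text: str, findit_text: str) -> List[Tuple[str, str]]:
    """Return (reason, log line) pairs for the entries worth a closer look."""
    flagged = findit_paths(findit_text)
    findings = []
    for raw in hjt_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SHELL_RE.match(line)
        if m:
            # A clean system.ini shell entry is exactly one token: Explorer.exe.
            if [t.lower() for t in m.group(1).split()] != ["explorer.exe"]:
                findings.append(("shell-hijack", line))
            continue
        low = line.lower()
        # Tie a FindIt's hit to the autostart entry that launches it.
        if any(p in low for p in flagged):
            findings.append(("findit-match", line))
        # Flag startup files named one letter away from a core process.
        for base in EXE_RE.findall(low):
            core = lookalike_of(base)
            if core:
                findings.append(("lookalike:" + core, line))
                break
    return findings


if __name__ == "__main__":
    for reason, entry in triage(HJT_SAMPLE, FINDIT_SAMPLE):
        print(f"{reason:24} {entry}")
```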
KillBox can't even delete it? You meant winlogin.exe right?

OK, give me this log also (do not restart or shutdown yet):

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use CTRL C on your keyboard to copy everything found in the lower pane and save it to a notepad file
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.

#9
dailyconfused

    Member

  • Topic Starter
  • 34 posts
yeah, I'm stupid. I keep forgetting about that whole DON'T LOG OFF. It's just a habit of mine that I can't seem to lose. Since I did that, do I have to post the two logs again? Sorry for my stupidity. I gotta go shopping but will check back when I'm done (will not shut off computer). Thanks

#10
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Not sure if logging off will have the same effect, but keep it logged in just in case.

So yes, post a new HijackThis and FindIt's log. Also run that mwav scan. I want to see if there is anything else that might be hiding there.

#11
dailyconfused

    Member

  • Topic Starter
  • 34 posts
here ya go, it sucked though. Yesterday the power went out.



File c:\windows\system32\fufbhsd.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\svcproc.exe infected by "Trojan.Win32.Stervis.c" Virus. Action Taken: No Action Taken.
File System Found infected by "quicken Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "Visicom Media Spyware/Adware" Virus. Action Taken: No Action Taken.
File System Found infected by "morpheus Spyware/Adware" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\frame1.exe infected by "Trojan.Win32.Small.v" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\jssuymzfa.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\ldo.sys infected by "Trojan.Win32.Delf.cf" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Nail.exe infected by "not-a-virus:AdWare.BetterInternet.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\DrPMon.dll infected by "Trojan.Win32.Agent.db" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ghq20.exe infected by "Trojan.Win32.Delf.cf" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ldo.sys infected by "Trojan.Win32.Delf.cf" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\srtwia.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\4DIFC5EV\svcproc[1].exe infected by "Trojan.Win32.Stervis.c" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\A5C723AB\DrPMon[1].dll infected by "Trojan.Win32.Agent.db" Virus. Action Taken: No Action Taken.
File C:\DOCUME~1\Owner\LOCALS~1\TEMPOR~1\Content.IE5\OPQRSTUV\Nail[1].exe infected by "not-a-virus:AdWare.BetterInternet.b" Virus. Action Taken: No Action Taken.
File C:\counter.cab infected by "Trojan-Dropper.Win32.Agent.az" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Administrator\My Documents\tribes\Tribes\Patch\tribes18to111.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\Default User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archiveb1.jar-2921e73b-6d8689f5.zip infected by "Trojan-Downloader.Java.OpenConnection.g" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Default User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-10ffa0b5-2a3e4b7f.zip infected by "Trojan.Java.ClassLoader.c" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Default User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv68.jar-158e9df2-237c8490.zip infected by "Trojan.Java.ClassLoader.h" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Default User\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0D.dat infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Default User\My Documents\DOWNLOADS\tribes_fullgame.zip tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\Default User\My Documents\tribes\Tribes\Install\Setup\pcv\Pcvkit.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\Default User\My Documents\tribes\Tribes\Patch\tribes18to111.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archiveb1.jar-2921e73b-6d8689f5.zip infected by "Trojan-Downloader.Java.OpenConnection.g" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-10ffa0b5-2a3e4b7f.zip infected by "Trojan.Java.ClassLoader.c" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-1e6596a3-518b7f9a.zip infected by "Trojan.Java.ClassLoader.c" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv68.jar-158e9df2-237c8490.zip infected by "Trojan.Java.ClassLoader.h" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0D.dat infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\4DIFC5EV\svcproc[1].exe infected by "Trojan.Win32.Stervis.c" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\A5C723AB\DrPMon[1].dll infected by "Trojan.Win32.Agent.db" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\Nail[1].exe infected by "not-a-virus:AdWare.BetterInternet.b" Virus. Action Taken: No Action Taken.
File C:\Documents and Settings\Owner\My Documents\DOWNLOADS\New Folder\backups\backup-20050510-112238-362.dll infected by "Trojan-Downloader.Win32.Agent.fh" Virus. Action Taken: No Action Taken.
File C:\hp\bin\Terminator.exe tagged as not-a-virus:RiskWare.Tool.KillApp. No Action Taken.
File C:\hp\bin\win32all-146.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Bib cdrom multi\DataTestJoy.exe infected by "Trojan-Downloader.Win32.Swizzor.bi" Virus. Action Taken: No Action Taken.
File C:\Program Files\Bib cdrom multi\Rdr Heart Hold.exe infected by "Trojan-Downloader.Win32.Swizzor.bm" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\14B96FB6 infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\14C043AF infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\27037166 infected by "not-a-virus:AdWare.Gator.4104" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\3DF72C54 infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\3DFA5650 infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\7F620D32 infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.
File C:\Program Files\Norton AntiVirus\Quarantine\7F65372F infected by "Exploit.Java.Bytverify" Virus. Action Taken: No Action Taken.
File C:\Program Files\Online Services\AOL90US\comp01.000 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Program Files\Showwin\4 gpl.exe infected by "Trojan-Downloader.Win32.Swizzor.bo" Virus. Action Taken: No Action Taken.
File C:\SIERRA\Half-Life\hltv.exe tagged as not-a-virus:RiskWare.Proxy.Hltv. No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP118\A0028440.exe infected by "Trojan.Win32.Delf.cf" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP131\A0031273.dll infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP131\A0031278.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP131\A0031281.exe infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP132\snapshot\MFEX-1.DAT infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP132\snapshot\MFEX-2.DAT infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP132\snapshot\MFEX-3.DAT infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP133\A0031455.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP133\A0032273.dll infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP133\A0032278.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP133\A0032300.dll infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP133\A0032301.exe infected by "not-a-virus:AdWare.Sahat.m" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP133\A0032308.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP133\A0032314.exe infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP133\A0032322.dll infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP133\A0032327.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP133\snapshot\MFEX-1.DAT infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP133\snapshot\MFEX-2.DAT infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP133\snapshot\MFEX-3.DAT infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\A0032352.dll infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\A0032357.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\A0032358.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\A0032374.dll infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\A0032379.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\A0033379.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\A0033405.dll infected by "Trojan-Downloader.Win32.Agent.li" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\A0034374.dll infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\A0034379.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\A0034387.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\A0034388.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\A0035389.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\A0036390.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\A0036395.dll infected by "Trojan-Downloader.Win32.Agent.li" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\A0036427.dll infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\A0036432.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\A0036437.dll infected by "Trojan-Downloader.Win32.Agent.li" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\A0036455.dll infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\A0036461.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\A0036475.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\A0036479.dll infected by "Trojan-Downloader.Win32.Agent.li" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\A0036480.dll infected by "Trojan-Downloader.Win32.Agent.li" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\A0036499.exe infected by "not-a-virus:AdWare.Sahat.m" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\A0036501.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\A0036523.dll infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\A0036524.exe infected by "not-a-virus:AdWare.Sahat.m" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\A0036529.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\A0036540.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\snapshot\MFEX-1.DAT infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\snapshot\MFEX-2.DAT infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\snapshot\MFEX-3.DAT infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\snapshot\MFEX-4.DAT infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP134\snapshot\MFEX-5.DAT infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP135\A0036552.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP135\A0036557.dll infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP135\A0036562.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP135\A0036565.exe infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP135\A0036566.dll infected by "Trojan-Downloader.Win32.Agent.li" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP135\A0036570.dll infected by "Trojan-Downloader.Win32.Agent.li" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP135\A0036573.dll infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP135\A0036578.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP135\A0036579.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP135\A0036587.dll infected by "Trojan-Downloader.Win32.Agent.li" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP135\A0037573.dll infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP135\A0037578.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP135\A0037582.dll infected by "Trojan-Downloader.Win32.Agent.li" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP135\A0037585.dll infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP135\A0037590.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP135\A0037591.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP135\A0037594.dll infected by "Trojan-Downloader.Win32.Agent.li" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP135\A0037610.dll infected by "Trojan-Downloader.Win32.Agent.li" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP136\A0037630.dll infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP136\A0037635.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP136\A0037636.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP136\A0037642.dll infected by "Trojan-Downloader.Win32.Agent.li" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP136\A0037656.dll infected by "Trojan-Downloader.Win32.Agent.li" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP136\A0037672.dll infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP136\A0037677.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP136\A0037688.dll infected by "Trojan-Downloader.Win32.Agent.li" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP136\A0037694.dll infected by "Trojan-Downloader.Win32.Agent.li" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP136\A0038672.dll infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP136\A0038677.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP136\A0038678.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP136\A0038683.dll infected by "Trojan-Downloader.Win32.Agent.li" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP136\snapshot\MFEX-1.DAT infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP136\snapshot\MFEX-2.DAT infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP136\snapshot\MFEX-3.DAT infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP136\snapshot\MFEX-4.DAT infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP136\snapshot\MFEX-5.DAT infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP136\snapshot\MFEX-6.DAT infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP136\snapshot\MFEX-7.DAT infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP136\snapshot\MFEX-8.DAT infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP137\A0038713.dll infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP137\A0038718.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP137\A0038721.dll infected by "Trojan-Downloader.Win32.Agent.li" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP137\A0038743.dll infected by "Trojan-Downloader.Win32.Agent.li" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP137\A0038773.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP137\A0038774.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP137\A0038777.dll infected by "Trojan-Downloader.Win32.Agent.li" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP137\A0038783.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP137\A0038806.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP137\A0038807.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP137\A0038821.exe infected by "not-a-virus:AdWare.Sahat.m" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP137\A0038825.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP137\A0039806.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP137\A0039831.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP137\snapshot\MFEX-1.DAT infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP138\A0039849.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP138\A0039856.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP138\A0040000.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP139\A0040035.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP139\A0040041.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP139\A0040054.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP139\A0040066.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP139\A0040082.exe infected by "not-a-virus:AdWare.ToolBar.TPSystem.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP139\A0040083.exe infected by "not-a-virus:AdWare.ToolBar.TPSystem.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP139\A0040088.EXE infected by "not-a-virus:AdWare.Toolbar.MyWay.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP139\A0040089.DLL infected by "not-a-virus:AdWare.ToolBar.MyWay.f" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP139\A0040091.DLL infected by "not-a-virus:AdWare.ToolBar.MyWay.g" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP139\A0040109.exe infected by "not-a-virus:AdWare.Sahat.o" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP139\A0040119.exe infected by "Trojan-Downloader.Win32.Swizzor.bj" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP139\A0040120.exe infected by "Trojan-Downloader.Win32.Swizzor.bj" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP139\A0040125.exe infected by "not-a-virus:AdWare.Sahat.o" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP139\A0040132.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP140\A0040152.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP140\A0040160.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP140\A0040171.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP140\A0041170.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP143\A0043170.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP143\A0043197.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP143\A0043198.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP143\A0043199.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP144\A0043207.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP144\A0043214.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP144\A0043215.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP144\A0043217.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP144\A0043219.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP144\A0043234.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP144\A0043238.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP145\A0043249.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP145\A0043254.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP145\A0043257.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP145\A0043264.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP145\A0043265.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP145\A0043278.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP145\A0043280.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP146\A0043285.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP146\A0043311.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP146\A0043312.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP146\A0043315.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP147\A0043321.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP147\A0043324.exe infected by "Trojan-Downloader.Win32.Apropo.e" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP147\A0043325.exe infected by "Trojan-Downloader.Win32.Agent.ac" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP147\A0043326.exe infected by "Trojan-Downloader.Win32.Small.kl" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP147\A0043327.exe infected by "Trojan-Dropper.Win32.Small.hb" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP147\A0043328.exe infected by "Trojan-Dropper.Win32.Small.hb" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP147\A0043329.exe infected by "Trojan-Dropper.Win32.Small.hb" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP147\A0043330.exe infected by "Trojan-Dropper.Win32.Small.hb" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP147\A0043331.exe infected by "Trojan-Dropper.Win32.Small.hb" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP147\A0043332.exe infected by "Trojan-Dropper.Win32.Small.hb" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP147\A0043335.exe infected by "Trojan-Downloader.Win32.Delf.go" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP147\A0043341.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP147\A0043342.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP147\A0043346.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP148\A0043412.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP148\A0043424.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP148\A0043434.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP148\A0043437.dll infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP148\A0043469.exe infected by "not-a-virus:AdWare.WinAD" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP148\A0043475.dll infected by "not-a-virus:AdWare.WinAD" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP148\A0043496.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP148\A0043500.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP148\A0043505.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP150\A0043531.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP150\A0043539.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP168\A0044050.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP168\A0044100.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP168\A0044217.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044391.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044396.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044400.exe infected by "not-a-virus:AdWare.BetterInternet.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044424.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044441.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044442.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044454.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044457.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044461.exe infected by "not-a-virus:AdWare.PurityScan.h" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044462.exe infected by "Trojan.Win32.Dissec.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044463.exe infected by "Trojan.Win32.Dissec.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044464.exe infected by "Trojan.Win32.Dissec.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044465.exe infected by "Trojan.Win32.Dissec.a" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044466.exe infected by "Trojan-Downloader.Win32.Small.ahg" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044467.exe infected by "not-a-virus:AdWare.BetterInternet.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044468.exe tagged as not-a-virus:RiskWare.Dialer.DateRegon. No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044469.exe infected by "Trojan.Win32.Stervis.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044470.dll infected by "Trojan-Downloader.Win32.Agent.li" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044471.dll infected by "Trojan-Downloader.Win32.Agent.li" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044472.exe infected by "not-a-virus:AdWare.Sahat.m" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044473.dll infected by "Trojan.Win32.Delf.cf" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044474.exe infected by "not-a-virus:AdWare.SafeSurfing.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044475.exe infected by "Trojan.Win32.Delf.cf" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044476.dll infected by "not-a-virus:AdWare.Beginto.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044477.dll infected by "not-a-virus:AdWare.SafeSurfing.e" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044478.dll infected by "not-a-virus:AdWare.ToolBar.HotSearchBar.d" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044489.dll infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044490.dll infected by "Trojan.Win32.Agent.db" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044496.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044497.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044498.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044671.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044678.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044679.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044680.exe infected by "Trojan.Win32.Stervis.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP169\A0044681.exe infected by "not-a-virus:AdWare.BetterInternet.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP170\A0044685.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP170\A0044686.exe infected by "Trojan.Win32.Stervis.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP170\A0044687.exe infected by "not-a-virus:AdWare.BetterInternet.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP170\A0044690.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP170\A0044692.exe infected by "Trojan.Win32.Stervis.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP170\A0044693.exe infected by "not-a-virus:AdWare.BetterInternet.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP170\A0044694.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP170\A0044695.dll infected by "Trojan.Win32.Agent.db" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP170\A0044700.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP170\A0044709.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP170\A0044710.exe infected by "Trojan.Win32.Stervis.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP170\A0044711.exe infected by "not-a-virus:AdWare.BetterInternet.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP171\A0044719.exe infected by "Trojan.Win32.Stervis.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP171\A0044720.exe infected by "not-a-virus:AdWare.BetterInternet.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP171\A0044727.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP172\A0044732.exe infected by "Trojan.Win32.Stervis.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP172\A0044733.exe infected by "not-a-virus:AdWare.BetterInternet.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP172\A0044736.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP172\A0045709.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP172\A0045710.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP172\A0045711.exe infected by "Trojan.Win32.Stervis.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP172\A0045712.exe infected by "not-a-virus:AdWare.BetterInternet.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP173\A0045720.exe infected by "Trojan.Win32.Stervis.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP173\A0045721.exe infected by "not-a-virus:AdWare.BetterInternet.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP173\A0045723.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP174\A0045724.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP174\A0045731.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP174\A0045734.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP174\A0045738.exe infected by "Trojan.Win32.Stervis.c" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP174\A0045739.exe infected by "not-a-virus:AdWare.BetterInternet.b" Virus. Action Taken: No Action Taken.
File C:\System Volume Information\_restore{BC9F3C70-F33F-48FB-93C7-198E1A9B1607}\RP174\A0045754.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\frame1.exe infected by "Trojan.Win32.Small.v" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\jssuymzfa.exe infected by "not-a-virus:AdWare.BetterInternet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\ldo.sys infected by "Trojan.Win32.Delf.cf" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Nail.exe infected by "not-a-virus:AdWare.BetterInternet.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archiveb1.jar-2921e73b-6d8689f5.zip infected by "Trojan-Downloader.Java.OpenConnection.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\classload.jar-10ffa0b5-2a3e4b7f.zip infected by "Trojan.Java.ClassLoader.c" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\config\systemprofile\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\loaderadv68.jar-158e9df2-237c8490.zip infected by "Trojan.Java.ClassLoader.h" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\config\systemprofile\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0D.dat infected by "not-a-virus:AdWare.WildTangent.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\sta18.exe infected by "Trojan-Downloader.Win32.Swizzor.bi" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\sta19.exe infected by "Trojan-Downloader.Win32.Swizzor.bi" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\config\systemprofile\Local Settings\Temp\sta20.exe infected by "Trojan-Downloader.Win32.Swizzor.bi" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\config\systemprofile\My Documents\DOWNLOADS\tribes_fullgame.zip tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\system32\config\systemprofile\My Documents\tribes\Tribes\Install\Setup\pcv\Pcvkit.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\system32\config\systemprofile\My Documents\tribes\Tribes\Patch\tribes18to111.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\WINDOWS\system32\DrPMon.dll infected by "Trojan.Win32.Agent.db" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\ghq20.exe infected by "Trojan.Win32.Delf.cf" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\ldo.sys infected by "Trojan.Win32.Delf.cf" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\srtwia.exe infected by "Trojan.Win32.Agent.cp" Virus. Action Taken: No Action Taken
  • 0

#12
greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Click on Start->Settings->Control Panel->Java Plug-in and click on the Cache tab. Then click on the Clear button and hit OK.

The Temp folders should be cleaned out periodically as installation programs and hijack programs leave a lot of junk there. Download CleanUp! http://cleanup.stevengould.org/ (alternate link if the main link doesn't work - http://www.greyknigh...spy/Cleanup.exe ) and install it. Run CleanUp! and click on the CleanUp! button. When it asks you if you want to log off, click on Yes.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. For each of the following files below, check the box that says 'Unregister .dll Before Deleting' if it's not grayed out. Copy and paste each of the following into KillBox (hitting the X button for each file - choose NO when it asks if you want to reboot):

C:\Program Files\Bib cdrom multi\
C:\Program Files\Showwin\ - delete this whole folder using KillBox unless you know what it's for
C:\WINDOWS\frame1.exe
C:\WINDOWS\jssuymzfa.exe
C:\WINDOWS\ldo.sys
C:\WINDOWS\Nail.exe
C:\WINDOWS\System32\DrPMon.dll
C:\WINDOWS\System32\ghq20.exe
C:\WINDOWS\System32\ldo.sys
C:\WINDOWS\System32\srtwia.exe
C:\WINDOWS\System32\TKNFWA.EXE


Delete all the quarantines in this folder -> C:\Program Files\Norton AntiVirus\Quarantine\

Restart and post a new HijackThis and FindIt's log.
  • 0

#13 dailyconfused (Topic Starter, Member, 34 posts)
Here ya go. I thought I posted these with that other log, but they didn't show up.

Logfile of HijackThis v1.99.1
Scan saved at 11:27:49 AM, on 5/15/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
c:\windows\system32\dlmwpdp.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\My Documents\DOWNLOADS\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [jqcwnvl] c:\windows\system32\dlmwpdp.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Microsoft Windows XP [Version 5.1.2600]
The current date is: Sun 05/15/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\System32\DLMWPDP.EXE
* UPX! C:\WINDOWS\SVCPROC.EXE

»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

svcproc.exe
»»»»» Checking for System32\DrPMon.dll.

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C is HypnoFrog
Volume Serial Number is 18A1-900D

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C is HypnoFrog
Volume Serial Number is 18A1-900D

Directory of C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»».


! REG.EXE VERSION 3.0

HKEY_CURRENT_USER\Software\aurora
  • 0
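What the "* UPX!" tag in the Suspect's section of the FindIt's log above is pointing at, as an added example that is not part of the thread or of FindIt's itself: a UPX-packed PE carries section names UPX0/UPX1 and the string UPX! in its loader-info block, and checking for both takes a few lines of Python. The page does not show how the batch file performs its test, so treating its tag as the same check is an assumption. The sample images are constructed, header-only stand-ins (the DLMWPDP.EXE name is taken from the log, its bytes are not), and the log's own caveat applies: packing by itself does not make a file bad.

```python
"""Flag PE files that look UPX-packed, the property behind FindIt's 'UPX!' tag."""
import struct

UPX_SECTIONS = {b"UPX0", b"UPX1", b"UPX2"}  # section names the UPX packer writes
UPX_MARKER = b"UPX!"                       # magic string in the UPX loader info block


def pe_section_names(data):
    """Section names from the PE section table, or [] if this is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return []
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return []
    coff = e_lfanew + 4                           # IMAGE_FILE_HEADER, 20 bytes
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    table = coff + 20 + opt_size                  # section headers, 40 bytes each
    names = []
    for i in range(num_sections):
        off = table + 40 * i
        if off + 40 > len(data):
            break
        names.append(data[off:off + 8].rstrip(b"\0"))
    return names


def upx_indicators(data):
    """UPX indicators present: matching section names and/or the 'UPX!' marker."""
    found = [n.decode("ascii", "replace") for n in pe_section_names(data) if n in UPX_SECTIONS]
    if UPX_MARKER in data:
        found.append("UPX! marker")
    return found


def build_sample_pe(section_names, trailer=b""):
    """Construct a minimal header-only PE image for the example; not a real binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)      # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    table = b"".join(n.ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + table + trailer


# Constructed stand-ins: the first file name is from the FindIt's log above, its bytes are not.
SAMPLE_FILES = {
    r"C:\WINDOWS\System32\DLMWPDP.EXE":
        build_sample_pe([b"UPX0", b"UPX1", b".rsrc"], b"\0" * 16 + b"UPX!"),
    r"C:\WINDOWS\System32\example_unpacked.exe":
        build_sample_pe([b".text", b".data", b".rsrc"]),
    r"C:\WINDOWS\not_a_pe.txt": b"plain text, no MZ header",
}


def triage(files):
    """Path -> UPX indicators, in the spirit of the Suspect's section; [] means not flagged."""
    return {path: upx_indicators(blob) for path, blob in files.items()}


if __name__ == "__main__":
    for path, hits in triage(SAMPLE_FILES).items():
        print(("* UPX! " if hits else "        ") + path, hits)
```

Run as a script, the packed stand-in is flagged with both indicators while the unpacked image and the text file are not. On a real machine you would feed it the files from the Suspect's section and then weigh the result against where the file lives and how it is started; a packed, random-named executable in System32 with its own Run entry is a very different thing from a packed game installer in My Documents.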

#14 greyknight17 (Malware Expert, Visiting Consultant, 16,560 posts)
Download KillBox http://www.atribune....ads/KillBox.exe
Download and install CleanUp http://cleanup.stevengould.org/

Go to My Computer->Tools->Folder Options->View tab and make sure that Show hidden files and folders is enabled. Also make sure that system files and folders are visible. Please make sure System Restore is enabled by right-clicking on My Computer, going to Properties->System Restore and checking that System Restore is enabled (the box should be unchecked). Once you're clean we will turn this off and then create a new restore point.

Close out all open windows and disconnect the computer from any internet access.

1. SKIP

2. Go to Start->Run and type in services.msc and hit OK. Then look for 'System Startup Service (SvcProc)' and double click on it. Click on the Stop button and under Startup type, choose Disabled.

3. Run the CleanUp program you just installed and when prompted to reboot/logoff select NO.

4. Run KillBox. Go to Tools > Delete Temp Files and click OK. Copy and paste the following locations into KillBox one at a time. Check the box that says 'Delete on Reboot' and check the box 'Unregister DLL' (if available). Click the red circle with the white X; it will ask you to confirm the file for deletion, say YES, and when the next box opens prompting you to reboot now, click NO and proceed with the next file. Once you get to the last one, click NO when it asks you to reboot.

**Note** Don't let KillBox reboot the computer...Reboot manually after the fixes for the HijackThis (see below).

C:\Documents and Settings\Owner\Start Menu\Programs\Startup\winlogin.exe
C:\WINDOWS\Nail.exe
C:\WINDOWS\svcproc.exe
c:\windows\system32\dlmwpdp.exe


5. Go to Start->Run and type in cmd and hit OK. Then type in each of the following (hit Enter key after each line):

cd windows
nail.exe /FullRemove
exit


6. Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [jqcwnvl] c:\windows\system32\dlmwpdp.exe
O4 - Global Startup: winlogin.exe

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. While in the Registry Editor, navigate to:

HKEY_CURRENT_USER\Software\ and delete aurora


If any of the above registry keys are giving you problems deleting, right click on them and click on Permissions. Then click on the Advanced button. Make sure the first box (Inherit from parent...) is checked. Click OK and OK. Then try deleting the entry again. Once you're done, close the Registry Editor.

7. Reboot the computer now. Reconnect your internet access and post another FindIt’s log and HijackThis log. Again, try not to restart or shutdown during this time until you do the fixes that I will give you.
  • 0

#15 dailyconfused (Topic Starter, Member, 34 posts)
That winlogin.exe file still won't go away when I use HijackThis to 'fix checked'; it says it's being used.


Logfile of HijackThis v1.99.1
Scan saved at 10:55:03 AM, on 5/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
c:\Program Files\Norton AntiVirus\navapsvc.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
c:\Program Files\Norton AntiVirus\SAVScan.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\LTMSG.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
C:\PROGRA~1\PESTPA~1\PPControl.exe
C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
c:\windows\system32\tnglhn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\My Documents\DOWNLOADS\New Folder\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [mmtask] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe
O4 - HKLM\..\Run: [PPMemCheck] C:\PROGRA~1\PESTPA~1\PPMemCheck.exe
O4 - HKLM\..\Run: [PestPatrol Control Center] C:\PROGRA~1\PESTPA~1\PPControl.exe
O4 - HKLM\..\Run: [CookiePatrol] C:\PROGRA~1\PESTPA~1\CookiePatrol.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [ovxwfzc] c:\windows\system32\tnglhn.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9AA73F41-EC64-489E-9A73-9CD52E528BC4} (ZoneAxRcMgr Class) - http://messenger.zon...ry/ZAxRcMgr.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zon...ro.cab32846.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 05/16/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\System32\TNGLHN.EXE
* UPX! C:\WINDOWS\JSSUYM~1.EXE

* Sniffed C:\WINDOWS\System32\DRPMON.DLL
»»»»» lagitamate file's can/will show in this section.

»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* buddy C:\WINDOWS\JSSUYM~1.EXE

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»» Checking Windir\svcproc.exe and nail.exe.

»»»»» Checking for System32\DrPMon.dll.

DrPMon.dll
»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C is HypnoFrog
Volume Serial Number is 18A1-900D

Directory of C:\WINDOWS\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C is HypnoFrog
Volume Serial Number is 18A1-900D

Directory of C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»».


! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll

! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll
  • 0
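Read side by side, the HijackThis logs in posts #13 and #15 show every point the helper's fix list in post #14 is aimed at: the Shell= line still carries C:\WINDOWS\Nail.exe after Explorer.exe, winlogin.exe (one letter away from winlogon.exe) is still in Global Startup, the random-named HKLM Run entry has changed from [jqcwnvl] dlmwpdp.exe to [ovxwfzc] tnglhn.exe across the reboot, and the reg.exe output names a print monitor, ZepMon, whose driver is DrPMon.dll. The following is an added example, not code from the thread, that makes each of those observations mechanically from excerpts of the two logs. The excerpts are copied from the posts above; the allowlist of stock XP print-monitor DLLs, the list of core binaries and the name-similarity thresholds are assumptions made for the example.

```python
"""Triage helpers for the HijackThis logs and reg.exe output posted above."""
import re

# Excerpts copied from the 5/15 and 5/16 logs in this thread, trimmed to the lines
# the checks need; names and paths are exactly as posted.
LOG_MAY15 = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [jqcwnvl] c:\windows\system32\dlmwpdp.exe
O4 - Global Startup: winlogin.exe
"""
LOG_MAY16 = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [ovxwfzc] c:\windows\system32\tnglhn.exe
O4 - Global Startup: winlogin.exe
"""
REG_DUMP = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon
Driver REG_SZ DrPMon.dll
"""

SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.+)$")
RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
STARTUP_RE = re.compile(r"^O4 - Global Startup: (.+)$")
MONITOR_RE = re.compile(r"\\Print\\Monitors\\([^\\\r\n]+)\r?\n\s*Driver\s+REG_SZ\s+(\S+)")
# Assumed allowlist (stock XP port-monitor DLLs); any other DLL under Print\Monitors
# is loaded by the print spooler at boot, so the key is a persistence point.
KNOWN_MONITOR_DLLS = {"localspl.dll", "tcpmon.dll", "usbmon.dll", "pjlmon.dll"}
CORE_BINARIES = {"winlogon.exe", "svchost.exe", "lsass.exe", "services.exe"}


def shell_extras(log):
    """Programs appended to the Winlogon Shell value; a clean value is just Explorer.exe."""
    for m in filter(None, map(SHELL_RE.match, log.splitlines())):
        progs = [p for p in re.split(r"[,\s]+", m.group(1)) if p]
        return [p for p in progs if p.lower() != "explorer.exe"]
    return []


def run_entries(log):
    """(hive, value name) -> command line for every O4 Run entry."""
    return {(m.group(1), m.group(2)): m.group(3)
            for m in map(RUN_RE.match, log.splitlines()) if m}


def unrelated_name_entries(log):
    """Run entries whose value name and executable stem are bare lowercase words with
    nothing in common; legitimate entries normally name their program (hpsysdrv)."""
    hits = []
    for (_, name), cmd in run_entries(log).items():
        exe = cmd.strip('"').split("\\")[-1].split(" ")[0]
        stem = re.sub(r"\.exe$", "", exe, flags=re.I)
        if (re.fullmatch(r"[a-z]{5,8}", name) and re.fullmatch(r"[a-z]{5,8}", stem)
                and name not in stem and stem not in name):
            hits.append((name, cmd))
    return hits


def rotated_entries(old_log, new_log):
    """Run entries that differ between two logs: the same persistence point under a
    new random name, which is why the helper says not to reboot mid-cleanup."""
    old, new = run_entries(old_log), run_entries(new_log)
    gone = sorted((k[1], v) for k, v in old.items() if k not in new)
    added = sorted((k[1], v) for k, v in new.items() if k not in old)
    return gone, added


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_startup(log):
    """Global Startup items one edit away from a core Windows binary (winlogin vs winlogon)."""
    hits = []
    for m in filter(None, map(STARTUP_RE.match, log.splitlines())):
        item = m.group(1).strip()
        hits += [(item, real) for real in sorted(CORE_BINARIES)
                 if item.lower() != real and levenshtein(item.lower(), real) == 1]
    return hits


def unknown_print_monitors(reg_dump):
    """Print monitors whose Driver DLL is not on the allowlist (here ZepMon -> DrPMon.dll)."""
    return [(name, dll) for name, dll in MONITOR_RE.findall(reg_dump)
            if dll.lower() not in KNOWN_MONITOR_DLLS]


if __name__ == "__main__":
    for check in (shell_extras, unrelated_name_entries, lookalike_startup):
        print(check.__name__, check(LOG_MAY16))
    print("rotated_entries", rotated_entries(LOG_MAY15, LOG_MAY16))
    print("unknown_print_monitors", unknown_print_monitors(REG_DUMP))
```

The name-mismatch heuristic is deliberately narrow (bare lowercase value name and executable stem with nothing in common) so that ordinary entries such as [hpsysdrv] hpsysdrv.exe pass; the cross-log diff is the stronger signal, and it is exactly the behaviour that makes the helper ask for the whole fix list to be applied without a reboot in between. The print-monitor check is the one item here that HijackThis 1.99.1 does not list at all, which is why FindIt's dumps that key separately.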





