infected [RESOLVED]


#1 yemforbin (Member, 12 posts)
My web browser opens to an "update searches" page, I'm getting lots of popups, there's something running in my taskbar with a red circle and white X (I don't know what that is), my background is black with "Caution! Your computer is infected!", and in my Desktop Properties a bunch of tabs are missing.

Wow, that's a lot.
Here's my HijackThis log file:

Logfile of HijackThis v1.99.1
Scan saved at 10:50:41 PM, on 05/06/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\winnook.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
c:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\Robert Turnbull\My Documents\My Received Files\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp5320.tmp
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\System32\LogFiles\A5281300.so
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\winnook.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Microsoft AntiSpyware helper - {E9EDDA2A-5A87-4EE2-BC57-9B0B3C3D4C7D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E9EDDA2A-5A87-4EE2-BC57-9B0B3C3D4C7D} - (no file) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.171.149....chm::/file.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#2 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hello,

It's better to print out the next instructions or save them in Notepad, because you also have to work in Safe Mode without networking support, so this page wouldn't be available then.
It is also important that you don't miss a step and perform everything in the right order!

* Download and install CCleaner
Do not use it yet.

* Please set your system to show all files; please see here if you're unsure how to do this.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.updatesea...earch.php?qq=%1
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.updatesea...earch.php?qq=%1
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.updatesearches.com/
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp5320.tmp
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\System32\LogFiles\A5281300.so
O4 - HKCU\..\Run: [Intel system tool] C:\WINDOWS\System32\winnook.exe
O9 - Extra button: Microsoft AntiSpyware helper - {E9EDDA2A-5A87-4EE2-BC57-9B0B3C3D4C7D} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E9EDDA2A-5A87-4EE2-BC57-9B0B3C3D4C7D} - (no file) (HKCU)
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.171.149....chm::/file.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...ip/RdxIE601.cab


* Click on Fix Checked when finished and exit HijackThis.

* Reboot into Safe Mode (without networking support!):
To get into Safe Mode as the computer is booting, press and hold your F8 key. Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Using Windows Explorer, locate the following files and delete them if still present:

C:\WINDOWS\System32\winnook.exe
C:\WINDOWS\System32\hp5320.tmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\WINDOWS\System32\wldr.dll
C:\Windows\system32\hhk.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\intmon.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe
C:\Windows\system32\shnlog.exe
C:\Windows\desktop.html

Delete the following folders if present:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files
C:\Program Files\Security IGuard

* Still in Safe Mode, run CCleaner and click Run Cleaner (bottom right).

Go to Start > Control Panel > Display Properties > Desktop > Customize Desktop... > Web tab, then uncheck and delete everything you find in there.

* Reboot your system back to normal mode.

* Download http://metallica.gee...m/smitfraud.reg and save it on your desktop.
Double-click on it and, when it asks you if you want to add the content to the registry, click Yes/OK.

* Download the Hoster from HERE. Press "Restore Original Hosts" and press "OK". Exit the program.

* Download: http://www.mvps.org/.../DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

* Perform an online scan with Kaspersky Online and/or BitDefender and let it delete everything it finds.

Post a new HiJackThis log.
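The entries picked out in reply #2 follow a few path and URL rules that can be written down. As an added example, not part of this thread and not HijackThis's own logic, the Python below applies those rules to entry lines quoted from the two logs in this thread: an IE start/search page set to about:blank or to a host outside an allowlist, a missing URLSearchHook, a BHO loaded from something other than a .dll, an autorun value that launches a non-.exe, a well-known binary name running from the wrong directory, a browser registered under Run, an O9 button whose file is gone, and an O16 ActiveX download served over ms-its:/mhtml: or from a bare IP address. The allowlist, the expected-directory table and the never-autorun set are assumptions for the example. Entries the expert removed on reputation alone (winnook.exe and the RdxIE cab) are not caught by path rules; they need a file-name or hash lookup.

```python
import re
from urllib.parse import urlsplit

# Hosts accepted as IE start/search pages (assumed allowlist; extend per machine).
TRUSTED_HOSTS = {"www.google.com", "www.msn.com", "www.microsoft.com", "go.microsoft.com"}

# Where a few well-known binaries normally live (assumed table, lower-case paths).
EXPECTED_DIRS = {
    "msmsgs.exe": r"c:\program files\messenger",
    "ctfmon.exe": r"c:\windows\system32",
}

# Programs that never add themselves to a Run key on a clean install (assumption).
NEVER_AUTORUN = {"iexplore.exe"}

ENTRY = re.compile(r"^(R[0-3]|F\d|O\d+)\s*-\s*(.*)$")
WINPATH = re.compile(r'"?([A-Za-z]:\\.+?\.[A-Za-z0-9]{2,3})"?(?:\s|$)')
IP_URL = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}", re.I)
CHM_URL = re.compile(r"\b(?:ms-its|mhtml):", re.I)

# Entry lines quoted from the two HijackThis logs in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.updatesearches.com/bar.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
R3 - Default URLSearchHook is missing
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: VMHomepage Class - {FFFFFFFF-FFFF-FFFF-FFFF-FFFFFFFFFFFA} - C:\WINDOWS\System32\hp5320.tmp
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [MSN Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [WindowsFZ] C:\WINDOWS\System32\LogFiles\A5281300.so
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O9 - Extra button: Microsoft AntiSpyware helper - {E9EDDA2A-5A87-4EE2-BC57-9B0B3C3D4C7D} - (no file) (HKCU)
O16 - DPF: {14A3221B-1678-1982-A355-7263B1281987} - ms-its:mhtml:file://C:tsk.mht!http://69.50.171.149....chm::/file.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
"""


def parse_hjt(text):
    """Return [(section, body)] for every entry line in a HijackThis log."""
    out = []
    for raw in text.splitlines():
        m = ENTRY.match(raw.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out


def _host(url):
    """Hostname of an IE start/search value; scheme-less values get http:// prefixed."""
    url = url.strip()
    if "://" not in url:
        url = "http://" + url
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def _run_target(body):
    """File launched by an O4 entry: the path after '[name] ' or after '= '."""
    rest = body.split("]", 1)[1] if "]" in body else body.split("=", 1)[-1]
    m = WINPATH.search(rest.strip())
    return m.group(1) if m else ""


def triage(entries):
    """Return [(entry_line, reason)] for entries the heuristics consider suspicious."""
    findings = []
    for sec, body in entries:
        line = f"{sec} - {body}"
        reason = None
        if sec in ("R0", "R1"):
            value = body.split("=", 1)[1].strip() if "=" in body else ""
            if value.lower() == "about:blank" or (value and _host(value) not in TRUSTED_HOSTS):
                reason = "IE start/search page set to an untrusted location"
        elif sec == "R3" and "missing" in body.lower():
            reason = "default URLSearchHook removed; restore it"
        elif sec == "O2":
            if not body.rsplit(" - ", 1)[-1].strip().lower().endswith(".dll"):
                reason = "BHO loaded from a non-.dll file"
        elif sec == "O4":
            target = _run_target(body)
            if not target:
                continue
            low = target.lower()
            folder, _, name = low.rpartition("\\")
            if not low.endswith(".exe"):
                reason = "autorun target is not an .exe"
            elif name in NEVER_AUTORUN:
                reason = "program that does not register itself under Run"
            elif name in EXPECTED_DIRS and folder != EXPECTED_DIRS[name]:
                reason = f"{name} running from {folder} instead of {EXPECTED_DIRS[name]}"
        elif sec == "O9" and "(no file)" in body.lower():
            reason = "extra button/menu item whose DLL is gone"
        elif sec == "O16" and (CHM_URL.search(body) or IP_URL.search(body)):
            reason = "ActiveX download via ms-its/mhtml or from a bare IP address"
        if reason:
            findings.append((line, reason))
    return findings


def flagged_lines(text):
    """Convenience wrapper: just the entry lines that triage() flags."""
    return [line for line, _ in triage(parse_hjt(text))]


if __name__ == "__main__":
    for line, why in triage(parse_hjt(SAMPLE_LOG)):
        print(f"{why}\n    {line}")
```

Running it prints nine flagged entries and stays silent on the Symantec, SpywareGuard, ctfmon and HouseCall lines. The rules are deliberately narrow: a hit means "look at this", and a clean result means nothing more than "the path looks normal".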

#3 yemforbin (Topic Starter, 12 posts)
Alright, I followed all the instructions. Thank you so much for the help. One question: I ran both Kaspersky Online and BitDefender and they both found viruses they didn't delete. Do I just delete all the files manually? I have logs of both.

here's my new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:36:33 PM, on 17/06/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Robert Turnbull\My Documents\My Received Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
R3 - Default URLSearchHook is missing
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#4 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hello,

Just some leftovers in HijackThis to fix:

R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [iexplore.exe] C:\Program Files\Internet Explorer\iexplore.exe


For the files that the online scanner couldn't delete, can you post them in your next reply?
I want to take a look at them first.
Also, how is your desktop looking now?
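The question in reply #3 (scanner hits that were not deleted) is one the expert answers by first looking at where each hit lives. As an added example, not from the thread and not from either scanner, the Python below sorts Kaspersky-style "path Infected: name" lines into buckets that each call for a different action: a System Restore snapshot (inert until someone restores it), the resident AV's own quarantine, a HijackThis backup, an alternate data stream riding on a host file, a protected OS file that must be replaced rather than deleted, and a live file to remove in Safe Mode. The sample lines are quoted from the Kaspersky log in reply #5; the protected-file list and the action text are assumptions for the example.

```python
import re
from collections import Counter

# Lines quoted from the Kaspersky online-scan log posted in reply #5 of this thread.
SAMPLE_SCAN = r"""
C:\Documents and Settings\Robert Turnbull\My Documents\My Received Files\HijackThis\backups\backup-20050617-163214-100.dll Infected: Trojan.Win32.Puper.m
C:\ms32.tmp Infected: Trojan-Downloader.Win32.Small.azk
C:\Program Files\Norton AntiVirus\Quarantine\1E6F512A.zip/BlackBox.class Infected: Exploit.Java.ByteVerify
C:\Program Files\Norton AntiVirus\Quarantine\200E2561.exe Infected: Trojan.Win32.Puper.h
C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP49\A0012764.EXE Infected: Trojan-Downloader.Win32.Small.asf
C:\WINDOWS\GetServer.ini:aoijjj:$DATA Infected: Trojan-Downloader.Win32.Agent.bc
C:\WINDOWS\HLInstaller6b.exe/data0000 Infected: Backdoor.Win32.Agent.bg
C:\WINDOWS\sysls32.exe Infected: Trojan-Downloader.Win32.Agent.bq
C:\WINDOWS\system32\wininet.dll Infected: Virus.Win32.Nsag.a
"""

# OS files that must be replaced with a clean copy, never deleted (assumed short list).
PROTECTED_OS_FILES = {r"c:\windows\system32\wininet.dll"}

# Recommended handling per bucket (the example's own wording, not the scanner's).
ACTIONS = {
    "restore_point": "inert unless a restore is run; flush by turning System Restore off and on after cleanup",
    "av_quarantine": "already contained by the resident AV; purge it from that AV's quarantine",
    "hjt_backup": "HijackThis backup of an entry already fixed; delete once the machine is confirmed clean",
    "ads": "alternate data stream riding on a host file; remove the stream or the host file by hand",
    "system_file": "patched OS file; replace with a known-good copy, do not delete",
    "live": "active malware on disk; delete from Safe Mode",
}

# NTFS stream syntax at the end of a path: file:streamname:$DATA
ADS_SUFFIX = re.compile(r":[^\\/:]+:\$data$")


def parse_kav(text):
    """Yield (path, detection) from 'path Infected: name' lines; anything else is skipped."""
    for raw in text.splitlines():
        if " Infected: " not in raw:
            continue
        path, detection = raw.rsplit(" Infected: ", 1)
        yield path.strip(), detection.strip()


def classify(path):
    """Bucket a reported object by where it lives on disk."""
    container = path.split("/", 1)[0]  # "x.zip/member" means the file on disk is x.zip
    low = container.lower()
    if "\\system volume information\\_restore" in low:
        return "restore_point"
    if "\\quarantine\\" in low:
        return "av_quarantine"
    if "\\hijackthis\\backups\\" in low:
        return "hjt_backup"
    if ADS_SUFFIX.search(low):
        return "ads"
    if low in PROTECTED_OS_FILES:
        return "system_file"
    return "live"


def triage_scan(text):
    """One record per scanner hit: path, detection, bucket and the action it calls for."""
    rows = []
    for path, detection in parse_kav(text):
        bucket = classify(path)
        rows.append({"path": path, "detection": detection, "bucket": bucket, "action": ACTIONS[bucket]})
    return rows


def summarize(text):
    """Count hits per bucket; shows how much of a long log is actually live."""
    return Counter(r["bucket"] for r in triage_scan(text))


if __name__ == "__main__":
    for r in triage_scan(SAMPLE_SCAN):
        print(f"[{r['bucket']}] {r['path']}\n    {r['detection']} -> {r['action']}")
    print(dict(summarize(SAMPLE_SCAN)))
```

On the full log in reply #5 most hits fall into the restore-point and quarantine buckets, which is why a long scanner report after cleanup is not by itself a sign the machine is still infected; the handful of live entries and the patched system DLL are the ones that need hands-on work.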

#5 yemforbin (Topic Starter, 12 posts)
Here are 3 logs:

Kaspersky Log:

Infected Object Name | Virus Name
C:\Documents and Settings\Robert Turnbull\My Documents\My Received Files\HijackThis\backups\backup-20050617-163214-100.dll Infected: Trojan.Win32.Puper.m

C:\ms32.tmp Infected: Trojan-Downloader.Win32.Small.azk

C:\Program Files\Norton AntiVirus\Quarantine\1E6F512A.zip/BlackBox.class Infected: Exploit.Java.ByteVerify

C:\Program Files\Norton AntiVirus\Quarantine\1E6F512A.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify

C:\Program Files\Norton AntiVirus\Quarantine\1E6F512A.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa

C:\Program Files\Norton AntiVirus\Quarantine\1E6F512A.zip Infected: Trojan-Downloader.Java.OpenConnection.aa

C:\Program Files\Norton AntiVirus\Quarantine\200E2561.exe Infected: Trojan.Win32.Puper.h

C:\Program Files\Norton AntiVirus\Quarantine\206D66F9.exe Infected: Trojan.Win32.Agent.ct

C:\Program Files\Norton AntiVirus\Quarantine\20D52686.so Infected: Trojan-Dropper.Win32.Small.zi

C:\Program Files\Norton AntiVirus\Quarantine\407D1B0E.exe Infected: Trojan-Downloader.Win32.Zlob.j

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP49\A0012764.EXE Infected: Trojan-Downloader.Win32.Small.asf

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP53\A0013868.exe Infected: Trojan-Downloader.Win32.Zlob.j

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP53\A0013869.exe Infected: Backdoor.Win32.Agent.bg

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP53\A0013923.exe Infected: Trojan.Win32.Favadd.y

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP53\snapshot\MFEX-1.DAT Infected: Virus.Win32.Nsag.a

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP54\A0013932.exe Infected: Trojan.Win32.Zapchast

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP54\A0013933.exe Infected: Trojan.Win32.Zapchast

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP54\A0013934.dll Infected: Trojan-Clicker.Win32.Agent.dj

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP54\snapshot\MFEX-1.DAT Infected: Virus.Win32.Nsag.a

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP55\A0014037.exe Infected: Trojan.Win32.Zapchast

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP55\A0014038.exe Infected: Trojan.Win32.Zapchast

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP55\A0014039.dll Infected: Trojan-Clicker.Win32.Agent.dj

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP56\A0014049.exe Infected: Trojan.Win32.Zapchast

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP56\A0014050.exe Infected: Trojan.Win32.Zapchast

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP56\A0014051.dll Infected: Trojan-Clicker.Win32.Agent.dj

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014059.exe Infected: Trojan.Win32.Zapchast

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014060.exe Infected: Trojan.Win32.Zapchast

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014061.dll Infected: Trojan-Clicker.Win32.Agent.dj

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014074.exe Infected: Trojan.Win32.Zapchast

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014142.exe Infected: Trojan.Win32.Zapchast

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014143.dll Infected: Trojan-Clicker.Win32.Agent.dj

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014157.exe Infected: Trojan.Win32.Zapchast

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014158.dll Infected: Trojan-Clicker.Win32.Agent.dj

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014160.exe Infected: Trojan-Downloader.Win32.Zlob.j

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014164.exe Infected: Trojan.Win32.Puper.h

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014165.exe Infected: Trojan-Clicker.Win32.Agent.cr

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014166.exe Infected: Trojan-Clicker.Win32.Agent.dj

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014167.exe Infected: Trojan.Win32.Zapchast

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014173.exe Infected: Trojan.Win32.Favadd.z

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014179.exe Infected: Trojan.Win32.Puper.m

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014180.exe Infected: Trojan-Clicker.Win32.Agent.dj

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014181.dll Infected: Trojan-Clicker.Win32.Agent.dj

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014186.exe Infected: Trojan.Win32.Puper.m

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014187.exe Infected: Trojan-Clicker.Win32.Agent.dj

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014188.dll Infected: Trojan.Win32.Puper.m

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014193.exe Infected: Trojan.Win32.Puper.m

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014194.exe Infected: Trojan-Clicker.Win32.Agent.dj

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014195.dll Infected: Trojan.Win32.Puper.m

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014200.exe Infected: Trojan.Win32.Puper.m

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014201.exe Infected: Trojan-Clicker.Win32.Agent.dj

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014202.dll Infected: Trojan.Win32.Puper.m

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP60\A0014219.exe Infected: Trojan.Win32.Puper.m

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP60\A0014222.exe Infected: Trojan.Win32.Puper.m

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP60\A0014226.exe Infected: Trojan-Clicker.Win32.Agent.dj

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP60\A0014227.dll Infected: Trojan.Win32.Puper.m

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP61\A0014246.exe Infected: Trojan-Clicker.Win32.Agent.dj

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP61\A0014247.dll Infected: Trojan.Win32.Puper.m

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP62\A0014269.exe Infected: Trojan-Clicker.Win32.Agent.dj

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP62\A0014270.dll Infected: Trojan.Win32.Puper.m

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP63\A0014277.exe Infected: Trojan-Clicker.Win32.Agent.dj

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP63\A0014278.dll Infected: Trojan.Win32.Puper.m

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP64\A0014296.exe Infected: Trojan-Clicker.Win32.Agent.dj

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP64\A0014297.dll Infected: Trojan.Win32.Puper.m

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP65\A0014305.exe Infected: Trojan-Clicker.Win32.Agent.dj

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP65\A0014306.dll Infected: Trojan.Win32.Puper.m

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP65\A0014307.exe Infected: Trojan-Downloader.Win32.Agent.ns

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP66\A0014367.exe Infected: Trojan-Clicker.Win32.Agent.dj

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP66\A0014368.dll Infected: Trojan.Win32.Puper.m

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP67\A0014399.exe Infected: Trojan.Win32.Puper.l

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP67\A0014400.dll Infected: Trojan.Win32.Puper.m

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP67\A0014401.exe Infected: Trojan.Win32.Favadd.aa

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP67\A0014402.exe Infected: Trojan-Clicker.Win32.Small.ge

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP67\A0014403.exe Infected: Trojan-Clicker.Win32.Agent.dj

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP67\A0014404.exe Infected: Trojan-Clicker.Win32.Agent.dj

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP77\A0014679.exe Infected: Trojan.Win32.TopAntiSpyware.l

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP77\A0014680.dll Infected: Trojan-Downloader.Win32.Agent.le

C:\WINDOWS\GetServer.ini:aoijjj:$DATA Infected: Trojan-Downloader.Win32.Agent.bc

C:\WINDOWS\HLInstaller6b.exe/data0000 Infected: Backdoor.Win32.Agent.bg

C:\WINDOWS\HLInstaller6b.exe Infected: Backdoor.Win32.Agent.bg

C:\WINDOWS\sysls32.exe Infected: Trojan-Downloader.Win32.Agent.bq

C:\WINDOWS\system32\oleadm.dll Infected: Trojan-Downloader.Win32.Agent.ns

C:\WINDOWS\system32\wininet.dll Infected: Virus.Win32.Nsag.a

Bit Defender Log:

Scanned File | Status
C:\Documents and Settings\Robert Turnbull\My Documents\My Received Files\HijackThis\backups\backup-20050617-163214-100.dll | Infected with: Trojan.Puper.M; Disinfection failed; Deleted
C:\Program Files\InterMute\SpySubtract\usrwl.dat | Suspected of: Exploit.Html.MhtRedir.Gen; Disinfection failed; Deleted
C:\Program Files\Norton AntiVirus\Quarantine\200E2561.exe=>(Quarantine-2) | Infected with: Dropped:Trojan.Puper.J; Disinfection failed; Deleted
C:\Program Files\Norton AntiVirus\Quarantine\206D66F9.exe=>(Quarantine-2) | Infected with: Trojan.Agent.CT; Disinfection failed; Deleted
C:\Program Files\Norton AntiVirus\Quarantine\407D1B0E.exe=>(Quarantine-2) | Infected with: BehavesLike:Win32.ExplorerHijack; Disinfection failed; Deleted
C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP49\A0012764.EXE | Infected with: Trojan.Downloader.Small.ASF; Disinfection failed; Deleted
C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP53\A0013868.exe | Infected with: BehavesLike:Win32.ExplorerHijack; Disinfection failed; Deleted
C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP53\A0013869.exe | Infected with: Backdoor.Agent.BG; Disinfection failed; Deleted
C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP53\A0013923.exe | Infected with: Trojan.Favadd.Y; Disinfection failed; Deleted
C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP54\A0013932.exe | Infected with: Trojan.Puper.C; Disinfection failed; Deleted
C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP54\A0013933.exe | Infected with: Trojan.Puper.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP54\A0013934.dll | Infected with: Trojan.Puper.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP55\A0014037.exe | Infected with: Trojan.Puper.C; Disinfection failed; Deleted
C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP55\A0014038.exe | Infected with: Trojan.Puper.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP55\A0014039.dll | Infected with: Trojan.Puper.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP56\A0014049.exe | Infected with: Trojan.Puper.C; Disinfection failed; Deleted
C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP56\A0014050.exe | Infected with: Trojan.Puper.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP56\A0014051.dll | Infected with: Trojan.Puper.D; Disinfection failed; Deleted
C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014059.exe | Infected with: Trojan.Puper.D

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014059.exe
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014059.exe
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014060.exe
Infected with: Trojan.Puper.C

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014060.exe
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014060.exe
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014061.dll
Infected with: Trojan.Puper.D

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014061.dll
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014061.dll
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014074.exe
Infected with: Trojan.Puper.C

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014074.exe
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014074.exe
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014142.exe
Infected with: Trojan.Puper.D

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014142.exe
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014142.exe
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014143.dll
Infected with: Trojan.Puper.D

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014143.dll
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014143.dll
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014157.exe
Infected with: Trojan.Puper.D

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014157.exe
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014157.exe
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014158.dll
Infected with: Trojan.Puper.D

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014158.dll
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014158.dll
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014160.exe
Infected with: BehavesLike:Win32.ExplorerHijack

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014160.exe
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP58\A0014160.exe
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014164.exe
Infected with: Trojan.Puper.C

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014164.exe
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014164.exe
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014165.exe
Infected with: Trojan.Clicker.Agent.CR

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014165.exe
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014166.exe
Infected with: Trojan.Puper.D

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014166.exe
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014166.exe
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014167.exe
Infected with: Trojan.Puper.D

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014167.exe
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014167.exe
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014173.exe
Infected with: Trojan.Favadd.Z

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014173.exe
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014173.exe
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014179.exe
Infected with: Trojan.Puper.M

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014179.exe
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014179.exe
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014181.dll
Infected with: Trojan.Puper.D

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014181.dll
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014181.dll
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014186.exe
Infected with: Trojan.Puper.M

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014186.exe
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014186.exe
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014188.dll
Infected with: Trojan.Puper.M

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014188.dll
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014188.dll
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014193.exe
Infected with: Trojan.Puper.M

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014193.exe
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014193.exe
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014195.dll
Infected with: Trojan.Puper.M

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014195.dll
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014195.dll
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014200.exe
Infected with: Trojan.Puper.M

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014200.exe
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014200.exe
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014202.dll
Infected with: Trojan.Puper.M

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014202.dll
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP59\A0014202.dll
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP60\A0014219.exe
Infected with: Trojan.Puper.M

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP60\A0014219.exe
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP60\A0014219.exe
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP60\A0014222.exe
Infected with: Trojan.Puper.M

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP60\A0014222.exe
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP60\A0014222.exe
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP60\A0014227.dll
Infected with: Trojan.Puper.M

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP60\A0014227.dll
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP60\A0014227.dll
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP61\A0014247.dll
Infected with: Trojan.Puper.M

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP61\A0014247.dll
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP61\A0014247.dll
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP62\A0014270.dll
Infected with: Trojan.Puper.M

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP62\A0014270.dll
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP62\A0014270.dll
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP63\A0014278.dll
Infected with: Trojan.Puper.M

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP63\A0014278.dll
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP63\A0014278.dll
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP64\A0014297.dll
Infected with: Trojan.Puper.M

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP64\A0014297.dll
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP64\A0014297.dll
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP65\A0014306.dll
Infected with: Trojan.Puper.M

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP65\A0014306.dll
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP65\A0014306.dll
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP65\A0014307.exe
Infected with: Trojan.Downloader.Agent.NS

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP65\A0014307.exe
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP65\A0014307.exe
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP66\A0014368.dll
Infected with: Trojan.Puper.M

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP66\A0014368.dll
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP66\A0014368.dll
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP67\A0014399.exe
Infected with: Dropped:Trojan.Puper.M

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP67\A0014399.exe
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP67\A0014399.exe
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP67\A0014400.dll
Infected with: Trojan.Puper.M

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP67\A0014400.dll
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP67\A0014400.dll
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP67\A0014401.exe
Infected with: Trojan.Favadd.AA

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP67\A0014401.exe
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP67\A0014401.exe
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP67\A0014402.exe
Infected with: Trojan.Clicker.Small.GE

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP67\A0014402.exe
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP67\A0014402.exe
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP67\A0014403.exe
Infected with: Dropped:Trojan.Puper.M

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP67\A0014403.exe
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP67\A0014403.exe
Deleted

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP77\A0014679.exe
Infected with: Trojan.TopAntiSpyware.L

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP77\A0014679.exe
Disinfection failed

C:\System Volume Information\_restore{B2E13941-C488-45C6-A30C-48E541B799D7}\RP77\A0014679.exe
Deleted

C:\WINDOWS\HLInstaller6b.exe
Infected with: Backdoor.Agent.BG

C:\WINDOWS\HLInstaller6b.exe
Disinfection failed

C:\WINDOWS\HLInstaller6b.exe
Deleted

C:\WINDOWS\sysls32.exe
Infected with: Trojan.Downloader.Agent.BQ

C:\WINDOWS\sysls32.exe
Disinfection failed

C:\WINDOWS\sysls32.exe
Deleted

C:\WINDOWS\system32\HyperLinker6.exe
Infected with: Trojan.Multidr.MH

C:\WINDOWS\system32\HyperLinker6.exe
Disinfection failed

C:\WINDOWS\system32\HyperLinker6.exe
Deleted

C:\WINDOWS\system32\oleadm.dll
Infected with: Trojan.Downloader.Agent.NS

C:\WINDOWS\system32\oleadm.dll
Disinfection failed

C:\WINDOWS\system32\oleadm.dll
Delete failed


New HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:07:25 PM, on 17/06/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Robert Turnbull\My Documents\My Received Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0
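The scan log above has a fixed shape per file (path, then "Infected with: …", then the result of each attempted action). As an added example, not a tool from this thread or from BitDefender, this Python script parses that shape and separates what still needs action from what is already handled; the log text inside it is constructed in the same format, with the restore-point GUID replaced by a placeholder.

```python
"""Triage a BitDefender-style scan log of the kind pasted above.

Added example for this thread, not a BitDefender or Geeks to Go tool.
The assumed format is the one visible in the post: a file path, then on the
next line either "Infected with: <name>", "Disinfection failed", "Deleted"
or "Delete failed", with a blank line between records.
"""
import re
from collections import OrderedDict

# Constructed sample in the same shape as the pasted log (paths taken from the
# thread; the restore-point GUID is replaced by a placeholder).
SAMPLE_LOG = """\
C:\\System Volume Information\\_restore{GUID-PLACEHOLDER}\\RP53\\A0013869.exe
Infected with: Backdoor.Agent.BG

C:\\System Volume Information\\_restore{GUID-PLACEHOLDER}\\RP53\\A0013869.exe
Disinfection failed

C:\\System Volume Information\\_restore{GUID-PLACEHOLDER}\\RP53\\A0013869.exe
Deleted

C:\\WINDOWS\\sysls32.exe
Infected with: Trojan.Downloader.Agent.BQ

C:\\WINDOWS\\sysls32.exe
Disinfection failed

C:\\WINDOWS\\sysls32.exe
Deleted

C:\\WINDOWS\\system32\\oleadm.dll
Infected with: Trojan.Downloader.Agent.NS

C:\\WINDOWS\\system32\\oleadm.dll
Disinfection failed

C:\\WINDOWS\\system32\\oleadm.dll
Delete failed
"""

# Copies inside a System Restore point are inert until a restore is performed.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore", re.IGNORECASE)


def parse_log(text):
    """Return an ordered dict: path -> {"detection": str, "actions": [str]}.

    Records are (path, status) line pairs separated by blank lines; the status
    line is either "Infected with: X" or the result of an action.
    """
    entries = OrderedDict()
    lines = [ln.rstrip("\r") for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        if not lines[i].strip():
            i += 1
            continue
        path = lines[i].strip()
        status = lines[i + 1].strip() if i + 1 < len(lines) else ""
        rec = entries.setdefault(path, {"detection": None, "actions": []})
        if status.startswith("Infected with:"):
            rec["detection"] = status.split(":", 1)[1].strip()
        elif status:
            rec["actions"].append(status)
        i += 2
    return entries


def triage(entries):
    """Split results into what still needs attention and what is handled.

    A live file is unresolved if its last recorded action is not "Deleted".
    Restore-point copies are listed separately, since the thread deals with
    them as a last step by clearing System Restore.
    """
    unresolved, restore_points, cleaned = [], [], []
    for path, rec in entries.items():
        final = rec["actions"][-1] if rec["actions"] else "(no action)"
        if RESTORE_RE.search(path):
            restore_points.append(path)
        elif final == "Deleted":
            cleaned.append(path)
        else:
            unresolved.append((path, rec["detection"], final))
    return {"unresolved": unresolved, "restore_points": restore_points,
            "cleaned": cleaned}


if __name__ == "__main__":
    result = triage(parse_log(SAMPLE_LOG))
    for path, det, final in result["unresolved"]:
        print(f"STILL PRESENT: {path}  [{det}]  last result: {final}")
    print(f"{len(result['cleaned'])} live file(s) deleted, "
          f"{len(result['restore_points'])} restore-point copies")
```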

#6
yemforbin
Member
  • Topic Starter
  • 12 posts
and my desktop seems to be cured.
  • 0

#7
miekiemoes
Malware Expert
  • 5,503 posts
  • MVP
Hello,

Most of them are flagged in the quarantine/backup folders of your virus scanner/antispyware scanners, so don't worry about that.
Also in your system restore points, but we'll deal with that as a last step.

First of all, open your Norton AntiVirus, select the quarantine option and delete everything in there.
Then, open HijackThis, click Config (bottom right)
Choose Misc Tools
Choose 'Open ADS Spy'
Check: Ignore safe system info streams! Important!
Click Scan, check everything that's in there and choose 'Remove selected'

Delete the next files manually (better in Safe Mode) if still present!

C:\ms32.tmp
C:\WINDOWS\system32\oleadm.dll
C:\WINDOWS\sysls32.exe
C:\WINDOWS\HLInstaller6b.exe
C:\WINDOWS\system32\HyperLinker6.exe

Open Notepad and copy and paste the next contents into it:

dir C:\wininet.dll /a h /s > files.txt
start notepad files.txt

Save this as look.bat
Choose to save as all files and double-click on it.
Notepad will open with some text in it; copy and paste this in your next reply.

The wininet.dll is an important system file, but it is infected.
You may not delete it, because it can cause your system to crash, so just wait for my instructions to deal with it.
  • 0

#8
yemforbin
Member
  • Topic Starter
  • 12 posts
Can't seem to figure out how to delete the quarantined stuff in Norton.
There's a quarantined items report, but it says there are no quarantined items.
  • 0

#9
yemforbin
Member
  • Topic Starter
  • 12 posts
Won't let me delete C:\WINDOWS\system32\oleadm.dll

look.bat log:

Volume in drive C has no label.
Volume Serial Number is 78DF-CEC5

Directory of C:\WINDOWS\$NtUninstallKB834707-IE6-20040929.115007$

23/08/2001 07:00 AM 593,920 wininet.dll
1 File(s) 593,920 bytes

Directory of C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819

04/08/2004 02:56 AM 656,384 wininet.dll
1 File(s) 656,384 bytes

Directory of C:\WINDOWS\system32

08/01/2004 03:23 PM 585,216 wininet.dll
1 File(s) 585,216 bytes

Directory of C:\WINDOWS\system32\dllcache

08/01/2004 03:23 PM 585,216 wininet.dll
1 File(s) 585,216 bytes
  • 0

#10
miekiemoes
Malware Expert
  • 5,503 posts
  • MVP
Those quarantined items could already have been deleted by BitDefender.

OK, let's try the next thing...
There is also a wininet.dll present in your C:\windows\system32\dllcache folder.
This is a hidden folder, so make sure you have your hidden folders and files visible + extensions visible:

Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

Go to your C:\Windows\system32 folder and rename the bad wininet.dll to wininet.old
Go to your C:\Windows\system32\dllcache folder, right-click on the good wininet.dll and choose Copy.
Go back to your C:\Windows\system32 folder, right-click anywhere in that folder and choose Paste.
It could be possible you'll get an error saying the file already exists.
If it gives an error again, reboot.
Check afterwards if there is a new wininet.dll in your system32 folder and if the wininet.old is also present.
In my case there was, not sure where it came from though, so it's better to upload and scan that new C:\Windows\system32\wininet.dll on the next site:

http://virusscan.jotti.org/

Let it scan and post the results in your next reply.

Try to delete C:\WINDOWS\system32\oleadm.dll again afterwards.
If you can't delete it, open HijackThis, Config > Misc Tools > Delete on reboot option, and in the field copy and paste C:\WINDOWS\system32\oleadm.dll and click Open.
HijackThis will tell you that this file will be deleted on the next reboot and ask if you want to reboot now; click Yes.
  • 0
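The look.bat step in post #7 (find every wininet.dll with dir /s) and the compare-against-dllcache step above can be done in one pass. As an added example, not from this thread's author or from any tool it names, this Python script walks a Windows root, hashes every copy of wininet.dll and reports which ones differ from the dllcache reference, treating the dllcache copy as the trusted one just as the post does; the directory tree and file contents it builds for demonstration are constructed stand-ins.

```python
"""Locate every copy of a system DLL under a Windows root, hash each copy and
flag the ones that differ from the protected dllcache copy.

Added example for this thread, not code from the thread's author or from any
tool it names. It automates what look.bat (dir /s) and the manual
compare-with-dllcache step do by hand; the locations in the constructed
sample tree mirror the look.bat output posted above.
"""
import hashlib
import os
import tempfile


def hash_file(path):
    """Return (size, md5, sha256) for one file, read in chunks.

    The MD5 is the value a Jotti-style multi-scanner report shows, so it can
    be compared directly with such a report.
    """
    md5, sha = hashlib.md5(), hashlib.sha256()
    size = 0
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha.update(chunk)
            size += len(chunk)
    return size, md5.hexdigest(), sha.hexdigest()


def find_copies(windows_root, name="wininet.dll"):
    """Walk windows_root like 'dir /s' and return {path: (size, md5, sha256)}
    for every file whose name matches, case-insensitively (hidden folders
    such as dllcache are included; no Explorer settings are needed)."""
    found = {}
    for dirpath, _dirs, files in os.walk(windows_root):
        for fn in files:
            if fn.lower() == name.lower():
                full = os.path.join(dirpath, fn)
                found[full] = hash_file(full)
    return found


def compare_with_dllcache(windows_root, name="wininet.dll"):
    """Treat system32\\dllcache\\<name> (Windows File Protection's pristine
    copy) as the reference, as the post above does, and report which copies
    match it and which do not.

    Returns (reference_path_or_None, matching_paths, differing_paths); when
    no dllcache copy exists, every copy is reported as differing.
    """
    copies = find_copies(windows_root, name)
    ref = os.path.normcase(os.path.join(windows_root, "system32", "dllcache", name))
    ref_key = next((p for p in copies if os.path.normcase(p) == ref), None)
    if ref_key is None:
        return None, [], sorted(copies)
    ref_sha = copies[ref_key][2]
    matching = sorted(p for p, v in copies.items() if v[2] == ref_sha and p != ref_key)
    differing = sorted(p for p, v in copies.items() if v[2] != ref_sha)
    return ref_key, matching, differing


def build_sample_tree():
    """Build a throwaway tree shaped like the look.bat output in the thread:
    a tampered system32 copy, a clean dllcache copy, a clean update-cache copy
    and an older uninstall-folder copy. File contents are constructed stand-ins,
    not real DLL bytes. Returns the root path."""
    root = tempfile.mkdtemp(prefix="winroot_")
    clean = b"MZ" + b"\x00" * 64 + b"clean wininet"
    tampered = clean + b"\x90" * 8          # same prefix, extra appended bytes
    layout = {
        os.path.join("system32", "dllcache"): clean,
        "system32": tampered,
        os.path.join("SoftwareDistribution", "Download", "16b2c96a"): clean,
        "$NtUninstallKB834707$": b"MZ old build",
    }
    for sub, data in layout.items():
        folder = os.path.join(root, sub)
        os.makedirs(folder, exist_ok=True)
        with open(os.path.join(folder, "wininet.dll"), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    ref, same, diff = compare_with_dllcache(root)
    print("reference:", ref, "md5", hash_file(ref)[1])
    for p in diff:
        size, md5, _ = hash_file(p)
        print(f"DIFFERS  {p}  {size} bytes  md5={md5}")
    for p in same:
        print(f"matches  {p}")
```

On a real machine, call compare_with_dllcache with the Windows folder as the root; a system32 copy that differs from dllcache is the one to scan before trusting it.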

#11
yemforbin
Member
  • Topic Starter
  • 12 posts
virusscan.jotti results:


File: wininet.dll
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 6626545292428ae1ed5b4237404b346a
Packers detected: -
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found nothing
  • 0

#12
yemforbin
Member
  • Topic Starter
  • 12 posts
got rid of C:\WINDOWS\system32\oleadm.dll
new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 2:45:00 AM, on 18/06/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\devldr32.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Robert Turnbull\My Documents\My Received Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = www.google.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = www.google.com
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\SpySub.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
  • 0

#13
miekiemoes
Malware Expert
  • 5,503 posts
  • MVP
Great, it seems we also fixed that.
Now we are going to take care of those system restore points.

Note: this will delete all your system restore points and the malware that was present in them.
How to disable system restore in XP
Reboot, and after rebooting enable it again, so a new system restore point will be made. A clean one now! :tazz:

To keep this clean in the future, I would suggest the following things:

Most important thing here --- visit asap http://windowsupdate.microsoft.com to download and install all the updates and security patches!!

Install SpywareBlaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

Avoid illegal sites, because that's where most malware is present.

Let your antispyware scanner(s) scan frequently, and don't forget to update them first.

And I do suggest you perform an online virus scan once in a while (Kaspersky online and/or BitDefender), because what one virus scanner can't find, another one maybe can.
Also make sure that your virus scanner, the one that is installed on your system, is always up to date!

Make sure your Windows has the latest updates: http://windowsupdate.microsoft.com/

More info on how to prevent malware you can also find here (by Tony Klein).

Happy surfing again! ;)
  • 0

#14
yemforbin
Member
  • Topic Starter
  • 12 posts
thank you so very much!
  • 0

#15
miekiemoes
Malware Expert
  • 5,503 posts
  • MVP
Glad I could help you. :tazz:
  • 0





