Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

HiJackThis Log [CLOSED]

Started by centrus , Jul 08 2005 08:09 PM

This topic is locked

#1
centrus

Posted 08 July 2005 - 08:09 PM

Member

Member
10 posts

ive been getting a lot of random popups that just appear out of nowhere. im not even using IE, and they keep coming up. i recently had to delete some program called AdDestroyer which just spontaneously appeared. another program called OIN (OuterInfo Network) also keeps appearing and it reinstalls itself after i attempt to uninstall it. i have already tried everything you guys suggested in the "you must read here" post, and they still come up. please help!

heres the log:

Logfile of HijackThis v1.99.1
Scan saved at 12:19:01 PM, on 7/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\pnarjn.exe
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
C:\WINDOWS\System32\vidctrl\vidctrl.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\wintask.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\avtapi.exe
C:\Program Files\rtrt\erso.exe
C:\WINDOWS\System32\r?ndll.exe
C:\Program Files\Cas\Client\casclient.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Nikon\NkView6\NkvMon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\Gary\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Gary\Application Data\Mozilla\Profiles\default\s1jivp5f.slt\prefs.js)
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfgmgr52.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4A25D449-2BAA-4426-A992-D18CA70CF5A9} - C:\WINDOWS\SYSTEM32\yx4kpne.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {62DE1251-9B4D-2CB3-D502-625508F37346} - C:\WINDOWS\System32\kwg.dll (file missing)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\pnarjn.exe reg_run
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [vidctrl] C:\WINDOWS\System32\vidctrl\vidctrl.exe
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKCU\..\Run: [Steam] C:\Programs\Shoutcast\Steam.exe -silent
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [avtapi] C:\WINDOWS\System32\avtapi.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Boou] C:\Program Files\rtrt\erso.exe
O4 - HKCU\..\Run: [Mdtr] C:\WINDOWS\System32\r?ndll.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: NkvMon.exe.lnk = C:\Program Files\Nikon\NkView6\NkvMon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\dQd8thk.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

Edited by centrus, 09 July 2005 - 01:20 PM.

#2
Buckeye_Sam

Posted 13 July 2005 - 10:57 AM

Malware Expert

Member
10,019 posts

Hello and welcome to Geeks To Go. My name is Sam and I will be helping you.
Lets start out with some general scans and see if we cant clean things up a little.

+++++ Step 1 +++++

Please download Ewido security suite it is a trial version of the program.

Install Ewido security suite
Launch Ewido, there should be an icon on your desktop double-click it.
The program will prompt you to update click the OK button
The program will now go to the main screen

You will need to update ewido to the latest definition files.

On the left hand side of the main screen click update
Click on Start

The update will start and a progress bar will show the updates being installed.
Once the updates are installed do the following:

Click on scanner
Make sure the following boxes are checked before scanning:
- Binder
- Crypter
- Archives
Click on Start Scan
Let the program scan the machine

While the scan is in progress you will be prompted to clean files, click OK

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

Click Save report
Save the report to your desktop

+++++ Step 2 +++++

Please run an on-line virus scan at Kaspersky OnLine Scan or if that doesnt work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply)

+++++ Step 3 +++++

After that, I will need to see two different logs from HiJackThis. The first is the normal log like you posted here. To get the other one, follow these directions.

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Post back with those logs and we can continue from there.

If you have recieved help elsewhere or no longer need our assistance, please let us know.

#3
centrus

Posted 13 July 2005 - 05:41 PM

Member

Topic Starter
Member
10 posts

thanks for the response :tazz:

heres the logs

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 4:37:29 PM, 7/13/2005
+ Report-Checksum: DC520CE7

+ Scan result:

C:\Documents and Settings\Gary\Local Settings\Temp\atiupdate.exe -> TrojanDownloader.Delf.go : Cleaned with backup
C:\Documents and Settings\Gary\Local Settings\Temp\b.com -> TrojanDropper.Agent.pb : Cleaned with backup
C:\Documents and Settings\Gary\Local Settings\Temp\mirindaspf.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\Documents and Settings\Gary\Local Settings\Temp\msshed32.exe -> TrojanDownloader.Delf.go : Cleaned with backup
C:\Documents and Settings\Gary\Local Settings\Temp\v98b.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\Program Files\BullsEye Network\bin\adv.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\Program Files\BullsEye Network\bin\adx.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\Program Files\BullsEye Network\bin\bargains.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\Program Files\CasStub\casstub.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe -> Spyware.Delfin : Cleaned with backup
C:\Program Files\Opera7\Plugins\npwthost.dll -> Spyware.WildTangent : Cleaned with backup
C:\Program Files\themexp\Themexp.org File\NNEZTA388.exe -> Spyware.NewDotNet : Cleaned with backup
C:\Program Files\themexp\Themexp.org File\TBEZA127Q.exe -> Spyware.Quick : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0193590.exe -> TrojanDownloader.Delf.go : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0193592.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194546.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194573.exe -> TrojanDownloader.Delf.go : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194574.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194575.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194576.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194577.dll -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194578.dll -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194579.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194589.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194598.exe -> TrojanDownloader.Delf.go : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194601.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194602.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194603.dll -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194604.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194605.dll -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194606.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194624.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194632.exe -> TrojanDownloader.Small.aal : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194633.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194634.exe -> TrojanDownloader.Agent.qg : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194663.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194680.dll -> Spyware.Look2Me : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194734.exe -> TrojanDownloader.Delf.go : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194735.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194736.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194737.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194738.dll -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194739.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0194740.exe -> TrojanDownloader.Delf.go : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0194742.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0194743.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0194744.dll -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0194745.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0194746.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0194755.dll -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0194771.exe -> TrojanDownloader.Delf.go : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0194777.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0194778.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0194779.dll -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0194780.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0194781.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195779.exe -> TrojanDropper.Delf.ev : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195780.exe -> TrojanDownloader.Delf.go : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195781.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195782.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195783.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195784.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195785.dll -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195791.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195817.exe -> TrojanDownloader.Delf.go : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195819.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195820.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195821.dll -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195822.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195823.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195832.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195842.exe -> TrojanDownloader.Delf.go : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195845.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195846.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195847.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195848.dll -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0196828.exe -> TrojanDownloader.Adload.a : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0196834.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0196839.exe -> TrojanDownloader.Delf.go : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0196840.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0196841.dll -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0196842.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0196843.dll -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0196844.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0197875.exe -> TrojanDownloader.Delf.go : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0197876.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0197877.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0197878.dll -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0197879.dll -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0197880.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0197881.exe -> Trojan.Delf.cf : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0197882.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0197891.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0198900.exe -> TrojanDownloader.Delf.go : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0198906.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0198907.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0198908.dll -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0198909.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0198920.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0198921.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0198922.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0198923.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0198924.dll -> Trojan.Kolweb.b : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0198928.exe -> TrojanDownloader.Delf.go : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0198941.exe -> Spyware.CashBack : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0198942.exe -> Spyware.CashBack : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0198944.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0198945.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0198946.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\cfgmgr52.dll -> Spyware.BookedSpace : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1018.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.3\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.4\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\HDPlugin1018.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\HDPlugin1019.dll -> Adware.Gator : Cleaned with backup
C:\WINDOWS\NDNuninstall6_22.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\NDNuninstall6_30.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\NDNuninstall6_38.exe -> Spyware.NewDotNet : Cleaned with backup
C:\WINDOWS\ru.exe -> Spyware.PurityScan : Cleaned with backup
C:\WINDOWS\SYSTEM\UpdInst.exe -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\0152y1m.dll -> Trojan.Kolweb.b : Cleaned with backup
C:\WINDOWS\SYSTEM32\97k9xd.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\WINDOWS\SYSTEM32\AUNPS2.dll -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\SYSTEM32\avtapi.exe -> TrojanDownloader.Agent.am : Cleaned with backup
C:\WINDOWS\SYSTEM32\bbchk.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM32\cLmocx.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\cqc.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\dasetup.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\dQd8thk.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\dwusic.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\e6f1873b.dll -> TrojanDownloader.Braidupdate.d : Cleaned with backup
C:\WINDOWS\SYSTEM32\exdl.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM32\exdl1.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM32\exdl2.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM32\exp.exe -> TrojanDownloader.Small.abd : Cleaned with backup
C:\WINDOWS\SYSTEM32\exul.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM32\exul1.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM32\id113.exe -> Trojan.SecondThought.ak : Cleaned with backup
C:\WINDOWS\SYSTEM32\in10b6s.dlltmp -> TrojanDropper.Mudrop.m : Cleaned with backup
C:\WINDOWS\SYSTEM32\iqitpki.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\izvideo.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\javexulm.vxd -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM32\lcbfaac.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\mirindaspf.exe -> Trojan.Kolweb.b : Cleaned with backup
C:\WINDOWS\SYSTEM32\mnvfw32.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\mqwmdmsp.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\msbe.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM32\msshed32.exe -> TrojanDownloader.Delf.go : Cleaned with backup
C:\WINDOWS\SYSTEM32\ngbfx.dll -> Trojan.Kolweb.b : Cleaned with backup
C:\WINDOWS\SYSTEM32\nsvsvc\nsv.ocx -> Spyware.Delfin : Cleaned with backup
C:\WINDOWS\SYSTEM32\nsvsvc\nsvs.dll -> Spyware.Delfin : Cleaned with backup
C:\WINDOWS\SYSTEM32\nsvsvc\nsvsvc.exe -> Spyware.Delfin : Cleaned with backup
C:\WINDOWS\SYSTEM32\qd776.exe -> Trojan.Delf.cf : Cleaned with backup
C:\WINDOWS\SYSTEM32\redit.cpl -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\SYSTEM32\SHAgentNew.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\SYSTEM32\shpdate.dll -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\SYSTEM32\skytown.exe -> TrojanSpy.VB.eh : Cleaned with backup
C:\WINDOWS\SYSTEM32\supdate.dll -> TrojanDownloader.Qoologic.p : Cleaned with backup
C:\WINDOWS\SYSTEM32\TVM_B5_Bundle_34.EXE -> TrojanDownloader.Small.wk : Cleaned with backup
C:\WINDOWS\SYSTEM32\v98b.sys -> Trojan.Kolweb.b : Cleaned with backup
C:\WINDOWS\SYSTEM32\vidctrl\vidctrl.exe -> Spyware.DelphinMediaViewer : Cleaned with backup
C:\WINDOWS\SYSTEM32\wintask.exe -> TrojanDownloader.Small.abd : Cleaned with backup
C:\WINDOWS\Temp\b.com -> TrojanDropper.Agent.pb : Cleaned with backup
C:\WINDOWS\Temp\f1498296.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\WINDOWS\Temp\f1947312.exe -> TrojanDownloader.Qoologic.u : Cleaned with backup
C:\WINDOWS\Temp\MediaAccessInstPack.exe -> Spyware.WinAD : Cleaned with backup
C:\WINDOWS\Temp\upd207.exe -> Spyware.Look2Me : Cleaned with backup
C:\WINDOWS\update13.js -> Spyware.Hijacker.Generic : Cleaned with backup
C:\WINDOWS\v98b.sys -> Trojan.Kolweb.b : Cleaned with backup

::Report End

-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Wednesday, July 13, 2005 16:37:48
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 13/07/2005
Kaspersky Anti-Virus database records: 130514
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 89669
Number of viruses found: 36
Number of infected objects: 204
Number of suspicious objects: 100
Duration of the scan process: 14332 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Setup\Setup.dll Infected: Trojan.Win32.StartPage.ku
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ipan.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\Documents and Settings\Gary\Local Settings\Temp\atiupdate.exe Infected: Trojan-Downloader.Win32.Delf.go
C:\Documents and Settings\Gary\Local Settings\Temp\b.com Infected: Trojan-Dropper.Win32.Agent.pb
C:\Documents and Settings\Gary\Local Settings\Temp\mirindaspf.exe Infected: Trojan.Win32.Kolweb.b
C:\Documents and Settings\Gary\Local Settings\Temp\msshed32.exe Infected: Trojan-Downloader.Win32.Delf.go
C:\Documents and Settings\Gary\Local Settings\Temp\v98b.sys Infected: Trojan.Win32.Kolweb.b
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\8R1T34WX\deliver46860[10].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\8R1T34WX\deliver46860[11].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\8R1T34WX\deliver46860[12].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\8R1T34WX\deliver46860[13].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\8R1T34WX\deliver46860[14].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\8R1T34WX\deliver46860[15].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\8R1T34WX\deliver46860[17].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\8R1T34WX\deliver46860[18].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\8R1T34WX\deliver46860[19].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\8R1T34WX\deliver46860[1].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\8R1T34WX\deliver46860[20].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\8R1T34WX\deliver46860[21].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\8R1T34WX\deliver46860[22].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\8R1T34WX\deliver46860[23].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\8R1T34WX\deliver46860[24].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\8R1T34WX\deliver46860[2].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\8R1T34WX\deliver46860[3].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\8R1T34WX\deliver46860[4].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\8R1T34WX\sia[1].txt/index.exe Infected: Trojan-Dropper.Win32.Delf.ev
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\8R1T34WX\sia[1].txt/index.htm Infected: Trojan-Downloader.VBS.Psyme.a
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\8R1T34WX\sia[1].txt Infected: Trojan-Downloader.VBS.Psyme.a
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\R1K3M5XG\deliver46860[10].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\R1K3M5XG\deliver46860[11].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\R1K3M5XG\deliver46860[13].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\R1K3M5XG\deliver46860[14].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\R1K3M5XG\deliver46860[15].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\R1K3M5XG\deliver46860[16].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\R1K3M5XG\deliver46860[17].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\R1K3M5XG\deliver46860[18].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\R1K3M5XG\deliver46860[19].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\R1K3M5XG\deliver46860[1].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\R1K3M5XG\deliver46860[20].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\R1K3M5XG\deliver46860[21].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\R1K3M5XG\deliver46860[22].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\R1K3M5XG\deliver46860[2].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\R1K3M5XG\deliver46860[3].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\R1K3M5XG\deliver46860[7].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\R1K3M5XG\deliver46860[8].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\RTPITK5J\deliver46860[10].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\RTPITK5J\deliver46860[11].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\RTPITK5J\deliver46860[12].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\RTPITK5J\deliver46860[13].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\RTPITK5J\deliver46860[14].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\RTPITK5J\deliver46860[15].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\RTPITK5J\deliver46860[18].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\RTPITK5J\deliver46860[1].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\RTPITK5J\deliver46860[22].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\RTPITK5J\deliver46860[23].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\RTPITK5J\deliver46860[24].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\RTPITK5J\deliver46860[25].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\RTPITK5J\deliver46860[26].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\RTPITK5J\deliver46860[27].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\RTPITK5J\deliver46860[28].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\RTPITK5J\deliver46860[29].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\RTPITK5J\deliver46860[2].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\RTPITK5J\deliver46860[30].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\RTPITK5J\deliver46860[31].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\RTPITK5J\deliver46860[32].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\RTPITK5J\deliver46860[33].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\RTPITK5J\deliver46860[34].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\RTPITK5J\deliver46860[35].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\RTPITK5J\deliver46860[36].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\RTPITK5J\deliver46860[37].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\RTPITK5J\deliver46860[39].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\RTPITK5J\deliver46860[3].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\RTPITK5J\deliver46860[4].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\RTPITK5J\deliver46860[5].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\RTPITK5J\deliver46860[8].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\RTPITK5J\deliver46860[9].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[10].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[11].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[12].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[13].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[14].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[15].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[16].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[17].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[18].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[19].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[1].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[20].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[21].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[22].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[23].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[24].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[25].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[26].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[27].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[28].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[29].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[30].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[31].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[32].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[33].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[34].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[35].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[36].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[4].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[5].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[6].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[7].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[8].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\Local Settings\Temporary Internet Files\Content.IE5\U9JG00E2\deliver46860[9].htm Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Gary\My Documents\ChDragon.exe/WISE0023.BIN Infected: Trojan-Dropper.Win32.Small.jh
C:\Documents and Settings\Gary\My Documents\ChDragon.exe Infected: Trojan-Dropper.Win32.Small.jh
C:\Program Files\CasStub\casstub.exe Infected: Trojan-Downloader.Win32.Agent.qg
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\02993FA5.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0A1B341A.dll Infected: Backdoor.Win32.Netbus
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0A325A00.exe Infected: Backdoor.Win32.SubSeven.22
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0B132B08.exe Infected: Backdoor.Win32.SubSeven.22
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0B5055E1.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0B621AB2.exe Infected: Backdoor.Win32.Netbus.170
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0F4A1080.exe Infected: Backdoor.Win32.SubSeven.22.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\166A627B.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\16E011E0.exe Infected: Backdoor.Win32.SubSeven.22.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\192602C0.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\192602C0.exe Infected: Backdoor.Win32.SubSeven.22.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\253B0813.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\28B71357.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3A7C6EFA.dll Infected: Backdoor.Win32.SubSeven.22.b2
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3EB571D2.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\40642FEA.exe Infected: Backdoor.Win32.Netbus.170
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\40AC4B9B.exe Infected: Backdoor.Win32.Netbus.170
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\41711217.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\447B3283.exe Infected: Backdoor.Win32.Netbus.170
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\45471E92.exe Infected: Backdoor.Win32.Netbus.170
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\458777E2.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\45E800BB.cgi Infected: Backdoor.Win32.SubSeven.22.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\45E800BB.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\45E800BB.exe Infected: Backdoor.Win32.SubSeven.22.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\45EC2AB7.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\45EC2AB7.exe Infected: Backdoor.Win32.SubSeven.22
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\45EF54B4.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\46D779B5.cgi Infected: Backdoor.Win32.SubSeven.22.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\46D779B5.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\46D779B5.exe Infected: Backdoor.Win32.SubSeven.22.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\46DA23B1.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\46DD4DAD.dll Infected: Backdoor.Win32.SubSeven.22.b2
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\46E177AA.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\46E421A6.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\46E421A6.exe Infected: Backdoor.Win32.SubSeven.22
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4E2C299B.exe Infected: Backdoor.Win32.Netbus.170
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\5F0B571A.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\5F5E7DCD.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\5F732A14.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\5F732A14.exe Infected: Backdoor.Win32.SubSeven.22.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\5FB60930 Infected: Backdoor.Win32.Netbus.170
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\76704B14.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7A227CEA.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7AFC56F6.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7FBF19E2.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\SDProtectorBasic\SDProtectorStd.exe Infected: Backdoor.Win32.Dragonbot.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0193590.exe Infected: Trojan-Downloader.Win32.Delf.go
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0193592.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194573.exe Infected: Trojan-Downloader.Win32.Delf.go
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194574.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194575.sys Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194576.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194577.dll Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194578.dll Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194579.sys Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194598.exe Infected: Trojan-Downloader.Win32.Delf.go
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194601.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194602.sys Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194603.dll Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194604.sys Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194605.dll Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194606.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194624.exe Infected: Trojan-Downloader.Win32.Agent.qg
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194632.exe Infected: Trojan-Downloader.Win32.Small.aal
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194634.exe Infected: Trojan-Downloader.Win32.Agent.qg
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194734.exe Infected: Trojan-Downloader.Win32.Delf.go
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194735.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194736.sys Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194737.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194738.dll Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP479\A0194739.sys Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0194740.exe Infected: Trojan-Downloader.Win32.Delf.go
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0194742.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0194743.sys Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0194744.dll Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0194745.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0194746.sys Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0194755.dll Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0194771.exe Infected: Trojan-Downloader.Win32.Delf.go
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0194777.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0194778.sys Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0194779.dll Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0194780.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0194781.sys Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195779.exe Infected: Trojan-Dropper.Win32.Delf.ev
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195780.exe Infected: Trojan-Downloader.Win32.Delf.go
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195781.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195782.sys Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195783.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195784.sys Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195785.dll Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195791.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195817.exe Infected: Trojan-Downloader.Win32.Delf.go
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195819.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195820.sys Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195821.dll Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195822.sys Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195823.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195832.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195842.exe Infected: Trojan-Downloader.Win32.Delf.go
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195845.sys Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195846.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195847.sys Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0195848.dll Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0196828.exe Infected: Trojan-Downloader.Win32.Adload.a
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0196834.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0196839.exe Infected: Trojan-Downloader.Win32.Delf.go
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0196840.sys Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0196841.dll Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0196842.sys Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0196843.dll Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0196844.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0197875.exe Infected: Trojan-Downloader.Win32.Delf.go
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0197876.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0197877.sys Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0197878.dll Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0197879.dll Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0197880.sys Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0197881.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0197882.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0197891.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0198900.exe Infected: Trojan-Downloader.Win32.Delf.go
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0198906.sys Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0198907.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0198908.dll Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP480\A0198909.sys Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0198920.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0198921.sys Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0198922.exe Infected: Trojan.Win32.Kolweb.b
C:

#4
centrus

Posted 13 July 2005 - 05:44 PM

Member

Topic Starter
Member
10 posts

o, i guess it cut off part of the kaspersky scan.. heres the rest of it including the hijackthis logs

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0198923.sys Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0198924.dll Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0198928.exe Infected: Trojan-Downloader.Win32.Delf.go
C:\WINDOWS\SYSTEM32\0152y1m.dll Infected: Trojan.Win32.Kolweb.b
C:\WINDOWS\SYSTEM32\97k9xd.exe Infected: Trojan.Win32.Kolweb.b
C:\WINDOWS\SYSTEM32\AUNPS2.dll Infected: Trojan-Clicker.Win32.Small.ez
C:\WINDOWS\SYSTEM32\avtapi.exe Infected: Trojan-Downloader.Win32.Agent.am
C:\WINDOWS\SYSTEM32\e6f1873b.dll Infected: Trojan-Downloader.Win32.Braidupdate.d
C:\WINDOWS\SYSTEM32\exp.exe Infected: Trojan-Downloader.Win32.Small.abd
C:\WINDOWS\SYSTEM32\id113.exe Infected: Trojan-Downloader.Win32.SecondThought.ah
C:\WINDOWS\SYSTEM32\iokrpor.dll Infected: Trojan-Downloader.Win32.Qoologic.s
C:\WINDOWS\SYSTEM32\kbupa.dat Infected: Trojan-Downloader.Win32.Qoologic.u
C:\WINDOWS\SYSTEM32\mirindaspd.exe Infected: Trojan.Win32.Kolweb.a
C:\WINDOWS\SYSTEM32\mirindaspf.exe Infected: Trojan.Win32.Kolweb.b
C:\WINDOWS\SYSTEM32\mirindaspg.exe Infected: Trojan.Win32.Kolweb.b
C:\WINDOWS\SYSTEM32\mrabnrb.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\WINDOWS\SYSTEM32\msshed32.exe Infected: Trojan-Downloader.Win32.Delf.go
C:\WINDOWS\SYSTEM32\ngbfx.dll Infected: Trojan.Win32.Kolweb.b
C:\WINDOWS\SYSTEM32\pnarjn.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\WINDOWS\SYSTEM32\qd776.exe Infected: Trojan.Win32.Kolweb.b
C:\WINDOWS\SYSTEM32\redit.cpl Infected: Trojan-Downloader.Win32.Qoologic.p
C:\WINDOWS\SYSTEM32\skytown.exe Infected: Trojan-Spy.Win32.VB.eh
C:\WINDOWS\SYSTEM32\sqkuw.dll Infected: Trojan-Downloader.Win32.Qoologic.t
C:\WINDOWS\SYSTEM32\supdate.dll Infected: Trojan-Downloader.Win32.Qoologic.p
C:\WINDOWS\SYSTEM32\TVM_B5_Bundle_34.EXE Infected: Trojan-Downloader.Win32.Small.wk
C:\WINDOWS\SYSTEM32\v98b.sys Infected: Trojan.Win32.Kolweb.b
C:\WINDOWS\SYSTEM32\wintask.exe Infected: Trojan-Downloader.Win32.Small.abd
C:\WINDOWS\Temp\b.com Infected: Trojan-Dropper.Win32.Agent.pb
C:\WINDOWS\Temp\Del17.tmp Infected: Trojan-Downloader.Win32.Small.asf
C:\WINDOWS\Temp\f1498296.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\WINDOWS\Temp\f1947312.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\WINDOWS\update13.js Infected: Trojan.JS.StartPage.a
C:\WINDOWS\v98b.sys Infected: Trojan.Win32.Kolweb.b
G:\McAfee Anti-Virus 2005 with serial.exe/data0003 Infected: Trojan-Downloader.Win32.IstBar.gen
G:\McAfee Anti-Virus 2005 with serial.exe Infected: Trojan-Downloader.Win32.IstBar.gen

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 4:40:45 PM, on 7/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\WINDOWS\System32\pnarjn.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Java\jre1.5.0_01\bin\javaw.exe
C:\Documents and Settings\Gary\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Gary\Application Data\Mozilla\Profiles\default\s1jivp5f.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\pnarjn.exe reg_run
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM32\hkcmd.exe
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKCU\..\Run: [avtapi] C:\WINDOWS\System32\avtapi.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\mvjtes40.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

AC Tool 4.6.2 Install
AC3Filter (remove only)
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe After Effects 6.5
Adobe MPEG Encoder
Adobe Photoshop CS
Adobe Premiere 6.5
Adobe Reader 6.0.1
Adobe SVG Viewer 3.0
Advanced RealMedia Export Plug-in for Premiere 6.0
AMIP (remove only)
AOL Instant Messenger
ArcSoft Software Suite
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
ATI HydraVision
AviSynth 2.5
Azureus
BitTornado 0.2.0
BitTorrent 3.4.2
BootXPv2 Uninstall
Brothers In Arms
BTeasy 0.2.1.5
BulletProof FTP Server (remove only)
Camouflage
CC_ccProxyMSI
CC_ccStart
ccCommon
CD-DA X-Tractor v0.24
Cheating-Death 4.31.0
CleanUp!
Click_App 1.0
Counter-Strike Source
dBpowerAMP Monkeys Audio Codec
dBpowerAMP Mp4 & AAC Decode Codec
dBpowerAMP Musepack Codec
dBpowerAMP Music Converter
dBpowerAMP Ogg Vorbis Codec
dBpowerAMP WMA V9 Codec
DeadAIM
Dell Digital Jukebox Driver
Dell Media Experience
Dell Solution Center
Dell Support
Dell Support 5.0.0 (766)
Direct Show Ogg Vorbis Filter (remove only)
DirectShow subtitle filter colleciton (remove only)
DivX
DivX Player
D-Link AirPlus
Doom 3
ewido security suite
Fast Audio Converter version 0.95
Fraps
GameSpy Arcade
GCFScape 1.2.5
Guild Wars
HijackThis 1.99.1
HP Memories Disc
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 2100 series
hp psc 2100 series
Huffyuv AVI lossless video codec (Remove Only)
Intel® Extreme Graphics Driver
Intel® PRO Network Adapters and Drivers
Intel® PROSet
Internet Explorer Default Page
J2SE Runtime Environment 5.0 Update 1
Jasc Paint Shop Photo Album
Jasc Paint Shop Pro 8 Dell Edition
Java 2 Runtime Environment, SE v1.4.1_02
Java 2 Runtime Environment, SE v1.4.2
Java Web Start
jetAudio
KAA Playback Pack
Kaspersky Anti-Virus Web Scanner
Kazaa Lite K++ v2.4.3
K-Lite Codec Pack 2.34 Full
LiveReg (Symantec Corporation)
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Fireworks MX 2004
Macromedia Flash Player
Matroska Pack (remove only)
MaxBlast 3
Microsoft .NET Framework 1.1
Microsoft Encarta Encyclopedia Standard 2004
Microsoft Halo
Microsoft Money 2004
Microsoft Money 2004 System Pack
Microsoft NetShow Player 2.0
Microsoft Office XP Professional with FrontPage
Microsoft Windows Media Video 9 VCM
mIRC
Mozilla Firefox (1.0PR)
MSN Messenger 7.0
MSN Music Assistant
MSRedist
MSXML 4.0 SP2 Parser and SDK
MySQL Servers and Clients 3.23.52
Natural Selection 3.0
Nero Suite
Netscape (7.2)
Nikon View 6
NJStar Communicator
Norton AntiSpam
Norton AntiSpam
Norton AntiVirus
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Opera
PowerDVD
QuickTime
RealOne Player
RegScrubXP 3.25
SDProtector Basic Edition v1.12
Shockwave
SHOUTcast DNAS (remove only)
SHOUTcast Source DSP 1.8.2 (remove only)
SINfo v1 Beta *3*
SmartFTP
Sony USB Driver
Sony Vegas 5.0a
Spybot - Search & Destroy 1.3
SpywareBlaster v3.4
SqrSoft® Advanced Crossfading (remove only)
Star Wars Republic Commando Demo
Starcraft
Steam
StepVoice Recorder 1.4
StuffIt Standard
Sven Co-op 3.0
Symantec Script Blocking Installer
SysMetrix 3.20
TeamSpeak 2 RC2
The Core Media Player 4.0
Themexp.org File
TightVNC 1.2.9
Tom Clancy's Rainbow Six 3: Raven Shield 1.60.412
Undisker
Universal Media Player
Ventrilo
VideoLAN VLC media player 0.8.0
Viewpoint Media Player
VobSub v2.23 (Remove Only)
Winamp (remove only)
WindowBlinds
Windows Media Format Runtime
Windows Media Player 10
WinPatrol
WinRAR archiver
XPlite PROFESSIONAL
XviD MPEG-4 Video Codec
Yahoo! Address AutoComplete
Yahoo! Messenger Explorer Bar
Zoom Player (remove only)

#5
Buckeye_Sam

Posted 13 July 2005 - 05:54 PM

Malware Expert

Member
10,019 posts

Great job posting all that info! :tazz:

The scans cleaned up a lot. But they also pointed out an infection that we will have to deal with in a different way.

Download L2mfix from one of these two locations:

http://www.atribune....oads/l2mfix.exe
http://www.downloads....org/l2mfix.exe

Save the file to your desktop and double click l2mfix.exe. Click the Install button to extract the files and follow the prompts, then open the newly added l2mfix folder on your desktop. Double click l2mfix.bat and select option #1 for Run Find Log by typing 1 and then pressing enter. This will scan your computer and it may appear nothing is happening, then, after a minute or 2, notepad will open with a log. Copy the contents of that log and paste it into this thread.

IMPORTANT: Do NOT run option #2 OR any other files in the l2mfix folder until you are asked to do so!

#6
centrus

Posted 13 July 2005 - 06:11 PM

Member

Topic Starter
Member
10 posts

here it is:

L2MFIX find log 1.03
These are the registry keys present
**********************************************************************************
Winlogon/notify:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\MCD]
"Asynchronous"=dword:00000000
"DllName"="C:\\WINDOWS\\system32\\mvjtes40.dll"
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB]
"Asynchronous"=dword:00000000
"DllName"="C:\\PROGRA~1\\Stardock\\OBJECT~1\\WINDOW~1\\fastload.dll"
"Startup"="StartSys"
"Logon"="StartWB"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

**********************************************************************************
useragent:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{1584B9BE-1823-1084-4360-913AFA598992}"=""

**********************************************************************************
Shell Extension key:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{00022613-0000-0000-C000-000000000046}"="Multimedia File Property Sheet"
"{176d6597-26d3-11d1-b350-080036a75b03}"="ICM Scanner Management"
"{1F2E5C40-9550-11CE-99D2-00AA006E086C}"="NTFS Security Page"
"{3EA48300-8CF6-101B-84FB-666CCB9BCD32}"="OLE Docfile Property Page"
"{40dd6e20-7c17-11ce-a804-00aa003ca9f6}"="Shell extensions for sharing"
"{41E300E0-78B6-11ce-849B-444553540000}"="PlusPack CPL Extension"
"{42071712-76d4-11d1-8b24-00a0c9068ff3}"="Display Adapter CPL Extension"
"{42071713-76d4-11d1-8b24-00a0c9068ff3}"="Display Monitor CPL Extension"
"{42071714-76d4-11d1-8b24-00a0c9068ff3}"="Display Panning CPL Extension"
"{4E40F770-369C-11d0-8922-00A024AB2DBB}"="DS Security Page"
"{513D916F-2A8E-4F51-AEAB-0CBC76FB1AF8}"="Compatibility Page"
"{56117100-C0CD-101B-81E2-00AA004AE837}"="Shell Scrap DataHandler"
"{59099400-57FF-11CE-BD94-0020AF85B590}"="Disk Copy Extension"
"{59be4990-f85c-11ce-aff7-00aa003ca9f6}"="Shell extensions for Microsoft Windows Network objects"
"{5DB2625A-54DF-11D0-B6C4-0800091AA605}"="ICM Monitor Management"
"{675F097E-4C4D-11D0-B6C1-0800091AA605}"="ICM Printer Management"
"{764BF0E1-F219-11ce-972D-00AA00A14F56}"="Shell extensions for file compression"
"{77597368-7b15-11d0-a0c2-080036af3f03}"="Web Printer Shell Extension"
"{7988B573-EC89-11cf-9C00-00AA00A14F56}"="Disk Quota UI"
"{853FE2B1-B769-11d0-9C4E-00C04FB6C6FA}"="Encryption Context Menu"
"{85BBD920-42A0-1069-A2E4-08002B30309D}"="Briefcase"
"{88895560-9AA2-1069-930E-00AA0030EBC8}"="HyperTerminal Icon Ext"
"{BD84B380-8CA2-1069-AB1D-08000948F534}"="Fonts"
"{DBCE2480-C732-101B-BE72-BA78E9AD5B27}"="ICC Profile"
"{F37C5810-4D3F-11d0-B4BF-00AA00BBB723}"="Printers Security Page"
"{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6}"="Shell extensions for sharing"
"{f92e8c40-3d33-11d2-b1aa-080036a75b03}"="Display TroubleShoot CPL Extension"
"{7444C717-39BF-11D1-8CD9-00C04FC29D45}"="Crypto PKO Extension"
"{7444C719-39BF-11D1-8CD9-00C04FC29D45}"="Crypto Sign Extension"
"{7007ACC7-3202-11D1-AAD2-00805FC1270E}"="Network Connections"
"{992CFFA0-F557-101A-88EC-00DD010CCC48}"="Network Connections"
"{E211B736-43FD-11D1-9EFB-0000F8757FCD}"="Scanners & Cameras"
"{FB0C9C8A-6C50-11D1-9F1D-0000F8757FCD}"="Scanners & Cameras"
"{905667aa-acd6-11d2-8080-00805f6596d2}"="Scanners & Cameras"
"{3F953603-1008-4f6e-A73A-04AAC7A992F1}"="Scanners & Cameras"
"{83bbcbf3-b28a-4919-a5aa-73027445d672}"="Scanners & Cameras"
"{F0152790-D56E-4445-850E-4F3117DB740C}"="Remote Sessions CPL Extension"
"{60254CA5-953B-11CF-8C96-00AA00B8708C}"="Shell extensions for Windows Script Host"
"{2206CDB2-19C1-11D1-89E0-00C04FD7A829}"="Microsoft Data Link"
"{DD2110F0-9EEF-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Icon Handler"
"{797F1E90-9EDD-11cf-8D8E-00AA0060F5BF}"="Tasks Folder Shell Extension"
"{D6277990-4C6A-11CF-8D87-00AA0060F5BF}"="Scheduled Tasks"
"{0DF44EAA-FF21-4412-828E-260A8728E7F1}"="Taskbar and Start Menu"
"{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}"="Search"
"{2559a1f1-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}"="Help and Support"
"{2559a1f3-21d7-11d4-bdaf-00c04f60b9f0}"="Run..."
"{2559a1f4-21d7-11d4-bdaf-00c04f60b9f0}"="Internet"
"{2559a1f5-21d7-11d4-bdaf-00c04f60b9f0}"="E-mail"
"{D20EA4E1-3957-11d2-A40B-0C5020524152}"="Fonts"
"{D20EA4E1-3957-11d2-A40B-0C5020524153}"="Administrative Tools"
"{875CB1A1-0F29-45de-A1AE-CFB4950D0B78}"="Audio Media Properties Handler"
"{40C3D757-D6E4-4b49-BB41-0E5BBEA28817}"="Video Media Properties Handler"
"{E4B29F9D-D390-480b-92FD-7DDB47101D71}"="Wav Properties Handler"
"{87D62D94-71B3-4b9a-9489-5FE6850DC73E}"="Avi Properties Handler"
"{A6FD9E45-6E44-43f9-8644-08598F5A74D9}"="Midi Properties Handler"
"{c5a40261-cd64-4ccf-84cb-c394da41d590}"="Video Thumbnail Extractor"
"{5E6AB780-7743-11CF-A12B-00AA004AE837}"="Microsoft Internet Toolbar"
"{22BF0C20-6DA7-11D0-B373-00A0C9034938}"="Download Status"
"{91EA3F8B-C99B-11d0-9815-00C04FD91972}"="Augmented Shell Folder"
"{6413BA2C-B461-11d1-A18A-080036B11A03}"="Augmented Shell Folder 2"
"{F61FFEC1-754F-11d0-80CA-00AA005B4383}"="BandProxy"
"{7BA4C742-9E81-11CF-99D3-00AA004AE837}"="Microsoft BrowserBand"
"{30D02401-6A81-11d0-8274-00C04FD5AE38}"="Search Band"
"{32683183-48a0-441b-a342-7c2a440a9478}"="Media Band"
"{169A0691-8DF9-11d1-A1C4-00C04FD75D13}"="In-pane search"
"{07798131-AF23-11d1-9111-00A0C98BA67D}"="Web Search"
"{AF4F6510-F982-11d0-8595-00AA004CD6D8}"="Registry Tree Options Utility"
"{01E04581-4EEE-11d0-BFE9-00AA005B4383}"="&Address"
"{A08C11D2-A228-11d0-825B-00AA005B4383}"="Address EditBox"
"{00BB2763-6A77-11D0-A535-00C04FD7D062}"="Microsoft AutoComplete"
"{7376D660-C583-11d0-A3A5-00C04FD706EC}"="TridentImageExtractor"
"{6756A641-DE71-11d0-831B-00AA005B4383}"="MRU AutoComplete List"
"{6935DB93-21E8-4ccc-BEB9-9FE3C77A297A}"="Custom MRU AutoCompleted List"
"{7e653215-fa25-46bd-a339-34a2790f3cb7}"="Accessible"
"{acf35015-526e-4230-9596-becbe19f0ac9}"="Track Popup Bar"
"{E0E11A09-5CB8-4B6C-8332-E00720A168F2}"="Address Bar Parser"
"{00BB2764-6A77-11D0-A535-00C04FD7D062}"="Microsoft History AutoComplete List"
"{03C036F1-A186-11D0-824A-00AA005B4383}"="Microsoft Shell Folder AutoComplete List"
"{00BB2765-6A77-11D0-A535-00C04FD7D062}"="Microsoft Multiple AutoComplete List Container"
"{ECD4FC4E-521C-11D0-B792-00A0C90312E1}"="Shell Band Site Menu"
"{3CCF8A41-5C85-11d0-9796-00AA00B90ADF}"="Shell DeskBarApp"
"{ECD4FC4C-521C-11D0-B792-00A0C90312E1}"="Shell DeskBar"
"{ECD4FC4D-521C-11D0-B792-00A0C90312E1}"="Shell Rebar BandSite"
"{DD313E04-FEFF-11d1-8ECD-0000F87A470C}"="User Assist"
"{EF8AD2D1-AE36-11D1-B2D2-006097DF8C11}"="Global Folder Settings"
"{EFA24E61-B078-11d0-89E4-00C04FC9E26E}"="Favorites Band"
"{0A89A860-D7B1-11CE-8350-444553540000}"="Shell Automation Inproc Service"
"{E7E4BC40-E76A-11CE-A9BB-00AA004AE837}"="Shell DocObject Viewer"
"{A5E46E3A-8849-11D1-9D8C-00C04FC99D61}"="Microsoft Browser Architecture"
"{FBF23B40-E3F0-101B-8488-00AA003E56F8}"="InternetShortcut"
"{3C374A40-BAE4-11CF-BF7D-00AA006946EE}"="Microsoft Url History Service"
"{FF393560-C2A7-11CF-BFF4-444553540000}"="History"
"{7BD29E00-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{7BD29E01-76C1-11CF-9DD0-00A0C9034933}"="Temporary Internet Files"
"{CFBFAE00-17A6-11D0-99CB-00C04FD64497}"="Microsoft Url Search Hook"
"{A2B0DD40-CC59-11d0-A3A5-00C04FD706EC}"="IE4 Suite Splash Screen"
"{67EA19A0-CCEF-11d0-8024-00C04FD75D13}"="CDF Extension Copy Hook"
"{131A6951-7F78-11D0-A979-00C04FD705A2}"="ISFBand OC"
"{9461b922-3c5a-11d2-bf8b-00c04fb93661}"="Search Assistant OC"
"{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}"="The Internet"
"{871C5380-42A0-1069-A2EA-08002B30309D}"="Internet Name Space"
"{EFA24E64-B078-11d0-89E4-00C04FC9E26E}"="Explorer Band"
"{9E56BE60-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{9E56BE61-C50F-11CF-9A2C-00A0C90A90CE}"="Sendmail service"
"{88C6C381-2E85-11D0-94DE-444553540000}"="ActiveX Cache Folder"
"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"="WebCheck"
"{ABBE31D0-6DAE-11D0-BECA-00C04FD940BE}"="Subscription Mgr"
"{F5175861-2688-11d0-9C5E-00AA00A45957}"="Subscription Folder"
"{08165EA0-E946-11CF-9C87-00AA005127ED}"="WebCheckWebCrawler"
"{E3A8BDE6-ABCE-11d0-BC4B-00C04FD929DB}"="WebCheckChannelAgent"
"{E8BB6DC0-6B4E-11d0-92DB-00A0C90C2BD7}"="TrayAgent"
"{7D559C10-9FE9-11d0-93F7-00AA0059CE02}"="Code Download Agent"
"{E6CC6978-6B6E-11D0-BECA-00C04FD940BE}"="ConnectionAgent"
"{D8BD2030-6FC9-11D0-864F-00AA006809D9}"="PostAgent"
"{7FC0B86E-5FA7-11d1-BC7C-00C04FD929DB}"="WebCheck SyncMgr Handler"
"{352EC2B7-8B9A-11D1-B8AE-006008059382}"="Shell Application Manager"
"{0B124F8F-91F0-11D1-B8B5-006008059382}"="Installed Apps Enumerator"
"{CFCCC7A0-A282-11D1-9082-006008059382}"="Darwin App Publisher"
"{e84fda7c-1d6a-45f6-b725-cb260c236066}"="Shell Image Verbs"
"{66e4e4fb-f385-4dd0-8d74-a2efd1bc6178}"="Shell Image Data Factory"
"{3F30C968-480A-4C6C-862D-EFC0897BB84B}"="GDI+ file thumbnail extractor"
"{9DBD2C50-62AD-11d0-B806-00C04FD706EC}"="Summary Info Thumbnail handler (DOCFILES)"
"{EAB841A0-9550-11cf-8C16-00805F1408F3}"="HTML Thumbnail Extractor"
"{eb9b1153-3b57-4e68-959a-a3266bc3d7fe}"="Shell Image Property Handler"
"{CC6EEFFB-43F6-46c5-9619-51D571967F7D}"="Web Publishing Wizard"
"{add36aa8-751a-4579-a266-d66f5202ccbb}"="Print Ordering via the Web"
"{6b33163c-76a5-4b6c-bf21-45de9cd503a1}"="Shell Publishing Wizard Object"
"{58f1f272-9240-4f51-b6d4-fd63d1618591}"="Get a Passport Wizard"
"{7A9D77BD-5403-11d2-8785-2E0420524153}"="User Accounts"
"{BD472F60-27FA-11cf-B8B4-444553540000}"="Compressed (zipped) Folder Right Drag Handler"
"{888DCA60-FC0A-11CF-8F0F-00C04FD7D062}"="Compressed (zipped) Folder SendTo Target"
"{63da6ec0-2e98-11cf-8d82-444553540000}"="FTP Folders Webview"
"{883373C3-BF89-11D1-BE35-080036B11A03}"="Microsoft DocProp Shell Ext"
"{A9CF0EAE-901A-4739-A481-E35B73E47F6D}"="Microsoft DocProp Inplace Edit Box Control"
"{8EE97210-FD1F-4B19-91DA-67914005F020}"="Microsoft DocProp Inplace ML Edit Box Control"
"{0EEA25CC-4362-4A12-850B-86EE61B0D3EB}"="Microsoft DocProp Inplace Droplist Combo Control"
"{6A205B57-2567-4A2C-B881-F787FAB579A3}"="Microsoft DocProp Inplace Calendar Control"
"{28F8A4AC-BBB3-4D9B-B177-82BFC914FA33}"="Microsoft DocProp Inplace Time Control"
"{8A23E65E-31C2-11d0-891C-00A024AB2DBB}"="Directory Query UI"
"{9E51E0D0-6E0F-11d2-9601-00C04FA31A86}"="Shell properties for a DS object"
"{163FDC20-2ABC-11d0-88F0-00A024AB2DBB}"="Directory Object Find"
"{F020E586-5264-11d1-A532-0000F8757D7E}"="Directory Start/Search Find"
"{0D45D530-764B-11d0-A1CA-00AA00C16E65}"="Directory Property UI"
"{62AE1F9A-126A-11D0-A14B-0800361B1103}"="Directory Context Menu Verbs"
"{ECF03A33-103D-11d2-854D-006008059367}"="MyDocs Copy Hook"
"{ECF03A32-103D-11d2-854D-006008059367}"="MyDocs Drop Target"
"{4a7ded0a-ad25-11d0-98a8-0800361b1103}"="MyDocs Properties"
"{750fdf0e-2a26-11d1-a3ea-080036587f03}"="Offline Files Menu"
"{10CFC467-4392-11d2-8DB4-00C04FA31A66}"="Offline Files Folder Options"
"{AFDB1F70-2A4C-11d2-9039-00C04F8EEB3E}"="Offline Files Folder"
"{143A62C8-C33B-11D1-84FE-00C04FA34A14}"="Microsoft Agent Character Property Sheet Handler"
"{ECCDF543-45CC-11CE-B9BF-0080C87CDBA6}"="DfsShell"
"{60fd46de-f830-4894-a628-6fa81bc0190d}"="%DESC_PublishDropTarget%"
"{7A80E4A8-8005-11D2-BCF8-00C04F72C717}"="MMC Icon Handler"
"{0CD7A5C0-9F37-11CE-AE65-08002B2E1262}"=".CAB file viewer"
"{32714800-2E5F-11d0-8B85-00AA0044F941}"="For &People..."
"{8DD448E6-C188-4aed-AF92-44956194EB1F}"="Windows Media Player Play as Playlist Context Menu Handler"
"{CE3FB1D1-02AE-4a5f-A6E9-D9F1B4073E6C}"="Windows Media Player Burn Audio CD Context Menu Handler"
"{F1B9284F-E9DC-4e68-9D7E-42362A59F0FD}"="Windows Media Player Add to Playlist Context Menu Handler"
"{1D2680C9-0E2A-469d-B787-065558BC7D43}"="Fusion Cache"
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}"="Shell Extensions for RealOne Player"
"{BDEADF00-C265-11D0-BCED-00A0C90AB50F}"="Web Folders"
"{0006F045-0000-0000-C000-000000000046}"="Microsoft Outlook Custom Icon Handler"
"{42042206-2D85-11D3-8CFF-005004838597}"="Microsoft Office HTML Icon Handler"
"{f39a0dc0-9cc8-11d0-a599-00c04fd64433}"="Channel File"
"{f3aa0dc0-9cc8-11d0-a599-00c04fd64434}"="Channel Shortcut"
"{f3ba0dc0-9cc8-11d0-a599-00c04fd64435}"="Channel Handler Object"
"{f3da0dc0-9cc8-11d0-a599-00c04fd64437}"="Channel Menu"
"{f3ea0dc0-9cc8-11d0-a599-00c04fd64438}"="Channel Properties"
"{5F327514-6C5E-4d60-8F16-D07FA08A78ED}"="Auto Update Property Sheet Extension"
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}"="WinRAR shell extension"
"{B8323370-FF27-11D2-97B6-204C4F4F5020}"="SmartFTP Shell Extension DLL"
"{FED7043D-346A-414D-ACD7-550D052499A7}"="dBpowerAMP Music Converter 1"
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}"="dBpowerAMP Music Converter"
"{8D1636FD-CA49-4B4E-90E4-0A20E03A15E8}"="jetAudio"
"{2F5AC606-70CF-461C-BFE1-734234536262}"="WindowBlinds CPL Extension"
"{32020A01-506E-484D-A2A8-BE3CF17601C3}"="AlcoholShellEx"
"{640167b4-59b0-47a6-b335-a6b3c0695aea}"="Portable Media Devices"
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}"="Portable Media Devices Menu"
"{516EC4D3-4AD9-11D5-AA6A-00E0189008B3}"="The Core Media Player Shell Extension"
"{32A9D769-5B55-4a25-9A62-86B5683FE50A}"="NikonView Drop Extension"
"{C524B32B-1C9F-4121-91D6-CABA45385DD8}"=""
"{DD71C271-A400-4BE2-A1F5-39A60C200E36}"=""
"{5E2121EE-0300-11D4-8D3B-444553540000}"="Catalyst Context Menu extension"

**********************************************************************************
HKEY ROOT CLASSIDS:
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{C524B32B-1C9F-4121-91D6-CABA45385DD8}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C524B32B-1C9F-4121-91D6-CABA45385DD8}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C524B32B-1C9F-4121-91D6-CABA45385DD8}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{C524B32B-1C9F-4121-91D6-CABA45385DD8}\InprocServer32]
@="C:\\WINDOWS\\system32\\mqwmdmsp.dll"
"ThreadingModel"="Apartment"

Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{DD71C271-A400-4BE2-A1F5-39A60C200E36}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DD71C271-A400-4BE2-A1F5-39A60C200E36}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DD71C271-A400-4BE2-A1F5-39A60C200E36}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\CLSID\{DD71C271-A400-4BE2-A1F5-39A60C200E36}\InprocServer32]
@="C:\\WINDOWS\\system32\\mncories.dll"
"ThreadingModel"="Apartment"

**********************************************************************************
Files Found are not all bad files:

C:\WINDOWS\SYSTEM32\
ati2cqag.dll Thu May 12 2005 6:38:02p A.... 208,896 204.00 K
ati2dvag.dll Thu May 12 2005 7:15:28p A.... 228,864 223.50 K
ati2edxx.dll Thu May 12 2005 7:10:20p A.... 39,936 39.00 K
ati2evxx.dll Thu May 12 2005 7:10:10p A.... 46,080 45.00 K
ati3duag.dll Thu May 12 2005 7:01:24p A.... 2,347,520 2.24 M
atiddc.dll Thu May 12 2005 7:08:34p A.... 53,248 52.00 K
atidemgr.dll Thu May 12 2005 9:23:08p A.... 229,376 224.00 K
atiiiexx.dll Thu May 12 2005 9:54:06p A.... 299,008 292.00 K
atikvmag.dll Thu May 12 2005 6:44:06p A.... 139,264 136.00 K
atioglx1.dll Thu May 12 2005 8:39:58p A.... 6,680,576 6.37 M
atioglxx.dll Thu May 12 2005 7:31:36p A.... 4,816,896 4.59 M
atipdlxx.dll Thu May 12 2005 7:10:44p A.... 94,208 92.00 K
atitvo32.dll Thu May 12 2005 6:43:18p A.... 17,408 17.00 K
ativvaxx.dll Thu May 12 2005 6:55:20p A.... 613,440 599.06 K
dgsrslvr.dll Mon Jul 11 2005 2:53:26p ..S.R 417,792 408.00 K
djnput8.dll Mon Jul 11 2005 2:53:10p ..S.R 417,792 408.00 K
hdetwiz.dll Mon Jul 11 2005 1:46:14p ..S.R 417,792 408.00 K
iokrpor.dll Sat Jul 2 2005 1:01:38a A.... 27,648 27.00 K
iom32.dll Mon Jul 11 2005 4:13:46p ..S.R 417,792 408.00 K
mncories.dll Wed Jul 13 2005 5:04:46p ..S.R 417,792 408.00 K
mtg_hook.dll Mon Jul 11 2005 1:47:38p ..S.R 417,792 408.00 K
mvjtes40.dll Mon Jul 11 2005 11:22:52p ..S.R 417,792 408.00 K
oemdspif.dll Thu May 12 2005 7:10:32p A.... 73,728 72.00 K
sqkuw.dll Sat Jul 2 2005 1:01:38a A.... 9,728 9.50 K
swayerxp.dll Tue Jul 12 2005 12:25:34a ..S.R 417,792 408.00 K
wzvdmoe.dll Tue Jul 12 2005 12:33:28a ..S.R 417,792 408.00 K

26 items found: 26 files (9 H/S), 0 directories.
Total of file sizes: 19,685,952 bytes 18.77 M
Locate .tmp files:

C:\WINDOWS\SYSTEM32\
guard.tmp Sat Jul 9 2005 2:39:38a ..S.R 417,792 408.00 K

1 item found: 1 file (1 H/S), 0 directories.
Total of file sizes: 417,792 bytes 408.00 K
**********************************************************************************
Directory Listing of system files:
Volume in drive C has no label.
Volume Serial Number is 2CB6-9C93

Directory of C:\WINDOWS\System32

07/13/2005 05:04 PM 417,792 mncories.dll
07/12/2005 12:33 AM 417,792 wzvdmoe.dll
07/12/2005 12:25 AM 417,792 swayerxp.dll
07/11/2005 11:22 PM 417,792 mvjtes40.dll
07/11/2005 04:13 PM 417,792 iom32.dll
07/11/2005 02:53 PM 417,792 dgsrslvr.dll
07/11/2005 02:53 PM 417,792 djnput8.dll
07/11/2005 01:47 PM 417,792 mTg_hook.dll
07/11/2005 01:46 PM 417,792 hdetwiz.dll
07/10/2005 12:48 AM <DIR> DLLCACHE
07/09/2005 02:39 AM 417,792 guard.tmp
11/21/2004 03:08 PM 10,022 KGyGaAvL.sys
03/29/2004 08:11 PM <DIR> Microsoft
11 File(s) 4,187,942 bytes
2 Dir(s) 4,862,140,416 bytes free

#7
Buckeye_Sam

Posted 13 July 2005 - 06:24 PM

Malware Expert

Member
10,019 posts

Close any programs you have open since this step requires a reboot.

From the l2mfix folder on your desktop, double click l2mfix.bat and select option #2 for Run Fix by typing 2 and then pressing enter, then press any key to reboot your computer. After a reboot, your desktop and icons will appear, then disappear (this is normal). L2mfix will continue to scan your computer and when it's finished, notepad will open with a log. Copy the contents of that log and paste it back into this thread, along with a new hijackthis log.

IMPORTANT: Do NOT run any other files in the l2mfix folder until you are asked to do so!

#8
centrus

Posted 13 July 2005 - 06:34 PM

Member

Topic Starter
Member
10 posts

thanks for the quick responses Sam, i really appreciate the help :tazz:

here are the logs:

L2Mfix 1.03a

Running From:
C:\Documents and Settings\Gary\Desktop\l2mfix

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting registry permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Denying C(CI) access for predefined group "Administrators"
- adding new ACCESS DENY entry

Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- BUILTIN\Administrators
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Setting up for Reboot

Starting Reboot!

C:\Documents and Settings\Gary\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\Gary\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 340 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1192 'rundll32.exe'
Killing PID 1192 'rundll32.exe'
Killing PID 1192 'rundll32.exe'
Killing PID 1192 'rundll32.exe'
Killing PID 1192 'rundll32.exe'
Killing PID 1192 'rundll32.exe'
Killing PID 1192 'rundll32.exe'
Killing PID 1192 'rundll32.exe'
Killing PID 1192 'rundll32.exe'
Killing PID 1192 'rundll32.exe'
Killing PID 1192 'rundll32.exe'
Killing PID 1540 'rundll32.exe'

Scanning First Pass. Please Wait!

First Pass Completed

Second Pass Scanning

Second pass Completed!
Backing Up: C:\WINDOWS\system32\dgsrslvr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dgsrslvr.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\djnput8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\djnput8.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dsserver.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\dsserver.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hdetwiz.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\hdetwiz.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iom32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\iom32.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mncories.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mncories.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mTg_hook.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mTg_hook.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvjtes40.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\mvjtes40.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\swayerxp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\swayerxp.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wzvdmoe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\wzvdmoe.dll
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
Backing Up: C:\WINDOWS\system32\guard.tmp
1 file(s) copied.
deleting: C:\WINDOWS\system32\dgsrslvr.dll
Successfully Deleted: C:\WINDOWS\system32\dgsrslvr.dll
deleting: C:\WINDOWS\system32\dgsrslvr.dll
Successfully Deleted: C:\WINDOWS\system32\dgsrslvr.dll
deleting: C:\WINDOWS\system32\djnput8.dll
Successfully Deleted: C:\WINDOWS\system32\djnput8.dll
deleting: C:\WINDOWS\system32\djnput8.dll
Successfully Deleted: C:\WINDOWS\system32\djnput8.dll
deleting: C:\WINDOWS\system32\dsserver.dll
Successfully Deleted: C:\WINDOWS\system32\dsserver.dll
deleting: C:\WINDOWS\system32\dsserver.dll
Successfully Deleted: C:\WINDOWS\system32\dsserver.dll
deleting: C:\WINDOWS\system32\hdetwiz.dll
Successfully Deleted: C:\WINDOWS\system32\hdetwiz.dll
deleting: C:\WINDOWS\system32\hdetwiz.dll
Successfully Deleted: C:\WINDOWS\system32\hdetwiz.dll
deleting: C:\WINDOWS\system32\iom32.dll
Successfully Deleted: C:\WINDOWS\system32\iom32.dll
deleting: C:\WINDOWS\system32\iom32.dll
Successfully Deleted: C:\WINDOWS\system32\iom32.dll
deleting: C:\WINDOWS\system32\mncories.dll
Successfully Deleted: C:\WINDOWS\system32\mncories.dll
deleting: C:\WINDOWS\system32\mncories.dll
Successfully Deleted: C:\WINDOWS\system32\mncories.dll
deleting: C:\WINDOWS\system32\mTg_hook.dll
Successfully Deleted: C:\WINDOWS\system32\mTg_hook.dll
deleting: C:\WINDOWS\system32\mTg_hook.dll
Successfully Deleted: C:\WINDOWS\system32\mTg_hook.dll
deleting: C:\WINDOWS\system32\mvjtes40.dll
Successfully Deleted: C:\WINDOWS\system32\mvjtes40.dll
deleting: C:\WINDOWS\system32\mvjtes40.dll
Successfully Deleted: C:\WINDOWS\system32\mvjtes40.dll
deleting: C:\WINDOWS\system32\swayerxp.dll
Successfully Deleted: C:\WINDOWS\system32\swayerxp.dll
deleting: C:\WINDOWS\system32\swayerxp.dll
Successfully Deleted: C:\WINDOWS\system32\swayerxp.dll
deleting: C:\WINDOWS\system32\wzvdmoe.dll
Successfully Deleted: C:\WINDOWS\system32\wzvdmoe.dll
deleting: C:\WINDOWS\system32\wzvdmoe.dll
Successfully Deleted: C:\WINDOWS\system32\wzvdmoe.dll
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp
deleting: C:\WINDOWS\system32\guard.tmp
Successfully Deleted: C:\WINDOWS\system32\guard.tmp

Zipping up files for submission:
adding: dgsrslvr.dll (164 bytes security) (deflated 48%)
adding: djnput8.dll (164 bytes security) (deflated 48%)
adding: dsserver.dll (164 bytes security) (deflated 48%)
adding: hdetwiz.dll (164 bytes security) (deflated 48%)
adding: iom32.dll (164 bytes security) (deflated 48%)
adding: mncories.dll (164 bytes security) (deflated 48%)
adding: mTg_hook.dll (164 bytes security) (deflated 48%)
adding: mvjtes40.dll (164 bytes security) (deflated 48%)
adding: swayerxp.dll (164 bytes security) (deflated 48%)
adding: wzvdmoe.dll (164 bytes security) (deflated 48%)
adding: guard.tmp (164 bytes security) (deflated 48%)
adding: clear.reg (164 bytes security) (deflated 36%)
adding: echo.reg (164 bytes security) (deflated 8%)
adding: direct.txt (164 bytes security) (stored 0%)
adding: lo2.txt (164 bytes security) (deflated 85%)
adding: readme.txt (164 bytes security) (deflated 49%)
adding: report.txt (164 bytes security) (deflated 66%)
adding: test.txt (164 bytes security) (deflated 86%)
adding: test2.txt (164 bytes security) (deflated 17%)
adding: test3.txt (164 bytes security) (deflated 17%)
adding: test5.txt (164 bytes security) (deflated 17%)
adding: xfind.txt (164 bytes security) (deflated 82%)
adding: backregs/C524B32B-1C9F-4121-91D6-CABA45385DD8.reg (164 bytes security) (deflated 70%)
adding: backregs/DD71C271-A400-4BE2-A1F5-39A60C200E36.reg (164 bytes security) (deflated 70%)
adding: backregs/shell.reg (164 bytes security) (deflated 73%)

Restoring Registry Permissions:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Revoking access for predefined group "Administrators"
Inherited ACE can not be revoked here!
Inherited ACE can not be revoked here!

Registry permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(NI) ALLOW Full access NT AUTHORITY\SYSTEM
(IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER

Restoring Sedebugprivilege:

Granting SeDebugPrivilege to Administrators ... successful

deleting local copy: dgsrslvr.dll
deleting local copy: dgsrslvr.dll
deleting local copy: djnput8.dll
deleting local copy: djnput8.dll
deleting local copy: dsserver.dll
deleting local copy: dsserver.dll
deleting local copy: hdetwiz.dll
deleting local copy: hdetwiz.dll
deleting local copy: iom32.dll
deleting local copy: iom32.dll
deleting local copy: mncories.dll
deleting local copy: mncories.dll
deleting local copy: mTg_hook.dll
deleting local copy: mTg_hook.dll
deleting local copy: mvjtes40.dll
deleting local copy: mvjtes40.dll
deleting local copy: swayerxp.dll
deleting local copy: swayerxp.dll
deleting local copy: wzvdmoe.dll
deleting local copy: wzvdmoe.dll
deleting local copy: guard.tmp
deleting local copy: guard.tmp

The following Is the Current Export of the Winlogon notify key:
****************************************************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
"DLLName"="Ati2evxx.dll"
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000001
"Lock"="AtiLockEvent"
"Logoff"="AtiLogoffEvent"
"Logon"="AtiLogonEvent"
"Disconnect"="AtiDisConnectEvent"
"Reconnect"="AtiReConnectEvent"
"Safe"=dword:00000000
"Shutdown"="AtiShutdownEvent"
"StartScreenSaver"="AtiStartScreenSaverEvent"
"StartShell"="AtiStartShellEvent"
"Startup"="AtiStartupEvent"
"StopScreenSaver"="AtiStopScreenSaverEvent"
"Unlock"="AtiUnLockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,33,00,32,00,2e,00,64,00,6c,00,\
6c,00,00,00
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet]
"Asynchronous"=dword:00000000
"Impersonate"=dword:00000000
"DllName"=hex(2):63,00,72,00,79,00,70,00,74,00,6e,00,65,00,74,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Logoff"="CryptnetWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll]
"DLLName"="cscdll.dll"
"Logon"="WinlogonLogonEvent"
"Logoff"="WinlogonLogoffEvent"
"ScreenSaver"="WinlogonScreenSaverEvent"
"Startup"="WinlogonStartupEvent"
"Shutdown"="WinlogonShutdownEvent"
"StartShell"="WinlogonStartShellEvent"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui]
@=""
"DLLName"="igfxsrvc.dll"
"Asynchronous"=dword:00000001
"Impersonate"=dword:00000001
"Unlock"="WinlogonUnlockEvent"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp]
"DLLName"="wlnotify.dll"
"Logon"="SCardStartCertProp"
"Logoff"="SCardStopCertProp"
"Lock"="SCardSuspendCertProp"
"Unlock"="SCardResumeCertProp"
"Enabled"=dword:00000001
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"StartShell"="SchedStartShell"
"Logoff"="SchedEventLogOff"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy]
"Logoff"="WLEventLogoff"
"Impersonate"=dword:00000000
"Asynchronous"=dword:00000001
"DllName"=hex(2):73,00,63,00,6c,00,67,00,6e,00,74,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn]
"DLLName"="WlNotify.dll"
"Lock"="SensLockEvent"
"Logon"="SensLogonEvent"
"Logoff"="SensLogoffEvent"
"Safe"=dword:00000001
"MaxWait"=dword:00000258
"StartScreenSaver"="SensStartScreenSaverEvent"
"StopScreenSaver"="SensStopScreenSaverEvent"
"Startup"="SensStartupEvent"
"Shutdown"="SensShutdownEvent"
"StartShell"="SensStartShellEvent"
"PostShell"="SensPostShellEvent"
"Disconnect"="SensDisconnectEvent"
"Reconnect"="SensReconnectEvent"
"Unlock"="SensUnlockEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv]
"Asynchronous"=dword:00000000
"DllName"=hex(2):77,00,6c,00,6e,00,6f,00,74,00,69,00,66,00,79,00,2e,00,64,00,\
6c,00,6c,00,00,00
"Impersonate"=dword:00000000
"Logoff"="TSEventLogoff"
"Logon"="TSEventLogon"
"PostShell"="TSEventPostShell"
"Shutdown"="TSEventShutdown"
"StartShell"="TSEventStartShell"
"Startup"="TSEventStartup"
"MaxWait"=dword:00000258
"Reconnect"="TSEventReconnect"
"Disconnect"="TSEventDisconnect"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB]
"Asynchronous"=dword:00000000
"DllName"="C:\\PROGRA~1\\Stardock\\OBJECT~1\\WINDOW~1\\fastload.dll"
"Startup"="StartSys"
"Logon"="StartWB"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon]
"DLLName"="wlnotify.dll"
"Logon"="RegisterTicketExpiredNotificationEvent"
"Logoff"="UnregisterTicketExpiredNotificationEvent"
"Impersonate"=dword:00000001
"Asynchronous"=dword:00000001

The following are the files found:
****************************************************************************
C:\WINDOWS\system32\dgsrslvr.dll
C:\WINDOWS\system32\dgsrslvr.dll
C:\WINDOWS\system32\djnput8.dll
C:\WINDOWS\system32\djnput8.dll
C:\WINDOWS\system32\dsserver.dll
C:\WINDOWS\system32\dsserver.dll
C:\WINDOWS\system32\hdetwiz.dll
C:\WINDOWS\system32\hdetwiz.dll
C:\WINDOWS\system32\iom32.dll
C:\WINDOWS\system32\iom32.dll
C:\WINDOWS\system32\mncories.dll
C:\WINDOWS\system32\mncories.dll
C:\WINDOWS\system32\mTg_hook.dll
C:\WINDOWS\system32\mTg_hook.dll
C:\WINDOWS\system32\mvjtes40.dll
C:\WINDOWS\system32\mvjtes40.dll
C:\WINDOWS\system32\swayerxp.dll
C:\WINDOWS\system32\swayerxp.dll
C:\WINDOWS\system32\wzvdmoe.dll
C:\WINDOWS\system32\wzvdmoe.dll
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp

Registry Entries that were Deleted:
Please verify that the listing looks ok.
If there was something deleted wrongly there are backups in the backreg folder.
****************************************************************************
REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{C524B32B-1C9F-4121-91D6-CABA45385DD8}"=-
"{DD71C271-A400-4BE2-A1F5-39A60C200E36}"=-
[-HKEY_CLASSES_ROOT\CLSID\{C524B32B-1C9F-4121-91D6-CABA45385DD8}]
[-HKEY_CLASSES_ROOT\CLSID\{DD71C271-A400-4BE2-A1F5-39A60C200E36}]
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"SV1"=""
****************************************************************************
Desktop.ini Contents:
****************************************************************************
****************************************************************************

Logfile of HijackThis v1.99.1
Scan saved at 5:34:02 PM, on 7/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\WINDOWS\System32\pnarjn.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Opera\Opera.exe
C:\Documents and Settings\Gary\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Gary\Application Data\Mozilla\Profiles\default\s1jivp5f.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\pnarjn.exe reg_run
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM32\hkcmd.exe
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKCU\..\Run: [avtapi] C:\WINDOWS\System32\avtapi.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

#9
Buckeye_Sam

Posted 13 July 2005 - 06:55 PM

Malware Expert

Member
10,019 posts

We are definitely making progress! :tazz:

Let's clean up your hijackthis log a little bit and then we'll take another look for malware with yet another log.

Download rkfiles.zip
http://skads.org/special/rkfiles.zip
Unzip the contents to a permanent folder, but don't run anything yet.

Please make sure that you can VIEW ALL HIDDEN FILES.

Place a checkmark next to these entries, close all browsers and windows, and have HijackThis fix them by clicking Fix Checked:

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.exactsearch.net/sidesearch
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\pnarjn.exe reg_run
O4 - HKLM\..\Run: [A70F6A1D-0195-42a2-934C-D8AC0F7C08EB] rundll32.exe E6F1873B.DLL,D9EBC318C
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKCU\..\Run: [avtapi] C:\WINDOWS\System32\avtapi.exe
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\Cas\Client\casmf.dll
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

Reboot your computer into SAFE MODE

Then delete these files or directories (Do not be concerned if they do not exist):

C:\WINDOWS\System32\AUNPS2.DLL
C:\WINDOWS\System32\pnarjn.exe
C:\WINDOWS\System32\E6F1873B.DLL
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\System32\avtapi.exe
C:\Program Files\Cas
C:\WINDOWS\svcproc.exe

Doubleclick rkfiles.bat that you downloaded earlier.
It will scan for a while, so please be patient.
Wait till the DOS window closes and reboot back to normal mode.

Post the contents of C:\log.txt in your next reply along with a new hijackthis log.

#10
centrus

Posted 13 July 2005 - 07:37 PM

Member

Topic Starter
Member
10 posts

here are the logs:

C:\Documents and Settings\Gary\Desktop\rkfiles

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
Files Found in system Folder............
------------------------
C:\WINDOWS\SYSTEM32\avisynth.dll: UPX!
C:\WINDOWS\SYSTEM32\fmod.dll: UPX!
C:\WINDOWS\SYSTEM32\MACDec.dll: UPX!
C:\WINDOWS\SYSTEM32\MonkeySource.ax: UPX!
C:\WINDOWS\SYSTEM32\npkcsvc.exe: UPX!
C:\WINDOWS\SYSTEM32\dfrg.msc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAwGpEc213

Files Found in all users startup Folder............
------------------------
Files Found in all users windows Folder............
------------------------
C:\WINDOWS\CoreAAC.ax: UPX!
Finished
bye

Logfile of HijackThis v1.99.1
Scan saved at 7:01:46 PM, on 7/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\cisvc.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Gary\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.com
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Gary\Application Data\Mozilla\Profiles\default\s1jivp5f.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM32\hkcmd.exe
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: ipan.exe
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe (file missing)

Edited by centrus, 13 July 2005 - 08:01 PM.

#11
Buckeye_Sam

Posted 14 July 2005 - 04:14 PM

Malware Expert

Member
10,019 posts

Looking much better. :tazz:

Please delete these files.

C:\WINDOWS\SYSTEM32\MACDec.dll
C:\WINDOWS\CoreAAC.ax

=========

Next let's remove that stubborn service that's left from a previous infection.

Click Start -> Run -> (type) services.msc

Scroll down and find the service called System Startup Service When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows.

Run Hijackthis and click on Open the Misc Tools section -> Delete an NT Service
Copy and paste this into the text box and click OK.

SvcProc

Reboot your computer.

=========

Please run this online virus scans.
Make sure it is set to clean automatically

Panda Virus Scan

There may be files that this scan will not remove. Please include that information in your next post.

=========

Reboot and post a new hijackthis log and the info from your virus scan.
Let me know how things feel on your end.

Edited by Buckeye_Sam, 14 July 2005 - 04:15 PM.

#12
centrus

Posted 14 July 2005 - 06:01 PM

Member

Topic Starter
Member
10 posts

I tried to run the Panda Virus Scan, but for some wierd reason, it doesnt work. My computer is functioning MUCH better now, and the popups have stopped :tazz:

heres my latest hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 5:00:00 PM, on 7/14/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\mysql\bin\mysqld-nt.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\System32\pnarjn.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\D-Link AirPlus\AirPlus.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\SYSTEM32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Gary\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://gmail.com/
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Gary\Application Data\Mozilla\Profiles\default\s1jivp5f.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Web assistant - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: TGTSoft Explorer Toolbar Changer - {C333CF63-767F-4831-94AC-E683D962C63C} - (no file)
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\SYSTEM32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\SYSTEM32\hkcmd.exe
O4 - HKLM\..\Run: [SysMetrix] C:\Program Files\SysMetrix\SysMetrix.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\pnarjn.exe reg_run
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: D-Link AirPlus.lnk = ?
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Picture Package Menu.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
O4 - Global Startup: Picture Package VCD Maker.lnk = C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: MySql - Unknown owner - C:\mysql\bin\mysqld-nt.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

#13
Buckeye_Sam

Posted 14 July 2005 - 07:12 PM

Malware Expert

Member
10,019 posts

We're still dealing with a persistent trojan.

Delete temp files

Navigate to the C:\Windows\Temp folder. Open the Temp folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Navigate to the C:\Windows\Prefetch folder. Open the Prefetch folder and go to Edit > Select All then Edit > Delete to delete the entire contents of the Prefetch folder.

Go to Start > Run and type %temp% in the Run box. The Temp folder will open. Click Edit > Select All then Edit > Delete to delete the entire contents of the Temp folder.

Finally go to Control Panel > Internet Options. On the General tab under "Temporary Internet Files" Click "Delete Files". Put a check by "Delete Offline Content" and click OK. Click on the Programs tab then click the "Reset Web Settings" button. Click Apply then OK.

Empty the Recycle Bin.

===========

Run Kaspersky's online virus scan and save the results to post in your next reply.

http://www.kaspersky...oduct=161744315

===========

Please download FindQoologic from here:
http://forums.net-in...=post&id=134981
Save it to the desktop and run Find-Qoologic2.bat. This will generate a log file; please post the entire contents of the log file here for me to see.

==========

To summarize, I need to see the report from Kasperky and the log from findqoolic in your next post.

#14
centrus

Posted 15 July 2005 - 01:21 PM

Member

Topic Starter
Member
10 posts

here are the logs:

-------------------------------------------------------------------------------
KASPERSKY ANTI-VIRUS WEB SCANNER REPORT
Friday, July 15, 2005 12:03:59
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Anti-Virus Web Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 15/07/2005
Kaspersky Anti-Virus database records: 130634
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 90597
Number of viruses found: 26
Number of infected objects: 79
Number of suspicious objects: 0
Duration of the scan process: 9705 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Setup\Setup.dll Infected: Trojan.Win32.StartPage.ku
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ipan.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\Documents and Settings\Gary\My Documents\ChDragon.exe/WISE0023.BIN Infected: Trojan-Dropper.Win32.Small.jh
C:\Documents and Settings\Gary\My Documents\ChDragon.exe Infected: Trojan-Dropper.Win32.Small.jh
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\02993FA5.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0A1B341A.dll Infected: Backdoor.Win32.Netbus
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0A325A00.exe Infected: Backdoor.Win32.SubSeven.22
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0B132B08.exe Infected: Backdoor.Win32.SubSeven.22
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0B5055E1.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0B621AB2.exe Infected: Backdoor.Win32.Netbus.170
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\0F4A1080.exe Infected: Backdoor.Win32.SubSeven.22.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\166A627B.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\16E011E0.exe Infected: Backdoor.Win32.SubSeven.22.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\192602C0.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\192602C0.exe Infected: Backdoor.Win32.SubSeven.22.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\253B0813.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\28B71357.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3A7C6EFA.dll Infected: Backdoor.Win32.SubSeven.22.b2
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\3EB571D2.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\40642FEA.exe Infected: Backdoor.Win32.Netbus.170
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\40AC4B9B.exe Infected: Backdoor.Win32.Netbus.170
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\41711217.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\447B3283.exe Infected: Backdoor.Win32.Netbus.170
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\45471E92.exe Infected: Backdoor.Win32.Netbus.170
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\458777E2.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\45E800BB.cgi Infected: Backdoor.Win32.SubSeven.22.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\45E800BB.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\45E800BB.exe Infected: Backdoor.Win32.SubSeven.22.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\45EC2AB7.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\45EC2AB7.exe Infected: Backdoor.Win32.SubSeven.22
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\45EF54B4.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\46D779B5.cgi Infected: Backdoor.Win32.SubSeven.22.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\46D779B5.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\46D779B5.exe Infected: Backdoor.Win32.SubSeven.22.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\46DA23B1.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\46DD4DAD.dll Infected: Backdoor.Win32.SubSeven.22.b2
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\46E177AA.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\46E421A6.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\46E421A6.exe Infected: Backdoor.Win32.SubSeven.22
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4E2C299B.exe Infected: Backdoor.Win32.Netbus.170
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\5F0B571A.class Infected: Exploit.Java.Bytverify
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\5F5E7DCD.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\5F732A14.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\5F732A14.exe Infected: Backdoor.Win32.SubSeven.22.a
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\5FB60930 Infected: Backdoor.Win32.Netbus.170
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\76704B14.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7A227CEA.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7AFC56F6.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\7FBF19E2.dll Infected: Backdoor.Win32.SubSeven.22.plugin
C:\Program Files\SDProtectorBasic\SDProtectorStd.exe Infected: Backdoor.Win32.Dragonbot.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0199132.exe Infected: Trojan-Downloader.Win32.Agent.qg
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0199143.dll Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0199144.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0199154.exe Infected: Trojan-Downloader.Win32.Small.abd
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0199157.exe Infected: Trojan-Downloader.Win32.SecondThought.ah
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0199162.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0199166.exe Infected: Trojan-Downloader.Win32.Delf.go
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0199167.dll Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0199171.exe Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0199172.cpl Infected: Trojan-Downloader.Win32.Qoologic.p
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0199175.exe Infected: Trojan-Spy.Win32.VB.eh
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0199176.EXE Infected: Trojan-Downloader.Win32.Small.wk
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0199177.sys Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0199179.sys Infected: Trojan.Win32.Kolweb.b
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0200112.dll Infected: Trojan-Clicker.Win32.Small.ez
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0200113.exe Infected: Trojan-Downloader.Win32.Agent.am
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0200114.dll Infected: Trojan-Downloader.Win32.Braidupdate.d
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0200115.dll Infected: Trojan-Downloader.Win32.Qoologic.p
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0200116.exe Infected: Trojan-Downloader.Win32.Small.abd
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP481\A0202235.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\WINDOWS\SYSTEM32\iokrpor.dll Infected: Trojan-Downloader.Win32.Qoologic.s
C:\WINDOWS\SYSTEM32\kbupa.dat Infected: Trojan-Downloader.Win32.Qoologic.u
C:\WINDOWS\SYSTEM32\mrabnrb.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\WINDOWS\SYSTEM32\pnarjn.exe Infected: Trojan-Downloader.Win32.Qoologic.u
C:\WINDOWS\SYSTEM32\sqkuw.dll Infected: Trojan-Downloader.Win32.Qoologic.t

Scan process completed.

PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, There WILL be LEGIT FILES LISTED PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
some examples are MRT.EXE NTDLL.DLL.
»»»»»»»»»»»»»»»»»»»»»»»» Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Packed files »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» startup files»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Checking Global Startup »»»»»»»»»»»»»»»»»»»»»»

(fstarts by IMM - test ver. 0.001) NOT using address check -- 0x77f75fae

Global Startup:
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
.
..
Adobe Gamma Loader.lnk
ATI CATALYST System Tray.lnk
D-Link AirPlus.lnk
DESKTOP.INI
hp psc 2000 Series.lnk
hpoddt01.exe.lnk
ipan.exe
Picture Package Menu.lnk
Picture Package VCD Maker.lnk

User Startup:
C:\Documents and Settings\Gary\Start Menu\Programs\Startup
.
..
DESKTOP.INI

#15
Buckeye_Sam

Posted 15 July 2005 - 04:17 PM

Malware Expert

Member
10,019 posts

Please fix this line with Hijackthis.

O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\pnarjn.exe reg_run

Download the Pocket Killbox.

Unzip the contents of KillBox.zip to a convenient location and then double-click on KillBox.exe to launch the program.

Highlight the lines below and press the Ctrl key and the C key at the same time to copy them to the clipboard:
- C:\Documents and Settings\All Users\Application Data\Setup\Setup.dll
  C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ipan.exe
  C:\Documents and Settings\Gary\My Documents\ChDragon.exe
  C:\Program Files\SDProtectorBasic\SDProtectorStd.exe
  C:\WINDOWS\SYSTEM32\iokrpor.dll
  C:\WINDOWS\SYSTEM32\kbupa.dat
  C:\WINDOWS\SYSTEM32\mrabnrb.exe
  C:\WINDOWS\SYSTEM32\pnarjn.exe
  C:\WINDOWS\SYSTEM32\sqkuw.dll
Now go to the Killbox application and click on the File menu and then the Paste from Clipboard menu item. In the Full Path of File to Delete box you should see the first file. If you dropdown that box you should see the rest of them. Make sure that they are all there.
Click on the Delete on Reboot option and then click on the red circle with a white 'X' in to to delete the files. Killbox will tell you that all listed files will be deleted on next reboot, click YES. When it asks if you would like to Reboot now, click YES. If you get a "PendingFileRenameOperations Registry Data has been Removed by External Process!" message then just restart manually.