Aurora, Nail, Keylogger, Winfix, etc. Help! [RESOLVED]


#1 emocoregirl (Member, 26 posts)
Somehow, and I'm not sure how, I've been bombarded with malware, keyloggers, etc. on my computer at work. I really need help. I would like to rid my computer of these problems ASAP. I've done a Norton virus scan and removed sidekick3 (or whatever it is) along with a number of other suspicious programs that I hadn't seen in the system before. I removed Elite, but that keeps coming back. I have Spybot and have been using it, but nothing seems to be working.

I shut down/start up my computer every day. I believe there are trojans/keyloggers that are mutating, and I get new ones (more and more) every day. We are on a network... is that going to be a problem as well?

Here is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 12:12:52 PM, on 07/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\msesdpia.exe
C:\WINDOWS\system32\pabjar.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\DOCUME~1\JILL~1.NLF\LOCALS~1\Temp\sysnet.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
F:\WordPerfect Office 2000\programs\dad9.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\WINDOWS\msagent\AgentSvr.exe
c:\windows\system32\upbrfd.exe
C:\Program Files\Internet Explorer\iexplore.exe
F:\WordPerfect Office 2000\programs\wpwin9.exe
C:\WINDOWS\abpqyrweoa.exe
C:\WINDOWS\abpqyrweoa.exe
C:\HJT-log\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [richup] C:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitepnm32.exe
O4 - HKLM\..\Run: [53mh39W] msesdpia.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pabjar.exe reg_run
O4 - HKLM\..\Run: [exp] C:\WINDOWS\System32\exp
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\JILL~1.NLF\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [tpqgmh] c:\windows\system32\upbrfd.exe r
O4 - HKCU\..\Run: [K05nRVa4Q] mqlmm.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - HKCU\..\Run: [wkkz] C:\PROGRA~1\COMMON~1\wkkz\wkkzm.exe
O4 - Startup: Desktop Application Director 9.LNK = WordPerfect Office 2000\programs\dad9.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.norun
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NLFISHCO.COM
O17 - HKLM\Software\..\Telephony: DomainName = NLFISHCO.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = NLFISHCO.COM
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\CMAPP\Client\cmappmf.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

Edited by emocoregirl, 29 July 2005 - 05:45 PM.

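A small triage script for HijackThis logs like the one above, added here as an example (it is not part of the thread and not HijackThis itself): it flags the Shell= line that launches Nail.exe, Run entries whose names look machine-generated or whose executable lives under Temp, BHO/toolbar modules sitting directly under C:\WINDOWS, and the text/html MIME filter. The sample lines are copied from the log above; the reason codes and heuristics are this example's own assumptions.

```python
"""Triage of HijackThis v1.99 log lines (added example, not from the thread).

Reads the R/F/O sections of a log and flags the patterns a helper looks for:
a Shell= line that launches anything besides Explorer.exe, Run entries whose
names look machine-generated or whose executable lives under Temp, browser
helper objects or toolbars whose DLL sits directly under the Windows directory,
and any text/html MIME filter.  Reason codes and heuristics are this example's own.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. "O4"
    code: str     # short reason tag chosen by this example
    line: str     # the log line that triggered it


# "O4 - HKLM\..\Run: [Name] command" -> section code and the rest of the line
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.+)$")
SHELL_RE = re.compile(r"^REG:system\.ini: Shell=(?P<val>.*)$")
RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU)\\\.\.\\Run(?:Once)?: \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$"
)
TEMP_RE = re.compile(r"\\temp\\", re.IGNORECASE)

# Constructed sample: a few lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [53mh39W] msesdpia.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\JILL~1.NLF\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [tpqgmh] c:\windows\system32\upbrfd.exe r
O4 - HKCU\..\Run: [K05nRVa4Q] mqlmm.exe
O18 - Filter: text/html - {8293D547-38DD-4325-B35A-F1817EDFA5FC} - C:\Program Files\CMAPP\Client\cmappmf.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""


def looks_random(name: str) -> bool:
    """Heuristic: letters and digits interleaved, or almost no vowels."""
    letters = [c for c in name if c.isalpha()]
    digits = sum(c.isdigit() for c in name)
    if digits >= 2 and re.search(r"[A-Za-z]\d|\d[A-Za-z]", name):
        return True  # e.g. "53mh39W", "K05nRVa4Q"
    if len(letters) >= 5:
        vowels = sum(c.lower() in "aeiouy" for c in letters)
        return vowels / len(letters) < 0.15  # e.g. "tpqgmh"
    return False


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per suspicious pattern found in the log text."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "F2":
            sm = SHELL_RE.match(body)
            if sm and sm.group("val").strip().lower() != "explorer.exe":
                findings.append(Finding(sec, "shell-hijack", line))
        elif sec == "O4":
            rm = RUN_RE.match(body)
            if not rm:
                continue  # Startup-folder entries are not handled here
            name, cmd = rm.group("name"), rm.group("cmd")
            if looks_random(name):
                findings.append(Finding(sec, "run-random-name", line))
            if TEMP_RE.search(cmd):
                findings.append(Finding(sec, "run-temp-path", line))
        elif sec in ("O2", "O3"):
            path = body.split(" - ")[-1].lower()
            if path.startswith("c:\\windows\\") and not path.startswith("c:\\windows\\system32\\"):
                findings.append(Finding(sec, "module-under-windows-root", line))
        elif sec == "O18":
            findings.append(Finding(sec, "mime-filter", line))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by reason code."""
    return dict(Counter(f.code for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.code:<26}{f.line}")
    print(summarize(triage(SAMPLE_LOG)))
```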


#2 tampabelle (Retired Staff, 6,363 posts)
Hi emocoregirl,

You have a bunch of infections on your PC !! It will take a few iterations to clean up everything but it can be done.


First we will need to download a few tools that will help us in the removal of your problem.

Download about:buster by RubbeRDuckY Here.
Download CWShredder Here.
Download and install CleanUp! Here

Save all of these files somewhere you will remember like to the Desktop.

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
  • Now close About:Buster
Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Close CWShredder
Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Please run about:buster by RubbeRDuckY:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I may need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end.

Now run CWShredder. Click I Agree, then Fix and then Next, and let it fix everything it asks about.

Now run CleanUp! Reboot your computer into normal Windows.

Please run an on-line virus scan at Kaspersky OnLine Scan or, if that doesn't work, you can use TrendMicro or BitDefender. (Please post the results of the scan(s) in your next reply.)

After all that, please post back with how things went as well as the logs requested and a new HiJackThis log.

#3 emocoregirl (Topic Starter, 26 posts)
Thank you so much for responding tampabelle! I apologize, I am not at work today but I assure you I will definitely follow your suggested steps and repost a log as soon as I'm finished on Monday morning. Thanks again!!

#4 tampabelle (Retired Staff, 6,363 posts)
No problem. I will look at your logs when you post them.

#5 emocoregirl (Topic Starter, 26 posts)
I will update with my new logs tomorrow AM. I am very sorry.

#6 tampabelle (Retired Staff, 6,363 posts)
No problem.

#7 emocoregirl (Topic Starter, 26 posts)
I have done all the steps you provided me with. My computer is still being bombarded with pop-ups, so much that I can't even X them out in enough time. I did a TrendMicro virus scan, and for some reason it won't let me get rid of anything. It says I have 19 infections, mostly trojans. Here is my about:buster log as well as my HijackThis log.

About:Buster log:

Scanned at: 4:31:12 PM on: 8/1/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 31

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 31

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!


Scanned at: 4:35:10 PM on: 8/1/2005

-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 31

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 31

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:33:54 AM, on 08/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\SKSMAILD.EXE
C:\WINDOWS\system32\Pelmiced.exe
c:\windows\system32\wadgqum.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
F:\WordPerfect Office 2000\programs\dad9.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Aprps\CxtPls.exe
C:\HJT-log\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [richup] C:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitepnm32.exe
O4 - HKLM\..\Run: [53mh39W] msesdpia.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pabjar.exe reg_run
O4 - HKLM\..\Run: [exp] C:\WINDOWS\System32\exp
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\JILL~1.NLF\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [pznhgti] c:\windows\system32\wadgqum.exe r
O4 - HKCU\..\Run: [K05nRVa4Q] mqlmm.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - HKCU\..\Run: [wkkz] C:\PROGRA~1\COMMON~1\wkkz\wkkzm.exe
O4 - Startup: Desktop Application Director 9.LNK = WordPerfect Office 2000\programs\dad9.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: rpin.exe
O4 - Global Startup: Service Manager.norun
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NLFISHCO.COM
O17 - HKLM\Software\..\Telephony: DomainName = NLFISHCO.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = NLFISHCO.COM
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

#8 emocoregirl (Topic Starter, 26 posts)

Also, I ran a Trend Micro Sysclean package. Here are the results:

/--------------------------------------------------------------\
| Trend Micro Sysclean Package |
| Copyright 2002, Trend Micro, Inc. |
| http://www.trendmicro.com |
\--------------------------------------------------------------/


2005-08-02, 14:46:25, Auto-clean mode specified.
2005-08-02, 14:46:25, Running scanner "C:\cleanup programs\trendmicro\lpt755\TSC.BIN"...
2005-08-02, 14:47:07, Scanner "C:\cleanup programs\trendmicro\lpt755\TSC.BIN" has finished running.
2005-08-02, 14:47:07, TSC Log:

Damage Cleanup Engine (DCE) 3.9(Build 1020)
Windows XP(Build 2600: Service Pack 2)

Start time : Tue Aug 02 2005 14:46:25

Load Damage Cleanup Template (DCT) "C:\cleanup programs\trendmicro\lpt755\tsc.ptn" (version 632) [success]
TROJ_STARTPAG.QY[virus found]
-->delete file("C:\WINDOWS\system32\temperror32.dat","","") success
-->reboot delete file("C:\windows\system32\elitepnm32.exe","","") success
-->delete file("C:\WINDOWS\system32\shao.vbs","","") success
-->add file("C:\WINDOWS\system32\shao.vbs","","") success
-->modify file("C:\WINDOWS\system32\shao.vbs","","") success
-->modify registry value("HKEY_LOCAL_MACHINE","SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce","ruen") success

Complete time : Tue Aug 02 2005 14:46:45
Execute pattern count(4169), Virus found count(1), Virus clean count(1), Clean failed count(0)

2005-08-02, 14:47:10, Could not set file for reading on "C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp": Access is denied.
2005-08-02, 14:47:35, An error occurred while scanning file "C:\Documents and Settings\jill.NLFISHCO\NTUSER.DAT": Access is denied.
2005-08-02, 14:47:36, An error occurred while scanning file "C:\Documents and Settings\jill.NLFISHCO\ntuser.dat.LOG": Access is denied.
2005-08-02, 14:47:38, An error occurred while scanning file "C:\Documents and Settings\jill.NLFISHCO\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-08-02, 14:47:38, An error occurred while scanning file "C:\Documents and Settings\jill.NLFISHCO\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-08-02, 14:47:39, An error occurred while scanning file "C:\Documents and Settings\jill.NLFISHCO\Local Settings\Temp\Perflib_Perfdata_a00.dat": Access is denied.
2005-08-02, 14:47:39, An error occurred while scanning file "C:\Documents and Settings\jill.NLFISHCO\Local Settings\Temp\tmp1E1.tmp": Access is denied.
2005-08-02, 14:48:52, An error occurred while scanning file "C:\Documents and Settings\LocalService\NTUSER.DAT": Access is denied.
2005-08-02, 14:48:52, An error occurred while scanning file "C:\Documents and Settings\LocalService\ntuser.dat.LOG": Access is denied.
2005-08-02, 14:48:52, An error occurred while scanning file "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-08-02, 14:48:52, An error occurred while scanning file "C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-08-02, 14:48:57, An error occurred while scanning file "C:\Documents and Settings\NetworkService\NTUSER.DAT": Access is denied.
2005-08-02, 14:48:57, An error occurred while scanning file "C:\Documents and Settings\NetworkService\ntuser.dat.LOG": Access is denied.
2005-08-02, 14:48:57, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat": Access is denied.
2005-08-02, 14:48:57, An error occurred while scanning file "C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG": Access is denied.
2005-08-02, 14:51:57, An error was detected on "C:\System Volume Information\*.*": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\ABIUNINST.EXE-21B6D2C6.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\ABIUNINST.EXE-26279AB8.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\ABOUTBUSTER.EXE-0E37AD67.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\ABPQYRWEOA.EXE-00642EBB.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\AGENTSVR.EXE-002E45AB.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\AUF1.EXE-1260A51B.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\AUPATCH.DAT-2ABC88BA.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\AURARECO.EXE-047F4DF5.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\AUTOUPDATE.EXE-06160476.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\AUTO_UPDATE_INSTALL.EXE-2E54A821.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\AUUNZIP.DAT-39E18726.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\AUUPDATE.DAT-0EBBB42B.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\A~NSISU_.EXE-07CB7993.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\BVOXOO.EXE-04F6195A.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\CERRWIO.EXE-0D6CAEB8.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\CLEANUP.EXE-3001858F.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\CLEANUP.EXE-35C80709.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\CLEANUP40.EXE-16181212.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\CQEJWB.EXE-04C47DE2.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\CVTRES.EXE-13DEB540.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\CWSHREDDER.EXE-2DF630DC.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\CXTPLS.EXE-09DD979E.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\CZGKII.EXE-1FBB0737.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\DEFRAG.EXE-273F131E.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\DFRGNTFS.EXE-269967DF.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\DINST.EXE-1E333838.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\DINST.EXE-1F115A99.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\DLXPAYA.EXE-06FC4F53.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\DRWTSN32.EXE-2B4B52AC.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\DUMPREP.EXE-1B46F901.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\DWWIN.EXE-30875ADC.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\EGCHGS.EXE-05B3CA3C.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\EXCEL.EXE-1C75F8D6.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\EXCLEAN.EXE-1839C52C.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\EXDL.EXE-379F80E9.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\F1943562.EXE-37E303EE.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\F4636765.EXE-301A13BF.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\GVNSIH.EXE-0A857B53.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\HELPSVC.EXE-2878DDA2.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\HIJACKTHIS.EXE-2696A42B.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\HKCMD.EXE-1D05234B.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\ICO.EXE-2A655EB7.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\IEXPLORE.EXE-27122324.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\IGFXTRAY.EXE-3391579A.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\Layout.ini": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\LOGON.SCR-151EFAEA.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\MSESDPIA.EXE-3037EBD6.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\NAIL.EXE-25042152.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\NET.EXE-01A53C2F.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\NOTEPAD.EXE-189578DA.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\NOTEPAD.EXE-336351A9.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\NTBACKUP.EXE-012B886C.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\NTOSBOOT-B00DFAAD.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\NTVDM.EXE-1A10A423.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\OUTLOOK.EXE-3784AE71.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\PABJAR.EXE-0266F7B4.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\PATCH.EXE-1DE617D3.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\POP90.EXE-1A19A03B.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\PROTECTOR.EXE-167D2B91.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\PSOF1.EXE-18DE2D0E.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\RCGJWIHF.EXE-3553E63A.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\REGEDIT.EXE-1B606482.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\REGSVR32.EXE-25EEFE2F.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\RICHUP.EXE-1BEDA451.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\RSMSINK.EXE-032F2BAB.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-147710F4.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-177CB2C3.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-26193580.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-268BFF96.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-2C7B5C4A.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-2CD85FD3.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-34A1FC07.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-371DC9B2.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\RUNDLL32.EXE-43A6BE9F.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\SKDAEMON.EXE-2C388FC6.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\SKSMAILD.EXE-393634FD.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\SPYBOTSD.EXE-1344276B.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\SVCPROC.EXE-1C37B2EB.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\SYSCLEAN.COM-076A90D2.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\SYSCLEAN.COM-29F79E53.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\SYSCLEAN.EXE-173B6989.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\SYSCLEAN.EXE-1CE67BDC.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\TASKMGR.EXE-20256C55.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\THNALL1A.EXE-042879F1.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\THNALL~1.EXE-000C5E39.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\THNALL~1.EXE-026ABE54.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\THNALL~1.EXE-13A879D4.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\THNALL~1.EXE-1AAEDC38.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\THNALL~1.EXE-1B95BAED.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\THNALL~1.EXE-1CAC81F5.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\THNALL~1.EXE-38C23337.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\THNALL~1.EXE-39DCA3DF.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\TP7543.EXE-02F2AD27.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\TSC.BIN-0C07259A.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\TSC.EXE-16EB999F.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\TSC.EXE-2B4C0858.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\UNINSTALL.EXE-258350C1.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\UNINSTALL.EXE-30BC145D.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\UNINSTALL.EXE-32B09AF1.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\VCMNET11.EXE-00F8D6F4.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\VPC32.EXE-29593AFF.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\VPTRAY.EXE-01C37178.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\W04TAX.EXE-0B29C2E8.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\WADGQUM.EXE-3772E0EA.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\WDOTPJK.EXE-010B9CAB.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\WKKZL.EXE-14A59269.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\WLWHPPD.EXE-0275799E.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\WMIPRVSE.EXE-28F301A9.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\WNLBIP.EXE-3299FF28.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\WPWIN9.EXE-065C4300.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\WUAUCLT.EXE-399A8E72.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\XJIPJK.EXE-001632D5.pf": Access is denied.
2005-08-02, 14:54:01, Could not set file for reading on "C:\WINDOWS\Prefetch\XRQJJVO.EXE-26390CA0.pf": Access is denied.
2005-08-02, 14:56:05, An error occurred while scanning file "C:\WINDOWS\system32\CatRoot2\edb.log": Access is denied.
2005-08-02, 14:56:05, An error occurred while scanning file "C:\WINDOWS\system32\CatRoot2\tmp.edb": Access is denied.
2005-08-02, 14:56:05, An error occurred while scanning file "C:\WINDOWS\system32\config\default": Access is denied.
2005-08-02, 14:56:05, An error occurred while scanning file "C:\WINDOWS\system32\config\default.LOG": Access is denied.
2005-08-02, 14:56:06, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM": Access is denied.
2005-08-02, 14:56:06, An error occurred while scanning file "C:\WINDOWS\system32\config\SAM.LOG": Access is denied.
2005-08-02, 14:56:06, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY": Access is denied.
2005-08-02, 14:56:06, An error occurred while scanning file "C:\WINDOWS\system32\config\SECURITY.LOG": Access is denied.
2005-08-02, 14:56:06, An error occurred while scanning file "C:\WINDOWS\system32\config\software": Access is denied.
2005-08-02, 14:56:06, An error occurred while scanning file "C:\WINDOWS\system32\config\software.LOG": Access is denied.
2005-08-02, 14:56:06, An error occurred while scanning file "C:\WINDOWS\system32\config\system": Access is denied.
2005-08-02, 14:56:06, An error occurred while scanning file "C:\WINDOWS\system32\config\system.LOG": Access is denied.
2005-08-02, 14:56:37, Running scanner "C:\cleanup programs\trendmicro\lpt755\VSCANTM.BIN"...
2005-08-02, 15:07:57, Files Detected:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 8/2/2005 14:56:38
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 755 (105672 Patterns) (2005/08/01) (275500)
Command Line: C:\cleanup programs\trendmicro\lpt755\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\cleanup programs\trendmicro\lpt755

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rpin.exe [TROJ_QOOLOGIC.H]
C:\Documents and Settings\jill.NLFISHCO\Local Settings\Temp\f4636765.exe [TROJ_QOOLOGIC.N]
C:\Documents and Settings\jill.NLFISHCO\Local Settings\Temporary Internet Files\Content.IE5\W1AV8H23\protector[1].exe [TROJ_STARTPAG.QY]
C:\WINDOWS\system32\conres.cpl [TROJ_QOOLOGIC.P]
C:\WINDOWS\system32\cxtpls_loader.exe [TROJ_APROPO.AE]
C:\WINDOWS\system32\datadx.dll [TROJ_QOOLOGIC.P]
C:\WINDOWS\system32\drmbcnb.exe [TROJ_QOOLOGIC.N]
C:\WINDOWS\system32\eoajd.dll [TROJ_QOOLOGIC.N]
C:\WINDOWS\system32\exp [TROJ_SMALL.AAL]
C:\WINDOWS\system32\kjhdfgd.dll [TROJ_QOOLOGIC.N]
C:\WINDOWS\system32\kjhdfgd.dll.tmp [TROJ_QOOLOGIC.N]
C:\WINDOWS\system32\msesdpia.exe [TROJ_APROPO.H]
C:\WINDOWS\system32\pabjar.exe [TROJ_QOOLOGIC.N]
C:\WINDOWS\system32\PSof1.exe [TROJ_DLOADER.OS]
C:\WINDOWS\system32\temperror32.dat [TROJ_STARTPAG.QY]
C:\WINDOWS\system32\wbkpq.dat [TROJ_QOOLOGIC.H]
C:\WINDOWS\system32\xjipjk.exe [TROJ_AGENT.UX]
37038 files have been read.
37038 files have been checked.
29546 files have been scanned.
46024 files have been scanned. (including files in archived)
17 files containing viruses.
Found 17 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/2/2005 15:07:57
---------*---------*---------*---------*---------*---------*---------*---------*
2005-08-02, 15:07:57, Files Clean:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 8/2/2005 14:56:37
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 755 (105672 Patterns) (2005/08/01) (275500)
Command Line: C:\cleanup programs\trendmicro\lpt755\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\cleanup programs\trendmicro\lpt755

Success Clean [ TROJ_QOOLOGIC.H]( 1) from C:\Documents and Settings\All Users\Start Menu\Programs\Startup\rpin.exe
Success Clean [ TROJ_QOOLOGIC.N]( 1) from C:\Documents and Settings\jill.NLFISHCO\Local Settings\Temp\f4636765.exe
Success Clean [TROJ_STARTPAG.QY]( 1) from C:\Documents and Settings\jill.NLFISHCO\Local Settings\Temporary Internet Files\Content.IE5\W1AV8H23\protector[1].exe
Success Clean [ TROJ_QOOLOGIC.P]( 1) from C:\WINDOWS\system32\conres.cpl
Success Clean [ TROJ_APROPO.AE]( 1) from C:\WINDOWS\system32\cxtpls_loader.exe
Success Clean [ TROJ_QOOLOGIC.N]( 1) from C:\WINDOWS\system32\drmbcnb.exe
Success Clean [ TROJ_SMALL.AAL]( 1) from C:\WINDOWS\system32\exp
Success Clean [ TROJ_QOOLOGIC.N]( 1) from C:\WINDOWS\system32\kjhdfgd.dll.tmp
Success Clean [ TROJ_APROPO.H]( 1) from C:\WINDOWS\system32\msesdpia.exe
Success Clean [ TROJ_DLOADER.OS]( 1) from C:\WINDOWS\system32\PSof1.exe
Success Clean [TROJ_STARTPAG.QY]( 1) from C:\WINDOWS\system32\temperror32.dat
Success Clean [ TROJ_QOOLOGIC.H]( 1) from C:\WINDOWS\system32\wbkpq.dat
37038 files have been read.
37038 files have been checked.
29546 files have been scanned.
46024 files have been scanned. (including files in archived)
17 files containing viruses.
Found 17 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/2/2005 15:07:57 11 minutes 19 seconds (679.03 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-08-02, 15:07:57, Clean Fail:
Copyright © 1990 - 2004 Trend Micro Inc.
Report Date : 8/2/2005 14:56:37
VSAPI Engine Version : 7.510-1002
VSCANTM Version : 1.1-1001
Virus Pattern Version : 755 (105672 Patterns) (2005/08/01) (275500)
Command Line: C:\cleanup programs\trendmicro\lpt755\VSCANTM.BIN /NBPM /S /CLEANALL /LAPPEND /LD /LC /LCF /NM /NB /C /ACTIVEACTION=5 C:\*.* /P=C:\cleanup programs\trendmicro\lpt755

37038 files have been read.
37038 files have been checked.
29546 files have been scanned.
46024 files have been scanned. (including files in archived)
17 files containing viruses.
Found 17 viruses totally.
Maybe 0 viruses totally.
Stop At : 8/2/2005 15:07:57 11 minutes 19 seconds (679.03 seconds) has elapsed.

---------*---------*---------*---------*---------*---------*---------*---------*
2005-08-02, 15:07:57, Scanner "C:\cleanup programs\trendmicro\lpt755\VSCANTM.BIN" has finished running.

#9 tampabelle (Retired Staff, 6,363 posts)
Hi emocoregirl,


Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, you will be asked to fix some entries, delete some files or uninstall some programs. If you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

CleanUp
Ewido Security Suite

Install Ewido, and update the definitions to the newest files. Do NOT run a scan yet.

Nailfix.exe
Double click on this file. It will create a new folder Nailfix on your desktop and place a couple of files in it.

LQfix.zip
Unzip it to the same folder but do NOT run it yet.

2. Remove Infections

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

Once in Safe Mode, please double-click on Nailfix.cmd. Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Please run LQfix.bat.

Run CleanUp and delete all temp files including temporary internet files

Run Ewido full scan. Let it fix any items it finds.

3. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll
O4 - HKLM\..\Run: [PSof1] C:\WINDOWS\System32\PSof1.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\System32\wintask.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [richup] C:\WINDOWS\System32\richup.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitepnm32.exe
O4 - HKLM\..\Run: [53mh39W] msesdpia.exe
O4 - HKLM\..\Run: [exp] C:\WINDOWS\System32\exp
O4 - HKLM\..\Run: [C:\WINDOWS\VCMnet11.exe] C:\WINDOWS\VCMnet11.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\JILL~1.NLF\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [Dinst] C:\WINDOWS\dinst.exe
O4 - HKLM\..\Run: [pznhgti] c:\windows\system32\wadgqum.exe r
O4 - HKCU\..\Run: [K05nRVa4Q] mqlmm.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - HKCU\..\Run: [wkkz] C:\PROGRA~1\COMMON~1\wkkz\wkkzm.exe


Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

4. Delete Rogue files

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -

Folders

C:\WINDOWS\EliteToolBar
C:\Program Files\Cas
C:\Program Files\CMAPP
C:\Program Files\Common Files\wkkz

Files
C:\WINDOWS\System32\PSof1.exe
C:\WINDOWS\System32\exp.exe
C:\WINDOWS\System32\wintask.exe
C:\WINDOWS\cfgmgr52.dll
C:\WINDOWS\System32\richup.exe
C:\windows\system32\elitepnm32.exe
C:\WINDOWS\System32\exp.exe
c:\windows\system32\wadgqum.exe
C:\WINDOWS\VCMnet11.exe
C:\WINDOWS\dinst.exe
C:\DOCUME~1\JILL~1.NLF\LOCALS~1\Temp\sysnet.exe

mqlmm.exe
msesdpia.exe

(Search for these files using the Windows Search function)


Clear out the files in the Prefetch folder. Go to Start > Run > type into the box Prefetch and delete all the files in that folder. Don't delete the folder, only the files in it!


Reboot the PC in Normal Mode.


Run Hijack This and post a fresh HJT log along with Ewido scan report.

#10 emocoregirl (Topic Starter, 26 posts)
Wow. That cleaned up soooo much. Thank you so much. Here is my new HijackThis log. I do see some files on there that haven't been deleted, simply b/c while I was in Safe Mode I didn't see them listed, therefore could not fix them in HijackThis.

I also saw some other files that looked as though they could be problem files... but [bleep], what do I know. heh

Thanks again. If there is anything else that must be done just let me know! :tazz:

Logfile of HijackThis v1.99.1
Scan saved at 1:47:20 PM, on 08/03/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\cleanup programs\security suite\ewidoctrl.exe
C:\cleanup programs\security suite\ewidoguard.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SKDAEMON.EXE
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\WINDOWS\System32\SKSMAILD.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
F:\WordPerfect Office 2000\programs\dad9.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT-log\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pabjar.exe reg_run
O4 - HKLM\..\Run: [huksvz] c:\windows\system32\erklurs.exe r
O4 - HKCU\..\Run: [K05nRVa4Q] mqlmm.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - HKCU\..\Run: [wkkz] C:\PROGRA~1\COMMON~1\wkkz\wkkzm.exe
O4 - Startup: Desktop Application Director 9.LNK = WordPerfect Office 2000\programs\dad9.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.norun
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NLFISHCO.COM
O17 - HKLM\Software\..\Telephony: DomainName = NLFISHCO.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = NLFISHCO.COM
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\cleanup programs\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\cleanup programs\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

#11 emocoregirl (Topic Starter, 26 posts)
Actually... this file is what I'm really worried about. Can I delete it? It is the Aurora file, "abpqyrweoa". It has a white ball with an orange line and a blue one that crosses underneath it.

#12 emocoregirl (Topic Starter, 26 posts)
Hmm... Can I run HijackThis and fix the problems that are still there with the computer running in Normal Mode instead of Safe Mode, so that I can get rid of mqlmm.exe as well as any others that are still in the system?

#13 tampabelle (Retired Staff, 6,363 posts)
Hi emocoregirl,

I was away for a couple of days. Can you post a fresh HJT log? We will then clean up the rest of the stuff! I don't think it will take too much time :tazz:

#14 emocoregirl (Topic Starter, 26 posts)
Hi!

Not a problem. I wish I was away for a few days! heh

Here's my new log:

Logfile of HijackThis v1.99.1
Scan saved at 9:48:50 AM, on 08/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\NavNT\defwatch.exe
C:\cleanup programs\security suite\ewidoctrl.exe
C:\cleanup programs\security suite\ewidoguard.exe
C:\Program Files\NavNT\rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SKDAEMON.EXE
C:\WINDOWS\system32\ICO.EXE
C:\WINDOWS\System32\igfxtray.exe
C:\WINDOWS\system32\Pelmiced.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\System32\SKSMAILD.EXE
F:\WordPerfect Office 2000\programs\dad9.exe
C:\Program Files\Microsoft Office\Office\1033\msoffice.exe
C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT-log\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O4 - HKLM\..\Run: [Hot Key Kbd Daemon] SKDAEMON.EXE
O4 - HKLM\..\Run: [Mouse Suite 98 Daemon] ICO.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [winsync] C:\WINDOWS\system32\pabjar.exe reg_run
O4 - HKLM\..\Run: [huksvz] c:\windows\system32\erklurs.exe r
O4 - HKCU\..\Run: [K05nRVa4Q] mqlmm.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - HKCU\..\Run: [wkkz] C:\PROGRA~1\COMMON~1\wkkz\wkkzm.exe
O4 - Startup: Desktop Application Director 9.LNK = WordPerfect Office 2000\programs\dad9.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Service Manager.norun
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = NLFISHCO.COM
O17 - HKLM\Software\..\Telephony: DomainName = NLFISHCO.COM
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = NLFISHCO.COM
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\cleanup programs\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\cleanup programs\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe

#15 tampabelle (Retired Staff, 6,363 posts)
Please print out these instructions or copy them into a text file on your Desktop for easy access.

During the fix, you will be asked to fix some entries, delete some files or uninstall some programs. If you do not see those entries / files / programs, please make a note of it. Continue with the fix and in your next post please inform me of all deviations from the fix prescribed.

1. Download Programs

Please download these programs and save them in a new folder on your desktop -

Download DSRFIX from HERE onto your Desktop.
  • Unzip and EXTRACT the files to your Desktop.
  • The program creates and names the new folder to house the files.
  • DO NOT RUN IT YET
Process Explorer
Download the appropriate version of Process Explorer. Unzip the contents of the zip file and save them on your desktop.


2. Remove Infections

  • Open the folder dsrfix
  • Double click on the dsrfix batch file( the one with the little gear in it )
  • Once dsrfix has completed it will close on its own
Run Process Explorer (procexp.exe) and find the following process in the list of Processes:

erklurs.exe

Select the process and click Process > Suspend.

Leave Process Explorer running with the process suspended the whole time! Do NOT close it - even when your system is rebooting!

Then run HijackThis. Click Config > Misc Tools > Delete a file on reboot...
In the explorer Window select the file c:\windows\system32\erklurs.exe
When prompted if you want to reboot click YES

Restart the PC in Safe Mode (repeatedly tap the F8 key when the PC is starting up).

Run CleanUp and delete all temp files including temporary internet files

3. Run Hijack This

Run Hijack This and click on scan. The following items need to be fixed -

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = http://searchmiracle.com/sp.php
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = about:blank
O2 - BHO: Band Class - {00F1D395-4744-40f0-A611-980F61AE2C59} - C:\WINDOWS\dsr.dll (file missing)
O4 - HKLM\..\Run: [huksvz] c:\windows\system32\erklurs.exe r
O4 - HKCU\..\Run: [K05nRVa4Q] mqlmm.exe
O4 - HKCU\..\Run: [CAS Client] "C:\Program Files\Cas\Client\casclient.exe"
O4 - HKCU\..\Run: [CMAPP] "C:\Program Files\CMAPP\Client\cmappclient.exe"
O4 - HKCU\..\Run: [wkkz] C:\PROGRA~1\COMMON~1\wkkz\wkkzm.exe


Close all windows other than Hijack This. Check the boxes next to above items and click on Fix checked.

4. Delete Rogue files

Open Windows Explorer (right click on Start and then click on explore). Locate and delete the following folders and files -

Folders
C:\Program Files\Cas
C:\Program Files\CMAPP
C:\Program Files\Common Files\wkkz

Files
mqlmm.exe
(Search for this file using the Windows Search function)


Clear out the files in the Prefetch folder. Go to Start > Run > type into the box Prefetch and delete all the files in that folder. Don't delete the folder, only the files in it!


Reboot the PC in Normal Mode.


Run Hijack This and post a fresh HJT log.
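An added example (not from this thread, HijackThis or any tool named here): a Python triage script for logs in the format posted above. It parses O4 Run and F2 Shell= lines, flags entries with the traits the fix lists in posts #9 and #15 target (a bare filename such as mqlmm.exe that is found by PATH search, a program launched from a Temp directory, a random-looking value name, a Shell= line with a loader such as Nail.exe appended) and reports which flagged entries of an earlier log survive unchanged into a later one. The sample logs are constructed from lines quoted in this thread, and the name heuristic is an assumption for illustration, not a verdict on any entry.

```python
import re
from dataclasses import dataclass

# Constructed sample logs, built from O4/F2 lines quoted in this thread.
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [53mh39W] msesdpia.exe
O4 - HKLM\..\Run: [Sysnet] C:\DOCUME~1\JILL~1.NLF\LOCALS~1\Temp\sysnet.exe
O4 - HKLM\..\Run: [pznhgti] c:\windows\system32\wadgqum.exe r
O4 - HKCU\..\Run: [K05nRVa4Q] mqlmm.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
"""
AFTER_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [huksvz] c:\windows\system32\erklurs.exe r
O4 - HKCU\..\Run: [K05nRVa4Q] mqlmm.exe
"""

@dataclass(frozen=True)
class Entry:
    section: str  # "O4" (Run key) or "F2" (system.ini Shell=)
    key: str      # Run value name, or "Shell"
    value: str    # command line exactly as HijackThis logged it

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.+)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(.+)$")
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|cpl|bat|cmd|com))(?=\s|$)", re.IGNORECASE)
TEMP_DIRS = ("\\temp\\", "\\temporary internet files\\")

def parse_hjt(text):
    """Pull O4 Run entries and the F2 Shell= line out of a HijackThis log."""
    entries = []
    for line in text.splitlines():
        if m := O4_RE.match(line.strip()):
            entries.append(Entry("O4", m.group(2), m.group(3).strip()))
        elif m := F2_RE.match(line.strip()):
            entries.append(Entry("F2", "Shell", m.group(1).strip()))
    return entries

def program_path(value):
    """Executable part of a Run value: the quoted path, else the text up to the first .exe/.dll-like token."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    m = EXE_RE.match(value)
    return m.group(1) if m else value.split()[0]

def looks_random(name):
    """Heuristic (an assumption, not a verdict): digits mixed into letters, or six consonants in a row."""
    if re.search(r"[a-z]\d|\d[a-z]", name, re.IGNORECASE):
        return True
    return re.search(r"[bcdfghjklmnpqrstvwxz]{6,}", name, re.IGNORECASE) is not None

def reasons(entry):
    """Why an entry deserves a second look; an empty list means nothing stood out."""
    out = []
    if entry.section == "F2":
        if entry.value.lower() != "explorer.exe":
            out.append("Shell= is not exactly Explorer.exe: an extra loader starts with the desktop")
        return out
    path = program_path(entry.value)
    if "\\" not in path:
        out.append("bare filename, found by PATH search rather than at a fixed location")
    if any(d in path.lower() for d in TEMP_DIRS):
        out.append("runs from a temporary-files directory")
    if looks_random(entry.key):
        out.append("random-looking value name")
    return out

def triage(text):
    """Map each flagged entry of a log to its list of reasons."""
    return {entry: why for entry in parse_hjt(text) if (why := reasons(entry))}

def persisting(before_text, after_text):
    """Flagged entries of the earlier log that are still present, unchanged, in the later one."""
    after = set(parse_hjt(after_text))
    return [entry for entry in triage(before_text) if entry in after]
```

Call triage(BEFORE_LOG) or persisting(BEFORE_LOG, AFTER_LOG) on the samples, or pass the text of a saved HijackThis log; with the samples, the only flagged entry that survives the first fix is the bare mqlmm.exe Run value.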