
Persistent virus/hijacker [RESOLVED]


  • This topic is locked

#31
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Steve,

I may have a better option for you -

Let's do a repair install of Windows.

The advantage of a repair install is that it preserves all the installed programs and the data files in all user profiles. So you don't need to copy them / back them up!!!! The only issue is that you need to get all the patches from Microsoft after the repair install.


Please visit this page - http://www.windowsreinstall.com.

Scroll down right to the bottom of the page. You need to choose the appropriate Windows version - XP Home or XP Pro!!!

Please read the instructions on Repair install very carefully. Make a note of them if possible.

Do the repair install.

Once the repair install is done, immediately go to Windows security and critical updates and install Service Pack 1a. Don't install Service Pack 2 yet. In case you have any remnants of any infection, then SP2 can create lots of problems for you.

Post back a fresh HJT log. If everything is fine then we can set up your PC then.
  • 0



#32
MrSpkr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
Okay -- am posting from work.

Repair installation went well last night. Wireless internet is not responding at all, so I guess I need to reinstall that software and get my connection again. Will try to do that tonight, get SP1a, and post an HJT log.

steve
  • 0

#33
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Sure, no problem
  • 0

#34
MrSpkr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
Okay, I have manually plugged back into my wireless router. For some reason, I cannot get my laptop to detect the wireless internet network.

My wife's computer is not having any problems connecting to the internet wirelessly, so I know the problem is in my laptop.

Sigh.

Here is the HijackThis! Log:


Logfile of HijackThis v1.99.1
Scan saved at 3:24:23 PM, on 9/11/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\NORTON~2\navapw32.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\slserv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Stephen Hines\Desktop\Security Stuff\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dallasnews.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~2\navapw32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: CorelCENTRAL 10.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - https://a248.e.akama...qt/qtplugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1124323643390
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {A82C3A33-5C0E-466C-B020-71585433A7E4} (PhxStudent.OeSetup15) - https://mycampus.pho...hxStudent15.CAB
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPxySvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Internet Security Accounts Manager (NISUM) - Symantec Corporation - C:\Program Files\Norton Internet Security\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: SmartLinkService (SLService) -   - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


I have turned off Symantec's firewall; when I click on the Windows Firewall in the control panel, I get a message stating that Windows Firewall cannot be displayed due to an unknown problem.

I tried doing the Microsoft Wireless Network Setup Wizard and got this message:

Error in C:\WINDOWS\system32\wzcdlg.dll
Missing entry :FlashConfigCreateNetwork


I've tried reinstalling my wireless network drivers, but to no avail.

Thanks in advance for your assistance. Have you any advice for my wireless connection problems?

Steve

Edited by MrSpkr, 11 September 2005 - 02:44 PM.

  • 0

#35
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Hi Steve,

Why don't you post a topic in our Networking sub-forum??

One of our experts in that section should be able to advise you on how to best proceed!!!
  • 0

#36
MrSpkr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
I asked my techno-geek neighbor to help me with the networking today. As of now, the wireless is up and running (we ended up resetting the wireless router and starting over from scratch).

Now, I am not seeing the boot-up error messages I used to see. I have just logged in tonight, so I don't know whether I will get the memory issues again. The only thing I am noticing is that it is taking a significantly longer time to boot up and log in to windows.

Did my HijackThis! log have anything of interest?
  • 0

#37
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Let's get the registry cleaned up a little.



Please download WebRoot SpySweeper from here:
http://www.webroot.c...6d6f87b866d2848
(It's a 2 week trial)

Click the "Free Trial" link on the right - next to "SpySweeper for Home Computers".
On the next page, click the "Free Trial" button.
Download it and install it.
When you open the program, it will prompt you to update to the latest definitions.
Please do so, then click "Sweep Now"
Then click the "Start" button.
When it's done scanning, click the "Next" button.
Remove everything it finds, then save the log - copy the log and paste it here for me.
  • 0

#38
MrSpkr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts

********
8:10 PM: |···  Start of Session, Monday, September 12, 2005  ···|
8:10 PM: Spy Sweeper started
8:10 PM: Sweep initiated using definitions version 532
8:10 PM: Starting Memory Sweep
8:12 PM: Memory Sweep Complete, Elapsed Time: 00:01:46
8:12 PM: Starting Registry Sweep
8:12 PM:  Found Adware: dealhelper
8:12 PM:  HKLM\software\microsoft\windows\currentversion\uninstall\windh\  (3 subtraces) (ID = 124816)
8:12 PM: Registry Sweep Complete, Elapsed Time:00:00:06
8:12 PM: Starting Cookie Sweep
8:12 PM:  Found Spy Cookie: 2o7.net cookie
8:12 PM:  stephen hines@2o7[2].txt (ID = 1957)
8:12 PM:  Found Spy Cookie: belointeractive cookie
8:12 PM:  stephen hines@ads.belointeractive[1].txt (ID = 2295)
8:12 PM:  Found Spy Cookie: atwola cookie
8:12 PM:  stephen hines@atwola[1].txt (ID = 2255)
8:12 PM:  Found Spy Cookie: bannerspace cookie
8:12 PM:  stephen hines@bannerspace[1].txt (ID = 2284)
8:12 PM:  stephen hines@belointeractive[2].txt (ID = 2294)
8:12 PM:  Found Spy Cookie: gostats cookie
8:12 PM:  stephen hines@c3.gostats[2].txt (ID = 2748)
8:12 PM:  stephen hines@cnn.122.2o7[2].txt (ID = 1958)
8:12 PM:  Found Spy Cookie: go.com cookie
8:12 PM:  stephen hines@espn.go[1].txt (ID = 2729)
8:12 PM:  stephen hines@gostats[2].txt (ID = 2747)
8:12 PM:  stephen hines@go[1].txt (ID = 2728)
8:12 PM:  stephen hines@sports.espn.go[1].txt (ID = 2729)
8:12 PM:  stephen hines@te.belointeractive[2].txt (ID = 2295)
8:12 PM:  Found Spy Cookie: 123count cookie
8:12 PM:  stephen hines@www.123count[1].txt (ID = 1928)
8:12 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
8:12 PM: Starting File Sweep
8:13 PM:  dun.exe (ID = 125700)
8:13 PM:  oqziack.xml (ID = 57646)
8:13 PM:  newoqziacu.xml (ID = 134362)
8:14 PM:  newoqziacu1.xml (ID = 134360)
8:14 PM:  newoqziacu2.xml (ID = 134361)
8:14 PM:  oqziac.exe (ID = 131871)
8:14 PM:  oqziack1.xml (ID = 57647)
8:14 PM:  oqziacu1.xml (ID = 57650)
8:14 PM:  newoqziack1.xml (ID = 134357)
8:14 PM:  Warning: Failed to read file "c:\documents and settings\stephen hines\local settings\temp\perflib_perfdata_2e0.dat". System Error.  Code: 32.
The process cannot access the file because it is being used by another process
8:14 PM:  newoqziack2.xml (ID = 134358)
8:14 PM:  oqziacu2.xml (ID = 57651)
8:14 PM:  oqziack2.xml (ID = 57648)
8:15 PM:  oqziacu.xml (ID = 57649)
8:15 PM:  oqziacdk.xml (ID = 57645)
8:15 PM: File Sweep Complete, Elapsed Time: 00:03:30
8:15 PM: Full Sweep has completed.  Elapsed time 00:05:28
8:15 PM: Traces Found: 31
8:17 PM: Removal process initiated
8:17 PM:  Quarantining All Traces: dealhelper
8:18 PM:  Quarantining All Traces: 2o7.net cookie
8:18 PM:  Quarantining All Traces: belointeractive cookie
8:18 PM:  Quarantining All Traces: atwola cookie
8:18 PM:  Quarantining All Traces: bannerspace cookie
8:18 PM:  Quarantining All Traces: gostats cookie
8:18 PM:  Quarantining All Traces: go.com cookie
8:18 PM:  Quarantining All Traces: 123count cookie
8:18 PM: Removal process completed.  Elapsed time 00:00:07
********
8:09 PM: |···  Start of Session, Monday, September 12, 2005  ···|
8:09 PM: Spy Sweeper started
8:09 PM: Messenger service has been disabled.
8:10 PM: Processing Hosts File Alerts
8:10 PM:  Allowed Hosts File entry: NPI960524
8:10 PM: |···  End of Session, Monday, September 12, 2005  ···|


Here you go.

Steve
  • 0

#39
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Second step in cleaning the registry -

*Please download: RegSeeker.
*Click on "Clean The Registry" in the left panel.
*Check all boxes (make sure the backup box in the lower left corner is selected!).
*After it runs, click "Select All" on the bottom, then right-click on any selected item in the window and select "Delete Selected Items".
*Click "Quit RegSeeker".

Now, open any of your installed programs, and make sure that everything opens ok. If so, reboot, then go back and run the RegSeeker again, do the same thing again if anything is found. It may have to be run several times, but you want it finding none to very few items. *Make sure to reboot between each use of the program.
  • 0

#40
MrSpkr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
In the process of doing this -- Norton just detected a virus -- Backdoor.Graybird. Norton has isolated it.

Still doing regseeker.

Steve
  • 0



#41
MrSpkr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
Okay -- was up til one doing this and virus scans.

Here is the odd thing on the virus scans -- Norton would detect the virus and deny access to it during boot-up (which is still taking an inordinately long time), but could not locate it during a subsequent full system scan.

PandaScan couldn't find it on a full system scan, either.

I did some reading about the Backdoor.Graybird virus -- here is Symantec's entry:

<quote>Backdoor.Graybird is a back door Trojan Horse that gives its creator unauthorized access to your computer. The existence of the file, Svch0st.exe, is an indication of a possible infection. Backdoor.Graybird is a Delphi application.

Also Known As: Backdoor.GrayBird [KAV], BackDoor-ARR [McAfee]

Type: Trojan Horse
Infection Length: 386,236 bytes

Systems Affected: Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows XP
_________________

Damage

Payload:
Modifies files: Modifies the registry
Releases confidential info: Intercepts confidential information by hooking keystrokes
Compromises security settings: Allows unauthorized access to your computer

When Backdoor.Graybird runs, it performs the following actions:

Copies itself as one of the following filenames:

%System%\Svch0st.exe
%System%\Winlogon.exe
%System%\Explorer.exe
%System%\ravmond.exe


NOTE: %System% is a variable. The Trojan locates the System folder and copies itself to that location. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

Creates one of the following values, or a similar value, depending on the variant:

"svchost" = "%System%\Svch0st.exe"
"winlogon" = "%System%\Winlogon.exe"
"system" = "%System%\Explorer.exe"
"ravmond" = "%System%\Explorer.exe"


in the registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

so that the Trojan runs when you start Windows.

If the operating system is Windows NT/2000/XP, the Trojan also creates the value:

"run" = "%system%\svch0st.EXE"
"run" = "%system%\ravmond.exe"

in the registry key:

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows

If the operating system is Windows 95/98/Me, the Trojan adds the line to the [windows] section of the Win.ini file:

run = C:\WINDOWS\SYSTEM\SVCH0ST.EXE

so that the Trojan runs when you start Windows.

Attempts to access the password cache stored on your computer. The cached passwords include, amongst others, the modem and dialup passwords, URL passwords, and share passwords.

Intercepts keystrokes allowing Backdoor.Graybird to steal confidential information.

Once Backdoor.Graybird is installed, it waits for the commands from the remote client.

These commands allow the Trojan's creator to perform any of the following actions:

Deliver system and network information to the Trojan's creator, including the login names and cached network passwords.
Install an FTP server, allowing the hacker to use the compromised computer as a temporary storage device.
Open or close the CD-ROM drive and perform other annoying actions.
Download and execute files.


I have not tried to manually remove the virus yet. I suspect Norton AV is already tainted and that I may have to uninstall/reinstall to fix it.

The very odd thing is that, until I ran RegSeeker, Norton missed this file entirely.

As to RegSeeker -- I will try to finish that tonight. My list went from 200 processes the first time, then to 100; then to 60; then to 6, then to 11.

Then it was one AM. :tazz:

Steve
  • 0
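The autorun value names and file names in the Symantec entry quoted in #41 can be checked mechanically against a HijackThis log such as the one in #34. This is an added example, not part of the thread: the function names are hypothetical, `CLEAN_LOG` is an excerpt of the log from #34, and `INFECTED_LOG` is a constructed sample.

```python
import ntpath
import re

# Indicators copied from the Symantec entry quoted in the post above.
RUN_VALUE_NAMES = {"svchost", "winlogon", "system", "ravmond"}
DROPPED_NAMES = {"svch0st.exe", "winlogon.exe", "explorer.exe", "ravmond.exe"}
O4_RE = re.compile(r"^O4 - (HK(?:LM|CU)\\\.\.\\Run\w*): \[(.+?)\] (.+)$")
EXE_RE = re.compile(r'"?(.+?\.exe)', re.IGNORECASE)


def run_entries(log_text):
    """Return (key, value_name, executable) for each O4 registry autorun line."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            exe = EXE_RE.match(m.group(3))
            entries.append((m.group(1), m.group(2), exe.group(1) if exe else m.group(3)))
    return entries


def running_processes(log_text):
    """Return the paths listed under 'Running processes:' up to the next blank line."""
    procs = []
    for line in log_text.partition("Running processes:")[2].splitlines()[1:]:
        if not line.strip():
            break
        procs.append(line.strip())
    return procs


def graybird_findings(log_text):
    """Flag autoruns and processes matching the names in the Symantec description."""
    findings = []
    for key, name, exe in run_entries(log_text):
        if name.lower() in RUN_VALUE_NAMES or ntpath.basename(exe).lower() in DROPPED_NAMES:
            findings.append(("autorun", f"{key} [{name}] -> {exe}"))
    for path in running_processes(log_text):
        folder, base = ntpath.split(path.lower())
        # winlogon.exe normally runs from System32, so its path alone proves nothing;
        # the other names in a System folder match the drop locations Symantec lists.
        if base in DROPPED_NAMES - {"winlogon.exe"} and folder.endswith(("\\system32", "\\system")):
            findings.append(("process", path))
    return findings


# Excerpt of the HijackThis log posted earlier in the thread.
CLEAN_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE

O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""

# Constructed sample: what the same log would look like with the Svch0st.exe variant.
INFECTED_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\Svch0st.exe

O4 - HKLM\..\Run: [svchost] C:\WINDOWS\System32\Svch0st.exe
O4 - HKCU\..\Run: [system] C:\WINDOWS\System32\Explorer.exe
"""
```

An empty result only rules out the exact names listed; the Symantec entry itself says the value may be "a similar value, depending on the variant".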

#42
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Please download RootKitRevealer from here:
http://www.sysintern...kitrevealer.zip
Unzip it to the desktop, run it, and click Scan. This will generate a log file; please post the entire contents of the log file here for me to see.
  • 0

#43
MrSpkr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts
Here you go.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesProcessed 9/17/2005 1:49 AM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\TracesSuccessful 9/17/2005 1:49 AM 4 bytes Data mismatch between Windows API and raw hive data.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher\LastTraceFailure 9/17/2005 1:49 AM 4 bytes Data mismatch between Windows API and raw hive data.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 9/17/2005 1:52 AM 64.00 KB Visible in Windows API, but not in MFT or directory index.



Got the same virus message on a reboot, but not initial boot. Still getting a few things on RegSeeker, too.

Steve
  • 0

#44
tampabelle

    Member 5k

  • Retired Staff
  • 6,363 posts
Update your Norton anti-virus product.


Boot in Safe Mode.

Run a full system scan with Norton AV.

Save the scan report.


Reboot the PC in Normal Mode.

Post back the scan report. Norton should have fixed the file / virus in Safe Mode. Let's see.
  • 0

#45
MrSpkr

    Member

  • Topic Starter
  • Member
  • PipPip
  • 62 posts

Date: 9/15/2005, Time: 23:50:56, Stephen Hines on HINES-LAPTOP
Virus scanning completed.
Master boot records:
Scanned:  0
Infected:  0
Repaired:  0
Boot records:
Scanned:  0
Infected:  0
Repaired:  0
Files:
Scanned:  1
Infected:  0
Repaired:  0
Quar'ed:  0
Deleted:  0

Date: 9/15/2005, Time: 23:50:58, Stephen Hines on HINES-LAPTOP
Virus scan started.

Date: 9/15/2005, Time: 23:50:58, Stephen Hines on HINES-LAPTOP
Virus scanning completed.
Master boot records:
Scanned:  0
Infected:  0
Repaired:  0
Boot records:
Scanned:  0
Infected:  0
Repaired:  0
Files:
Scanned:  1
Infected:  0
Repaired:  0
Quar'ed:  0
Deleted:  0

Date: 9/16/2005, Time: 0:00:42, SYSTEM on HINES-LAPTOP
The file
C:\WINDOWS\TEMP\mc22.tmp
is infected with the Backdoor.Graybird virus.
Access to the file was denied.



Date: 9/16/2005, Time: 0:07:06, Stephen Hines on HINES-LAPTOP
Virus scan started.

Date: 9/16/2005, Time: 0:26:52, Stephen Hines on HINES-LAPTOP
Virus scan canceled.

Date: 9/16/2005, Time: 0:29:42, Stephen Hines on HINES-LAPTOP
Virus scan started.

Date: 9/16/2005, Time: 0:29:42, Stephen Hines on HINES-LAPTOP
Virus scanning completed.
Master boot records:
Scanned:  0
Infected:  0
Repaired:  0
Boot records:
Scanned:  0
Infected:  0
Repaired:  0
Files:
Scanned:  6
Infected:  0
Repaired:  0
Quar'ed:  0
Deleted:  0

Date: 9/16/2005, Time: 0:56:08, Stephen Hines on HINES-LAPTOP
Virus scan started.

Date: 9/16/2005, Time: 0:56:08, Stephen Hines on HINES-LAPTOP
Virus scanning completed.
Master boot records:
Scanned:  0
Infected:  0
Repaired:  0
Boot records:
Scanned:  0
Infected:  0
Repaired:  0
Files:
Scanned:  1
Infected:  0
Repaired:  0
Quar'ed:  0
Deleted:  0

Date: 9/16/2005, Time: 1:11:08, SYSTEM on HINES-LAPTOP
The file
C:\WINDOWS\TEMP\mc22.tmp
is infected with the Backdoor.Graybird virus.
Access to the file was denied.


Date: 9/17/2005, Time: 1:52:44, SYSTEM on HINES-LAPTOP
The file
C:\WINDOWS\TEMP\mc21.tmp
is infected with the Backdoor.Graybird virus.
Access to the file was denied.


Date: 9/17/2005, Time: 14:43:10, SYSTEM on HINES-LAPTOP
The file
C:\WINDOWS\TEMP\mc22.tmp
is infected with the Backdoor.Graybird virus.
Access to the file was denied.


Date: 9/17/2005, Time: 15:26:10, Stephen Hines on HINES-LAPTOP
Virus scan started.

Date: 9/17/2005, Time: 18:55:50, Stephen Hines on HINES-LAPTOP
Virus scanning completed.
Master boot records:
Scanned:  1
Infected:  0
Repaired:  0
Boot records:
Scanned:  3
Infected:  0
Repaired:  0
Files:
Scanned:  113417
Infected:  0
Repaired:  0
Quar'ed:  0
Deleted:  0



It doesn't look to me like it removed anything. What next?

Steve

Edited by MrSpkr, 17 September 2005 - 09:29 PM.

  • 0
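The pattern in the log above, on-access detections by SYSTEM followed by an on-demand scan reporting nothing infected, can be pulled out of the Norton activity log programmatically. This is an added example, not part of the thread: the function names are hypothetical, and the sample is abridged from the log posted in #45.

```python
import re
from datetime import datetime

HEADER_RE = re.compile(r"^Date: (\d+/\d+/\d+), Time: (\d+:\d+:\d+), (.+) on (\S+)$")


def parse_records(log_text):
    """Group log lines into records, each opened by a 'Date: ..., Time: ...' line."""
    records = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = HEADER_RE.match(line)
        if m:
            when = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%m/%d/%Y %H:%M:%S")
            records.append({"when": when, "user": m.group(3), "body": []})
        elif line and records:
            records[-1]["body"].append(line)
    return records


def on_access_hits(records):
    """Records of the form: The file / <path> / is infected with the <name> virus."""
    hits = []
    for rec in records:
        body = rec["body"]
        if len(body) >= 3 and body[0] == "The file":
            m = re.match(r"is infected with the (.+) virus\.", body[2])
            if m:
                hits.append((rec["when"], rec["user"], body[1], m.group(1)))
    return hits


def completed_scans(records):
    """Completed scans as (when, user, files_scanned, files_infected)."""
    scans = []
    for rec in records:
        body = rec["body"]
        if body and body[0] == "Virus scanning completed." and "Files:" in body:
            tail = body[body.index("Files:") + 1:]
            counts = dict(re.split(r":\s*", item, maxsplit=1) for item in tail)
            scans.append((rec["when"], rec["user"], int(counts["Scanned"]), int(counts["Infected"])))
    return scans


def hits_missed_by_later_scan(log_text):
    """Paths flagged on access that a later completed scan did not report as infected."""
    recs = parse_records(log_text)
    scans = completed_scans(recs)
    return sorted({path for when, _user, path, _name in on_access_hits(recs)
                   if any(done > when and infected == 0
                          for done, _u, _scanned, infected in scans)})


# Abridged from the log posted above (MBR and boot-record counts omitted).
SAMPLE_LOG = r"""
Date: 9/17/2005, Time: 1:52:44, SYSTEM on HINES-LAPTOP
The file
C:\WINDOWS\TEMP\mc21.tmp
is infected with the Backdoor.Graybird virus.
Access to the file was denied.
Date: 9/17/2005, Time: 14:43:10, SYSTEM on HINES-LAPTOP
The file
C:\WINDOWS\TEMP\mc22.tmp
is infected with the Backdoor.Graybird virus.
Access to the file was denied.
Date: 9/17/2005, Time: 18:55:50, Stephen Hines on HINES-LAPTOP
Virus scanning completed.
Files:
Scanned:  113417
Infected:  0
"""
```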





