Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

winfixer 2005 [RESOLVED]

Started by hasgtg805 , Aug 21 2005 10:33 PM

This topic is locked

#1
hasgtg805

Posted 21 August 2005 - 10:33 PM

Member

Member
14 posts

Hello GTG,

I am also having the problem of the winfixer 2005 installer at start up. I have done all the recommended steps in the malware forum including windows update and HJT, but still seeing the winfixer installer. See my HJT log below.
Please provide some help for a system novice!

Thanks

Logfile of HijackThis v1.99.1
Scan saved at 11:04:33 PM, on 8/21/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
C:\Defenders\Ewido LogFiles\security suite\ewidoctrl.exe
C:\Defenders\Ewido LogFiles\security suite\ewidoguard.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINNT\system32\svnlitup32.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Documents and Settings\Dell User\Desktop\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: (no name) - {212EFB64-4385-4D28-A4D1-40C6F61196C0} - C:\WINNT\system32\hnbwwwpd.dll (file missing)
O2 - BHO: PBlockadeHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Oemji\Toolbar\PopupBlocker\PBHelper.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IEFriendly Class - {D240DC29-C093-4388-B71F-A7103C796B0C} - C:\Program Files\Oemji\OemjiSearchPlus\OemjiSearchPlus.dll (file missing)
O3 - Toolbar: Oemji - {804DB5C7-31E6-4885-850A-F1941B58A4C7} - C:\Program Files\Oemji\Toolbar\OemjiSearch.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SetupType] Portable
O4 - HKLM\..\Run: [NAV Live Update] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\oocfwm.exe
O4 - HKLM\..\Run: [Windows Explorer] Explorer .exe
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINNT\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\cab\back32.exe C:\WINNT\system32\cab\service.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [Windos Manage] qzfdx.exe
O4 - HKLM\..\Run: [Application] C:\winnt\system32\dhcp\files\hidden32.exe mdll.exe
O4 - HKLM\..\Run: [TempShell] C:\winnt\system32\rmtcfg\files\hiddenrun.exe temp.bat
O4 - HKLM\..\Run: [smss.exe] C:\WINNT\unwise32.exe C:\WINNT\smss.exe
O4 - HKLM\..\Run: [lsass.exe] C:\WINNT\lsass.exe
O4 - HKLM\..\Run: [csrss.exe] C:\WINNT\unwise32.exe C:\WINNT\csrss.exe C:\WINNT\cfxr.dll
O4 - HKLM\..\Run: [4] C:\documents and settings\dell user\local settings\temp\4.exe
O4 - HKLM\..\Run: [F4cwHlDl4] C:\documents and settings\dell user\local settings\temp\F4cwHlDl4.exe
O4 - HKLM\..\Run: [ZB] C:\documents and settings\dell user\local settings\temp\ZB.exe
O4 - HKLM\..\Run: [gqk] C:\documents and settings\dell user\local settings\temp\gqk.exe
O4 - HKLM\..\Run: [LSPzHh9D] C:\documents and settings\dell user\local settings\temp\LSPzHh9D.exe
O4 - HKLM\..\Run: [oeH5] C:\documents and settings\dell user\local settings\temp\oeH5.exe
O4 - HKLM\..\Run: [lameshit] C:\crash.exe
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINNT\Downloaded Program Files\CONFLICT.1\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Defenders\Trojan Hunter\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [svnlitup32] svnlitup32.exe
O4 - HKLM\..\RunServices: [Windos Manage] qzfdx.exe
O4 - HKLM\..\RunServices: [svnlitup32] svnlitup32.exe
O4 - HKCU\..\Run: [svnlitup32] svnlitup32.exe
O4 - HKCU\..\RunServices: [svnlitup32] svnlitup32.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12....es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Defenders\Ewido LogFiles\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Defenders\Ewido LogFiles\security suite\ewidoguard.exe

#2
greyknight17

Posted 22 August 2005 - 09:20 PM

Malware Expert

Visiting Consultant
16,560 posts

Welcome to GTG.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Please download Ewido Security Suite at http://www.ewido.net/en/download/.

1. Install Ewido Security Suite.
2. When installing, under 'Additional Options' uncheck:
* Install background guard
* Install scan via context menu
3. Launch Ewido, there should be an icon on your desktop, double click it.
4. The program will now open to the main screen.
5. When you run Ewido for the first time, you will get a warning 'Database could not be found!'. Click OK. We will fix this in a moment.
6. You will need to update Ewido to the latest definition files.
* On the left hand side of the main screen click update.
* Then click on Start Update.
7. The update will start and a progress bar will show the updates being installed. The status bar at the bottom will display 'Update successful'.
8. Exit Ewido. DO NOT scan yet.

If you are having problems with the updater, you can go to http://www.ewido.net...wnload/updates/ to update manually.

Download Nailfix Utility at http://www.noidea.us...050711214630636 Save it to your desktop. Do NOT run it yet.

Download dsrfix.zip http://www.atribune....oads/dsrfix.zip and save it to your desktop. Unzip the dsrfix.zip contents to your desktop. This will create a new folder on your desktop named dsrfix. Do NOT open that folder yet.

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

Once in Safe Mode, double click on nailfix.exe.
Click 'Next' in the setup, then make sure 'Run Nailfix' is checked and click 'Finish'.
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Now open Ewido and do a scan on your system.

* Click on scanner
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with Ewido it is finding cases of false positives.
o You will need to step through the process of cleaning files one-by-one.
o If Ewido detects a file you KNOW to be legitimate, select none as the action.
o Do NOT select 'Perform action on all infections'
o If you are unsure of any entry found, select none for now as the action.
* Once the scan has completed, there will be a button located on the bottom of the screen named Save report
* Click Save report.
* Save the report .txt file to your desktop or a location where you can find it easily.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O2 - BHO: (no name) - {212EFB64-4385-4D28-A4D1-40C6F61196C0} - C:\WINNT\system32\hnbwwwpd.dll (file missing)
O2 - BHO: PBlockadeHelper Class - {4115122B-85FF-4DD3-9515-F075BEDE5EB5} - C:\Program Files\Oemji\Toolbar\PopupBlocker\PBHelper.dll (file missing)
O2 - BHO: IEFriendly Class - {D240DC29-C093-4388-B71F-A7103C796B0C} - C:\Program Files\Oemji\OemjiSearchPlus\OemjiSearchPlus.dll (file missing)
O3 - Toolbar: Oemji - {804DB5C7-31E6-4885-850A-F1941B58A4C7} - C:\Program Files\Oemji\Toolbar\OemjiSearch.dll (file missing)
O4 - HKLM\..\Run: [SetupType] Portable
O4 - HKLM\..\Run: [NAV Live Update] C:\Documents and Settings\All Users\Start Menu\Programs\Startup\oocfwm.exe
O4 - HKLM\..\Run: [Windows Explorer] Explorer .exe
O4 - HKLM\..\Run: [Services] C:\WINNT\system32\cab\back32.exe C:\WINNT\system32\cab\service.exe
O4 - HKLM\..\Run: [Windos Manage] qzfdx.exe
O4 - HKLM\..\Run: [Application] C:\winnt\system32\dhcp\files\hidden32.exe mdll.exe
O4 - HKLM\..\Run: [TempShell] C:\winnt\system32\rmtcfg\files\hiddenrun.exe temp.bat
O4 - HKLM\..\Run: [smss.exe] C:\WINNT\unwise32.exe C:\WINNT\smss.exe
O4 - HKLM\..\Run: [lsass.exe] C:\WINNT\lsass.exe
O4 - HKLM\..\Run: [csrss.exe] C:\WINNT\unwise32.exe C:\WINNT\csrss.exe C:\WINNT\cfxr.dll
O4 - HKLM\..\Run: [4] C:\documents and settings\dell user\local settings\temp\4.exe
O4 - HKLM\..\Run: [F4cwHlDl4] C:\documents and settings\dell user\local settings\temp\F4cwHlDl4.exe
O4 - HKLM\..\Run: [ZB] C:\documents and settings\dell user\local settings\temp\ZB.exe
O4 - HKLM\..\Run: [gqk] C:\documents and settings\dell user\local settings\temp\gqk.exe
O4 - HKLM\..\Run: [LSPzHh9D] C:\documents and settings\dell user\local settings\temp\LSPzHh9D.exe
O4 - HKLM\..\Run: [oeH5] C:\documents and settings\dell user\local settings\temp\oeH5.exe
O4 - HKLM\..\Run: [lameshit] C:\crash.exe
O4 - HKLM\..\Run: [SpySpotter] C:\PROGRA~1\SPYSPO~1\SpySpotter.exe
O4 - HKLM\..\Run: [NI.UWFX5LP_0001_0614] "C:\WINNT\Downloaded Program Files\CONFLICT.1\UWFX5LP_0001_0614NetInstaller.exe"
O4 - HKLM\..\Run: [svnlitup32] svnlitup32.exe
O4 - HKLM\..\RunServices: [Windos Manage] qzfdx.exe
O4 - HKLM\..\RunServices: [svnlitup32] svnlitup32.exe
O4 - HKCU\..\Run: [svnlitup32] svnlitup32.exe
O4 - HKCU\..\RunServices: [svnlitup32] svnlitup32.exe

Now open the folder dsrfix on your desktop.
* Double click on dsrfix.bat
* A window will pop up briefly then close, this is normal.

Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say no:

C:\WINNT\system32\svnlitup32.exe
C:\WINNT\system32\hnbwwwpd.dll
C:\crash.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\oocfwm.exe
C:\WINNT\lsass.exe
C:\WINNT\system32\cab\back32.exe
C:\WINNT\system32\cab\service.exe
C:\winnt\system32\dhcp\files\hidden32.exe
C:\winnt\system32\rmtcfg\files\hiddenrun.exe
C:\WINNT\csrss.exe
C:\WINNT\cfxr.dll
C:\WINNT\smss.exe

Uninstall SpySpotter via the Add/Remove panel if listed.

Delete these if found:

C:\PROGRA~1\SPYSPO~1\
C:\Program Files\Oemji\
Explorer .exe
mdll.exe
qzfdx.exe
svnlitup32.exe

Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

attrib -r -s -h "C:\WINNT\Downloaded Program Files\CONFLICT.1\"
rmdir /s/q "C:\WINNT\Downloaded Program Files\CONFLICT.1\"
del delete.bat

Save the file as "delete.bat". Make sure to save it with the quotes. Double click on it.

Restart your computer.

Download FindIt's.zip http://forums.net-in...=post&id=142443 to your desktop.

1. Unzip/extract the files to a folder on your desktop.
2. Open the folder. Double click on FindIt's.bat and wait for Notepad to open a text file. It will take a while so please be patient... Note: If you are having problems using FindIt's.bat (16 bit error), copy autoexec.nt from the C:\WINDOWS\repair folder to C:\WINDOWS\system32 folder. Now try running FindIt's.bat.
3. Then post the FindIt's log here along with the logs for HijackThis and Ewido.

#3
hasgtg805

Posted 23 August 2005 - 09:27 PM

Member

Topic Starter
Member
14 posts

greyknight17,

A few questions before I proceed with your instructions.

I had run ewido and cleanup (based on the steps in the Malware Removal must read section) prior to running HJT. See Ewido logs below for before and after I did an Ewido update. Ewido currently resides on my desktop and updates automatically at startup.

Do I proceed with the rest of your instructions of running the scans and fixes.

I have already download the nailfix, dsrfix and killbox and awaiting your response.

Thanks
hasgtg805

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:10:48 PM, 8/21/2005
+ Report-Checksum: 38A50739

+ Scan result:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\SearchRelevancy -> Spyware.SearchRelevancy : Cleaned with backup
HKLM\SOFTWARE\SearchRelevancy\Update -> Spyware.SearchRelevancy : Cleaned with backup
C:\crashy.exe -> TrojanDropper.PurityScan.h : Cleaned with backup
C:\Documents and Settings\Dell User\Cookies\dell user@trafficmp[2].txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Dell User\Cookies\dell user@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\AjbcAP.exe.tcf -> TrojanDownloader.IstBar : Cleaned with backup
C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\Aw7lg.dll -> Adware.MidADle : Cleaned with backup
C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\bb.exe -> Spyware.BargainBuddy.l : Cleaned with backup
C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ei.dll -> Adware.MidADle : Cleaned with backup
C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\fRpa.dll -> Adware.MidADle : Cleaned with backup
C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\HWNbl.dll -> Adware.MidADle : Cleaned with backup
C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\iinstall.exe -> TrojanDownloader.IstBar : Cleaned with backup
C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\jC.dll -> Adware.MidADle : Cleaned with backup
C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\LSPzHh9D.exe -> Adware.MidADle : Cleaned with backup
C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\oeH5.exe -> Adware.MidADle : Cleaned with backup
C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\randreco.exe.tcf -> TrojanDropper.Agent.ch : Cleaned with backup
C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\sahagent.exe.tcf -> Adware.SAHA : Cleaned with backup
C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\sr.exe.tcf -> Spyware.Relevance.b : Cleaned with backup
C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\TRRXIHX.dll -> Adware.MidADle : Cleaned with backup
C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\u5.dll -> Adware.MidADle : Cleaned with backup
C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\whenu.exe.tcf -> Adware.SaveNow : Cleaned with backup
C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\YDc.dll -> Adware.MidADle : Cleaned with backup
C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ZB.exe -> Adware.MidADle : Cleaned with backup
C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\zqoxm.exe/xnsqn.exe -> Backdoor.SdBot : Cleaned with backup
C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\zThcEZciY.dll -> Adware.MidADle : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\0432C721-DB62-40B1-AF72-D80F94.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\06D010D5-2090-4D8C-8213-28F0F6.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\076F9AF6-D7C8-4E1A-8055-AB9C18.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\08F82B0A-F037-4EF5-8649-9A6FD7.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\0A177755-F9A2-4443-B99A-B62447.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\0FD70CC9-3A44-4F97-9244-63D03D.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\10ADEE8E-EF48-42CA-B756-1A6E20.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\125B6848-0BFB-4E5D-913F-A312A5.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\13D307F2-58B3-499D-A409-8C07A4.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\1453433F-4215-46B3-BB4A-555E7E.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\14A68113-5DEF-41F7-8354-BD995B.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\1DF62291-5E9B-4C83-82FF-06F9FE.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\1ECA67FF-4979-4B18-BDE8-B79C8E.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\1FFDADFE-8DC2-41EC-8759-B3E5FF.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\2058758A-9AA5-45F8-998F-99539A.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\21B24F29-DE25-45F1-906F-E99F04.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\23C22FE0-D7E8-4433-87DF-E82045.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\2606ED11-BB48-4012-A871-64575D.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\277F946A-F5B6-42A4-8C1B-A6AFCB.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\2877F4B7-219A-4A6D-9EDE-4D4C11.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\2902283C-D190-49F5-A570-4257A7.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\2A60F096-D35C-4751-B1E3-6F7437.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\2AD04BB0-10CA-41BB-AE6F-4077C5.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\2DE58381-4158-49DE-AC3E-471B4F.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\2F98E0F0-1218-4160-8D11-2DE969.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\30F4B7E5-BF50-4C11-8DB6-63F3B1.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\36C79834-DB7C-48C3-B76E-C715F2.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\39AF9FA4-CEE5-4C52-AAC3-495230.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\3AA0A03E-C8DD-4136-A2FB-FBA305.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\3D233B82-BFD4-49C1-BB57-F59D0E.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\3D38D7BB-C85B-4C62-8C65-60303F.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\3D73D7AB-4108-4918-A90B-24F666.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\3FBA5780-3205-40DD-AED6-6FB847.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\3FC4DD4D-E24F-4B57-B111-B83190.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\405C6B09-5FBA-4D00-B09D-C29333.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\428D7ECD-5189-4D3D-A78A-B6E609.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\43069927-F346-4E4B-BCFE-560AB6.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\44B66079-D401-4688-825C-0D1A28.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\44F35741-5A57-4CB8-B0C0-7609C7.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\458A7244-BFA6-44F2-8D3A-CB0592.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\466EBAC6-87D1-499C-B2DA-5D44F6.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\4B590EC2-50E2-4F0F-9531-8C5183.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\4BE35758-9299-4F63-AE18-2730BC.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\4E68CF0A-59ED-4B54-9725-181F3C.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\4EFEE794-940F-413F-98DB-5C7142.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\4F12889C-3D1C-4441-BBD1-150B3F.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\4F1C6BE9-9D21-437E-BB0C-39B4E7.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\53830AD9-E9DE-4D7C-89C0-F6C178.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\539EC99F-8C3F-4A59-A772-84B26C.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\582D7A41-45CD-43E9-BBCA-4095A3.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\5A9DEFBC-9783-4848-929D-CA7EA4.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\5B4B6CC7-3380-4C42-8571-E0A7BC.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\5B62C58E-AC11-4678-8500-907766.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\5CAF624D-6DDD-4164-83FB-62121E.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\5E4DCC2C-4D23-456D-9641-44F153.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\61488DEF-F9F4-411A-BE6D-68003B.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\6366EEB0-A261-494B-AEFA-1564E8.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\6458EE37-9EBA-4228-AA97-E5AA00.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\65577137-423B-47DB-9AD6-9C61FE.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\667F1135-FBC8-447A-ACEB-3772D6.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\674937B7-6228-4A61-82F5-14C5E1.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\67A70E0E-C840-4894-9F32-056CA2.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\680A1625-808C-4F70-9A16-6FD7AB.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\689B652F-79B0-489F-8164-3F1CAE.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\69FBCD24-D0EE-444A-A623-52FF3F.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\6E03D06B-8F68-42F0-AF87-8F10FA.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\6E1189E3-64B4-4A52-90E8-872546.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\7037E4A9-2DD9-427D-80DD-B48C0E.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\726CEE6E-67A2-406B-BEBF-6D33AE.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\74FB6322-138D-41B1-BCF9-681A1A.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\768D77D2-F06F-4C83-BDCE-CED56C.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\76AEF88A-26CA-4D56-AA9A-EF53F7.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\795EE7FE-7B62-47DA-B063-06FD0D.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\7A1F8041-2560-438B-A933-0D0653.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\7B52A5F6-B82A-4633-AF3B-58CDF7.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\7E3D1DAB-4030-42DF-8F2D-92FFEF.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\7E54F46B-0605-4B98-8754-6565EA.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\7E7AFB21-2605-4E39-ACD7-3D1A4D.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\7FF9D8BF-CAD8-4CC7-BFA1-1BA5C2.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\804CFF73-73FE-4C47-8DCB-9456C8.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\83A637BD-9AC3-4D8E-B845-D01D9D.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\8406F75E-E2CF-4888-82E6-5EA2E4.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\859D543D-6664-40DD-BA15-8DE8EF.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\87D74766-4924-4899-9B5C-608AA3.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\89B0FE91-EC75-41D4-9670-64D2D6.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\89CA5774-2A7E-4675-A5BA-EA4111.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\8A912AF4-2773-41C3-ADF0-0E65C6.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\8BF9479F-7C16-446A-AA80-DC4158.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\8C84CB27-F89F-4F60-BC03-6D2A44.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\8EA6E968-4EDA-46E0-8E0D-A63959.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\907FDFAB-3E62-4E61-9DE4-72A868.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\916BA67D-F439-46FC-A592-4FB12F.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\93B9097D-81B9-4FBF-B271-5183DA.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\93C62CDC-9148-409D-ACA5-B16917.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\94BB415B-100C-482B-A4DF-B75B3E.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\964E0CD8-0CFF-45B6-B380-44205A.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\977053F0-7381-415D-BD29-924B84.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\9856DDB0-5D3B-4D85-9529-559DD9.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\99D89982-192F-4CB5-A813-63CB1C.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\99E6A21E-DCD7-4F13-8210-D7D94F.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\9CEE8615-DF2D-47CE-9B9E-ADC9D6.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\A0B6FCB7-4DA2-4A5B-8CB5-D85AEF.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\A28268EF-BE8C-4EBE-8DCC-F25368.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\A355A4A0-17D2-4513-B178-CF75CD.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\A4533FF6-5540-4FA9-8A8D-2B1C3F.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\A6AF15FA-CBB4-46E2-9D62-E3A86A.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\A820CC8D-CFF0-45E4-B07A-47BBE3.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\A90CC797-7651-4ABF-B6F9-B608C3.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\AAF728FA-33BD-459E-B971-490B30.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\AC111CE1-E7BB-461D-BC9A-B66C22.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\ACE35843-425C-4C62-A0A1-5B3ECF.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\ACF4EFED-966E-428D-A9F9-1DB382.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\AE398B1B-79A5-4507-BD40-C3F6F1.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\AEB6E0CD-0BA3-4BB8-B1FE-3DA101.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\AF096724-3573-4206-9EF6-4C77B6.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\AF2E6273-9893-4E24-AC96-2AE111.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\B02DF468-5026-43A0-B319-EAFA93.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\B15B1886-1419-4EB1-BEEA-AA322D.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\B4C2B4C8-DD46-43AA-B62B-878FA4.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\B628FF20-8617-42B7-B21C-0AF71A.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\B7034828-DCC5-4785-B84F-839DD0.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\B7A8FB46-000D-40D5-A785-B83BC5.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\B843DC77-E809-4DB6-B632-4BDA7E.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\B968BEBC-B3BA-4B62-A061-5D3072.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\B9DC9068-8E97-4C7D-91A7-D9F8BF.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\B9F65CFF-054E-4BFB-9DBE-40D6E6.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\BA103882-4F81-40C9-9D01-4EB633.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\C0BA4F28-BA88-4BB9-A1EB-D31DAD.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\C24E7284-2FA3-4E03-8849-8296FC.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\C2B73563-5E85-4054-AA51-6342B1.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\C2D4C9A4-B10B-48F6-9308-71BAF1.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\C51992BA-C81F-4053-873E-09ED58.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\CDA008AD-8B7B-4D90-8AA3-C0D80F.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\D013CDC8-DA18-4E2F-A2E6-7D9E13.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\D0A6DE39-3628-4E70-B221-DCBCD4.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\D22D764B-78CF-4204-9FCE-930806.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\D3C7CFDE-E84D-40E2-AF72-2CE4A3.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\D3E0D1BD-A0E8-424D-8451-62BD05.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\D56398FD-7E5A-4B7B-A5F8-C67D80.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\D76C3105-C6FF-4207-9BC3-445886.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\D8B7BF92-61A7-4490-A4C4-DC5924.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\DAF88036-E1EA-45D8-A469-0BC74A.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\DC04C11C-2A08-4E89-AD98-9FDB79.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\DC3D7A2C-1673-4E53-9DDE-810AD2.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\E3B9F29B-2E7A-4BE2-B1E7-767E3D.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\E58F0E13-6E97-4460-B205-2C0109.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\E6BAD141-719F-40F8-8EFC-DD6A2C.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\E6E77846-BE34-406B-90B2-5B2213.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\EC89BC78-93BF-41CA-BCBF-970EC4.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\ED9943BA-304D-48DE-A8E0-83463F.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\F06A5F8F-1D1D-499B-81C7-1B85D6.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\F4F95EA1-A4BA-40C5-BAD6-35264A.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\F6282C4E-A2D4-42FB-BB81-071D87.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\F9877F68-6DA6-4932-B2D8-C0B7CF.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\FB868051-05DD-4E19-82B5-E98DAF.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\FD6FB281-B2D2-4CEC-8BA4-46229B.asq -> Backdoor.ServU-based : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\12F9F4E4-128B-4DBA-B240-960E24\D85D7246-578E-42F1-8F0D-CC2B39 -> Spyware.SideFind : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\12F9F4E4-128B-4DBA-B240-960E24\DD7E10B3-4226-4439-AEFF-40C335 -> Spyware.SideFind : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\7B436342-8342-4A73-B4D1-972056\27C8C0D5-6A82-4C66-A25E-355E66 -> Spyware.SideFind : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\C9828C4F-BACE-4FDD-875D-C538E9\76F20BF3-8839-46B9-90AD-4B899B -> Spyware.Relevance : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\C9828C4F-BACE-4FDD-875D-C538E9\EC869053-74CB-45B1-BE63-BA7507 -> Spyware.Relevance : Cleaned with backup
C:\WINNT\csrss.exe.tcf -> Backdoor.iroffer.12.b26 : Cleaned with backup
C:\WINNT\dd4a.exe -> Trojan.Hiddenrun : Cleaned with backup
C:\WINNT\Downloaded Program Files\CONFLICT.1\HDPlugin1101.dll -> Adware.Gator : Cleaned with backup
C:\WINNT\Downloaded Program Files\CONFLICT.2\HDPlugin1101.dll -> Adware.Gator : Cleaned with backup
C:\WINNT\Downloaded Program Files\CONFLICT.3\HDPlugin1101.dll -> Adware.Gator : Cleaned with backup
C:\WINNT\lsass.exe.tcf -> Backdoor.ServU-based : Cleaned with backup
C:\WINNT\Q887287.ini -> Worm.Randon : Cleaned with backup
C:\WINNT\remtm3.exe.tcf -> Adware.BetterInternet : Cleaned with backup
C:\WINNT\system32\hiddenrun.exe.tcf -> Trojan.Hiddenrun : Cleaned with backup
C:\WINNT\system32\hnbwwwpd.dll -> Spyware.PurityScan : Cleaned with backup
C:\WINNT\system32\plugin\090-ntpass.xpn -> Not-A-Virus.Hacktool.Ntpass : Cleaned with backup
C:\WINNT\system32\winupdate\msnq32.exe -> Backdoor.Cl4 : Cleaned with backup
C:\WINNT\system32\winupdate\pmmc32.exe -> Not-A-Virus.Tool.PsExec.123 : Cleaned with backup
C:\WINNT\system32\xnqn.exe/xnsqn.exe -> Backdoor.SdBot : Cleaned with backup
C:\WINNT\system32\xnqn.exe/fqecs.exe -> TrojanProxy.Ranky : Cleaned with backup
C:\WINNT\wmip.ini -> Backdoor.Zapchast : Cleaned with backup

::Report End

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:50:40 PM, 8/21/2005
+ Report-Checksum: B8C5C8FF

+ Scan result:

C:\WINNT\system32\drivers\df_kmd.sys -> Trojan.Rootkit.Agent.af : Cleaned with backup

::Report End

#4
greyknight17

Posted 24 August 2005 - 05:58 PM

Malware Expert

Visiting Consultant
16,560 posts

Yes, please run it one more time just in case something crept in while the infection is still there.

#5
hasgtg805

Posted 25 August 2005 - 08:12 PM

Member

Topic Starter
Member
14 posts

greyknight

I carried out the clean up as best as I could. The start up process is running smoothly without any error messages and WITHOUT winfixer installer.

Here are the logs.

I also noticed a pv.exe similar to the smss type when I was running KillBox. Should it be removed also??

Thanks
hasgtg805

Microsoft Windows 2000 [Version 5.00.2195]
The current date is: Thu 08/25/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINNT\System32\TASKMA~1.EXE
* UPX! C:\WINNT\BOOT.EXE
* UPX! C:\WINNT\TSC.EXE
* UPX! C:\WINNT\UNWISE32.EXE

»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINNT\DXDIAGK.DLL
* UPX! C:\WINNT\VSAPI32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C has no label.
Volume Serial Number is 6835-1DC8

Directory of C:\WINNT\SYSTEM32

»»»»» Checking for SAHAgent ico files.
Volume in drive C has no label.
Volume Serial Number is 6835-1DC8

Directory of C:\WINNT\system32

»»»»»»»»»»»»»»»»»»»»»»»».

Logfile of HijackThis v1.99.1
Scan saved at 8:38:15 PM, on 8/25/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
C:\Defenders\Ewido LogFiles\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Dell User\Desktop\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINNT\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Defenders\Trojan Hunter\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunServices: [Windos Manage] qzfdx.exe
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12....es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Defenders\Ewido LogFiles\security suite\ewidoctrl.exe

---------------------------------------

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:08:16 PM, 8/24/2005
+ Report-Checksum: 48B2369D

+ Scan result:

C:\WINNT\system32\svnlitup32.exe -> Heuristic.Win32.Backdoor.IrcBot : Cleaned with backup

::Report End

#6
greyknight17

Posted 26 August 2005 - 08:02 PM

Malware Expert

Visiting Consultant
16,560 posts

I also noticed a pv.exe similar to the smss type when I was running KillBox. Should it be removed also??

I'm not sure what you are referring to here. What are you talking about?

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Make sure to close any open browsers. Check and fix this in HijackThis:

O4 - HKLM\..\RunServices: [Windos Manage] qzfdx.exe

Delete this file (search for it) -> qzfdx.exe

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Copy the below files and go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say no:

C:\WINNT\System32\TASKMA~1.EXE
C:\WINNT\BOOT.EXE
C:\WINNT\DXDIAGK.DLL

Restart and run both these scans:

Run an online virus scan at TrendMicro http://uk.trendmicro...call_launch.php. Just follow the instructions on the site to run the free online scan. If any viruses/trojans are detected, try to delete or clean them in that site. If any are not cleanable, copy and paste the infected files here. You may also use Panda ActiveScan at http://www.pandasoft...ucts/activescan. Post the log from the Panda scan here.

Restart again and post a new HijackThis log.

#7
hasgtg805

Posted 26 August 2005 - 10:24 PM

Member

Topic Starter
Member
14 posts

greyknight17,

I used the search function to find the qzfdx file and it returned a no result. Shall I continue to the KillBox scan?

hasgtg805

#8
greyknight17

Posted 28 August 2005 - 08:26 AM

Malware Expert

Visiting Consultant
16,560 posts

Yes, continue with the rest of the instructions. :tazz:

#9
hasgtg805

Posted 31 August 2005 - 09:30 PM

Member

Topic Starter
Member
14 posts

greyknight17,

See logs below from last scan and fix.

hasgtg805
-------------------------------
ActiveScan

Incident Status Location

Adware:adware/elitebar No disinfected C:\WINNT\DOWNLOADED PROGRAM FILES\OSD149F.OSD
Adware:adware/toprebates No disinfected C:\WINNT\DOWNLOADED PROGRAM FILES\WinadX.inf
Adware:adware/twain-tech No disinfected C:\WINNT\satmat.ini
Adware:adware/searchrelevancy No disinfected C:\PROGRAM FILES\SearchRelevant
Adware:adware/wupd No disinfected C:\PROGRAM FILES\Winad Client
Adware:adware/oemji No disinfected C:\PROGRAM FILES\COMMON FILES\Oem Common
Spyware:spyware/betterinet No disinfected Windows Registry
Possible Virus. No disinfected C:\Defenders\Trojan Hunter\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Application Data\atmd.exe.tcf
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\!update.exe.tcf
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\alchem.inf
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\alchem.ini
Spyware:Spyware/ISTBar No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\bJjXeh.exe
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\conscorr.inf
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\conscorr.ini
Spyware:Spyware/ISTBar No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\faMn06.exe
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ICD1.tmp\MediaTicketsInstaller.INF
Spyware:Spyware/ISTBar No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ICD2.tmp\istactivex.inf
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ICD3.tmp\MediaTicketsInstaller.INF
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ICD4.tmp\MediaTicketsInstaller.INF
Spyware:Spyware/ISTBar No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\istsv_.exe.tcf
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\multimpp.inf
Virus:Trj/WMProxy.A No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ozjnh.exe[fasz.exe]
Virus:Trj/WMProxy.A No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ozjnh.exe[fasz.exe][sks.exe]
Virus:Bck/Sdbot.KA No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ozjnh.exe[fasz.exe][fot.exe]
Virus:Bck/Sdbot.KA No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ozjnh.exe[fot.exe]
Virus:Trj/WMProxy.A No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ozjnh.exe[sks.exe]
Spyware:Spyware/ISTBar No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\P0kei7.exe
Virus:W32/Gaobot.batch Disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\r.bat
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\satmat.inf
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\satmat.ini
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\sdexe.exe.tcf
Adware:Adware/SearchRelevancy No disinfected C:\Program Files\SearchRelevant\uninstall.exe.tcf
Spyware:Spyware/Cydoor No disinfected C:\Program Files\Spybot - Search & Destroy\Dummies\dummy.cd_clint.dll
Adware:Adware/EliteBar No disinfected C:\WINNT\blocklist.reg
Adware:Adware/WUpd No disinfected C:\WINNT\Downloaded Program Files\WinadX.inf
Spyware:Spyware/BetterInet No disinfected C:\WINNT\inf\satmat.inf
Adware:Adware/IPInsight No disinfected C:\WINNT\satmat.ini
Virus:Backdoor Program Disinfected C:\WINNT\system32\windows.ini
Adware:Adware/PurityScan No disinfected C:\WINNT\system32\?hkdsk.exe
--------------------------
HouseCall

Trend Micro Housecall Virus Scan1 virus detected

Results:
We have detected 1 infected file(s) with 1 virus(es) on your
computer. Only 0 out of 0 infected files are displayed.
Detected FileAssociated Virus Name
C:\Documents and
Settings\MyFiles\MyOtherFiles\Local
Settings\Temp\istsv_.exe.tcfTROJ_ISTBAR.CJ

Trojan/Worm CheckNo worm/Trojan horse detected

What we checked:
Malicious activity by a Trojan horse program. Although a
Trojan seems like a harmless program, it contains malicious
code and once installed can cause damage to your computer.
Results:
We have detected 0 Trojan horse program(s) and worm(s) on your
computer. Only 0 out of 0 Trojan horse programs and worms are
displayed.
Trojan/Worm NameTrojan/Worm Type

Spyware Check18 spyware programs detected

What we checked:
Whether personal information was tracked and reported by
spyware. Spyware is often installed secretly with legitimate
programs downloaded from the Internet.
Results:
We have detected 18 spyware(s) on your computer. Only 0 out of
0 spywares are displayed.
Spyware NameSpyware Type
COOKIE_153Cookie
COOKIE_169Cookie
COOKIE_222Cookie
COOKIE_281Cookie
COOKIE_611Cookie
COOKIE_722Cookie
COOKIE_1020Cookie
COOKIE_1198Cookie
COOKIE_1802Cookie
COOKIE_2136Cookie
COOKIE_2250Cookie
COOKIE_2574Cookie
COOKIE_2817Cookie
COOKIE_3201Cookie
COOKIE_6853Cookie
ADW_SAHAGENT.AAdware
ADW_ELITEBAR.CAdware
ADW_SEARCHREL.EAdware

Microsoft Vulnerability Check2 vulnerabilities detected

What we checked:
Microsoft known security vulnerabilities. These are issues
Microsoft has identified and released Critical Updates to fix.

Results:
We have detected 2 vulnerability/vulnerabilities on your
computer. Only 0 out of 0 vulnerabilities are displayed.
Risk LevelIssueHow to Fix
CriticalThis vulnerability allows a remote
attacker to conduct unauthorized activities via
the Show Me function in Office Help, since Office
2000 UA ActiveX Control is marked as safe for
scripting. MS00-034
CriticalThis vulnerability allows attackers to
execute macros without user warning. It is done by
linking a Rich Text Format document to a template
that contains an embedded macro. MS01-028

-----------------------------
HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 9:38:59 PM, on 8/31/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
C:\Defenders\Ewido LogFiles\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Documents and Settings\Dell User\Desktop\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINNT\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Defenders\Trojan Hunter\TrojanHunter 4.2\THGuard.exe"
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12....es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Defenders\Ewido LogFiles\security suite\ewidoctrl.exe

---------------------

#10
greyknight17

Posted 01 September 2005 - 08:19 PM

Malware Expert

Visiting Consultant
16,560 posts

Run the CleanUp program now.

Delete these if found:

C:\WINNT\DOWNLOADED PROGRAM FILES\OSD149F.OSD
C:\WINNT\DOWNLOADED PROGRAM FILES\WinadX.inf
C:\WINNT\satmat.ini
C:\PROGRAM FILES\SearchRelevant
C:\PROGRAM FILES\Winad Client
C:\PROGRAM FILES\COMMON FILES\Oem Common
C:\Documents and Settings\MyFiles\MyOtherFiles\Application Data\atmd.exe.tcf
C:\Program Files\SearchRelevant\uninstall.exe.tcf
C:\Program Files\Spybot - Search & Destroy\Dummies\dummy.cd_clint.dll
C:\WINNT\blocklist.reg
C:\WINNT\Downloaded Program Files\WinadX.inf
C:\WINNT\inf\satmat.inf
C:\WINNT\satmat.ini

Do a search for ?hkdsk.exe and right click on any of the files found. Go to Properties->Version tab and see if it's from Microsoft. Do this for each file found. If it's not from Microsoft (or doesn't even have a version tab) and it was created recently, then delete it.

Boot into Safe Mode and run Ewido. Save the log when it's done.

Restart and run the Panda scan again. Post that log here along with the Ewido log you saved.

Edited by greyknight17, 01 September 2005 - 08:26 PM.

#11
hasgtg805

Posted 07 September 2005 - 10:28 PM

Member

Topic Starter
Member
14 posts

greyknight17,

Here are the logs from the last runs.

Hasgtg805

---------------------
ActiveScan

Incident Status Location

Adware:adware/elitebar No disinfected C:\WINNT\DOWNLOADED PROGRAM FILES\OSD149F.OSD
Adware:adware/toprebates No disinfected C:\WINNT\DOWNLOADED PROGRAM FILES\WinadX.inf
Adware:adware/oemji No disinfected Windows Registry
Possible Virus. No disinfected C:\Defenders\Trojan Hunter\TrojanHunter 4.2\Tools\Process Viewer\ProcessViewer.exe
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\!update.exe.tcf
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\alchem.inf
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\alchem.ini
Spyware:Spyware/ISTBar No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\bJjXeh.exe
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\conscorr.inf
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\conscorr.ini
Spyware:Spyware/ISTBar No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\faMn06.exe
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ICD1.tmp\MediaTicketsInstaller.INF
Spyware:Spyware/ISTBar No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ICD2.tmp\istactivex.inf
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ICD3.tmp\MediaTicketsInstaller.INF
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ICD4.tmp\MediaTicketsInstaller.INF
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\multimpp.inf
Virus:Trj/WMProxy.A No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ozjnh.exe[fasz.exe]
Virus:Trj/WMProxy.A No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ozjnh.exe[fasz.exe][sks.exe]
Virus:Bck/Sdbot.KA No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ozjnh.exe[fasz.exe][fot.exe]
Virus:Bck/Sdbot.KA No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ozjnh.exe[fot.exe]
Virus:Trj/WMProxy.A No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ozjnh.exe[sks.exe]
Spyware:Spyware/ISTBar No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\P0kei7.exe
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\satmat.inf
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\satmat.ini
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\sdexe.exe.tcf
Adware:Adware/WUpd No disinfected C:\WINNT\Downloaded Program Files\WinadX.inf
Adware:Adware/PurityScan No disinfected C:\WINNT\system32\?hkdsk.exe
----------------------
Ewido

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 11:18:27 PM, 9/2/2005
+ Report-Checksum: D91D5156

+ Scan result:

No infected objects found.

::Report End

-----------------------------------
HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 9:37:55 PM, on 9/3/2005
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\SYSTEM32\DNTUS26.EXE
C:\WINNT\System32\svchost.exe
C:\Defenders\Ewido LogFiles\security suite\ewidoctrl.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
C:\PROGRA~1\NavNT\vptray.exe
C:\Program Files\Lexmark X125\LEX125SU.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Documents and Settings\Dell User\Desktop\HijackThis.exe

O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_6_0_0.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LMPDPSRV] C:\WINNT\System32\spool\DRIVERS\W32X86\3\LMPDPSRV.EXE
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\NavNT\vptray.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Defenders\Trojan Hunter\TrojanHunter 4.2\THGuard.exe"
O4 - Global Startup: Lexmark X125 Settings Utility.lnk = C:\Program Files\Lexmark X125\LEX125SU.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINNT\system32\msjava.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.c...nst20040510.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by12fd.bay12....es/MsnPUpld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft...free/asinst.cab
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development - C:\WINNT\SYSTEM32\DNTUS26.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Defenders\Ewido LogFiles\security suite\ewidoctrl.exe

---------------------------------

#12
greyknight17

Posted 08 September 2005 - 08:54 PM

Malware Expert

Visiting Consultant
16,560 posts

Delete these files:

C:\WINNT\DOWNLOADED PROGRAM FILES\OSD149F.OSD
C:\WINNT\Downloaded Program Files\WinadX.inf

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Do a search for ?hkdsk.exe and right click on any of the files found. Go to Properties->Version tab and see if it's from Microsoft. Do this for each file found. If it's not from Microsoft (or doesn't even have a version tab) and it was created recently, then delete it.

Restart and run a new Panda scan. Post that Panda log here.

#13
hasgtg805

Posted 13 September 2005 - 10:40 PM

Member

Topic Starter
Member
14 posts

Greyknight17,

A search of the hkdsk returned 2 check disk utility files from Microsoft created in 2003.

Do I need to delete the MyOtherFiles folder to remove some of the adware identified in the log below.

Am I being re-infected after each cleaning process or are they files which are difficult to remove.

See ActiveScan Log

Thanks
hasgtg805

Incident Status Location

Adware:adware/elitebar No disinfected C:\WINNT\DOWNLOADED PROGRAM FILES\OSD149F.OSD
Adware:adware/toprebates No disinfected C:\WINNT\DOWNLOADED PROGRAM FILES\WinadX.inf
Adware:adware/oemji No disinfected Windows Registry
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\!update.exe.tcf
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\alchem.inf
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\alchem.ini
Spyware:Spyware/ISTBar No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\bJjXeh.exe
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\conscorr.inf
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\conscorr.ini
Spyware:Spyware/ISTBar No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\faMn06.exe
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ICD1.tmp\MediaTicketsInstaller.INF
Spyware:Spyware/ISTBar No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ICD2.tmp\istactivex.inf
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ICD3.tmp\MediaTicketsInstaller.INF
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ICD4.tmp\MediaTicketsInstaller.INF
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\multimpp.inf
Virus:Trj/WMProxy.A No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ozjnh.exe[fasz.exe]
Virus:Trj/WMProxy.A No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ozjnh.exe[fasz.exe][sks.exe]
Virus:Bck/Sdbot.KA No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ozjnh.exe[fasz.exe][fot.exe]
Virus:Bck/Sdbot.KA No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ozjnh.exe[fot.exe]
Virus:Trj/WMProxy.A No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ozjnh.exe[sks.exe]
Spyware:Spyware/ISTBar No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\P0kei7.exe
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\satmat.inf
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\satmat.ini
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\sdexe.exe.tcf
Adware:Adware/WUpd No disinfected C:\WINNT\Downloaded Program Files\WinadX.inf
Adware:Adware/PurityScan No disinfected C:\WINNT\system32\?hkdsk.exe

#14
greyknight17

Posted 14 September 2005 - 07:54 PM

Malware Expert

Visiting Consultant
16,560 posts

For chkdsk.exe, you said you saw two. See what icons each of them have. The valid one should have a command prompt (white window) icon. If you see one that has like 3 blocks/cubes in the icon, then delete that one.

OK, is that MyOtherFiles folder a windows created folder? I assume MyFiles is your actual user account name right? If MyOtherFiles has nothing useful and is not a Windows folder (which doesn't seem like one), then delete it:

C:\Documents and Settings\MyFiles\MyOtherFiles\

Delete these two files again:

C:\WINNT\DOWNLOADED PROGRAM FILES\OSD149F.OSD
C:\WINNT\Downloaded Program Files\WinadX.inf

Run CleanUp again.

Restart and run a new panda scan. Post the log here.

Probably not a reinfection, just not removed :tazz:

#15
hasgtg805

Posted 21 September 2005 - 10:08 PM

Member

Topic Starter
Member
14 posts

greyknight17,

Both chkdsk.exe are check disk utility files by Microsoft located in

C:\WINNT\System32 and C:\WINNT\ServicePackFiles\i386 folders.

It seems like file in the service pack folder (created in 2003) was an update to the file in the system32 folder (created in 1999)!!

Still unable to locate and delete WinadX.inf and OSD149F.OSD.

I ran the cleanup and Activescan producing the first log below. From the log I located the Temp folder in the MyOtherFiles folder (I had to activate show hidden files) and deleted all files (mainly images from sites visited).

A second run of Activescan produced the second log below.

Seems like we are close to total eradication!!!!!!!!

hasgtg805
--------------------------
First run log

Incident Status Location

Adware:adware/elitebar No disinfected C:\WINNT\DOWNLOADED PROGRAM FILES\OSD149F.OSD
Adware:adware/toprebates No disinfected C:\WINNT\DOWNLOADED PROGRAM FILES\WinadX.inf
Adware:adware/oemji No disinfected Windows Registry
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\!update.exe.tcf
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\alchem.inf
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\alchem.ini
Adware:Adware/IST.ISTBar No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\bJjXeh.exe
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\conscorr.inf
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\conscorr.ini
Adware:Adware/IST.ISTBar No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\faMn06.exe
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ICD1.tmp\MediaTicketsInstaller.INF
Adware:Adware/IST.ISTBar No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ICD2.tmp\istactivex.inf
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ICD3.tmp\MediaTicketsInstaller.INF
Adware:Adware/MediaTickets No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ICD4.tmp\MediaTicketsInstaller.INF
Adware:Adware/MultiMPP No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\multimpp.inf
Virus:Trj/WMProxy.A No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ozjnh.exe[fasz.exe]
Virus:Trj/WMProxy.A No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ozjnh.exe[fasz.exe][sks.exe]
Virus:Bck/Sdbot.KA No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ozjnh.exe[fasz.exe][fot.exe]
Virus:Bck/Sdbot.KA No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ozjnh.exe[fot.exe]
Virus:Trj/WMProxy.A No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\ozjnh.exe[sks.exe]
Adware:Adware/IST.ISTBar No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\P0kei7.exe
Spyware:Spyware/BetterInet No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\satmat.inf
Adware:Adware/IPInsight No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\satmat.ini
Adware:Adware/PurityScan No disinfected C:\Documents and Settings\MyFiles\MyOtherFiles\Local Settings\Temp\sdexe.exe.tcf
Adware:Adware/WUpd No disinfected C:\WINNT\Downloaded Program Files\WinadX.inf
Adware:Adware/PurityScan No disinfected C:\WINNT\system32\?hkdsk.exe ------------------------------

Second log run

Incident Status Location

Adware:adware/elitebar No disinfected C:\WINNT\DOWNLOADED PROGRAM FILES\OSD149F.OSD
Adware:adware/toprebates No disinfected C:\WINNT\DOWNLOADED PROGRAM FILES\WinadX.inf
Adware:adware/oemji No disinfected Windows Registry
Adware:Adware/WUpd No disinfected C:\WINNT\Downloaded Program Files\WinadX.inf
Adware:Adware/PurityScan No disinfected C:\WINNT\system32\?hkdsk.exe