
Completed all steps in the Spyware Section [CLOSED]



#1 RoshDogg (New Member, 9 posts)
I've completed all the steps in the section listing how to get rid of most spyware - I think most of it is gone, not getting tons of pop-ups anymore. There is still a little bit left because I'm getting a few popups still. Here is my HijackThis log.
Logfile of HijackThis v1.99.1
Scan saved at 10:10:37 PM, on 8/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\BOINC\boinc.exe
C:\WINDOWS\cm9zaGRvZ2cA\command.exe
C:\Program Files\BOINC\projects\setiathome.berkeley.edu\setiathome_4.18_windows_intelx86.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\srnesdgc\hlsg.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\tsoafs.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\rkewkjun\raqow.exe
C:\WINDOWS\system32\gudqpdsp\abimxekf.exe
C:\WINDOWS\system32\pgolrw\bnladpdr.exe
C:\WINDOWS\system32\modgswp\qogujnq.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WinMX\WinMX.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\winCMAPP\wincmapp.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\roshdogg.HOME1\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ve3d.ign.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [raqow] C:\WINDOWS\system32\rkewkjun\raqow.exe
O4 - HKLM\..\Run: [hlsg] C:\WINDOWS\system32\srnesdgc\hlsg.exe
O4 - HKLM\..\Run: [abimxekf] C:\WINDOWS\system32\gudqpdsp\abimxekf.exe
O4 - HKLM\..\Run: [bnladpdr] C:\WINDOWS\system32\pgolrw\bnladpdr.exe
O4 - HKLM\..\Run: [qogujnq] C:\WINDOWS\system32\modgswp\qogujnq.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [whgpay] C:\WINDOWS\system32\tsoafs.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinMX] C:\WinMX\WinMX.exe -m
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\system32\pshwr.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000079.exe
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.sho..._ysp1001_sp2.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...ls/en/x86/client/wuweb_site.cab?1120046548109
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...on/bin/cabsa.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.pc.ibm.c...er/IbmEgath.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0002.exe
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = home1.local
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BOINC - Unknown owner - C:\Program Files\BOINC\boinc.exe" -daemon (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\cm9zaGRvZ2cA\command.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: hlsgsrnesdgc - Unknown owner - C:\WINDOWS\system32\srnesdgc\hlsg.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

Help is appreciated - you guys rock!


#2 Guse (Visiting Staff, 624 posts)
Heya and welcome to Geeks to Go. I'm currently reviewing your log and will be back with you shortly.

#3 Guse (Visiting Staff, 624 posts)
Again, Hello and welcome to Geeks to Go. My name is Guse and I'll be helping you through this thing.

The first thing we need to do is to turn Word Wrap off in your Notepad program. It makes the log very, very hard to read.

Open Notepad, click Format and then clear the checkmark next to Word Wrap.

Now, onto the actual fix.

Please download ewido security suite it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido, there should be an icon on your desktop, double-click it.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display "Update successful")
  • Exit ewido. DO NOT scan yet.
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates

Download CleanUp
Install the program, don't run it yet, we will later.

Please download this file: Nailfix Utility
Save it to your desktop.
DO NOT run it yet.

Download dsrfix.zip
Save it to your desktop.
  • Unzip dsrfix.zip and extract it to your desktop.
  • This will create a new folder on your desktop named dsrfix.
  • Do Not open that folder yet.
Please download APT and unzip the contents to a new folder on your desktop.
  • Open the folder you just created and click on apt.exe and search in the window for C:\WINDOWS\system32\tsoafs.exe.
  • Open your C:\Windows\system32 folder and search for tsoafs.exe.
    Don't delete it yet, just leave the system32 folder open so you can see the bad file.
  • In APT again, Select C:\WINDOWS\system32\tsoafs.exe and Click Kill3
  • Then immediately delete tsoafs.exe from your system32 folder.
Close APT.

To reboot into SafeMode with Windows XP, you can follow these steps from Microsoft:

Next, please reboot your computer in SafeMode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, start tapping the F8 key.
  • Instead of Windows loading as normal, a menu should appear
  • Select the first option, to run Windows in Safe Mode.
Once in Safe Mode, please double-click on nailfix.exe.
Click "Next" in the setup, then make sure "Run Nailfix" is checked and click "Finish".
Your desktop and icons will disappear and reappear, and a window should open and close very quickly --- this is normal.

Now open ewido and do a scan of your system.
  • Click on scanner
  • Click on Complete System Scan and the scan will begin.
  • You will be prompted to clean the first infection.
  • Select "Perform action on all infections", then proceed.
  • Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report.
  • Save the report .txt file to your desktop or a location where you can find it easily.
Now scan with HJT and place a checkmark next to each of the following items:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ve3d.ign.com/
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - (no file)
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [raqow] C:\WINDOWS\system32\rkewkjun\raqow.exe
O4 - HKLM\..\Run: [hlsg] C:\WINDOWS\system32\srnesdgc\hlsg.exe
O4 - HKLM\..\Run: [abimxekf] C:\WINDOWS\system32\gudqpdsp\abimxekf.exe
O4 - HKLM\..\Run: [bnladpdr] C:\WINDOWS\system32\pgolrw\bnladpdr.exe
O4 - HKLM\..\Run: [qogujnq] C:\WINDOWS\system32\modgswp\qogujnq.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [whgpay] C:\WINDOWS\system32\tsoafs.exe r
O4 - HKCU\..\Run: [pshower] C:\WINDOWS\system32\pshwr.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000079.exe
O16 - DPF: {5F3B3060-09E0-44C6-86F7-BC7B02B57BEE} - http://downloads.sho...ysp1001_sp2.cab
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0002.exe

Close all open windows except for HJT, then click the Fix Checked button. Close HJT.

Now open the folder dsrfix on your desktop.
  • Double-Click on dsrfix.bat
  • A window will pop up briefly then close, this is normal.
Enable show hidden files and folders:

* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK

Now using Windows Explorer find and remove the following folders/files

C:\WINDOWS\cm9zaGRvZ2cA\command.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\WINDOWS\system32\exp.exe
C:\WINDOWS\system32\wintask.exe
C:\WINDOWS\system32\rkewkjun\raqow.exe
C:\WINDOWS\system32\srnesdgc\hlsg.exe
C:\WINDOWS\system32\gudqpdsp\abimxekf.exe
C:\WINDOWS\system32\pgolrw\bnladpdr.exe
C:\WINDOWS\system32\modgswp\qogujnq.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\WINDOWS\system32\pshwr.exe
C:\Program Files\Common Files\Windows\mc-110-12-0000079.exe
C:\Program Files\Common Files\mc-110-12-0000079.exe


Now run the CleanUp program:

*IMPORTANT NOTE*
CleanUp deletes EVERYTHING out of your temp/temporary folders, it does not make backups.
If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp

Running CleanUp
  • Start CleanUp by double-clicking the icon on your desktop (or from the Start > All Programs menu).
  • When CleanUp starts go to the Options button (right side of CleanUp screen)
  • Move the arrow down to "Custom CleanUp!"
  • Now place a checkmark next to the following (Make sure nothing else is checked!):
    • Delete Cookies
      This is optional, if you leave the box checked it will remove all of your cookies, at this point removing cookies is a good idea
    • Empty Recycle Bins
    • Delete Prefetch files
    • Cleanup! All Users
  • Click OK
  • Then click on the CleanUp button. This will take a short while, let it do its thing.
  • When asked to reboot system select No
  • Close CleanUp
Finally, restart your computer back into Normal Mode and please post a new HJT log, as well as the ewido report log from the Ewido scan by using Add Reply

#4 RoshDogg (Topic Starter, New Member, 9 posts)
Ok I've followed all of your instructions, and here are my new logs - things seem to be awesome so far!

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 8:08:18 PM, 9/6/2005
+ Report-Checksum: 8C1B44FA

+ Scan result:

No infected objects found.


::Report End


Logfile of HijackThis v1.99.1
Scan saved at 8:54:47 PM, on 9/6/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\BOINC\projects\setiathome.berkeley.edu\setiathome_4.18_windows_intelx86.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WinMX\WinMX.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\winCMAPP\wincmapp.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Documents and Settings\roshdogg.HOME1\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinMX] C:\WinMX\WinMX.exe -m
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000079.exe
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120046548109
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.pc.ibm.c...er/IbmEgath.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = home1.local
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BOINC - Unknown owner - C:\Program Files\BOINC\boinc.exe" -daemon (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\cm9zaGRvZ2cA\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: hlsgsrnesdgc - Unknown owner - C:\WINDOWS\system32\srnesdgc\hlsg.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

Thanks again for all of your help!
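For readers who want to see how the entries Guse picked out of the first log can be recognised mechanically, here is an added Python example; it is not code from this thread, from Geeks to Go, or from HijackThis, and the known-good list and rule thresholds in it are assumptions. It parses HJT entry lines out of a log, flags the kinds of entries marked for fixing in post #3 (the extra program chained after Explorer.exe in the F2 line, the hosts override, the BHO with no file, Run entries living in or under system32, ActiveX downloads with no friendly name or pointing at an .exe, and services whose binary is missing or sits in an odd folder under C:\WINDOWS), and then reports which flagged items from the first log are still registered in the second log from post #4. One detail the script checks for: the service folder name cm9zaGRvZ2cA is the base64 encoding of the account name roshdogg followed by a NUL byte, so a folder whose name decodes to the local username is treated as a red flag. The sample lines are copied from the two logs above.

```python
"""Heuristic triage for HijackThis v1.99 logs. Added example for this thread,
not a Geeks to Go, HijackThis or ewido tool; the rules mirror the kinds of
entries the helper marked for fixing and are starting points, not a policy."""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# One HJT entry: section code (R0, F2, O4, O23, ...), " - ", then the rest.
HJT_LINE = re.compile(r"^(R[0-3]|F[0-3]|O\d{1,2})\s+-\s+(.*)$")
# First Windows path ending in .exe/.dll; non-greedy keeps "Program Files"
# but drops trailing arguments such as ' -lang 1033'.
WIN_PATH = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll)", re.IGNORECASE)
WINDIR = "c:\\windows\\"
SYS32 = WINDIR + "system32\\"
# Run entries the helper left alone here (assumed allowlist; extend per host).
KNOWN_GOOD = {"ctfmon.exe", "taskswitch.exe", "cthelper.exe", "nvcpl.dll", "nvmctray.dll"}

@dataclass(frozen=True)
class Entry:
    section: str
    body: str

def parse_hjt(text: str) -> List[Entry]:
    """Keep only entry lines; the header and process list are skipped."""
    found = [HJT_LINE.match(line.strip()) for line in text.splitlines()]
    return [Entry(m.group(1), m.group(2)) for m in found if m]

def first_path(body: str) -> Optional[str]:
    m = WIN_PATH.search(body)
    return m.group(0) if m else None

def is_username_b64(folder: str, username: str) -> bool:
    """Folder named with the base64 of the account name (cm9zaGRvZ2cA -> roshdogg\\0)."""
    try:
        raw = base64.b64decode(folder + "=" * (-len(folder) % 4))
    except ValueError:
        return False
    return raw.rstrip(b"\0").lower() == username.lower().encode()

def flag(e: Entry, username: str) -> Optional[str]:
    """Return a reason if the entry trips a rule, otherwise None."""
    path = first_path(e.body)
    lp = path.lower() if path else ""
    body = e.body.lower()
    if e.section == "F2" and "shell=" in body and body.split("=", 1)[1].strip() != "explorer.exe":
        return "Winlogon shell hijack: extra program chained after Explorer.exe"
    if e.section == "O1":
        return "hosts file redirect"
    if e.section == "O2" and body.endswith("(no file)"):
        return "orphaned BHO registration"
    if e.section in ("O4", "O23") and lp.startswith(SYS32) and "\\" in lp[len(SYS32):]:
        return "executable in a subfolder of system32"
    if e.section == "O4" and lp.startswith(SYS32) and lp[len(SYS32):] not in KNOWN_GOOD:
        return "autorun directly in system32, not on the known-good list"
    if e.section == "O16" and ("(" not in body or body.endswith(".exe")):
        return "ActiveX download with no friendly name or pointing at an .exe"
    if e.section == "O23":
        if body.endswith("(file missing)"):
            return "service registration whose binary is gone"
        if path and lp.startswith(WINDIR) and not lp.startswith(SYS32):
            folder = path[len(WINDIR):].split("\\")[0]  # keep case for base64
            if is_username_b64(folder, username):
                return "service in a folder named with the base64 of the username"
            if "unknown owner" in body and "\\" in lp[len(WINDIR):]:
                return "unknown-owner service in a non-standard Windows subfolder"
    return None

def triage(text: str, username: str) -> List[Tuple[Entry, str]]:
    """Every entry that trips a rule, paired with the reason."""
    pairs = [(e, flag(e, username)) for e in parse_hjt(text)]
    return [(e, why) for e, why in pairs if why]

def entry_key(e: Entry) -> Tuple[str, str]:
    # Section plus path, so a "(file missing)" suffix cannot hide a survivor.
    return (e.section, (first_path(e.body) or e.body).lower())

def still_present(before: str, after: str, username: str) -> List[Entry]:
    """Flagged entries from the first log that are still registered in the second."""
    old = {entry_key(e) for e, _ in triage(before, username)}
    return [e for e, _ in triage(after, username) if entry_key(e) in old]

# Sample input: lines copied from the first and second logs in this thread.
BEFORE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O1 - Hosts: 216.39.69.102 view.atdmt.com
O2 - BHO: (no name) - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - (no file)
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\system32\exp.exe
O4 - HKLM\..\Run: [raqow] C:\WINDOWS\system32\rkewkjun\raqow.exe
O4 - HKLM\..\Run: [whgpay] C:\WINDOWS\system32\tsoafs.exe r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {972BB342-14A7-4660-83C1-51DDBEE171DB} - http://www.pacimedia...ll/pcs_0002.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\cm9zaGRvZ2cA\command.exe
O23 - Service: hlsgsrnesdgc - Unknown owner - C:\WINDOWS\system32\srnesdgc\hlsg.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""
AFTER_LOG = r"""
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000079.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\cm9zaGRvZ2cA\command.exe (file missing)
O23 - Service: hlsgsrnesdgc - Unknown owner - C:\WINDOWS\system32\srnesdgc\hlsg.exe (file missing)
"""

if __name__ == "__main__":
    for e, why in triage(BEFORE_LOG, "roshdogg"):
        print(f"{e.section:4} {why}: {e.body}")
    print("still registered:", [e.body for e in still_present(BEFORE_LOG, AFTER_LOG, "roshdogg")])
```

Run against the two sample logs, the script flags nine entries from the first log and leaves ctfmon.exe and the NVIDIA service alone; from the second log it reports the two orphaned service registrations (cmdService and hlsgsrnesdgc) as still present, which is exactly the house-cleaning Guse asks for in the next post. The DNS entry under Common Files is not caught by these rules, which shows why a known-good allowlist and path heuristics supplement, rather than replace, a human reading the log.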

#5 Guse (Visiting Staff, 624 posts)
Not bad. Not bad at all. There's some house-cleaning that needs to be done and a few more fixes.

First, let's get rid of a couple of bad services:

Go to Start | Run and type "services.msc" (no quotes) into the box and hit enter. Find the Command Service service and double click it. Click the STOP button and then change the startup type to disabled.

Then, perform the same steps for hlsgsrnesdgc.

Then, open HijackThis.
  • Click the Config button.
  • Click the Misc Tools button.
  • Select Delete an NT service.
  • Copy and paste the following into the box:
    Command Service
  • Click Ok.
Then, perform the same steps for hlsgsrnesdgc.

Next, start HijackThis again and place checks next to the following entries:

O4 - HKCU\..\Run: [wincmap] "C:\Program Files\winCMAPP\wincmapp.exe"
O4 - HKCU\..\Run: [DNS] C:\Program Files\Common Files\mc-110-12-0000079.exe


Close all other windows and click Fix Checked

Now, please reboot into Safe Mode (tap the F8 key repeatedly while your system is starting, select Safe Mode from the menu).

Remove these entries from Add/Remove Programs in the Control Panel (if present):

winCMAPP


Please delete these folders using Windows Explorer(if present):

C:\Program Files\winCMAPP

Please delete these files using Windows Explorer(if present):

C:\WINDOWS\cm9zaGRvZ2cA\command.exe
C:\WINDOWS\system32\srnesdgc\hlsg.exe
C:\Program Files\Common Files\mc-110-12-0000079.exe


Now, reboot into Normal Mode.

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan: Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information along with another HijackThis log in your next post.


#6 RoshDogg (Topic Starter, New Member, 9 posts)
Well a lot of the things that the virus scanner found are in a backup folder I made for someone - I don't access them, and I'll just delete those directories now. Here are the new logs.

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, September 07, 2005 07:31:37
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 6/09/2005
Kaspersky Anti-Virus database records: 148090
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
I:\
N:\
S:\
V:\

Scan Statistics:
Total number of scanned objects: 170022
Number of viruses found: 81
Number of infected objects: 229
Number of suspicious objects: 0
Duration of the scan process: 4959 sec

Infected Object Name - Virus Name
C:\Bob Backup\Documents and Settings\James\My Documents\Resource Center\installers\wildtangent\blastrb2.exe/data0011/data0004 Infected: not-a-virus:AdWare.WildTangent.a
C:\Bob Backup\Documents and Settings\James\My Documents\Resource Center\installers\wildtangent\blastrb2.exe/data0011/data0112 Infected: not-a-virus:AdWare.WinAD
C:\Bob Backup\Documents and Settings\James\My Documents\Resource Center\installers\wildtangent\blastrb2.exe/data0011 Infected: not-a-virus:AdWare.WinAD
C:\Bob Backup\Documents and Settings\James\My Documents\Resource Center\installers\wildtangent\blastrb2.exe Infected: not-a-virus:AdWare.WinAD
C:\Documents and Settings\roshdogg.HOME1\Desktop\Geeks To Go Files\nailfix\Process.exe Infected: not-a-virus:RiskTool.Win32.Processor.20
C:\Program Files\BitTorrent\uninstall.exe/stream/data0001 Infected: not-a-virus:RiskTool.Win32.Processor.1001
C:\Program Files\BitTorrent\uninstall.exe/stream Infected: not-a-virus:RiskTool.Win32.Processor.1001
C:\Program Files\BitTorrent\uninstall.exe Infected: not-a-virus:RiskTool.Win32.Processor.1001
C:\Program Files\Cas\Client\casmf.dll Infected: not-a-virus:AdWare.CASClient.a
C:\Program Files\Common Files\InetGet\mc-110-12-0000079.exe Infected: not-a-virus:AdWare.Maxifiles.h
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temp\installer4_thin.exe/data0002/data0001 Infected: not-a-virus:AdWare.SafeSurfing.o
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temp\installer4_thin.exe/data0002 Infected: not-a-virus:AdWare.SafeSurfing.o
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temp\installer4_thin.exe/data0009 Infected: not-a-virus:AdWare.BetterInternet
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temp\installer4_thin.exe Infected: not-a-virus:AdWare.BetterInternet
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GJO98505\install[1].exe/stream/data0002 Infected: not-a-virus:AdWare.Adstart.c
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GJO98505\install[1].exe/stream/data0003 Infected: not-a-virus:AdWare.Adstart.b
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GJO98505\install[1].exe/stream/data0006 Infected: not-a-virus:AdWare.Adstart.d
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GJO98505\install[1].exe/stream/data0007 Infected: not-a-virus:AdWare.Adstart.i
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GJO98505\install[1].exe/stream Infected: not-a-virus:AdWare.Adstart.i
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GJO98505\install[1].exe Infected: not-a-virus:AdWare.Adstart.i
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0001 Infected: not-a-virus:AdWare.BargainBuddy.q
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0002 Infected: not-a-virus:AdWare.BargainBuddy.q
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0004/stream/data0002 Infected: not-a-virus:AdWare.BargainBuddy.y
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0004/stream/data0005 Infected: not-a-virus:AdWare.BargainBuddy.ad
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0004/stream/data0006 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0004/stream/data0007 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0004/stream/data0008 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0004/stream Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0004 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0005/stream/data0005 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0005/stream/data0006 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0005/stream Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0005 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0006/stream/data0005 Infected: not-a-virus:AdWare.BargainBuddy.l
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0006/stream/data0006 Infected: not-a-virus:AdWare.BargainBuddy.y
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0006/stream/data0007 Infected: not-a-virus:AdWare.CashBack.b
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0006/stream/data0008 Infected: not-a-virus:AdWare.CashBack.d
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0006/stream Infected: not-a-virus:AdWare.CashBack.d
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0006 Infected: not-a-virus:AdWare.CashBack.d
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream Infected: not-a-virus:AdWare.CashBack.d
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe Infected: not-a-virus:AdWare.CashBack.d
C:\Sathya Backup\Documents and Settings\Divya Satyapriya\Local Settings\Temporary Internet Files\Content.IE5\OVFPTUTI\google[1].htm Infected: Trojan-Downloader.JS.IstBar.z
C:\Sathya Backup\Documents and Settings\Divya Satyapriya\Local Settings\Temporary Internet Files\Content.IE5\QZB37W36\prompt[2].php Infected: Trojan-Downloader.JS.IstBar.ab
C:\Sathya Backup\Program Files\asys\VFX60_nok.exe Infected: Trojan-Dropper.Win32.Agent.tb
C:\Sathya Backup\WINDOWS\fuvtlp.exe Infected: not-a-virus:AdWare.BetterInternet.r
C:\Sathya Backup\WINDOWS\system32\bk.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.SurfSide.r
C:\Sathya Backup\WINDOWS\system32\bk.exe/InpB Infected: not-a-virus:AdWare.SurfSide.r
C:\Sathya Backup\WINDOWS\system32\bk.exe Infected: not-a-virus:AdWare.SurfSide.r
C:\Sathya Backup\WINDOWS\system32\datadx.dll Infected: Trojan-Downloader.Win32.Qoologic.ad
C:\Sathya Backup\WINDOWS\system32\p66upjkl.ini Infected: not-a-virus:AdWare.Sahat.ao
C:\Sathya Backup\WINDOWS\system32\shopinst.exe Infected: Trojan-Downloader.Win32.Small.apm
C:\Sathya Backup\WINDOWS\Temp\install.exe/stream/data0002 Infected: not-a-virus:AdWare.Adstart.c
C:\Sathya Backup\WINDOWS\Temp\install.exe/stream/data0003 Infected: not-a-virus:AdWare.Adstart.b
C:\Sathya Backup\WINDOWS\Temp\install.exe/stream/data0006 Infected: not-a-virus:AdWare.Adstart.d
C:\Sathya Backup\WINDOWS\Temp\install.exe/stream/data0007 Infected: not-a-virus:AdWare.Adstart.i
C:\Sathya Backup\WINDOWS\Temp\install.exe/stream Infected: not-a-virus:AdWare.Adstart.i
C:\Sathya Backup\WINDOWS\Temp\install.exe Infected: not-a-virus:AdWare.Adstart.i
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\C56NGH23\install[1].exe/stream/data0002 Infected: not-a-virus:AdWare.Adstart.c
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\C56NGH23\install[1].exe/stream/data0003 Infected: not-a-virus:AdWare.Adstart.b
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\C56NGH23\install[1].exe/stream/data0006 Infected: not-a-virus:AdWare.Adstart.d
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\C56NGH23\install[1].exe/stream/data0007 Infected: not-a-virus:AdWare.Adstart.i
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\C56NGH23\install[1].exe/stream Infected: not-a-virus:AdWare.Adstart.i
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\C56NGH23\install[1].exe Infected: not-a-virus:AdWare.Adstart.i
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0001 Infected: not-a-virus:AdWare.BargainBuddy.q
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0002 Infected: not-a-virus:AdWare.BargainBuddy.q
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0004/stream/data0002 Infected: not-a-virus:AdWare.BargainBuddy.y
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0004/stream/data0005 Infected: not-a-virus:AdWare.BargainBuddy.ad
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0004/stream/data0006 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0004/stream/data0007 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0004/stream/data0008 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0004/stream Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0004 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0005/stream/data0005 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0005/stream/data0006 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0005/stream Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0005 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0006/stream/data0005 Infected: not-a-virus:AdWare.BargainBuddy.l
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0006/stream/data0006 Infected: not-a-virus:AdWare.BargainBuddy.y
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0006/stream/data0007 Infected: not-a-virus:AdWare.CashBack.b
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0006/stream/data0008 Infected: not-a-virus:AdWare.CashBack.d
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0006/stream Infected: not-a-virus:AdWare.CashBack.d
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0006 Infected: not-a-virus:AdWare.CashBack.d
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream Infected: not-a-virus:AdWare.CashBack.d
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe Infected: not-a-virus:AdWare.CashBack.d
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP283\A0061404.exe/stream/data0001 Infected: not-a-virus:RiskTool.Win32.Processor.1001
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP283\A0061404.exe/stream Infected: not-a-virus:RiskTool.Win32.Processor.1001
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP283\A0061404.exe Infected: not-a-virus:RiskTool.Win32.Processor.1001
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0107663.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0107667.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0107668.dll Infected: not-a-virus:AdWare.ToolBar.EliteBar.ap
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0107673.ini Infected: not-a-virus:AdWare.Sahat.ao
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0107674.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.SurfSide.r
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0107674.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.SurfSide.r
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0107674.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.SurfSide.r
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0107674.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.SurfSide.r
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0107674.exe/InpB Infected: not-a-virus:AdWare.SurfSide.r
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0107674.exe Infected: not-a-virus:AdWare.SurfSide.r
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0107686.ocx Infected: not-a-virus:AdWare.DelphinMediaViewer.c
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0107687.dll Infected: not-a-virus:AdWare.DelphinMedia.Viewer.f
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0107711.exe Infected: not-a-virus:AdWare.Sahat.aq
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0107712.exe Infected: not-a-virus:AdWare.Sahat.f
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0107714.exe Infected: Trojan-Downloader.Win32.Small.ayh
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0107717.exe Infected: not-a-virus:AdWare.BetterInternet
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108041.dll Infected: not-a-virus:AdWare.SurfSide.r
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108042.dll Infected: not-a-virus:AdWare.SurfSide.r
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108043.exe Infected: not-a-virus:AdWare.SurfSide.r
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108044.dll Infected: not-a-virus:AdWare.SurfSide.r
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108045.dll Infected: not-a-virus:AdWare.Sahat.ad
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108051.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108056.dll Infected: not-a-virus:AdWare.180Solutions.j
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108057.exe Infected: Trojan-Downloader.Win32.PurityScan.ai
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108058.exe Infected: Trojan-Spy.Win32.VB.eh
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108060.exe Infected: not-a-virus:AdWare.BetterInternet
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108066.exe Infected: not-a-virus:AdWare.180Solutions.g
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108067.exe Infected: not-a-virus:AdWare.DelphinMedia.Viewer.f
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108068.exe Infected: not-a-virus:AdWare.DelphinMediaViewer.f
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108071.exe Infected: Trojan-Downloader.Win32.Small.abd
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108072.exe Infected: Trojan-Downloader.Win32.Small.abd
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108077.exe Infected: Trojan.Win32.Stervis.f
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108078.dll Infected: Trojan.Win32.Agent.db
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108079.exe Infected: not-a-virus:AdWareBetterInternet.t
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108080.exe Infected: Trojan-Dropper.Win32.Delf.fl
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108081.exe Infected: Trojan-Downloader.Win32.Agent.qg
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108082.exe Infected: Trojan-Downloader.Win32.Agent.rv
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108083.exe Infected: not-a-virus:AdWare.Maxifiles.a
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108084.dll Infected: not-a-virus:AdWare.WinAD.am
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108085.exe Infected: not-a-virus:AdWare.WinAD.am
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108086.exe Infected: not-a-virus:AdWare.WinAD.am
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108087.com Infected: Trojan-Dropper.Win32.Agent.pb
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108088.exe Infected: Trojan-Downloader.Win32.Small.bgl
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108089.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108090.exe Infected: Trojan-Downloader.Win32.Small.bgl
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108091.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108092.exe Infected: Trojan-Dropper.Win32.Agent.pb
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108093.exe Infected: Trojan-Dropper.Win32.Agent.pb
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108094.exe Infected: Trojan-Dropper.Win32.Agent.pb
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108095.exe Infected: Trojan-Dropper.Win32.Agent.pb
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108096.exe Infected: Trojan-Dropper.Win32.Agent.pb
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108097.exe Infected: Trojan-Dropper.Win32.Agent.pb
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108098.exe Infected: Trojan-Dropper.Win32.Agent.pb
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108099.exe Infected: Trojan-Dropper.Win32.Agent.pb
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108100.exe Infected: Trojan-Dropper.Win32.Agent.pb
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108101.exe Infected: Trojan-Dropper.Win32.Agent.pb
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108102.exe Infected: Trojan-Dropper.Win32.Agent.pb
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108103.exe Infected: Trojan-Dropper.Win32.Agent.pb
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108104.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108106.dll Infected: not-a-virus:AdWare.BHO.E2Give.c
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108107.dll Infected: not-a-virus:AdWare.WinAD.aw
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108108.exe Infected: not-a-virus:AdWare.BetterInternet
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108109.exe Infected: Trojan-Downloader.Win32.Intexp.e
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108110.ocx Infected: not-a-virus:AdWare.Look2Me.ag
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108111.dll Infected: not-a-virus:AdWare.ToolBar.ImiBar.h
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108112.exe/dsr.dll Infected: not-a-virus:AdWare.ToolBar.ImiBar.h
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108112.exe Infected: not-a-virus:AdWare.ToolBar.ImiBar.h
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108113.exe Infected: Trojan-Clicker.Win32.VB.gn
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108114.exe Infected: not-a-virus:AdWare.BetterInternet.r
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108115.exe Infected: Trojan-Downloader.Win32.VB.hw
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108116.exe Infected: Trojan.Win32.Stervis.d
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108117.exe Infected: not-a-virus:AdWare.Adstart.i
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108118.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108119.exe Infected: Trojan-Spy.Win32.VB.eh
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108120.exe Infected: Trojan-Spy.Win32.VB.eh
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108121.dll Infected: Trojan.Win32.Agent.db
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108122.exe Infected: Trojan-Spy.Win32.VB.eh
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108123.exe Infected: not-a-virus:AdWare.Adstart.i
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108124.exe Infected: not-a-virus:AdWare.Adstart.i
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108125.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108126.exe Infected: Trojan-Spy.Win32.VB.eh
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108127.dll Infected: not-a-virus:AdWare.Look2Me.ag
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108128.exe Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108129.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108130.dll Infected: Trojan-Downloader.Win32.Qoologic.ac
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108131.dll Infected: not-a-virus:AdWare.Look2Me.ag
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108132.exe Infected: not-a-virus:AdWare.Adstart.i
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108133.exe Infected: Trojan-Spy.Win32.VB.eh
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108134.exe Infected: not-a-virus:AdWare.PurityScan.cw
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108135.com Infected: Trojan-Dropper.Win32.Agent.pb
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108136.exe Infected: Trojan-Downloader.Win32.VB.kd
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108137.dll Infected: Trojan.Win32.EliteBar.a
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108138.exe Infected: not-a-virus:AdWare.ToolBar.EliteBar.ap
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108139.dll Infected: not-a-virus:AdWare.ToolBar.EliteBar.ap
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108140.exe Infected: Trojan-Downloader.Win32.Small.abd
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108141.exe Infected: Trojan-Downloader.Win32.Agent.tq
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108142.exe Infected: Trojan-Downloader.Win32.Agent.qg
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108143.exe Infected: Trojan-Downloader.Win32.QDown.z
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108144.exe Infected: not-a-virus:AdWare.ToolBar.ISearch.d
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108145.dll Infected: not-a-virus:AdWare.ToolBar.HotSearchBar.i
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108146.exe Infected: Trojan-Downloader.Win32.Agent.tq
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108147.exe Infected: not-a-virus:AdWare.Pacer.j
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108148.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108149.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108157.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108158.exe Infected: not-a-virus:AdWare.SafeSurfing.s
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108166.exe Infected: Trojan.Win32.Stervis.f
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108167.dll Infected: Trojan.Win32.Agent.db
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108168.exe Infected: not-a-virus:AdWareBetterInternet.t
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108182.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108183.exe Infected: Trojan.Win32.Stervis.f
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108184.dll Infected: Trojan.Win32.Agent.db
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108185.exe Infected: not-a-virus:AdWareBetterInternet.t
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0108195.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP315\A0108228.dll Infected: not-a-virus:AdWare.ToolBar.ActivShopper.a
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP315\A0108230.exe Infected: not-a-virus:Downloader.Win32.Agent.c
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP315\A0108231.exe Infected: not-a-virus:Downloader.Win32.Agent.c
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP315\A0108232.exe Infected: not-a-virus:Downloader.Win32.Agent.c
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP315\A0108233.exe Infected: not-a-virus:Downloader.Win32.Agent.c
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP315\A0108234.exe Infected: not-a-virus:AdWare.PurityScan.cx
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP315\A0108235.exe Infected: Trojan-Downloader.Win32.Small.bkr
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP315\A0108236.dll Infected: not-a-virus:AdWare.SafeSurfing.r
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP315\A0108237.exe Infected: not-a-virus:AdWare.BetterInternet
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP315\A0108238.exe Infected: Trojan.Win32.Stervis.f
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP316\A0108258.exe Infected: Trojan-Downloader.Win32.Agent.lg
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP316\A0108259.exe Infected: Trojan-Downloader.Win32.Agent.lg
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP317\A0108312.dll Infected: Trojan.Win32.Agent.db
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP317\A0108313.dll/gui.exe Infected: not-a-virus:AdWare.Maxifiles.a
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP317\A0108313.dll Infected: not-a-virus:AdWare.Maxifiles.a
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP317\A0108314.exe Infected: Trojan-Downloader.Win32.Apropo.aj
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP317\A0108325.exe Infected: not-a-virus:AdWare.Maxifiles.h
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP317\A0108695.dll Infected: Trojan-Downloader.Win32.Agent.lg
C:\WINDOWS\system32\GSM3-0511.exe/data0002 Infected: Trojan.Win32.Registrator.b
C:\WINDOWS\system32\GSM3-0511.exe/data0003 Infected: Trojan-Downloader.Win32.Small.ayh
C:\WINDOWS\system32\GSM3-0511.exe Infected: Trojan-Downloader.Win32.Small.ayh
C:\WINDOWS\system32\InstallerV5.exe/data0006 Infected: Backdoor.Win32.HacDef.bo
C:\WINDOWS\system32\InstallerV5.exe Infected: Backdoor.Win32.HacDef.bo
C:\WINDOWS\system32\mc-110-12-0000079.exe Infected: not-a-virus:AdWare.Maxifiles.f
C:\WINDOWS\system32\netlanm.dll Infected: not-a-virus:AdWare.SafeSurfing.t
C:\WINDOWS\system32\VB3.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\WINDOWS\system32\ventura-hot_246765.exe/data0003 Infected: not-a-virus:AdWare.ToolBar.HotSearchBar.i
C:\WINDOWS\system32\ventura-hot_246765.exe Infected: not-a-virus:AdWare.ToolBar.HotSearchBar.i

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 7:36:01 AM, on 9/7/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WinMX\WinMX.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BOINC\projects\einstein.phys.uwm.edu\einstein_4.79_windows_intelx86.exe
C:\Documents and Settings\roshdogg.HOME1\Desktop\Geeks To Go Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ve3d.ign.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinMX] C:\WinMX\WinMX.exe -m
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120046548109
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.pc.ibm.c...er/IbmEgath.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = home1.local
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BOINC - Unknown owner - C:\Program Files\BOINC\boinc.exe" -daemon (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
  • 0

#7
Guse (Visiting Staff, 624 posts)
Run Cleanup again, but this time without checking any options. Let it all run.

*IMPORTANT: Cleanup cleans out ALL temporary/temp folders and does NOT make backups.

Then, let's reset your restore points:

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb;en-us;310405

Then, run the Kaspersky web scan again and post the results.
  • 0
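The reset above matters because a large share of the detections in the posted Kaspersky report sit under System Volume Information\_restore, which only the turn-off/reboot/turn-on cycle clears. As an added example (not code from this thread or from Kaspersky), a small Python triage script that parses report lines in the format shown ("<object> Infected: <detection>"), buckets each file as a restore-point copy, a temp-folder copy, or a live file, and lists the live files whose detection is not a "not-a-virus:" adware tag; the sample lines are constructed in that format.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the Kaspersky On-line Scanner report
# posted in this thread. Members of an archive or PE stream are appended to
# the container file's path after a "/" (e.g. ".exe/stream/data0002").
SAMPLE_REPORT = r"""
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP313\A0107663.exe Infected: Trojan.Win32.Agent.ay
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP315\A0108236.dll Infected: not-a-virus:AdWare.SafeSurfing.r
C:\WINDOWS\system32\GSM3-0511.exe/data0002 Infected: Trojan.Win32.Registrator.b
C:\WINDOWS\system32\GSM3-0511.exe Infected: Trojan-Downloader.Win32.Small.ayh
C:\WINDOWS\system32\InstallerV5.exe Infected: Backdoor.Win32.HacDef.bo
C:\WINDOWS\system32\netlanm.dll Infected: not-a-virus:AdWare.SafeSurfing.t
C:\Sathya Backup\WINDOWS\Temp\install.exe/stream/data0002 Infected: not-a-virus:AdWare.Adstart.c
C:\Sathya Backup\WINDOWS\Temp\install.exe Infected: not-a-virus:AdWare.Adstart.i
Scan process completed.
"""

# One detection line: everything before " Infected: " is the scanned object.
LINE_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<det>\S+)$")
# Windows XP System Restore snapshot location, as seen in the report.
RESTORE_RE = re.compile(
    r"^[a-z]:\\System Volume Information\\_restore\{[^}]+\}\\RP\d+\\", re.I
)


def parse_report(text):
    """Return (container_path, member, detection) for every detection line.

    Header lines and 'Scan process completed.' do not match and are skipped.
    Nested members keep their container so copies can be collapsed per file.
    """
    hits = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        container, _, member = m.group("obj").partition("/")
        hits.append((container, member, m.group("det")))
    return hits


def classify(container):
    """Bucket a container file by where it lives on disk."""
    if RESTORE_RE.match(container):
        return "restore_point"  # cleared by the System Restore off/reboot/on cycle
    low = container.lower()
    if "\\temp\\" in low or "\\temporary internet files\\" in low:
        return "temp"           # cleared by a temp-folder cleaner such as Cleanup
    return "live"               # still present on the system; needs targeted removal


def summarize(text):
    """Map each bucket to the sorted list of unique container files in it."""
    buckets = defaultdict(set)
    for container, _member, _det in parse_report(text):
        buckets[classify(container)].add(container)
    return {name: sorted(files) for name, files in buckets.items()}


def live_priority(text):
    """Live files whose detection is not a 'not-a-virus:' adware/riskware tag.

    Trojans, downloaders and backdoors on the live filesystem are what is left
    to deal with once temp and restore-point copies are gone. Nested members
    are collapsed onto their container, so each file appears once with all of
    its detection names.
    """
    by_file = defaultdict(set)
    for container, _member, det in parse_report(text):
        if classify(container) == "live" and not det.startswith("not-a-virus:"):
            by_file[container].add(det)
    return {path: sorted(dets) for path, dets in sorted(by_file.items())}


if __name__ == "__main__":
    for bucket, files in summarize(SAMPLE_REPORT).items():
        print(f"{bucket}: {len(files)} file(s)")
    print("live files needing attention:")
    for path, dets in live_priority(SAMPLE_REPORT).items():
        print(f"  {path}  ->  {', '.join(dets)}")
```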

#8
RoshDogg (Topic Starter, New Member, 9 posts)
New Kaspersky log after turning on/off system restore.

I'm going to repost this after getting rid of some of these old backups - should be a lot less stuff then.

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, September 07, 2005 14:15:40
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 7/09/2005
Kaspersky Anti-Virus database records: 148168
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
I:\
N:\
S:\
V:\

Scan Statistics:
Total number of scanned objects: 161065
Number of viruses found: 31
Number of infected objects: 89
Number of suspicious objects: 0
Duration of the scan process: 4121 sec

Infected Object Name - Virus Name
C:\Bob Backup\Documents and Settings\James\My Documents\Resource Center\installers\wildtangent\blastrb2.exe/data0011/data0112 Infected: not-a-virus:AdWare.WinAD
C:\Bob Backup\Documents and Settings\James\My Documents\Resource Center\installers\wildtangent\blastrb2.exe/data0011 Infected: not-a-virus:AdWare.WinAD
C:\Bob Backup\Documents and Settings\James\My Documents\Resource Center\installers\wildtangent\blastrb2.exe Infected: not-a-virus:AdWare.WinAD
C:\Program Files\Cas\Client\casmf.dll Infected: not-a-virus:AdWare.CASClient.a
C:\Program Files\Common Files\InetGet\mc-110-12-0000079.exe Infected: not-a-virus:AdWare.Maxifiles.h
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temp\installer4_thin.exe/data0002/data0001 Infected: not-a-virus:AdWare.SafeSurfing.o
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temp\installer4_thin.exe/data0002 Infected: not-a-virus:AdWare.SafeSurfing.o
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temp\installer4_thin.exe/data0009 Infected: not-a-virus:AdWare.BetterInternet
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temp\installer4_thin.exe Infected: not-a-virus:AdWare.BetterInternet
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GJO98505\install[1].exe/stream/data0002 Infected: not-a-virus:AdWare.Adstart.c
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GJO98505\install[1].exe/stream/data0003 Infected: not-a-virus:AdWare.Adstart.b
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GJO98505\install[1].exe/stream/data0006 Infected: not-a-virus:AdWare.Adstart.d
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GJO98505\install[1].exe/stream/data0007 Infected: not-a-virus:AdWare.Adstart.i
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GJO98505\install[1].exe/stream Infected: not-a-virus:AdWare.Adstart.i
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\GJO98505\install[1].exe Infected: not-a-virus:AdWare.Adstart.i
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0001 Infected: not-a-virus:AdWare.BargainBuddy.q
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0002 Infected: not-a-virus:AdWare.BargainBuddy.q
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0004/stream/data0002 Infected: not-a-virus:AdWare.BargainBuddy.y
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0004/stream/data0005 Infected: not-a-virus:AdWare.BargainBuddy.ad
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0004/stream/data0006 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0004/stream/data0007 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0004/stream/data0008 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0004/stream Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0004 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0005/stream/data0005 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0005/stream/data0006 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0005/stream Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0005 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0006/stream/data0005 Infected: not-a-virus:AdWare.BargainBuddy.l
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0006/stream/data0006 Infected: not-a-virus:AdWare.BargainBuddy.y
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0006/stream/data0007 Infected: not-a-virus:AdWare.CashBack.b
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0006/stream/data0008 Infected: not-a-virus:AdWare.CashBack.d
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0006/stream Infected: not-a-virus:AdWare.CashBack.d
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream/data0006 Infected: not-a-virus:AdWare.CashBack.d
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe/stream Infected: not-a-virus:AdWare.CashBack.d
C:\Sathya Backup\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IZA5M30J\package_MARKETING58[1].exe Infected: not-a-virus:AdWare.CashBack.d
C:\Sathya Backup\Documents and Settings\Divya Satyapriya\Local Settings\Temporary Internet Files\Content.IE5\OVFPTUTI\google[1].htm Infected: Trojan-Downloader.JS.IstBar.z
C:\Sathya Backup\Documents and Settings\Divya Satyapriya\Local Settings\Temporary Internet Files\Content.IE5\QZB37W36\prompt[2].php Infected: Trojan-Downloader.JS.IstBar.ab
C:\Sathya Backup\Program Files\asys\VFX60_nok.exe Infected: Trojan-Dropper.Win32.Agent.tb
C:\Sathya Backup\WINDOWS\fuvtlp.exe Infected: not-a-virus:AdWare.BetterInternet.r
C:\Sathya Backup\WINDOWS\system32\bk.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.SurfSide.r
C:\Sathya Backup\WINDOWS\system32\bk.exe/InpB Infected: not-a-virus:AdWare.SurfSide.r
C:\Sathya Backup\WINDOWS\system32\bk.exe Infected: not-a-virus:AdWare.SurfSide.r
C:\Sathya Backup\WINDOWS\system32\datadx.dll Infected: Trojan-Downloader.Win32.Qoologic.ad
C:\Sathya Backup\WINDOWS\system32\p66upjkl.ini Infected: not-a-virus:AdWare.Sahat.ao
C:\Sathya Backup\WINDOWS\system32\shopinst.exe Infected: Trojan-Downloader.Win32.Small.apm
C:\Sathya Backup\WINDOWS\Temp\install.exe/stream/data0002 Infected: not-a-virus:AdWare.Adstart.c
C:\Sathya Backup\WINDOWS\Temp\install.exe/stream/data0003 Infected: not-a-virus:AdWare.Adstart.b
C:\Sathya Backup\WINDOWS\Temp\install.exe/stream/data0006 Infected: not-a-virus:AdWare.Adstart.d
C:\Sathya Backup\WINDOWS\Temp\install.exe/stream/data0007 Infected: not-a-virus:AdWare.Adstart.i
C:\Sathya Backup\WINDOWS\Temp\install.exe/stream Infected: not-a-virus:AdWare.Adstart.i
C:\Sathya Backup\WINDOWS\Temp\install.exe Infected: not-a-virus:AdWare.Adstart.i
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\C56NGH23\install[1].exe/stream/data0002 Infected: not-a-virus:AdWare.Adstart.c
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\C56NGH23\install[1].exe/stream/data0003 Infected: not-a-virus:AdWare.Adstart.b
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\C56NGH23\install[1].exe/stream/data0006 Infected: not-a-virus:AdWare.Adstart.d
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\C56NGH23\install[1].exe/stream/data0007 Infected: not-a-virus:AdWare.Adstart.i
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\C56NGH23\install[1].exe/stream Infected: not-a-virus:AdWare.Adstart.i
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\C56NGH23\install[1].exe Infected: not-a-virus:AdWare.Adstart.i
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0001 Infected: not-a-virus:AdWare.BargainBuddy.q
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0002 Infected: not-a-virus:AdWare.BargainBuddy.q
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0004/stream/data0002 Infected: not-a-virus:AdWare.BargainBuddy.y
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0004/stream/data0005 Infected: not-a-virus:AdWare.BargainBuddy.ad
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0004/stream/data0006 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0004/stream/data0007 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0004/stream/data0008 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0004/stream Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0004 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0005/stream/data0005 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0005/stream/data0006 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0005/stream Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0005 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0006/stream/data0005 Infected: not-a-virus:AdWare.BargainBuddy.l
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0006/stream/data0006 Infected: not-a-virus:AdWare.BargainBuddy.y
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0006/stream/data0007 Infected: not-a-virus:AdWare.CashBack.b
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0006/stream/data0008 Infected: not-a-virus:AdWare.CashBack.d
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0006/stream Infected: not-a-virus:AdWare.CashBack.d
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream/data0006 Infected: not-a-virus:AdWare.CashBack.d
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe/stream Infected: not-a-virus:AdWare.CashBack.d
C:\Sathya Backup\WINDOWS\Temp\Temporary Internet Files\Content.IE5\S96F4HIR\package_MARKETING58[1].exe Infected: not-a-virus:AdWare.CashBack.d
C:\WINDOWS\system32\GSM3-0511.exe/data0002 Infected: Trojan.Win32.Registrator.b
C:\WINDOWS\system32\GSM3-0511.exe/data0003 Infected: Trojan-Downloader.Win32.Small.ayh
C:\WINDOWS\system32\GSM3-0511.exe Infected: Trojan-Downloader.Win32.Small.ayh
C:\WINDOWS\system32\InstallerV5.exe/data0006 Infected: Backdoor.Win32.HacDef.bo
C:\WINDOWS\system32\InstallerV5.exe Infected: Backdoor.Win32.HacDef.bo
C:\WINDOWS\system32\mc-110-12-0000079.exe Infected: not-a-virus:AdWare.Maxifiles.f
C:\WINDOWS\system32\netlanm.dll Infected: not-a-virus:AdWare.SafeSurfing.t
C:\WINDOWS\system32\VB3.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\WINDOWS\system32\ventura-hot_246765.exe/data0003 Infected: not-a-virus:AdWare.ToolBar.HotSearchBar.i
C:\WINDOWS\system32\ventura-hot_246765.exe Infected: not-a-virus:AdWare.ToolBar.HotSearchBar.i

Scan process completed.

Edited by RoshDogg, 07 September 2005 - 12:21 PM.

  • 0

#9
Guse

Guse

    Visiting Staff

  • Member
  • PipPipPip
  • 624 posts
Sounds good. Just post as a new reply when you get it.
  • 0

#10
RoshDogg

RoshDogg

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Well here is my new log after getting rid of a whole bunch - but now system restore is back, bringing many friends :/

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, September 07, 2005 16:28:41
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 7/09/2005
Kaspersky Anti-Virus database records: 148168
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
I:\
N:\
S:\
V:\

Scan Statistics:
Total number of scanned objects: 151415
Number of viruses found: 29
Number of infected objects: 87
Number of suspicious objects: 0
Duration of the scan process: 4276 sec

Infected Object Name - Virus Name
C:\Program Files\Cas\Client\casmf.dll Infected: not-a-virus:AdWare.CASClient.a
C:\Program Files\Common Files\InetGet\mc-110-12-0000079.exe Infected: not-a-virus:AdWare.Maxifiles.h
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000011.exe Infected: not-a-virus:AdWare.BetterInternet.r
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000153.exe/stream/data0002 Infected: not-a-virus:AdWare.Adstart.c
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000153.exe/stream/data0003 Infected: not-a-virus:AdWare.Adstart.b
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000153.exe/stream/data0006 Infected: not-a-virus:AdWare.Adstart.d
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000153.exe/stream/data0007 Infected: not-a-virus:AdWare.Adstart.i
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000153.exe/stream Infected: not-a-virus:AdWare.Adstart.i
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000153.exe Infected: not-a-virus:AdWare.Adstart.i
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000158.exe/stream/data0001 Infected: not-a-virus:AdWare.BargainBuddy.q
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000158.exe/stream/data0002 Infected: not-a-virus:AdWare.BargainBuddy.q
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000158.exe/stream/data0004/stream/data0002 Infected: not-a-virus:AdWare.BargainBuddy.y
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000158.exe/stream/data0004/stream/data0005 Infected: not-a-virus:AdWare.BargainBuddy.ad
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000158.exe/stream/data0004/stream/data0006 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000158.exe/stream/data0004/stream/data0007 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000158.exe/stream/data0004/stream/data0008 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000158.exe/stream/data0004/stream Infected: not-a-virus:AdWare.BargainBuddy.n
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000158.exe/stream/data0004 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000158.exe/stream/data0005/stream/data0005 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000158.exe/stream/data0005/stream/data0006 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000158.exe/stream/data0005/stream Infected: not-a-virus:AdWare.BargainBuddy.n
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000158.exe/stream/data0005 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000158.exe/stream/data0006/stream/data0005 Infected: not-a-virus:AdWare.BargainBuddy.l
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000158.exe/stream/data0006/stream/data0006 Infected: not-a-virus:AdWare.BargainBuddy.y
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000158.exe/stream/data0006/stream/data0007 Infected: not-a-virus:AdWare.CashBack.b
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000158.exe/stream/data0006/stream/data0008 Infected: not-a-virus:AdWare.CashBack.d
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000158.exe/stream/data0006/stream Infected: not-a-virus:AdWare.CashBack.d
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000158.exe/stream/data0006 Infected: not-a-virus:AdWare.CashBack.d
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000158.exe/stream Infected: not-a-virus:AdWare.CashBack.d
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000158.exe Infected: not-a-virus:AdWare.CashBack.d
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000161.exe/stream/data0002 Infected: not-a-virus:AdWare.Adstart.c
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000161.exe/stream/data0003 Infected: not-a-virus:AdWare.Adstart.b
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000161.exe/stream/data0006 Infected: not-a-virus:AdWare.Adstart.d
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000161.exe/stream/data0007 Infected: not-a-virus:AdWare.Adstart.i
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000161.exe/stream Infected: not-a-virus:AdWare.Adstart.i
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000161.exe Infected: not-a-virus:AdWare.Adstart.i
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000260.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.SurfSide.r
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000260.exe/InpB Infected: not-a-virus:AdWare.SurfSide.r
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000260.exe Infected: not-a-virus:AdWare.SurfSide.r
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000396.dll Infected: Trojan-Downloader.Win32.Qoologic.ad
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0001414.ini Infected: not-a-virus:AdWare.Sahat.ao
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0001668.exe Infected: Trojan-Downloader.Win32.Small.apm
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0011756.exe Infected: Trojan-Dropper.Win32.Agent.tb
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012173.exe/stream/data0001 Infected: not-a-virus:AdWare.BargainBuddy.q
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012173.exe/stream/data0002 Infected: not-a-virus:AdWare.BargainBuddy.q
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012173.exe/stream/data0004/stream/data0002 Infected: not-a-virus:AdWare.BargainBuddy.y
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012173.exe/stream/data0004/stream/data0005 Infected: not-a-virus:AdWare.BargainBuddy.ad
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012173.exe/stream/data0004/stream/data0006 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012173.exe/stream/data0004/stream/data0007 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012173.exe/stream/data0004/stream/data0008 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012173.exe/stream/data0004/stream Infected: not-a-virus:AdWare.BargainBuddy.n
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012173.exe/stream/data0004 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012173.exe/stream/data0005/stream/data0005 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012173.exe/stream/data0005/stream/data0006 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012173.exe/stream/data0005/stream Infected: not-a-virus:AdWare.BargainBuddy.n
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012173.exe/stream/data0005 Infected: not-a-virus:AdWare.BargainBuddy.n
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012173.exe/stream/data0006/stream/data0005 Infected: not-a-virus:AdWare.BargainBuddy.l
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012173.exe/stream/data0006/stream/data0006 Infected: not-a-virus:AdWare.BargainBuddy.y
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012173.exe/stream/data0006/stream/data0007 Infected: not-a-virus:AdWare.CashBack.b
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012173.exe/stream/data0006/stream/data0008 Infected: not-a-virus:AdWare.CashBack.d
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012173.exe/stream/data0006/stream Infected: not-a-virus:AdWare.CashBack.d
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012173.exe/stream/data0006 Infected: not-a-virus:AdWare.CashBack.d
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012173.exe/stream Infected: not-a-virus:AdWare.CashBack.d
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012173.exe Infected: not-a-virus:AdWare.CashBack.d
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012179.exe/stream/data0002 Infected: not-a-virus:AdWare.Adstart.c
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012179.exe/stream/data0003 Infected: not-a-virus:AdWare.Adstart.b
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012179.exe/stream/data0006 Infected: not-a-virus:AdWare.Adstart.d
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012179.exe/stream/data0007 Infected: not-a-virus:AdWare.Adstart.i
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012179.exe/stream Infected: not-a-virus:AdWare.Adstart.i
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012179.exe Infected: not-a-virus:AdWare.Adstart.i
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012214.exe/data0002/data0001 Infected: not-a-virus:AdWare.SafeSurfing.o
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012214.exe/data0002 Infected: not-a-virus:AdWare.SafeSurfing.o
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012214.exe/data0009 Infected: not-a-virus:AdWare.BetterInternet
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012214.exe Infected: not-a-virus:AdWare.BetterInternet
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012439.exe/data0011/data0112 Infected: not-a-virus:AdWare.WinAD
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012439.exe/data0011 Infected: not-a-virus:AdWare.WinAD
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0012439.exe Infected: not-a-virus:AdWare.WinAD
C:\WINDOWS\system32\GSM3-0511.exe/data0002 Infected: Trojan.Win32.Registrator.b
C:\WINDOWS\system32\GSM3-0511.exe/data0003 Infected: Trojan-Downloader.Win32.Small.ayh
C:\WINDOWS\system32\GSM3-0511.exe Infected: Trojan-Downloader.Win32.Small.ayh
C:\WINDOWS\system32\InstallerV5.exe/data0006 Infected: Backdoor.Win32.HacDef.bo
C:\WINDOWS\system32\InstallerV5.exe Infected: Backdoor.Win32.HacDef.bo
C:\WINDOWS\system32\mc-110-12-0000079.exe Infected: not-a-virus:AdWare.Maxifiles.f
C:\WINDOWS\system32\netlanm.dll Infected: not-a-virus:AdWare.SafeSurfing.t
C:\WINDOWS\system32\VB3.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\WINDOWS\system32\ventura-hot_246765.exe/data0003 Infected: not-a-virus:AdWare.ToolBar.HotSearchBar.i
C:\WINDOWS\system32\ventura-hot_246765.exe Infected: not-a-virus:AdWare.ToolBar.HotSearchBar.i

Scan process completed.
  • 0


#11
Guse

Guse

    Visiting Staff

  • Member
  • PipPipPip
  • 624 posts
I should have thought about that! Your system restore has saved all the bad files you just deleted. We'll have to reset the points 1 more time and re-run the scan.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb;en-us;310405

Then, run the Kaspersky web scan again and post the results of that along with another HijackThis log. I think we're almost there.
  • 0
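As an added illustration of the point Guse makes above (not code from the thread, from Geeks to Go or from Kaspersky), here is a small Python script that reads a Kaspersky On-line Scanner report of the shape posted in this thread, separates detections on live files from detections inside System Restore snapshots, and compares two reports to show which detections only moved into a restore point. The two reports embedded in it are constructed from a few lines in the shape of the posts above and are not complete copies of them.

```python
"""Split a Kaspersky On-line Scanner report into live-file detections and
detections held in System Restore snapshots, and compare two reports.

Added example for this thread, not Kaspersky's or the forum's own code.
The two reports below are constructed from a few lines shaped like the
ones posted above; they are not complete copies of those reports."""
import re

# Report body lines look like "<path>[/<nested entry>...] Infected: <name>".
DETECTION_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<name>\S+)$")

# System Restore keeps its snapshots under this folder on each volume.
RESTORE_DIR_RE = re.compile(
    r"\\System Volume Information\\_restore\{[^}]+\}\\", re.IGNORECASE
)

# Constructed sample: earlier scan, bad files still on the live file system.
REPORT_BEFORE = r"""
Infected Object Name - Virus Name
C:\Sathya Backup\WINDOWS\fuvtlp.exe Infected: not-a-virus:AdWare.BetterInternet.r
C:\Sathya Backup\WINDOWS\system32\datadx.dll Infected: Trojan-Downloader.Win32.Qoologic.ad
C:\Sathya Backup\WINDOWS\Temp\install.exe/stream/data0002 Infected: not-a-virus:AdWare.Adstart.c
C:\Sathya Backup\WINDOWS\Temp\install.exe/stream Infected: not-a-virus:AdWare.Adstart.i
C:\Sathya Backup\WINDOWS\Temp\install.exe Infected: not-a-virus:AdWare.Adstart.i
C:\WINDOWS\system32\GSM3-0511.exe/data0002 Infected: Trojan.Win32.Registrator.b
C:\WINDOWS\system32\GSM3-0511.exe Infected: Trojan-Downloader.Win32.Small.ayh

Scan process completed.
"""

# Constructed sample: later scan, after the old backup folder was deleted.
# System Restore had already copied the deleted files into a restore point.
REPORT_AFTER = r"""
Infected Object Name - Virus Name
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000011.exe Infected: not-a-virus:AdWare.BetterInternet.r
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000153.exe/stream/data0002 Infected: not-a-virus:AdWare.Adstart.c
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000153.exe/stream Infected: not-a-virus:AdWare.Adstart.i
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000153.exe Infected: not-a-virus:AdWare.Adstart.i
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000396.dll Infected: Trojan-Downloader.Win32.Qoologic.ad
C:\WINDOWS\system32\GSM3-0511.exe/data0002 Infected: Trojan.Win32.Registrator.b
C:\WINDOWS\system32\GSM3-0511.exe Infected: Trojan-Downloader.Win32.Small.ayh

Scan process completed.
"""


def parse_report(text):
    """Yield (object, detection name) for every detection line in a report."""
    for line in text.splitlines():
        match = DETECTION_RE.match(line.strip())
        if match:
            yield match.group("obj"), match.group("name")


def container_file(obj):
    """Collapse nested archive entries to the file that holds them, e.g.
    'C:\\x\\a.exe/stream/data0002' -> 'C:\\x\\a.exe'. Windows paths use
    backslashes, so the first forward slash starts the nested part."""
    return obj.split("/", 1)[0]


def in_restore_point(path):
    """True if the path lies inside a System Restore snapshot."""
    return RESTORE_DIR_RE.search(path) is not None


def summarise(text):
    """Group detections by container file and by location (live file system
    vs restore point). Buckets map file path -> set of detection names."""
    live, restore = {}, {}
    for obj, name in parse_report(text):
        path = container_file(obj)
        bucket = restore if in_restore_point(path) else live
        bucket.setdefault(path, set()).add(name)
    return {
        "live_files": live,
        "restore_point_files": restore,
        "live_count": len(live),
        "restore_point_count": len(restore),
    }


def _names(bucket):
    """All detection names across one bucket of files."""
    return set().union(*bucket.values()) if bucket else set()


def reappeared_in_restore(before_text, after_text):
    """Detection names that were on live files in the earlier report, are no
    longer on live files in the later one, but now show up inside a restore
    point: the copies System Restore kept of the files that were deleted."""
    before, after = summarise(before_text), summarise(after_text)
    gone_from_live = _names(before["live_files"]) - _names(after["live_files"])
    return gone_from_live & _names(after["restore_point_files"])
```

Running `summarise` on a real report before and after a clean-up, and `reappeared_in_restore` on the pair, shows at a glance whether the remaining hits are live files or only restore-point copies that clearing the restore points will remove.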

#12
RoshDogg

RoshDogg

    New Member

  • Topic Starter
  • Member
  • Pip
  • 9 posts
Here is a new HiJack This log and Kaspersky log.

Logfile of HijackThis v1.99.1
Scan saved at 6:24:18 PM, on 9/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WinMX\WinMX.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BOINC\projects\einstein.phys.uwm.edu\einstein_4.79_windows_intelx86.exe
C:\Documents and Settings\roshdogg.HOME1\Desktop\Geeks To Go Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ve3d.ign.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinMX] C:\WinMX\WinMX.exe -m
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120046548109
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.pc.ibm.c...er/IbmEgath.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = home1.local
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BOINC - Unknown owner - C:\Program Files\BOINC\boinc.exe" -daemon (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, September 08, 2005 18:24:34
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 8/09/2005
Kaspersky Anti-Virus database records: 148306
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
I:\
N:\
S:\
V:\

Scan Statistics:
Total number of scanned objects: 139141
Number of viruses found: 10
Number of infected objects: 13
Number of suspicious objects: 0
Duration of the scan process: 4068 sec

Infected Object Name - Virus Name
C:\Program Files\Cas\Client\casmf.dll Infected: not-a-virus:AdWare.CASClient.a
C:\Program Files\Common Files\InetGet\mc-110-12-0000079.exe Infected: not-a-virus:AdWare.Maxifiles.h
C:\WINDOWS\system32\GSM3-0511.exe/data0002 Infected: Trojan.Win32.Registrator.b
C:\WINDOWS\system32\GSM3-0511.exe/data0003 Infected: Trojan-Downloader.Win32.Small.ayh
C:\WINDOWS\system32\GSM3-0511.exe Infected: Trojan-Downloader.Win32.Small.ayh
C:\WINDOWS\system32\InstallerV5.exe/data0006 Infected: Backdoor.Win32.HacDef.bo
C:\WINDOWS\system32\InstallerV5.exe Infected: Backdoor.Win32.HacDef.bo
C:\WINDOWS\system32\mc-110-12-0000079.exe Infected: not-a-virus:AdWare.Maxifiles.f
C:\WINDOWS\system32\netlanm.dll Infected: not-a-virus:AdWare.SafeSurfing.t
C:\WINDOWS\system32\VB3.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\WINDOWS\system32\ventura-hot_246765.exe/data0003 Infected: not-a-virus:AdWare.ToolBar.HotSearchBar.i
C:\WINDOWS\system32\ventura-hot_246765.exe Infected: not-a-virus:AdWare.ToolBar.HotSearchBar.i
C:\WINDOWS\vecdbm.exe Infected: not-a-virus:AdWare.BetterInternet.aa

Scan process completed.

#13
Guse
    Visiting Staff
  • Member
  • 624 posts
Quick question: what are you using for virus detection/defense? I'm not seeing a program...

Try another online scan here at BitDefender. Click the SCAN ONLINE button on the far left of the screen.

Make sure you select any alternatives to clean automatically.

Also, if you're not using virus protection, let me know. Without that, we're both spinning our wheels here.

#14
RoshDogg
    New Member
  • Topic Starter
  • Member
  • 9 posts
I'm using ewido, but I'm not running it all the time; before that, nothing. I know it's bad... I never had a problem before. So should I enable the service to run and schedule scans too? Let me try BitDefender, then I'll get back to you.

#15
RoshDogg
    New Member
  • Topic Starter
  • Member
  • 9 posts
Here is my new HiJackThis log and the log from BitDefender.

Logfile of HijackThis v1.99.1
Scan saved at 8:56:17 PM, on 9/8/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\D-Tools\daemon.exe
C:\WINDOWS\system32\taskswitch.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WinMX\WinMX.exe
C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
C:\Program Files\BOINC\boincmgr.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\BOINC\projects\einstein.phys.uwm.edu\einstein_4.79_windows_intelx86.exe
C:\Documents and Settings\roshdogg.HOME1\Desktop\Geeks To Go Files\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ve3d.ign.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\system32\taskswitch.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WinMX] C:\WinMX\WinMX.exe -m
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - Startup: BOINC Manager.lnk = C:\Program Files\BOINC\boincmgr.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://www.bitdefend...can8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1120046548109
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.pc.ibm.c...er/IbmEgath.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = home1.local
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: BOINC - Unknown owner - C:\Program Files\BOINC\boinc.exe" -daemon (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe

BitDefender Online Scanner

Scan report generated at: Thu, Sep 08, 2005 - 20:35:43
Scan path: A:\;C:\;I:\;N:\;S:\;V:\;

Statistics
Time: 00:31:38
Files: 356630
Folders: 10358
Boot Sectors: 4
Archives: 1983
Packed Files: 53561

Results
Identified Viruses: 5
Infected Files: 6
Suspect Files: 1
Warnings: 0
Disinfected: 0
Deleted Files: 7

Engines Info
Virus Definitions: 205230
Engine build: AVCORE v1.0 (build 2292) (i386) (Mar 3 2005 11:57:29)
Scan plugins: 13
Archive plugins: 39
Unpack plugins: 4
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: exe;com;dll;ocx;scr;bin;dat;386;vxd;sys;wdm;cla;class;ovl;ole;hlp;doc;dot;xls;ppt;wbk;wiz;pot;ppa;xla;xlt;vbs;vbe;mdb;rtf;htm;hta;html;xml;xtp;php;asp;js;shs;chm;lnk;pif;prc;url;smm;pfd;msi;ini;csc;cmd;bas;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File - Status
C:\Sathya Backup\Program Files\AIM\Sysfiles\WxBug.EXE=>wise0008 - Detected with: Adware.Wheaterbug.A
C:\Sathya Backup\Program Files\AIM\Sysfiles\WxBug.EXE=>wise0008 - Disinfection failed
C:\Sathya Backup\Program Files\AIM\Sysfiles\WxBug.EXE=>wise0008 - Deleted
C:\Sathya Backup\Program Files\AIM\Sysfiles\WxBug.EXE - Update failed
C:\Sathya Backup\temp\CtxPack6.exe - Infected with: Dropped:Trojan.Downloader.Apropo.AB
C:\Sathya Backup\temp\CtxPack6.exe - Disinfection failed
C:\Sathya Backup\temp\CtxPack6.exe - Deleted
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000008.exe - Infected with: Dropped:Trojan.Downloader.Apropo.AB
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000008.exe - Disinfection failed
C:\System Volume Information\_restore{55BD96AE-7B4A-4FB5-9686-5F6A3D1364F2}\RP1\A0000008.exe - Deleted
C:\WINDOWS\system32\GSM3-0511.exe - Infected with: Trojan.Registrator.B
C:\WINDOWS\system32\GSM3-0511.exe - Disinfection failed
C:\WINDOWS\system32\GSM3-0511.exe - Deleted
C:\WINDOWS\system32\InstallerV5.exe=>(NSIS o)=>zlib_nsis0005 - Suspected of: Backdoor.Win32.Hacdef.Gen
C:\WINDOWS\system32\InstallerV5.exe=>(NSIS o)=>zlib_nsis0005 - Disinfection failed
C:\WINDOWS\system32\InstallerV5.exe=>(NSIS o)=>zlib_nsis0005 - Deleted
C:\WINDOWS\system32\InstallerV5.exe=>(NSIS o) - Update failed
C:\WINDOWS\system32\VB3.exe - Infected with: Dropped:Trojan.Downloader.Small.ABD
C:\WINDOWS\system32\VB3.exe - Disinfection failed
C:\WINDOWS\system32\VB3.exe - Deleted
C:\WINDOWS\vecdbm.exe - Infected with: Trojan.Clicker.Aura.A
C:\WINDOWS\vecdbm.exe - Disinfection failed
C:\WINDOWS\vecdbm.exe - Deleted