Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Hacktool.rootkit and Remon.sys

Started by Kirsch , Oct 04 2005 02:22 PM

Please log in to reply

#1
Kirsch

Posted 04 October 2005 - 02:22 PM

New Member

Member
5 posts

Hi guys, I'm having some problems. I have followed everystep in the sticky and still NAV is telling me I have hacktool.rootkit on remon.sys. Not only that but the bug is on both my laptop and my dekstop!

It's really been slowing my computer down and little things here and there don't work all of the time. Sometimes programs won't open. IE doesn't work at all (even though I never ever use it) and Firefox freezes sometimes. Sometimes Task Manager won't open. Argh!

Here is my HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 4:17:42 PM, on 10/4/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\System32\CCUPD32.EXE
C:\WINDOWS\System32\BTUPD32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\taskcntr.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nancies.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O1 - Hosts: 207.68.172.246 msn.com
O1 - Hosts: 207.68.172.246 msn.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Yahoo Updater] Messenger.exe
O4 - HKLM\..\Run: [nortonav] C:\WINDOWS\System32\CCUPD32.EXE
O4 - HKLM\..\Run: [Microsoft Windows 32 Update] C:\WINDOWS\System32\BTUPD32.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunServices: [Yahoo Updater] Messenger.exe
O4 - HKLM\..\RunServices: [Windows Update 64] nbupd64.exe
O4 - HKLM\..\RunServices: [Windows Process Manager] winproc.exe
O4 - HKCU\..\Run: [dplayx] C:\WINDOWS\System32\dplayx.exe
O4 - HKCU\..\Run: [uxtheme] C:\WINDOWS\System32\uxtheme.exe
O4 - HKCU\..\Run: [Yahoo Updater] Messenger.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - Startup: OpenOffice.org 1.0.3.lnk = C:\Program Files\OpenOffice.org1.0.3\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1127693317357
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: TASKESV (TESV) - Unknown owner - C:\WINDOWS\taskcntr.exe

Thank you very much. Your help is greatly appreciated!

Here is my Ewido scan log too.

Well I did have one... now I can't find it...

EDIT: Here it is, hot off the presses.

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 5:22:54 PM, 10/4/2005
+ Report-Checksum: 780E2506

+ Scan result:

:mozilla.17:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.18:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.19:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.20:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.21:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.2o7 : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.86:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.87:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.88:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.89:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.90:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.117:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.118:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.119:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
:mozilla.134:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.135:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.136:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.137:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Specificclick : Cleaned with backup
:mozilla.139:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.141:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.142:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Hitbox : Cleaned with backup
:mozilla.146:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Mediaplex : Cleaned with backup
:mozilla.148:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Questionmarket : Cleaned with backup
:mozilla.149:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.150:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.151:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.152:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.153:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.165:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.166:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.167:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.168:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Hitslink : Cleaned with backup
:mozilla.177:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.178:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.179:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.180:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.181:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.182:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.183:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Trafficmp : Cleaned with backup
:mozilla.196:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.197:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Adserver : Cleaned with backup
:mozilla.205:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.206:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.207:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.213:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Bridgetrack : Cleaned with backup
:mozilla.218:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.219:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Centrport : Cleaned with backup
:mozilla.220:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.221:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.222:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.223:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.224:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.230:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.231:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.232:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.233:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Pointroll : Cleaned with backup
:mozilla.234:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.235:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
C:\WINDOWS\__delete_on_reboot__taskcntr.exe -> Backdoor.SdBot.aad : Cleaned with backup

Edited by ~Kat~, 04 October 2005 - 03:39 PM.

#2
Wizard

Posted 04 October 2005 - 04:23 PM

Retired Staff

Retired Staff
5,661 posts

Hi Kirsch,

Lets see what we can do about this!

Please Download the Zip below
http://www.atribune....oads/kirsch.zip

Right Click the Zip and Select Extract All Files but dont run it just yet!

Please follow all instructions as specified. Print these instructions to ensure all are followed.

Please download the following programs, but do not run them yet:

* rdrivRem.zip

Unzip it to your desktop.

* Ewido Security Suite

Install ewido security suite
Launch ewido, there should be a big E icon on your desktop, double-click it.
The program will prompt you to update click the OK button
The program will now go to the main screen
You will need to update ewido to the latest definition files.
On the left hand side of the main screen click update
Click on Start
The update will start and a progress bar will show the updates being installed
After the updates are installed exit Ewido.

* CleanUp!

Install it.

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight "Safe Mode" then hit enter.

1.) Please go into the rdrivrem folder and double-click rdrivRem.bat to run the program - follow the instructions on the screen. After it's complete, rdriv.txt will be created in the rdrivRem folder.

2.) Double-click the Ewido Security Suite icon to run the program.

Click on scanner
Click Complete System Scan
Let the program scan the machine

While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "remove", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report

Click Save report
Save the report to your desktop
Exit Ewido

3.) Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

Empty Recycle Bins
Delete Cookies
Delete Prefetch files
Cleanup! All Users

Click OK
Press the CleanUp! button to start the program.
**If it asks if you want to reboot or log off press NO.

4.) After Cleanup! is finished, Open the kirsh folder and double click kirsh.bat

A dos window will appear and disappear quickly-> After the dos window closes Reboot your computer into normal mode.

5.) Make sure your firewall is on. Make sure you can turn it off then turn it back on and that nothing is greyed out.
Also, Make sure your Anti-Virus program is working properly - you can turn on and off auto-protect, etc.

6.) Run BOTH of these online virus scans (NOT at the same time!):
ActiveScan
TrendMicro's HouseCall - check "Auto Clean"

Save the results from ActiveScan.

I need you to post the contents of rdriv.txt, the log from Ewido, the log from ActiveScan, and a new HiJackThis log into this topic.

#3
Kirsch

Posted 04 October 2005 - 06:04 PM

New Member

Topic Starter
Member
5 posts

Here you go:

RDriv Log

~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~

~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~

~~~~~~~~~~~~~ Post run File Check ~~~~~~~~~~~~~

~~~~~~~~~~~~~ Pre-run File Check ~~~~~~~~~~~~~

sysmanager.exe present!

~~~~~~~~~~~~~ Post run File Check ~~~~~~~~~~~~~

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:42:27 PM, 10/4/2005
+ Report-Checksum: 27194532

+ Scan result:

:mozilla.23:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.24:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Kirschdaddy\Application Data\Mozilla\Firefox\Profiles\default.luw\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup

::Report End

HiJackThis Log

Logfile of HijackThis v1.99.1
Scan saved at 8:03:33 PM, on 10/4/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\System32\CCUPD32.EXE
C:\WINDOWS\System32\BTUPD32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\OpenOffice.org1.0.3\program\soffice.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nancies.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [Yahoo Updater] Messenger.exe
O4 - HKLM\..\Run: [nortonav] C:\WINDOWS\System32\CCUPD32.EXE
O4 - HKLM\..\Run: [Microsoft Windows 32 Update] C:\WINDOWS\System32\BTUPD32.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\RunServices: [Yahoo Updater] Messenger.exe
O4 - HKLM\..\RunServices: [Windows Update 64] nbupd64.exe
O4 - HKLM\..\RunServices: [Windows Process Manager] winproc.exe
O4 - HKCU\..\Run: [dplayx] C:\WINDOWS\System32\dplayx.exe
O4 - HKCU\..\Run: [uxtheme] C:\WINDOWS\System32\uxtheme.exe
O4 - HKCU\..\Run: [Yahoo Updater] Messenger.exe
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - Startup: OpenOffice.org 1.0.3.lnk = C:\Program Files\OpenOffice.org1.0.3\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1127693317357
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Edited by Kirsch, 04 October 2005 - 06:04 PM.

#4
Wizard

Posted 04 October 2005 - 06:42 PM

Retired Staff

Retired Staff
5,661 posts

Sorry I missed you in Chat!

Dont worry about the Online Scanner,it only works with Internet Explorer!

Download WinPFind:
http://www.bleepingc...es/winpfind.php

Right Click the Zip Folder and Select "Extract All"

Don't use it yet!

Download this Repair Tool from Sophos
http://www.sophos.co...rs/forbtgui.com

Download the File and Double Click forbtgui.com to execute!

Click Accept and GO and let the tool do its thing!

Download Pocket KillBox from here:
http://www.atribune....ads/KillBox.exe

Highlight the list below and press Ctrl+C to Copy!

C:\WINDOWS\WINPROC.exe
C:\WINDOWS\HOOKCLK.DLL
C:\WINDOWS\HOOKKEY.DLL
C:\WINDOWS\ARQEVE.TXT
C:\WINDOWS\ARQKEY.TXT
C:\WINDOWS\ARQCLK.TXT
C:\WINDOWS\HOOKIMG.DBF
C:\WINDOWS\HOOKIMG.DBT
C:\WINDOWS\System32\Messenger.exe
C:\WINDOWS\System32\winproc.exe
C:\WINDOWS\System32\nbupd64.exe
C:\WINDOWS\System32\dplayx.exe
C:\WINDOWS\System32\uxtheme.exe
C:\WINDOWS\System32\CCUPD32.EXE
C:\WINDOWS\System32\BTUPD32.EXE

Open Pocket Killbox-> Click File-> Click Paste from Clipboard!

Place a tick by Delete on Reboot-> Click the Red Circle to Delete!

Click Yes to the Prompts that follow and let Killbox Reboot the PC!

Reboot into SAFE MODE(Tap F8 when restarting)
Here is a link on how to boot into Safe Mode:
http://service1.syma...src=sec_doc_nam

Once in Safe Mode-> Run each entry through Killbox again,one at a time,place a tick by any of these selections available

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"

Click the Red Circle with the White X in the Middle to Delete!

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com

O4 - HKLM\..\Run: [Yahoo Updater] Messenger.exe

O4 - HKLM\..\Run: [nortonav] C:\WINDOWS\System32\CCUPD32.EXE

O4 - HKLM\..\Run: [Microsoft Windows 32 Update] C:\WINDOWS\System32\BTUPD32.EXE

O4 - HKLM\..\RunServices: [Yahoo Updater] Messenger.exe

O4 - HKLM\..\RunServices: [Windows Update 64] nbupd64.exe

O4 - HKLM\..\RunServices: [Windows Process Manager] winproc.exe

O4 - HKCU\..\Run: [dplayx] C:\WINDOWS\System32\dplayx.exe

O4 - HKCU\..\Run: [uxtheme] C:\WINDOWS\System32\uxtheme.exe

O4 - HKCU\..\Run: [Yahoo Updater] Messenger.exe

O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab

O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!

From the WinPFind folder-> Doubleclick WinPFind.exe and Click "Start Scan"

It will scan the entire System, so please be patient!

One you see "Scan Complete"-> a log (WinPFind.txt) will be automatically generated in the WinPFind folder!

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK!

Under the "General" Tab
Make Sure Normal Startup is Checked!!

Click Apply>>Close>>Follow the Prompts to Restart!!

Restart Normal and have the PC Scanned here:
HouseCall

Save the Report

Post back with a fresh HijackThis log and the reports from WinPFind and House Call!

#5
Wizard

Posted 04 October 2005 - 07:26 PM

Retired Staff

Retired Staff
5,661 posts

Hit and Miss!

Thanks Michelle for keeping us connected!

Since WinPFind wont run,lets try something else!

Please RIGHT-CLICK HERE to download Silent Runner's.

Save it to the desktop.
Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
You will receive a prompt:
- Do you want to skip supplementary searches?
  click NO
You will see a text file appear on the desktop - it's not done, let it run (it won't appear to be doing anything!)
Once you receive the prompt All Done!, open the text file on the desktop, copy that entire log, and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

Now generate a HijackThis Startup List Log

Hijackthis StartUp Log:
Open HijackThis,Select Config(Bottom Right)>>>Select Misc Tools>>> Select Generate StartUpList log and make sure that both Boxes beside it are checked:

Put a check by:
List all minor sections(Full)
and
List Empty Sections(Complete)

It will produce a NotePad Page,I need you to post the entire contents of that page to the next post!

#6
Kirsch

Posted 04 October 2005 - 10:10 PM

New Member

Topic Starter
Member
5 posts

Here we go the logs:

Also of note after my computer remains running for awhile when I try to save things whatever program it is that is trying to save freezes and stops responding... Notepad, HJT, Firefox, etc...

HJT

Logfile of HijackThis v1.99.1
Scan saved at 12:01:02 AM, on 10/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\WINDOWS\System32\??rvices.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nancies.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe
O4 - HKLM\..\Run: [itbjbiva] C:\WINDOWS\System32\gqbvil.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [Uagem] C:\WINDOWS\System32\??rvices.exe
O4 - HKCU\..\Run: [Raam] C:\Documents and Settings\Kirschdaddy\Application Data\epsw.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 1.0.3.lnk = C:\Program Files\OpenOffice.org1.0.3\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1127693317357
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Silent Runner:

"Silent Runners.vbs", revision 40.1, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"

Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Steam" = "C:\Program Files\Valve\Steam\\Steam.exe -silent" ["Valve Corporation"]
"Uagem" = (value not set)
"Start WingMan Profiler" = (empty string)
"Raam" = "C:\Documents and Settings\Kirschdaddy\Application Data\epsw.exe" [file not found]
"MSMSGS" = ""C:\Program Files\Messenger\msmsgs.exe" /background" [MS]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"ATIPTA" = ""C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"" ["ATI Technologies, Inc."]
"NeroCheck" = "C:\WINDOWS\System32\NeroCheck.exe" ["Ahead Software Gmbh"]
"NvMixerTray" = "C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe" ["NVIDIA Corporation"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]
"SunJavaUpdateSched" = "C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe" [null data]
"EM_EXEC" = "C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" ["Logitech Inc. "]
"Creative WebCam Tray" = "C:\Program Files\Creative\Shared Files\CAMTRAY.EXE" [file not found]
"KernelFaultCheck" = "%systemroot%\system32\dumprep 0 -k" [MS]
"WatchDog" = "C:\Program Files\mobile PhoneTools\WatchDog.exe" [file not found]
"Motive SmartBridge" = "C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" ["Motive Communications, Inc."]
"Logitech Hardware Abstraction Layer" = "KHALMNPR.EXE" ["Logitech Inc."]
"iTunesHelper" = ""C:\Program Files\iTunes\iTunesHelper.exe"" ["Apple Computer, Inc."]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"vptray" = "C:\PROGRA~1\SYMANT~1\VPTray.exe" ["Symantec Corporation"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"THGuard" = ""C:\Program Files\TrojanHunter 4.2\THGuard.exe"" ["Mischel Internet Security"]
"Windows SA" = "C:\Program Files\WindowsSA\omniscient.exe" [file not found]
"WebRebates0" = ""C:\Program Files\Web_Rebates\WebRebates0.exe"" [file not found]
"VVSN" = "C:\Program Files\VVSN\VVSN.exe" [file not found]
"Power Scan" = "C:\Program Files\Power Scan\powerscan.exe" [file not found]
"itbjbiva" = "C:\WINDOWS\System32\gqbvil.exe" [file not found]
"Internet Optimizer" = ""C:\Program Files\Internet Optimizer\optimize.exe"" [file not found]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{FED7043D-346A-414D-ACD7-550D052499A7}" = "dBpowerAMP Music Converter 1"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dBShell.dll" [empty string]
"{2C49B5D0-ACE7-4D17-9DF0-A254A6C5A0C5}" = "dBpowerAMP Music Converter"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Illustrate\dBpowerAMP\dMCShell.dll" [empty string]
"{BDA77241-42F6-11d0-85E2-00AA001FE28C}" = "LDVP Shell Extensions"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
INFECTION WARNING! NavLogon\DLLName = "C:\WINDOWS\System32\NavLogon.dll" ["Symantec Corporation"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
ewido\(Default) = "{57BD36D7-CE32-4600-9B1C-1A0C47EFC02E}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\context.dll" ["ewido networks"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
LDVPMenu\(Default) = "{BDA77241-42F6-11d0-85E2-00AA001FE28C}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\SSC\vpshell2.dll" ["Symantec Corporation"]
TrojanHunter\(Default) = "{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.2\contmenu.dll" [null data]

Active Desktop and Wallpaper:
-----------------------------

Active Desktop is disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Kirschdaddy\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"

Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "C:\WINDOWS\System32\logon.scr" [MS]

Startup items in "Kirschdaddy" & "All Users" startup folders:
-------------------------------------------------------------

C:\Documents and Settings\Kirschdaddy\Start Menu\Programs\Startup
"OpenOffice.org 1.0.3" -> shortcut to: "C:\Program Files\OpenOffice.org1.0.3\program\quickstart.exe" [null data]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Adobe Gamma Loader" -> shortcut to: "C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe" ["Adobe Systems, Inc."]
"Logitech SetPoint" -> shortcut to: "C:\Program Files\Logitech\SetPoint\SetPoint.exe" ["Logitech Inc."]

Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05

Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" [file not found]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\ = "&Yahoo! Messenger" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" [file not found]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]

{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
"ButtonText" = "Messenger"
"MenuText" = "Yahoo! Messenger"
"CLSIDExtension" = "{4C171D40-8277-11D5-AD55-00010333D0AD}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes.dll" [file not found]

{AC9E2541-2814-11D5-BC6D-00B0D0A1DE45}\
"ButtonText" = "AIM"
"Exec" = "C:\Program Files\AIM\aim.exe" ["America Online, Inc."]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\MSMSGS.EXE" [MS]

Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\System32\Ati2evxx.exe" ["ATI Technologies Inc."]
avast! iAVS4 Control Service, aswUpdSv, ""C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe"" [null data]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
iPodService, iPodService, "C:\Program Files\iPod\bin\iPodService.exe" ["Apple Computer, Inc."]
Symantec AntiVirus, Symantec AntiVirus, ""C:\Program Files\Symantec AntiVirus\Rtvscan.exe"" ["Symantec Corporation"]
Symantec AntiVirus Definition Watcher, DefWatch, ""C:\Program Files\Symantec AntiVirus\DefWatch.exe"" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]
Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\System32\wdfmgr.exe" [MS]

----------
+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ The search for DESKTOP.INI DLL launch points on all local fixed drives
took 71 seconds.
+ The search for all Registry CLSIDs containing dormant Explorer Bars
took 17 seconds.
---------- (total run time: 284 seconds)

HJT Startup

StartupList report, 10/5/2005, 12:09:51 AM
StartupList version: 1.52.2
Started from : C:\hijackthis\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Valve\Steam\Steam.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\hijackthis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\NOTEPAD.EXE

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Kirschdaddy\Start Menu\Programs\Startup]
OpenOffice.org 1.0.3.lnk = C:\Program Files\OpenOffice.org1.0.3\program\quickstart.exe

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

ATIPTA = "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
NeroCheck = C:\WINDOWS\System32\NeroCheck.exe
NvMixerTray = C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
SunJavaUpdateSched = C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
EM_EXEC = C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
Creative WebCam Tray = C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
KernelFaultCheck = %systemroot%\system32\dumprep 0 -k
WatchDog = C:\Program Files\mobile PhoneTools\WatchDog.exe
Motive SmartBridge = C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
Logitech Hardware Abstraction Layer = KHALMNPR.EXE
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
vptray = C:\PROGRA~1\SYMANT~1\VPTray.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
THGuard = "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
Windows SA = C:\Program Files\WindowsSA\omniscient.exe
WebRebates0 = "C:\Program Files\Web_Rebates\WebRebates0.exe"
VVSN = C:\Program Files\VVSN\VVSN.exe
Power Scan = C:\Program Files\Power Scan\powerscan.exe
itbjbiva = C:\WINDOWS\System32\gqbvil.exe
Internet Optimizer = "C:\Program Files\Internet Optimizer\optimize.exe"

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Steam = C:\Program Files\Valve\Steam\\Steam.exe -silent
Uagem = C:\WINDOWS\System32\??rvices.exe
Start WingMan Profiler =
Raam = C:\Documents and Settings\Kirschdaddy\Application Data\epsw.exe
MSMSGS = "C:\Program Files\Messenger\msmsgs.exe" /background

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINDOWS\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\mplayer2.inf,PerUserStub.NT

[{2C7339CF-2B09-4501-B3F3-F3508C9228ED}] *
StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{5945c046-1e7d-11d1-bc44-00c04fd912be}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection %SystemRoot%\INF\msmsgs.inf,BLC.Install.PerUser

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\system32\ie4uinit.exe

[{ACC563BC-4266-43f0-B6ED-9D38C4202C7E}] *
StubPath = rundll32 iesetup.dll,IEAccessUserInst

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINDOWS\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\logon.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------

Checking for EXPLORER.EXE instances:

C:\WINDOWS\Explorer.exe: PRESENT!

C:\Explorer.exe: not present
C:\WINDOWS\Explorer\Explorer.exe: not present
C:\WINDOWS\System\Explorer.exe: not present
C:\WINDOWS\System32\Explorer.exe: not present
C:\WINDOWS\Command\Explorer.exe: not present
C:\WINDOWS\Fonts\Explorer.exe: not present

--------------------------------------------------

Checking for superhidden extensions:

.lnk: HIDDEN! (arrow overlay: yes)
.pif: HIDDEN! (arrow overlay: yes)
.exe: not hidden
.com: not hidden
.bat: not hidden
.hta: not hidden
.scr: not hidden
.shs: HIDDEN!
.shb: HIDDEN!
.vbs: not hidden
.vbe: not hidden
.wsh: not hidden
.scf: HIDDEN! (arrow overlay: NO!)
.url: HIDDEN! (arrow overlay: yes)
.js: not hidden
.jse: not hidden

--------------------------------------------------

Verifying REGEDIT.EXE integrity:

- Regedit.exe found in C:\WINDOWS
- .reg open command is normal (regedit.exe %1)
- Company name OK: 'Microsoft Corporation'
- Original filename OK: 'REGEDIT.EXE'
- File description: 'Registry Editor'

Registry check passed

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\PROGRA~1\SPYBOT~1\SDHelper.dll - {53707962-6F74-2D53-2644-206D7942484F}

--------------------------------------------------

Enumerating Task Scheduler jobs:

*No jobs found*

--------------------------------------------------

Enumerating Download Program Files:

[Microsoft XML Parser for Java]
CODEBASE = file://C:\WINDOWS\Java\classes\xmldso.cab
OSD = C:\WINDOWS\Downloaded Program Files\Microsoft XML Parser for Java.osd

[Yahoo! Euchre]
CODEBASE = http://download.game...nts/y/et1_x.cab
OSD = C:\WINDOWS\Downloaded Program Files\Yahoo! Euchre.osd

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.micr...922/wmv9VCM.CAB

[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://codecs.micros...386/wmv9dmo.cab

[{4A01A151-E350-4839-A2B8-03DC39D6C8E5}]
CODEBASE = http://download.yaho...d2003080601.cab

[WUWebControl Class]
InProcServer32 = C:\WINDOWS\System32\wuweb.dll
CODEBASE = http://update.micros...b?1127693317357

[Java Plug-in 1.4.2_07]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_07\bin\npjpi142_07.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[RegConfig Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yregcfg.dll
CODEBASE = http://download.yaho...rod/yregcfg.cab

[{B9191F79-5613-4C76-AA2A-398534BB8999}]
CODEBASE = http://download.yaho...alls/yab_af.cab

[Java Plug-in 1.4.2_01]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_01\bin\npjpi142_01.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Java Plug-in 1.4.2_03]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[Java Plug-in 1.4.2_07]
InProcServer32 = C:\Program Files\Java\j2re1.4.2_07\bin\npjpi142_07.dll
CODEBASE = http://java.sun.com/...indows-i586.cab

[PhotosCtrl Class]
InProcServer32 = C:\Program Files\Yahoo!\common\YPhotos.dll
CODEBASE = http://photos.yahoo....plorer1_9us.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\macromed\flash\Flash.ocx
CODEBASE = http://download.macr...ash/swflash.cab

--------------------------------------------------

Enumerating Winsock LSP files:

NameSpace #1: C:\WINDOWS\System32\mswsock.dll
NameSpace #2: C:\WINDOWS\System32\winrnr.dll
NameSpace #3: C:\WINDOWS\System32\mswsock.dll
Protocol #1: C:\WINDOWS\system32\mswsock.dll
Protocol #2: C:\WINDOWS\system32\mswsock.dll
Protocol #3: C:\WINDOWS\system32\mswsock.dll
Protocol #4: C:\WINDOWS\system32\rsvpsp.dll
Protocol #5: C:\WINDOWS\system32\rsvpsp.dll
Protocol #6: C:\WINDOWS\system32\mswsock.dll
Protocol #7: C:\WINDOWS\system32\mswsock.dll
Protocol #8: C:\WINDOWS\system32\mswsock.dll
Protocol #9: C:\WINDOWS\system32\mswsock.dll
Protocol #10: C:\WINDOWS\system32\mswsock.dll
Protocol #11: C:\WINDOWS\system32\mswsock.dll
Protocol #12: C:\WINDOWS\system32\mswsock.dll
Protocol #13: C:\WINDOWS\system32\mswsock.dll
Protocol #14: C:\WINDOWS\system32\mswsock.dll
Protocol #15: C:\WINDOWS\system32\mswsock.dll

--------------------------------------------------

Enumerating Windows NT/2000/XP services

Microsoft ACPI Driver: System32\DRIVERS\ACPI.sys (system)
Microsoft Kernel Acoustic Echo Canceller: system32\drivers\aec.sys (manual start)
AFD Networking Support Environment: \SystemRoot\System32\drivers\afd.sys (autostart)
Alerter: %SystemRoot%\System32\svchost.exe -k LocalService (manual start)
Application Layer Gateway Service: %SystemRoot%\System32\alg.exe (manual start)
Application Management: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
1394 ARP Client Protocol: System32\DRIVERS\arp1394.sys (manual start)
avast! iAVS4 Control Service: "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe" (autostart)
RAS Asynchronous Media Driver: System32\DRIVERS\asyncmac.sys (manual start)
Standard IDE/ESDI Hard Disk Controller: System32\DRIVERS\atapi.sys (system)
Ati HotKey Poller: %SystemRoot%\System32\Ati2evxx.exe (autostart)
ATI Smart: C:\WINDOWS\system32\ati2sgag.exe (autostart)
ati2mtag: System32\DRIVERS\ati2mtag.sys (manual start)
ATM ARP Client Protocol: System32\DRIVERS\atmarpc.sys (manual start)
Windows Audio: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Audio Stub Driver: System32\DRIVERS\audstub.sys (manual start)
avast! Antivirus: "C:\Program Files\Alwil Software\Avast4\ashServ.exe" (autostart)
avast! Mail Scanner: "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (manual start)
avast! Web Scanner: "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (manual start)
Background Intelligent Transfer Service: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
MAC Bridge: System32\DRIVERS\bridge.sys (manual start)
MAC Bridge Miniport: System32\DRIVERS\bridge.sys (manual start)
Computer Browser: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Closed Caption Decoder: System32\DRIVERS\CCDECODE.sys (manual start)
Symantec Event Manager: "C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe" (autostart)
Symantec Password Validation: "C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe" (manual start)
Symantec Settings Manager: "C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe" (autostart)
cdiskdun: \??\C:\DOCUME~1\KIRSCH~1\LOCALS~1\Temp\cdiskdun.sys (manual start)
CD-ROM Driver: System32\DRIVERS\cdrom.sys (system)
Indexing Service: %SystemRoot%\system32\cisvc.exe (manual start)
ClipBook: %SystemRoot%\system32\clipsrv.exe (manual start)
COM+ System Application: C:\WINDOWS\System32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} (manual start)
Cryptographic Services: %SystemRoot%\system32\svchost.exe -k netsvcs (autostart)
Symantec AntiVirus Definition Watcher: "C:\Program Files\Symantec AntiVirus\DefWatch.exe" (autostart)
DHCP Client: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Disk Driver: System32\DRIVERS\disk.sys (system)
Logical Disk Manager Administrative Service: %SystemRoot%\System32\dmadmin.exe /com (manual start)
dmboot: System32\drivers\dmboot.sys (disabled)
Logical Disk Manager Driver: System32\DRIVERS\dmio.sys (system)
Logical Disk Manager: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft Kernel DLS Syntheiszer: system32\drivers\DMusic.sys (manual start)
DNS Client: %SystemRoot%\System32\svchost.exe -k NetworkService (disabled)
Microsoft Kernel DRM Audio Descrambler: system32\drivers\drmkaud.sys (manual start)
Error Reporting Service: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Event Log: %SystemRoot%\system32\services.exe (autostart)
COM+ Event System: C:\WINDOWS\System32\svchost.exe -k netsvcs (manual start)
ewido security suite control: C:\Program Files\ewido\security suite\ewidoctrl.exe (autostart)
ewido security suite driver: \??\C:\Program Files\ewido\security suite\guard.sys (system)
ewido security suite guard: C:\Program Files\ewido\security suite\ewidoguard.exe (autostart)
Fast User Switching Compatibility: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
Floppy Disk Controller Driver: System32\DRIVERS\fdc.sys (manual start)
Floppy Disk Driver: System32\DRIVERS\flpydisk.sys (manual start)
Volume Manager Driver: System32\DRIVERS\ftdisk.sys (system)
GEAR CDRom Filter: SYSTEM32\DRIVERS\GEARAspiWDM.sys (manual start)
Generic Packet Classifier: System32\DRIVERS\msgpc.sys (manual start)
Help and Support: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Human Interface Device Access: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Microsoft HID Class Driver: System32\DRIVERS\hidusb.sys (manual start)
i8042 Keyboard and PS/2 Mouse Port Driver: System32\DRIVERS\i8042prt.sys (system)
InstallDriver Table Manager: C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (manual start)
IMAPI CD-Burning COM Service: C:\WINDOWS\System32\imapi.exe (manual start)
IP Traffic Filter Driver: System32\DRIVERS\ipfltdrv.sys (manual start)
IP in IP Tunnel Driver: System32\DRIVERS\ipinip.sys (manual start)
IP Network Address Translator: System32\DRIVERS\ipnat.sys (manual start)
iPodService: C:\Program Files\iPod\bin\iPodService.exe (manual start)
IPSEC driver: System32\DRIVERS\ipsec.sys (system)
IR Enumerator Service: System32\DRIVERS\irenum.sys (manual start)
PnP ISA/EISA Bus Driver: System32\DRIVERS\isapnp.sys (system)
Keyboard Class Driver: System32\DRIVERS\kbdclass.sys (system)
Keyboard HID Driver: System32\DRIVERS\kbdhid.sys (system)
Microsoft Kernel Wave Audio Mixer: system32\drivers\kmixer.sys (manual start)
Logitech SetPoint Keyboard Driver: System32\DRIVERS\L8042Kbd.sys (manual start)
Logitech SetPoint PS/2 Mouse Filter Driver: System32\Drivers\L8042mou.sys (manual start)
Server: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Workstation: %SystemRoot%\System32\svchost.exe -k netsvcs (autostart)
Logitech HID/USB Mouse Filter Driver: System32\DRIVERS\LHidFlt2.sys (manual start)
Logitech SetPoint HID Mouse Filter Driver: System32\DRIVERS\LHidKE.Sys (manual start)
Logitech USB Receiver device driver: system32\drivers\LHidUsb.Sys (manual start)
Logitech SetPoint USB Receiver device driver: System32\Drivers\LHidUsbK.Sys (manual start)
Logitech Keyboard Class Filter Driver: System32\DRIVERS\LKbdFlt2.sys (manual start)
TCP/IP NetBIOS Helper: %SystemRoot%\System32\svchost.exe -k LocalService (autostart)
Logitech Mouse Class Filter Driver: System32\DRIVERS\LMouFlt2.sys (manual start)
Logitech SetPoint Mouse Filter Driver: System32\Drivers\LMouKE.sys (manual start)
mchInjDrv: \??\C:\DOCUME~1\KIRSCH~1\LOCALS~1\Temp\mc23.tmp (disabled)
Messenger: %SystemRoot%\System32\svchost.exe -k netsvcs (disabled)
NetMeeting Remote Desktop Sharing: C:\WINDOWS\System32\mnmsrvc.exe (manual start)
Mouse Class Driver: System32\DRIVERS\mouclass.sys (system)
Mouse HID Driver: System32\DRIVERS\mouhid.sys (manual start)
WebDav Client Redirector: System32\DRIVERS\mrxdav.sys (manual start)
MRXSMB: System32\DRIVERS\mrxsmb.sys (system)
Distributed Transaction Coordinator: C:\WINDOWS\System32\msdtc.exe (manual start)
Windows Installer: C:\WINDOWS\System32\msiexec.exe /V (manual start)
Microsoft Streaming Service Proxy: system32\drivers\MSKSSRV.sys (manual start)
Microsoft Streaming Clock Proxy: system32\drivers\MSPCLOCK.sys (manual start)
Microsoft Streaming Quality Manager Proxy: system32\drivers\MSPQM.sys (manual start)
Microsoft Streaming Tee/Sink-to-Sink Converter: system32\drivers\MSTEE.sys (manual start)
NABTS/FEC VBI Codec: System32\DRIVERS\NABTSFEC.sys (manual start)
NAVENG: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050926.007\naveng.sys (manual start)
NAVEX15: \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20050926.007\navex15.sys (manual start)
Microsoft TV/Video Connection: System32\DRIVERS\NdisIP.sys (manual start)
Remote Access NDIS TAPI Driver: System32\DRIVERS\ndistapi.sys (manual start)
NDIS Usermode I/O Protocol: System32\DRIVERS\ndisuio.sys (manual start)
Remote Access NDIS WAN Driver: System32\DRIVERS\ndiswan.sys (manual start)
NetBIOS Interface: System32\DRIVERS\netbios.sys (system)
NetBios over Tcpip: System32\DRIVERS\netbt.sys (system)
Network DDE: %SystemRoot%\system32\netdde.exe (manual start)
Network DDE DSDM: %SystemRoot%\system32\netdde.exe (manual start)
Net Logon: %SystemRoot%\System32\lsass.exe (manual start)
Network Connections: %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
1394 Net Driver: System32\DRIVERS\nic1394.sys (manual start)
Network Location Awareness (NLA): %SystemRoot%\System32\svchost.exe -k netsvcs (manual start)
NMUSB: system32\drivers\nmusb.sys (manual start)
NT LM Security Support Provider: %SystemRoot%\System32\lsass.exe (manual start)
Removable Storage: %SystemRoot%\system32\svchost.exe -k netsvcs (manual start)
nvatabus: System32\DRIVERS\nvatabus.sys (system)
Service for NVIDIA® nForce™ Audio Enumerator: system32\drivers\nvax.sys (manual start)
NVIDIA nForce MCP Networking Adapter Driver: System32\DRIVERS\NVENET.sys (manual start)
Service for NVIDIA® nForce™ Audio: system32\drivers\nvapu.sys (manual start)
NVIDIA nForce AGP Bus Filter: System32\DRIVERS\nv_agp.sys (system)
IPX Traffic Filter Driver: System32\DRIVERS\nwlnkflt.sys (manual start)
IPX Traffic Forwarder Driver: System32\DRIVERS\nwlnkfwd.sys (manual start)
OHCI Compliant IEEE 1394 Host Controller: System32\DRIVERS\ohci1394.sys (system)
Parallel port driver: System32\DRIVERS\parport.sys (manual start)
PCI Bus Driver: System32\DRIVERS\pci.sys (system)
PCIIde: System32\DRIVERS\pciide.sys (system)
Plug and Play: %SystemRoot%\system32\services.exe (autostart)
IPSEC Services: %SystemRoot%\System32\lsass.exe (autostart)
WAN Miniport (PPTP): System32\DRIVERS\raspptp.sys (manual start)
Processor

#7
Wizard

Posted 05 October 2005 - 05:18 AM

Retired Staff

Retired Staff
5,661 posts

I had a feeling this was going to get interesting!

If you do not have an Active Firewall installed,please install this one

Sygate Personal Firewall:
http://smb.sygate.co...pf_standard.htm

Go to Add\Remove Programs and Remove these

WindowsSA\Windows Search Assistant
Web Rebates
Internet Optimizer
Power Scan
WhenU

Restart in Safe Mode and Open Pocket KillBox!

Run each of these entries through Killbox

C:\Program Files\WindowsSA\omniscient.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\Program Files\VVSN\VVSN.exe
C:\Program Files\Power Scan\powerscan.exe
C:\WINDOWS\System32\gqbvil.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Documents and Settings\Kirschdaddy\Application Data\epsw.exe

Place a tick by any of these selections available

"Standard File Kill"
"End Explorer Shell while Killing File"
"Unregister .dll before Deleting"
"Deltree(Include Subdirectories)"

Click the Red Circle with the White X in the Middle to Delete!

Make sure Windows and Showing Hidden Files
http://www.bleepingc...al62.html#winxp

Navigate to C:\WINDOWS\System32

Search for all instances of services.exe

Please let me know how many you find and what the size of the file is?

Open HijackThis and put a check by these but DO NOT hit the Fix Checked button yet!

O4 - HKLM\..\Run: [Windows SA] C:\Program Files\WindowsSA\omniscient.exe

O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"

O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe

O4 - HKLM\..\Run: [Power Scan] C:\Program Files\Power Scan\powerscan.exe

O4 - HKLM\..\Run: [itbjbiva] C:\WINDOWS\System32\gqbvil.exe

O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

O4 - HKCU\..\Run: [Uagem] C:\WINDOWS\System32\??rvices.exe

O4 - HKCU\..\Run: [Raam] C:\Documents and Settings\Kirschdaddy\Application Data\epsw.exe

Now Make sure ALL WINDOWS and BROWSERS are CLOSED and hit the Fix Checked Button!

While in Safe Mode,Attempt to Unzip WinPFind and Scan the System with it!

Restart Normal and Open Internet Explorer-> Click Tools-> Click Windows Updates!

We can not go any further until Windows has been updated completely!

It would be futile as ReInfection is certain without all the Windows Security Patches!

Have you been able to run any of the Online Scans at all?

Please post back and let me know about the Updates and any results from any of the Scans!

#8
Kirsch

Posted 05 October 2005 - 04:20 PM

New Member

Topic Starter
Member
5 posts

There is 1 Services.exe and it is 99.0KB

WinPFind still isn't acting right, let it go for 20 minutes with it not doing anything, just making the computer really slow...

HJT log while in safe mode:

Logfile of HijackThis v1.99.1
Scan saved at 6:15:23 PM, on 10/5/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.nancies.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMixerTray] C:\Program Files\NVIDIA Corporation\NvMixer\NvMixerTray.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_07\bin\jusched.exe
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\Shared Files\CAMTRAY.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [Steam] C:\Program Files\Valve\Steam\\Steam.exe -silent
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: OpenOffice.org 1.0.3.lnk = C:\Program Files\OpenOffice.org1.0.3\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: Yahoo! Euchre - http://download.game...nts/y/et1_x.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1127693317357
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

#9
Wizard

Posted 06 October 2005 - 03:54 AM

Retired Staff

Retired Staff
5,661 posts

Alright,lets see how we did!

Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make that the following are selected:
- Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
- Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan:Select My Computer
This will program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.

#10
Kirsch

Posted 06 October 2005 - 11:03 AM

New Member

Topic Starter
Member
5 posts

Ummm this thing is really really long

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, October 06, 2005 13:05:59
Operating System: Microsoft Windows XP Professional, (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 6/10/2005
Kaspersky Anti-Virus database records: 152710
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 92423
Number of viruses found: 40
Number of infected objects: 3780
Number of suspicious objects: 0
Duration of the scan process: 7396 sec

Infected Object Name - Virus Name
C:\!KillBox\BTUPD32.EXE Infected: Trojan-Proxy.Win32.Ranky.gen
C:\!KillBox\CCUPD32.EXE Infected: Trojan-Proxy.Win32.Ranky.gen
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03F40000\43FCC4C4.VBN/mxTarget.dll Infected: not-a-virus:AdWare.Win32.BiSpy.n
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03F40000\43FCC4C4.VBN/preInsMt.exe Infected: not-a-virus:AdWare.Win32.BiSpy.q
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\03F40000\43FCC4C4.VBN Infected: not-a-virus:AdWare.Win32.BiSpy.q
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06D80000\47D99CC7.VBN Infected: not-a-virus:AdWare.Win32.MediaMotor.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640000.VBN Infected: Backdoor.Win32.Wootbot.gen
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640001.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640002.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640003.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640004.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640005.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640006.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640007.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640008.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640009.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0764000A.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0764000B.VBN Infected: Trojan-Proxy.Win32.Ranky.ch
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0764000C.VBN Infected: Trojan-Proxy.Win32.Ranky.ch
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0764000D.VBN Infected: Trojan-Proxy.Win32.Ranky.ch
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0764000E.VBN Infected: Trojan-Proxy.Win32.Ranky.ch
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0764000F.VBN Infected: Trojan-Proxy.Win32.Ranky.gen
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640010.VBN Infected: Trojan-Proxy.Win32.Ranky.gen
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640011.VBN Infected: Trojan-Proxy.Win32.Ranky.cd
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640012.VBN Infected: Trojan-Proxy.Win32.Ranky.cd
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640013.VBN Infected: Trojan-Proxy.Win32.Ranky.cd
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640014.VBN Infected: Trojan-Proxy.Win32.Ranky.gen
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640015.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640016.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640017.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640018.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640019.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0764001A.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0764001B.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0764001C.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0764001D.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0764001E.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0764001F.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640020.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640021.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640022.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640023.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640024.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640025.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640026.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640027.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640028.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640029.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0764002A.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0764002B.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0764002C.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0764002D.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0764002E.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0764002F.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640030.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640031.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640032.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640033.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640034.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640035.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640036.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640037.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640038.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640039.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0764003A.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0764003B.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0764003C.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0764003D.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0764003E.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0764003F.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640040.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640041.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640042.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640043.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640044.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640045.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640046.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07640047.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08480000\4B789C75.VBN Infected: not-a-virus:AdWare.Win32.MediaMotor.j
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08480001\4B789E17.VBN Infected: not-a-virus:AdWare.Win32.180Solutions
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08480002\4B78A028.VBN Infected: not-a-virus:AdWare.Win32.BetterInternet.ad
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08480003\4B78A05D.VBN Infected: Trojan-Dropper.Win32.Delf.z
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09D00000.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09D00001.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09D00002.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09D00003.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09D00004.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09D00005.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09D00006.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\09D00007.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300000.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300001.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300002.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300003.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300004.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300005.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300006.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300007.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300008.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300009.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30000A.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30000B.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30000C.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30000D.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30000E.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30000F.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300010.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300011.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300012.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300013.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300014.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300015.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300016.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300017.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300018.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300019.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30001A.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30001B.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30001C.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30001D.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30001E.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30001F.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300020.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300021.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300022.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300023.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300024.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300025.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300026.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300027.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300028.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300029.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30002A.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30002B.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30002C.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30002D.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30002E.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30002F.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300030.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300031.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300032.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300033.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300034.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300035.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300036.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300037.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300038.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300039.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30003A.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30003B.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30003C.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30003D.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30003E.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30003F.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300040.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300041.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300042.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300043.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300044.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300045.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300046.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300047.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300048.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300049.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30004A.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30004B.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30004C.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30004D.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30004E.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30004F.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300050.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300051.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300052.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300053.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300054.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300055.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300056.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300057.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300058.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300059.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30005A.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30005B.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30005C.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30005D.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30005E.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30005F.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300060.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300061.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300062.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300063.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300064.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300065.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300066.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300067.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300068.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300069.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30006A.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30006B.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30006C.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30006D.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30006E.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30006F.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300070.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300071.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300072.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300073.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300074.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300075.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300076.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300077.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300078.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300079.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30007A.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30007B.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30007C.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30007D.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30007E.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30007F.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300080.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300081.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300082.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300083.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300084.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300085.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300086.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300087.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300088.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300089.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30008A.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30008B.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30008C.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30008D.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30008E.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30008F.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300090.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300091.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300092.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300093.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300094.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300095.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300096.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300097.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300098.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A300099.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30009A.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30009B.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30009C.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30009D.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30009E.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A30009F.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A3000A0.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A3000A1.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A3000A2.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A3000A3.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A3000A4.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A3000A5.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A3000A6.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A3000A7.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A3000A8.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A3000A9.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A3000AA.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A3000AB.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A3000AC.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A3000AD.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A3000AE.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A3000AF.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A3000B0.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A3000B1.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A3000B2.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A3000B3.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A3000B4.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A3000B5.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A3000B6.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A3000B7.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A3000B8.VBN Infected: Rootkit.Win32.Agent.ab
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A3000B9.VBN Infected: Rootkit.Win32.Agent.ab

And then thousands more of that line with "OA3000B9.VBN" being one or two characters different... do you want all of that? I took the liberty of skipping the rest and posting the other stuff...

C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3cc46f89-434dac4d.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3cc46f89-434dac4d.zip Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5ad1bcbe-53990a38.zip/javainstaller/InstallerApplet.class Infected: Trojan-Downloader.Java.OpenStream.w
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5ad1bcbe-53990a38.zip Infected: Trojan-Downloader.Java.OpenStream.w
C:\gp2.exe Infected: Trojan-Proxy.Win32.Ranky.gen
C:\mmxgamesexe.exe Infected: Trojan-Downloader.Win32.VB.jl
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.616
C:\System Volume Information\_restore{287BFBB8-F59E-4FA7-A7BD-868E0018A49E}\RP300\A0047268.exe Infected: Trojan-Downloader.Win32.Agent.aw
C:\System Volume Information\_restore{287BFBB8-F59E-4FA7-A7BD-868E0018A49E}\RP333\A0048318.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101
C:\System Volume Information\_restore{287BFBB8-F59E-4FA7-A7BD-868E0018A49E}\RP333\A0048451.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101
C:\System Volume Information\_restore{287BFBB8-F59E-4FA7-A7BD-868E0018A49E}\RP334\A0048474.exe Infected: not-a-virus:AdWare.Win32.BetterInternet
C:\System Volume Information\_restore{287BFBB8-F59E-4FA7-A7BD-868E0018A49E}\RP334\A0048475.exe Infected: not-a-virus:AdWare.Win32.Sahat.aj
C:\System Volume Information\_restore{287BFBB8-F59E-4FA7-A7BD-868E0018A49E}\RP334\A0048476.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351
C:\System Volume Information\_restore{287BFBB8-F59E-4FA7-A7BD-868E0018A49E}\RP334\A0048477.dll Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{287BFBB8-F59E-4FA7-A7BD-868E0018A49E}\RP334\A0048568.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\System Volume Information\_restore{287BFBB8-F59E-4FA7-A7BD-868E0018A49E}\RP334\A0048570.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\System Volume Information\_restore{287BFBB8-F59E-4FA7-A7BD-868E0018A49E}\RP334\A0048577.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{287BFBB8-F59E-4FA7-A7BD-868E0018A49E}\RP334\A0048578.dll Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{287BFBB8-F59E-4FA7-A7BD-868E0018A49E}\RP334\A0048580.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.a
C:\System Volume Information\_restore{287BFBB8-F59E-4FA7-A7BD-868E0018A49E}\RP334\A0048582.exe Infected: not-a-virus:AdWare.Win32.Sahat.ag
C:\System Volume Information\_restore{287BFBB8-F59E-4FA7-A7BD-868E0018A49E}\RP334\A0048590.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381
C:\System Volume Information\_restore{287BFBB8-F59E-4FA7-A7BD-868E0018A49E}\RP334\A0048591.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351
C:\System Volume Information\_restore{287BFBB8-F59E-4FA7-A7BD-868E0018A49E}\RP344\A0050567.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101
C:\System Volume Information\_restore{287BFBB8-F59E-4FA7-A7BD-868E0018A49E}\RP349\A0052219.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381
C:\System Volume Information\_restore{287BFBB8-F59E-4FA7-A7BD-868E0018A49E}\RP367\A0058628.exe Infected: Backdoor.Win32.SdBot.aad
C:\System Volume Information\_restore{287BFBB8-F59E-4FA7-A7BD-868E0018A49E}\RP372\A0063619.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\System Volume Information\_restore{287BFBB8-F59E-4FA7-A7BD-868E0018A49E}\RP372\A0067163.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bj
C:\System Volume Information\_restore{287BFBB8-F59E-4FA7-A7BD-868E0018A49E}\RP372\A0069180.dll Infected: Trojan.Win32.StartPage.ku
C:\System Volume Information\_restore{287BFBB8-F59E-4FA7-A7BD-868E0018A49E}\RP372\A0070661.exe Infected: Backdoor.Win32.SdBot.aad
C:\System Volume Information\_restore{287BFBB8-F59E-4FA7-A7BD-868E0018A49E}\RP372\A0070742.exe Infected: Backdoor.Win32.SdBot.aad
C:\System Volume Information\_restore{287BFBB8-F59E-4FA7-A7BD-868E0018A49E}\RP373\A0070746.exe Infected: Trojan-Proxy.Win32.Small.cr
C:\System Volume Information\_restore{287BFBB8-F59E-4FA7-A7BD-868E0018A49E}\RP373\A0070748.bat Infected: Trojan.BAT.Zapchast
C:\System Volume Information\_restore{287BFBB8-F59E-4FA7-A7BD-868E0018A49E}\RP373\A0071924.exe Infected: Backdoor.Win32.SdBot.aad
C:\System Volume Information\_restore{287BFBB8-F59E-4FA7-A7BD-868E0018A49E}\RP373\A0071933.exe Infected: Backdoor.Win32.SdBot.aad
C:\System Volume Information\_restore{287BFBB8-F59E-4FA7-A7BD-868E0018A49E}\RP373\A0072015.EXE Infected: Trojan-Proxy.Win32.Ranky.gen
C:\System Volume Information\_restore{287BFBB8-F59E-4FA7-A7BD-868E0018A49E}\RP373\A0072016.EXE Infected: Trojan-Proxy.Win32.Ranky.gen
C:\WINDOWS\pskill.exe Infected: not-a-virus:RiskTool.Win32.PsKill.1101
C:\WINDOWS\spoollv.exe Infected: Backdoor.Win32.SdBot.aad
C:\WINDOWS\ssk3b5doublemedia.exe/data0005 Infected: Trojan-Dropper.Win32.Small.qn
C:\WINDOWS\ssk3b5doublemedia.exe Infected: Trojan-Dropper.Win32.Small.qn
C:\WINDOWS\system32\i Infected: Trojan-Downloader.BAT.Ftp.ab
C:\WINDOWS\system32\ph0un6mq.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao
C:\WINDOWS\system32\setup_01750.exe Infected: Backdoor.Win32.SdBot.aad
C:\WINDOWS\system32\setup_32621.exe Infected: Backdoor.Win32.SdBot.aad
C:\WINDOWS\system32\ѕеrvices.exe Infected: not-a-virus:AdWare.Win32.PurityScan.bh

Scan process completed.

Edited by Kirsch, 06 October 2005 - 11:10 AM.

#11
Wizard

Posted 06 October 2005 - 03:07 PM

Retired Staff

Retired Staff
5,661 posts

Still some uglies in there!

We will purge the java cache in a bit abd empty Nortons Quaratine folder as well!

Go into Safe Mode and Use Killbox just as before and delete all the entries below!

C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3cc46f89-434dac4d.zip/javainstaller/InstallerApplet.class
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-3cc46f89-434dac4d.zip
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5ad1bcbe-53990a38.zip/javainstaller/InstallerApplet.class
C:\Documents and Settings\LocalService\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\javainstaller.jar-5ad1bcbe-53990a38.zip
C:\gp2.exe
C:\mmxgamesexe.exe
C:\WINDOWS\spoollv.exe
C:\WINDOWS\ssk3b5doublemedia.exe
C:\WINDOWS\system32\i
C:\WINDOWS\system32\ph0un6mq.ini
C:\WINDOWS\system32\setup_01750.exe
C:\WINDOWS\system32\setup_32621.exe

Restart Normal-> Copy&Paste the text below into a blank notepad page and Save it to the desktop as find.bat

dir \ѕеrvices.exe /a h /s > File.txt

Double Click find.bat and wait for the notepad window to pop up!

Copy&Paste those results into the next post!

1.Go to Start > Control Panel.
2. Double-click the Java icon (coffee cup) in the control panel. It will say "Java
Plug-in" under the icon - please find the update button or tab in that Java control
panel. Update your Java, and reboot.
After reboot, go back into the Control Panel and double-click the Java icon.
3. Under Temporary Internet Files, click the Delete Files button.
There are three options on this window to clear the cache - leave ALL 3 checked:
1. Downloaded Applets
2. Downloaded Applications
3. Other Files
4. Click OK on Delete Temporary Files window.
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.

Now double click the Norton Antivirus Icon in the taskbar near the clock!

Click on reports-> Beside Quaratined Items-> Click View Reports

Highlight everything in the Quaratine Window and Select Delete item!

Edited by Cretemonster, 06 October 2005 - 03:12 PM.