my HJT log [RESOLVED]



#1
celtic4lyf


    New Member

  • Member
  • 6 posts
Logfile of HijackThis v1.99.1
Scan saved at 21:46:30, on 12/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\WINDOWS\System32\setver32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\System32\nega.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\bsc32.exe
C:\sv.exe
C:\WINDOWS\System32\lmass.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\tool2.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\lexpps.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WinMX\WinMX.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Documents and Settings\Jakes\My Documents\All Mine\aim.exe
C:\winstall.exe
C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure32.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.com/5me...6.2.0137&OS=Win
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11111111-2222-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\netdde.dll
O2 - BHO: C:\WINDOWS\adsldpbc.dll - {6533C8BF-14C0-4873-BA6A-2F433F3840A5} - C:\WINDOWS\adsldpbc.dll
O2 - BHO: C:\WINDOWS\q17531187.dll - {7A7E6D97-B492-4884-9ABB-C31281DCC4F2} - C:\WINDOWS\q17531187.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SupaDial] C:\Program Files\SupaDial\SupaDial.exe /A
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [MCCInstall] C:\DOCUME~1\OWNER\LOCALS~1\TEMP\MCCINS~1\MCCINS~1.EXE -Step=13
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Distributed Link Transfer Server] nega.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Microsoft Services] C:\WINDOWS\System32\bsc32.exe
O4 - HKLM\..\Run: [Services] C:\sv.exe
O4 - HKLM\..\Run: [Spool Sc] spoolsc
O4 - HKLM\..\Run: [Windows Host Name] lmass.exe
O4 - HKLM\..\Run: [Windows secure] setver32.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\RunServices: [Distributed Link Transfer Server] nega.exe
O4 - HKLM\..\RunServices: [Microsoft Services] C:\WINDOWS\System32\bsc32.exe
O4 - HKLM\..\RunServices: [Spool Sc] spoolsc
O4 - HKLM\..\RunServices: [Windows Host Name] lmass.exe
O4 - HKLM\..\RunServices: [Windows secure] setver32.exe
O4 - HKLM\..\RunOnce: [Windows secure] setver32.exe
O4 - HKCU\..\Run: [Windows secure] setver32.exe
O4 - HKCU\..\Run: [Distributed Link Transfer Server] nega.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WinMX] C:\Program Files\WinMX\WinMX.exe -m
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Documents and Settings\Jakes\My Documents\All Mine\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\RunOnce: [Windows secure] setver32.exe
O4 - Global Startup: AudioDeck.lnk = C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Jakes\My Documents\All Mine\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.tiny.com
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.searchmeup.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\Iesearch.exe
O20 - Winlogon Notify: style32 - C:\WINDOWS\q17531187.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe


#2
miekiemoes


    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Hello,

It's better to print out the next instructions or save them in Notepad, because you will also have to work in Safe Mode without networking support, and this page won't be available then.
It is also important that you don't miss a step and that you perform everything in the right order!!
I can't stress enough how important this is!!

What I don't understand... Is your antivirus still up to date? Because I see many infections present, and I know that most antivirus programs can get rid of them.
You have several nasty infections present.

* Download win32delfkil.exe: http://users.telenet...in32delfkil.exe
Save it on your desktop.
Double click on win32delfkil.exe and install it. This creates a new folder on your desktop: win32delfkil
Close all windows, open the win32delfkil folder and double click on fix.bat.

The computer will reboot automatically.

* Download smitRem and save the file to your desktop.
Double click it and choose install. This will create a new folder on your desktop with the name smitrem.

* Please download the trial version of Ewido Security Suite here:
http://www.ewido.net/en/download/
Please read Ewido Setup Instructions
Install it, and update the definitions to the newest files. Do NOT run a scan yet.

* If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

* Reboot into Safe Mode (without networking support!):
°To get into Safe Mode as the computer is booting, press and hold your "F8" key. Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\WINDOWS\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\secure32.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://g.msn.com/5me...6.2.0137&OS=Win
O2 - BHO: (no name) - {00000000-0000-0000-0000-000000000000} - (no file)
O2 - BHO: (no name) - {11111111-2222-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\netdde.dll
O2 - BHO: C:\WINDOWS\adsldpbc.dll - {6533C8BF-14C0-4873-BA6A-2F433F3840A5} - C:\WINDOWS\adsldpbc.dll
O2 - BHO: C:\WINDOWS\q17531187.dll - {7A7E6D97-B492-4884-9ABB-C31281DCC4F2} - C:\WINDOWS\q17531187.dll
O2 - BHO: (no name) - {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - (no file)
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBarBHO.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [MCCInstall] C:\DOCUME~1\OWNER\LOCALS~1\TEMP\MCCINS~1\MCCINS~1.EXE -Step=13
O4 - HKLM\..\Run: [Distributed Link Transfer Server] nega.exe
O4 - HKLM\..\Run: [Microsoft Services] C:\WINDOWS\System32\bsc32.exe
O4 - HKLM\..\Run: [Services] C:\sv.exe
O4 - HKLM\..\Run: [Spool Sc] spoolsc
O4 - HKLM\..\Run: [Windows Host Name] lmass.exe
O4 - HKLM\..\Run: [Windows secure] setver32.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\System32\paytime.exe
O4 - HKLM\..\RunServices: [Distributed Link Transfer Server] nega.exe
O4 - HKLM\..\RunServices: [Microsoft Services] C:\WINDOWS\System32\bsc32.exe
O4 - HKLM\..\RunServices: [Spool Sc] spoolsc
O4 - HKLM\..\RunServices: [Windows Host Name] lmass.exe
O4 - HKLM\..\RunServices: [Windows secure] setver32.exe
O4 - HKLM\..\RunOnce: [Windows secure] setver32.exe
O4 - HKCU\..\Run: [Windows secure] setver32.exe
O4 - HKCU\..\Run: [Distributed Link Transfer Server] nega.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [SpySheriff] C:\Program Files\SpySheriff\SpySheriff.exe
O4 - HKCU\..\RunOnce: [Windows secure] setver32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O15 - Trusted Zone: *.coolwebsearch.com
O15 - Trusted Zone: *.searchmeup.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\Iesearch.exe
O20 - Winlogon Notify: style32 - C:\WINDOWS\q17531187.dll
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.

* Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\System32\setver32.exe
C:\WINDOWS\System32\nega.exe
C:\WINDOWS\System32\bsc32.exe
C:\sv.exe
C:\WINDOWS\System32\lmass.exe
C:\WINDOWS\System32\paytime.exe
C:\WINDOWS\tool2.exe
C:\winstall.exe
C:\WINDOWS\q17531187.dll

* Go to start > run and copy and paste the next command:

sc delete ISEXEng

* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

* Open Ad-aware and do a full scan. Remove all it finds.

* Now open Ewido Security Suite
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

* Close Ewido

* Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab > uncheck and delete everything you find in there. (except for "My current home page")

* Reboot back into Windows.

* Download: Hoster
Unzip Hoster into its own folder, e.g. C:\Hoster
Start Hoster.exe, click 'Restore Original Hosts' and click OK.

* Download DelDomains.inf and save it to your desktop.
Right-click on it and choose 'install'.

* Perform an online scan with Kaspersky Online Scanner

Click "Launch Kaspersky Anti-Virus Web Scanner"
You will be prompted if you want to install an ActiveX component from Kaspersky, click yes.
This will start downloading the latest definition files.
Once the files have been downloaded click on "Next"

* Click "Scan Settings"
Select the following in Scan Settings (normally they are already selected by default)

°Scan using the following Anti-Virus database: Standard

°Scan Options: Scan Archives
Scan Mail Bases

* Click OK
* Under select a target to scan, select "My Computer"

* This program will start to scan your system.
The scan will take a while so be patient and let it run.
When the scan is done, it will show a list of infected files found.

* Click on the "Save as Text" button:
Save the scan log and post it along with a new HijackThis Log, the log smitfiles.txt (which you will find on your C:\) and the Ewido Log by using Add Reply.
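As an added example (not part of the thread and not HijackThis code), the Python script below encodes the patterns behind the fix list in the post above as checks over HJT log lines; the heuristics and reason strings are my own, and the sample log is a subset of the first post's log with some known-good entries kept as negatives.

```python
"""Heuristic triage of HijackThis 1.99.x log lines.

Added example, not code from this thread or from the HijackThis project. It
turns the patterns behind the expert's fix list into checks over log lines.
"""
import re
from typing import Dict, List

# Constructed sample: lines copied from the first log in this thread, with a
# few known-good entries kept as negatives.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = C:\WINDOWS\secure32.html
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {11111111-2222-408A-9842-CDBE1C6D37EB} - C:\WINDOWS\netdde.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Microsoft Services] C:\WINDOWS\System32\bsc32.exe
O4 - HKLM\..\Run: [Services] C:\sv.exe
O4 - HKLM\..\RunServices: [Windows Host Name] lmass.exe
O15 - Trusted Zone: *.coolwebsearch.com
O16 - DPF: {10000000-1000-0000-1000-000000000000} - file://C:\Program Files\Internet Explorer\Iesearch.exe
O20 - Winlogon Notify: style32 - C:\WINDOWS\q17531187.dll
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

LOCAL_TARGET = re.compile(r"^(?:[A-Za-z]:\\|file://)", re.I)
WINDOWS_LIKE = re.compile(r"\b(?:microsoft|windows|services?|spool)\b", re.I)
IN_WINDOWS_ROOT = re.compile(r"^[A-Za-z]:\\WINDOWS\\[^\\]+$", re.I)
IN_DRIVE_ROOT = re.compile(r"^[A-Za-z]:\\[^\\]+$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[^}]+\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")


def executable_of(cmd: str) -> str:
    """Return the program part of an O4 command line, dropping its switches."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    # Unquoted paths may contain spaces, so split only at a " -x" / " /x" switch.
    return re.split(r"\s+[-/]", cmd, maxsplit=1)[0]


def check_line(line: str) -> List[str]:
    """Return the reasons one HJT line deserves attention (empty if none)."""
    tag = line.split(" - ", 1)[0]
    reasons: List[str] = []
    if tag in ("R0", "R1"):
        if LOCAL_TARGET.match(line.partition(" = ")[2]):
            reasons.append("IE start/default page points at a local file")
    elif tag == "O2" and (m := O2_RE.match(line)):
        if m["name"] == "(no name)" and m["path"] != "(no file)":
            reasons.append("BHO with no display name but a DLL on disk")
        if "\\" in m["name"]:
            reasons.append("BHO display name is a file path")
        if IN_WINDOWS_ROOT.match(m["path"]):
            reasons.append("BHO DLL dropped directly in the Windows folder")
    elif tag == "O4" and (m := O4_RE.match(line)):
        exe = executable_of(m["cmd"])
        if "\\" not in exe:
            # Legitimate software does this too (carpserv.exe in the log above),
            # so a bare name is a prompt to look the file up, not a verdict.
            reasons.append("bare file name, resolved through the search path")
        elif IN_DRIVE_ROOT.match(exe):
            reasons.append("executable sits in the drive root")
        if m["key"].lower() == "runservices":
            reasons.append("RunServices is a Win9x-era key current software does not use")
        if WINDOWS_LIKE.search(m["name"]):
            reasons.append("value name '%s' imitates a Windows component" % m["name"])
    elif tag == "O15" and "Trusted Zone" in line:
        reasons.append("domain added to the IE Trusted Zone, relaxing its security settings")
    elif tag == "O16" and "file://" in line.lower():
        reasons.append("ActiveX (DPF) entry points at a local executable")
    elif tag == "O20" and "\\system32\\" not in line.rsplit(" - ", 1)[-1].lower():
        reasons.append("Winlogon Notify DLL outside System32")
    elif tag == "O23" and ("Unknown owner" in line or "(file missing)" in line):
        reasons.append("service with unknown owner or missing binary")
    return reasons


def flagged(log: str) -> Dict[str, List[str]]:
    """Map every suspicious line of an HJT log to its list of reasons."""
    result: Dict[str, List[str]] = {}
    for raw in log.splitlines():
        line = raw.strip()
        if line and (reasons := check_line(line)):
            result[line] = reasons
    return result


if __name__ == "__main__":
    for line, reasons in flagged(SAMPLE_LOG).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

It judges only the shape of each entry, not file names, so entries the expert knew by name (PayTime, MCCInstall) fall through, and a bare-name entry like CARPService is flagged for lookup rather than condemned.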

#3
celtic4lyf


    New Member

  • Topic Starter
  • Member
  • 6 posts
New HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 22:14:44, on 14/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Jakes\Desktop\security suite\ewidoctrl.exe
C:\Documents and Settings\Jakes\Desktop\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\carpserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Documents and Settings\Jakes\My Documents\All Mine\aim.exe
C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Jakes\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {16875E09-927B-4494-82BD-158A1CD46BA0} - C:\WINDOWS\system32\prflbmsgp32.dll
O2 - BHO: C:\WINDOWS\q660062.dll - {7A7E6D97-B492-4884-9ABB-C31281DCC4F2} - C:\WINDOWS\q660062.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SupaDial] C:\Program Files\SupaDial\SupaDial.exe /A
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\RunServices: [Distributed Link Transfer Server] nega.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WinMX] C:\Program Files\WinMX\WinMX.exe -m
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Documents and Settings\Jakes\My Documents\All Mine\aim.exe -cnetwait.odl
O4 - Global Startup: AudioDeck.lnk = C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Jakes\My Documents\All Mine\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.tiny.com
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O20 - Winlogon Notify: style32 - C:\WINDOWS\q660062.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Jakes\Desktop\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Jakes\Desktop\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe



ewido log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 18:34:37, 14/10/2005
+ Report-Checksum: 4C220F7F

+ Scan result:

HKLM\SOFTWARE\Classes\AdmilliServX.Installer\CLSID\\ -> Spyware.WinFavorites : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/AdmilliServX.dll\\.Owner -> Spyware.WinFavorites : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/AdmilliServX.dll\\{15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} -> Spyware.WinFavorites : Cleaned with backup
HKLM\SOFTWARE\SearchRelevancy -> Spyware.SearchRelevancy : Cleaned with backup
HKLM\SOFTWARE\SearchRelevancy\Update -> Spyware.SearchRelevancy : Cleaned with backup
HKU\S-1-5-21-3984262255-3962308533-486386096-1007\Software\salm -> Spyware.180Solutions : Cleaned with backup
C:\WINDOWS\system32\drivers\etc\hosts -> Trojan.Qhost : Cleaned with backup
C:\WINDOWS\system32\logon.exe -> Backdoor.Zins : Cleaned with backup
C:\WINDOWS\system32\bsc32.exe -> TrojanProxy.Agent.co : Cleaned with backup
C:\WINDOWS\system32\spoolsc -> Backdoor.Wootbot : Cleaned with backup
C:\WINDOWS\system32\exul1.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\adlinstallwin32.exe -> TrojanDownloader.Agent.jq : Cleaned with backup
C:\WINDOWS\system32\tcpG4T.dll -> TrojanSpy.Goldun.bp : Cleaned with backup
C:\WINDOWS\system32\msudp4.sys -> TrojanSpy.Goldun.bf : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\Iesearch.exe -> Backdoor.Zins : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\Iesearch.exe -> Backdoor.Zins : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.2\Iesearch.exe -> Backdoor.Zins : Cleaned with backup
C:\WINDOWS\bbchk.exe -> Spyware.BargainBuddy : Cleaned with backup
C:\WINDOWS\wt\wtupdates\webd\4.1.1\files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINDOWS\wt\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
C:\WINDOWS\tool1.exe -> TrojanDownloader.Small.bnt : Cleaned with backup
C:\WINDOWS\tool4.exe -> Trojan.Qhost.n : Cleaned with backup
C:\WINDOWS\tool5.exe -> Trojan.Qhost.n : Cleaned with backup
C:\WINDOWS\ms1.exe -> TrojanDropper.Microjoin : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OL2V4DA7\0006_adult[1].cab/istactivex.dll -> TrojanDownloader.IstBar.gu : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\09AZ8HYZ\installer[1].dll -> Spyware.Downloadware : Cleaned with backup
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\09AZ8HYZ\0006_adult[1].cab/istactivex.dll -> TrojanDownloader.IstBar.gu : Cleaned with backup
C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr1474\SearchRelevancy1.dll -> Spyware.Relevance : Cleaned with backup
C:\Documents and Settings\Jakes\Local Settings\Application Data\Wildtangent\Cdacache\00\00\0F.dat/files\wtvh.dll -> Spyware.WildTangent : Cleaned with backup
:mozilla.23:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Atdmt : Cleaned with backup
:mozilla.25:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.26:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.27:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.28:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.29:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.31:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.32:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.33:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.34:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.35:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.36:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.37:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.38:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.39:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.40:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.41:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.42:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.43:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.46:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.47:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.52:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.55:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.56:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.57:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.60:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.62:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.63:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.64:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.65:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.66:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.67:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.68:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.69:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.70:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.71:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.72:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.73:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.74:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Advertising : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
:mozilla.91:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Doubleclick : Cleaned with backup
:mozilla.92:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.93:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.94:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.95:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.96:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.97:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.98:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.100:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.101:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.102:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.103:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.104:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.106:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.110:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.111:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.112:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Targetnet : Cleaned with backup
:mozilla.113:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.114:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.115:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.116:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Casalemedia : Cleaned with backup
:mozilla.120:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.121:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Fastclick : Cleaned with backup
:mozilla.122:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.123:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.124:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.125:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.126:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Falkag : Cleaned with backup
:mozilla.128:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Daves\Local Settings\Temp\3.exe -> TrojanSpy.Goldun.bf : Cleaned with backup
C:\Documents and Settings\Daves\Local Settings\Temp\dima2.exe -> TrojanDropper.Agent.py : Cleaned with backup
C:\Documents and Settings\Daves\Local Settings\Temp\tBmp207.exe -> Trojan.Crypt.l : Cleaned with backup
C:\Documents and Settings\Daves\Local Settings\Temp\Cookies\daves@microsoftuk.122.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Daves\Local Settings\Temp\Cookies\daves@microsofteup.112.2o7[2].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\Daves\Start Menu\Programs\SpySheriff -> Spyware.SpySheriff : Cleaned with backup
C:\Documents and Settings\Daves\Start Menu\Programs\SpySheriff\SpySheriff.lnk -> Spyware.SpySheriff : Cleaned with backup
C:\Documents and Settings\Cathy\Cookies\cathy@ad.yieldmanager[2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Cathy\Cookies\cathy@popunder.paypopup[1].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Documents and Settings\Cathy\Cookies\cathy@paypopup[2].txt -> Spyware.Cookie.Paypopup : Cleaned with backup
C:\Program Files\Internet Explorer\Iesearch.exe -> Backdoor.Zins : Cleaned with backup
C:\Program Files\SupaDial\SupaDial.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0062466.EXE -> Backdoor.Wootbot : Cleaned with backup
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063502.dll -> Spyware.SpywareNo : Cleaned with backup
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063503.dll -> Adware.SpySheriff : Cleaned with backup
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063505.exe -> Adware.SpySheriff : Cleaned with backup
C:\Recycled\Dc8.exe -> Backdoor.Rbot : Cleaned with backup
C:\Recycled\Dc10.exe -> Backdoor.Agobot.nq : Cleaned with backup
C:\FOUND.003\FILE0001.CHK -> TrojanDownloader.Small.anu : Cleaned with backup
C:\users.exe -> TrojanProxy.Agent.co : Cleaned with backup
C:\crss.exe -> TrojanProxy.Agent.co : Cleaned with backup


::Report End


smitRem log file
version 2.6

by noahdfear

The current date is: 14/10/2005
The current time is: 16:59:50.45

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


Pre-run Files Present


~~~ Program Files ~~~

SpySheriff


~~~ Shortcuts ~~~

SpySheriff
SpySheriff.lnk


~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~

desktop.html


~~~ Drive root ~~~





Couldn't get the Kaspersky one to work because I have Firefox as my default or something... here are the rest though.

#4 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hello, your log from smitRem isn't complete.
Can you run smitRem again please? No need to perform this in Safe Mode.
Then reboot. Important!!

After reboot..

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {16875E09-927B-4494-82BD-158A1CD46BA0} - C:\WINDOWS\system32\prflbmsgp32.dll
O2 - BHO: C:\WINDOWS\q660062.dll - {7A7E6D97-B492-4884-9ABB-C31281DCC4F2} - C:\WINDOWS\q660062.dll (file missing)
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll
O4 - HKLM\..\Run: [SupaDial] C:\Program Files\SupaDial\SupaDial.exe /A
O4 - HKLM\..\RunServices: [Distributed Link Transfer Server] nega.exe
O20 - Winlogon Notify: style32 - C:\WINDOWS\q660062.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.

Delete the next folder: C:\Program Files\SupaDial

Use Internet Explorer for Kaspersky Online because, as you said, it won't run under Firefox.
So in Start > All Programs, select the Internet Explorer icon to start IE.

Then post a new HijackThis log together with the log from smitRem (smitfiles.txt, which you will find on your C:\) and the log from Kaspersky, because I really need that one!

Edited by miekiemoes, 14 October 2005 - 03:31 PM.

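The entries miekiemoes lists for fixing above share a few recognisable shapes: a BHO with no name, a Run/RunServices value that is a bare file name rather than a full path, and a Winlogon Notify DLL that is missing or sits outside system32. The following is an added example, not part of this thread and not HijackThis's own code: a small reviewer for HijackThis v1.99 log lines that flags those shapes. The sample lines are constructed in the shape of the logs posted here, and the rule names are the example's own.

```python
"""Added example: a small HijackThis (v1.99) log reviewer.

Parses O2/O4/O20 lines and flags the patterns a log reviewer looks for:
dangling entries, nameless BHOs, autostarts given as a bare file name
instead of a full path, and Winlogon Notify DLLs outside system32.
"""
import re

# Constructed sample in the shape of the HijackThis logs in this thread.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {16875E09-927B-4494-82BD-158A1CD46BA0} - C:\WINDOWS\system32\prflbmsgp32.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Distributed Link Transfer Server] nega.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O20 - Winlogon Notify: style32 - C:\WINDOWS\q660062.dll (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
# The stock XP Winlogon Notify DLLs all live directly in system32.
SYSTEM32 = re.compile(r"^[A-Za-z]:\\WINDOWS\\system32\\[^\\]+$", re.IGNORECASE)


def executable_of(cmd):
    """First token of a Run value: the quoted path if quoted, else the first word."""
    cmd = cmd.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        return cmd[1:cmd.index('"', 1)]
    return cmd.split()[0]


def review(text):
    """Return [(rule, line)] for every HJT line that trips a review rule."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        # A reference to a file that no longer exists is a stale hook either way.
        if "(file missing)" in body:
            findings.append(("dangling", line))
        if section == "O2":
            bho = O2_RE.match(body)
            if bho and bho["name"] == "(no name)":
                findings.append(("nameless-bho", line))
        elif section == "O4":
            run = O4_RE.match(body)
            if run:
                exe = executable_of(run["cmd"])
                # A bare name is resolved through the search path at logon,
                # which is how droppers hide a copy in a system directory.
                if "\\" not in exe and "/" not in exe:
                    findings.append(("bare-name", line))
        elif section == "O20":
            notify = O20_RE.match(body)
            if notify:
                path = notify["path"].replace(" (file missing)", "")
                if not SYSTEM32.match(path):
                    findings.append(("notify-outside-system32", line))
    return findings


def rules_for(findings, needle):
    """Set of rule names that fired for lines containing `needle`."""
    return {rule for rule, line in findings if needle in line}


if __name__ == "__main__":
    for rule, line in review(HJT_SAMPLE):
        print(f"{rule:24} {line}")
```

The output is a review list for a human, not a fix list: carpserv.exe trips the bare-name rule exactly as nega.exe does, yet it is not among the entries the expert asked to fix above. A rule like this narrows the log to the handful of lines worth looking up; the decision still rests on what the file is.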

#5 celtic4lyf (Topic Starter, New Member, 6 posts)
Logfile of HijackThis v1.99.1
Scan saved at 00:08:05, on 15/10/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Documents and Settings\Jakes\Desktop\security suite\ewidoctrl.exe
C:\Documents and Settings\Jakes\Desktop\security suite\ewidoguard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\WINDOWS\System32\carpserv.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe
C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe
C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WinMX\WinMX.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\blueyonder IST\bin\mpbtn.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\program files\internet explorer\iexplore.exe
C:\Documents and Settings\Jakes\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\pccguide.exe"
O4 - HKLM\..\Run: [PCCClient.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\PCCClient.exe"
O4 - HKLM\..\Run: [Pop3trap.exe] "C:\Program Files\Trend Micro\PC-cillin 2002\Pop3trap.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WinMX] C:\Program Files\WinMX\WinMX.exe -m
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Documents and Settings\Jakes\My Documents\All Mine\aim.exe -cnetwait.odl
O4 - Global Startup: AudioDeck.lnk = C:\Program Files\VIA Technologies, Inc\VIA Audio Driver Setup Program\AudioDeck\AudioDeck.exe
O4 - Global Startup: blueyonder Instant Support Tool.lnk = C:\Program Files\blueyonder IST\bin\matcli.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Documents and Settings\Jakes\My Documents\All Mine\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.tiny.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O23 - Service: ewido security suite control - ewido networks - C:\Documents and Settings\Jakes\Desktop\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Documents and Settings\Jakes\Desktop\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PC-cillin PersonalFirewall (PCCPFW) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\PCCPFW.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Inc. - C:\Program Files\Trend Micro\PC-cillin 2002\Tmntsrv.exe



-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, October 15, 2005 00:07:44
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 15/10/2005
Kaspersky Anti-Virus database records: 144867
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 68401
Number of viruses found: 21
Number of infected objects: 66
Number of suspicious objects: 0
Duration of the scan process: 3791 sec

Infected Object Name - Virus Name
C:\WINDOWS\system32\o Infected: Trojan-Downloader.BAT.Ftp.c
C:\WINDOWS\system32\avA6.sys Infected: Rootkit.Win32.Agent.an
C:\WINDOWS\system32\countrydial.exe Infected: Trojan-Downloader.Win32.Small.bqx
C:\WINDOWS\loadnew.exe Infected: Trojan-Downloader.Win32.Small.brk
C:\WINDOWS\jqrfzgt1.exe Infected: Trojan-Downloader.Win32.Small.brk
C:\WINDOWS\kl.exe Infected: Trojan-Dropper.Win32.Agent.xr
C:\WINDOWS\tool3.exe Infected: Trojan-Dropper.Win32.Small.afx
C:\WINDOWS\q17505265.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q796984.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\__delete_on_reboot__q660062.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q1997453.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q778390.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q9212687.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q10414187.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q1986937.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q3191687.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q4408062.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q5605515.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q6807484.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q8010437.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q11614171.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q12814406.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q14016140.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q17456062.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q18656015.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q19877859.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q21084765.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q23510421.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q24768890.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q22288843.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q25946015.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q27147437.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q817781.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q761156.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q2024921.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q3234718.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q4438265.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q5641125.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q6859031.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q8071250.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\Documents and Settings\Jakes\Desktop\backups\backup-20051014-165206-307.dll Infected: Trojan-Downloader.Win32.Delf.lh
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe Infected: Trojan-Spy.Win32.Small.dg
C:\Program Files\Windows Media Player\wmplayer.exe.tmp Infected: Trojan-Downloader.Win32.Small.apm
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP191\A0061368.exe Infected: not-virus:Hoax.Win32.Renos.o
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0062455.exe Infected: not-virus:Hoax.Win32.Renos.o
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0062475.exe Infected: not-virus:Hoax.Win32.Renos.o
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063474.exe Infected: not-virus:Hoax.Win32.Renos.o
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063484.dll Infected: Trojan-Downloader.Win32.Delf.lh
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063485.exe Infected: not-virus:Hoax.Win32.Renos.o
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063493.dll Infected: Trojan-Downloader.Win32.Delf.lh
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063507.exe Infected: Backdoor.Win32.Zins.gen
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063508.exe Infected: Trojan-Proxy.Win32.Agent.co
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063510.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063511.dll Infected: Trojan-Spy.Win32.Goldun.bp
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063512.sys Infected: Trojan-Spy.Win32.Goldun.bf
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063516.exe Infected: Trojan-Downloader.Win32.Small.bnt
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063519.exe Infected: Trojan-Dropper.Win32.Microjoin.u
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063521.exe Infected: Backdoor.Win32.Zins.gen
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063523.exe Infected: Backdoor.Win32.Rbot.gen
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063524.exe Infected: Backdoor.Win32.Agobot.nq
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063525.exe Infected: Trojan-Proxy.Win32.Agent.co
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063526.exe Infected: Trojan-Proxy.Win32.Agent.co
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063566.exe Infected: Trojan-Proxy.Win32.Agent.do
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063568.exe Infected: not-virus:Hoax.Win32.Renos.o
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063569.exe Infected: not-virus:Hoax.Win32.Renos.o
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063570.dll Infected: Trojan-Downloader.Win32.Delf.h

Scan process completed.




smitRem log file
version 2.6

by noahdfear

The current date is: 14/10/2005
The current time is: 22:37:51.96

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


Pre-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Post-run Files Present


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :tazz:

#6 miekiemoes (Malware Expert, MVP, 5,503 posts)
Hi, OK, still a lot of files that need to go..

* Download Killbox.
Click killbox.exe.
Select the option "Delete on reboot".

Now copy the next bold text:

C:\WINDOWS\loadnew.exe
C:\WINDOWS\system32\o
C:\WINDOWS\system32\avA6.sys
C:\WINDOWS\system32\countrydial.exe
C:\WINDOWS\jqrfzgt1.exe
C:\WINDOWS\kl.exe
C:\WINDOWS\tool3.exe
C:\WINDOWS\q17505265.dll
C:\WINDOWS\q796984.dll
C:\WINDOWS\__delete_on_reboot__q660062.dll
C:\WINDOWS\q1997453.dll
C:\WINDOWS\q778390.dll
C:\WINDOWS\q9212687.dll
C:\WINDOWS\q10414187.dll
C:\WINDOWS\q1986937.dll
C:\WINDOWS\q3191687.dll
C:\WINDOWS\q4408062.dll
C:\WINDOWS\q5605515.dll
C:\WINDOWS\q6807484.dll
C:\WINDOWS\q8010437.dll
C:\WINDOWS\q11614171.dll
C:\WINDOWS\q12814406.dll
C:\WINDOWS\q14016140.dll
C:\WINDOWS\q17456062.dll
C:\WINDOWS\q18656015.dll
C:\WINDOWS\q19877859.dll
C:\WINDOWS\q21084765.dll
C:\WINDOWS\q23510421.dll
C:\WINDOWS\q24768890.dll
C:\WINDOWS\q22288843.dll
C:\WINDOWS\q25946015.dll
C:\WINDOWS\q27147437.dll
C:\WINDOWS\q817781.dll
C:\WINDOWS\q761156.dll
C:\WINDOWS\q2024921.dll
C:\WINDOWS\q3234718.dll
C:\WINDOWS\q4438265.dll
C:\WINDOWS\q5641125.dll
C:\WINDOWS\q6859031.dll
C:\WINDOWS\q8071250.dll
C:\Documents and Settings\Jakes\Desktop\backups\backup-20051014-165206-307.dll
C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe
C:\Program Files\Windows Media Player\wmplayer.exe.tmp


Open 'File' in the Killbox menu at the top and choose 'Paste from clipboard'.

Now you will see, this is pasted in the "Full Path of File to Delete"-field.
There's a little arrow (dropdown-arrow) next to that field.
If you expand it, these lines must be there together if the files are present!

Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be deleted on next reboot.. Click YES
When it asks if you would like to Reboot now, click YES
If you don't get that message, reboot manually.
Click No at the Pending Operations prompt.

Your computer must reboot now.

Perform a new scan with Kaspersky afterwards and post the log. This time the scan won't take that long. :tazz:
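The Killbox list above is the Kaspersky report with the System Volume Information entries left out: those are System Restore snapshots, which go when System Restore is purged rather than file by file. As an added example, not the thread's own code and not part of ewido, Kaspersky or Killbox, here is a triage script that parses the two report formats shown in this thread, separates live files from restore-point snapshots, ranks detection families and produces the paste list. The sample report lines are constructed in the shape of the logs above, and the severity ranking is the example's own assumption.

```python
"""Added example: triage for pasted ewido and Kaspersky On-line Scanner reports."""
import re
from collections import Counter

# Constructed samples in the shape of the reports posted in this thread.
KASPERSKY_SAMPLE = r"""
Infected Object Name - Virus Name
C:\WINDOWS\system32\avA6.sys Infected: Rootkit.Win32.Agent.an
C:\WINDOWS\q17505265.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\q796984.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\Program Files\Windows Media Player\wmplayer.exe.tmp Infected: Trojan-Downloader.Win32.Small.apm
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063507.exe Infected: Backdoor.Win32.Zins.gen
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP191\A0061368.exe Infected: not-virus:Hoax.Win32.Renos.o

Scan process completed.
"""

EWIDO_SAMPLE = r"""
:mozilla.84:C:\Documents and Settings\Jakes\Application Data\Mozilla\Firefox\Profiles\xo4ye715.default\cookies.txt -> Spyware.Cookie.Valueclick : Cleaned with backup
C:\Program Files\Internet Explorer\Iesearch.exe -> Backdoor.Zins : Cleaned with backup
C:\Recycled\Dc8.exe -> Backdoor.Rbot : Cleaned with backup
C:\users.exe -> TrojanProxy.Agent.co : Cleaned with backup
"""

# Kaspersky On-line Scanner: "<path> Infected: <detection>"
KASPERSKY_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+)$")
# ewido: "[:mozilla.N:]<path> -> <detection> : <action>"
EWIDO_RE = re.compile(r"^(?::mozilla\.\d+:)?(?P<path>.+?) -> (?P<name>[\w.-]+) : (?P<action>.+)$")
# System Restore snapshots; cleared by purging System Restore, not one file at a time.
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\")

# Ranking of detection families (assumption made for this example):
# 3 = remote control / credential theft, 2 = downloaders, droppers, proxies,
# 1 = nuisance, 0 = tracking cookies, which are rows in cookies.txt, not files.
SEVERITY = (
    ("Rootkit", 3), ("Backdoor", 3), ("Trojan-Spy", 3), ("TrojanSpy", 3),
    ("Trojan-Proxy", 2), ("TrojanProxy", 2), ("Trojan-Downloader", 2),
    ("TrojanDownloader", 2), ("Trojan-Dropper", 2), ("TrojanDropper", 2),
    ("Hoax", 1), ("Spyware.Cookie", 0),
)


def severity(name):
    """Map a detection name to the ranking above; unknown families get 1."""
    family = name.split(":")[-1]  # drop "not-virus:" style prefixes
    for prefix, level in SEVERITY:
        if family.startswith(prefix):
            return level
    return 1


def is_restore_point(path):
    return RESTORE_RE.search(path) is not None


def _parse(text, pattern):
    hits = []
    for line in text.splitlines():
        m = pattern.match(line.strip())
        if m:
            hits.append((m["path"], m["name"]))
    return hits


def parse_kaspersky(text):
    """Return [(path, detection)] from a Kaspersky On-line Scanner report."""
    return _parse(text, KASPERSKY_RE)


def parse_ewido(text):
    """Return [(path, detection)] from an ewido report."""
    return _parse(text, EWIDO_RE)


def delete_on_reboot_list(hits):
    """Unique live file paths worth pasting into a delete-on-reboot tool;
    restore-point copies and cookie rows are left out."""
    paths = {p for p, n in hits if severity(n) > 0 and not is_restore_point(p)}
    return sorted(paths, key=str.lower)


def triage(hits):
    """Summarise a report: family counts, live vs. snapshot split, worst live level."""
    live = [(p, n) for p, n in hits if not is_restore_point(p)]
    return {
        "families": Counter(n for _, n in hits),
        "live": len(live),
        "snapshots": len(hits) - len(live),
        "worst": max((severity(n) for _, n in live), default=0),
    }


if __name__ == "__main__":
    hits = parse_kaspersky(KASPERSKY_SAMPLE) + parse_ewido(EWIDO_SAMPLE)
    print(triage(hits))
    print("\n".join(delete_on_reboot_list(hits)))
```

The "worst" level is the check a practitioner wants before spending another round on cleaning: a live rootkit driver or an IRC bot family (Rbot, Agobot) outside the snapshots is where rebuilding the machine becomes the safer call, whatever the next scan reports.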

#7 celtic4lyf (Topic Starter, New Member, 6 posts)
-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Saturday, October 15, 2005 14:37:20
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 15/10/2005
Kaspersky Anti-Virus database records: 144927
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 68877
Number of viruses found: 20
Number of infected objects: 105
Number of suspicious objects: 0
Duration of the scan process: 5245 sec

Infected Object Name - Virus Name
C:\Documents and Settings\Jakes\Desktop\Computer Stuff\backups\backup-20051014-165206-307.dll Infected: Trojan-Downloader.Win32.Delf.lh
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP191\A0061368.exe Infected: not-virus:Hoax.Win32.Renos.o
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0062455.exe Infected: not-virus:Hoax.Win32.Renos.o
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0062475.exe Infected: not-virus:Hoax.Win32.Renos.o
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063474.exe Infected: not-virus:Hoax.Win32.Renos.o
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063484.dll Infected: Trojan-Downloader.Win32.Delf.lh
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063485.exe Infected: not-virus:Hoax.Win32.Renos.o
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063493.dll Infected: Trojan-Downloader.Win32.Delf.lh
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063507.exe Infected: Backdoor.Win32.Zins.gen
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063508.exe Infected: Trojan-Proxy.Win32.Agent.co
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063510.exe Infected: Trojan-Downloader.Win32.Agent.jq
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063511.dll Infected: Trojan-Spy.Win32.Goldun.bp
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063512.sys Infected: Trojan-Spy.Win32.Goldun.bf
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063516.exe Infected: Trojan-Downloader.Win32.Small.bnt
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063519.exe Infected: Trojan-Dropper.Win32.Microjoin.u
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063521.exe Infected: Backdoor.Win32.Zins.gen
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063523.exe Infected: Backdoor.Win32.Rbot.gen
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063524.exe Infected: Backdoor.Win32.Agobot.nq
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063525.exe Infected: Trojan-Proxy.Win32.Agent.co
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063526.exe Infected: Trojan-Proxy.Win32.Agent.co
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063566.exe Infected: Trojan-Proxy.Win32.Agent.do
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063568.exe Infected: not-virus:Hoax.Win32.Renos.o
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063569.exe Infected: not-virus:Hoax.Win32.Renos.o
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063570.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063583.exe Infected: Trojan-Downloader.Win32.Small.brk
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063584.sys Infected: Rootkit.Win32.Agent.an
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063585.exe Infected: Trojan-Downloader.Win32.Small.bqx
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063586.exe Infected: Trojan-Downloader.Win32.Small.brk
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063587.exe Infected: Trojan-Dropper.Win32.Agent.xr
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063588.exe Infected: Trojan-Dropper.Win32.Small.afx
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063589.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063590.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063591.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063592.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063593.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063594.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063595.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063596.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063597.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063598.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063599.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063600.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063601.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063602.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063603.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063604.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063605.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063606.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063607.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063608.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063609.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063610.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063611.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063612.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063613.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063614.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063615.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063616.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063617.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063618.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063619.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063620.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063621.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063622.exe Infected: Trojan-Spy.Win32.Small.dg
C:\!KillBox\wmplayer.exe.tmp Infected: Trojan-Downloader.Win32.Small.apm
C:\!KillBox\ibm00001.exe Infected: Trojan-Spy.Win32.Small.dg
C:\!KillBox\q8071250.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\q6859031.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\q5641125.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\q4438265.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\q3234718.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\q2024921.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\q761156.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\q817781.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\q27147437.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\q25946015.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\q22288843.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\q24768890.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\q23510421.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\q21084765.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\q19877859.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\q18656015.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\q17456062.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\q14016140.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\q12814406.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\q11614171.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\q8010437.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\q6807484.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\q5605515.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\q4408062.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\q3191687.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\q1986937.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\q10414187.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\q9212687.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\q778390.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\q1997453.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\__delete_on_reboot__q660062.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\q796984.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\q17505265.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\tool3.exe Infected: Trojan-Dropper.Win32.Small.afx
C:\!KillBox\kl.exe Infected: Trojan-Dropper.Win32.Agent.xr
C:\!KillBox\jqrfzgt1.exe Infected: Trojan-Downloader.Win32.Small.brk
C:\!KillBox\countrydial.exe Infected: Trojan-Downloader.Win32.Small.bqx
C:\!KillBox\avA6.sys Infected: Rootkit.Win32.Agent.an
C:\!KillBox\loadnew.exe Infected: Trojan-Downloader.Win32.Small.brk

Scan process completed.

Are the ones in KillBox not harmful then? I'm pretty stumped about how many are still around.
  • 0
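The Kaspersky log above lists every detection by full path, so the question of "how many are still around" comes down to where each hit lives: inside a System Restore point, inside the KillBox quarantine folder, or at a live path on the system. The following is an added Python example (not from this thread or from Kaspersky) that parses lines in that `path Infected: name` format and groups them by location; the sample log is constructed here in the same format, and the live path `C:\WINDOWS\System32\example_live.dll` is a made-up illustration, not a file from the scan above.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# One detection line: "<full path> Infected: <detection name>"
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+)\s*$")

# Constructed sample in the format of the Kaspersky log: two restore-point
# entries, two KillBox quarantine entries and one hypothetical live file.
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063584.sys Infected: Rootkit.Win32.Agent.an
C:\System Volume Information\_restore{8D7469A4-B487-48B9-8782-B05185F76186}\RP193\A0063589.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\!KillBox\avA6.sys Infected: Rootkit.Win32.Agent.an
C:\!KillBox\q8071250.dll Infected: Trojan-Downloader.Win32.Delf.h
C:\WINDOWS\System32\example_live.dll Infected: Trojan-Downloader.Win32.Delf.h

Scan process completed.
"""


@dataclass(frozen=True)
class Detection:
    path: str
    name: str
    location: str  # "restore_point", "quarantine" or "live"


def classify(path: str) -> str:
    """Decide where a flagged file lives, based on well-known path prefixes."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"   # copy held by System Restore, gone once restore points are purged
    if "\\!killbox\\" in p:
        return "quarantine"      # file already moved aside by KillBox
    return "live"                # anything else is still in place on the system


def parse_log(text: str) -> List[Detection]:
    """Extract every 'Infected:' line; other lines (blank, 'Scan process completed.') are ignored."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append(Detection(m["path"], m["name"], classify(m["path"])))
    return found


def summarize(detections: List[Detection]) -> Dict[str, Dict[str, int]]:
    """Counts per location and per detection name."""
    return {
        "by_location": dict(Counter(d.location for d in detections)),
        "by_name": dict(Counter(d.name for d in detections)),
    }


def live_detections(detections: List[Detection]) -> List[Detection]:
    """The subset that still needs cleanup: hits outside restore points and quarantine."""
    return [d for d in detections if d.location == "live"]


if __name__ == "__main__":
    dets = parse_log(SAMPLE_LOG)
    print(summarize(dets))
    for d in live_detections(dets):
        print("still live:", d.path, d.name)
```

Run against the full log above, everything lands in `restore_point` or `quarantine` and `live_detections` comes back empty, which is the same conclusion the next reply reaches: purge the restore points and the KillBox folder and the scan comes up clean.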

#8
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hello,

You may delete the following folder: C:\Killbox.
Also delete the backups folder present on your desktop.

Also perform the following:

Disable your System Restore (note: this will delete all your system restore points and any malware that was present in them).
How to disable system restore in XP
Reboot, and after rebooting, enable it again, so a new system restore point will be made. A clean one now! :tazz:

Performing the above will give you a clean Kaspersky log. :)

To keep this clean in the future, I would suggest the following things:

Install SpywareBlaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

Avoid illegal sites, because that's where most malware is present.

Let your anti-spyware scanner(s) scan frequently, and don't forget to update them before.

And I do suggest you perform an online virus scan once in a while (Housecall and/or Bitdefender), because what one virus scanner can't find, another one maybe can.
Also make sure that your virus scanner, the one that is installed on your system, is always up to date!

Make sure your Windows has the latest updates, so visit ASAP: http://windowsupdate.microsoft.com/ to update to SP2.

If you are having XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft...xp/iesecxp.mspx

More info on how to prevent malware you can also find here (By Tony Klein)

Happy surfing again! :woot:
  • 0

#9
celtic4lyf

celtic4lyf

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Wowie, thank you so much!!! I will take care of my computer from now on :tazz: Knowing how bad it would get otherwise will be guidance enough, but I will use your precautions to the letter. :) Goodbye for now.
  • 0

#10
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :tazz:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0