Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

I'm pretty sure I have Win32.P2P-Worm.Alcan.a

Started by waxy , Nov 18 2005 10:45 PM

  • Please log in to reply

#1
waxy
Posted 18 November 2005 - 10:45 PM

waxy

    Member

  • Member
  • PipPip
  • 28 posts
I ran Ad-aware, spyboy and housecall, then got the hijackthis log below

Thanks for any help!



Logfile of HijackThis v1.99.1
Scan saved at 8:38:30 PM, on 11/18/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\MoodLogic\Service\Updater.exe
C:\Program Files\winupdates\winupdates.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=localhost:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MoodLogic Service] C:\Program Files\MoodLogic\Service\MLService.exe
O4 - HKLM\..\Run: [MoodLogic Updater] C:\Program Files\MoodLogic\Service\Updater.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Download using ReGet - C:\Program Files\ReGet\RG_Link.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &List for ReGet - C:\Program Files\ReGet\RG_List.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download All by Re&Get - C:\Program Files\ReGet\RG_All.htm
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ReGet - {38AAF320-C5B4-11D1-B75E-111111111111} - C:\Program Files\ReGet\ReGet.dll (HKCU)
O9 - Extra 'Tools' menuitem: &Re&Get - {38AAF320-C5B4-11D1-B75E-111111111111} - C:\Program Files\ReGet\ReGet.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.side...00719/sb026.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...54/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126673542734
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx...erInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\McAfee\Dr Solomon's Anti-Virus\Avsynmgr.exe (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - C:\Program Files\McAfee.com\VSO\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
  • 0

Advertisements

#2
Armodeluxe
Posted 29 November 2005 - 10:45 AM

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Hi waxy,

1)Download Brute Force Uninstaller.
Unzip it to it’s own folder (c:\BFU)

[Start the Brute Force Uninstaller by doubleclicking BFU.exe

Next to the 'scriptfile to execute'-window you'll see a little icon. When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste next URL:

http://metallica.gee.../p2pnetwork.bfu

Press execute and let it do it’s job.

Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

2)Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under select a target to scan:Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
3)Please post a new HijackThis log and Kaspersky results..
  • 0

#3
waxy
Posted 29 November 2005 - 10:05 PM

waxy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Here's the Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Tuesday, November 29, 2005 20:03:14
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 30/11/2005
Kaspersky Anti-Virus database records: 162248
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 90725
Number of viruses found: 25
Number of infected objects: 217
Number of suspicious objects: 2
Duration of the scan process: 7171 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BackWeblite.zip/backWeb-8876480.exe Suspicious: Password-protected-EXE
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BackWeblite.zip Suspicious: Password-protected-EXE
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-54e95580-3c57295c.RB0/BlackBox.class Infected: Trojan.Java.ClassLoader.z
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-54e95580-3c57295c.RB0/VB.class Infected: Trojan.Java.ClassLoader.ak
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-54e95580-3c57295c.RB0/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-54e95580-3c57295c.RB0 Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-54e95580-3c57295c.RB1/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\archive.jar-54e95580-3c57295c.RB1 Infected: Trojan-Downloader.Java.OpenConnection.v
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\c.jar-4027eb96-1b36ca24.RB0/BB.class Infected: Trojan.Java.ClassLoader.o
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\c.jar-4027eb96-1b36ca24.RB0/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.k
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\c.jar-4027eb96-1b36ca24.RB0/Dummy.class Infected: Trojan.Java.ClassLoader.Dummy.c
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\c.jar-4027eb96-1b36ca24.RB0/VerifierBug.class Infected: Exploit.Java.Bytverify
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\c.jar-4027eb96-1b36ca24.RB0 Infected: Exploit.Java.Bytverify
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\c.jar-4027eb96-1b36ca24.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.k
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\c.jar-4027eb96-1b36ca24.zip Infected: Trojan-Downloader.Java.OpenConnection.k
C:\Documents and Settings\Owner\Complete\14 Autodesk AutoCAD 2006 Products.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\14 Autodesk AutoCAD 2006 Products.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\30 Movies.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\30 Movies.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Adobe Photoshop Album 2.0.1.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Adobe Photoshop Album 2.0.1.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Ahead Nero 7.0 Ultra.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Ahead Nero 7.0 Ultra.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Akon - In your Eyes.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Akon - In your Eyes.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Ash Ra Tempel - The Private Tapes Vol. 6.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Ash Ra Tempel - The Private Tapes Vol. 6.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Autoruns 8.4.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Autoruns 8.4.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Blur - The Best of.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Blur - The Best of.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Britney SPEARS - Someday I Will Understa.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Britney SPEARS - Someday I Will Understa.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Call of Duty 2.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Call of Duty 2.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\CDCheck 3.1.8.1b.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\CDCheck 3.1.8.1b.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Crazy Taxi 3 High Roller.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Crazy Taxi 3 High Roller.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Dance eJay 7 Full 2CD.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Dance eJay 7 Full 2CD.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Date Cracker 2000.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Date Cracker 2000.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\DJ Envy - Def Jam R&B(2005).zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\DJ Envy - Def Jam R&B(2005).zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Duplicate MP3 File Finder 6.0.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Duplicate MP3 File Finder 6.0.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Emergency 3.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Emergency 3.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Fantastic 4.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Fantastic 4.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\FANTASY VII.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\FANTASY VII.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\FireFox 1.07.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\FireFox 1.07.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Foo Fighters - The Colour and the Shape.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Foo Fighters - The Colour and the Shape.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Get Rich or Die Tryin.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Get Rich or Die Tryin.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Google Webcam Hack.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Google Webcam Hack.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Great Metal Covers 25.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Great Metal Covers 25.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Green Day - Bullet In A Bible.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Green Day - Bullet In A Bible.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Hacker 2005 - The Broken Link.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Hacker 2005 - The Broken Link.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Harry Potter & The Goblet Of Fire.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Harry Potter & The Goblet Of Fire.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\House of Wax dvd-rip.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\House of Wax dvd-rip.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Icash 3.01.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Icash 3.01.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\IE Tab 1.0.6.4.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\IE Tab 1.0.6.4.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\IERescuer 1.2.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\IERescuer 1.2.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\ImTOO 3GP Video Converter 2.1.55.1117b.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\ImTOO 3GP Video Converter 2.1.55.1117b.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\IsoBuster Pro 1.6.0.19.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\IsoBuster Pro 1.6.0.19.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Land of the dead (2005).zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Land of the dead (2005).zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Live Billiards Deluxe 1.5.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Live Billiards Deluxe 1.5.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Logo Creators AIO.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Logo Creators AIO.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\MahJong Suite 2005 2.10.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\MahJong Suite 2005 2.10.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\McAfee 2005.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\McAfee 2005.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Mean Girl.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Mean Girl.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\MediaMonkey 2.5.1.918.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\MediaMonkey 2.5.1.918.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Morpheus Acceleration Patch 3.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Morpheus Acceleration Patch 3.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Mozilla Firefox 1.5.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Mozilla Firefox 1.5.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\MSN Messenger 8.0.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\MSN Messenger 8.0.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\MSN Messenger 8.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\MSN Messenger 8.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Need For Speed Most Wanted.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Need For Speed Most Wanted.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Network Security Tools.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Network Security Tools.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Norton Ghost 10.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Norton Ghost 10.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Norton SystemWorks 2006.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Norton SystemWorks 2006.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Operation Flashpoint Platinum.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Operation Flashpoint Platinum.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\PC Magazine December 6 2005.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\PC Magazine December 6 2005.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\PC Magazine Home Networking Solutions.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\PC Magazine Home Networking Solutions.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Pink Floyd - Dark Side of the Moon.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Pink Floyd - Dark Side of the Moon.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Piotr Banach - Wu-Wei.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Piotr Banach - Wu-Wei.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Postal 2 Apocalypse Weekend.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Postal 2 Apocalypse Weekend.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\RapidShare Checker.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\RapidShare Checker.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Real Jigsaw Puzzle 1.0.6.927.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Real Jigsaw Puzzle 1.0.6.927.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Registry Repair 2006 4.0.1.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Registry Repair 2006 4.0.1.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Remote Password Stealer 2.7.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Remote Password Stealer 2.7.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Resident Evil 2 The Apocalypse.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Resident Evil 2 The Apocalypse.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Rock Ballads III.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Rock Ballads III.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Roswell Pinball.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Roswell Pinball.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\SAS Anti-Terror Force.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\SAS Anti-Terror Force.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Shut Down Expert 4.7.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Shut Down Expert 4.7.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Star Wolves.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Star Wolves.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Symantec Antivirus Corporate.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Symantec Antivirus Corporate.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\The Matrix The Path of Neo.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\The Matrix The Path of Neo.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\The Notorious B.I.G. w Frank Sinatra.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\The Notorious B.I.G. w Frank Sinatra.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Transporter 2.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Transporter 2.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Troy.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Troy.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\USB Info 1.3.0.0.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\USB Info 1.3.0.0.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\VA - Massive Xmas Hits.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\VA - Massive Xmas Hits.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\VA - The Best Cinema Classics.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\VA - The Best Cinema Classics.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\VA - The Crow OST.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\VA - The Crow OST.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\VideoLAN Client 0.8.4.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\VideoLAN Client 0.8.4.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\webcamXP Pro 2.20.024.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\webcamXP Pro 2.20.024.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\WebEditor 2006 Suite.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\WebEditor 2006 Suite.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Wma to mp3 converter 2.8.5.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\Wma to mp3 converter 2.8.5.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\XoftSpy 4.1.9.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\XoftSpy 4.1.9.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\XPlorer 0.50.111.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Complete\XPlorer 0.50.111.zip Infected: Worm.Win32.VB.an
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Deleted Items.dbx/[From eBay Inc <[email protected]>][Date Thu, 13 Oct 2005 01:41:32 +0600]/UNNAMED/html Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Deleted Items.dbx/[From eBay Inc <[email protected]>][Date Thu, 13 Oct 2005 01:41:32 +0600]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Deleted Items.dbx/[From eBay Inc <[email protected]>][Date Wed, 09 Nov 2005 19:44:06 -0200]/UNNAMED/html Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Deleted Items.dbx/[From eBay Inc <[email protected]>][Date Wed, 09 Nov 2005 19:44:06 -0200]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Deleted Items.dbx/[From <[email protected]>][Date Tue, 22 Nov 2005 09:08:53 -0500]/UNNAMED/aeq483.zip/gsbill.exe Infected: Trojan-Proxy.Win32.Agent.hx
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Deleted Items.dbx/[From <[email protected]>][Date Tue, 22 Nov 2005 09:08:53 -0500]/UNNAMED/aeq483.zip Infected: Trojan-Proxy.Win32.Agent.hx
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Deleted Items.dbx/[From <[email protected]>][Date Tue, 22 Nov 2005 09:08:53 -0500]/UNNAMED Infected: Trojan-Proxy.Win32.Agent.hx
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Deleted Items.dbx Infected: Trojan-Proxy.Win32.Agent.hx
C:\MIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.91
C:\Program Files\Common Files\Totem Shared\Update\dial.dll.016 Infected: not-a-virus:Dialer.Win32.DialerOffline
C:\Program Files\Common Files\Totem Shared\Update\DialerOffline.dll.010 Infected: not-a-virus:Dialer.Win32.DialerOffline
C:\Program Files\ReGet\rgl17.exe/tsad.dll Infected: not-a-virus:AdWare.Win32.TimeSinc
C:\Program Files\ReGet\rgl17.exe/TSAdBot.exe Infected: not-a-virus:AdWare.Win32.TimeSink
C:\Program Files\ReGet\rgl17.exe Infected: not-a-virus:AdWare.Win32.TimeSink
C:\Program Files\winupdates\a.tmp Infected: Worm.Win32.VB.an
C:\Program Files\winupdates\a.zip/Setup.exe Infected: Worm.Win32.VB.an
C:\Program Files\winupdates\a.zip Infected: Worm.Win32.VB.an
C:\Program Files\winupdates\winupdates.exe Infected: Worm.Win32.VB.an
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1015\A0117187.dll Infected: not-a-virus:AdWare.Win32.VirtualBouncer.g
C:\WINDOWS\Downloaded Program Files\SbCIe026.dll Infected: not-a-virus:AdWare.Win32.SideStep.c
C:\WINDOWS\SYSTEM32\BO2802040113.dll Infected: not-a-virus:AdWare.Win32.VirtualBouncer.d
C:\WINDOWS\SYSTEM32\BO2804040113.exe Infected: not-a-virus:AdWare.Win32.VirtualBouncer.d
C:\WINDOWS\SYSTEM32\ezStub3.dll Infected: not-a-virus:AdWare.Win32.EZula.a
C:\WINDOWS\SYSTEM32\iexplore.exe Infected: Backdoor.Win32.Netsnake.h
C:\WINDOWS\SYSTEM32\index.exe Infected: Backdoor.Win32.Netsnake.h
C:\WINDOWS\SYSTEM32\KVIF_7.dll/data0002/data0002 Infected: Trojan-Downloader.Win32.Keenval
C:\WINDOWS\SYSTEM32\KVIF_7.dll/data0002/data0004 Infected: Trojan-Downloader.Win32.Keenval
C:\WINDOWS\SYSTEM32\KVIF_7.dll/data0002/data0005 Infected: Trojan-Downloader.Win32.Keenval
C:\WINDOWS\SYSTEM32\KVIF_7.dll/data0002 Infected: Trojan-Downloader.Win32.Keenval
C:\WINDOWS\SYSTEM32\KVIF_7.dll/data0008 Infected: Trojan-Downloader.Win32.Keenval.e
C:\WINDOWS\SYSTEM32\KVIF_7.dll/data0009 Infected: Trojan-Downloader.Win32.Keenval.e
C:\WINDOWS\SYSTEM32\KVIF_7.dll Infected: Trojan-Downloader.Win32.Keenval.e
C:\WINDOWS\SYSTEM32\SHAgentNew.dll Infected: not-a-virus:AdWare.Win32.Sahat.g
F:\David\EXE\Azureus_2.1.0.4_Win32.setup.exe/stream/data0006 Infected: Trojan.Win32.Qrap
F:\David\EXE\Azureus_2.1.0.4_Win32.setup.exe/stream/data0007/stream/data0001 Infected: Trojan.Win32.Pakes
F:\David\EXE\Azureus_2.1.0.4_Win32.setup.exe/stream/data0007/stream Infected: Trojan.Win32.Pakes
F:\David\EXE\Azureus_2.1.0.4_Win32.setup.exe/stream/data0007 Infected: Trojan.Win32.Pakes
F:\David\EXE\Azureus_2.1.0.4_Win32.setup.exe/stream Infected: Trojan.Win32.Pakes
F:\David\EXE\Azureus_2.1.0.4_Win32.setup.exe Infected: Trojan.Win32.Pakes
F:\David\EXE\rgb17_459.exe/TSUninst.exe Infected: not-a-virus:AdWare.Win32.TimeSink
F:\David\EXE\rgb17_459.exe/AdSetup.exe/EXE-file Infected: not-a-virus:AdWare.Win32.TimeSink
F:\David\EXE\rgb17_459.exe/AdSetup.exe Infected: not-a-virus:AdWare.Win32.TimeSink
F:\David\EXE\rgb17_459.exe Infected: not-a-virus:AdWare.Win32.TimeSink
F:\David\EXE\rgl17en[1].exe/tsad.dll Infected: not-a-virus:AdWare.Win32.TimeSinc
F:\David\EXE\rgl17en[1].exe/TSAdBot.exe Infected: not-a-virus:AdWare.Win32.TimeSink
F:\David\EXE\rgl17en[1].exe Infected: not-a-virus:AdWare.Win32.TimeSink

Scan process completed.
  • 0

#4
waxy
Posted 29 November 2005 - 10:07 PM

waxy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Here's a new hijackthis log:


Logfile of HijackThis v1.99.1
Scan saved at 8:04:15 PM, on 11/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\windows\system\hpsysdrv.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\MoodLogic\Service\Updater.exe
C:\Program Files\winupdates\winupdates.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\LimeWire\LimeWire.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 219.94.39.234:3128
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MoodLogic Service] C:\Program Files\MoodLogic\Service\MLService.exe
O4 - HKLM\..\Run: [MoodLogic Updater] C:\Program Files\MoodLogic\Service\Updater.exe
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Download using ReGet - C:\Program Files\ReGet\RG_Link.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &List for ReGet - C:\Program Files\ReGet\RG_List.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download All by Re&Get - C:\Program Files\ReGet\RG_All.htm
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ReGet - {38AAF320-C5B4-11D1-B75E-111111111111} - C:\Program Files\ReGet\ReGet.dll (HKCU)
O9 - Extra 'Tools' menuitem: &Re&Get - {38AAF320-C5B4-11D1-B75E-111111111111} - C:\Program Files\ReGet\ReGet.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.side...00719/sb026.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...54/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126673542734
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx...erInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\McAfee\Dr Solomon's Anti-Virus\Avsynmgr.exe (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - C:\Program Files\McAfee.com\VSO\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
  • 0

#5
Armodeluxe
Posted 30 November 2005 - 10:00 AM

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Please download Intermute's CWShredder from here:
http://cwshredder.ne.../CWShredder.exe
Save it to the desktop but do NOT run it yet.

First, download and install CleanUp! but do not run it yet.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

Please download Ewido Security Suite (do NOT run it yet!)
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update click the OK button
  • The program will now go to the main screen
  • You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
  • The update will start and a progress bar will show the updates being installed
  • After the updates are installed, exit Ewido
Please download the Killbox.
Unzip it to the desktop.

1) Please run Killbox.

2) Select "Delete on Reboot". Go to Options>Delete on Reboot and select "Process all on list"

3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\Program Files\winupdates\winupdates.exe
C:\Program Files\winupdates\a.tmp
C:\Program Files\winupdates\a.zip
C:\Program Files\ReGet\rgl17.exe
C:\WINDOWS\Downloaded Program Files\SbCIe026.dll
C:\WINDOWS\SYSTEM32\BO2802040113.dll
C:\WINDOWS\SYSTEM32\BO2804040113.exe
C:\WINDOWS\SYSTEM32\ezStub3.dll
C:\WINDOWS\SYSTEM32\iexplore.exe
C:\WINDOWS\SYSTEM32\index.exe
C:\WINDOWS\SYSTEM32\KVIF_7.dll
C:\WINDOWS\SYSTEM32\SHAgentNew.dll
C:\WINDOWS\SYSTEM32\CMD.COM
C:\WINDOWS\SYSTEM32\netstat.com
C:\WINDOWS\SYSTEM32\ping.com
C:\WINDOWS\SYSTEM32\regedit.com
C:\WINDOWS\SYSTEM32\tasklist.com
C:\WINDOWS\SYSTEM32\taskkill.com
C:\WINDOWS\SYSTEM32\taskmgr.com
C:\WINDOWS\SYSTEM32\tracert.com
C:\WINDOWS\SYSTEM32\msconfig.com
F:\David\EXE\Azureus_2.1.0.4_Win32.setup.exe
F:\David\EXE\rgb17_459.exe
F:\David\EXE\rgl17en[1].exe


4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the Do You Want to Reboot Now prompt.

Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Once in Safe Mode:

Please run CWShredder, and click Fix.

Open HijackThis and click Scan. Put a check next to these:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O4 - HKLM\..\Run: [winupdates] C:\Program Files\winupdates\winupdates.exe /auto
O4 - HKCU\..\Run: [uninstal] regsvr32 /u /s image.dll
O4 - Global Startup: winlogin.exe
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\Program Files\AOL Toolbar\toolbar.dll (file missing)
O16 - DPF: {0837121A-6472-43BD-8A40-D9221FF1C4CE} - http://download.side...00719/sb026.cab


Close all other windows except HijackThis and click Fix Checked.

Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

Now delete these folders in bold:

C:\Program Files\Common Files\Totem Shared
C:\Documents and Settings\Owner\Complete
C:\Program Files\winupdates

Delete everything in these folders but not the folders:

C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar
C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{5692575C-2549-44B4-816F-D2676C27C45B}\Microsoft\Outlook Express\Deleted Items.dbx

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

If Cleanup! asks if you want to reboot, click NO

Open Ewido
  • Click on scanner
  • Click Complete System Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "remove", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
  • Exit Ewido
Reboot back to normal mode and post a new HijackThis log along with the Ewido log. Any persisting problems?
  • 0

#6
waxy
Posted 30 November 2005 - 11:40 PM

waxy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
I just finished with everything. Hijackthis! told me it couldn't fix "O4 - Global Startup: winlogin.exe" saying that I should close it in the task manager. I couldn't find it there, so I just contnued without doing anyhting about it. Also, at the end of the Ewido scan it told me a few things that it couldnt remove, most of which were among Killbox files, and also something in a system restore archive. I ignored those, too. Now that i've restarted so far so good.

Here's the Hijackthis log:


Logfile of HijackThis v1.99.1
Scan saved at 9:32:47 PM, on 11/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\WINDOWS\system32\S3tray2.exe
C:\Program Files\McAfee\QuickClean\Plguni.exe
C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
C:\Program Files\MoodLogic\Service\Updater.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HiJack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us4.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 219.94.39.234:3128
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - C:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O3 - Toolbar: &Zero-Knowledge Freedom - {FA91B828-F937-4568-82C1-843627E63ED7} - C:\Program Files\Zero Knowledge\Freedom\BandObjs.dll
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [Imonitor] "C:\Program Files\McAfee\QuickClean\Plguni.exe" /START
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_04\bin\jusched.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [IPInSightLAN 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [IPInSightMonitor 01] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPMon32.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Iomega Drive Icons] C:\Program Files\Iomega\DriveIcons\ImgIcon.exe
O4 - HKLM\..\Run: [Deskup] C:\Program Files\Iomega\DriveIcons\deskup.exe /IMGSTART
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MoodLogic Service] C:\Program Files\MoodLogic\Service\MLService.exe
O4 - HKLM\..\Run: [MoodLogic Updater] C:\Program Files\MoodLogic\Service\Updater.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunOnce: [WIAWizardMenu] RUNDLL32.EXE C:\WINDOWS\system32\sti_ci.dll,WiaCreateWizardMenu
O4 - HKCU\..\Run: [MoneyAgent] "c:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - Global Startup: winlogin.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Download using ReGet - C:\Program Files\ReGet\RG_Link.htm
O8 - Extra context menu item: &Highlight - C:\WINDOWS\WEB\highlight.htm
O8 - Extra context menu item: &Links List - C:\WINDOWS\WEB\urllist.htm
O8 - Extra context menu item: &List for ReGet - C:\Program Files\ReGet\RG_List.htm
O8 - Extra context menu item: &Web Search - C:\WINDOWS\WEB\selsearch.htm
O8 - Extra context menu item: Download all by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download All by Re&Get - C:\Program Files\ReGet\RG_All.htm
O8 - Extra context menu item: Download by Net Transport - C:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: I&mages List - C:\WINDOWS\Web\imglist.htm
O8 - Extra context menu item: Open Frame in &New Window - C:\WINDOWS\WEB\frm2new.htm
O8 - Extra context menu item: Zoom &In - C:\WINDOWS\WEB\zoomin.htm
O8 - Extra context menu item: Zoom O&ut - C:\WINDOWS\WEB\zoomout.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_04\bin\npjpi150_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: ReGet - {38AAF320-C5B4-11D1-B75E-111111111111} - C:\Program Files\ReGet\ReGet.dll (HKCU)
O9 - Extra 'Tools' menuitem: &Re&Get - {38AAF320-C5B4-11D1-B75E-111111111111} - C:\Program Files\ReGet\ReGet.dll (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.co...54/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1126673542734
O16 - DPF: {72D59B9C-1E59-4958-803A-ABDEE2D4CFA6} - http://download.divx...erInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.app.../ITDetector.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AVSync Manager (AvSynMgr) - Unknown owner - C:\Program Files\McAfee\Dr Solomon's Anti-Virus\Avsynmgr.exe (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - C:\Program Files\McAfee.com\VSO\mcshield.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Mcafee.com Corporation - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
  • 0

#7
waxy
Posted 30 November 2005 - 11:41 PM

waxy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
Here's the Ewido log:


---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 9:27:33 PM, 11/30/2005
+ Report-Checksum: 13242830

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{9F95F736-0F62-4214-A4B4-CAA6738D4C07} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{49DB48FF-02B5-4645-B676-94A4DF1AA026} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{49DB48FF-02B5-4645-B676-94A4DF1AA026}\Forward\\ -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6E0ED53C-9908-49ED-B055-7CB31B162577} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{6E0ED53C-9908-49ED-B055-7CB31B162577}\Forward\\ -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{830D3AED-2FA9-454F-B266-D931862BBF34} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{830D3AED-2FA9-454F-B266-D931862BBF34}\Forward\\ -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8C53BD8E-B12D-4C8F-AD0E-C9DDC39D1273} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{8C53BD8E-B12D-4C8F-AD0E-C9DDC39D1273}\TypeLib\\ -> Spyware.VirtualBouncer : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{9BCDD51B-4A7B-446C-8452-D32D38004582} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{9BCDD51B-4A7B-446C-8452-D32D38004582}\Forward\\ -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{A986F4DB-792E-4571-8974-0BB6E024766F} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{A986F4DB-792E-4571-8974-0BB6E024766F}\Forward\\ -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BCCAB53D-0895-40C3-A942-A03538CE227A} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{BCCAB53D-0895-40C3-A942-A03538CE227A}\Forward\\ -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C0F88E9E-DCEB-4655-968A-AE508A677C39} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C0F88E9E-DCEB-4655-968A-AE508A677C39}\Forward\\ -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{C285D18D-43A2-4AEF-83FB-BF280E660A97} -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{D7EAC2D8-2D52-4010-A4AD-DFDF60C1706C} -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\Interface\{D7EAC2D8-2D52-4010-A4AD-DFDF60C1706C}\Forward\\ -> Spyware.SecondThought : Cleaned with backup
HKLM\SOFTWARE\Classes\RunMSC.Loader\CLSID\\ -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\RunMSC.Loader.1\CLSID\\ -> Spyware.SaveNow : Cleaned with backup
HKLM\SOFTWARE\Classes\TypeLib\{5E594162-60A9-487D-84B8-DBDD716CB862} -> Spyware.VirtualBouncer : Cleaned with backup
C:\!KillBox\a.tmp -> Worm.VB.an : Cleaned with backup
C:\!KillBox\a.zip/Setup.exe -> Worm.VB.an : Error during cleaning
C:\!KillBox\BO2802040113.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\!KillBox\BO2804040113.exe -> Spyware.VirtualBouncer : Cleaned with backup
C:\!KillBox\iexplore.exe -> Backdoor.Netsnake.h : Cleaned with backup
C:\!KillBox\index.exe -> Backdoor.Netsnake.h : Cleaned with backup
C:\!KillBox\rgl17.exe/tsad.dll -> Spyware.TimeSink : Error during cleaning
C:\!KillBox\rgl17.exe/TSAdBot.exe -> Spyware.TimeSink : Error during cleaning
C:\!KillBox\rgl17.exe/tsad.dll -> Spyware.TimeSink : Error during cleaning
C:\!KillBox\rgl17.exe/TSAdBot.exe -> Spyware.TimeSink : Error during cleaning
C:\!KillBox\rgl17en[1].exe/tsad.dll -> Spyware.TimeSink : Error during cleaning
C:\!KillBox\rgl17en[1].exe/TSAdBot.exe -> Spyware.TimeSink : Error during cleaning
C:\!KillBox\rgl17en[1].exe/tsad.dll -> Spyware.TimeSink : Error during cleaning
C:\!KillBox\rgl17en[1].exe/TSAdBot.exe -> Spyware.TimeSink : Error during cleaning
C:\!KillBox\SHAgentNew.dll -> Adware.SAHA : Cleaned with backup
C:\!KillBox\winupdates.exe -> Worm.VB.an : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1015\A0117187.dll -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1016\A0118199.dll -> Spyware.WinAD : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1023\A0119532.exe -> Worm.VB.an : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1023\A0119533.exe/tsad.dll -> Spyware.TimeSink : Error during cleaning
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1023\A0119533.exe/TSAdBot.exe -> Spyware.TimeSink : Error during cleaning
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1023\A0119533.exe/tsad.dll -> Spyware.TimeSink : Error during cleaning
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1023\A0119533.exe/TSAdBot.exe -> Spyware.TimeSink : Error during cleaning
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1023\A0119534.dll -> Spyware.BargainBuddy : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1023\A0119535.exe -> Spyware.VirtualBouncer : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1023\A0119537.exe -> Backdoor.Netsnake.h : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1023\A0119538.exe -> Backdoor.Netsnake.h : Cleaned with backup
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP1023\A0119540.dll -> Adware.SAHA : Cleaned with backup


::Report End
  • 0

#8
waxy
Posted 30 November 2005 - 11:43 PM

waxy

    Member

  • Topic Starter
  • Member
  • PipPip
  • 28 posts
And thanks a lot for your help so far, Armodeluxe
  • 0

#9
Armodeluxe
Posted 01 December 2005 - 08:37 AM

Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
Delete this manually:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\winlogin.exe

Now let's reset your restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Please take the following into consideration to maintain a clean computer.

Now you should go get a firewall. Don't rely on the Windows firewall as it monitors only incoming traffic. Pick one of these, they are all free.
Kerio
Zonealarm
Sygate

I'll also recommend you to install a monitoring software which will monitor certain areas on your computer and will place alerts when those are being modified. One such software I'll recommend is Prevx, but it's for advanced users as the messages it displays can be hard to decipher. One other similar but more user friendly software is Winpatrol. Both are free programs.
Winpatrol
Prevx

Visit Windows Update regularly to get the latest security updates.You can also enable automatic updates.Your antivirus software and antispyware programs should also be updated regularly. Make a habit of running scans on a timely basis. Be careful about what you download, scan every file before clicking on it.

Additional programs to consider:

Spywareblaster Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software.Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox.Restricts the actions of potentially unwanted sites in Internet Explorer.
Spywareguard An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware!
IE/Spyad
Adds a list of malicious sites to your Restricted Sites Zone.
Firefox An alternate browser safer than IE

A good article to read:
So how did I get infected in the first place?

Regards,

Armodeluxe
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP