Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Infected: Ballo Trojan! Pls Help... [CLOSED]

Started by syeak , Jul 19 2006 11:43 PM

  • This topic is locked This topic is locked

#1
syeak
Posted 19 July 2006 - 11:43 PM

syeak

    Member

  • Member
  • PipPip
  • 21 posts
I have scanned with Vet Virus, Adware SE Personal, and Spybot. Yet my Vet Virus keeps on decting this Trojan every time I restart. It's called Ballo Trojan. I may have other trojans, but please help me to get rid of this problem. The log results from Hijack this are as shown:

Logfile of HijackThis v1.99.1
Scan saved at 1:37:05 PM, on 20/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ieredir.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Vet\isafe.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\WINDOWS\system32\svchost.exe
C:\Vet\VetMsg.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\yeak.YEAKY\Desktop\Virus stuff\HijackThis.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IE Redir] C:\WINDOWS\ieredir.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe


Please advise me on what to remove. Thank you.
  • 0

Advertisements

#2
Shaba
Posted 20 July 2006 - 04:11 AM

Shaba

    Malware Expert

  • Member
  • PipPipPip
  • 558 posts
  • MVP
Hi syeak

Kill these processes using Task Manager (press ctrl+alt+del, select Processes-tab, highlight these one at a time and click End Process):

ieredir.exe

Open HijackThis, click do a system scan only and checkmark these:

R3 - Default URLSearchHook is missing
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IE Redir] C:\WINDOWS\ieredir.exe

Close all windows including browser and press fix checked.

Boot in safe mode -> http://www.pchell.co.../safemode.shtml

When you are in safe mode, delete this file:

C:\WINDOWS\ieredir.exe

Reboot

Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:

    o Scan using the following Anti-Virus database:

    + Extended (If available otherwise Standard)

    o Scan Options:

    + Scan Archives
    + Scan Mail Bases

  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Send:

- a fresh HijackThis log
- kaspersky report
  • 0

#3
syeak
Posted 20 July 2006 - 08:33 AM

syeak

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Hi,

Thank you for helping me thus far. I have done the Kaspersky online scan, and also have a a fresh Hijack log below. But, I think I have more than one trojan, because my vet virus has encountered another trojan called Multidropper.Q.trojan in the system volume information. I hope you can advise me on what to do...

Logfile of HijackThis v1.99.1
Scan saved at 10:30:12 PM, on 20/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Vet\isafe.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\WINDOWS\system32\svchost.exe
C:\Vet\VetMsg.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\yeak.YEAKY\Desktop\Virus stuff\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, July 20, 2006 10:27:56 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 20/07/2006
Kaspersky Anti-Virus database records: 208677
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
G:\

Scan Statistics:
Total number of scanned objects: 51116
Number of viruses found: 30
Number of infected objects: 77
Number of suspicious objects: 4
Duration of the scan process: 01:03:23

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DloaderAgentWN.zip/crackmasters.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DloaderAgentWN.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DownloaderTsupdateL5.zip/svchostsys.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DownloaderTsupdateL5.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\LogMeIn.exe/data.rar/LogMeIn.msi/data.cab/ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\LogMeIn.exe/data.rar/LogMeIn.msi/data.cab Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\LogMeIn.exe/data.rar/LogMeIn.msi Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\LogMeIn.exe/data.rar Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\LogMeIn.exe RarSFX: infected - 4 skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\Misc\Copy of My shared folder\outlook\outlook.pst/Personal Folders/Deleted Items/18 Apr 2004 07:41 from [email protected]_DOMAIN:Undeliverab.eml/[From [email protected]][Date Sun, 18 Apr 2004 15:40:12 +0800]/UNNAMED/document_all02c.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\Misc\Copy of My shared folder\outlook\outlook.pst/Personal Folders/Deleted Items/18 Apr 2004 07:41 from [email protected]_DOMAIN:Undeliverab.eml/[From [email protected]][Date Sun, 18 Apr 2004 15:40:12 +0800]/UNNAMED/document_all02c.zip Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\Misc\Copy of My shared folder\outlook\outlook.pst/Personal Folders/Deleted Items/18 Apr 2004 07:41 from [email protected]_DOMAIN:Undeliverab.eml/[From [email protected]][Date Sun, 18 Apr 2004 15:40:12 +0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\Misc\Copy of My shared folder\outlook\outlook.pst/Personal Folders/Deleted Items/18 Apr 2004 07:41 from [email protected]_DOMAIN:Undeliverab.eml Infected: Email-Worm.Win32.NetSky.q skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\Misc\Copy of My shared folder\outlook\outlook.pst/Personal Folders/Inbox/11 Jun 2003 12:12 from melissa lau:Fwd: Try It. Nice!/10 Jun 2003 17:16 from Jack Cheng:Try It. Nice!/milk_.zip/milk_.exe Infected: Trojan.Win32.VB.ky skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\Misc\Copy of My shared folder\outlook\outlook.pst/Personal Folders/Inbox/11 Jun 2003 12:12 from melissa lau:Fwd: Try It. Nice!/10 Jun 2003 17:16 from Jack Cheng:Try It. Nice!/milk_.zip Infected: Trojan.Win32.VB.ky skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\Misc\Copy of My shared folder\outlook\outlook.pst Mail MS Mail: infected - 6 skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Temp\i5.tmp Infected: not-a-virus:AdWare.Win32.SurfSide.j skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Temp\i9.tmp Infected: not-a-virus:AdWare.Win32.SurfSide.j skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Temp\temp.frE316 Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\Documents and Settings\yeak.YEAKY\My Documents\Han Stuff\Dope Wars.exe/WISE0060.BIN Infected: not-a-virus:AdWare.Win32.Gator.3013 skipped
C:\Documents and Settings\yeak.YEAKY\My Documents\Han Stuff\Dope Wars.exe WiseSFX: infected - 1 skipped
C:\Installation Programs\kpe12.exe/data0005 Infected: not-a-virus:AdWare.Win32.SaveNow.bx skipped
C:\Installation Programs\kpe12.exe NSIS: infected - 1 skipped
C:\Program Files\LogMeIn\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Program Files\LogMeIn\LogMeIn.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Program Files\LogMeIn\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Program Files\LogMeIn\update\2-30-545.bak\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll Infected: not-a-virus:AdWare.Win32.MyWebSearch.o skipped
C:\RECYCLER\S-1-5-21-1275210071-920026266-839522115-1003\Dc7\outlook.pst/Personal Folders/Deleted Items/18 Apr 2004 07:41 from [email protected]_DOMAIN:Undeliverab.eml/[From [email protected]][Date Sun, 18 Apr 2004 15:40:12 +0800]/UNNAMED/document_all02c.zip/document.txt .exe Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-1275210071-920026266-839522115-1003\Dc7\outlook.pst/Personal Folders/Deleted Items/18 Apr 2004 07:41 from [email protected]_DOMAIN:Undeliverab.eml/[From [email protected]][Date Sun, 18 Apr 2004 15:40:12 +0800]/UNNAMED/document_all02c.zip Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-1275210071-920026266-839522115-1003\Dc7\outlook.pst/Personal Folders/Deleted Items/18 Apr 2004 07:41 from [email protected]_DOMAIN:Undeliverab.eml/[From [email protected]][Date Sun, 18 Apr 2004 15:40:12 +0800]/UNNAMED Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-1275210071-920026266-839522115-1003\Dc7\outlook.pst/Personal Folders/Deleted Items/18 Apr 2004 07:41 from [email protected]_DOMAIN:Undeliverab.eml Infected: Email-Worm.Win32.NetSky.q skipped
C:\RECYCLER\S-1-5-21-1275210071-920026266-839522115-1003\Dc7\outlook.pst/Personal Folders/Inbox/11 Jun 2003 12:12 from melissa lau:Fwd: Try It. Nice!/10 Jun 2003 17:16 from Jack Cheng:Try It. Nice!/milk_.zip/milk_.exe Infected: Trojan.Win32.VB.ky skipped
C:\RECYCLER\S-1-5-21-1275210071-920026266-839522115-1003\Dc7\outlook.pst/Personal Folders/Inbox/11 Jun 2003 12:12 from melissa lau:Fwd: Try It. Nice!/10 Jun 2003 17:16 from Jack Cheng:Try It. Nice!/milk_.zip Infected: Trojan.Win32.VB.ky skipped
C:\RECYCLER\S-1-5-21-1275210071-920026266-839522115-1003\Dc7\outlook.pst Mail MS Mail: infected - 6 skipped
C:\System Volume Information\_restore{4B00A451-6FD7-4282-B7E5-F2E39AF7D81C}\RP205\A0162237.exe Infected: not-a-virus:AdWare.Win32.ClearSearch.aj skipped
C:\System Volume Information\_restore{4B00A451-6FD7-4282-B7E5-F2E39AF7D81C}\RP205\A0162239.dll Infected: not-a-virus:AdWare.Win32.ClearSearch.z skipped
C:\System Volume Information\_restore{4B00A451-6FD7-4282-B7E5-F2E39AF7D81C}\RP205\A0162240.exe Infected: not-a-virus:AdWare.Win32.ClearSearch.ac skipped
C:\System Volume Information\_restore{4B00A451-6FD7-4282-B7E5-F2E39AF7D81C}\RP205\A0162245.DLL Infected: not-a-virus:AdWare.Win32.ClearSearch.ag skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027379.exe Infected: Trojan-Downloader.Win32.IstBar.hv skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027392.exe Infected: not-a-virus:AdWare.Win32.EliteBar.ac skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027393.exe Infected: not-a-virus:AdWare.Win32.EliteBar.q skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027825.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.180Solutions skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027825.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.F1Organizer.h skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027825.exe/WISE0018.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027825.exe/WISE0018.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027825.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027825.exe/WISE0019.BIN Infected: Backdoor.Win32.Ruledor.c skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027825.exe WiseSFX: infected - 6 skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027846.EXE Infected: not-a-virus:AdWare.Win32.MyWay.z skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027855.EXE Infected: not-a-virus:AdWare.Win32.MyWay.z skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027858.exe/WISE0060.BIN Infected: not-a-virus:AdWare.Win32.Gator.3013 skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027858.exe WiseSFX: infected - 1 skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0028304.exe/data0005 Infected: not-a-virus:AdWare.Win32.SaveNow.bx skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0028304.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0028793.exe Infected: not-a-virus:AdWare.Win32.ClearSearch.aj skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0028799.DLL Infected: not-a-virus:AdWare.Win32.ClearSearch.ag skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0028801.dll Infected: not-a-virus:AdWare.Win32.ClearSearch.z skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0028802.exe Infected: not-a-virus:AdWare.Win32.ClearSearch.ac skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0031516.exe Infected: not-a-virus:AdWare.Win32.F1Organizer.h skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033624.dll/data0001 Infected: Trojan-Downloader.Win32.IstBar.iu skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033624.dll/data0003 Infected: Trojan-Downloader.Win32.IstBar.nn skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033624.dll NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033624.dll Exe2Dll: infected - 2 skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033624.dll UPX: infected - 2 skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033625.exe/data0001 Infected: Trojan-Downloader.Win32.IstBar.iu skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033625.exe/data0003 Infected: Trojan-Downloader.Win32.IstBar.nn skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033625.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP447\A0203385.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP447\A0203386.DLL Infected: not-a-virus:AdWare.Win32.MySearch.e skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP447\A0203387.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.o skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP448\A0204417.exe Infected: Trojan-Downloader.MSIL.Agent.a skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP448\A0204418.exe Infected: Trojan.Win32.Zapchast.bl skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP448\A0204421.exe/data0004 Infected: Trojan-Downloader.MSIL.Agent.a skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP448\A0204421.exe/data0010 Infected: Trojan.Win32.Zapchast.bl skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP448\A0204421.exe/data0011/data0006 Infected: Trojan-Dropper.Win32.VB.mz skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP448\A0204421.exe/data0011 Infected: Trojan-Dropper.Win32.VB.mz skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP448\A0204421.exe NSIS: infected - 4 skipped
C:\WINDOWS\proxy_inst.exe Infected: Trojan.Win32.EliteBar.a skipped
C:\WINDOWS\system32\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\WINDOWS\system32\service\explorer.exe Infected: Trojan-Spy.Win32.Agent.mx skipped

Scan process completed.


Thanks again... Please help me.
  • 0

#4
Shaba
Posted 20 July 2006 - 08:47 AM

Shaba

    Malware Expert

  • Member
  • PipPipPip
  • 558 posts
  • MVP
Hi

Looking better

We'll take care of system volume information (system restore) after your computer is clean :whistling:

Open Outlook, log in your account and go to inbox.

Delete this mail dated as below:

11 Jun 2003 12:12

Also empty Deleted items folder.

Please download ATF Cleaner by Atribune and save
it to desktop. Don't use it yet.

Boot in safe mode -> http://www.pchell.co.../safemode.shtml

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit to close ATF-Cleaner.

Delete these files/folders:

C:\Documents and Settings\yeak.YEAKY\My Documents\Han Stuff\Dope Wars.exe
C:\Installation Programs\kpe12.exe
C:\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll
C:\WINDOWS\proxy_inst.exe
C:\WINDOWS\system32\service


Empty Recycle Bin.

Reboot

Re-scan with kaspersky.

Send:

- a fresh HijackThis log
- kaspersky report
  • 0

#5
syeak
Posted 20 July 2006 - 09:05 AM

syeak

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Hi,

I went into Outlook (i dont actually use it) and I did not need to log in. However, I didnt see any mail in he inbox. I went into Outlook express and there was, so I got rid of the one email there. The date was not the same as the one you put down... Should I still go on as usual?

Thanks so much
  • 0

#6
Shaba
Posted 20 July 2006 - 09:09 AM

Shaba

    Malware Expert

  • Member
  • PipPipPip
  • 558 posts
  • MVP
Hi

Ok, then just delete this file.

C:\Documents and Settings\yeak.YEAKY\Desktop\Misc\Copy of My shared folder\outlook\outlook.pst

Don't delete it if there's something valuable for you. It's some kind of backup of outlook account, I guess.

After that, just follow my previous instructions.

Edited by Shaba, 20 July 2006 - 09:10 AM.

  • 0

#7
syeak
Posted 20 July 2006 - 10:45 AM

syeak

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Hi,

Thanks, and here's the fresh list: (the system restore is owning in the virus department!)

Logfile of HijackThis v1.99.1
Scan saved at 12:41:11 AM, on 21/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Vet\isafe.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\WINDOWS\system32\svchost.exe
C:\Vet\VetMsg.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Documents and Settings\yeak.YEAKY\Desktop\Virus stuff\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Friday, July 21, 2006 12:37:11 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 20/07/2006
Kaspersky Anti-Virus database records: 208734
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
G:\

Scan Statistics:
Total number of scanned objects: 49271
Number of viruses found: 26
Number of infected objects: 58
Number of suspicious objects: 4
Duration of the scan process: 00:54:07

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DloaderAgentWN.zip/crackmasters.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DloaderAgentWN.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DownloaderTsupdateL5.zip/svchostsys.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DownloaderTsupdateL5.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\LogMeIn.exe/data.rar/LogMeIn.msi/data.cab/ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\LogMeIn.exe/data.rar/LogMeIn.msi/data.cab Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\LogMeIn.exe/data.rar/LogMeIn.msi Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\LogMeIn.exe/data.rar Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\LogMeIn.exe RarSFX: infected - 4 skipped
C:\Program Files\LogMeIn\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Program Files\LogMeIn\LogMeIn.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Program Files\LogMeIn\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Program Files\LogMeIn\update\2-30-545.bak\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\System Volume Information\_restore{4B00A451-6FD7-4282-B7E5-F2E39AF7D81C}\RP205\A0162237.exe Infected: not-a-virus:AdWare.Win32.ClearSearch.aj skipped
C:\System Volume Information\_restore{4B00A451-6FD7-4282-B7E5-F2E39AF7D81C}\RP205\A0162239.dll Infected: not-a-virus:AdWare.Win32.ClearSearch.z skipped
C:\System Volume Information\_restore{4B00A451-6FD7-4282-B7E5-F2E39AF7D81C}\RP205\A0162240.exe Infected: not-a-virus:AdWare.Win32.ClearSearch.ac skipped
C:\System Volume Information\_restore{4B00A451-6FD7-4282-B7E5-F2E39AF7D81C}\RP205\A0162245.DLL Infected: not-a-virus:AdWare.Win32.ClearSearch.ag skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027379.exe Infected: Trojan-Downloader.Win32.IstBar.hv skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027392.exe Infected: not-a-virus:AdWare.Win32.EliteBar.ac skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027393.exe Infected: not-a-virus:AdWare.Win32.EliteBar.q skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027825.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.180Solutions skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027825.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.F1Organizer.h skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027825.exe/WISE0018.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027825.exe/WISE0018.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027825.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027825.exe/WISE0019.BIN Infected: Backdoor.Win32.Ruledor.c skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027825.exe WiseSFX: infected - 6 skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027846.EXE Infected: not-a-virus:AdWare.Win32.MyWay.z skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027855.EXE Infected: not-a-virus:AdWare.Win32.MyWay.z skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027858.exe/WISE0060.BIN Infected: not-a-virus:AdWare.Win32.Gator.3013 skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027858.exe WiseSFX: infected - 1 skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0028304.exe/data0005 Infected: not-a-virus:AdWare.Win32.SaveNow.bx skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0028304.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0028793.exe Infected: not-a-virus:AdWare.Win32.ClearSearch.aj skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0028799.DLL Infected: not-a-virus:AdWare.Win32.ClearSearch.ag skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0028801.dll Infected: not-a-virus:AdWare.Win32.ClearSearch.z skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0028802.exe Infected: not-a-virus:AdWare.Win32.ClearSearch.ac skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0031516.exe Infected: not-a-virus:AdWare.Win32.F1Organizer.h skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033624.dll/data0001 Infected: Trojan-Downloader.Win32.IstBar.iu skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033624.dll/data0003 Infected: Trojan-Downloader.Win32.IstBar.nn skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033624.dll NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033624.dll Exe2Dll: infected - 2 skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033624.dll UPX: infected - 2 skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033625.exe/data0001 Infected: Trojan-Downloader.Win32.IstBar.iu skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033625.exe/data0003 Infected: Trojan-Downloader.Win32.IstBar.nn skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033625.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP447\A0203385.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP447\A0203386.DLL Infected: not-a-virus:AdWare.Win32.MySearch.e skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP447\A0203387.DLL Infected: not-a-virus:AdWare.Win32.MyWebSearch.o skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP448\A0204417.exe Infected: Trojan-Downloader.MSIL.Agent.a skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP448\A0204418.exe Infected: Trojan.Win32.Zapchast.bl skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP448\A0204421.exe/data0004 Infected: Trojan-Downloader.MSIL.Agent.a skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP448\A0204421.exe/data0010 Infected: Trojan.Win32.Zapchast.bl skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP448\A0204421.exe/data0011/data0006 Infected: Trojan-Dropper.Win32.VB.mz skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP448\A0204421.exe/data0011 Infected: Trojan-Dropper.Win32.VB.mz skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP448\A0204421.exe NSIS: infected - 4 skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP448\A0204504.exe Infected: Trojan-Spy.Win32.Agent.mx skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP448\A0204507.exe/data0005 Infected: not-a-virus:AdWare.Win32.SaveNow.bx skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP448\A0204507.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP448\A0204508.dll Infected: not-a-virus:AdWare.Win32.MyWebSearch.o skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP448\A0204509.exe Infected: Trojan.Win32.EliteBar.a skipped
C:\WINDOWS\system32\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped

Scan process completed.


You've been working here since the 10th! Crazy! Thanks for your help! Where do I go from here?
  • 0

#8
Shaba
Posted 20 July 2006 - 11:17 AM

Shaba

    Malware Expert

  • Member
  • PipPipPip
  • 558 posts
  • MVP
Hi

Logs look good. You have viruses but they´re on system restore which can be easily cleaned according to instructions I give you.

Do you still have any problems?
  • 0

#9
syeak
Posted 20 July 2006 - 11:26 AM

syeak

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Hi Shaba,

Thanks so much! By the way, which instructions were there on the system restore that you gave me exactly? Was it the programs that I used? Also upload speed and download speeds ar terrible, but I'm not sure if that is for here... I ran the Dan Elwell's Broadband test and got crappy results. Anyway, how do I kill of the system restore viruses? You rule! Thanks!
  • 0

#10
Shaba
Posted 20 July 2006 - 11:29 AM

Shaba

    Malware Expert

  • Member
  • PipPipPip
  • 558 posts
  • MVP
Hi syeak

No, I mean instructions that I now give you :whistling: See Windows XP System Restore Guide below.

As for upload/download speed, it may be ISP or modem issue.

You're clean :blink:

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.

    You can find instructions on how to enable and reenable system restore here:

    Windows XP System Restore Guide
Reenable system restore with instructions from tutorial above
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
  • From within Internet Explorer click on the Tools menu and then click on Options.
  • Click once on the Security tab
  • Click once on the Internet icon so it becomes highlighted.
  • Click once on the Custom Level button.
  • Change the Download signed ActiveX controls to Prompt
  • Change the Download unsigned ActiveX controls to Disable
  • Change the Initialize and script ActiveX controls not marked as safe to Disable
  • Change the Installation of desktop items to Prompt
  • Change the Launching programs and files in an IFRAME to Prompt
  • Change the Navigate sub-frames across different domains to Prompt
  • When all these settings have been made, click on the OK button.
  • If it prompts you as to whether or not you want to save the settings, press the Yes button.
  • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

See this link for a listing of some online & their stand-alone antivirus programs:

Virus, Spyware, and Malware Protection and Removal Resources

  • Update your AntiVirus Software - It is imperitive that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.

  • Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is succeptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.

    For a tutorial on Firewalls and a listing of some available ones see the link below:

    Understanding and Using Firewalls

  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  • Install Ad-Aware - Install and download Ad-Aware. ou should also scan your computer with program on a regular basis just as you would an antivirus software in conjunction with Spybot.

    A tutorial on installing & using this product can be found here:

    Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer

  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.

    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:

    Instructions for - Spybot S & D and Ad-aware

  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs.

    A tutorial on installing & using this product can be found here:

    Using SpywareBlaster to protect your computer from Spyware and Malware

  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety
  • IE/Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
  • MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well know ad sites etc. Basically, this prevents your coputer from connecting to those sites by redirecting them to 127.0.0.1 which is your local computer
  • Google Toolbar <= Get the free google toolbar to help stop pop up windows.
  • Winpatrol <= Download and install the free version of Winpatrol. a tutorial for this product is located here:
    Using Winpatrol to protect your computer from malicious software
Stand Up and Be Counted ---> Malware Complaints <--- where you can make difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place

Happy surfing and stay clean!
  • 0

Advertisements

#11
syeak
Posted 21 July 2006 - 05:26 AM

syeak

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Hi Shaba,

Things are running more smoothly now, but I did another scan with Kaspersky online after I disabled and enabled the system restore. I seem to still have infections in there, in which I thought they would be gone after re-enabling the system restore. Can you please take a look at this... (A downloader Trojan is in there as well...)

Logfile of HijackThis v1.99.1
Scan saved at 7:22:48 PM, on 21/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Vet\isafe.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\WINDOWS\system32\svchost.exe
C:\Vet\VetMsg.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\yeak.YEAKY\Desktop\Virus stuff\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, July 21, 2006 7:21:29 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 21/07/2006
Kaspersky Anti-Virus database records: 208951
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
G:\

Scan Statistics:
Total number of scanned objects: 49746
Number of viruses found: 19
Number of infected objects: 45 / 0
Number of suspicious objects: 4
Duration of the scan process: 01:29:59

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DloaderAgentWN.zip/crackmasters.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DloaderAgentWN.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DownloaderTsupdateL5.zip/svchostsys.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DownloaderTsupdateL5.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\LogMeIn.exe/data.rar/LogMeIn.msi/data.cab/ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\LogMeIn.exe/data.rar/LogMeIn.msi/data.cab Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\LogMeIn.exe/data.rar/LogMeIn.msi Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\LogMeIn.exe/data.rar Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\LogMeIn.exe RarSFX: infected - 4 skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\infected.dat Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Logs\Dfsr.log Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_60E8_D6EA_E8D6_BD8A\dfsr.db Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_60E8_D6EA_E8D6_BD8A\fsr.log Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_60E8_D6EA_E8D6_BD8A\fsrtmp.log Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_60E8_D6EA_E8D6_BD8A\tmp.edb Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\shadow\e86d31d3-e172-458a-903d-60a81e05a9d0.WindowsLiveContact Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\real\members.stg Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\shadow\members.stg Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Mozilla\Firefox\Profiles\z4we4y9s.default\Cache\7B83016Fd01 Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\History\History.IE5\MSHist012006072120060722\index.dat Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Temp\~DF6B10.tmp Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Temp\~DF6C1A.tmp Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Temp\~DFBCD5.tmp Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Temp\~DFBCFE.tmp Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Temporary Internet Files\Content.IE5\13DW9IW8\spacerx[1].gif Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Temporary Internet Files\Content.IE5\A1385O3I\down[9].htm Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Temporary Internet Files\Content.IE5\A1385O3I\r[1].js Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Temporary Internet Files\Content.IE5\ALNARRH2\down[17].htm Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Temporary Internet Files\Content.IE5\ALNARRH2\down[20].htm Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Temporary Internet Files\Content.IE5\ALNARRH2\onepage_lp_inf_09[1].gif Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Temporary Internet Files\Content.IE5\LWG79DG9\icon_mail[1].gif Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Temporary Internet Files\Content.IE5\LWG79DG9\search[1].gif Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Temporary Internet Files\Content.IE5\OEUQ32TD\down[18].htm Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Temporary Internet Files\Content.IE5\S1UV45AF\down[1].htm Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Temporary Internet Files\Content.IE5\STA3G9QF\down[10].htm Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\My Documents\Han Stuff\CA Foundations [bleep]\SoloMike\owl52t.dll Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\My Documents\Han Stuff\CA Foundations [bleep]\SoloMike\vpDATA.dll Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\My Documents\Han Stuff\CA Foundations [bleep]\SoloMike\vpDIALOG.dll Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\My Documents\Image Transfer\'03_09_17_01\DCIM\101MSDCF\DSC01353.JPG Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\My Documents\Image Transfer\'04_09_22_01\DCIM\101MSDCF\DSC02586.JPG Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\My Documents\Image Transfer\'04_09_22_02\SONYCOPY.IND Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\My Documents\My Pictures\pups\101_0197.JPG Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\My Documents\Super Saiyaijin Yang\2006\2 - February 2006 Malaysia - Singapore Trip\CIMG0147.avi Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\LogMeIn\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Program Files\LogMeIn\LogMeIn.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Program Files\LogMeIn\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Program Files\LogMeIn\update\2-30-545.bak\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{4B00A451-6FD7-4282-B7E5-F2E39AF7D81C}\RP205\A0162237.exe Infected: not-a-virus:AdWare.Win32.ClearSearch.aj skipped
C:\System Volume Information\_restore{4B00A451-6FD7-4282-B7E5-F2E39AF7D81C}\RP205\A0162239.dll Infected: not-a-virus:AdWare.Win32.ClearSearch.z skipped
C:\System Volume Information\_restore{4B00A451-6FD7-4282-B7E5-F2E39AF7D81C}\RP205\A0162240.exe Infected: not-a-virus:AdWare.Win32.ClearSearch.ac skipped
C:\System Volume Information\_restore{4B00A451-6FD7-4282-B7E5-F2E39AF7D81C}\RP205\A0162245.DLL Infected: not-a-virus:AdWare.Win32.ClearSearch.ag skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027379.exe Infected: Trojan-Downloader.Win32.IstBar.hv skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027392.exe Infected: not-a-virus:AdWare.Win32.EliteBar.ac skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027393.exe Infected: not-a-virus:AdWare.Win32.EliteBar.q skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027825.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.180Solutions skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027825.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.F1Organizer.h skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027825.exe/WISE0018.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027825.exe/WISE0018.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027825.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027825.exe/WISE0019.BIN Infected: Backdoor.Win32.Ruledor.c skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027825.exe WiseSFX: infected - 6 skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027846.EXE Infected: not-a-virus:AdWare.Win32.MyWay.z skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027855.EXE Infected: not-a-virus:AdWare.Win32.MyWay.z skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027858.exe/WISE0060.BIN Infected: not-a-virus:AdWare.Win32.Gator.3013 skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027858.exe WiseSFX: infected - 1 skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0028304.exe/data0005 Infected: not-a-virus:AdWare.Win32.SaveNow.bx skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0028304.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0028793.exe Infected: not-a-virus:AdWare.Win32.ClearSearch.aj skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0028799.DLL Infected: not-a-virus:AdWare.Win32.ClearSearch.ag skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0028801.dll Infected: not-a-virus:AdWare.Win32.ClearSearch.z skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0028802.exe Infected: not-a-virus:AdWare.Win32.ClearSearch.ac skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0031516.exe Infected: not-a-virus:AdWare.Win32.F1Organizer.h skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033624.dll/data0001 Infected: Trojan-Downloader.Win32.IstBar.iu skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033624.dll/data0003 Infected: Trojan-Downloader.Win32.IstBar.nn skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033624.dll NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033624.dll Exe2Dll: infected - 2 skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033624.dll UPX: infected - 2 skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033625.exe/data0001 Infected: Trojan-Downloader.Win32.IstBar.iu skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033625.exe/data0003 Infected: Trojan-Downloader.Win32.IstBar.nn skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033625.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP450\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\hosts.sam Infected: Trojan.Win32.Qhost.hl skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\etc\hosts.20060719-174238.backup Infected: Trojan.Win32.Qhost.hl skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Please advise me on what to do. Thanks a lot for your help so far because my uploading and downloading seems to be faster on msn now! Cheers!
  • 0

#12
Shaba
Posted 21 July 2006 - 09:46 AM

Shaba

    Malware Expert

  • Member
  • PipPipPip
  • 558 posts
  • MVP
Hi syeak

Did you reboot between disabling and enabling system restore? That's required in order to empty it.

Boot in safe mode

Delete these:

C:\WINDOWS\hosts.sam
C:\WINDOWS\system32\drivers\etc\hosts.20060719-174238.backup

Reboot

Download Hoster and unzip it to your desktop.

Open Hoster that you earlier unzipped on your desktop
  • Click "Make Hosts Writable?" upper right corner (if available)
  • Click "Restore Microsoft's Original Hosts File" and then click OK
  • Close Hoster
Note; IF you used any custom Hosts (eg. MVPS Hosts), you will have put them back manually

Re-scan with kaspersky

Send:

- a fresh HijackThis log
- kaspersky report
  • 0

#13
syeak
Posted 22 July 2006 - 09:23 AM

syeak

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Hi Shaba,

It's all here: (I rebooted between but the viruses are still there...)

Logfile of HijackThis v1.99.1
Scan saved at 11:18:04 PM, on 22/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Vet\isafe.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\WINDOWS\system32\svchost.exe
C:\Vet\VetMsg.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Documents and Settings\yeak.YEAKY\Desktop\Virus stuff\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, July 22, 2006 11:15:22 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 22/07/2006
Kaspersky Anti-Virus database records: 209187
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
G:\

Scan Statistics:
Total number of scanned objects: 50073
Number of viruses found: 18
Number of infected objects: 43 / 0
Number of suspicious objects: 4
Duration of the scan process: 00:59:36

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DloaderAgentWN.zip/crackmasters.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DloaderAgentWN.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DownloaderTsupdateL5.zip/svchostsys.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DownloaderTsupdateL5.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\LogMeIn.exe/data.rar/LogMeIn.msi/data.cab/ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\LogMeIn.exe/data.rar/LogMeIn.msi/data.cab Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\LogMeIn.exe/data.rar/LogMeIn.msi Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\LogMeIn.exe/data.rar Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\LogMeIn.exe RarSFX: infected - 4 skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\infected.dat Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Logs\Dfsr.log Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_60E8_D6EA_E8D6_BD8A\dfsr.db Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_60E8_D6EA_E8D6_BD8A\fsr.log Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_60E8_D6EA_E8D6_BD8A\fsrtmp.log Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_60E8_D6EA_E8D6_BD8A\tmp.edb Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\real\members.stg Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\shadow\members.stg Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\History\History.IE5\MSHist012006072220060723\index.dat Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Temp\~DF5769.tmp Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Temp\~DF5B32.tmp Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Temp\~DFA3CA.tmp Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Temp\~DFA42B.tmp Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\LogMeIn\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Program Files\LogMeIn\LogMeIn.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Program Files\LogMeIn\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Program Files\LogMeIn\update\2-30-545.bak\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{4B00A451-6FD7-4282-B7E5-F2E39AF7D81C}\RP205\A0162237.exe Infected: not-a-virus:AdWare.Win32.ClearSearch.aj skipped
C:\System Volume Information\_restore{4B00A451-6FD7-4282-B7E5-F2E39AF7D81C}\RP205\A0162239.dll Infected: not-a-virus:AdWare.Win32.ClearSearch.z skipped
C:\System Volume Information\_restore{4B00A451-6FD7-4282-B7E5-F2E39AF7D81C}\RP205\A0162240.exe Infected: not-a-virus:AdWare.Win32.ClearSearch.ac skipped
C:\System Volume Information\_restore{4B00A451-6FD7-4282-B7E5-F2E39AF7D81C}\RP205\A0162245.DLL Infected: not-a-virus:AdWare.Win32.ClearSearch.ag skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027379.exe Infected: Trojan-Downloader.Win32.IstBar.hv skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027392.exe Infected: not-a-virus:AdWare.Win32.EliteBar.ac skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027393.exe Infected: not-a-virus:AdWare.Win32.EliteBar.q skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027825.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.180Solutions skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027825.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.F1Organizer.h skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027825.exe/WISE0018.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027825.exe/WISE0018.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027825.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027825.exe/WISE0019.BIN Infected: Backdoor.Win32.Ruledor.c skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027825.exe WiseSFX: infected - 6 skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027846.EXE Infected: not-a-virus:AdWare.Win32.MyWay.z skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027855.EXE Infected: not-a-virus:AdWare.Win32.MyWay.z skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027858.exe/WISE0060.BIN Infected: not-a-virus:AdWare.Win32.Gator.3013 skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027858.exe WiseSFX: infected - 1 skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0028304.exe/data0005 Infected: not-a-virus:AdWare.Win32.SaveNow.bx skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0028304.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0028793.exe Infected: not-a-virus:AdWare.Win32.ClearSearch.aj skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0028799.DLL Infected: not-a-virus:AdWare.Win32.ClearSearch.ag skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0028801.dll Infected: not-a-virus:AdWare.Win32.ClearSearch.z skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0028802.exe Infected: not-a-virus:AdWare.Win32.ClearSearch.ac skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0031516.exe Infected: not-a-virus:AdWare.Win32.F1Organizer.h skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033624.dll/data0001 Infected: Trojan-Downloader.Win32.IstBar.iu skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033624.dll/data0003 Infected: Trojan-Downloader.Win32.IstBar.nn skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033624.dll NSIS: infected - 2 skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033624.dll Exe2Dll: infected - 2 skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033624.dll UPX: infected - 2 skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033625.exe/data0001 Infected: Trojan-Downloader.Win32.IstBar.iu skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033625.exe/data0003 Infected: Trojan-Downloader.Win32.IstBar.nn skipped
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033625.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
  • 0

#14
Shaba
Posted 23 July 2006 - 03:14 AM

Shaba

    Malware Expert

  • Member
  • PipPipPip
  • 558 posts
  • MVP
Ok, let's try to manually delete those:

Please download the Killbox.

Unzip it to the desktop.

Please run killbox

Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\System Volume Information\_restore{4B00A451-6FD7-4282-B7E5-F2E39AF7D81C}\RP205\A0162237.exe
C:\System Volume Information\_restore{4B00A451-6FD7-4282-B7E5-F2E39AF7D81C}\RP205\A0162239.dll
C:\System Volume Information\_restore{4B00A451-6FD7-4282-B7E5-F2E39AF7D81C}\RP205\A0162240.exe
C:\System Volume Information\_restore{4B00A451-6FD7-4282-B7E5-F2E39AF7D81C}\RP205\A0162245.DLL
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027379.exe
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027392.exe
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027393.exe
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027825.exe
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027846.EXE
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027855.EXE
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0027858.exe
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0028304.exe
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0028793.exe
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0028799.DLL
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0028801.dll
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0028802.exe
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0031516.exe
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033624.dll
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033624.dll
C:\System Volume Information\_restore{8B9DCABC-642D-47B8-8301-563EA8650419}\RP50\A0033625.exe

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..

If your computer does not restart automatically, please restart it manually.

Empty this folder -> C:\!Killbox

Re-scan with kaspersky.

Send:

- a fresh HijackThis log
- kaspersky report
  • 0

#15
syeak
Posted 23 July 2006 - 08:46 AM

syeak

    Member

  • Topic Starter
  • Member
  • PipPip
  • 21 posts
Still there! ARRGGGG!!! I deleted all of them and emptied the folder after restarting. Am I suppose to empty it out in safe mode?

Logfile of HijackThis v1.99.1
Scan saved at 10:43:08 PM, on 23/07/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Vet\isafe.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\LogMeIn\RaMaint.exe
C:\Program Files\LogMeIn\LogMeIn.exe
C:\WINDOWS\system32\svchost.exe
C:\Vet\VetMsg.exe
C:\Program Files\LogMeIn\LogMeInSystray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\Documents and Settings\yeak.YEAKY\Desktop\Virus stuff\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logme...trl.cab?lmi=100
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: LMIinit - C:\WINDOWS\SYSTEM32\LMIinit.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\Vet\isafe.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\LogMeIn.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Vet\VetMsg.exe

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, July 23, 2006 10:34:24 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 23/07/2006
Kaspersky Anti-Virus database records: 209368
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
G:\

Scan Statistics:
Total number of scanned objects: 50294
Number of viruses found: 18
Number of infected objects: 43 / 0
Number of suspicious objects: 4
Duration of the scan process: 01:14:29

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DloaderAgentWN.zip/crackmasters.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DloaderAgentWN.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DownloaderTsupdateL5.zip/svchostsys.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\DownloaderTsupdateL5.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Application Data\Mozilla\Firefox\Profiles\z4we4y9s.default\cert8.db Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Application Data\Mozilla\Firefox\Profiles\z4we4y9s.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Application Data\Mozilla\Firefox\Profiles\z4we4y9s.default\history.dat Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Application Data\Mozilla\Firefox\Profiles\z4we4y9s.default\key3.db Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Application Data\Mozilla\Firefox\Profiles\z4we4y9s.default\parent.lock Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\LogMeIn.exe/data.rar/LogMeIn.msi/data.cab/ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\LogMeIn.exe/data.rar/LogMeIn.msi/data.cab Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\LogMeIn.exe/data.rar/LogMeIn.msi Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\LogMeIn.exe/data.rar Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Documents and Settings\yeak.YEAKY\Desktop\LogMeIn.exe RarSFX: infected - 4 skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\infected.dat Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Logs\Dfsr.log Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_60E8_D6EA_E8D6_BD8A\dfsr.db Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_60E8_D6EA_E8D6_BD8A\fsr.log Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_60E8_D6EA_E8D6_BD8A\fsrtmp.log Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Messenger\[email protected]\SharingMetadata\Working\database_60E8_D6EA_E8D6_BD8A\tmp.edb Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\real\members.stg Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Microsoft\Windows Live Contacts\[email protected]\shadow\members.stg Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Mozilla\Firefox\Profiles\z4we4y9s.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Mozilla\Firefox\Profiles\z4we4y9s.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Mozilla\Firefox\Profiles\z4we4y9s.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Application Data\Mozilla\Firefox\Profiles\z4we4y9s.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\History\History.IE5\MSHist012006072320060724\index.dat Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Temp\rd587.tmp\rd589.tmp Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Temp\~DF55BA.tmp Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Temp\~DF55D8.tmp Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Temp\~DF83CC.tmp Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Temp\~DF8402.tmp Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\yeak.YEAKY\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\LogMeIn\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Program Files\LogMeIn\LogMeIn.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Program Files\LogMeIn\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\Program Files\LogMeIn\update\2-30-545.bak\ramaint.exe Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000002.exe Infected: not-a-virus:AdWare.Win32.ClearSearch.aj skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000003.DLL Infected: not-a-virus:AdWare.Win32.ClearSearch.ag skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000004.dll Infected: not-a-virus:AdWare.Win32.ClearSearch.z skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000005.exe Infected: not-a-virus:AdWare.Win32.ClearSearch.ac skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000006.exe Infected: not-a-virus:AdWare.Win32.F1Organizer.h skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000007.dll/data0001 Infected: Trojan-Downloader.Win32.IstBar.iu skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000007.dll/data0003 Infected: Trojan-Downloader.Win32.IstBar.nn skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000007.dll NSIS: infected - 2 skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000007.dll Exe2Dll: infected - 2 skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000007.dll UPX: infected - 2 skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000008.exe/data0001 Infected: Trojan-Downloader.Win32.IstBar.iu skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000008.exe/data0003 Infected: Trojan-Downloader.Win32.IstBar.nn skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000008.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000009.exe Infected: not-a-virus:AdWare.Win32.ClearSearch.aj skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000010.dll Infected: not-a-virus:AdWare.Win32.ClearSearch.z skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000011.exe Infected: not-a-virus:AdWare.Win32.ClearSearch.ac skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000012.exe Infected: Trojan-Downloader.Win32.IstBar.hv skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000013.DLL Infected: not-a-virus:AdWare.Win32.ClearSearch.ag skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000014.exe Infected: not-a-virus:AdWare.Win32.EliteBar.ac skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000015.exe Infected: not-a-virus:AdWare.Win32.EliteBar.q skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000016.exe/WISE0016.BIN Infected: not-a-virus:AdWare.Win32.180Solutions skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000016.exe/WISE0017.BIN Infected: not-a-virus:AdWare.Win32.F1Organizer.h skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000016.exe/WISE0018.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000016.exe/WISE0018.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000016.exe/WISE0018.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000016.exe/WISE0019.BIN Infected: Backdoor.Win32.Ruledor.c skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000016.exe WiseSFX: infected - 6 skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000017.EXE Infected: not-a-virus:AdWare.Win32.MyWay.z skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000018.EXE Infected: not-a-virus:AdWare.Win32.MyWay.z skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000019.exe/WISE0060.BIN Infected: not-a-virus:AdWare.Win32.Gator.3013 skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000019.exe WiseSFX: infected - 1 skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000020.exe/data0005 Infected: not-a-virus:AdWare.Win32.SaveNow.bx skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\A0000020.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{AB26917B-E4EA-4C6B-84F5-9DC8BB47E109}\RP1\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LMIinit.dll Infected: not-a-virus:RemoteAdmin.Win32.RemotelyAnywhere.a skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Thanks
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP