
Infected With "System32.exe" Trojan Virus



#1
fullerve

A huge thanks to anyone who can look at my HijackThis log and figure out my problem. This is a great site!


I have followed the hijack instructions on this site to a "T". Many of the applications that I am running find and remove the virus upon boot, but somehow it manages to regenerate itself and load again after rebooting.

Please look at my log and let me know if anything obvious stands out.

Thanks in advance.


Attached File  hijackthis_log___fullerve.txt   10.08KB   317 downloads


#2
Armodeluxe

Hi fullerve, welcome to GeeksToGo

If you still need help, please post a new HijackThis log (please paste it, don't attach) and I will be happy to assist you.

Regards,

Armodeluxe

#3
fullerve

I do still need help. Desperately. I have tried many of the solutions provided by experts for other cases.

No luck. The trojans keep reloading themselves upon reboot. My antivirus software finds them but cannot stop them. I have not downloaded any music or anything else from the internet, haven't visited any [bleep] sites. I can't understand how this happened, but it is very frustrating. Your help is appreciated, I will make it worth your while.

I just ran this scan and look forward to your response.

Logfile of HijackThis v1.99.1
Scan saved at 9:15:56 PM, on 11/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\windows\adtech2005.exe
C:\WINDOWS\system32\LinkMaker.exe
C:\WINDOWS\system32\zqactx1.exe
C:\WINDOWS\SYS98.exe
C:\WINDOWS\system32\nfomon\nfomon.exe
C:\WINDOWS\system32\vidmon\vidmon.exe
C:\WINDOWS\win320976-13948345.exe
C:\Documents and Settings\Vernie\Application Data\System Restore\actx1.exe
C:\Program Files\VBouncer\BundleOuter.EXE
C:\Program Files\webHancer\Programs\whAgent.exe
C:\Program Files\Internet Optimizer\optimize.exe
C:\Program Files\VVSN\VVSN.exe
C:\WINDOWS\ms074576-139483.exe
C:\WINDOWS\ms05834576-1394.exe
C:\WINDOWS\sys0394834576-13.exe
C:\Program Files\webHancer\Programs\whsurvey.exe
C:\Program Files\Jylqml\Qqwvnjs.exe
C:\WINDOWS\sys11-1394834576.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\PROGRA~1\COMMON~1\rmrf\rmrfm.exe
C:\WINDOWS\system32\mc-110-12-0000122.exe
C:\WINDOWS\system32\lnkxma.exe
C:\winstall.exe
C:\WINDOWS\system32\sysvcs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\lnkxma.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\VmVybmll\command.exe
C:\Program Files\Internet Optimizer\actalert.exe
C:\DOCUME~1\Vernie\LOCALS~1\Temp\5600051028.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\DOCUME~1\Vernie\LOCALS~1\Temp\GLB10.tmp
C:\WINDOWS\SYS98.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\win3208576-1394834.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\PROGRA~1\VBouncer\BUNDLE~1.EXE
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Documents and Settings\Vernie\Desktop\HijackThis.exe
C:\Program Files\Common Files\Download\mc-110-12-0000122.exe
C:\Program Files\Common Files\Windows\AutoIt3.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O2 - BHO: imGiantObj Class - {00000062-2E5F-4AF7-986E-5B64E0951A96} - C:\WINDOWS\imGiant.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O2 - BHO: XBTP07618 - {2296428D-C133-4928-B76A-A200FF409572} - C:\PROGRA~1\FREEPR~1\freeprod.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {50444070-A640-D1BC-56B3-9CAECFDE1821} - C:\WINDOWS\Lsztflwg.dll
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\system32\nsz1E.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll
O3 - Toolbar: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [LinkMaker.exe] C:\WINDOWS\system32\LinkMaker.exe
O4 - HKLM\..\Run: [ZQHelper] C:\WINDOWS\system32\zqactx1.exe
O4 - HKLM\..\Run: [Linker] C:\WINDOWS\system32\LinkMaker.exe
O4 - HKLM\..\Run: [YourMonitor] C:\WINDOWS\SYS98
O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe
O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\system32\vidmon\vidmon.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [win320976-13948345] C:\WINDOWS\win320976-13948345.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [ACTX1] C:\Documents and Settings\Vernie\Application Data\System Restore\actx1.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [mmxp2passion.exe] C:\WINDOWS\system32\mmxp2passion.exe
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [F ma] C:\windows\mrjj.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [ms074576-139483] C:\WINDOWS\ms074576-139483.exe
O4 - HKLM\..\Run: [drsmartload183a.exe] C:\WINDOWS\system32\drsmartload183a.exe
O4 - HKLM\..\Run: [MediaGateway.exeg] C:\WINDOWS\system32\MediaGateway.exeg
O4 - HKLM\..\Run: [ms05834576-1394] C:\WINDOWS\ms05834576-1394.exe
O4 - HKLM\..\Run: [sys0394834576-13] C:\WINDOWS\sys0394834576-13.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [noC=] C:\windows\mrjj.exe
O4 - HKLM\..\Run: [Eipql] C:\Program Files\Jylqml\Qqwvnjs.exe
O4 - HKLM\..\Run: [sys11-1394834576] C:\WINDOWS\sys11-1394834576.exe
O4 - HKLM\..\Run: [win3208576-1394834] C:\WINDOWS\win3208576-1394834.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [rmrf] C:\PROGRA~1\COMMON~1\rmrf\rmrfm.exe
O4 - HKCU\..\Run: [actx1.exe] C:\Documents and Settings\Vernie\Application Data\System Restore\actx1.exe
O4 - HKCU\..\Run: [zqactx1.exe] C:\WINDOWS\system32\zqactx1.exe
O4 - HKCU\..\Run: [mc-110-12-0000122.exe] C:\WINDOWS\system32\mc-110-12-0000122.exe
O4 - HKCU\..\Run: [fran-super.exe] C:\WINDOWS\system32\fran-super.exe
O4 - HKCU\..\Run: [ventbb.exe] C:\WINDOWS\system32\ventbb.exe
O4 - HKCU\..\Run: [VB1.exe] C:\WINDOWS\system32\VB1.exe
O4 - HKCU\..\Run: [Setup75.exe] C:\WINDOWS\system32\Setup75.exe
O4 - HKCU\..\Run: [elts4.exe] C:\WINDOWS\system32\elts4.exe
O4 - HKCU\..\Run: [SSK35.exe] C:\WINDOWS\system32\SSK35.exe
O4 - HKCU\..\Run: [o3mrk.Stub.exe] C:\WINDOWS\system32\o3mrk.Stub.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [lnkxma] C:\WINDOWS\system32\lnkxma.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sysvcs.exe
O4 - HKCU\..\RunOnce: [lnkxma] C:\WINDOWS\system32\lnkxma.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130452616765
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo....cab?refid=4675
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.to...5.44/ttinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{01A8B5CE-4531-478C-BB27-16093652E0F5}: NameServer = 207.144.32.41,137.118.1.32
O17 - HKLM\System\CS1\Services\Tcpip\..\{01A8B5CE-4531-478C-BB27-16093652E0F5}: NameServer = 207.144.32.41,137.118.1.32
O20 - AppInit_DLLs: repairs302972973.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINDOWS\system32\ddokamfd.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VmVybmll\command.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#4
Armodeluxe

Please print these instructions for use in safe mode. Also don't close this page until you are going to reboot since you have to do some copying/pasting.

1) First, download LSPFix.exe to a convenient location such as your desktop. Do NOT run this program. This is only to be used if you lose Internet Access after removing Webhancer.

2) Please download the Webhancer removal tool to your desktop, but don't run it yet.

http://securityrespo...ixWebHancer.exe

3) Please update Spysweeper for latest definitions. Don't run it yet.

4) First, download and install CleanUp! but do not run it yet.
*NOTE* Cleanup deletes EVERYTHING out of temp/temporary folders and does not make backups.

5) Please download Ewido Security Suite (do NOT run it yet!)
  • Install ewido security suite
  • Launch ewido, there should be a big E icon on your desktop, double-click it.
  • The program will prompt you to update; click the OK button
  • The program will now go to the main screen
  • You will need to update ewido to the latest definition files.
  • On the left hand side of the main screen click update
  • Click on Start
  • The update will start and a progress bar will show the updates being installed
  • After the updates are installed, exit Ewido

6) Download smitRem.exe and save the file to your desktop.
Double click on the file to extract it to its own folder on the desktop.

7) If you have not already installed Ad-Aware SE 1.06, follow these download and setup instructions, otherwise, check for updates:
Ad-Aware SE Setup
Don't run it yet!

8) Please download the Killbox.
Unzip it to the desktop.

9) Please run Killbox.

10) Select "Delete on Reboot". Go to Options>Delete on Reboot and select "Process all on list"

11) Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\windows\adtech2005.exe
C:\WINDOWS\system32\LinkMaker.exe
C:\WINDOWS\system32\zqactx1.exe
C:\WINDOWS\SYS98.exe
C:\WINDOWS\system32\nfomon\nfomon.exe
C:\WINDOWS\system32\vidmon\vidmon.exe
C:\WINDOWS\win320976-13948345.exe
C:\Documents and Settings\Vernie\Application Data\System Restore\actx1.exe
C:\WINDOWS\ms074576-139483.exe
C:\WINDOWS\ms05834576-1394.exe
C:\WINDOWS\sys0394834576-13.exe
C:\Program Files\Jylqml\Qqwvnjs.exe
C:\WINDOWS\sys11-1394834576.exe
C:\PROGRA~1\COMMON~1\rmrf\rmrfm.exe
C:\WINDOWS\system32\mc-110-12-0000122.exe
C:\WINDOWS\system32\lnkxma.exe
C:\winstall.exe
C:\WINDOWS\system32\sysvcs.exe
C:\WINDOWS\VmVybmll\command.exe
C:\DOCUME~1\Vernie\LOCALS~1\Temp\5600051028.exe
C:\DOCUME~1\Vernie\LOCALS~1\Temp\GLB10.tmp
C:\WINDOWS\SYS98.exe
C:\Program Files\Common Files\Windows\services32.exe
C:\WINDOWS\win3208576-1394834.exe
C:\Program Files\Common Files\Download\mc-110-12-0000122.exe
C:\Program Files\Common Files\Windows\AutoIt3.exe
C:\WINDOWS\imGiant.dll
C:\WINDOWS\bxxs5.dll
C:\WINDOWS\system32\repairs302972973.dll
C:\WINDOWS\system32\ddokamfd.dll
C:\WINDOWS\Lsztflwg.dll
C:\WINDOWS\system32\nsz1E.dll
C:\WINDOWS\wsem303.dll
C:\WINDOWS\system32\WinNB57.dll
C:\windows\timessquare.exe
C:\WINDOWS\system32\wintask.exe
C:\WINDOWS\system32\mmxp2passion.exe
C:\windows\mrjj.exe
C:\WINDOWS\system32\drsmartload183a.exe
C:\WINDOWS\system32\MediaGateway.exeg
C:\WINDOWS\win3208576-1394834.exe
C:\PROGRA~1\COMMON~1\rmrf\rmrfm.exe
C:\WINDOWS\system32\fran-super.exe
C:\WINDOWS\system32\ventbb.exe
C:\WINDOWS\system32\VB1.exe
C:\WINDOWS\system32\Setup75.exe
C:\WINDOWS\system32\elts4.exe
C:\WINDOWS\system32\SSK35.exe
C:\WINDOWS\system32\o3mrk.Stub.exe
C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe

12) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

13) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the Do You Want to Reboot Now prompt.

14) Reboot your computer into Safe Mode. You can do this by continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit enter.

Once in Safe Mode:

15) Locate FixWebHancer.exe on your desktop and run it.

16) Go to Control Panel Add/Remove Programs and uninstall the following if there is an entry:

SurfSideKick 3
E2G
WebHancer
Freeprod Toolbar
VBouncer
Internet Optimizer
VVSN
Command


17) Reconfigure Windows XP to show hidden files:
Click Start. Open My Computer.
Select the Tools menu and click Folder Options. Select the View Tab.

Under the Hidden files and folders heading select "Show hidden files and folders".
Uncheck the "Hide protected operating system files (recommended)" option.
Uncheck the "Hide file extensions for known file types" option.
Click Yes to confirm. Click OK.

18) Then navigate to and delete these folders:

C:\Program Files\VBouncer
C:\Program Files\webHancer
C:\Program Files\Internet Optimizer
C:\Program Files\VVSN
C:\Program Files\Jylqml
C:\PROGRAM FILES\COMMON FILES\rmrf
C:\Program Files\Common Files\Windows
C:\Program Files\Common Files\Download
C:\Documents and Settings\Vernie\Application Data\System Restore
C:\PROGRAM FILES\COMMON FILES\rmrf

19) Open HijackThis and click Scan. Put a check next to these if still there:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.fin...siteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.fin...siteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O2 - BHO: imGiantObj Class - {00000062-2E5F-4AF7-986E-5B64E0951A96} - C:\WINDOWS\imGiant.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\bxxs5.dll
O2 - BHO: XBTP07618 - {2296428D-C133-4928-B76A-A200FF409572} - C:\PROGRA~1\FREEPR~1\freeprod.dll
O2 - BHO: CControl Object - {3643ABC2-21BF-46B9-B230-F247DB0C6FD6} - C:\Program Files\E2G\IeBHOs.dll
O2 - BHO: (no name) - {50444070-A640-D1BC-56B3-9CAECFDE1821} - C:\WINDOWS\Lsztflwg.dll
O2 - BHO: wb - {55BE9F0D-6CAF-4c3e-B125-5A13A8C9D0EC} - C:\WINDOWS\system32\nsz1E.dll
O2 - BHO: BHObj Class - {8F4E5661-F99E-4B3E-8D85-0EA71C0748E4} - C:\WINDOWS\wsem303.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll
O3 - Toolbar: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O4 - HKLM\..\Run: [timessquare] C:\windows\timessquare.exe
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKLM\..\Run: [LinkMaker.exe] C:\WINDOWS\system32\LinkMaker.exe
O4 - HKLM\..\Run: [ZQHelper] C:\WINDOWS\system32\zqactx1.exe
O4 - HKLM\..\Run: [Linker] C:\WINDOWS\system32\LinkMaker.exe
O4 - HKLM\..\Run: [YourMonitor] C:\WINDOWS\SYS98
O4 - HKLM\..\Run: [Nfo] C:\WINDOWS\system32\nfomon\nfomon.exe
O4 - HKLM\..\Run: [vidmon] C:\WINDOWS\system32\vidmon\vidmon.exe
O4 - HKLM\..\Run: [bxxs5] RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun
O4 - HKLM\..\Run: [WinTask driver] C:\WINDOWS\system32\wintask.exe
O4 - HKLM\..\Run: [win320976-13948345] C:\WINDOWS\win320976-13948345.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [ACTX1] C:\Documents and Settings\Vernie\Application Data\System Restore\actx1.exe
O4 - HKLM\..\Run: [VBundleOuterDL] C:\Program Files\VBouncer\BundleOuter.EXE
O4 - HKLM\..\Run: [mmxp2passion.exe] C:\WINDOWS\system32\mmxp2passion.exe
O4 - HKLM\..\Run: [webHancer Agent] "C:\Program Files\webHancer\Programs\whAgent.exe"
O4 - HKLM\..\Run: [F ma] C:\windows\mrjj.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [VVSN] C:\Program Files\VVSN\VVSN.exe
O4 - HKLM\..\Run: [ms074576-139483] C:\WINDOWS\ms074576-139483.exe
O4 - HKLM\..\Run: [drsmartload183a.exe] C:\WINDOWS\system32\drsmartload183a.exe
O4 - HKLM\..\Run: [MediaGateway.exeg] C:\WINDOWS\system32\MediaGateway.exeg
O4 - HKLM\..\Run: [ms05834576-1394] C:\WINDOWS\ms05834576-1394.exe
O4 - HKLM\..\Run: [sys0394834576-13] C:\WINDOWS\sys0394834576-13.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [noC=] C:\windows\mrjj.exe
O4 - HKLM\..\Run: [Eipql] C:\Program Files\Jylqml\Qqwvnjs.exe
O4 - HKLM\..\Run: [sys11-1394834576] C:\WINDOWS\sys11-1394834576.exe
O4 - HKLM\..\Run: [win3208576-1394834] C:\WINDOWS\win3208576-1394834.exe
O4 - HKCU\..\Run: [rmrf] C:\PROGRA~1\COMMON~1\rmrf\rmrfm.exe
O4 - HKCU\..\Run: [actx1.exe] C:\Documents and Settings\Vernie\Application Data\System Restore\actx1.exe
O4 - HKCU\..\Run: [zqactx1.exe] C:\WINDOWS\system32\zqactx1.exe
O4 - HKCU\..\Run: [mc-110-12-0000122.exe] C:\WINDOWS\system32\mc-110-12-0000122.exe
O4 - HKCU\..\Run: [fran-super.exe] C:\WINDOWS\system32\fran-super.exe
O4 - HKCU\..\Run: [ventbb.exe] C:\WINDOWS\system32\ventbb.exe
O4 - HKCU\..\Run: [VB1.exe] C:\WINDOWS\system32\VB1.exe
O4 - HKCU\..\Run: [Setup75.exe] C:\WINDOWS\system32\Setup75.exe
O4 - HKCU\..\Run: [elts4.exe] C:\WINDOWS\system32\elts4.exe
O4 - HKCU\..\Run: [SSK35.exe] C:\WINDOWS\system32\SSK35.exe
O4 - HKCU\..\Run: [o3mrk.Stub.exe] C:\WINDOWS\system32\o3mrk.Stub.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [lnkxma] C:\WINDOWS\system32\lnkxma.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sysvcs.exe
O4 - HKCU\..\RunOnce: [lnkxma] C:\WINDOWS\system32\lnkxma.exe
O9 - Extra button: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O9 - Extra 'Tools' menuitem: Freeprod Toolbar - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - C:\Program Files\Freeprod Toolbar\freeprod.dll
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo....cab?refid=4675
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.to...5.44/ttinst.cab
O20 - AppInit_DLLs: repairs302972973.dll
O21 - SSODL: SysTray.Exbr - {6368D1FC-6F5C-4f1b-B164-E67214F678E9} - C:\WINDOWS\system32\ddokamfd.dll (file missing)
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VmVybmll\command.exe


Close all other windows except HijackThis and click Fix Checked.

20) Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu).
Set the program up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Click OK
Press the CleanUp! button to start the program.

If Cleanup! asks if you want to reboot, click NO

21) Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, e.g. Local Disk C: or the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

22) Open Ad-aware and do a full scan. Remove all it finds.

23) Open Ewido
  • Click on scanner
  • Click Complete System Scan
  • Let the program scan the machine
While the scan is in progress you will be prompted to clean the first infected file it finds. Choose "remove", then put a check next to "Perform action on all infections" in the left corner of the box so you don't have to sit and watch Ewido the whole time. Click OK.

Once the scan has completed, there will be a button located on the bottom of the screen named Save report
  • Click Save report
  • Save the report to your desktop
  • Exit Ewido

24) Next, go to Control Panel, click Display > Desktop > Customize Desktop > Web > Uncheck "Security Info" if present.

25) Go to Start>Run and type: cmd

In the command window that opens type the following line:

sc delete cmdService

Hit the Enter key, and then type: cmd to exit the command window.

26) Open Spysweeper.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.

27) Reboot back to normal mode.

28) In the event that you lose Internet access after removing Webhancer, please double-click LSPFix.exe that you downloaded earlier. You will see 2 panels. If there is any file listed in the "Remove" panel on the right side, leave it as is and just click "Finish>>", then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove" panel, do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.

29) If no connection problems, come back here and post:
  • A new HijackThis log
  • Ewido log
  • Spysweeper log
  • Smitrem.txt
  • Comments on how it went, any difficulties etc.

30) Good luck!! :tazz: :)
  • 0
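
Added example, not part of the original posts or of any tool named in this thread: a small check for the "post a new HijackThis log" step that compares the step 19 fix list against a rescan and reports entries that are still registered, plus autorun entries that were not in the earlier log. The function names and matching rules (CLSID for COM entries, hive plus value name for O4 Run entries) are assumptions of this sketch; the sample lines are a trimmed excerpt of log lines posted in this thread.

```python
import re

# HijackThis entry lines look like: "O4 - HKCU\..\Run: [name] C:\path\file.exe"
ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
RUN_RE = re.compile(r"^(.+?): \[(.+?)\]")  # "HKCU\..\Run: [value name]"


def entry_key(line):
    """Return an identity key for one entry line, or None for non-entry lines.

    Matching on the whole line would miss an entry whose file was deleted
    but whose registry data remains (HijackThis then prints "(no file)"),
    so the key is built from the registry identity instead of the path.
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # header, blank line or "Running processes" path
    code, rest = m.group(1), m.group(2)
    clsid = CLSID_RE.search(rest)
    if clsid:
        return (code, clsid.group(0).lower())
    run = RUN_RE.match(rest)
    if code == "O4" and run:
        return (code, run.group(1).lower(), run.group(2).lower())
    return (code, " ".join(rest.lower().split()))


def index(log_text):
    """Map identity key -> first matching line for every entry in a log."""
    found = {}
    for line in log_text.splitlines():
        key = entry_key(line)
        if key is not None:
            found.setdefault(key, line.strip())
    return found


def survivors(fix_list_text, rescan_text):
    """Entries that were on the fix list but still show up in the rescan."""
    rescan = index(rescan_text)
    return [rescan[k] for k in index(fix_list_text) if k in rescan]


def newcomers(baseline_text, rescan_text, codes=("O4", "O20", "O21", "O23")):
    """Autostart-type entries in the rescan that the earlier log did not have.

    These are entries to review, not a verdict that they are malicious.
    """
    base = index(baseline_text)
    return [line for key, line in index(rescan_text).items()
            if key[0] in codes and key not in base]


# Sample input: trimmed excerpt of lines from the logs in this thread.
FIX_LIST = r"""
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O4 - HKLM\..\Run: [adtech2005] C:\windows\adtech2005.exe
O4 - HKCU\..\Run: [rmrf] C:\PROGRA~1\COMMON~1\rmrf\rmrfm.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sysvcs.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\VmVybmll\command.exe
"""

BASELINE = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
""" + FIX_LIST

RESCAN = r"""
Running processes:
C:\WINDOWS\system32\aupdate.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Auto Updater] C:\WINDOWS\system32\aupdate.exe
O4 - HKCU\..\Run: [rmrf] C:\PROGRA~1\COMMON~1\rmrf\rmrfm.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sysvcs.exe
"""

if __name__ == "__main__":
    print("Still registered after the fix:")
    for line in survivors(FIX_LIST, RESCAN):
        print("  " + line)
    print("New autostart entries to review:")
    for line in newcomers(BASELINE, RESCAN):
        print("  " + line)
```
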

#5
fullerve

Thank you for the thorough instructions. They were easy to follow, detailed and accurate. Thanks again!

The only problem I experienced was that I was not able to complete the Spysweeper Scan. This was because my trial version had expired and my System was operating so poorly that I was not able to download the upgrade and execute it.

I will do that now though. Things seem to be working nicely although Ewido did find two problems and asked to delete them upon reboot.

The other three logs which you asked for are attached here.

Thanks, Vernon :tazz:

---------------------------------------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 12:12:39 AM, on 11/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\WINDOWS\system32\aupdate.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Vernie\Desktop\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [Auto Updater] C:\WINDOWS\system32\aupdate.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [rmrf] C:\PROGRA~1\COMMON~1\rmrf\rmrfm.exe
O4 - HKCU\..\Run: [actx1.exe] C:\Documents and Settings\Vernie\Application Data\System Restore\actx1.exe
O4 - HKCU\..\Run: [zqactx1.exe] C:\WINDOWS\system32\zqactx1.exe
O4 - HKCU\..\Run: [mc-110-12-0000122.exe] C:\WINDOWS\system32\mc-110-12-0000122.exe
O4 - HKCU\..\Run: [fran-super.exe] C:\WINDOWS\system32\fran-super.exe
O4 - HKCU\..\Run: [ventbb.exe] C:\WINDOWS\system32\ventbb.exe
O4 - HKCU\..\Run: [VB1.exe] C:\WINDOWS\system32\VB1.exe
O4 - HKCU\..\Run: [Setup75.exe] C:\WINDOWS\system32\Setup75.exe
O4 - HKCU\..\Run: [elts4.exe] C:\WINDOWS\system32\elts4.exe
O4 - HKCU\..\Run: [SSK35.exe] C:\WINDOWS\system32\SSK35.exe
O4 - HKCU\..\Run: [o3mrk.Stub.exe] C:\WINDOWS\system32\o3mrk.Stub.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [lnkxma] C:\WINDOWS\system32\lnkxma.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sysvcs.exe
O4 - HKCU\..\Run: [Sen] "C:\Program Files\bama\tlii.exe" -vt yazr
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130452616765
O17 - HKLM\System\CCS\Services\Tcpip\..\{01A8B5CE-4531-478C-BB27-16093652E0F5}: NameServer = 207.144.32.41,137.118.1.32
O17 - HKLM\System\CS1\Services\Tcpip\..\{01A8B5CE-4531-478C-BB27-16093652E0F5}: NameServer = 207.144.32.41,137.118.1.32
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 12:00:51 AM, 11/30/2005
+ Report-Checksum: 9DDAF183

+ Scan result:



::Report End



smitRem © log file
version 2.7

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Tue 11/29/2005
The current time is: 23:03:00.34

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~

SpySheriff


~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~

zlbw.dll


~~~ Icons in System32 ~~~



~~~ Windows directory ~~~

desktop.html


~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~



~~~ Miscellaneous Files/folders ~~~




~~~ Wininet.dll ~~~

CLEAN! :)

#6
Armodeluxe

    Member 2k

  • Retired Staff
  • 2,744 posts
What an infection.. :tazz: It took me more than a couple of hours to prepare that fix.. :)

Some of the entries are still there. Maybe they weren't visible in safe mode, or maybe Spysweeper is interfering with the fixes. Please disable Spysweeper:

To disable SpySweeper Shields
  • Click Shields on the left.
  • Click Internet Explorer and uncheck all items.
  • Click Windows System and uncheck all items.
  • Click Startup Programs and uncheck all items.
  • Exit Spysweeper.
Open HijackThis and click Scan. Put a check next to these:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O4 - HKLM\..\Run: [Auto Updater] C:\WINDOWS\system32\aupdate.exe
O4 - HKCU\..\Run: [rmrf] C:\PROGRA~1\COMMON~1\rmrf\rmrfm.exe
O4 - HKCU\..\Run: [actx1.exe] C:\Documents and Settings\Vernie\Application Data\System Restore\actx1.exe
O4 - HKCU\..\Run: [zqactx1.exe] C:\WINDOWS\system32\zqactx1.exe
O4 - HKCU\..\Run: [mc-110-12-0000122.exe] C:\WINDOWS\system32\mc-110-12-0000122.exe
O4 - HKCU\..\Run: [fran-super.exe] C:\WINDOWS\system32\fran-super.exe
O4 - HKCU\..\Run: [ventbb.exe] C:\WINDOWS\system32\ventbb.exe
O4 - HKCU\..\Run: [VB1.exe] C:\WINDOWS\system32\VB1.exe
O4 - HKCU\..\Run: [Setup75.exe] C:\WINDOWS\system32\Setup75.exe
O4 - HKCU\..\Run: [elts4.exe] C:\WINDOWS\system32\elts4.exe
O4 - HKCU\..\Run: [SSK35.exe] C:\WINDOWS\system32\SSK35.exe
O4 - HKCU\..\Run: [o3mrk.Stub.exe] C:\WINDOWS\system32\o3mrk.Stub.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKCU\..\Run: [lnkxma] C:\WINDOWS\system32\lnkxma.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [services32] C:\Program Files\Common Files\Windows\mc-110-12-0000122.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sysvcs.exe
O4 - HKCU\..\Run: [Sen] "C:\Program Files\bama\tlii.exe" -vt yazr


Close all other windows except HijackThis and click Fix Checked.

Then delete this file:

C:\WINDOWS\system32\aupdate.exe

If you get an error deleting, first go to Task Manager (CTRL+ALT+DEL) and end the aupdate.exe task, then try again.

Now let's run a couple of scans and see what else is there:

1) Please download Rootkit Revealer (link is at the very bottom of the page)
  • Unzip it to your desktop.
  • Open the rootkitrevealer folder and double-click rootkitrevealer.exe
  • Click the Scan button (bottom right)
  • It may take a while to scan (don't do anything while it's running)
  • When it's done, go up to File > Save. Choose to save it to your desktop.
  • Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here
2) Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK
  • Now under Select a target to scan: select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Please post those two logs along with a new HijackThis log.
  • 0
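The following is an added example, not part of the thread and not HijackThis's or the helper's own logic: a small Python triage pass over HijackThis `O4` (autostart) lines. The sample lines are copied from the log posted above; the three heuristics and all function names are assumptions chosen for illustration.

```python
import re
from pathlib import PureWindowsPath

# Sample input: O4 lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Auto Updater] C:\WINDOWS\system32\aupdate.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [zqactx1.exe] C:\WINDOWS\system32\zqactx1.exe
O4 - HKCU\..\Run: [Windows installer] C:\winstall.exe
O4 - HKCU\..\Run: [aupd] C:\WINDOWS\system32\sysvcs.exe
O4 - HKCU\..\Run: [Sen] "C:\Program Files\bama\tlii.exe" -vt yazr
O4 - Global Startup: Digital Line Detect.lnk = ?
'''

# "O4 - <hive>\..\<key>: [<value name>] <command line>"
O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(\w+): \[(.*?)\] (.+)$")
# Unquoted commands may contain spaces, so cut at the first executable extension.
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif))(?=\s|$)", re.I)

SYSTEM_DIR = PureWindowsPath(r"C:\WINDOWS\system32")


def parse_o4(line):
    """Return hive, key, value name and target path for a registry O4 line, else None."""
    m = O4_RE.match(line.strip())
    if not m:
        return None  # Startup-folder entries and other sections are skipped
    hive, key, name, command = m.groups()
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        target = command[1:end] if end != -1 else command[1:]
    else:
        em = EXE_RE.match(command)
        target = em.group(1) if em else command
    return {"hive": hive, "key": key, "name": name,
            "target": PureWindowsPath(target)}


def triage(entry):
    """Apply three illustrative heuristics; return the reasons that matched."""
    reasons = []
    target = entry["target"]
    # PureWindowsPath compares case-insensitively, like the file system does.
    if entry["hive"] == "HKCU" and target.parent == SYSTEM_DIR:
        reasons.append("per-user Run value launches a file from system32")
    if target.anchor and target.parent == PureWindowsPath(target.anchor):
        reasons.append("executable sits in the drive root")
    if entry["name"].lower() == target.name.lower():
        reasons.append("value name is just the file name")
    return reasons


def review(log_text):
    """Map each flagged Run value name to the list of reasons it was flagged."""
    findings = {}
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = triage(entry)
        if reasons:
            findings[entry["name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in review(SAMPLE_LOG).items():
        print(f"[{name}] " + "; ".join(reasons))
```

On this sample the heuristics flag `zqactx1.exe`, `Windows installer` and `aupd`, but not `Auto Updater` or `Sen`, both of which are on the fix list above, so location and naming rules are only a first pass over a log.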

#7
fullerve

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
My PC is working much better now. I can't thank you enough.

I simply uninstalled the spysweeper since I was not able to disable it.

The rootkit log was blank, it found nothing thus nothing to post.




Here is the Kaspersky log.




-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Wednesday, November 30, 2005 22:36:51
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 1/12/2005
Kaspersky Anti-Virus database records: 162535
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 42769
Number of viruses found: 78
Number of infected objects: 432
Number of suspicious objects: 0
Duration of the scan process: 2456 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E900003.VBN Infected: Trojan-Downloader.Win32.Small.bnt
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0E900004.VBN Infected: Trojan-Downloader.Win32.Small.bnt
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\18880000.VBN Infected: Trojan-Spy.Win32.Small.dg
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\18880001.VBN Infected: Trojan-Spy.Win32.Small.dg
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\18880002.VBN Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\18880003.VBN Infected: Trojan-Dropper.Win32.Agent.abo
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\18880004.VBN Infected: Trojan-Dropper.Win32.Agent.abo
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\18880005.VBN Infected: Trojan-Proxy.Win32.Wopla.n
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\18880006.VBN Infected: Trojan-Proxy.Win32.Wopla.n
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\18880007.VBN Infected: Trojan-Downloader.Win32.Small.bwr
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\18880008.VBN Infected: Trojan-Downloader.Win32.Small.bwr
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\74500000.VBN Infected: not-a-virus:AdWare.Win32.Maxifiles.h
C:\Program Files\imgthin\setup\thin-149-2-x-x.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.ac
C:\Program Files\Xer name\ace.dll Infected: Trojan.Win32.Crypt.t
C:\Program Files\Xer name\wexphost.exe Infected: Trojan.Win32.Crypt.t
C:\Program Files\Xer name\WinGenerics.dll Infected: Trojan.Win32.Crypt.t
C:\stub_113_4_0_4_0.exe Infected: Trojan-Downloader.Win32.TSUpdate.o
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP201\A0014305.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP201\A0015328.dll Infected: Trojan-Downloader.Win32.Dyfuca.gen
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP202\A0015345.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP202\A0015347.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP202\A0015350.exe Infected: Trojan-Downloader.Win32.Small.buy
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP202\A0015352.DLL Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP202\A0015353.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP202\A0015354.dll Infected: not-a-virus:AdWare.Win32.CommAd.a
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP202\A0015362.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.u
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP202\A0015367.exe Infected: Trojan.Win32.VB.aeq
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP205\A0015390.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.u
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP205\A0015391.exe Infected: Trojan-Dropper.Win32.Agent.aac
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP205\A0015393.exe Infected: Trojan-Dropper.Win32.Agent.aac
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP205\A0015394.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.u
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP205\A0015396.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.u
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015411.exe Infected: Trojan-Downloader.Win32.VB.ri
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015412.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.u
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015413.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.u
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015414.exe Infected: Trojan-Dropper.Win32.Agent.aac
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015415.exe Infected: Trojan-Dropper.Win32.Agent.aac
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015416.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.u
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015467.exe Infected: Trojan-Downloader.Win32.Small.buy
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015468.exe Infected: Trojan.Win32.LowZones.am
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015477.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015485.exe Infected: Trojan-Downloader.Win32.Delmed.a
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015487.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.u
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015491.exe Infected: Trojan-Downloader.Win32.VB.tf
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015493.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.g
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015505.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015508.exe Infected: Trojan-Clicker.Win32.VB.jz
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015509.exe Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015510.exe Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015516.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.a
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015518.exe Infected: Trojan-Dropper.Win32.Agent.aac
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015519.exe Infected: Trojan-Proxy.Win32.Small.di
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015520.exe Infected: Packed.Win32.Klone.b
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015521.exe Infected: Trojan-Dropper.Win32.Agent.aac
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015537.exe Infected: Trojan.Win32.Pakes
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015745.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015746.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015747.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015748.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015752.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015759.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.a
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015761.exe Infected: Trojan-Downloader.Win32.Small.abd
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015768.exe Infected: Trojan-Downloader.Win32.VB.tf
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015769.exe Infected: Trojan-Clicker.Win32.VB.jz
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015770.exe Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015771.exe Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015776.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015783.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.u
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015785.ocx Infected: Trojan-Downloader.Win32.VB.ov
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015786.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.a
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015788.exe Infected: Trojan-Dropper.Win32.Agent.aac
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015789.exe Infected: Trojan-Dropper.Win32.Agent.aac
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0015790.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.u
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0016772.exe Infected: Trojan-Downloader.Win32.VB.tf
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0016773.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0016775.exe Infected: Trojan-Clicker.Win32.VB.jz
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0016777.exe Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0016779.exe Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0016781.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0016786.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.u
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0016787.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.a
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0016789.exe Infected: Packed.Win32.Klone.b
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0016790.exe Infected: Trojan-Dropper.Win32.Agent.aac
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0016791.exe Infected: Packed.Win32.Klone.b
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0016792.exe Infected: Trojan-Dropper.Win32.Agent.aac
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0016793.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.u
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0016796.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0016797.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0016798.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0016800.dll Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0016801.dll Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0016809.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0016810.dll Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0016811.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0017765.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP206\A0017766.dll Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017782.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017783.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017785.exe Infected: Trojan.Win32.Small.cy
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017786.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017800.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.u
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017801.exe Infected: Trojan-Dropper.Win32.Agent.aac
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017802.exe Infected: Packed.Win32.Klone.b
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017803.exe Infected: Trojan-Dropper.Win32.Agent.aac
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017805.exe Infected: Packed.Win32.Klone.b
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017806.exe Infected: Trojan-Downloader.Win32.Dyfuca.dp
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017809.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.a
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017810.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.u
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017812.exe Infected: Trojan-Downloader.Win32.Dyfuca.dp
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017815.exe Infected: Trojan-Downloader.Win32.VB.tf
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017817.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017819.exe Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017821.exe Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017823.exe Infected: Trojan-Clicker.Win32.VB.jz
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017824.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017826.exe Infected: Trojan-Downloader.Win32.VB.tf
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017843.ocx Infected: Trojan-Downloader.Win32.VB.ov
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017844.exe Infected: Trojan-Downloader.Win32.VB.tf
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017847.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017848.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017849.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017850.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017851.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017852.dll Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017871.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017872.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.g
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017874.exe Infected: Trojan-Downloader.Win32.VB.ri
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017875.exe Infected: Trojan-Downloader.Win32.Adload.j
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017876.exe Infected: Trojan-Downloader.Win32.VB.tf
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017885.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.g
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017947.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.am
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017953.dll Infected: not-a-virus:AdWare.Win32.BetterInternet.ad
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017958.dll Infected: Trojan.Win32.Agent.ly
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017959.exe Infected: Packed.Win32.Klone.b
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017961.exe Infected: Trojan-Dropper.Win32.Agent.aby
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017966.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017977.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017978.exe/VVSNInst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017978.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017979.exe Infected: not-virus:Hoax.Win32.Renos.z
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017980.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017981.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017985.exe Infected: Trojan.Win32.LowZones.am
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017986.exe Infected: not-virus:Hoax.Win32.Renos.z
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017988.exe/mrjj.exe Infected: Trojan.Win32.LowZones.am
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017988.exe Infected: Trojan.Win32.LowZones.am
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017990.dll Infected: not-a-virus:AdWare.Win32.Mirar.b
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017991.dll Infected: not-a-virus:AdWare.Win32.E2Give.c
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017994.exe Infected: Trojan.Win32.Delf.og
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017995.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bj
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017998.dll Infected: Trojan-Spy.Win32.Agent.gk
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017999.exe/WhAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017999.exe/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017999.exe/WhSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017999.exe/Webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017999.exe/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0017999.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018001.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.ac
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018002.exe Infected: Trojan-Spy.Win32.VB.eh
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018003.exe Infected: Trojan-Downloader.Win32.Small.buy
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018004.exe/thin-149-2-x-x.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.ac
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018004.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.ac
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018005.exe Infected: Trojan-Downloader.Win32.Small.afq
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018010.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018011.EXE/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018011.EXE Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018014.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018015.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018016.exe Infected: Trojan-Downloader.Win32.VB.tf
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018017.exe Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018021.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.g
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018022.exe Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.j
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018024.ocx Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.c
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018025.dll Infected: not-a-virus:AdWare.Win32.DelphinMedia.Viewer.f
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018026.exe Infected: not-a-virus:AdWare.Win32.DelphinMedia.Viewer.f
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018027.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018027.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018027.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018027.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018027.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018031.exe Infected: Trojan-Dropper.Win32.Small.qn
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018032.exe Infected: Trojan-Spy.Win32.Agent.hi
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018033.exe Infected: Trojan-Dropper.Win32.Agent.acu
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018034.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018035.exe/data0002 Infected: not-a-virus:AdWare.Win32.BookedSpace.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018035.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018036.exe Infected: Trojan-Dropper.Win32.Agent.abb
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018037.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.u
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018038.exe Infected: Trojan.Win32.VB.aeq
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018039.exe Infected: Trojan-Clicker.Win32.VB.is
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018083.exe Infected: Trojan.Win32.Small.cy
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018086.exe Infected: Trojan.Win32.Crypt.t
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018088.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018089.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.u
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018090.exe Infected: Trojan-Downloader.Win32.VB.tf
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018091.exe Infected: Trojan-Clicker.Win32.VB.jz
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018092.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018093.exe Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018094.exe Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018096.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.a
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018102.exe Infected: Trojan-Dropper.Win32.Agent.aac
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018103.exe Infected: Packed.Win32.Klone.b
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018104.exe Infected: Packed.Win32.Klone.b
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018105.exe Infected: Trojan-Dropper.Win32.Agent.aac
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0018106.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.u
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019067.exe Infected: Trojan-Downloader.Win32.VB.tf
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019070.exe Infected: Trojan-Clicker.Win32.VB.jz
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019071.exe Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019072.exe Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019074.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019080.exe Infected: Trojan-Downloader.Win32.Small.abd
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019084.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.a
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019085.ocx Infected: Trojan-Downloader.Win32.VB.ov
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019086.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.u
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019088.exe Infected: Trojan-Dropper.Win32.Agent.aac
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019089.exe Infected: Trojan-Dropper.Win32.Agent.aac
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019090.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.u
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019118.exe Infected: Packed.Win32.Klone.b
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019120.exe Infected: Packed.Win32.Klone.b
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019157.exe Infected: Trojan.Win32.VB.tg
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019161.exe Infected: Trojan.Win32.VB.afn
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019163.exe Infected: Trojan.Win32.VB.aeq
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019164.exe Infected: not-a-virus:AdWare.Win32.DelphinMedia.Viewer.f
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019165.exe Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.j
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019166.exe Infected: Trojan-Downloader.Win32.VB.tf
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019167.exe Infected: Trojan-Clicker.Win32.VB.is
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019168.exe Infected: Trojan-Downloader.Win32.VB.tf
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019169.exe Infected: Trojan-Downloader.Win32.VB.tf
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019170.exe Infected: Trojan-Downloader.Win32.VB.tf
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019171.exe Infected: Trojan.Win32.Small.cy
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019172.exe Infected: Trojan-Downloader.Win32.VB.tf
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019173.exe Infected: Trojan-Downloader.Win32.TSUpdate.n
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019174.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.u
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019175.exe Infected: Trojan-Spy.Win32.VB.eh
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019176.exe Infected: not-virus:Hoax.Win32.Renos.z
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019177.exe Infected: Packed.Win32.Klone.b
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019180.exe Infected: Trojan-Downloader.Win32.VB.tf
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019181.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.u
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019183.dll Infected: not-a-virus:AdWare.Win32.BetterInternet.ad
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019184.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019186.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.g
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019189.dll Infected: not-a-virus:AdWare.Win32.Mirar.b
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019190.exe Infected: Trojan.Win32.StartPage.aw
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019192.exe Infected: Trojan.Win32.LowZones.am
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019193.exe Infected: Trojan-Downloader.Win32.Adload.j
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019194.exe Infected: Trojan-Dropper.Win32.Agent.abb
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019195.exe/data0002 Infected: not-a-virus:AdWare.Win32.BookedSpace.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019195.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.e
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019196.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019197.exe Infected: Trojan-Dropper.Win32.Agent.acu
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019198.exe Infected: Trojan-Spy.Win32.Agent.hi
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019199.exe Infected: Trojan-Dropper.Win32.Small.qn
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019200.exe Infected: Trojan-Dropper.Win32.Agent.aac
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019204.dll Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019205.exe/WhAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019205.exe/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019205.exe/WhSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019205.exe/Webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019205.exe/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019205.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019206.exe Infected: not-a-virus:AdWare.Win32.WebHancer
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019210.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019212.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019213.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019220.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019221.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019222.exe/InpB/SskBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019222.exe/InpB/SskCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019222.exe/InpB/Ssk3RepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019222.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019222.exe Infected: not-a-virus:AdWare.Win32.SurfSide.aa
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019232.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.u
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019234.exe Infected: Trojan-Downloader.Win32.TSUpdate.l
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019239.exe Infected: Trojan-Downloader.Win32.TSUpdate.f
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019244.exe Infected: Trojan-Downloader.Win32.Dyfuca.dp
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019245.exe Infected: Trojan-Downloader.Win32.Dyfuca.ei
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019246.exe Infected: Trojan-Downloader.Win32.Dyfuca.dp
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019247.exe Infected: Trojan.Win32.Small.cy
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019248.EXE/WISE0001.BIN Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019248.EXE Infected: not-a-virus:AdWare.Win32.VirtualBouncer.j
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019254.dll Infected: not-a-virus:AdWare.Win32.E2Give.c
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019255.exe Infected: not-a-virus:AdWare.Win32.CommAd.a
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019261.dll Infected: not-a-virus:AdWare.Win32.Mirar.a
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019262.dll Infected: not-a-virus:AdWare.Win32.CommAd.a
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019264.exe Infected: Trojan-Clicker.Win32.VB.is
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019265.exe Infected: Trojan.Win32.VB.afn
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019266.exe Infected: Trojan-Downloader.Win32.Adload.j
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019267.dll Infected: not-a-virus:AdWare.Win32.BetterInternet.ad
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019268.exe Infected: Trojan-Spy.Win32.VB.eh
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019269.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.g
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019270.exe Infected: not-a-virus:AdWare.Win32.Maxifiles.u
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019271.exe Infected: Trojan.Win32.LowZones.am
C:\System Volume Information\_restore{202550A8-7A33-4BCA

#8
Armodeluxe

Delete these two folders and one file:

C:\Program Files\imgthin
C:\Program Files\Xer name
C:\stub_113_4_0_4_0.exe

The log you posted got cut off. Were there any items after those C:\System Volume Information\_restore entries? If so, post just the portion after those entries again.

#9
fullerve

Yes, it did get cut off, my apologies. Here is the remainder of the Kaspersky Scan.

C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019304.exe Infected: Trojan-Clicker.Win32.VB.is
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019305.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019306.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019307.exe Infected: Packed.Win32.Klone.b
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019308.dll Infected: Trojan.Win32.Agent.ly
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019309.ocx Infected: not-a-virus:AdWare.Win32.DelphinMediaViewer.c
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019310.dll Infected: not-a-virus:AdWare.Win32.DelphinMedia.Viewer.f
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019311.exe Infected: Trojan-Dropper.Win32.Agent.hl
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019312.dll Infected: Trojan-Spy.Win32.Agent.gk
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019313.exe Infected: Trojan.Win32.Delf.og
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019314.exe Infected: Packed.Win32.Klone.b
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019315.exe Infected: not-virus:Hoax.Win32.Renos.z
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019316.exe Infected: Trojan-Dropper.Win32.Agent.aby
C:\WINDOWS\Buddy.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.am
C:\WINDOWS\imgga.exe/VVSNInst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\WINDOWS\imgga.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\WINDOWS\linun.exe Infected: Trojan.Win32.VB.tg
C:\WINDOWS\SearchB.exe Infected: Trojan-Clicker.Win32.VB.jz
C:\WINDOWS\SYSTEM32\dro.EXE Infected: Trojan-Dropper.Win32.Small.qn
C:\WINDOWS\SYSTEM32\hosghelp.exe Infected: Trojan.Win32.Crypt.t
C:\WINDOWS\SYSTEM32\ntkgonui.dll Infected: Trojan.Win32.Crypt.t
C:\WINDOWS\thin149.exe/thin-149-2-x-x.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.ac
C:\WINDOWS\thin149.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.ac
C:\WINDOWS\uninstall_wh.exe Infected: Trojan.Win32.VB.tg

Scan process completed.

#10
Armodeluxe

Delete these files as well.

C:\WINDOWS\Buddy.exe
C:\WINDOWS\imgga.exe
C:\WINDOWS\linun.exe
C:\WINDOWS\SearchB.exe
C:\WINDOWS\SYSTEM32\dro.EXE
C:\WINDOWS\SYSTEM32\hosghelp.exe
C:\WINDOWS\SYSTEM32\ntkgonui.dll
C:\WINDOWS\thin149.exe
C:\WINDOWS\uninstall_wh.exe

Then please post a final HijackThis log for me to see. Do you have any problems left now?

#11
fullerve

I have no problems that I am aware of. My DSL connection seems slow; I just tested it and it came in at 0.56Mb/Sec. I have no baseline to check it against, so I'm not sure. You have done me a great service.

Thanks so much!

How does this last scan look?

Logfile of HijackThis v1.99.1
Scan saved at 5:44:04 PM, on 12/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ezSP_Px.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpohmr08.exe
C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
C:\WINDOWS\system32\hpoipm07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOSTS07.exe
C:\Program Files\Hewlett-Packard\AiO\Shared\bin\hpOFXM07.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Vernie\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [mmtask] c:\Program Files\MusicMatch\MusicMatch Jukebox\mmtask.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\system32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: hp psc 1000 series.lnk = ?
O4 - Global Startup: HPAiODevice(hp officejet v series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet v series\Bin\hpoant07.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1130452616765
O17 - HKLM\System\CCS\Services\Tcpip\..\{01A8B5CE-4531-478C-BB27-16093652E0F5}: NameServer = 207.144.32.41,137.118.1.32
O17 - HKLM\System\CS1\Services\Tcpip\..\{01A8B5CE-4531-478C-BB27-16093652E0F5}: NameServer = 207.144.32.41,137.118.1.32
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#12
Armodeluxe

Looks clean.

To improve the performance of your PC, see this page:

http://safety.live.c...c8119f3d8af1f6f

Now let's reset your restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Please take the following into consideration to maintain a clean computer.

Now you should go get a firewall. Don't rely on the Windows firewall, as it monitors only incoming traffic. Pick one of these; they are all free.
Kerio
Zonealarm
Sygate

I'd also recommend installing monitoring software, which will monitor certain areas of your computer and alert you when they are modified. One such program I'd recommend is Prevx, but it's for advanced users, as the messages it displays can be hard to decipher. A similar but more user-friendly program is Winpatrol. Both are free programs.
Winpatrol
Prevx

Visit Windows Update regularly to get the latest security updates. You can also enable automatic updates. Your antivirus software and antispyware programs should also be updated regularly. Make a habit of running scans on a timely basis. Be careful about what you download, scan every file before clicking on it.

Additional programs to consider:

Spywareblaster: Prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox. Restricts the actions of potentially unwanted sites in Internet Explorer.
Spywareguard: An anti-virus program scans files before you open them and prevents execution if a virus is detected - SpywareGuard does the same thing, but for spyware!
IE/Spyad: Adds a list of malicious sites to your Restricted Sites Zone.
Firefox: An alternate browser safer than IE

A good article to read:
So how did I get infected in the first place?

Regards,

Armodeluxe
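
The triage followed in posts #8 to #12, as an added example that is not part of the original thread or any poster's code: detections under `_restore{...}\RPnnn` are System Restore copies that go away when the restore points are reset, while the remaining detections, with archive members such as `imgga.exe/VVSNInst.exe` collapsed to their container file, form the manual deletion list. The sample lines are copied from the Kaspersky log in post #9; the function and variable names are hypothetical.

```python
import re
from collections import OrderedDict

# A subset of lines copied from the Kaspersky log in post #9 (not the full log).
SAMPLE_LOG = r"""
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019315.exe Infected: not-virus:Hoax.Win32.Renos.z
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP207\A0019316.exe Infected: Trojan-Dropper.Win32.Agent.aby
C:\WINDOWS\imgga.exe/VVSNInst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\WINDOWS\imgga.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bo
C:\WINDOWS\linun.exe Infected: Trojan.Win32.VB.tg
C:\WINDOWS\SYSTEM32\dro.EXE Infected: Trojan-Dropper.Win32.Small.qn
C:\WINDOWS\thin149.exe/thin-149-2-x-x.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.ac
C:\WINDOWS\thin149.exe Infected: not-a-virus:AdWare.Win32.BetterInternet.ac

Scan process completed.
"""

# "<path> Infected: <verdict>"; the path may contain spaces, the verdict may not.
ENTRY = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+)\s*$")

# A file stored inside a System Restore point: ...\_restore{GUID}\RPnnn\...
RESTORE = re.compile(
    r"\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\",
    re.IGNORECASE,
)


def parse_entries(log_text):
    """Return (container_file, verdict) pairs, skipping non-detection lines."""
    entries = []
    for line in log_text.splitlines():
        match = ENTRY.match(line.strip())
        if not match:
            continue  # blank lines, "Scan process completed.", truncated lines
        # The scanner reports archive members as "container/inner"; the file
        # that actually exists on disk is the part before the first "/".
        container = match.group("path").split("/", 1)[0]
        entries.append((container, match.group("verdict")))
    return entries


def triage(log_text):
    """Split detections into live files and System Restore copies.

    Both results map container file -> set of verdicts, in first-seen order.
    """
    live, restore = OrderedDict(), OrderedDict()
    for container, verdict in parse_entries(log_text):
        bucket = restore if RESTORE.search(container) else live
        bucket.setdefault(container, set()).add(verdict)
    return live, restore


if __name__ == "__main__":
    live, restore = triage(SAMPLE_LOG)
    print("Live files to review for manual removal:")
    for path, verdicts in live.items():
        print("  %s  (%s)" % (path, ", ".join(sorted(verdicts))))
    print("Detections inside restore points: %d file(s)" % len(restore))
```
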