Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Trojan / coolwebsearch / spyfalcon [CLOSED]

Started by Arsenial , Feb 23 2006 09:02 AM

  • This topic is locked This topic is locked

#1
Arsenial
Posted 23 February 2006 - 09:02 AM

Arsenial

    New Member

  • Member
  • Pip
  • 6 posts
Here's my hijacklog. I've tried at least a dozen different programs and instructions to get rid of the problem, but I'm still stuck:


Logfile of HijackThis v1.99.1
Scan saved at 9:56:48 PM, on 2/22/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\highjackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {CA0A7B41-CDA6-B82A-ADFB-973B84062590} - C:\WINDOWS\system32\ppmable.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hpAFF6.tmp
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\system32\mstsc.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\RunOnce: [UNINST1] rundll32 C:\DOCUME~1\Agnes\LOCALS~1\Temp\UninstManager.dll,UninstallFinalizeFromNonMsiCaller {AC76BA86-0000-0000-0000-000000000000}
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [srshost.exe] C:\WINDOWS\system32\srshost.exe
O4 - HKCU\..\Run: [Qkbkwa] C:\Documents and Settings\Agnes\Application Data\??sks\w?crtupd.exe
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.....cab?refid=1123
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: htproc - htproc32.dll (file missing)
O20 - Winlogon Notify: mstsc - C:\WINDOWS\SYSTEM32\mstsc.dll
O20 - Winlogon Notify: winrzf32 - C:\WINDOWS\SYSTEM32\winrzf32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
  • 0

Advertisements

#2
greyknight17
Posted 24 February 2006 - 12:39 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Welcome to GTG.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Download smitRem at http://noahdfear.gee.../click.php?id=1 and save the file to your desktop.

Please download Ewido Security Suite at http://www.ewido.net/en/download/ and read the Ewido setup instructions at http://rstones12.gee.../ewidosetup.htm. Install it, and update the definitions to the newest files. Do NOT run a scan yet. NOTE: If you have Windows 9x/ME, you don't need to run Ewido (skip this step).

If you have not already installed Ad-Aware SE 1.06, follow the download and setup instructions at http://rstones12.gee...areSE_setup.htm. Otherwise, check for updates. Don't run it yet!

Download CleanUp! http://cleanup.stevengould.org/ (Alternate Link if main link don't work - http://www.greyknigh...spy/CleanUp.exe ) and install it. Don't run it yet.

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work.

CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, please make a backup of these before running CleanUp!. Run CleanUp! and click on the Options button. Uncheck 'Scan local drives for temporary files'. Also uncheck those two Newsgroup entries if you don't want to delete them. Click OK and then click on the CleanUp! button. Let it run. After it's done, choose Yes to logoff.

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

R3 - URLSearchHook: (no name) - {CA0A7B41-CDA6-B82A-ADFB-973B84062590} - C:\WINDOWS\system32\ppmable.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: HomepageBHO - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - C:\WINDOWS\system32\hpAFF6.tmp
O2 - BHO: CIEPl Object - {F85E86D8-F796-4C97-AAA2-26664A98A42C} - C:\WINDOWS\system32\mstsc.dll
O4 - HKLM\..\RunOnce: [UNINST1] rundll32 C:\DOCUME~1\Agnes\LOCALS~1\Temp\UninstManager.dll,UninstallFinalizeFromNonMsiCaller {AC76BA86-0000-0000-0000-000000000000}
O4 - HKCU\..\Run: [srshost.exe] C:\WINDOWS\system32\srshost.exe
O4 - HKCU\..\Run: [Qkbkwa] C:\Documents and Settings\Agnes\Application Data\??sks\w?crtupd.exe
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.....cab?refid=1123
O20 - Winlogon Notify: htproc - htproc32.dll (file missing)
O20 - Winlogon Notify: mstsc - C:\WINDOWS\SYSTEM32\mstsc.dll
O20 - Winlogon Notify: winrzf32 - C:\WINDOWS\SYSTEM32\winrzf32.dll

Run the smitRem.exe tool you downloaded earlier. There should be a folder called smitrem created on your desktop. Open it and double click on the RunThis file. Follow the prompts on the screen. Wait for the tool to complete and disk cleanup to finish.

The tool will create a log named smitfiles.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

Delete these files if found:

C:\WINDOWS\system32\ppmable.dll
C:\WINDOWS\system32\hpAFF6.tmp
C:\WINDOWS\system32\mstsc.dll
C:\WINDOWS\system32\srshost.exe
C:\Documents and Settings\Agnes\Application Data\??sks\
C:\WINDOWS\SYSTEM32\mstsc.dll
C:\WINDOWS\SYSTEM32\winrzf32.dll

Open Ad-aware and do a full scan. Remove all it finds.

Run Ewido:

* Click on scanner.
* Click on Complete System Scan and the scan will begin.
* NOTE: During some scans with ewido it is finding cases of false positives.
* You will need to step through the process of cleaning files one-by-one.
* If Ewido detects a file you KNOW to be legitimate, select none as the action.
* Do NOT select 'Perform action on all infections'.
* If you are unsure of any entry found, select none for now.
* When the scan is finished, click the Save report button at the bottom of the screen.
* Save the report to your desktop.

Close Ewido.

Next go to Control Panel->Display->Desktop (or Appearance)->Customize Desktop->Web-> Uncheck 'Security Info' if present. Also delete it.

Restart your computer to get back to Normal Mode..

Perform an online scan with Internet Explorer at Panda ActiveScan http://www.pandasoft.../activescan.htm

* Click on 'Scan your PC' button. There should be a popup - if you have a pop-up blocker, make sure it's not blocking it.
* Click 'Check Now' & a pop-up window will appear.
* Enter your Country, State and E-mail Address & click 'Scan Now' - begin downloading Panda's ActiveX controls (8 MB size).
* Begin the scan by selecting My Computer.
* If it finds any malware, it will offer you a report. Ignore any entry it finds (since it wants you to buy the program for removal) as we will address this later.
* Click on see report. Then click Save report.
* Please post that log in your next reply.

Then post the Panda log here along with the logs for smitfiles.txt, Ewido and a new HijackThis log.
  • 0

#3
Arsenial
Posted 25 February 2006 - 11:49 AM

Arsenial

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Panda Log:

Incident Status Location

Adware:adware/spyfalcon Not disinfected C:\WINDOWS\SYSTEM32\dxmpp.dll
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Agnes\Cookies\agnes@atdmt[1].txt
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Tribalfusion Not disinfected C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Adserver Not disinfected C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt[.z1.adserver.com/]
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/bravenetA Not disinfected C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt[.bravenet.com/]
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt[.maxserving.com/]
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt[.did-it.com/]
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt[.belnk.com/]
Spyware:Cookie/Tickle Not disinfected C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt[.tickle.com/]
Spyware:Cookie/Netster Not disinfected C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt[lb1.netster.com/]
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt[.xiti.com/]
Spyware:Cookie/Ask Not disinfected C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt[.ask.com/]
Spyware:Cookie/Apmebf Not disinfected C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt[.apmebf.com/]
Spyware:Cookie/Hbmediapro Not disinfected C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt[.adopt.hbmediapro.com/]
Spyware:Cookie/DomainSponsor Not disinfected C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt[landing.domainsponsor.com/]
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt[.fortunecity.com/]
Spyware:Cookie/FastClick Not disinfected C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt[]
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Agnes\Application Data\??mantec\csrss.exe
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Agnes\Cookies\agnes@atdmt[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Agnes\Desktop\smitRem.exe[Process.exe]
Spyware:Cookie/adultfriendfinder Not disinfected C:\Documents and Settings\Mike\Application Data\Mozilla\Firefox\Profiles\yykw9z53.default\cookies.txt[]
Potentially unwanted tool:Application/Processor Not disinfected C:\smitrem\smitRem\Process.exe
Adware:Adware/SpywareStrike Not disinfected C:\WINDOWS\system32\dxmpp.dll
Adware:Adware/MediaTickets Not disinfected C:\WINDOWS\system32\oins.exe


smitfiles.txt


smitRem © log file
version 2.8

by noahdfear


Microsoft Windows XP [Version 5.1.2600]
The current date is: Sat 02/25/2006
The current time is: 9:22:00.70

Running from
C:\smitrem\smitRem

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Pre-run SharedTask Export

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

checking for ShudderLTD key

ShudderLTD key not present!

checking for PSGuard.com key


PSGuard.com key not present!


checking for WinHound.com key


WinHound.com key not present!

spyaxe uninstaller NOT present
Winhound uninstaller NOT present
SpywareStrike uninstaller NOT present

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Existing Pre-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~

Online Security Guide.url
Online Security Guide.url
Security Troubleshooting.url
Security Troubleshooting.url


~~~ Favorites ~~~



~~~ system32 folder ~~~

1024 dir
msvol.tlb
ld****.tmp
ncompat.tlb
nvctrl.exe
hp***.tmp


~~~ Icons in System32 ~~~

ts.ico
ot.ico


~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~




~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1688 'explorer.exe'

Starting registry repairs

Registry repairs complete

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SharedTask Export after registry fix

(GetSTS.exe) SharedTaskScheduler exporter by Lawrence Abrams (Grinler)
Copyright© 2006 BleepingComputer.com

Registry Pseudo-Format Mode (Not a valid reg file):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{438755C2-A8BA-11D1-B96B-00A0C90312E1}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8C7461EF-2B13-11d2-BE35-3078302C2030}\InProcServer32]
@="%SystemRoot%\System32\browseui.dll"


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Deleting files

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Remaining Post-run Files


~~~ Program Files ~~~



~~~ Shortcuts ~~~



~~~ Favorites ~~~



~~~ system32 folder ~~~



~~~ Icons in System32 ~~~



~~~ Windows directory ~~~



~~~ Drive root ~~~


~~~ Miscellaneous Files/folders ~~~


~~~ Wininet.dll ~~~

CLEAN! :tazz:


Ewido:



RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002
RegQueryValueEx failed, Value: 00000002


Hijackthis:


Logfile of HijackThis v1.99.1
Scan saved at 9:14:17 AM, on 2/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\highjackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {CA0A7B41-CDA6-B82A-ADFB-973B84062590} - C:\WINDOWS\system32\ppmable.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {A2B568F0-D04D-F49B-4FF7-825A62381BC4} - (no file)
O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Qkbkwa] C:\Documents and Settings\Agnes\Application Data\??sks\w?crtupd.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\Program Files\CleanUp!\Cleanup.exe /WindowsRestart
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} (YazzleActiveX Control) - http://yax-download.....cab?refid=1123
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: mstsc - mstsc.dll (file missing)
O20 - Winlogon Notify: winrzf32 - C:\WINDOWS\SYSTEM32\winrzf32.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
  • 0

#4
greyknight17
Posted 25 February 2006 - 01:25 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Download AntiPuper http://secured2k.hom...s/AntiPuper.exe and run it. Follow the instructions...

Check and fix these in HijackThis:

R3 - URLSearchHook: (no name) - {CA0A7B41-CDA6-B82A-ADFB-973B84062590} - C:\WINDOWS\system32\ppmable.dll (file missing)
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {A2B568F0-D04D-F49B-4FF7-825A62381BC4} - (no file)
O2 - BHO: (no name) - {4da4616d-7e6e-4fd9-a2d5-b6c535733e22} - (no file)
O4 - HKCU\..\Run: [Qkbkwa] C:\Documents and Settings\Agnes\Application Data\??sks\w?crtupd.exe
O20 - Winlogon Notify: mstsc - mstsc.dll (file missing)
O20 - Winlogon Notify: winrzf32 - C:\WINDOWS\SYSTEM32\winrzf32.dll

Delete these:

C:\WINDOWS\SYSTEM32\dxmpp.dll
C:\Documents and Settings\Agnes\Application Data\??mantec\
C:\WINDOWS\system32\dxmpp.dll
C:\WINDOWS\system32\oins.exe
C:\WINDOWS\SYSTEM32\winrzf32.dll

Run Ewido again...do it in Normal Mode this time. Save the report.

Restart your computer and post the log for Ewido and a new HijackThis log.
  • 0

#5
Arsenial
Posted 25 February 2006 - 10:04 PM

Arsenial

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
ewido:


---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 7:55:01 PM, 2/25/2006
+ Report-Checksum: 97A34D64

+ Scan result:

[524] C:\WINDOWS\system32\winrzf32.dll -> Hijacker.Small.kb : Cleaned with backup
:mozilla.44:C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup
:mozilla.45:C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup
:mozilla.48:C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.49:C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.50:C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.51:C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup
:mozilla.53:C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup
:mozilla.54:C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.58:C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.59:C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.61:C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup
:mozilla.75:C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.76:C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.77:C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt -> TrackingCookie.Adserver : Cleaned with backup
:mozilla.79:C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.80:C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.81:C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.82:C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.83:C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
:mozilla.84:C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup
:mozilla.85:C:\Documents and Settings\Agnes\Application Data\Mozilla\Firefox\Profiles\n50vkrxm.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Agnes\Cookies\agnes@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\highjackthis\backups\backup-20060225-091955-641.dll -> Adware.MediaTickets : Cleaned with backup
C:\WINDOWS\system32\winrzf32.dll -> Hijacker.Small.kb : Cleaned with backup


::Report End


hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 6:13:44 PM, on 2/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\highjackthis\HijackThis.exe

R3 - URLSearchHook: (no name) - {A2B568F0-D04D-F49B-4FF7-825A62381BC4} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winrzf32 - C:\WINDOWS\SYSTEM32\winrzf32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
  • 0

#6
greyknight17
Posted 25 February 2006 - 10:17 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Run a scan in HijackThis. Check each of the following if they still exist and hit 'Fix Checked' after you check the last one:

R3 - URLSearchHook: (no name) - {A2B568F0-D04D-F49B-4FF7-825A62381BC4} - (no file)
O20 - Winlogon Notify: winrzf32 - C:\WINDOWS\SYSTEM32\winrzf32.dll

Locate the following Files/Folders and delete them if they exist (if no location given, just do a search for them):

C:\WINDOWS\SYSTEM32\winrzf32.dll

Restart and run a new HijackThis scan. Save the log file and post it here.
  • 0

#7
Arsenial
Posted 26 February 2006 - 12:52 AM

Arsenial

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Logfile of HijackThis v1.99.1
Scan saved at 9:47:34 PM, on 2/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\TEMP\winE.tmp.exe
C:\WINDOWS\TEMP\win5A3.tmp.exe
C:\WINDOWS\TEMP\winE.tmp.exe
C:\WINDOWS\TEMP\win5A3.tmp.exe
C:\WINDOWS\TEMP\winE.tmp.exe
C:\highjackthis\HijackThis.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
  • 0

#8
greyknight17
Posted 26 February 2006 - 04:05 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
I want you to upload these two files:

C:\WINDOWS\TEMP\winE.tmp.exe
C:\WINDOWS\TEMP\win5A3.tmp.exe

to http://virusscan.jotti.org and report back what it found for them. Then do the below:

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Right click and copy the below lines. Go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\WINDOWS\TEMP\winE.tmp.exe
C:\WINDOWS\TEMP\win5A3.tmp.exe
C:\WINDOWS\TEMP\winE.tmp.exe
C:\WINDOWS\TEMP\win5A3.tmp.exe
C:\WINDOWS\TEMP\winE.tmp.exe

If you get a PendingOperations message, just close it and restart your computer manually.

Restart...

Run a virus scan using Kaspersky Online Scanner. Just click on the Kaspersky Online Scanner button and read what's posted there - hit Accept once you're done. Download the ActiveX file when prompted. Scanning will begin shortly. When it's done post the log here along with a new HijackThis log.
  • 0

#9
Arsenial
Posted 26 February 2006 - 08:56 PM

Arsenial

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
Scan Statistics
Total number of scanned objects 45500
Number of viruses found 27
Number of infected objects 128
Number of suspicious objects 0
Duration of the scan process 00:36:52

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Agnes\.housecall\Quarantine\12500[1].exe.bac_a02964 Infected: Trojan-Dropper.Win32.Small.na skipped
C:\Documents and Settings\Agnes\.housecall\Quarantine\a.exe.bac_a02964 Infected: Trojan-Downloader.Win32.Murlo.dd skipped
C:\Documents and Settings\Agnes\.housecall\Quarantine\aijoaaaa.exe.bac_a02964 Infected: Backdoor.Win32.Rbot.agn skipped
C:\Documents and Settings\Agnes\.housecall\Quarantine\aijoaaaa.exe.bac_a03180 Infected: Backdoor.Win32.Rbot.agn skipped
C:\Documents and Settings\Agnes\.housecall\Quarantine\combo.exe.bac_a00668 Infected: Email-Worm.Win32.Bagz.o skipped
C:\Documents and Settings\Agnes\.housecall\Quarantine\count3[1].gif.bac_a02964 Infected: Trojan-Downloader.Win32.Murlo.dd skipped
C:\Documents and Settings\Agnes\.housecall\Quarantine\fgdcfjji.exe.bac_a00668 Infected: Email-Worm.Win32.Bagz.o skipped
C:\Documents and Settings\Agnes\.housecall\Quarantine\mstsc.dll.bac_a00668 Infected: Trojan.Win32.Agent.cs skipped
C:\Documents and Settings\Agnes\.housecall\Quarantine\mstsc.dll.bac_a01504 Infected: Trojan.Win32.Agent.cs skipped
C:\Documents and Settings\Agnes\.housecall\Quarantine\mstsc.dll.bac_a03568 Infected: Trojan.Win32.Agent.cs skipped
C:\Documents and Settings\Agnes\.housecall\Quarantine\mstsc.dll.bac_a03572 Infected: Trojan.Win32.Agent.cs skipped
C:\Documents and Settings\Agnes\.housecall\Quarantine\pop[1].exe.bac_a03568 Infected: Trojan-Downloader.Win32.IstBar.eq skipped
C:\Documents and Settings\Agnes\.housecall\Quarantine\srshost.exe.bac_a02964 Infected: Trojan-Proxy.Win32.Agent.hy skipped
C:\Documents and Settings\Agnes\.housecall\Quarantine\srshost.exe.bac_a03180 Infected: Trojan-Proxy.Win32.Agent.hy skipped
C:\Documents and Settings\Agnes\.housecall\Quarantine\srshostu.exe.bac_a02964 Infected: Trojan-Proxy.Win32.Agent.bz skipped
C:\Documents and Settings\Agnes\.housecall\Quarantine\win50.tmp.exe.bac_a03568 Infected: Trojan-Downloader.Win32.IstBar.eq skipped
C:\Documents and Settings\Agnes\.housecall\Quarantine\winl0gon.exe.bac_a02964 Infected: Trojan-Dropper.Win32.Small.na skipped
C:\Documents and Settings\Agnes\.housecall\Quarantine\winres.dll.bac_a03568 Infected: Trojan-Downloader.Win32.IstBar.eq skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP145\A0010720.exe Infected: Trojan-Dropper.Win32.Small.na skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP145\A0010721.exe Infected: Trojan-Proxy.Win32.Agent.hy skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP145\A0010722.exe Infected: Trojan-Proxy.Win32.Agent.bz skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP145\A0010728.exe Infected: Trojan-Dropper.Win32.Small.na skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP146\A0010734.exe Infected: Trojan-Dropper.Win32.Small.na skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP146\A0010742.exe Infected: Trojan-Dropper.Win32.Small.na skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP147\A0010748.exe Infected: Trojan-Dropper.Win32.Small.na skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP147\A0010754.exe Infected: Trojan-Dropper.Win32.Small.na skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP148\A0010770.exe Infected: Trojan-Dropper.Win32.Small.na skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP148\A0010776.exe Infected: Trojan-Dropper.Win32.Small.na skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP149\A0010782.exe Infected: Trojan-Dropper.Win32.Small.na skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP150\A0010796.exe Infected: Trojan-Dropper.Win32.Small.na skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP150\A0010802.exe Infected: Trojan-Dropper.Win32.Small.na skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP151\A0010811.exe Infected: Trojan-Dropper.Win32.Small.na skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP151\A0010817.exe Infected: Trojan-Dropper.Win32.Small.na skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP157\A0010973.exe Infected: Trojan-Dropper.Win32.Small.na skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP158\A0010984.exe Infected: Trojan-Dropper.Win32.Small.na skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP158\A0010990.exe Infected: Trojan-Proxy.Win32.Agent.bz skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP159\A0011005.exe Infected: Trojan-Proxy.Win32.Agent.hy skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP159\A0011006.exe Infected: Backdoor.Win32.Rbot.agn skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP190\A0013283.exe Infected: Email-Worm.Win32.Bagz.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP193\A0013385.exe Infected: not-virus:Hoax.Win32.Renos.bj skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP193\A0013389.exe Infected: Trojan-Downloader.Win32.INService.cy skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP193\A0013392.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP193\A0013393.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP193\A0013394.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP193\A0013395.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP193\A0013396.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP193\A0013397.exe Infected: Email-Worm.Win32.Bagz.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP193\A0013398.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP193\A0013399.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP193\A0013400.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP193\A0013401.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP193\A0013402.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP193\A0013403.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP193\A0013404.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP193\A0013405.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP193\A0013406.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP193\A0013407.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP193\A0013408.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP193\A0013409.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP193\A0013410.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP193\A0013411.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP193\A0013412.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP193\A0013413.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP193\A0013414.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP193\A0013415.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP193\A0013416.exe Infected: Trojan-Downloader.Win32.Tiny.ao skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP193\A0013417.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP193\A0013418.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP194\A0013714.exe Infected: Trojan-Dropper.Win32.PurityScan.ad skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP194\A0013793.exe Infected: Trojan-Downloader.Win32.Zlob.ha skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP194\A0013794.exe Infected: Trojan-Downloader.Win32.Zlob.he skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP194\A0013795.dll Infected: Trojan-Proxy.Win32.Agent.hs skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP195\A0013837.tlb Infected: Trojan-Downloader.Win32.Zlob.he skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP195\A0013846.tlb Infected: Trojan-Downloader.Win32.Zlob.hk skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014541.tlb Infected: Trojan-Downloader.Win32.Zlob.hk skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014542.exe Infected: Trojan-Downloader.Win32.Zlob.hj skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014544.exe Infected: Trojan-Downloader.Win32.Zlob.hg skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014546.exe Infected: Trojan-Downloader.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014547.exe Infected: Trojan-Downloader.Win32.Centim.an skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014569.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014571.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014572.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014573.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014574.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014575.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014576.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014577.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014578.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014579.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014580.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014583.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014584.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014585.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014586.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014587.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014589.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014592.exe Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014593.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014594.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014595.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014596.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014597.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014599.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014605.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014606.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014607.dll Infected: Trojan.Win32.Crypt.o skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014615.dll Infected: Trojan.Win32.Agent.cs skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014627.exe Infected: Trojan-Dropper.Win32.PurityScan.ad skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014628.exe Infected: Trojan-Downloader.Win32.Zlob.hd skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014639.tlb Infected: Trojan-Downloader.Win32.Zlob.hk skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014640.exe Infected: Trojan-Dropper.Win32.PurityScan.ad skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014644.exe Infected: Trojan-Downloader.Win32.Zlob.hj skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014649.exe Infected: Trojan-Dropper.Win32.PurityScan.ad skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014651.exe Infected: Trojan-Downloader.Win32.Zlob.hh skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014662.exe Infected: Trojan-Dropper.Win32.PurityScan.ad skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014665.exe Infected: Trojan-Downloader.Win32.Zlob.hg skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014666.tlb Infected: Trojan-Downloader.Win32.Zlob.hk skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP198\A0014673.tlb Infected: Trojan-Downloader.Win32.Zlob.hk skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP200\A0014686.exe Infected: Trojan-Downloader.Win32.Zlob.hh skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP200\A0014687.exe Infected: Trojan-Dropper.Win32.PurityScan.ad skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP200\A0014714.tlb Infected: Trojan-Downloader.Win32.Zlob.hk skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP200\A0014716.exe Infected: Trojan-Downloader.Win32.Zlob.hi skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP200\A0014718.dll Infected: Trojan-Downloader.Win32.IstBar.eq skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP200\A0014741.dll Infected: not-virus:Hoax.Win32.Renos.v skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP200\A0014742.exe Infected: Trojan-Dropper.Win32.PurityScan.ad skipped
C:\System Volume Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP200\A0014755.dll Infected: Trojan-Clicker.Win32.Small.kb skipped
C:\WINDOWS\system32\dfrgsrv.exe Infected: Trojan-Downloader.Win32.Zlob.hm skipped
C:\WINDOWS\system32\ffgaowxg.dll Infected: Trojan.Win32.Crypt.o skipped
Scan process completed.


hijackthis:

Logfile of HijackThis v1.99.1
Scan saved at 7:52:57 PM, on 2/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\highjackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Konfabulator.lnk = C:\Program Files\Pixoria\Konfabulator\Konfabulator.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: winrzf32 - winrzf32.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
  • 0

#10
greyknight17
Posted 26 February 2006 - 09:05 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Did you upload those two files to Jotti to see what it reported back?

Go to Start->Run and type in regedit and hit OK. Go to File->Export and save the registry somewhere as a backup. Close the Registry Editor now. Go to Start->Run and type in notepad and hit OK. Then copy and paste the following into Notepad:

REGEDIT4
[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winrzf32]

Save the file as "delete.reg". Make sure to save it with the quotes. Close Notepad. Double click on the delete.reg file and choose Yes to merge/add it to the registry. You may delete the file afterwards.

Delete everything inside this folder:

C:\Documents and Settings\Agnes\.housecall\Quarantine\

Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Download KillBox http://www.greyknigh...spy/KillBox.exe. Run KillBox and check the box that says 'End Explorer Shell While Killing File'. Next click on 'Delete on Reboot'. Right click and copy the below lines. Go back to KillBox. Go to File->Paste from Clipboard and then hit the button with a red circle and white X. Confirm to delete and when asked if you want to reboot, say Yes:

C:\WINDOWS\system32\dfrgsrv.exe
C:\WINDOWS\system32\ffgaowxg.dll

If you get a PendingOperations message, just close it and restart your computer manually.

Restart and run a new Kaspersky scan. Post that log here along with a new HijackThis log.
  • 0

#11
Arsenial
Posted 26 February 2006 - 11:56 PM

Arsenial

    New Member

  • Topic Starter
  • Member
  • Pip
  • 6 posts
For both files Jotti said:

The file you uploaded is 0 bytes. It is very likely a firewall or a piece

of malware is prohibiting you from uploading this file

Kaspersky:


Scan Statistics
Total number of scanned objects 37887
Number of viruses found 2
Number of infected objects 2
Number of suspicious objects 0
Duration of the scan process 00:39:15

Infected Object Name Virus Name Last Action
C:\System Volume

Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP1\A0000002.exe

Infected: Trojan-Downloader.Win32.Zlob.hm skipped
C:\System Volume

Information\_restore{15564DAE-925A-48DA-B302-513A8A2FA94F}\RP1\A0000003.dll

Infected: Trojan.Win32.Crypt.o skipped




Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:54:52 PM, on 2/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBLive\Creative Diagnostics 2.0\DIAGENT.EXE
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\highjackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} -

C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE

C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE

C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [DIAGENT] C:\Program Files\Creative\SBLive\Creative

Diagnostics 2.0\DIAGENT.EXE startup
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\Updreg.exe
O4 - HKLM\..\Run: [AHQInit] C:\Program

Files\Creative\SBLive\Program\AHQInit.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program

Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [D066UUtility] C:\WINDOWS\TWAIN_32\D66U\D066UUTY.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility]

C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program

Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe"

-atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows

Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy

Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe"

/background
O4 - Startup: Konfabulator.lnk = C:\Program

Files\Pixoria\Konfabulator\Konfabulator.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common

Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program

Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft

Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel -

res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} -

C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console -

{08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program

Files\Java\jre1.5.0_06\bin\ssv.dll (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} -

C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger -

{FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program

Files\Messenger\msmsgs.exe
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) -

http://messenger.zon...kr.cab31267.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -

http://housecall60.t...all/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -

http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine

Advantage Validation Tool) - http://go.microsoft....k/?linkid=48835
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient

Class) -

http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer

Class) - http://acs.pandasoft...free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} -

"C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common

Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd

- C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program

Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision

Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel

32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program

Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation -

C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software,

Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
  • 0

#12
greyknight17
Posted 27 February 2006 - 06:01 PM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Turn off system restore by right clicking on My Computer and go to Properties->System Restore and check the box for Turn off System Restore. Click Apply and then OK. Restart your computer and uncheck the same box to enable System Restore.

Your log is clean.

To help prevent future spyware infections, read the Anti-Spyware Tutorial and use the tools provided.

Are there any problems now? If not, you should be set to go.
  • 0

#13
greyknight17
Posted 14 April 2006 - 08:14 AM

greyknight17

    Malware Expert

  • Visiting Consultant
  • 16,560 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP