
HiJackThis and other programs, websites, forums being blocked


18 replies to this topic

#1 aabliss
Member (Full Member, 7 posts)

Posted 03 June 2007 - 03:24 PM

Hi there,
I am having some very bad hi-jacking occurring on my Windows XP PC, among other bad symptoms, so it could be several issues. I've had the following problems for a while: hijacking to search.ebay.com, monstermarketplace.com, and a general sluggish system but I was still able to do most things - surf the web, use programs, etc.

Very recently, things got a lot worse, making it almost impossible to surf the web. I can get to google.com but often when I click on the results, the window just closes itself or hijacks to adwarealert.com, clickshield.net, 8feed.info, screensavers.com, findstuff.com, and many more, including the original ones mentioned above.

Also recently, I now get a Windows-esque balloon pop up in my system tray saying "Integrity Threats Detected: Some system files or hard drive structure may be corrupted. It may lead to crashed, reboots, slowdowns, and freezes of operation system. Your files and documents may get corrupted due to crashes. Click this balloon to fix this problem." and a yellow caution sign "!" stays in the systray. When I click on the yellow caution sign, an almost-exact replica of the MS "Personal Security Center" (same colors, graphics, etc) pops up and tells me to use these "security essentials" -- Ultimate Fixer, Ultimate Defender, Ultimate Cleaner, Security Monitor. I almost fell for it, it looked so real (and of course it came in a time of desperation!). A few times some system messages popped up and said "Message FROM and TO" which said that my registry was damaged and to go to regfixit.com or something like that... I've left my computer on for hours, as usual, and lately I've found it has been restarting itself during some of these symptoms.

Also recently I get messages from McAfee (which is updated and has scanned this morning) saying "tpifkayy.exe" or "csrs.exe" or "logon.exe" has tried to send e-mail messages from my computer but they were blocked. I also get McAfee messages of "registry change detected" and "buffer overflow by explorer.exe detected" which I always block, when given the chance.

Lastly, and this is recent - during boot-up, there is a portion called Intel Boot Agent PXE Boot BA1210BC that is looking for a MAC address. Sometimes it will hang and say "boot file not found" or "no connection made" and then Windows will not boot. The only way to get around it, I've found, is to unplug the ethernet cord and replug it back in once Windows is starting. So sometimes if my computer has restarted itself while I'm away, it will just hang in DOS forever.

As usual, I've searched around the web for answers but found that anything that looked like it might help would not be allowed to open, so I am using my work laptop to post this message and search for answers. On the infected PC, I have an older version of HiJackThis but it closes as soon as it opens. I tried this in safe mode and it still gets shut down immediately. I've also tried renaming it to random things, which did not help. It won't let me download any new versions of HJT and even with an unrelated new filename, it shuts the connection down. The Ad-aware site, Panda, Ewido, HouseCall (didn't close but the connection was too slow for the scan to occur), all have been prevented from opening due to the infection.

I just did windows update which was a recommendation I read somewhere and I also managed to get CWShredder to open and run (by quickly clicking/fighting the bug closing it) and Pepi's Coolsearch program but unfortunately nothing was found.

So, if anyone has any ideas of how to be sneaky and get HiJackThis to work, or if there is something else I should try running to help with some of these issues, that would be great advice and much appreciated. Thank you! -Anne

Edited by aabliss, 03 June 2007 - 03:27 PM.


#2 SWI Support Robot
Helper robot (SWI Bot, 23,520 posts)

Posted 06 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 jedi
aequam memento rebus in arduis servare mentem (Emeritus, 15,830 posts)

Posted 12 June 2007 - 09:54 AM

Hi,

Download HostsXpert from here:
http://www.funkytoad.../HostsXpert.zip

Unzip it. Open the program and click on 'Restore Original Hosts'

OK the prompt, and exit HostsXpert.

Next:

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click the next icon next to the files found.
  • If so, click it and then click the next icon right below and select Move incurable.
    This will move it to the %userprofile%\DoctorWeb\quarantine folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.
jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#4 jedi
aequam memento rebus in arduis servare mentem (Emeritus, 15,830 posts)

Posted 20 June 2007 - 04:48 AM

Due to the lack of feedback this Topic is closed.

[Reopened]

Everyone else please begin a New Topic.
jedi


#5 cnm
Mother Lion of SWI (Administrators, 25,317 posts)

Posted 24 June 2007 - 10:42 AM

Reopened at request of topic owner.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)


#6 jedi
aequam memento rebus in arduis servare mentem (Emeritus, 15,830 posts)

Posted 24 June 2007 - 11:30 AM

Ok, please post the CureIt report.

jedi

#7 aabliss
Member (Full Member, 7 posts)

Posted 27 June 2007 - 09:39 AM

Thanks again. It has been slow-going because I had some trouble with your helpful directions.
First, I did run the HostsXpert program without a hitch.

I also downloaded Dr.Web CureIt but my problem was getting into safe mode. I used to be able to but something must've changed and now, no matter what account I sign into or what type of safe mode I try, it gives me the illusion it's going to load the safe mode desktop but all I get is a black screen with "safe mode" written in white in the four corners. I'm able to do Ctrl-Alt-Del and can see some "normal" processes are running but I just can't get the desktop to show or get access to the Start Menu, etc.

So I hoped that running Dr.Web CureIt from outside of safe mode would be sufficient, but the first several times I've run it, during the long extended scan, it closes itself somewhere towards the end or after it finished, without saving (I wasn't watching it). I finally just ran it all again while sitting here and finally have the log:

dwdthlqeulbc.dll;c:\winnt\system32;Trojan.DownLoader.23142;Will be cured after reboot.;
ggf.exe;c:\winnt\system32;Probably BACKDOOR.Trojan;Incurable.Moved.;
ncruphwgqkbm.dll;c:\winnt\system32;Trojan.DownLoader.23142;Will be cured after reboot.;
tmp16D.tmp.exe;C:\Documents and Settings\Owner\Application Data;Trojan.EzulaAd;Deleted.;
tmp172.tmp.exe;C:\Documents and Settings\Owner\Application Data;Trojan.EzulaAd;Deleted.;
tmp1B.tmp.exe;C:\Documents and Settings\Owner\Application Data;Trojan.EzulaAd;Deleted.;
tmp63.tmp.exe;C:\Documents and Settings\Owner\Application Data;Trojan.EzulaAd;Deleted.;
tmpD2.tmp.exe;C:\Documents and Settings\Owner\Application Data;Trojan.EzulaAd;Deleted.;
dns_bot_20070615[1];C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\7V4ERMFX;Trojan.EzulaAd;Deleted.;
ErrorSafeFreeInstall[1].exe;C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SDUFC9QV;Trojan.DownLoader.10963;Deleted.;
A0024771.exe;C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP119;Trojan.EzulaAd;Deleted.;
A0024782.dll;C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP119;Adware.Crew;Incurable.Moved.;
A0025810.dll;C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP121;Trojan.Virtumod;Deleted.;
A0025815.exe;C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP121;Probably BACKDOOR.Trojan;Incurable.Moved.;
A0025816.exe;C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP121;Trojan.EzulaAd;Deleted.;
A0025817.exe;C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP121;Trojan.EzulaAd;Deleted.;
A0025818.exe;C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP121;Trojan.EzulaAd;Deleted.;
A0025819.exe;C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP121;Trojan.EzulaAd;Deleted.;
A0025820.exe;C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP121;Trojan.EzulaAd;Deleted.;
dwdthlqeulbc.dll;C:\WINNT\system32;Trojan.DownLoader.23142;Will be cured after reboot.;
ggf.exe;C:\WINNT\system32;Probably BACKDOOR.Trojan;Incurable.Will be moved after reboot.;
hwriitdp.exe;C:\WINNT\system32;Trojan.EzulaAd;Deleted.;
ncruphwgqkbm.dll;C:\WINNT\system32;Trojan.DownLoader.23142;Will be cured after reboot.;
obcesgvw.exe;C:\WINNT\system32;Trojan.EzulaAd;Deleted.;
okukbhie.exe;C:\WINNT\system32;Trojan.EzulaAd;Deleted.;
pndcenwt.exe;C:\WINNT\system32;Trojan.EzulaAd;Deleted.;

Everything else is pretty much the same except that McAfee now finds Vundo.dll from time to time but doesn't seem to be able to delete it.
I think the first few times that DrWebCureIt ran, there were more items found (like in the 50s) but I think it successfully deleted some. The computer is still running as slow as a snail and popups are out of control, and I can't open any HiJackThis or certain helpful websites like this one.

Thanks for reopening and being so helpful!

Edited by aabliss, 27 June 2007 - 09:42 AM.
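The DrWeb.csv report above is semicolon-separated (name;directory;verdict;action;). The following is an added Python triage script, written for this thread and not Dr.Web's own code: it parses a report of that shape, collapses duplicate listings (the express scan and the full scan report the same system32 files twice, differing only in path case), and pulls out the two things the helper's steps care about: entries that are still waiting on the reboot jedi asked for, and hits that live only in System Restore snapshots. The sample report is constructed from a subset of the posted lines.

```python
"""Parse and triage a Dr.Web CureIt report (DrWeb.csv).

Added example for this thread; not Dr.Web's own code. Assumes the layout
seen in the post: one detection per line, fields separated by ';' in the
order name;directory;verdict;action; (trailing separator included).
"""
import csv
import sys
from collections import Counter
from dataclasses import dataclass
from io import StringIO

# Constructed sample: a subset of the lines posted in the thread, including one
# file that the express scan and the full scan both reported (path case differs).
SAMPLE_REPORT = r"""
dwdthlqeulbc.dll;c:\winnt\system32;Trojan.DownLoader.23142;Will be cured after reboot.;
ggf.exe;c:\winnt\system32;Probably BACKDOOR.Trojan;Incurable.Moved.;
tmp16D.tmp.exe;C:\Documents and Settings\Owner\Application Data;Trojan.EzulaAd;Deleted.;
A0024782.dll;C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP119;Adware.Crew;Incurable.Moved.;
dwdthlqeulbc.dll;C:\WINNT\system32;Trojan.DownLoader.23142;Will be cured after reboot.;
""".strip()


@dataclass(frozen=True)
class Detection:
    name: str
    directory: str
    verdict: str
    action: str

    @property
    def path(self) -> str:
        return self.directory.rstrip("\\") + "\\" + self.name

    @property
    def pending_reboot(self) -> bool:
        # "Will be cured after reboot." / "Incurable.Will be moved after reboot.":
        # the file was in use, so nothing has actually happened to it yet.
        return "after reboot" in self.action.lower()

    @property
    def in_restore_point(self) -> bool:
        # Copies under System Volume Information are System Restore snapshots,
        # not the live infection; they only matter if a restore is done later.
        return "system volume information" in self.directory.lower()


def parse_report(text: str) -> list[Detection]:
    """Return one Detection per non-empty report line."""
    detections = []
    for fields in csv.reader(StringIO(text), delimiter=";"):
        if len(fields) < 4 or not fields[0].strip():
            continue
        detections.append(Detection(*(f.strip() for f in fields[:4])))
    return detections


def summarize(detections: list[Detection]) -> dict:
    """Collapse duplicate paths case-insensitively (keeping the later verdict,
    i.e. the full scan's) and report what still needs follow-up."""
    latest: dict[str, Detection] = {}
    for d in detections:
        latest[d.path.lower()] = d
    unique = list(latest.values())
    return {
        "unique_files": len(unique),
        "by_action": dict(Counter(d.action for d in unique)),
        "by_verdict": dict(Counter(d.verdict for d in unique)),
        "pending_reboot": sorted(d.path for d in unique if d.pending_reboot),
        "restore_point_hits": sum(d.in_restore_point for d in unique),
        "live_hits": sorted(d.path for d in unique if not d.in_restore_point),
    }


def main(argv: list[str]) -> None:
    # Pass a saved DrWeb.csv as the first argument; otherwise use the sample.
    if len(argv) > 1:
        with open(argv[1], encoding="cp1252", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REPORT
    summary = summarize(parse_report(text))
    print(f"{summary['unique_files']} unique files, "
          f"{summary['restore_point_hits']} only in restore points")
    for action, count in sorted(summary["by_action"].items()):
        print(f"  {count:3d}  {action}")
    if summary["pending_reboot"]:
        print("Still pending reboot (do not skip the reboot step):")
        for path in summary["pending_reboot"]:
            print("  " + path)


if __name__ == "__main__":
    main(sys.argv)
```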


#8 jedi
aequam memento rebus in arduis servare mentem (Emeritus, 15,830 posts)

Posted 27 June 2007 - 06:14 PM

You're welcome,

Please do this:

1. Download this file - ComboFix
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

jedi

#9 aabliss
Member (Full Member, 7 posts)

Posted 05 July 2007 - 03:41 PM

Okay, here is the ComboFix.txt:

"Owner" - 2007-07-05 16:02:04 - ComboFix 07-07-04.4 - Service Pack 1


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\awvvwvw.dll
C:\WINNT\system32\gebcawt.dll
C:\WINNT\system32\ssqrrrp.dll
C:\WINNT\system32\nswogdej.exe
C:\WINNT\system32\sstqn.exe
C:\WINNT\system32\vtsqr.exe
C:\WINNT\system32\tvvwa.bak1
C:\WINNT\system32\tvvwa.bak2
C:\WINNT\system32\tvvwa.ini
C:\WINNT\system32\tvvwa.ini2
C:\WINNT\system32\tvvwa.tmp
C:\WINNT\system32\tvvwa.bak1
C:\WINNT\system32\tvvwa.bak2
C:\WINNT\system32\tvvwa.ini
C:\WINNT\system32\tvvwa.ini2
C:\WINNT\system32\tvvwa.tmp
C:\WINNT\system32\cdostup.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\bold.log
C:\DOCUME~1\Owner\APPLIC~1.\searchtoolbarcorp
C:\DOCUME~1\Owner\APPLIC~1.\searchtoolbarcorp\Toolbar Vision\PageHistory.txt
C:\DOCUME~1\Owner\APPLIC~1.\searchtoolbarcorp\Toolbar Vision\WebHistory.txt
C:\DOCUME~1\Owner\APPLIC~1\tmp15.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp16.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp16B.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp16C.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp170.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp171.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1A.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1B.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1C.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp3E.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp45.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp552.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp55A.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp55B.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp55C.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp57B.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp57C.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp57D.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp57E.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp64.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp65.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpD3.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpD4.tmp.exe
C:\Program Files\vsadd-in
C:\WINNT\system32\components
C:\WINNT\system32\d3acdb.dll
C:\WINNT\system32\dwdthlqeulbc.dll
C:\WINNT\system32\mt_32.dll
C:\WINNT\system32\ncruphwgqkbm.dll
C:\WINNT\system32\tmp16C.tmp.dll
C:\WINNT\system32\tmp171.tmp.dll
C:\WINNT\system32\tmp1B.tmp.dll
C:\WINNT\system32\tmp1C.tmp.dll
C:\WINNT\system32\tmp45.tmp.dll
C:\WINNT\system32\tmp55C.tmp.dll
C:\WINNT\system32\tmp57E.tmp.dll
C:\WINNT\system32\tmp65.tmp.dll
C:\WINNT\system32\tmpD4.tmp.dll
C:\WINNT\system32\winload.dll
C:\WINNT\uninst2.htm
C:\WINNT\unist1.htm


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-06-05 to 2007-07-05 )))))))))))))))))))))))))))))))


2007-07-05 15:50 81,920 --a------ C:\WINNT\system32\lpfs.exe
2007-07-05 15:44 <DIR> d---s---- C:\DOCUME~1\Owner\%SystemDrive%
2007-07-05 15:43 51,200 --a------ C:\WINNT\nircmd.exe
2007-06-27 11:13 83,456 --a------ C:\WINNT\system32\ggf.exe
2007-06-21 22:17 20,544 --a------ C:\WINNT\system32\342Qe82k.exe
2007-06-19 22:06 <DIR> d-------- C:\DOCUME~1\Owner\DoctorWeb
2007-06-19 20:56 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-19 20:56 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-06-19 20:56 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InterTrust
2007-06-11 16:42 99,880 --a------ C:\fbksrfbj1.exe
2007-06-09 21:44 271,224 --a------ C:\WINNT\system32\mucltui.dll
2007-06-09 13:36 95,808 --a------ C:\fbksrfbj3.exe
2007-06-09 13:34 100,952 --a------ C:\fbksrfbj2.exe
2007-06-09 11:32 69,632 --a------ C:\WINNT\system32\JtPeVevI.dll
2007-06-09 11:32 <DIR> d-------- C:\WINNT\system32\bmgenkji
2007-06-09 11:30 10,752 --a------ C:\WINNT\system32\kpmtozmb.exe
2007-06-09 11:30 10,752 --a------ C:\notq.exe
2007-06-09 11:20 <DIR> d-------- C:\Program Files\Common Files\speechengines


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-20 19:32:35 -------- d-----w C:\Program Files\AIM
2007-06-09 13:37:50 -------- d-----w C:\Program Files\support.com
2007-06-04 01:17:49 1,608 ----a-w C:\WINNT\system32\snyviuhe.exe
2007-06-03 20:30:25 271,872 ----a-w C:\WINNT\system32\typsxmfi.exe
2007-06-03 20:30:24 248,320 ----a-w C:\WINNT\system32\installer_s.exe
2007-06-03 20:19:25 271,872 ----a-w C:\WINNT\system32\izavwxob.exe
2007-06-03 19:15:10 271,872 ----a-w C:\WINNT\system32\hcpalizo.exe
2007-06-03 18:32:11 271,872 ----a-w C:\WINNT\system32\fsfovabq.exe
2007-06-03 17:59:05 271,872 ----a-w C:\WINNT\system32\lwdcdwba.exe
2007-06-03 15:35:45 -------- d-----w C:\Program Files\InterMute
2007-06-02 21:03:29 271,872 ----a-w C:\WINNT\system32\uboxmjqt.exe
2007-04-17 02:47:36 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINNT\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-04-17 02:44:18 208,248 ----a-w C:\WINNT\system32\muweb.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2001-03-02 13:02 37808 --a------ C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D4C7057-EAD2-44C6-AD18-9092905F28F1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{243B17DE-77C7-46BF-B94B-0B5F309A0E64}]
2002-07-17 12:00 163906 --a------ C:\Program Files\Microsoft Money\System\mnyside.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}]
2007-06-09 11:32 69632 --a------ C:\WINNT\System32\JtPeVevI.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{590FFB84-6A29-4797-9C0E-B15DF2C4CDCB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{778FEE7A-8F5A-465A-BD3E-69F2952BED7C}]
C:\Program Files\MSN Gaming Zone\horem.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
2006-12-22 17:02 67136 --a------ c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
C:\WINNT\xmlhelper2.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a43385f0-7113-496d-96d7-b9b550e3fcca}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a62d2213-2d9b-4d25-b52d-0bc282501d5b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{da7ff3f8-08be-4cac-bc00-94d91c6ae7f4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE1AE759-1A46-4FC2-BF4D-646957A1B991}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE6C16C4-16AD-47B6-B250-26AD1829E49A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-03-26 13:15]
"WinampAgent"="C:\Program Files\Winamp3\winampa.exe" [2002-07-23 12:58]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-09-16 09:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-08 12:17]
"McAfee Guardian"="C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" [2003-01-29 03:01]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 21:21]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\System32\ctfmon.exe" [2003-04-15 09:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 01:42]
"McAfee.InstantUpdate.Monitor"="C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" [2003-02-03 14:13]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 12:00]
"Trust Cleaner"="C:\Program Files\Trust Cleaner\TrustCleaner.exe" []
"66b652e3.exe"="C:\Documents and Settings\Owner\Local Settings\Application Data\66b652e3.exe" []
"uiio"="C:\PROGRA~1\COMMON~1\uiio\uiiom.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{53B5F2B1-94DD-43E5-8187-EB4E31F00701}"="C:\WINNT\System32\JtPeVevI.dll" [2007-06-09 11:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hyparb]
hyparb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbjt32]
winbjt32.dll


Contents of the 'Scheduled Tasks' folder
2007-06-15 05:00:03 C:\WINNT\tasks\McDefragTask.job
2005-04-30 15:23:26 C:\WINNT\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-05 16:14:05
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-05 16:17:08 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-05 16:16

--- E O F ---



Also, here is the ComboFix-quarantined-files.txt:

2005-10-10 19:29	  510	--a------	C:\Qoobox\Quarantine\C\WINNT\Unist1.htm.vir
2006-01-27 14:20	  479	--a------	C:\Qoobox\Quarantine\C\WINNT\Uninst2.htm.vir
2007-01-14 00:20	  0	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\SearchToolbarCorp\Toolbar Vision\PageHistory.txt.vir
2007-01-14 00:20	  0	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\SearchToolbarCorp\Toolbar Vision\WebHistory.txt.vir
2007-05-31 20:58	  8222	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\gebcawt.dll.vir
2007-06-02 15:43	  70656	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\dwdthlqeulbc.dll.vir
2007-06-02 15:43	  70656	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\ncruphwgqkbm.dll.vir
2007-06-02 16:09	  70656	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\d3acdb.dll.vir
2007-06-03 11:33	  11264	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\winload.dll.vir
2007-06-03 11:33	  2556	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\mt_32.dll.vir
2007-06-03 15:44	  1610689	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\tvvwa.ini.vir
2007-06-04 06:20	  1592333	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\tvvwa.tmp.vir
2007-06-05 07:59	  8222	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\awvvwvw.dll.vir
2007-06-11 17:47	  8222	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\ssqrrrp.dll.vir
2007-06-19 22:03	  47899	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\sstqn.exe.vir
2007-06-21 22:18	  2313	--a------	C:\Qoobox\Quarantine\C\bold.log.vir
2007-06-22 22:03	  1875532	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\tvvwa.bak1.vir
2007-06-22 22:04	  4628	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\nswogdej.exe.vir
2007-06-23 17:09	  38232	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\cdostup.dll.vir
2007-06-23 17:09	  49252	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\vtsqr.exe.vir
2007-06-26 19:17	  2065297	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\tvvwa.bak2.vir
2007-06-26 19:22	  128152	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp3E.tmp.exe.vir
2007-06-26 19:25	  59480	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\tmp45.tmp.dll.vir
2007-06-26 19:25	  73931	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp45.tmp.exe.vir
2007-06-26 19:28	  2043516	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\tvvwa.ini2.vir
2007-06-26 19:38	  128152	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp64.tmp.exe.vir
2007-06-26 19:39	  59480	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\tmp65.tmp.dll.vir
2007-06-26 19:39	  73931	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp65.tmp.exe.vir
2007-06-26 23:55	  128152	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmpD3.tmp.exe.vir
2007-06-26 23:55	  73931	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmpD4.tmp.exe.vir
2007-06-26 23:56	  59480	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\tmpD4.tmp.dll.vir
2007-06-27 08:25	  128153	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp16B.tmp.exe.vir
2007-06-27 08:25	  73936	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp16C.tmp.exe.vir
2007-06-27 08:26	  59427	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\tmp16C.tmp.dll.vir
2007-06-27 08:32	  128153	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp170.tmp.exe.vir
2007-06-27 08:32	  59427	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\tmp171.tmp.dll.vir
2007-06-27 08:32	  73936	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp171.tmp.exe.vir
2007-06-27 11:02	  128153	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp15.tmp.exe.vir
2007-06-27 11:02	  128153	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp16.tmp.exe.vir
2007-06-29 20:02	  86016	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp1A.tmp.exe.vir
2007-06-29 20:03	  59368	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\tmp1B.tmp.dll.vir
2007-06-29 20:03	  59368	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\tmp1C.tmp.dll.vir
2007-06-29 20:03	  73982	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp1B.tmp.exe.vir
2007-06-29 20:03	  73982	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp1C.tmp.exe.vir
2007-07-05 12:42	  4608	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp552.tmp.exe.vir
2007-07-05 12:46	  55235	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp55A.tmp.exe.vir
2007-07-05 12:50	  128227	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp55B.tmp.exe.vir
2007-07-05 12:50	  60134	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\tmp55C.tmp.dll.vir
2007-07-05 12:50	  75159	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp55C.tmp.exe.vir
2007-07-05 15:13	  4608	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp57B.tmp.exe.vir
2007-07-05 15:14	  128227	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp57D.tmp.exe.vir
2007-07-05 15:14	  55235	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp57C.tmp.exe.vir
2007-07-05 15:14	  60134	--a------	C:\Qoobox\Quarantine\C\WINNT\system32\tmp57E.tmp.dll.vir
2007-07-05 15:14	  75159	--a------	C:\Qoobox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp57E.tmp.exe.vir
2007-07-05 16:07	  2932	--a------	C:\Qoobox\Quarantine\Registry_backups\services_DomainService.reg.cf
2007-07-05 16:07	  846	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_DOMAINSERVICE.reg.cf
2007-07-05 16:09	  136624	--a------	C:\Qoobox\Quarantine\catchme2007-07-05_161400.17.zip
2007-07-05 16:09	  387	--a------	C:\Qoobox\Quarantine\catchme.log


Folder PATH listing
Volume serial number is 71FAE346 F425:05B1
C:\QOOBOX
\---Quarantine
	|   catchme.log
	|   catchme2007-07-05_161400.17.zip
	|   
	+---C
	|   |   bold.log.vir
	|   |   
	|   +---DOCUME~1
	|   |   \---Owner
	|   |	   \---APPLIC~1
	|   |		   |   tmp15.tmp.exe.vir
	|   |		   |   tmp16.tmp.exe.vir
	|   |		   |   tmp16B.tmp.exe.vir
	|   |		   |   tmp16C.tmp.exe.vir
	|   |		   |   tmp170.tmp.exe.vir
	|   |		   |   tmp171.tmp.exe.vir
	|   |		   |   tmp1A.tmp.exe.vir
	|   |		   |   tmp1B.tmp.exe.vir
	|   |		   |   tmp1C.tmp.exe.vir
	|   |		   |   tmp3E.tmp.exe.vir
	|   |		   |   tmp45.tmp.exe.vir
	|   |		   |   tmp552.tmp.exe.vir
	|   |		   |   tmp55A.tmp.exe.vir
	|   |		   |   tmp55B.tmp.exe.vir
	|   |		   |   tmp55C.tmp.exe.vir
	|   |		   |   tmp57B.tmp.exe.vir
	|   |		   |   tmp57C.tmp.exe.vir
	|   |		   |   tmp57D.tmp.exe.vir
	|   |		   |   tmp57E.tmp.exe.vir
	|   |		   |   tmp64.tmp.exe.vir
	|   |		   |   tmp65.tmp.exe.vir
	|   |		   |   tmpD3.tmp.exe.vir
	|   |		   |   tmpD4.tmp.exe.vir
	|   |		   |   
	|   |		   \---SearchToolbarCorp
	|   |			   \---Toolbar Vision
	|   |					   PageHistory.txt.vir
	|   |					   WebHistory.txt.vir
	|   |					   
	|   \---WINNT
	|	   |   Uninst2.htm.vir
	|	   |   Unist1.htm.vir
	|	   |   
	|	   \---system32
	|			   awvvwvw.dll.vir
	|			   cdostup.dll.vir
	|			   d3acdb.dll.vir
	|			   dwdthlqeulbc.dll.vir
	|			   gebcawt.dll.vir
	|			   mt_32.dll.vir
	|			   ncruphwgqkbm.dll.vir
	|			   nswogdej.exe.vir
	|			   ssqrrrp.dll.vir
	|			   sstqn.exe.vir
	|			   tmp16C.tmp.dll.vir
	|			   tmp171.tmp.dll.vir
	|			   tmp1B.tmp.dll.vir
	|			   tmp1C.tmp.dll.vir
	|			   tmp45.tmp.dll.vir
	|			   tmp55C.tmp.dll.vir
	|			   tmp57E.tmp.dll.vir
	|			   tmp65.tmp.dll.vir
	|			   tmpD4.tmp.dll.vir
	|			   tvvwa.bak1.vir
	|			   tvvwa.bak2.vir
	|			   tvvwa.ini.vir
	|			   tvvwa.ini2.vir
	|			   tvvwa.tmp.vir
	|			   vtsqr.exe.vir
	|			   winload.dll.vir
	|			   
	\---Registry_backups
			LEGACY_DOMAINSERVICE.reg.cf
			services_DomainService.reg.cf
			


I hope this helps, thanks!
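As a companion to the ComboFix log above, here is an added Python script (mine, not ComboFix's) that reads the 'Reg Loading Points' section and flags the entries a helper reads first. The rules are my own assumptions about what is worth a second look in a log of this shape: a Run value with an empty `[]` stamp (no file timestamp was recorded), an autostart launched from the user profile, a loaded file dated within a few weeks of the scan, a BHO CLSID with no backing file listed under it, and a Winlogon Notify DLL registered by bare name. The sample log is constructed from a subset of the posted lines.

```python
"""Triage the 'Reg Loading Points' section of a ComboFix log.

Added example for this thread; not ComboFix's own code. The parsing targets
the three line shapes visible in the posted log: [registry key] headers,
"name"="path" [stamp] values, and 'date time size attrs path' file lines.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<path>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]$')
FILE_RE = re.compile(r"^(?P<stamp>\d{4}-\d\d-\d\d \d\d:\d\d)\s+\d+\s+\S+\s+(?P<path>.+)$")
PROFILE_MARKERS = ("documents and settings", "docume~1", "local settings\\application data")

# Constructed sample: a subset of the posted 'Reg Loading Points' lines.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2001-03-02 13:02 37808 --a------ C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D4C7057-EAD2-44C6-AD18-9092905F28F1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}]
2007-06-09 11:32 69632 --a------ C:\WINNT\System32\JtPeVevI.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-09-16 09:43]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\System32\ctfmon.exe" [2003-04-15 09:00]
"Trust Cleaner"="C:\Program Files\Trust Cleaner\TrustCleaner.exe" []
"66b652e3.exe"="C:\Documents and Settings\Owner\Local Settings\Application Data\66b652e3.exe" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hyparb]
hyparb.dll
""".strip()
SAMPLE_SCAN_DATE = date(2007, 7, 5)  # "Completion time" of the posted log


@dataclass(frozen=True)
class Finding:
    key: str
    item: str
    reason: str


def _stamp_is_recent(stamp: str, scan_date: date, window_days: int) -> bool:
    try:
        seen = datetime.strptime(stamp, "%Y-%m-%d %H:%M").date()
    except ValueError:
        return False
    return 0 <= (scan_date - seen).days <= window_days


def triage_loading_points(log_text: str, scan_date: date, window_days: int = 30) -> list[Finding]:
    findings: list[Finding] = []
    key = ""
    entries_under_key = 0

    def close_key() -> None:
        # A BHO CLSID header with nothing listed under it is an orphaned registration.
        if key and "browser helper objects" in key.lower() and entries_under_key == 0:
            findings.append(Finding(key, key.rsplit("\\", 1)[-1],
                                    "BHO CLSID registered but no backing file listed"))

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            close_key()
            key, entries_under_key = m.group("key"), 0
            continue
        if not key:
            continue
        entries_under_key += 1
        m = VALUE_RE.match(line)
        if m:
            name, path, stamp = m.group("name"), m.group("path"), m.group("stamp").strip()
            if not stamp:
                findings.append(Finding(key, name, "no file timestamp: target missing or hidden at scan time"))
            if any(marker in path.lower() for marker in PROFILE_MARKERS):
                findings.append(Finding(key, name, "autostart launched from the user profile"))
            if _stamp_is_recent(stamp, scan_date, window_days):
                findings.append(Finding(key, name, f"file dated within {window_days} days of the scan"))
            continue
        m = FILE_RE.match(line)
        if m:
            if _stamp_is_recent(m.group("stamp"), scan_date, window_days):
                findings.append(Finding(key, m.group("path"), f"file dated within {window_days} days of the scan"))
            continue
        # Winlogon Notify packages are DLLs loaded into winlogon.exe at logon;
        # one named without a path is a common way for malware to hook logon.
        if "winlogon\\notify" in key.lower() and "\\" not in line and line.lower().endswith(".dll"):
            findings.append(Finding(key, line, "Winlogon Notify DLL registered by bare name"))
    close_key()
    return findings


if __name__ == "__main__":
    for f in triage_loading_points(SAMPLE_LOG, SAMPLE_SCAN_DATE):
        print(f"{f.item:45s} {f.reason}\n    in {f.key}")
```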

#10 jedi
aequam memento rebus in arduis servare mentem (Emeritus, 15,830 posts)

Posted 06 July 2007 - 07:16 AM

Hi again,

OK, Combofix did a good job.

Please do the following:
Run a BitDefender Online scan Here and post the results.

jedi

#11 aabliss
Member (Full Member, 7 posts)

Posted 06 July 2007 - 01:04 PM

Thanks! Okay, here are the results:

BitDefender Online Scanner

Scan report generated at: Fri, Jul 06, 2007 - 10:25:37

Scan path: A:\;C:\;D:\;E:\;

Statistics
Time: 01:17:25
Files: 248427
Folders: 5778
Boot Sectors: 2
Archives: 12272
Packed Files: 19850

Results
Identified Viruses: 22
Infected Files: 90
Suspect Files: 20
Warnings: 0
Disinfected: 0
Deleted Files: 120

Engines Info
Virus Definitions: 637293
Engine build: AVCORE v1.0 (build 2410) (i386) (Jun 12 2007 21:08:27)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes



Scanned File / Status

C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0024782.dll
Infected with: Trojan.BHO.AR

C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0024782.dll
Disinfection failed

C:\Documents and Settings\Owner\DoctorWeb\Quarantine\A0024782.dll
Deleted

C:\Documents and Settings\Owner\DoctorWeb\Quarantine\fosecvq0.dll
Infected with: Trojan.BHO.AR

C:\Documents and Settings\Owner\DoctorWeb\Quarantine\fosecvq0.dll
Disinfection failed

C:\Documents and Settings\Owner\DoctorWeb\Quarantine\fosecvq0.dll
Deleted

C:\Documents and Settings\Owner\DoctorWeb\Quarantine\fosecvq1.dll
Infected with: Trojan.BHO.AR

C:\Documents and Settings\Owner\DoctorWeb\Quarantine\fosecvq1.dll
Disinfection failed

C:\Documents and Settings\Owner\DoctorWeb\Quarantine\fosecvq1.dll
Deleted

C:\Documents and Settings\Owner\DoctorWeb\Quarantine\fosecvqc.dll
Infected with: Trojan.BHO.AR

C:\Documents and Settings\Owner\DoctorWeb\Quarantine\fosecvqc.dll
Disinfection failed

C:\Documents and Settings\Owner\DoctorWeb\Quarantine\fosecvqc.dll
Deleted

C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{A2215423-984B-4988-8B69-54CEE7D83A74}\Microsoft\Outlook Express\alumni-mail.engin.umich.edu - Inbox.dbx=>(message 923)=>[Subject: Re: Thanks :)][Date: Fri, 01 Oct 2004 02:04:21 -0500]=>(MIME part)=>price.cpl
Infected with: Win32.Bagle.10.Gen@mm

C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{A2215423-984B-4988-8B69-54CEE7D83A74}\Microsoft\Outlook Express\alumni-mail.engin.umich.edu - Inbox.dbx=>(message 923)=>[Subject: Re: Thanks :)][Date: Fri, 01 Oct 2004 02:04:21 -0500]=>(MIME part)=>price.cpl
Disinfection failed

C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{A2215423-984B-4988-8B69-54CEE7D83A74}\Microsoft\Outlook Express\alumni-mail.engin.umich.edu - Inbox.dbx=>(message 923)=>[Subject: Re: Thanks :)][Date: Fri, 01 Oct 2004 02:04:21 -0500]=>(MIME part)=>price.cpl
Deleted

C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{A2215423-984B-4988-8B69-54CEE7D83A74}\Microsoft\Outlook Express\alumni-mail.engin.umich.edu - Inbox.dbx=>(message 923)=>[Subject: Re: Thanks :)][Date: Fri, 01 Oct 2004 02:04:21 -0500]=>(MIME part)
Updated

C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{A2215423-984B-4988-8B69-54CEE7D83A74}\Microsoft\Outlook Express\alumni-mail.engin.umich.edu - Inbox.dbx=>(message 923)
Updated

C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{A2215423-984B-4988-8B69-54CEE7D83A74}\Microsoft\Outlook Express\alumni-mail.engin.umich.edu - Inbox.dbx
Update failed

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Alumni_2002.pst=>[Subject: Visibility][From: lturansk]=>(body)=>(Compressed Rtf)
Suspected of: Exploit.Iframe.Vulnerability

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Alumni_2002.pst=>[Subject: Visibility][From: lturansk]=>(body)=>(Compressed Rtf)
Disinfection failed

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Alumni_2002.pst=>[Subject: Visibility][From: lturansk]=>(body)=>(Compressed Rtf)
Deleted

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Alumni_2002.pst
Updated

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Alumni_2002.pst=>[Subject: Treatment recommendations.][From: jwachter]=>(body)=>(Compressed Rtf)
Suspected of: Exploit.Iframe.Vulnerability

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Alumni_2002.pst=>[Subject: Treatment recommendations.][From: jwachter]=>(body)=>(Compressed Rtf)
Disinfection failed

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Alumni_2002.pst=>[Subject: Treatment recommendations.][From: jwachter]=>(body)=>(Compressed Rtf)
Deleted

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Alumni_2002.pst
Updated

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Alumni_2002.pst=>[Subject: Congratulations][From: pochaccco2]=>(body)=>(Compressed Rtf)
Suspected of: Exploit.Iframe.Vulnerability

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Alumni_2002.pst=>[Subject: Congratulations][From: pochaccco2]=>(body)=>(Compressed Rtf)
Disinfection failed

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Alumni_2002.pst=>[Subject: Congratulations][From: pochaccco2]=>(body)=>(Compressed Rtf)
Deleted

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Alumni_2002.pst
Updated

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Alumni_2002.pst=>[Subject: 22, 1997..May 23, 1999][From: jgourley]=>(body)=>(Compressed Rtf)
Suspected of: Exploit.Iframe.Vulnerability

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Alumni_2002.pst=>[Subject: 22, 1997..May 23, 1999][From: jgourley]=>(body)=>(Compressed Rtf)
Disinfection failed

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Alumni_2002.pst=>[Subject: 22, 1997..May 23, 1999][From: jgourley]=>(body)=>(Compressed Rtf)
Deleted

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Alumni_2002.pst
Updated

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Alumni_2002.pst=>[Subject: Maxlength ][From: willz]=>(body)=>(Compressed Rtf)
Suspected of: Exploit.Iframe.Vulnerability

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Alumni_2002.pst=>[Subject: Maxlength ][From: willz]=>(body)=>(Compressed Rtf)
Disinfection failed

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Alumni_2002.pst=>[Subject: Maxlength ][From: willz]=>(body)=>(Compressed Rtf)
Deleted

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Alumni_2002.pst
Updated

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst=>[Subject: Visibility][From: lturansk]=>(body)
Suspected of: Exploit.Iframe.Vulnerability

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst=>[Subject: Visibility][From: lturansk]=>(body)
Disinfection failed

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst=>[Subject: Visibility][From: lturansk]=>(body)
Deleted

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst
Update failed

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst=>[Subject: Treatment recommendations.][From: jwachter]=>(body)
Suspected of: Exploit.Iframe.Vulnerability

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst=>[Subject: Treatment recommendations.][From: jwachter]=>(body)
Disinfection failed

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst=>[Subject: Treatment recommendations.][From: jwachter]=>(body)
Deleted

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst
Update failed

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst=>[Subject: Congratulations][From: pochaccco2]=>(body)
Suspected of: Exploit.Iframe.Vulnerability

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst=>[Subject: Congratulations][From: pochaccco2]=>(body)
Disinfection failed

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst=>[Subject: Congratulations][From: pochaccco2]=>(body)
Deleted

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst
Update failed

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst=>[Subject: 22, 1997..May 23, 1999][From: jgourley]=>(body)
Suspected of: Exploit.Iframe.Vulnerability

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst=>[Subject: 22, 1997..May 23, 1999][From: jgourley]=>(body)
Disinfection failed

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst=>[Subject: 22, 1997..May 23, 1999][From: jgourley]=>(body)
Deleted

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst
Update failed

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst=>[Subject: Maxlength ][From: willz]=>(body)
Suspected of: Exploit.Iframe.Vulnerability

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst=>[Subject: Maxlength ][From: willz]=>(body)
Disinfection failed

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst=>[Subject: Maxlength ][From: willz]=>(body)
Deleted

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst
Update failed

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst=>[Subject: Visibility][From: lturansk]=>(body)=>(Compressed Rtf)
Suspected of: Exploit.Iframe.Vulnerability

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst=>[Subject: Visibility][From: lturansk]=>(body)=>(Compressed Rtf)
Disinfection failed

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst=>[Subject: Visibility][From: lturansk]=>(body)=>(Compressed Rtf)
Deleted

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst
Updated

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst=>[Subject: Treatment recommendations.][From: jwachter]=>(body)=>(Compressed Rtf)
Suspected of: Exploit.Iframe.Vulnerability

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst=>[Subject: Treatment recommendations.][From: jwachter]=>(body)=>(Compressed Rtf)
Disinfection failed

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst=>[Subject: Treatment recommendations.][From: jwachter]=>(body)=>(Compressed Rtf)
Deleted

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst
Updated

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst=>[Subject: Congratulations][From: pochaccco2]=>(body)=>(Compressed Rtf)
Suspected of: Exploit.Iframe.Vulnerability

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst=>[Subject: Congratulations][From: pochaccco2]=>(body)=>(Compressed Rtf)
Disinfection failed

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst=>[Subject: Congratulations][From: pochaccco2]=>(body)=>(Compressed Rtf)
Deleted

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst
Updated

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst=>[Subject: 22, 1997..May 23, 1999][From: jgourley]=>(body)=>(Compressed Rtf)
Suspected of: Exploit.Iframe.Vulnerability

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst=>[Subject: 22, 1997..May 23, 1999][From: jgourley]=>(body)=>(Compressed Rtf)
Disinfection failed

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst=>[Subject: 22, 1997..May 23, 1999][From: jgourley]=>(body)=>(Compressed Rtf)
Deleted

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst
Updated

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst=>[Subject: Maxlength ][From: willz]=>(body)=>(Compressed Rtf)
Suspected of: Exploit.Iframe.Vulnerability

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst=>[Subject: Maxlength ][From: willz]=>(body)=>(Compressed Rtf)
Disinfection failed

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst=>[Subject: Maxlength ][From: willz]=>(body)=>(Compressed Rtf)
Deleted

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Outlook\Outlookalumni-mail.engin.umich.edu-00000002.pst
Updated

C:\notq.exe
Infected with: Trojan.Downloader.Agent.BGT

C:\notq.exe
Disinfection failed

C:\notq.exe
Deleted

C:\Program Files\Detto\IntelliMover\IMAOL.dll
Infected with: Generic.Malware.Yd!sp.FE470545

C:\Program Files\Detto\IntelliMover\IMAOL.dll
Disinfection failed

C:\Program Files\Detto\IntelliMover\IMAOL.dll
Deleted

C:\Program Files\Detto\IntelliMover\IMCompuserve.dll
Infected with: Generic.Malware.Yd!sp.4F659994

C:\Program Files\Detto\IntelliMover\IMCompuserve.dll
Disinfection failed

C:\Program Files\Detto\IntelliMover\IMCompuserve.dll
Deleted

C:\Program Files\Kazaa\Help\mymedia.htm
Detected with: Application.Kazaa.B

C:\Program Files\Kazaa\Help\mymedia.htm
Disinfection failed

C:\Program Files\Kazaa\Help\mymedia.htm
Deleted

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp16C.tmp.exe.vir
Infected with: MemScan:Trojan.Agent.AAAT

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp16C.tmp.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp16C.tmp.exe.vir
Deleted

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp171.tmp.exe.vir
Infected with: MemScan:Trojan.Agent.AAAT

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp171.tmp.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp171.tmp.exe.vir
Deleted

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp1B.tmp.exe.vir
Infected with: MemScan:Trojan.Agent.AAAT

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp1B.tmp.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp1B.tmp.exe.vir
Deleted

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp1C.tmp.exe.vir
Infected with: MemScan:Trojan.Agent.AAAT

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp1C.tmp.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp1C.tmp.exe.vir
Deleted

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp3E.tmp.exe.vir
Infected with: Trojan.Dropper.Agent.BPG

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp3E.tmp.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp3E.tmp.exe.vir
Deleted

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp45.tmp.exe.vir
Infected with: MemScan:Trojan.Agent.AAAT

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp45.tmp.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp45.tmp.exe.vir
Deleted

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp552.tmp.exe.vir
Infected with: Trojan.Clicker.MNB

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp552.tmp.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp552.tmp.exe.vir
Deleted

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp55A.tmp.exe.vir
Infected with: Trojan.Fotomoto.A

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp55A.tmp.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp55A.tmp.exe.vir
Deleted

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp55B.tmp.exe.vir
Infected with: Trojan.Vundo.DMF

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp55B.tmp.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp55B.tmp.exe.vir
Deleted

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp55C.tmp.exe.vir
Infected with: Trojan.Agent.AAAT

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp55C.tmp.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp55C.tmp.exe.vir
Deleted

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp57B.tmp.exe.vir
Infected with: Trojan.Clicker.MNB

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp57B.tmp.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp57B.tmp.exe.vir
Deleted

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp57C.tmp.exe.vir
Infected with: Trojan.Fotomoto.A

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp57C.tmp.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp57C.tmp.exe.vir
Deleted

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp57D.tmp.exe.vir
Infected with: Trojan.Vundo.DMF

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp57D.tmp.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp57D.tmp.exe.vir
Deleted

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp57E.tmp.exe.vir
Infected with: Trojan.Agent.AAAT

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp57E.tmp.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp57E.tmp.exe.vir
Deleted

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp64.tmp.exe.vir
Infected with: Trojan.Dropper.Agent.BPG

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp64.tmp.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp64.tmp.exe.vir
Deleted

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp65.tmp.exe.vir
Infected with: MemScan:Trojan.Agent.AAAT

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp65.tmp.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp65.tmp.exe.vir
Deleted

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmpD3.tmp.exe.vir
Infected with: Trojan.Dropper.Agent.BPG

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmpD3.tmp.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmpD3.tmp.exe.vir
Deleted

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmpD4.tmp.exe.vir
Infected with: MemScan:Trojan.Agent.AAAT

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmpD4.tmp.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmpD4.tmp.exe.vir
Deleted

C:\QooBox\Quarantine\C\WINNT\system32\awvvwvw.dll.vir
Infected with: Trojan.Downloader.Conhook.AK

C:\QooBox\Quarantine\C\WINNT\system32\awvvwvw.dll.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINNT\system32\awvvwvw.dll.vir
Deleted

C:\QooBox\Quarantine\C\WINNT\system32\gebcawt.dll.vir
Infected with: Trojan.Downloader.Conhook.AK

C:\QooBox\Quarantine\C\WINNT\system32\gebcawt.dll.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINNT\system32\gebcawt.dll.vir
Deleted

C:\QooBox\Quarantine\C\WINNT\system32\nswogdej.exe.vir
Infected with: Trojan.Clicker.Agent.NP

C:\QooBox\Quarantine\C\WINNT\system32\nswogdej.exe.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINNT\system32\nswogdej.exe.vir
Deleted

C:\QooBox\Quarantine\C\WINNT\system32\ssqrrrp.dll.vir
Infected with: Trojan.Downloader.Conhook.AK

C:\QooBox\Quarantine\C\WINNT\system32\ssqrrrp.dll.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINNT\system32\ssqrrrp.dll.vir
Deleted

C:\QooBox\Quarantine\C\WINNT\system32\tmp16C.tmp.dll.vir
Infected with: MemScan:Trojan.BHO.BX

C:\QooBox\Quarantine\C\WINNT\system32\tmp16C.tmp.dll.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINNT\system32\tmp16C.tmp.dll.vir
Deleted

C:\QooBox\Quarantine\C\WINNT\system32\tmp171.tmp.dll.vir
Infected with: MemScan:Trojan.BHO.BX

C:\QooBox\Quarantine\C\WINNT\system32\tmp171.tmp.dll.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINNT\system32\tmp171.tmp.dll.vir
Deleted

C:\QooBox\Quarantine\C\WINNT\system32\tmp1B.tmp.dll.vir
Infected with: MemScan:Trojan.BHO.BX

C:\QooBox\Quarantine\C\WINNT\system32\tmp1B.tmp.dll.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINNT\system32\tmp1B.tmp.dll.vir
Deleted

C:\QooBox\Quarantine\C\WINNT\system32\tmp1C.tmp.dll.vir
Infected with: MemScan:Trojan.BHO.BX

C:\QooBox\Quarantine\C\WINNT\system32\tmp1C.tmp.dll.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINNT\system32\tmp1C.tmp.dll.vir
Deleted

C:\QooBox\Quarantine\C\WINNT\system32\tmp45.tmp.dll.vir
Infected with: MemScan:Trojan.BHO.BX

C:\QooBox\Quarantine\C\WINNT\system32\tmp45.tmp.dll.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINNT\system32\tmp45.tmp.dll.vir
Deleted

C:\QooBox\Quarantine\C\WINNT\system32\tmp65.tmp.dll.vir
Infected with: MemScan:Trojan.BHO.BX

C:\QooBox\Quarantine\C\WINNT\system32\tmp65.tmp.dll.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINNT\system32\tmp65.tmp.dll.vir
Deleted

C:\QooBox\Quarantine\C\WINNT\system32\tmpD4.tmp.dll.vir
Infected with: MemScan:Trojan.BHO.BX

C:\QooBox\Quarantine\C\WINNT\system32\tmpD4.tmp.dll.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINNT\system32\tmpD4.tmp.dll.vir
Deleted

C:\QooBox\Quarantine\C\WINNT\system32\winload.dll.vir
Infected with: MemScan:Trojan.Downloader.JIRZ

C:\QooBox\Quarantine\C\WINNT\system32\winload.dll.vir
Disinfection failed

C:\QooBox\Quarantine\C\WINNT\system32\winload.dll.vir
Deleted

C:\QooBox\Quarantine\catchme2007-07-05_161400.17.zip=>dwdthlqeulbc.dll
Suspected of: BehavesLike:Trojan.WinlogonHook

C:\QooBox\Quarantine\catchme2007-07-05_161400.17.zip=>dwdthlqeulbc.dll
Disinfection failed

C:\QooBox\Quarantine\catchme2007-07-05_161400.17.zip=>dwdthlqeulbc.dll
Deleted

C:\QooBox\Quarantine\catchme2007-07-05_161400.17.zip
Updated

C:\QooBox\Quarantine\catchme2007-07-05_161400.17.zip=>ncruphwgqkbm.dll
Suspected of: BehavesLike:Trojan.WinlogonHook

C:\QooBox\Quarantine\catchme2007-07-05_161400.17.zip=>ncruphwgqkbm.dll
Disinfection failed

C:\QooBox\Quarantine\catchme2007-07-05_161400.17.zip=>ncruphwgqkbm.dll
Deleted

C:\QooBox\Quarantine\catchme2007-07-05_161400.17.zip
Updated

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP104\A0016501.exe
Suspected of: BehavesLike:Trojan.WinlogonHook

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP104\A0016501.exe
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP104\A0016501.exe
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP108\A0017627.dll
Infected with: MemScan:Trojan.Downloader.JIRZ

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP108\A0017627.dll
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP108\A0017627.dll
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028879.exe
Infected with: MemScan:Trojan.Agent.AAAT

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028879.exe
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028879.exe
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028881.exe
Infected with: MemScan:Trojan.Agent.AAAT

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028881.exe
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028881.exe
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028883.exe
Infected with: MemScan:Trojan.Agent.AAAT

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028883.exe
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028883.exe
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028884.exe
Infected with: MemScan:Trojan.Agent.AAAT

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028884.exe
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028884.exe
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028885.exe
Infected with: Trojan.Dropper.Agent.BPG

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028885.exe
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028885.exe
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028886.exe
Infected with: MemScan:Trojan.Agent.AAAT

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028886.exe
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028886.exe
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028887.exe
Infected with: Trojan.Clicker.MNB

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028887.exe
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028887.exe
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028888.exe
Infected with: Trojan.Fotomoto.A

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028888.exe
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028888.exe
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028889.exe
Infected with: Trojan.Vundo.DMF

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028889.exe
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028889.exe
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028890.exe
Infected with: Trojan.Agent.AAAT

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028890.exe
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028890.exe
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028891.exe
Infected with: Trojan.Clicker.MNB

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028891.exe
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028891.exe
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028892.exe
Infected with: Trojan.Fotomoto.A

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028892.exe
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028892.exe
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028893.exe
Infected with: Trojan.Vundo.DMF

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028893.exe
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028893.exe
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028894.exe
Infected with: Trojan.Agent.AAAT

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028894.exe
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028894.exe
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028895.exe
Infected with: Trojan.Dropper.Agent.BPG

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028895.exe
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028895.exe
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028896.exe
Infected with: MemScan:Trojan.Agent.AAAT

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028896.exe
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028896.exe
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028897.exe
Infected with: Trojan.Dropper.Agent.BPG

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028897.exe
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028897.exe
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028898.exe
Infected with: MemScan:Trojan.Agent.AAAT

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028898.exe
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028898.exe
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028899.dll
Infected with: MemScan:Trojan.BHO.BX

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028899.dll
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028899.dll
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028900.dll
Infected with: MemScan:Trojan.BHO.BX

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028900.dll
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028900.dll
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028901.dll
Infected with: MemScan:Trojan.BHO.BX

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028901.dll
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028901.dll
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028902.dll
Infected with: MemScan:Trojan.BHO.BX

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028902.dll
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028902.dll
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028903.dll
Infected with: MemScan:Trojan.BHO.BX

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028903.dll
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028903.dll
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028906.dll
Infected with: MemScan:Trojan.BHO.BX

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028906.dll
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028906.dll
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028907.dll
Infected with: MemScan:Trojan.BHO.BX

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028907.dll
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028907.dll
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028910.dll
Infected with: MemScan:Trojan.Downloader.JIRZ

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028910.dll
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028910.dll
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028911.dll
Infected with: Trojan.Downloader.Conhook.AK

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028911.dll
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028911.dll
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028912.dll
Infected with: Trojan.Downloader.Conhook.AK

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028912.dll
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028912.dll
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028913.dll
Infected with: Trojan.Downloader.Conhook.AK

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028913.dll
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028913.dll
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028914.exe
Infected with: Trojan.Clicker.Agent.NP

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028914.exe
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028914.exe
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028919.dll
Suspected of: BehavesLike:Trojan.WinlogonHook

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028919.dll
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028919.dll
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028920.dll
Suspected of: BehavesLike:Trojan.WinlogonHook

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028920.dll
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP126\A0028920.dll
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP127\A0028989.dll
Infected with: Trojan.BHO.AR

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP127\A0028989.dll
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP127\A0028989.dll
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP127\A0028990.dll
Infected with: Trojan.BHO.AR

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP127\A0028990.dll
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP127\A0028990.dll
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP127\A0028991.dll
Infected with: Trojan.BHO.AR

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP127\A0028991.dll
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP127\A0028991.dll
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP127\A0028992.dll
Infected with: Trojan.BHO.AR

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP127\A0028992.dll
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP127\A0028992.dll
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP127\A0028993.exe
Infected with: Trojan.Downloader.Agent.BGT

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP127\A0028993.exe
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP127\A0028993.exe
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP127\A0028994.dll
Infected with: Generic.Malware.Yd!sp.FE470545

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP127\A0028994.dll
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP127\A0028994.dll
Deleted

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP127\A0028995.dll
Infected with: Generic.Malware.Yd!sp.4F659994

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP127\A0028995.dll
Disinfection failed

C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP127\A0028995.dll
Deleted

C:\WINNT\Downloaded Program Files\CONFLICT.1\MiniInstaller.exe
Infected with: Backdoor.Pcclient.GV

C:\WINNT\Downloaded Program Files\CONFLICT.1\MiniInstaller.exe
Disinfection failed

C:\WINNT\Downloaded Program Files\CONFLICT.1\MiniInstaller.exe
Deleted

C:\WINNT\Downloaded Program Files\MiniInstaller.exe
Infected with: Backdoor.Pcclient.GV

C:\WINNT\Downloaded Program Files\MiniInstaller.exe
Disinfection failed

C:\WINNT\Downloaded Program Files\MiniInstaller.exe
Deleted

C:\WINNT\Downloaded Program Files\WinAntiSpyware2007FreeInstall.exe
Infected with: Trojan.Downloader.Winfixer.O

C:\WINNT\Downloaded Program Files\WinAntiSpyware2007FreeInstall.exe
Disinfection failed

C:\WINNT\Downloaded Program Files\WinAntiSpyware2007FreeInstall.exe
Deleted

C:\WINNT\system32\342Qe82k.exe
Infected with: BehavesLike:Win32.ExplorerHijack

C:\WINNT\system32\342Qe82k.exe
Disinfection failed

C:\WINNT\system32\342Qe82k.exe
Deleted

C:\WINNT\system32\fsfovabq.exe
Infected with: Trojan.Obfus.Gen

C:\WINNT\system32\fsfovabq.exe
Disinfection failed

C:\WINNT\system32\fsfovabq.exe
Deleted

C:\WINNT\system32\hcpalizo.exe
Infected with: Trojan.Obfus.Gen

C:\WINNT\system32\hcpalizo.exe
Disinfection failed

C:\WINNT\system32\hcpalizo.exe
Deleted

C:\WINNT\system32\installer_s.exe
Infected with: Dropped:Trojan.Obfus.Gen

C:\WINNT\system32\installer_s.exe
Disinfection failed

C:\WINNT\system32\installer_s.exe
Deleted

C:\WINNT\system32\Isass.exe
Infected with: DeepScan:Generic.Sdbot.E55038C3

C:\WINNT\system32\Isass.exe
Disinfection failed

C:\WINNT\system32\Isass.exe
Deleted

C:\WINNT\system32\izavwxob.exe
Infected with: Trojan.Obfus.Gen

C:\WINNT\system32\izavwxob.exe
Disinfection failed

C:\WINNT\system32\izavwxob.exe
Deleted

C:\WINNT\system32\kpmtozmb.exe
Infected with: Trojan.Downloader.Agent.BGT

C:\WINNT\system32\kpmtozmb.exe
Disinfection failed

C:\WINNT\system32\kpmtozmb.exe
Deleted

C:\WINNT\system32\lwdcdwba.exe
Infected with: Trojan.Obfus.Gen

C:\WINNT\system32\lwdcdwba.exe
Disinfection failed

C:\WINNT\system32\lwdcdwba.exe
Deleted

C:\WINNT\system32\typsxmfi.exe
Infected with: Trojan.Obfus.Gen

C:\WINNT\system32\typsxmfi.exe
Disinfection failed

C:\WINNT\system32\typsxmfi.exe
Deleted

C:\WINNT\system32\uboxmjqt.exe
Infected with: Trojan.Obfus.Gen

C:\WINNT\system32\uboxmjqt.exe
Disinfection failed

C:\WINNT\system32\uboxmjqt.exe
Deleted

The following was the report/log created which it asked me to send back to BitDefender for tracking purposes:

BitDefender Online Scanner - Real Time Virus Report

Generated at: Fri, Jul 06, 2007 - 13:56:20

--------------------------------------------------------------------------------

Scan Info

Scanned Files     254302
Infected Files    110

Virus Detected

MemScan:Trojan.BHO.BX               14
Trojan.Clicker.Agent.NP              2
Trojan.Dropper.Agent.BPG             6
Trojan.Downloader.Winfixer.O         1
MemScan:Trojan.Agent.AAAT           14
Trojan.Clicker.MNB                   4
Generic.Malware.Yd!sp.4F659994       2
Trojan.Obfus.Gen                     6
Trojan.BHO.AR                        8
Dropped:Trojan.Obfus.Gen             1
MemScan:Trojan.Downloader.JIRZ       3
Exploit.Iframe.Vulnerability        15
Trojan.Downloader.Conhook.AK         6
Generic.Malware.Yd!sp.FE470545       2
Trojan.Downloader.Agent.BGT          3
Backdoor.Pcclient.GV                 2
Application.Kazaa.B                  1
Trojan.Agent.AAAT                    4
Trojan.Vundo.DMF                     4
BehavesLike:Trojan.WinlogonHook      5
Win32.Bagle.10.Gen@mm                1
BehavesLike:Win32.ExplorerHijack     1
Trojan.Fotomoto.A                    4
DeepScan:Generic.Sdbot.E55038C3      1

--------------------------------------------------------------------------------

This summary of the scan process will be used by the BitDefender Antivirus Lab to create agregate statistics about virus activity around the world.

#12 jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 06 July 2007 - 01:11 PM

Hi again,

OK, that's thinned out the Malware. Please now run Combofix again and post the log, I don't need the quarantined-files.txt this time, if there is one. And please also post a fresh HiJackThis log, and let me know how the PC is performing now.

Edit: If HijackThis still doesn't work, rename it to 321.exe and try again. Let me know what happens.

jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.

#13 aabliss

    Member

  • Full Member
  • 7 posts

Posted 10 July 2007 - 09:33 PM

hi jedi,
Thanks again for your help. I tried to run HJT and couldn't download it (the downloading, saving, or opening of the file gets closed before it finishes) and likewise I couldn't run a renamed version of HJT that I have from a few months ago. It gets closed before I get a chance to push any buttons.

I ran comboFix again and here are the results:

"Owner" - 2007-07-10 19:18:34 - ComboFix 07-07-04.4 - Service Pack 1


((((((((((((((((((((((((( Files Created from 2007-06-10 to 2007-07-10 )))))))))))))))))))))))))))))))


2007-07-06 08:55 <DIR> d-------- C:\WINNT\BDOSCAN8
2007-07-05 15:50 81,920 --a------ C:\WINNT\system32\lpfs.exe
2007-07-05 15:44 <DIR> d---s---- C:\DOCUME~1\Owner\%SystemDrive%
2007-07-05 15:43 51,200 --a------ C:\WINNT\nircmd.exe
2007-06-27 11:13 83,456 --a------ C:\WINNT\system32\ggf.exe
2007-06-19 22:06 <DIR> d-------- C:\DOCUME~1\Owner\DoctorWeb
2007-06-19 20:56 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-19 20:56 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-06-19 20:56 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InterTrust
2007-06-11 16:42 99,880 --a------ C:\fbksrfbj1.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-20 19:32:35 -------- d-----w C:\Program Files\AIM
2007-06-09 17:36:14 95,808 ----a-w C:\fbksrfbj3.exe
2007-06-09 17:34:05 100,952 ----a-w C:\fbksrfbj2.exe
2007-06-09 15:32:08 69,632 ----a-w C:\WINNT\system32\JtPeVevI.dll
2007-06-09 15:20:40 -------- d-----w C:\Program Files\Common Files\speechengines
2007-06-09 13:37:50 -------- d-----w C:\Program Files\support.com
2007-06-04 01:17:49 1,608 ----a-w C:\WINNT\system32\snyviuhe.exe
2007-06-03 15:35:45 -------- d-----w C:\Program Files\InterMute
2007-04-17 02:47:36 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINNT\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-04-17 02:44:20 271,224 ----a-w C:\WINNT\system32\mucltui.dll
2007-04-17 02:44:18 208,248 ----a-w C:\WINNT\system32\muweb.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2001-03-02 13:02 37808 --a------ C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D4C7057-EAD2-44C6-AD18-9092905F28F1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{243B17DE-77C7-46BF-B94B-0B5F309A0E64}]
2002-07-17 12:00 163906 --a------ C:\Program Files\Microsoft Money\System\mnyside.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}]
2007-06-09 11:32 69632 --a------ C:\WINNT\System32\JtPeVevI.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{590FFB84-6A29-4797-9C0E-B15DF2C4CDCB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{778FEE7A-8F5A-465A-BD3E-69F2952BED7C}]
C:\Program Files\MSN Gaming Zone\horem.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
2006-12-22 17:02 67136 --a------ c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
C:\WINNT\xmlhelper2.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a43385f0-7113-496d-96d7-b9b550e3fcca}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a62d2213-2d9b-4d25-b52d-0bc282501d5b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{da7ff3f8-08be-4cac-bc00-94d91c6ae7f4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE1AE759-1A46-4FC2-BF4D-646957A1B991}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE6C16C4-16AD-47B6-B250-26AD1829E49A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-03-26 13:15]
"WinampAgent"="C:\Program Files\Winamp3\winampa.exe" [2002-07-23 12:58]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-09-16 09:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-08 12:17]
"McAfee Guardian"="C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" [2003-01-29 03:01]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 21:21]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\System32\ctfmon.exe" [2003-04-15 09:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 01:42]
"McAfee.InstantUpdate.Monitor"="C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" [2003-02-03 14:13]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 12:00]
"Trust Cleaner"="C:\Program Files\Trust Cleaner\TrustCleaner.exe" []
"66b652e3.exe"="C:\Documents and Settings\Owner\Local Settings\Application Data\66b652e3.exe" []
"uiio"="C:\PROGRA~1\COMMON~1\uiio\uiiom.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{53B5F2B1-94DD-43E5-8187-EB4E31F00701}"="C:\WINNT\System32\JtPeVevI.dll" [2007-06-09 11:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hyparb]
hyparb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbjt32]
winbjt32.dll


Contents of the 'Scheduled Tasks' folder
2007-06-15 05:00:03 C:\WINNT\tasks\McDefragTask.job
2005-04-30 15:23:26 C:\WINNT\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-10 19:26:04
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-10 19:26:54
C:\ComboFix-quarantined-files.txt ... 2007-07-10 19:26
C:\ComboFix2.txt ... 2007-07-09 16:34
C:\ComboFix3.txt ... 2007-07-05 16:17

--- E O F ---

#14 jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 11 July 2007 - 03:20 PM

Hi,

Download HostsXpert from here:
http://www.funkytoad.../HostsXpert.zip

Unzip it. Open the program and click on 'Restore Original Hosts'

OK the prompt, and exit HostsXpert.
Next:

Open notepad and copy/paste the text in the quotebox below into it (do not include the word ‘Quote’)

File::
C:\WINNT\system32\lpfs.exe
C:\WINNT\system32\ggf.exe
C:\fbksrfbj1.exe
C:\fbksrfbj3.exe
C:\fbksrfbj2.exe
C:\WINNT\system32\JtPeVevI.dll
C:\WINNT\system32\snyviuhe.exe
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D4C7057-EAD2-44C6-AD18-9092905F28F1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{590FFB84-6A29-4797-9C0E-B15DF2C4CDCB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{778FEE7A-8F5A-465A-BD3E-69F2952BED7C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a43385f0-7113-496d-96d7-b9b550e3fcca}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a62d2213-2d9b-4d25-b52d-0bc282501d5b}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{da7ff3f8-08be-4cac-bc00-94d91c6ae7f4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE1AE759-1A46-4FC2-BF4D-646957A1B991}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE6C16C4-16AD-47B6-B250-26AD1829E49A}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"66b652e3.exe"=-
"uiio"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{53B5F2B1-94DD-43E5-8187-EB4E31F00701}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hyparb]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbjt32]


Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.

[screenshot: ComboFix-Do.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log, assuming it will run.

jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.
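As an added example (not code from the thread, from ComboFix or from its author): a Python triage script that reads a "Reg Loading Points" section in the layout of the ComboFix logs posted above, flags the same kinds of entries the CFScript above targets (BHO CLSIDs with no file or an unreadable file behind them, Run and SharedTaskScheduler values whose target ComboFix could not stamp or that point at a file already slated for deletion, and non-default Winlogon Notify packages), and renders the result in CFScript syntax. The sample log and the known-bad file list are constructed from entries in this thread; the output is a candidate list for the helper to check against the full log.

```python
import re
from collections import OrderedDict

# Constructed sample: a cut-down "Reg Loading Points" section in the layout of
# the ComboFix logs posted in this thread (key line in brackets, then the
# values ComboFix found under it; "[]" means it could not stamp the target).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2001-03-02 13:02 37808 --a------ C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D4C7057-EAD2-44C6-AD18-9092905F28F1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}]
2007-06-09 11:32 69632 --a------ C:\WINNT\System32\JtPeVevI.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{778FEE7A-8F5A-465A-BD3E-69F2952BED7C}]
C:\Program Files\MSN Gaming Zone\horem.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\System32\ctfmon.exe" [2003-04-15 09:00]
"66b652e3.exe"="C:\Documents and Settings\Owner\Local Settings\Application Data\66b652e3.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{53B5F2B1-94DD-43E5-8187-EB4E31F00701}"="C:\WINNT\System32\JtPeVevI.dll" [2007-06-09 11:32]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hyparb]
hyparb.dll
"""

# Files the analyst has already decided to delete (the File:: section); constructed.
KNOWN_BAD_FILES = [r"C:\WINNT\system32\JtPeVevI.dll", r"C:\WINNT\system32\lpfs.exe"]

KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"="path" [stamp]   (stamp is empty when ComboFix could not read the file)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<path>[^"]*)"\s*\[(?P<stamp>[^\]]*)\]$')
# yyyy-mm-dd hh:mm size attrs path   (a file ComboFix could stat)
STAT_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \d+ \S+ (?P<path>.+)$")


def parse_loading_points(text):
    """Map each bracketed registry key to the raw value lines listed under it."""
    keys = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = []
        elif current is not None:
            keys[current].append(line)
    return keys


def triage(keys, known_bad_files=()):
    """Return (key, value_name, reason) tuples; value_name None means whole key."""
    bad = {p.lower() for p in known_bad_files}
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if "\\browser helper objects\\" in k:
            if not values:  # CLSID registered as a BHO but no file recorded behind it
                findings.append((key, None, "BHO with no file recorded"))
            for v in values:
                m = STAT_RE.match(v)
                if m is None:  # bare path: ComboFix could not stat the DLL
                    findings.append((key, None, "BHO file could not be read: " + v))
                elif m.group("path").lower() in bad:
                    findings.append((key, None, "BHO backed by a file slated for deletion"))
        elif k.endswith("\\run") or k.endswith("\\sharedtaskscheduler"):
            for v in values:
                m = VALUE_RE.match(v)
                if m is None:
                    continue
                if not m.group("stamp"):
                    findings.append((key, m.group("name"), "target has no timestamp: " + m.group("path")))
                elif m.group("path").lower() in bad:
                    findings.append((key, m.group("name"), "target slated for deletion"))
        elif "\\winlogon\\notify\\" in k:
            # ComboFix hides default Notify packages, so anything listed is non-default.
            findings.append((key, None, "non-default Winlogon Notify package: " + " ".join(values)))
    return findings


def build_cfscript(files, findings):
    """Render File:: and Registry:: sections in the CFScript syntax used in the thread."""
    lines = ["File::", *files, "Registry::"]
    grouped = OrderedDict()
    for key, name, _reason in findings:
        grouped.setdefault(key, []).append(name)
    for key, names in grouped.items():
        if None in names:
            lines.append(f"[-{key}]")  # leading '-' deletes the whole key
        else:
            lines.append(f"[{key}]")
            lines.extend(f'"{n}"=-' for n in names)  # '=-' deletes a single value
    return "\n".join(lines)
```

Running `build_cfscript(KNOWN_BAD_FILES, triage(parse_loading_points(SAMPLE_LOG), KNOWN_BAD_FILES))` on the sample reproduces the shape of the script above: three `[-...Browser Helper Objects\{...}]` lines, the Run and SharedTaskScheduler values with `=-`, and the Notify key removal, while the Acrobat BHO and ctfmon.exe are left alone.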

#15 aabliss

    Member

  • Full Member
  • 7 posts

Posted 11 July 2007 - 06:32 PM

Hi Jedi,

Things are already working much, much better! Thank you! Here is the ComboFix log after running that script:


"Owner" - 2007-07-11 19:11:56 - ComboFix 07-07-04.4 - Service Pack 1
Command switches used :: C:\Documents and Settings\Owner\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\fbksrfbj1.exe
C:\fbksrfbj2.exe
C:\fbksrfbj3.exe
C:\WINNT\system32\ggf.exe
C:\WINNT\system32\JtPeVevI.dll
C:\WINNT\system32\lpfs.exe
C:\WINNT\system32\snyviuhe.exe


((((((((((((((((((((((((( Files Created from 2007-06-11 to 2007-07-11 )))))))))))))))))))))))))))))))


2007-07-06 08:55 <DIR> d-------- C:\WINNT\BDOSCAN8
2007-07-05 15:44 <DIR> d---s---- C:\DOCUME~1\Owner\%SystemDrive%
2007-07-05 15:43 51,200 --a------ C:\WINNT\nircmd.exe
2007-06-19 22:06 <DIR> d-------- C:\DOCUME~1\Owner\DoctorWeb
2007-06-19 20:56 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-19 20:56 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-06-19 20:56 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\InterTrust


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-20 19:32:35 -------- d-----w C:\Program Files\AIM
2007-06-09 15:20:40 -------- d-----w C:\Program Files\Common Files\speechengines
2007-06-09 13:37:50 -------- d-----w C:\Program Files\support.com
2007-06-03 15:35:45 -------- d-----w C:\Program Files\InterMute
2007-04-17 02:47:36 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINNT\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-04-17 02:44:20 271,224 ----a-w C:\WINNT\system32\mucltui.dll
2007-04-17 02:44:18 208,248 ----a-w C:\WINNT\system32\muweb.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2001-03-02 13:02 37808 --a------ C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D4C7057-EAD2-44C6-AD18-9092905F28F1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{243B17DE-77C7-46BF-B94B-0B5F309A0E64}]
2002-07-17 12:00 163906 --a------ C:\Program Files\Microsoft Money\System\mnyside.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}]
C:\WINNT\System32\JtPeVevI.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{590FFB84-6A29-4797-9C0E-B15DF2C4CDCB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{778FEE7A-8F5A-465A-BD3E-69F2952BED7C}]
C:\Program Files\MSN Gaming Zone\horem.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
2006-12-22 17:02 67136 --a------ c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
C:\WINNT\xmlhelper2.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a43385f0-7113-496d-96d7-b9b550e3fcca}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a62d2213-2d9b-4d25-b52d-0bc282501d5b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{da7ff3f8-08be-4cac-bc00-94d91c6ae7f4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE1AE759-1A46-4FC2-BF4D-646957A1B991}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE6C16C4-16AD-47B6-B250-26AD1829E49A}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2003-03-26 13:15]
"WinampAgent"="C:\Program Files\Winamp3\winampa.exe" [2002-07-23 12:58]
"REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 23:32]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-09-16 09:43]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-08 12:17]
"McAfee Guardian"="C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" [2003-01-29 03:01]
"Microsoft Works Update Detection"="C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-16 21:21]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\System32\ctfmon.exe" [2003-04-15 09:00]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 16:18]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE" [2004-02-03 01:42]
"McAfee.InstantUpdate.Monitor"="C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" [2003-02-03 14:13]
"MoneyAgent"="C:\Program Files\Microsoft Money\System\mnyexpr.exe" [2002-07-17 12:00]
"Trust Cleaner"="C:\Program Files\Trust Cleaner\TrustCleaner.exe" []
"66b652e3.exe"="C:\Documents and Settings\Owner\Local Settings\Application Data\66b652e3.exe" []
"uiio"="C:\PROGRA~1\COMMON~1\uiio\uiiom.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{53B5F2B1-94DD-43E5-8187-EB4E31F00701}"="C:\WINNT\System32\JtPeVevI.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hyparb]
hyparb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbjt32]
winbjt32.dll


Contents of the 'Scheduled Tasks' folder
2007-06-15 05:00:03 C:\WINNT\tasks\McDefragTask.job
2005-04-30 15:23:26 C:\WINNT\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-11 19:16:47
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-11 19:17:39
C:\ComboFix-quarantined-files.txt ... 2007-07-11 19:17
C:\ComboFix2.txt ... 2007-07-10 19:26
C:\ComboFix3.txt ... 2007-07-09 16:34

--- E O F ---



I finally got HJT to run! Here are the results:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:28:30 PM, on 7/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\AIM\aim.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: (no name) - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - (no file)
O3 - Toolbar: (no name) - {052b12f7-86fa-4921-8482-26c42316b522} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Trust Cleaner] C:\Program Files\Trust Cleaner\TrustCleaner.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall....ivex/hcImpl.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://mygmgw.gm.co...om/iNotes6W.cab
O16 - DPF: {590FFB84-6A29-4797-9C0E-B15DF2C4CDCB} - http://www.googlecac...stall/tload.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1181394426203
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) -
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn....FreeInstall.cab
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\System32\browseui.dll
O22 - SharedTaskScheduler: Trustworking System Class - {24E27EA9-FCF3-444F-BD80-20543BA5D946} - (no file)
O22 - SharedTaskScheduler: Windowz Updater - {259BA022-2005-45E9-A965-10EDB9C00618} - (no file)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 9307 bytes

#16 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 12 July 2007 - 12:51 PM

Hi again,

Please run Notepad and paste the following text into a new file, do not include the word ‘quote’:

REGEDIT4

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D4C7057-EAD2-44C6-AD18-9092905F28F1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{590FFB84-6A29-4797-9C0E-B15DF2C4CDCB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{778FEE7A-8F5A-465A-BD3E-69F2952BED7C}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a43385f0-7113-496d-96d7-b9b550e3fcca}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a62d2213-2d9b-4d25-b52d-0bc282501d5b}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{da7ff3f8-08be-4cac-bc00-94d91c6ae7f4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE1AE759-1A46-4FC2-BF4D-646957A1B991}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FDD3B846-8D59-4ffb-8758-209B6AD74ACC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FE6C16C4-16AD-47B6-B250-26AD1829E49A}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"66b652e3.exe"=-
"uiio"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{53B5F2B1-94DD-43E5-8187-EB4E31F00701}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hyparb]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winbjt32]



Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files". Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry.

Next:

Scan with HiJackThis and put a check in the box next to the following items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O3 - Toolbar: (no name) - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - (no file)
O3 - Toolbar: (no name) - {052b12f7-86fa-4921-8482-26c42316b522} - (no file)
O16 - DPF: {917623D1-D8E5-11D2-BE8B-00104B06BDE3} (CamImage Class) -
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://download.cdn....FreeInstall.cab
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O22 - SharedTaskScheduler: Trustworking System Class - {24E27EA9-FCF3-444F-BD80-20543BA5D946} - (no file)
O22 - SharedTaskScheduler: Windowz Updater - {259BA022-2005-45E9-A965-10EDB9C00618} - (no file)


Close all browsers and windows, click on ‘fix selected’ and allow HJT to fix these entries.

Restart.

Scan again with HJT, (with all browsers and windows closed) and post the new log in this thread.

jedi

My help is free, but if you wish to help keep these forums running please consider a donation, see This Topic for details.
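Before merging a fix file like the one in this post, it helps to preview exactly which keys and values it will remove, and to see why the log entries were singled out (they point at files that are no longer there, or are startup components with no friendly name). The script below is an added example for this thread, not code from the forum or from HijackThis. It parses the REGEDIT4 syntax used above (`[-KEY]` deletes a whole key, `"name"=-` deletes one value under the key opened by the preceding `[KEY]` line) and triages sample HJT lines copied from the logs in this thread. The sample fix text is constructed; it writes the Browser Helper Objects path out in full, on the assumption that the post's `\~\` shorthand stands for `SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer`.

```python
"""Dry-run a REGEDIT4 fix file and triage HijackThis log lines.
Added example for this thread; not code from the forum or HijackThis.
Sample data below is constructed (GUIDs copied from the thread)."""
import re
from dataclasses import dataclass

# [-KEY] deletes a key; [KEY] opens a section whose value lines follow.
KEY_RE = re.compile(r'^\[(-?)(HKEY_[A-Z_]+\\.*)\]$')
# "name"=-  deletes a value; "name"=data sets it; @ is the default value.
VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')
HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")


@dataclass
class RegAction:
    kind: str           # "delete_key", "delete_value" or "set_value"
    key: str
    name: str = ""
    data: str = ""

    def describe(self) -> str:
        if self.kind == "delete_key":
            return f"DELETE KEY   {self.key}"
        if self.kind == "delete_value":
            return f"DELETE VALUE {self.key} -> {self.name}"
        return f"SET VALUE    {self.key} -> {self.name} = {self.data}"


def parse_reg_file(text: str) -> list[RegAction]:
    """Return the registry actions that merging this .reg text performs."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("not a .reg file: missing REGEDIT4 header")
    actions, current_key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank line or comment
        m = KEY_RE.match(line)
        if m:
            minus, key = m.groups()
            if minus:
                actions.append(RegAction("delete_key", key))
                current_key = None        # values cannot follow a deleted key
            else:
                current_key = key
            continue
        m = VALUE_RE.match(line)
        if m:
            if current_key is None:
                raise ValueError(f"value line outside a key section: {line}")
            name, data = m.groups()
            name = name if name == "@" else name[1:-1]   # strip the quotes
            if data == "-":
                actions.append(RegAction("delete_value", current_key, name))
            else:
                actions.append(RegAction("set_value", current_key, name, data))
            continue
        raise ValueError(f"unrecognised line: {line}")
    return actions


HJT_RE = re.compile(r'^(R\d|F\d|N\d|O\d+) - (.*)$')
ORPHAN_MARKERS = ("(no file)", "(file missing)")
UNNAMED_SUSPECT = {"O2", "O3", "O21", "O22"}   # loaded by Explorer/IE at start


def triage_hjt(log_lines) -> list[tuple[str, str, list[str]]]:
    """Return (section, entry, reasons) for HJT lines worth a closer look."""
    flagged = []
    for line in log_lines:
        m = HJT_RE.match(line.strip())
        if not m:
            continue
        section, entry = m.groups()
        reasons = []
        if any(marker in entry for marker in ORPHAN_MARKERS):
            reasons.append("points at a file that is not there")
        if section in UNNAMED_SUSPECT and "(no name)" in entry:
            reasons.append("startup component without a friendly name")
        if reasons:
            flagged.append((section, entry, reasons))
    return flagged


SAMPLE_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"66b652e3.exe"=-
"uiio"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{53B5F2B1-94DD-43E5-8187-EB4E31F00701}"=-
"""

SAMPLE_LOG = [   # constructed sample, lines copied from the logs in this thread
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx",
    r"O3 - Toolbar: (no name) - {a19ef336-01d4-48e6-926a-fe7e1c747aed} - (no file)",
    r"O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)",
    r"O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\System32\browseui.dll",
    r"O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)",
]

if __name__ == "__main__":
    print("fix.reg would perform:")
    for action in parse_reg_file(SAMPLE_REG):
        print("  " + action.describe())
    print("HJT entries to review:")
    for section, entry, reasons in triage_hjt(SAMPLE_LOG):
        print(f"  {section}: {entry}\n      {'; '.join(reasons)}")
```

The triage flags are hints, not verdicts: an O9 button with "(no name)" can be perfectly legitimate (the ActiveSync entries in these logs are), which is why the unnamed check is limited to the O2/O3/O21/O22 sections that Explorer and Internet Explorer load automatically. The parser deliberately refuses a value line that is not under an open `[KEY]` section and a file without the header, so a truncated or mangled paste is caught before it reaches regedit.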

#17 aabliss

aabliss

    Member

  • Full Member
  • 7 posts

Posted 13 July 2007 - 06:30 AM

Hi!! It's nice to have a computer that is working much better, thank you! I ran the fix.reg and did the HJT "fix selected" and restarted. Here is the resulting log from HJT:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:26:02 AM, on 7/13/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\WINNT\system32\slserv.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINNT\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Winamp3\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\WINNT\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE
C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis_v2.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [AdaptecDirectCD] "c:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [McAfee Guardian] "C:\Program Files\McAfee\McAfee Shared Components\Guardian\CMGrdian.exe" /SU
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\System32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\WCESCOMM.EXE"
O4 - HKCU\..\Run: [McAfee.InstantUpdate.Monitor] "C:\Program Files\McAfee\McAfee Shared Components\Instant Updater\RuLaunch.exe" /STARTMONITOR
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Trust Cleaner] C:\Program Files\Trust Cleaner\TrustCleaner.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INETREPL.DLL
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Support - {8828075D-D097-4055-AA02-2DBFA9D85E8A} - http://www.comcastsupport.com/ (file missing)
O9 - Extra button: Help - {97809617-3937-4F84-B335-9BB05EF1A8D4} - http://online.comcast.net/help/ (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://eu-housecall....ivex/hcImpl.cab
O16 - DPF: {3BFFE033-BF43-11D5-A271-00A024A51325} (iNotes6 Class) - https://mygmgw.gm.co...om/iNotes6W.cab
O16 - DPF: {590FFB84-6A29-4797-9C0E-B15DF2C4CDCB} - http://www.googlecac...stall/tload.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) -
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1181394426203
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINNT\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINNT\System32\browseui.dll
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINNT\SYSTEM32\slserv.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8303 bytes



How does it look? Everything looks legit to me except that party poker stuff, which shouldn't be on here. Let me know what you think, thanks!!

-Anne

#18 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 13 July 2007 - 06:41 AM

Hi again,

Yes, it looks all clean. :thumbsup:

To remove Party Poker:

Scan with HiJackThis and put a check in the box next to the following items:

O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)


Close all browsers and windows, click on ‘fix selected’ and allow HJT to fix these entries.

And delete this folder, if it exists:

C:\Program Files\PartyGaming.Net

Let me know how it goes.

jedi


#19 jedi

jedi

    aequam memento rebus in arduis servare mentem

  • Emeritus
  • 15,830 posts

Posted 03 August 2007 - 04:29 AM

Since the issue appears to be resolved this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
jedi

