Zhelatin


  • This topic is locked
5 replies to this topic

#1 beckham

Posted 08 June 2007 - 06:41 AM

Please, your help really would be appreciated to help me to remove this problem on my pc. I have enclosed the scan report.

Sincerely, beckham

AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 12:23:15 08/06/2007

+ Scan result:



C:\RECYCLER\S-1-5-21-2465412779-3980001871-338255775-1007\Dc171.exe -> Downloader.Small : No action taken.
C:\Documents and Settings\admin\Cookies\admin@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : No action taken.
C:\Documents and Settings\admin\Cookies\admin@yadro[2].txt -> TrackingCookie.Yadro : No action taken.
C:\3456346345643.exe -> Worm.Zhelatin.ei : No action taken.
C:\Documents and Settings\admin\Desktop\SDFix\backups\backups.zip/backups/syst.exe -> Worm.Zhelatin.ei : No action taken.
C:\System Volume Information\_restore{179001E5-6952-451B-A2F3-CCACA9C8CC55}\RP112\A0013359.exe -> Worm.Zhelatin.ei : No action taken.
C:\System Volume Information\_restore{179001E5-6952-451B-A2F3-CCACA9C8CC55}\RP112\A0013365.exe -> Worm.Zhelatin.ei : No action taken.
C:\System Volume Information\_restore{179001E5-6952-451B-A2F3-CCACA9C8CC55}\RP119\A0014772.exe -> Worm.Zhelatin.ei : No action taken.
C:\xx1232255.exe -> Worm.Zhelatin.ei : No action taken.


::Report end

#2 SWI Support Robot

Posted 11 June 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 Sempurna

Posted 14 June 2007 - 04:34 AM

Hi beckham,

Welcome to SpywareInfo! :wave:

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

OK, here’s what to do next.

Please run AVG Anti-Spyware again, and let it neutralize everything it finds. Please remember to update it first before doing a complete system scan of your computer.


NEXT:

Please download CCleaner (freeware) and save it to your desktop:
  • Run the CCleaner installer.
  • During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  • Once installed, run CCleaner and click the "Windows" tab.
  • Select the following:
    • Check everything under the "Internet Explorer" section.
    • Check everything under the "Windows Explorer" section.
    • Check everything under the "System" section.
    • Check ONLY "Old Prefetch data" under the "Advanced" section.
  • Then, click the "Applications" tab:
    • CHECK everything there.
  • Next, click the "Options" button in the left pane, then click the "Advanced" button:
    • UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".
  • Next, click the "Cleaner" button in the left pane, then click the "Run Cleaner" button (bottom right), click "OK" at the prompt.
  • When done, please exit CCleaner.
CAUTION: Please do NOT use the "Issues" button in the left pane. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.


NEXT:

Please download ComboFix by sUBs:

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.
  • Save it to your desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Please do NOT mouse-click ComboFix's window while it is running. That may cause it to stall. Also, please do NOT adjust your time format while ComboFix is running.


NEXT:

Please download Dr.Web CureIt and save it to your desktop:
  • Double-click the cureit.exe file, select "Start", and allow it to run the "Express Scan".
  • This will scan the files currently running in memory and when something is found, click the "Yes" button when it asks you if you want to cure it. This is only a short scan.
  • It could be possible it displays a popup to buy it in between, to buy or 50% discount. Just close that popup again.
  • Once the short scan has finished, click Options -> Change settings.
  • Choose the "Scan" tab, remove the mark at "Heuristic analysis".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives; a red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Once the scan has finished, it will display a list of the files found and checked by default.
  • If the file "process.exe" was found - uncheck it. This is because this file is related with some of our cleaning tools and the tools need it. Most scanners do flag this file as a bad tool, but there's nothing wrong with it.
  • Then, click "Yes to all" if Dr.Web CureIt asks if you want to cure/move any infected files.
  • When the scan has finished, look if you can click the icon next to the files found: Posted Image
  • If so, click it, and then click the next icon right below and select "Move incurable" as you'll see in next image:

    Posted Image

  • This will move infected files to the %userprofile%\DoctorWeb\quarantine folder if they can't be cured (this is in case if we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click "File" and choose "Save report list".
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.

NEXT:

Please do an online scan with Kaspersky Online Scanner using Internet Explorer (this online scanner only works with IE):
  • Click on "Kaspersky Online Scanner".
  • You will be prompted to install an ActiveX component from Kaspersky, click "Yes".
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on "Next".
  • Now click on "Scan Settings".
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click "OK".
  • Now under select a target to scan:
    • Select "My Computer".
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the "Save Report As" button.
    • In the "File name:" field, type kavscan.
    • In the "Save as type:" field, select "Text file (*.txt)".
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  • The log from the latest AVG Anti-Spyware scan.
  • The log from the ComboFix scan.
  • The log from the Dr.Web CureIt scan.
  • The log from the Kaspersky scan.
  • A new HijackThis log.
(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.

Edited by Sempurna, 14 June 2007 - 04:35 AM.

My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo

#4 beckham

Posted 29 June 2007 - 11:54 AM

Thank you very much for the response, really appreciate it. I followed your instructions and here are the following logs you requested.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 14:06:22 29/06/2007

+ Scan result:



C:\System Volume Information\_restore{179001E5-6952-451B-A2F3-CCACA9C8CC55}\RP120\A0014795.exe -> Downloader.Small : No action taken.
C:\Documents and Settings\admin\Cookies\admin@rotator.adjuggler[1].txt -> TrackingCookie.Adjuggler : No action taken.
C:\Documents and Settings\admin\Cookies\admin@com[1].txt -> TrackingCookie.Com : No action taken.
C:\Documents and Settings\admin\Cookies\admin@connextra[2].txt -> TrackingCookie.Connextra : No action taken.
C:\Documents and Settings\admin\Cookies\admin@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : No action taken.
C:\Documents and Settings\admin\Cookies\admin@intelli-direct[1].txt -> TrackingCookie.Intelli-direct : No action taken.
C:\Documents and Settings\admin\Cookies\admin@search.live[2].txt -> TrackingCookie.Live : No action taken.
C:\Documents and Settings\admin\Cookies\admin@image.masterstats[1].txt -> TrackingCookie.Masterstats : No action taken.
C:\Documents and Settings\admin\Cookies\admin@tacoda[2].txt -> TrackingCookie.Tacoda : No action taken.
C:\Documents and Settings\admin\Desktop\SDFix\backups\backups.zip/backups/syst.exe -> Worm.Zhelatin.ei : No action taken.
C:\System Volume Information\_restore{179001E5-6952-451B-A2F3-CCACA9C8CC55}\RP120\A0014793.exe -> Worm.Zhelatin.ei : No action taken.
C:\System Volume Information\_restore{179001E5-6952-451B-A2F3-CCACA9C8CC55}\RP120\A0014794.exe -> Worm.Zhelatin.ei : No action taken.


::Report end


"admin" - 2007-06-29 14:35:01 - ComboFix 07-06-27.7 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-29 )))))))))))))))))))))))))))))))


2007-06-29 14:33 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-29 14:21 <DIR> d-------- C:\Program Files\CCleaner
2007-06-08 13:21 53,248 --a------ C:\WINDOWS\system32\UNRAR.DLL
2007-06-08 13:21 129,024 --a------ C:\WINDOWS\system32\ZipDll.dll
2007-06-08 13:21 115,712 --a------ C:\WINDOWS\system32\UnzDll.dll
2007-06-08 13:21 <DIR> d-------- C:\Program Files\EasyZip
2007-06-08 13:20 297,472 --a------ C:\WINDOWS\uninst.exe
2007-06-08 11:50 <DIR> d-------- C:\Program Files\Enigma Software Group


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-09-15 15:36:29 -------- d-----w C:\Program Files\MSN Messenger
2007-09-13 15:44:38 -------- d-----w C:\Program Files\Zeallsoft
2007-06-29 12:38:58 -------- d-----w C:\Program Files\SpywareBlaster
2007-06-23 11:45:04 -------- d-----w C:\DOCUME~1\admin\APPLIC~1\SiteAdvisor
2007-05-13 18:33:12 -------- d-----w C:\Program Files\Chikka Messenger
2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-04-30 15:41:55 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-30 15:39:41 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-30 15:38:51 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-30 15:37:23 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-04-29 13:10:43 -------- d-----w C:\Program Files\mIRC
2007-04-16 21:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-16 21:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-16 21:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-16 21:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-16 21:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-16 21:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-16 21:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-16 21:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{089FD14D-132B-48FC-8861-0048AE113215}=C:\Program Files\SiteAdvisor\5020\SiteAdv.dll [2006-12-21 21:50]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-02-09 23:54 C:\WINDOWS\SOUNDMAN.EXE]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\5020\SiteAdv.exe" [2006-12-21 21:50]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 16:42]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"ICQ Lite"=C:\Program Files\ICQLite\ICQLite.exe -trayboot

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-06-29 12:48]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\Z]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6b75069d-2d83-11d9-8f37-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{7e33011d-2cd9-11d9-ae96-806d6172696f}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Info.exe folder.htt 480 480

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c6571271-2bf4-11d9-a3a5-806d6172696f}]
AutoRun\command- E:\OEMBranding.exe


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-29 14:35:54
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-29 14:36:31

--- E O F ---

DR WEB CURE IT

Process.exe;C:\Documents and Settings\admin\Desktop\SDFix\apps;Tool.Prockill;;
VBAOL10.CHM\html/olobjAddressEntries.htm;C:\Program Files\Microsoft Office\OFFICE11\1033\VBAOL10.CHM;Modification of VBS.Petik;;
VBAOL10.CHM;C:\Program Files\Microsoft Office\OFFICE11\1033;Archive contains infected objects;Moved.;
mirc.exe;C:\Program Files\mIRC;Program.mIRC.621;Incurable.Moved.;

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, June 29, 2007 5:34:12 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 29/06/2007
Kaspersky Anti-Virus database records: 355399
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 40301
Number of viruses found: 3
Number of infected objects: 15 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:42:29

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\admin\Application Data\SiteAdvisor\SiteAdv.csh Object is locked skipped
C:\Documents and Settings\admin\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\admin\Desktop\SDFix\backups_old2\backups.zip/backups/MS_update_0612_KB74062.exe Infected: Trojan-Downloader.Win32.Murlo.ek skipped
C:\Documents and Settings\admin\Desktop\SDFix\backups_old2\backups.zip ZIP: infected - 1 skipped
C:\Documents and Settings\admin\DoctorWeb\Quarantine\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Messenger\aston37@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Messenger\aston37@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Messenger\aston37@hotmail.com\SharingMetadata\Working\database_1458_F393_58F3_723A\dfsr.db Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Messenger\aston37@hotmail.com\SharingMetadata\Working\database_1458_F393_58F3_723A\fsr.log Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Messenger\aston37@hotmail.com\SharingMetadata\Working\database_1458_F393_58F3_723A\fsrtmp.log Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Messenger\aston37@hotmail.com\SharingMetadata\Working\database_1458_F393_58F3_723A\tmp.edb Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\admin\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\admin\ntuser.dat Object is locked skipped
C:\Documents and Settings\admin\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Downloads\mirc621.exe/stream/data0008 Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
C:\Downloads\mirc621.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
C:\Downloads\mirc621.exe NSIS: infected - 2 skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{179001E5-6952-451B-A2F3-CCACA9C8CC55}\RP145\A0016562.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/1/EnigmaUpdater.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\System Volume Information\_restore{179001E5-6952-451B-A2F3-CCACA9C8CC55}\RP145\A0016562.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/2/esgi_md5h.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\System Volume Information\_restore{179001E5-6952-451B-A2F3-CCACA9C8CC55}\RP145\A0016562.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/7/SpyHunter.exe Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\System Volume Information\_restore{179001E5-6952-451B-A2F3-CCACA9C8CC55}\RP145\A0016562.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/17/Esgiutl1.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\System Volume Information\_restore{179001E5-6952-451B-A2F3-CCACA9C8CC55}\RP145\A0016562.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/18/SHSched.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\System Volume Information\_restore{179001E5-6952-451B-A2F3-CCACA9C8CC55}\RP145\A0016562.exe/PRE Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\System Volume Information\_restore{179001E5-6952-451B-A2F3-CCACA9C8CC55}\RP145\A0016562.exe Ghost Installer: infected - 6 skipped
C:\System Volume Information\_restore{179001E5-6952-451B-A2F3-CCACA9C8CC55}\RP145\A0016562.exe UPX: infected - 6 skipped
C:\System Volume Information\_restore{179001E5-6952-451B-A2F3-CCACA9C8CC55}\RP145\A0016582.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
C:\System Volume Information\_restore{179001E5-6952-451B-A2F3-CCACA9C8CC55}\RP145\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_56000bps External Fax Voice Modem #2.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{53CF83A0-598F-405F-9386-B42011F7E901}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_45c.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\unp188179484.tmp Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Thanks again, please advise me on what to do next?

Sincerely, beckham

#5 Sempurna

Posted 30 June 2007 - 02:14 AM

Hi beckham, :wave:

You're most welcome, beckham. :)

Not much else to do actually. There are no active Zhelatin files on your system. :)

How are things running now? Any persistent problem or suspicious behaviour on your machine that I should know about?

#6 Sempurna

Posted 25 July 2007 - 07:49 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please tell the moderating team by replying HERE with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.