Please help me remove this trojan



#1 90lxcp


Posted 11 January 2008 - 11:42 AM

At least I assume that's what it is.

I've read the FAQ and will try to post as you have requested. I ran Spybot and it found a bunch of stuff including some downloaders called Zlob. What is on my machine seems to be very similar to a post I saw on your forum when I did a search. It has hijacked my browser to a site called ucleaner.com and keeps putting fake warnings up on the screen telling me to click here and get rid of the threat. I get a warning that tells me my browser has been changed and do I want to A: keep the new setting or B: go back to the original. The new setting it says is to softwarereferral.com but when I open the browser it has uclean.com in the address line.

Whatever it is has also put up a false wallpaper with biohazard symbols and a clickable button to download privacy protection.

Until I ran spybot and AVG spyware I also had several shortcut icons added to my desktop: one for uclean one for privacy protection and one for something I can't remember. I also was getting fake attack warnings.

When I ran AVG it didn't give me a report. I set it the way your posting told me to. Was I supposed to uncheck the only if there is an infection checkmark that was there by default? Also the Kaspersky program told me it would take three days to complete a scan and I thought that was a bit excessive.

Anyway here's the HiJack This file. Please let me know what I should do next. I'm going to take this computer off line and work through my laptop while I can.

When I ran Ad-Aware it found a Trojan and removed it. I thought I'd won. And then it was back.

Thanks for being there.

Okay Nasdaq, here's resubmitted Hijack this file. I don't see any difference.
I turned wordwrap off before I copied it here. Would you like me to delete the Kaspersky file? It's the super long one.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:36 AM, on 1/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Search Settings\SearchSettings.exe
C:\Program Files\Dealio\kb125\Dealio Deskbar.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Hijack This\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb125\Dealio.dll
O2 - BHO: BDEX System - {D3464F94-A3FE-4675-8D96-49B008E12CD3} - C:\WINDOWS\dnqdlpmsom.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb125\Dealio.dll
O3 - Toolbar: The epxonwo - {D94D49D7-31D6-42E1-A5FE-438C7BFD6498} - C:\WINDOWS\epxonwo.dll (file missing)
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Documents and Settings\Nigel\Application Data\Dealio\kb125\res\DealioSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb125\Dealio.dll
O9 - Extra 'Tools' menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb125\Dealio.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O21 - SSODL: bgntlvo - {3F8F7331-63CC-4FC4-A9CB-567E4DC58C72} - C:\WINDOWS\bgntlvo.dll (file missing)
O21 - SSODL: asvdnmo - {C1EBF3C5-D550-4663-B5CF-3FEC8AC33105} - C:\WINDOWS\asvdnmo.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 9939 bytes



Kaspersky seemed to get rid of most of the nasties as long as I have the machine off-line, but as soon as I go online they're back with a vengeance. Obviously there's still a trojan or two that hasn't been found.

Anyway, here's the Kaspersky log file:



Protection
----------
Total scanned: 345499
Detected: 42
Untreated: 0
Start time: 1/12/2008 1:06:42 PM
Duration: 00:00:00
Finish time: 1/12/2008 1:06:42 PM


Detected
--------
Status Object
------ ------
deleted: adware not-a-virus:AdWare.Win32.Vapsup.xs File: c:\windows\dnqdlpmsom.dll
deleted: adware not-a-virus:AdWare.Win32.Vapsup.xs File: C:\System Volume Information\_restore{ABB9CC13-47C4-4363-9FF8-636B091EE8FD}\RP113\A0049893.dll
deleted: adware not-a-virus:AdWare.Win32.Vapsup.xs File: C:\System Volume Information\_restore{ABB9CC13-47C4-4363-9FF8-636B091EE8FD}\RP114\A0049941.dll
deleted: adware not-a-virus:AdWare.Win32.Vapsup.xs File: C:\System Volume Information\_restore{ABB9CC13-47C4-4363-9FF8-636B091EE8FD}\RP114\A0049960.dll
deleted: adware not-a-virus:AdWare.Win32.Vapsup.xs File: C:\System Volume Information\_restore{ABB9CC13-47C4-4363-9FF8-636B091EE8FD}\RP115\A0050030.dll
deleted: adware not-a-virus:AdWare.Win32.Vapsup.xs File: C:\WINDOWS\fqwmwdn.exe
deleted: virus Email-Worm.Win32.Hybris.b File: F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3D280DB2.EXE//Crypt.Quarantine
deleted: virus Email-Worm.Win32.Hybris.b File: F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\495561E8.scr//Crypt.Quarantine
deleted: virus Email-Worm.Win32.Klez.h File: F:\Program Files\Norton SystemWorks\Norton AntiVirus\QuarantineD875F61.exe//Crypt.Quarantine
deleted: virus Email-Worm.Win32.Swen File: F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\10C5373C.exe//Crypt.Quarantine
deleted: virus Email-Worm.Win32.Swen File: F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\1DAD2EBE.exe//Crypt.Quarantine
deleted: virus Email-Worm.Win32.NetSky.aa File: F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\5AEA41FF.zip//Crypt.Quarantine/Part-2.txt .exe
deleted: virus Email-Worm.Win32.NetSky.q File: F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6C8224D6.zip//Crypt.Quarantine/data.rtf .scr
deleted: virus Email-Worm.Win32.NetSky.q File: F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4A0907E2.zip//Crypt.Quarantine/document.txt .exe
deleted: virus Email-Worm.Win32.NetSky.q File: F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\54D03371.zip//Crypt.Quarantine/details.txt .pif
deleted: virus Email-Worm.Win32.NetSky.aa File: F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\4FBE2022.zip//Crypt.Quarantine/Data.txt .exe
deleted: virus Email-Worm.Win32.NetSky.q File: F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7CAB581D.zip//Crypt.Quarantine/details.txt .pif
deleted: virus Email-Worm.Win32.NetSky.q File: F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\71E24B18.zip//Crypt.Quarantine/data.rtf .scr
deleted: virus Email-Worm.Win32.NetSky.aa File: F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\34AD41CA.zip//Crypt.Quarantine/Notice.txt .exe
deleted: virus Email-Worm.Win32.NetSky.q File: F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\7FF6505C.zip//Crypt.Quarantine/data.rtf .scr
deleted: virus Email-Worm.Win32.NetSky.q File: F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\6FFA31EC.zip//Crypt.Quarantine/details.txt .pif
deleted: virus Email-Worm.Win32.NetSky.q File: F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\138A0834.zip//Crypt.Quarantine/data.rtf .scr
deleted: virus Email-Worm.Win32.NetSky.q File: F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\77E24D33.zip//Crypt.Quarantine/document.txt .exe
deleted: virus Email-Worm.Win32.Hybris.b File: F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\510402CE.TMP//Crypt.Quarantine
deleted: virus Email-Worm.Win32.Hybris.b File: F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\51943A30.TMP//Crypt.Quarantine
deleted: virus Email-Worm.Win32.Klez.h File: F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\519A0E29.TMP//Crypt.Quarantine
deleted: virus Email-Worm.Win32.Swen File: F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\51A16222.TMP//Crypt.Quarantine
deleted: virus Email-Worm.Win32.Swen File: F:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\51A7361B.TMP//Crypt.Quarantine
deleted: adware not-a-virus:AdWare.Win32.Quick.a File: F:\temp\jaguar.exe//WISE0019.BIN
deleted: adware not-a-virus:AdWare.Win32.NewDotNet File: F:\temp\jaguar.exe//WISE0020.BIN
deleted: adware not-a-virus:AdWare.Win32.EZula.a File: F:\temp\jaguar.exe//WISE0021.BIN
deleted: adware not-a-virus:AdWare.Win32.Gator.3103 File: F:\temp\jaguar.exe//WISE0022.BIN
deleted: Trojan program Trojan-Dropper.Win32.Small.ff File: F:\temp\jaguar.exe//WISE0023.BIN//UPX
deleted: adware not-a-virus:AdWare.Win32.Quick.a File: F:\temp\jaguartdalka.exe//WISE0013.BIN
deleted: adware not-a-virus:AdWare.Win32.NewDotNet File: F:\temp\jaguartdalka.exe//WISE0014.BIN
deleted: Trojan program Trojan-Dropper.Win32.Small.ff File: F:\temp\jaguartdalka.exe//WISE0015.BIN//UPX
deleted: Trojan program Trojan-Downloader.Win32.Wren.d File: F:\temp\jaguartdalka.exe//WISE0023.BIN
deleted: virus Email-Worm.Win32.Hybris.b File: F:\System Volume Information\_restore{ABB9CC13-47C4-4363-9FF8-636B091EE8FD}\RP115\A0050033.EXE//Crypt.Quarantine
deleted: virus Email-Worm.Win32.Hybris.b File: F:\System Volume Information\_restore{ABB9CC13-47C4-4363-9FF8-636B091EE8FD}\RP115\A0050034.scr//Crypt.Quarantine
deleted: virus Email-Worm.Win32.Klez.h File: F:\System Volume Information\_restore{ABB9CC13-47C4-4363-9FF8-636B091EE8FD}\RP115\A0050035.exe//Crypt.Quarantine
deleted: virus Email-Worm.Win32.Swen File: F:\System Volume Information\_restore{ABB9CC13-47C4-4363-9FF8-636B091EE8FD}\RP115\A0050036.exe//Crypt.Quarantine
deleted: virus Email-Worm.Win32.Swen File: F:\System Volume Information\_restore{ABB9CC13-47C4-4363-9FF8-636B091EE8FD}\RP115\A0050037.exe//Crypt.Quarantine


Events
------
Time Event
---- -----
1/10/2008 3:51:55 PM A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
1/10/2008 4:01:07 PM File c:\windows\dnqdlpmsom.dll: detected adware 'not-a-virus:AdWare.Win32.Vapsup.xs'.
1/10/2008 4:01:07 PM Security threats have been detected. You are advised to neutralize them immediately.
1/10/2008 4:01:07 PM File c:\windows\dnqdlpmsom.dll: is still infected, postponed.
1/10/2008 5:39:54 PM File C:\System Volume Information\_restore{ABB9CC13-47C4-4363-9FF8-636B091EE8FD}\RP113\A0049893.dll: detected adware 'not-a-virus:AdWare.Win32.Vapsup.xs'.
1/10/2008 5:39:54 PM File C:\System Volume Information\_restore{ABB9CC13-47C4-4363-9FF8-636B091EE8FD}\RP113\A0049893.dll: is still infected, postponed.
1/11/2008 9:57:04 AM A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
1/11/2008 9:58:41 AM Security threats have been detected. You are advised to neutralize them immediately.
1/11/2008 10:08:00 AM A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
1/11/2008 10:09:38 AM Security threats have been detected. You are advised to neutralize them immediately.
1/11/2008 12:02:52 PM A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
1/11/2008 12:04:13 PM Security threats have been detected. You are advised to neutralize them immediately.
1/11/2008 12:57:00 PM A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
1/11/2008 12:58:28 PM Security threats have been detected. You are advised to neutralize them immediately.
1/11/2008 2:59:44 PM A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
1/11/2008 3:01:13 PM Security threats have been detected. You are advised to neutralize them immediately.
1/11/2008 4:16:13 PM A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
1/11/2008 4:17:42 PM Security threats have been detected. You are advised to neutralize them immediately.
1/12/2008 10:07:44 AM A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
1/12/2008 10:09:13 AM Security threats have been detected. You are advised to neutralize them immediately.
1/12/2008 1:06:36 PM A full computer scan has never been performed. You are advised to perform a full scan as soon as possible.
1/12/2008 1:06:42 PM Security threats have been detected. You are advised to neutralize them immediately.
1/12/2008 1:06:42 PM The threat signatures are out of date.
1/12/2008 1:14:30 PM File C:\System Volume Information\_restore{ABB9CC13-47C4-4363-9FF8-636B091EE8FD}\RP114\A0049941.dll: detected adware 'not-a-virus:AdWare.Win32.Vapsup.xs'.
1/12/2008 1:14:30 PM Security threats have been detected. You are advised to neutralize them immediately.
1/12/2008 1:14:30 PM File C:\System Volume Information\_restore{ABB9CC13-47C4-4363-9FF8-636B091EE8FD}\RP114\A0049941.dll: is still infected, postponed.
1/12/2008 1:14:31 PM File C:\System Volume Information\_restore{ABB9CC13-47C4-4363-9FF8-636B091EE8FD}\RP114\A0049960.dll: detected adware 'not-a-virus:AdWare.Win32.Vapsup.xs'.
1/12/2008 1:14:31 PM File C:\System Volume Information\_restore{ABB9CC13-47C4-4363-9FF8-636B091EE8FD}\RP114\A0049960.dll: is still infected, postponed.
1/12/2008 1:15:19 PM File C:\System Volume Information\_restore{ABB9CC13-47C4-4363-9FF8-636B091EE8FD}\RP115\A0050030.dll: detected adware 'not-a-virus:AdWare.Win32.Vapsup.xs'.
1/12/2008 1:15:19 PM File C:\System Volume Information\_restore{ABB9CC13-47C4-4363-9FF8-636B091EE8FD}\RP115\A0050030.dll: is still infected, postponed.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled.zip/sbRecovery.reg: is password protected.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled.zip/sbRecovery.ini: is password protected.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled1.zip/sbRecovery.reg: is password protected.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled1.zip/sbRecovery.ini: is password protected.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterTaskManager.zip/sbRecovery.reg: is password protected.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterTaskManager.zip/sbRecovery.ini: is password protected.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip/sbRecovery.reg: is password protected.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC.zip/sbRecovery.ini: is password protected.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip/sbRecovery.reg: is password protected.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC1.zip/sbRecovery.ini: is password protected.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip/sbRecovery.reg: is password protected.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip/sbRecovery.ini: is password protected.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC3.zip/sbRecovery.reg: is password protected.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC3.zip/sbRecovery.ini: is password protected.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC4.zip/sbRecovery.reg: is password protected.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC4.zip/sbRecovery.ini: is password protected.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC5.zip/sbRecovery.reg: is password protected.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC5.zip/sbRecovery.ini: is password protected.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCMSVPS.zip/dat.txt: is password protected.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCMSVPS.zip/sbRecovery.ini: is password protected.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCMSVPS1.zip/dat.txt: is password protected.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudCMSVPS1.zip/sbRecovery.ini: is password protected.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloaderrid.zip/epxonwo.dll: is password protected.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloaderrid.zip/sbRecovery.ini: is password protected.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloaderrid1.zip/bgntlvo.dll: is password protected.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloaderrid1.zip/sbRecovery.ini: is password protected.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervcd.zip/sbRecovery.reg: is password protected.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervcd.zip/sbRecovery.ini: is password protected.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervcd1.zip/sbRecovery.reg: is password protected.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervcd1.zip/sbRecovery.ini: is password protected.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervcd2.zip/sbRecovery.reg: is password protected.
1/12/2008 1:16:23 PM File C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ZlobDownloadervcd2.zip/sbRecovery.ini: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/ANT.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/ANYCLEAN.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/AOL.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/AOLPHX.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/AOLTRAY.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/AOLUNINS.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/APP.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/APPARCHV.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/APPCLEAN.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/APPDEL.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/APPLETVIEWER.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/APPMOVE.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/APPROACH.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/APPTPORT.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/APSTUDIO.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/Arcbkup.exe: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/ARCHIVER.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/ARDIAL32.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/ARTGALRY.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/ART-SCAN.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/ARTSHOW4.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/ARUPLD32.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/ASAP.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/ASBROWSE.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/Ascend50.exe: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/ASPELL.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/ASTEROID.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/ATMCNTRL.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/Atmfm.exe: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/AUTMANIA.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/AUTO.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/AUTOSTRT.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/AUTOXL.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/AVCONSOL.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/AW.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/AWEDIT32.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/AWGATE.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/AWHOST32.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/AWONL32.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/AWRAS32.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/AWREM32.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/B17.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BAB.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BACKIT.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BACKLOG.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BACKTRAC.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BACKWEB.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BAILEY.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BALDUR.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BANNER.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BASH1.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BATHROOM.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BATTLE2.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BC4000.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BCC.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BCR.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BD40.exe: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/Beast.exe: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BGH2.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BGHCFG.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BIBLE.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BIGGAME.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BILLMIND.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BINDER.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BIZFORMS.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BLOODNET.COM: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BODY3WIN.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BOOKMARK.OCX: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BPBOX.OCX: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BRAVO.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BRIDGE.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BS9532.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BTNMENU.OCX: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BUD.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BW.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/BYLEAVE.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/C&c.exe: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/C7.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/C86.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/Cafe.exe: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CANVAS.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CAPEZE.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CAPPRO32.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CAPTURE.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CARMEN.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CASINO21.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CAW2.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CBW.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CCHAT.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CCMAIL.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CCPLUS.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CCREGMOD.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CCRITTER.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CCWIN.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CDISSS.OCX: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CENTRAL.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CERTCONS.EXE: is password protected.
1/12/2008 2:10:46 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CF_ENG.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CFSCONV.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CG16EH.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CG32EH.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CGMAIN.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CGMENU.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CGW.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CHANGER.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CHEM.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CHEMDRAW.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CHESS.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CHEXNOW.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CHKVXD.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CHMAGENT.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CHOMP.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CIV.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CKANLYST.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CKRUN.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CKRUN.PIF: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CLARION3.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CLIKAPP.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CLINK.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CLIPPER.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CLNSWEEP.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CM4000.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CMAGENT.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CMAPPFRM.OCX: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CMDLAGNT.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CMUSRPFL.OCX: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CNFNOT32.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CNNTC94.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/COM32UPD.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/COMBATFS.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/COMCTL32.OCX: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/COMPAT.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/Conf.exe: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CONQUEST.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CONVDSN.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/Convert.exe: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/COPYDEFS.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/Coreldrw.exe: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CORELFLW.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CORELGAL.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CORELPNT.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CPAV.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSweep\clnsweep.cfg/CPD.EXE: is password protected.
1/12/2008 2:10:47 PM File C:\Program Files\Norton SystemWorks\Norton CleanSwe

Edited by 90lxcp, 23 January 2008 - 12:43 PM.


#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • 23,523 posts

Posted 14 January 2008 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 49,091 posts

Posted 23 January 2008 - 11:55 AM

Hi,

Please resubmit your HijackThis log.

Use NotePad and make sure that the WordWrap function, under the Format menu, is disabled.

This will remove the many blank lines in your log.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#4 90lxcp

Posted 23 January 2008 - 04:00 PM

Thanks Nasdaq,

Here's the HiJack this file again. Or did you want me to run it again?



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:36 AM, on 1/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Search Settings\SearchSettings.exe
C:\Program Files\Dealio\kb125\Dealio Deskbar.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Hijack This\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb125\Dealio.dll
O2 - BHO: BDEX System - {D3464F94-A3FE-4675-8D96-49B008E12CD3} - C:\WINDOWS\dnqdlpmsom.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb125\Dealio.dll
O3 - Toolbar: The epxonwo - {D94D49D7-31D6-42E1-A5FE-438C7BFD6498} - C:\WINDOWS\epxonwo.dll (file missing)
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Documents and Settings\Nigel\Application Data\Dealio\kb125\res\DealioSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb125\Dealio.dll
O9 - Extra 'Tools' menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb125\Dealio.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O21 - SSODL: bgntlvo - {3F8F7331-63CC-4FC4-A9CB-567E4DC58C72} - C:\WINDOWS\bgntlvo.dll (file missing)
O21 - SSODL: asvdnmo - {C1EBF3C5-D550-4663-B5CF-3FEC8AC33105} - C:\WINDOWS\asvdnmo.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm

--
End of file - 9939 bytes
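
A log in the format posted above can be pre-sorted by machine before a helper reads it. The script below is an added example, not part of the thread, of HijackThis, or of the helper's analysis; the three review heuristics and all function names are assumptions of this example, and a flag means "look at this entry", not "this entry is malicious".

```python
import re

# Excerpt copied from the HijackThis log in the post above (not the full log).
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:20:36 AM, on 1/11/2008
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://softwarerefer...=...6Ojg5&lid=2
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: BDEX System - {D3464F94-A3FE-4675-8D96-49B008E12CD3} - C:\WINDOWS\dnqdlpmsom.dll
O3 - Toolbar: The epxonwo - {D94D49D7-31D6-42E1-A5FE-438C7BFD6498} - C:\WINDOWS\epxonwo.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O21 - SSODL: asvdnmo - {C1EBF3C5-D550-4663-B5CF-3FEC8AC33105} - C:\WINDOWS\asvdnmo.dll
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O24 - Desktop Component 0: Privacy Protection - file:///C:\WINDOWS\privacy_danger\index.htm
"""

# HijackThis entries look like "<section code> - <details>", e.g. "O2 - BHO: ...".
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A DLL/EXE sitting directly in C:\WINDOWS (no subfolder such as system32).
WINROOT_RE = re.compile(r'C:\\WINDOWS\\[^\\/:*?"<>|]+\.(?:dll|exe)\b', re.IGNORECASE)
ABSENT_MARKERS = ("(file missing)", "(no file)")
# Sections that load code into Internet Explorer or the Explorer shell:
# O2 = Browser Helper Objects, O3 = toolbars, O21 = ShellServiceObjectDelayLoad.
EXTENSION_SECTIONS = {"O2", "O3", "O21"}


def parse_entries(log_text):
    """Return one dict per R/F/N/O entry; header and process lines are skipped."""
    entries = []
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if not match:
            continue
        body = match.group("body")
        clsid = CLSID_RE.search(body)
        entries.append({
            "code": match.group("code"),
            "body": body,
            "clsid": clsid.group(0) if clsid else None,
        })
    return entries


def review_reasons(entry):
    """Apply this example's heuristics (assumptions) and return the reasons that hit."""
    reasons = []
    if any(marker in entry["body"] for marker in ABSENT_MARKERS):
        reasons.append("registry entry points at a file that is not on disk")
    if entry["code"] in EXTENSION_SECTIONS and WINROOT_RE.search(entry["body"]):
        reasons.append("browser/shell extension loaded from the Windows root folder")
    if entry["code"] == "O24":
        reasons.append("Active Desktop component (HTML shown on the desktop)")
    return reasons


def triage(log_text):
    """Return (code, body, reasons) for every entry that needs a human look."""
    flagged = []
    for entry in parse_entries(log_text):
        reasons = review_reasons(entry)
        if reasons:
            flagged.append((entry["code"], entry["body"], reasons))
    return flagged


if __name__ == "__main__":
    for code, body, reasons in triage(SAMPLE_LOG):
        print(f"{code}: {body}")
        for reason in reasons:
            print(f"    -> {reason}")
```
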

#5 nasdaq

Posted 24 January 2008 - 08:20 AM

Print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.

Start by running this tool.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Wait for further Instructions.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#6 90lxcp

90lxcp

    Member

  • Full Member
  • 52 posts

Posted 24 January 2008 - 05:47 PM

Thanks nasdaq. Here's the SDfix file:


SDFix: Version 1.131

Run by Nigel on Thu 01/24/2008 at 02:57 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\DOCUME~1\Nigel\Desktop\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Default HomePage Value
Restoring Default Desktop Components Value

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\DOCUME~1\Nigel\LOCALS~1\Temp\ac8zt2.dat - Deleted
C:\WINDOWS\asvdnmo.dll - Deleted
C:\WINDOWS\search_res.txt - Deleted





Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\explorer.exe
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 15:09:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

IPC error: 2 The system cannot find the file specified.
scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\fxsclnt.exe"="C:\\WINDOWS\\system32\\fxsclnt.exe:*:Enabled:Microsoft Fax Console"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer"
"C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe"="C:\\Program Files\\Yahoo!\\Yahoo! Music Jukebox\\YahooMusicEngine.exe:*:Enabled:AT&T Yahoo! Music Jukebox"
"C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\ttax.exe"="C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\ttax.exe:LocalSubNet:Enabled:TurboTax"
"C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\updatemgr.exe"="C:\\Program Files\\TurboTax\\Basic 2006\\32bit\\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

File Backups: - C:\DOCUME~1\Nigel\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes:

Wed 13 Oct 2004 1,694,208 ..SH. --- "C:\Program Files\Messenger\msmsgs.exe"
Mon 19 Nov 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 19 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Fri 14 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp"
Mon 19 Nov 2007 20 A..H. --- "C:\Documents and Settings\Nigel\Application Data\Real\Rhapsody\wmlicbackup\drmv1lic.bak"

Finished!

And here is the new HiJack this log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:21:09 PM, on 1/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Search Settings\SearchSettings.exe
C:\Program Files\Dealio\kb125\Dealio Deskbar.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Hijack This\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb125\Dealio.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb125\Dealio.dll
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Documents and Settings\Nigel\Application Data\Dealio\kb125\res\DealioSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb125\Dealio.dll
O9 - Extra 'Tools' menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb125\Dealio.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 9379 bytes

#7 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 49,091 posts

Posted 25 January 2008 - 10:17 AM

Hello,

Print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.

Disable SpywareGuard:

You have SpywareGuard installed. While this is a great program, we need to temporarily disable (not uninstall) the program because it might stop our fix.
  • Right click the running icon of SpywareGuard, it will open the program.
  • Then go to Menu, file, exit.
  • Then confirm the program is closed.

After all of the fixes are complete it is very important that you enable SpywareGuard again.


Disable AVG Anti-Spyware (formerly ewido):

Please disable AVG Anti-Spyware, as it may interfere with the fix.
  • Open AVG Anti-Spyware by double-clicking the multi-colored box emblazoned with an ‘S’ in the system tray.
  • In the Resident Shield section, toggle the AVG Anti-Spyware active protection ‘off’ by clicking Change state which will then change the protection status to 'inactive'.
  • If you are instructed to reboot at any time during your cleanup, AVG Anti-Spyware will prompt you as to whether you would like to Restart the Resident Shield.
  • Reply ‘no’ and set it to ‘inactive’ for the duration of your cleanup.

Once your log is clean you can re-enable Ewido.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)


Click on Fix Checked when finished and exit HijackThis.

Submit a fresh HijackThis log.

Let me know what problem persists.
nasdaq


#8 90lxcp

90lxcp

    Member

  • Full Member
  • 52 posts

Posted 25 January 2008 - 03:38 PM

Thanks nasdaq,

That seems (knock on wood so far) to have taken care of it. I don't get any of the warnings or pop ups that I was getting and I haven't had the biohazard wallpaper reappear.

Here's the latest HiJack This file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:24 PM, on 1/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Search Settings\SearchSettings.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\PROGRA~1\Yahoo!\YOP\SSDK02.exe
C:\Program Files\Dealio\kb125\Dealio Deskbar.exe
C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Hijack This\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb125\Dealio.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Dealio - {E67C74F4-A00A-4F2C-9FEC-FD9DC004A67F} - C:\Program Files\Dealio\kb125\Dealio.dll
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\PROGRA~1\Symantec\osCheck.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [au] C:\Program Files\Dealio\DealioAU.exe
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: ymetray.lnk = C:\Program Files\Yahoo!\Yahoo! Music Jukebox\ymetray.exe
O8 - Extra context menu item: Compare Prices with &Dealio - C:\Documents and Settings\Nigel\Application Data\Dealio\kb125\res\DealioSearch.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb125\Dealio.dll
O9 - Extra 'Tools' menuitem: Dealio - {E908B145-C847-4e85-B315-07E2E70DECF8} - C:\Program Files\Dealio\kb125\Dealio.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper20073151.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemreq.../sysreqlab2.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\PROGRA~1\Symantec\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8254 bytes
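
A way to confirm from the two logs above that the HijackThis fix removed exactly the entries that were checked and nothing else, as an added example that is not part of the original thread. The function names are hypothetical, and the embedded logs are abridged from this thread's 24 and 25 January logs (URLs are truncated on the page and are kept as they appear).

```python
import re

# HijackThis entry lines have the form "<section> - <detail>", e.g. "R1 - HKCU\...".
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")

# Abridged from the log posted after the SDFix run (24 January).
LOG_BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:21:09 PM, on 1/24/2008
Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb125\Dealio.dll
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
"""

# Abridged from the log posted after "Fix Checked" (25 January).
LOG_AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:24 PM, on 1/25/2008
Running processes:
C:\WINDOWS\Explorer.EXE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://att.yahoo.com
O2 - BHO: DealioBHO Class - {6A87B991-A31F-4130-AE72-6D0C294BF082} - C:\Program Files\Dealio\kb125\Dealio.dll
O4 - HKLM\..\Run: [SearchSettings] C:\Program Files\Search Settings\SearchSettings.exe
"""

# The subset of the helper's "place a check against" list that appears in LOG_BEFORE.
CHECKED = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
"""


def parse_entries(log_text):
    """Return the set of (section, detail) entries found in a HijackThis log."""
    entries = set()
    for raw in log_text.splitlines():
        match = ENTRY_RE.match(raw.strip())
        if match:
            entries.add((match.group(1), match.group(2)))
    return entries


def missing_targets(log_text):
    """Entries HijackThis marked "(no file)": the registry value survives, the file does not."""
    return sorted(e for e in parse_entries(log_text) if e[1].endswith("(no file)"))


def verify_fix(before, after, checked):
    """Compare two logs against the list of entries that were supposed to be fixed."""
    b, a, c = parse_entries(before), parse_entries(after), parse_entries(checked)
    return {
        "not_in_before": sorted(c - b),          # checked line copied from a different log
        "still_present": sorted(c & a),          # fix did not take, or the entry came back
        "removed_unasked": sorted((b - a) - c),  # something else was ticked by mistake
        "added": sorted(a - b),                  # new entries that need a second look
    }


if __name__ == "__main__":
    for name, items in verify_fix(LOG_BEFORE, LOG_AFTER, CHECKED).items():
        print(f"{name}: {len(items)}")
        for section, detail in items:
            print(f"    {section} - {detail}")
```

An entry in `still_present` after a reboot means something is rewriting the value, which is the "and then it was back" behaviour described in the first post; the single `added` entry here is the restored Start Page value.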

#9 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 49,091 posts

Posted 26 January 2008 - 07:41 AM

Nice work, your log is clean.

Please read this Prevention page with lots of info and tips how to prevent this in the future.
http://users.telenet...prevention.html
nasdaq


#10 90lxcp

90lxcp

    Member

  • Full Member
  • 52 posts

Posted 26 January 2008 - 02:21 PM

Thanks nasdaq, and thanks to all of you. When my computer's not right nothing's right. It's good to have it back.

#11 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 49,091 posts

Posted 06 February 2008 - 09:29 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
nasdaq
