SystemDoctor


26 replies to this topic

#1 quaf069

quaf069

    Advanced Member

  • Full Member
  • 129 posts

Posted 21 April 2007 - 09:51 PM

Hello. A few days ago, I got the dreaded SystemDoctor popup and it installed something on my machine. I get a lot more popups and an Explorer.exe error (no disk) when I boot up.

I have been using "spycatcher" and it has been helping to some degree. Please take a look at my HJT log and let me know what needs fixing....thanks.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\data\codec,players\quicktime\qttask.exe
C:\Data\winamp\Winampa.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Data\Printer\HP Software Update\HPWuSchd2.exe
C:\Program Files\xloadnet\xloadnet.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Ipwindows\ipwins.exe
C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
C:\Program Files\America's Army\GamePad\nost_LM.exe
C:\Program Files\SpyCatcher 2006\Protector.exe
C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Data\winmx\WinMX\WinMX\15\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimt.../aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.md-weather.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimt.../aimtoolbar.jsp
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.md-weather.com/"); (C:\Documents and Settings\n1\Application Data\Mozilla\Profiles\default\ap5g8tmn.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\n1\Application Data\Mozilla\Profiles\default\ap5g8tmn.slt\prefs.js)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Data\fonts\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\smmvenxp.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Data\fonts\SnagItIEAddin.dll
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O4 - HKLM\..\Run: [Ptipbmf] rundll32.exe ptipbmf.dll,SetWriteCacheMode
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\data\codec,players\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Data\winamp\Winampa.exe"
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [HP Software Update] "C:\Data\Printer\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [xloadnet] "C:\Program Files\xloadnet\xloadnet.exe"
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\konptlnc.dll",setvm
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\America's Army\GamePad\nost_LM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.sxload.net (HKLM)
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep....00719/sb02b.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://www.winantivi...id=pp_454025892
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\n1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{11292B1B-336D-4521-B57F-FCE76C46B4EE}: NameServer = 4.2.2.2,4.2.2.1
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe


Thanks in advance
Matt

#2 SWI Support Robot

SWI Support Robot

    Helper robot

  • SWI Bot
  • 23,520 posts

Posted 24 April 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 quaf069

quaf069

    Advanced Member

  • Full Member
  • 129 posts

Posted 25 April 2007 - 06:31 PM

Just wondering if help is on the way...I know it's busy....Thanks in advance

#4 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 26 April 2007 - 01:06 AM

Hi quaf069,

Welcome to SpywareInfo! :wavey:

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

OK, here's what we do first.

Go to the Start -> Control Panel -> Add/Remove Programs and remove any of the following that are listed:

ClickSpring
Cowabanga by OIN
MediaTickets
MediaTickets by OIN
OIN
Outerinfo
Outer Info Network
PurityScan
PurityScan by OIN
Snowball Wars by OIN
TizzleTalk
TizzleTalk by OIN
Yazzle by OIN
Yazzle ActiveX by OIN
Yazzle Cowabanga by OIN
Yazzle Kobe Balls! By OIN
Yazzle Picster by OIN
Yazzle Snowball Wars by OIN
Yazzle Sudoku by OIN
Zolero Translator

(Anything else with the word "OIN" or "Outerinfo" or "Outer Info Network" or "Yazzle" in them)


NEXT:

Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This may change from what we knew in 2006; read this article: http://www.clickz.co...cle.php/3561546

Additional info: http://vil.nai.com/v...nt/v_137262.htm

I suggest you remove the program now. Go to Start -> Control Panel -> Add/Remove Programs and remove the following programs (if present):

Viewpoint
Viewpoint Manager
Viewpoint Media Player
Viewpoint Toolbar



If you have problems with Viewpoint regenerating after uninstallation, then please follow these instructions:

Open AOL and go to Help on the toolbar. Select About AOL. Next is the SECRET STEP. You must then press Ctrl + D to access a "secret" panel to disable all of the desktop and IM fancy features that are associated with viewpoint. This is the only way to prevent AOL from re-installing Viewpoint at AOL startup.



NEXT:

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\smmvenxp.dll
O4 - HKLM\..\Run: [xloadnet] "C:\Program Files\xloadnet\xloadnet.exe"
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\konptlnc.dll",setvm
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O15 - Trusted Zone: *.sxload.net (HKLM)
O16 - DPF: {640B39C1-D713-464F-92C3-75BD972B95EE} - http://www.sidestep....00719/sb02b.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://www.winantivi...id=pp_454025892
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\n1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe



Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Please go to Start -> Run and type (or copy and paste) the following lines in the Open field, ONE AT A TIME, then click OK:

sc stop "Viewpoint Manager Service"

sc delete "Viewpoint Manager Service"



NEXT:

Please download OTMoveIt by OldTimer:
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\konptlnc.dll
    C:\WINDOWS\system32\smmvenxp.dll
    C:\Program Files\Viewpoint
    C:\Program Files\xloadnet
    C:\Program Files\Ipwindows


  • Return to OTMoveIt, right-click on the Paste List of Files/Folders to be Moved window and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything in the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTMoveIt.
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. After reboot, please run OTMoveIt again, follow the directions as above, and post the Results report for me to see.


NEXT:

Let's run some cleanup and diagnostic scans to make sure we're not leaving anything behind.

Please download CCleaner (freeware) and save it to your desktop:
  • Run the CCleaner installer.
  • During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  • Once installed, run CCleaner and click the Windows tab.
  • Select the following:
    • Check everything under the Internet Explorer section.
    • Check everything under the Windows Explorer section.
    • Check everything under the System section.
    • Check ONLY Old Prefetch data under the Advanced section.
  • Then, click the Applications tab:
    • UNCHECK everything there.
  • Next, click the Options button, then click the Advanced button:
    • UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".
  • Next, click the Cleaner button, then click the Run Cleaner button (bottom right), then Exit.
CAUTION: Please do NOT use the Issues button. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.


NEXT:

Please download ComboFix by sUBs:

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.
  • Save it to your desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT:

Please do an online scan with Kaspersky Online Scanner:
  • Click on Kaspersky Online Scanner.
  • You will be prompted to install an ActiveX component from Kaspersky, click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click OK.
  • Now under select a target to scan:
    • Select My Computer.
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save Report As button.
    • In the File name: field, type kavscan.
    • In the Save as type: field, select Text file (*.txt).
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license has been accepted, reset to 100%.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  • The results report from OTMoveIt.
  • The log from the ComboFix scan.
  • The log from the Kaspersky scan.
  • A new HijackThis log.
(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo

#5 quaf069

quaf069

    Advanced Member

  • Full Member
  • 129 posts

Posted 27 April 2007 - 12:50 PM

Dear Sempurna

Thanks a million for all your help. It is greatly appreciated.

Anyways,

I followed all the steps mentioned above and everything was working fine. However, I got stuck at the following places.

1) ComboFix - The application seemed to get stuck. I was not clicking anywhere either. It said it was scanning for infected files, but it must have been at least 30 min. I just closed it out.

2) Kaspersky Online Scanner - Again, got stuck. It scanned about 400 files before reaching americasarmy.exe (this is a 2gb game). It was stuck on it for more than 10 minutes.


Should I be giving the above features more time....or is there something wrong...

BTW...the computer seems to be functioning better with what was accomplished.

Thanks!

#6 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 30 April 2007 - 11:38 PM

Hi quaf069, :wave:

I'm sorry for my late reply. I had lost my Internet access for the last 5 days! :(

Try running ComboFix in Safe Mode and see what happens.

Please reboot your computer into Safe Mode by doing the following:
  • Reboot your computer.
  • After hearing your computer beep once during startup, but just before the Windows icon appears, begin tapping the F8 key on your keyboard. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, reboot the computer and try again.
  • Instead of Windows loading as normal, a menu should appear.
  • Using the arrow keys on the keyboard, scroll to and select the "Safe Mode" menu item, and then press "Enter".
For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml


NEXT:

We'll try running Kaspersky at a later stage. Right now, let's try this standalone scanner.

BEFORE BEGINNING, please read completely through the instructions below. Please also print these instructions or copy them to Notepad (or another word processor), and save them for easier reference. This is because we will be in Safe Mode during the fix and you won't be able to access the Internet to view these instructions.

Please download Dr.Web CureIt and save it to your desktop:

Next, please reboot your computer into Safe Mode by doing the following:
  • Reboot your computer.
  • After hearing your computer beep once during startup, but just before the Windows icon appears, begin tapping the F8 key on your keyboard. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, reboot the computer and try again.
  • Instead of Windows loading as normal, a menu should appear.
  • Using the arrow keys on the keyboard, scroll to and select the Safe Mode menu item, and then press Enter.
Now scan with Dr.Web CureIt:
  • Double-click the drweb-cureit.exe file. It will then suggest to run an "Express Scan" -- this you should allow.
  • After this (Dr.Web writes "Done" at the bottom left), you click "Options" menu -> "Change settings".
  • Choose the "Scan" tab, uncheck the mark at "Heuristic analysis".
  • Choose the "Actions" tab, and choose "Rename" under all the "Malware" issues. Then click "OK".
  • Back at the main window, you should now mark the drives that you want to scan (a red dot shows which drives have been chosen).
  • Click the green arrow at the right, and the scan will start. The first time Dr.Web finds something, you click "Yes to All", and it will after this automatically fix what is found.
  • After the scan, go to the "View" menu -> "Report list".
  • Then go to the "File" menu -> "Save report list".
  • Save the report to your desktop. The report will be called DrWeb.csv. Copy and paste the contents of the report in your next reply.
  • Close Dr.Web CureIt.
  • REBOOT your computer!! It is possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply, together with the ComboFix log (if possible) and a new HijackThis log.

#7 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 28 May 2007 - 06:07 AM

Due to the lack of feedback, this Topic is closed.

[Reopened]

Everyone else please begin a New Topic.

#8 cnm

cnm

    Mother Lion of SWI

  • Administrators
  • 25,317 posts

Posted 18 June 2007 - 02:17 PM

Reopened at request of topic owner.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#9 quaf069

quaf069

    Advanced Member

  • Full Member
  • 129 posts

Posted 18 June 2007 - 03:49 PM

Hey Guys,

Thanks for the help above. The above procedures helped, but more problems have arisen in recent weeks. I continually get popups like crazy. It seems I am dealing with some issues with viruses purityscan.ee and outerinfo. I am getting some outerinfo popups and my antivirus (AntiVir Guard) keeps picking up on the purityscan, but never deletes it.

Here is my HJ Log. Any help would be appreciated:

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\data\codec,players\quicktime\qttask.exe
C:\Data\winamp\Winampa.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Data\Printer\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\schvost.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
C:\Program Files\America's Army\GamePad\nost_LM.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Netscape\Netscape\Netscp.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\AIM\aim.exe
C:\Data\bittorrent\utorrent.exe
C:\Data\CD Label Maker\ExPressit CD Label maker\exPressit S.E. 2.2.exe
C:\Program Files\Internet Explorer\IEXPLORE.exe
C:\Data\winmx\WinMX\WinMX\15\hijackthis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.md-weather.com/"); (C:\Documents and Settings\n1\Application Data\Mozilla\Profiles\default\ap5g8tmn.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\n1\Application Data\Mozilla\Profiles\default\ap5g8tmn.slt\prefs.js)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Data\fonts\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll
O2 - BHO: Thunder Browser Helper - {63B2D652-EAD9-4D6E-93ED-2CC51D22CF02} - C:\WINDOWS\system32\XunLei.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Data\fonts\SnagItIEAddin.dll
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\data\codec,players\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Data\winamp\Winampa.exe"
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [HP Software Update] "C:\Data\Printer\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [] C:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\Run: [qidong] C:\WINDOWS\system32\schvost.exe
O4 - HKLM\..\Run: [wosa] C:\DOCUME~1\n1\LOCALS~1\Temp\woso.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PDF3 Registry Controller] "C:\Program Files\ScanSoft\PDF Professional 3.0\\RegistryController.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ScanSoft PDF Professional 3.0-reminder] "C:\Program Files\ScanSoft\PDF Professional 3.0\Ereg\ereg.exe" -r "C:\Documents and Settings\All Users\Application Data\ScanSoft\PDF Professional\3\Ereg\ereg.ini"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [SpyCatcher Reminder] "C:\Program Files\SpyCatcher 2006\SpyCatcher.exe" reminder
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [fhrs2] C:\DOCUME~1\n1\LOCALS~1\Temp\crasos.exe
O4 - HKCU\..\Run: [kziu] C:\PROGRA~1\COMMON~1\kziu\kzium.exe
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher 2006\Scheduler daemon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\America's Army\GamePad\nost_LM.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher 2006\Protector.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://C:\Program Files\ScanSoft\PDF Professional 3.0\IEShellExt.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{11292B1B-336D-4521-B57F-FCE76C46B4EE}: NameServer = 4.2.2.2,4.2.2.1
O20 - AppInit_DLLs: interceptor.dll
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: ΢ (΢2007) - Marvell - (no file)


Thanks again
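The entries the helpers in this thread single out for removal share a few recognisable traits: autorun entries with an empty name, executables whose names imitate svchost.exe (scvhost.exe, schvost.exe), programs launched from a Temp directory, a browser helper object with no name, a site added to the Trusted Zone, and a DLL registered under AppInit_DLLs. The script below, an added example that is not code from the forum, from HijackThis or from either poster, applies those traits as triage heuristics to HijackThis-style log lines. The list of system process names, the edit-distance threshold of 2 and the reason strings are my own choices, and the sample lines are copied from the two logs posted above. A flag is a prompt for a human to review the entry, not a verdict: the O20 AppInit_DLLs line in this thread belongs to the poster's SpyCatcher install and the helper left it alone.

```python
"""Triage heuristics for HijackThis-style log lines (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the two logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1557B435-8242-4686-9AA3-9265BF7525A4} - C:\WINDOWS\system32\smmvenxp.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [] C:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\Run: [qidong] C:\WINDOWS\system32\schvost.exe
O4 - HKLM\..\Run: [wosa] C:\DOCUME~1\n1\LOCALS~1\Temp\woso.exe
O4 - HKCU\..\Run: [fhrs2] C:\DOCUME~1\n1\LOCALS~1\Temp\crasos.exe
O15 - Trusted Zone: *.sxload.net (HKLM)
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\n1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O20 - AppInit_DLLs: interceptor.dll
"""

# Assumed list of Windows process names that malware commonly imitates.
SYSTEM_STEMS = ("svchost", "lsass", "winlogon", "services", "explorer",
                "spoolsv", "csrss", "smss")


@dataclass
class Finding:
    section: str   # HijackThis section tag, e.g. "O4"
    reason: str    # why the line deserves a human look
    line: str      # the original log line


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; small enough inputs that O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def image_path(command: str) -> str:
    """Return the executable path from an O4 command string (quoted or bare)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def stem(path: str) -> str:
    """Lower-case file name without directory or .exe/.dll/.ocx extension."""
    name = re.split(r"[\\/]", path)[-1].lower()
    return re.sub(r"\.(exe|dll|ocx)$", "", name)


def lookalike_of(path: str):
    """Name of the system process this file name imitates, or None."""
    s = stem(path)
    for sysname in SYSTEM_STEMS:
        if s != sysname and levenshtein(s, sysname) <= 2:
            return sysname
    return None


def triage(log_text: str):
    """Apply the heuristics to every O-section line and collect findings."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(O\d+)\s+-\s+(.*)$", line)
        if not m:
            continue  # R0/R1/N3 lines and running processes are not examined here
        section, body = m.group(1), m.group(2)
        lowered = body.lower()
        if section == "O4":
            mm = re.search(r"\[(.*?)\]\s*(.*)$", body)
            if mm:
                name, path = mm.group(1), image_path(mm.group(2))
                if not name:
                    findings.append(Finding(section, "autorun entry with empty name", line))
                target = lookalike_of(path)
                if target:
                    findings.append(Finding(section, f"filename imitates {target}.exe", line))
        if section == "O2" and "(no name)" in body:
            findings.append(Finding(section, "browser helper object with no name", line))
        if section == "O15":
            findings.append(Finding(section, "site added to Trusted Zone", line))
        if section == "O20" and "appinit_dlls" in lowered:
            findings.append(Finding(section, "review: DLL loaded into every process via AppInit_DLLs", line))
        if re.search(r"\\temp\\", lowered):
            findings.append(Finding(section, "runs from or installs from a Temp directory", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason:55} {f.line[:70]}")
```

Only the lines the helper actually picked are flagged; the Adobe BHO and the SoundMan autorun pass through clean. The look-alike check deliberately compares file names, not full paths, because both fakes here sit in the real system32 directory.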

#10 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 19 June 2007 - 03:46 AM

Hi quaf069, :wave:

You're most welcome. :)

Your HijackThis log is not complete. It is missing the header. Please post all the logs that we ask for in their entirety. There is important information in every line, and we need to see them all. Thank you for your cooperation. :)

OK, here's what we do first.

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

O2 - BHO: Thunder Browser Helper - {63B2D652-EAD9-4D6E-93ED-2CC51D22CF02} - C:\WINDOWS\system32\XunLei.dll
O4 - HKLM\..\Run: [] C:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\Run: [qidong] C:\WINDOWS\system32\schvost.exe
O4 - HKLM\..\Run: [wosa] C:\DOCUME~1\n1\LOCALS~1\Temp\woso.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKCU\..\Run: [fhrs2] C:\DOCUME~1\n1\LOCALS~1\Temp\crasos.exe
O4 - HKCU\..\Run: [kziu] C:\PROGRA~1\COMMON~1\kziu\kzium.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE



Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Go to the Start -> Control Panel -> Add/Remove Programs and remove any of the following that are listed:

ClickSpring
Cowabanga by OIN
Ipwindows
MediaTickets
MediaTickets by OIN
OIN
Outerinfo
Outer Info Network
PurityScan
PurityScan by OIN
Snowball Wars by OIN
TizzleTalk
TizzleTalk by OIN
Yazzle by OIN
Yazzle ActiveX by OIN
Yazzle Cowabanga by OIN
Yazzle Kobe Balls! By OIN
Yazzle Picster by OIN
Yazzle Snowball Wars by OIN
Yazzle Sudoku by OIN
Zolero Translator

(Anything else with the word "OIN" or "Outerinfo" or "Outer Info Network" or "Yazzle" in them)


If none of the above programs are listed, then download and run this OIN Uninstaller.


NEXT:

Please download ComboFix by sUBs:

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.
  • Save it to your desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Please do NOT mouse-click ComboFix's window while it is running. That may cause it to stall. Also, please do NOT adjust your time format while ComboFix is running.


NEXT:

Please download Dr.Web CureIt and save it to your desktop:
  • Double-click the cureit.exe file, select "Start", and allow it to run the "Express Scan".
  • This will scan the files currently running in memory and when something is found, click the "Yes" button when it asks you if you want to cure it. This is only a short scan.
  • It could be possible it displays a pop up to buy Dr.Web, or to buy at a 50% discount. Just close that pop up.
  • Once the short scan has finished, click Options -> Change settings:
    • Click the "Scan" tab, remove the mark at "Heuristic analysis".
    • Click the "Actions" tab, and choose "Rename" under all the "Malware" issues. Then click "OK".
  • Back at the main window, mark the drives that you want to scan.
  • Select all drives; a red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Once the scan has finished, it will display a list of the files found and checked by default.
  • If the file "process.exe" was found - uncheck it. This is because this file is related to some of our cleaning tools and the tools need it. Most scanners do flag this file as a bad tool, but there's nothing wrong with it.
  • Then, click "Yes to all" if Dr.Web CureIt asks if you want to cure/move any infected files.
  • When the scan has finished, look if you can click the icon next to the files found: Posted Image
  • If so, click it, and then click the next icon right below and select "Move incurable" as you'll see in next image:

    Posted Image

  • This will move infected files to the %userprofile%\DoctorWeb\quarantine folder if they can't be cured (this is in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click "File" and choose "Save report list".
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Reboot your computer!! Files that are in use may only be moved/deleted during the reboot.

NEXT:

For this next step, please ensure that ComboFix.exe is on your desktop:
  • Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
    (start copying from "File::")


    File::
    C:\WINDOWS\system32\schvost.exe
    C:\WINDOWS\system32\XunLei.dll
    C:\DOCUME~1\n1\LOCALS~1\Temp\woso.exe
    C:\WINDOWS\retadpu72.exe
    C:\DOCUME~1\n1\LOCALS~1\Temp\crasos.exe
    C:\PROGRA~1\COMMON~1\kziu\kzium.exe
    
    Folder::
    C:\PROGRA~1\COMMON~1\kziu
    

  • Save this as ComboFix-Do.txt and change the "Save as type" to "All Files" and place it on your desktop.


    Posted Image


  • Referring to the screenshot above, drag ComboFix-Do.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Please do NOT mouse-click ComboFix's window while it is running. That may cause it to stall. Also, please do NOT adjust your time format while ComboFix is running.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  • The log from the Dr.Web CureIt scan.
  • The logs from the ComboFix scan located at C:\ComboFix.txt and C:\ComboFix2.txt.
  • A new HijackThis log.
(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo
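The O4 entries Sempurna asks to fix above share a few tells that a reader can check mechanically: an empty entry name, a program started out of a Temp folder, and filenames such as scvhost.exe and schvost.exe that are one or two characters away from the real svchost.exe. The script below is an added example for this thread, not part of HijackThis or of the original post; it parses Run-key O4 lines and reports those tells. The sample lines are constructed from the fix list above plus two benign autostarts (NvCplDaemon and SoundMan are assumed-benign filler) that must not be flagged; the list of imitated system binaries is an assumption as well.

```python
"""Triage of HijackThis O4 (Run-key autostart) entries.

Added example for this thread; it is not part of HijackThis or of the
original post. It flags an empty entry name, a program launched from a
Temp folder, and a filename that is a near-miss of a Windows system
binary (scvhost.exe and schvost.exe both imitate svchost.exe).
"""
import re

# Constructed sample: four lines from the fix list above plus two assumed
# benign entries that the triage must leave alone.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [] C:\WINDOWS\system32\scvhost.exe
O4 - HKLM\..\Run: [qidong] C:\WINDOWS\system32\schvost.exe
O4 - HKLM\..\Run: [wosa] C:\DOCUME~1\n1\LOCALS~1\Temp\woso.exe
O4 - HKCU\..\Run: [fhrs2] C:\DOCUME~1\n1\LOCALS~1\Temp\crasos.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
"""

# Windows binaries that malware commonly imitates by name (assumed list).
SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "explorer.exe", "smss.exe", "spoolsv.exe"}

# "O4 - <hive>: [<name>] <command>"; Global Startup lines are not matched.
O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
TEMP_RE = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)


def edit_distance(a, b):
    """Levenshtein distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename, max_distance=2):
    """Return the system binary this filename imitates, or None.

    Exact matches are expected (a real svchost.exe is normal) and are not
    reported; very short stems are skipped to avoid noise.
    """
    stem = filename.lower().rsplit(".", 1)[0]
    if filename.lower() in SYSTEM_BINARIES or len(stem) < 5:
        return None
    for sysbin in sorted(SYSTEM_BINARIES):
        if edit_distance(stem, sysbin.rsplit(".", 1)[0]) <= max_distance:
            return sysbin
    return None


def executable_name(cmd):
    """Bare filename of the program a Run-key command launches."""
    cmd = cmd.strip()
    exe = cmd[1:].split('"', 1)[0] if cmd.startswith('"') else cmd.split(" ", 1)[0]
    return exe.replace("/", "\\").rsplit("\\", 1)[-1]


def triage_o4(log_text):
    """Return [(line, [reasons])] for every O4 line that looks suspicious."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if not m:
            continue
        reasons = []
        if not m.group("name"):
            reasons.append("empty entry name")
        if TEMP_RE.search(m.group("cmd")):
            reasons.append("launched from a Temp folder")
        imitated = lookalike_of(executable_name(m.group("cmd")))
        if imitated:
            reasons.append(f"filename resembles {imitated}")
        if reasons:
            findings.append((line.strip(), reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage_o4(SAMPLE_LOG):
        print(line, "->", "; ".join(reasons))
```

The distance check deliberately ignores exact matches, so a genuine svchost.exe autostart is not reported; only the misspelt imitations are. Run-key entries whose names are absent or whose programs live in a Temp folder are reported regardless of filename, which is what catches woso.exe and crasos.exe above.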

#11 quaf069

quaf069

    Advanced Member

  • Full Member
  • PipPipPip
  • 129 posts

Posted 19 June 2007 - 06:44 PM

Sempurna,

Thanks for your prompt reply.


1) I checked and "fixed" what you listed below for the HijackThis log.

2) ComboFix would not work as I got an error c:\windows\regedit.exe is missing

3) I ran Dr.Web CureIt and it found a lot of stuff. Had it fix/rename what was needed. However

* When the scan has finished, look if you can click the icon next to the files found: IPB Image
* If so, click it, and then click the next icon right below and select "Move incurable" as you'll see in next image: reboot.

- I could not click the icon.


Not sure what to do about ComboFix? Anywhere I can get that missing file?


Quaf

#13 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 19 June 2007 - 11:06 PM

Hi quaf069, :wave:

You're most welcome, quaf069.


ComboFix would not work as I got an error c:\windows\regedit.exe is missing.

Not sure what to do about ComboFix? Anywhere I can get that missing file?

Yes, there should be a backup copy in your i386 folder. Search for the folder on your system (its location varies from system to system, but is usually C:\).

Copy the backup copy of regedit.exe to the C:\WINDOWS folder.

If you cannot find a copy of the file in your system, copy one over from another computer.

Please let me know if you have trouble with this and running ComboFix thereafter.


NEXT:

OK, while we see if ComboFix will work after the above, please do this next.

Please download CCleaner (freeware) and save it to your desktop:
  • Run the CCleaner installer.
  • During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  • Once installed, run CCleaner and click the "Windows" tab.
  • Select the following:
    • Check everything under the "Internet Explorer" section.
    • Check everything under the "Windows Explorer" section.
    • Check everything under the "System" section.
    • Check ONLY "Old Prefetch data" under the "Advanced" section.
  • Then, click the "Applications" tab:
    • CHECK everything there.
  • Next, click the "Options" button in the left pane, then click the "Advanced" button:
    • UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".
  • Next, click the "Cleaner" button in the left pane, then click the "Run Cleaner" button (bottom right), click "OK" at the prompt.
  • When done, please exit CCleaner.
CAUTION: Please do NOT use the "Issues" button in the left pane. This is a built-in registry cleaner. If you don't know how to use it, you may cause irreparable damage to your system.


NEXT:

Let's run an online scan to make sure we're not leaving anything behind.

Please do an online scan with Kaspersky Online Scanner using Internet Explorer (this online scanner only works with IE):
  • Click on "Kaspersky Online Scanner".
  • You will be prompted to install an ActiveX component from Kaspersky, click "Yes".
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on "Next".
  • Now click on "Scan Settings".
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended
    • Scan Options:
      Scan Archives
      Scan Mail Bases
  • Click "OK".
  • Now under select a target to scan:
    • Select "My Computer".
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the "Save Report As" button.
    • In the "File name:" field, type kavscan.
    • In the "Save as type:" field, select "Text file (*.txt)".
  • Save the file to your desktop.
  • Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.


NEXT:

Please do an online scan with Panda ActiveScan using Internet Explorer (this online scanner only works with IE):
  • Once you are on the Panda site click the "Scan your PC" button located at the bottom of the page.
  • A new window will open... click the "Check Now" button.
  • Enter your "Country".
  • Enter your "State/Province".
  • Enter your "e-mail address".
  • Select either "Home User" or "Company".
  • Click the big "Free Online Scan" button.
  • If it wants to install an ActiveX component allow it.
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes).
  • When the download is complete, click on "Local Disks" to start the scan.
  • When the scan completes, if anything malicious is detected, click the "See Report" button; then "Save Report" and save it to a convenient location. Post the contents of the Panda scan report in your next reply.

NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  • The log from the ComboFix scan (if possible).
  • The log from the Kaspersky scan.
  • The log from the Panda scan.
  • A new HijackThis log.
How are things running now? Please let me know about any problems that persist.

#14 quaf069

quaf069

    Advanced Member

  • Full Member
  • PipPipPip
  • 129 posts

Posted 20 June 2007 - 06:05 AM

Sempurna,

Thanks again for the prompt reply. I will do as instructed. Just to let you know that I am going away for a few days and will be back on monday. I will let you know how things worked out when I get back!

Thanks!

#15 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • PipPipPipPipPip
  • 3,838 posts

Posted 20 June 2007 - 06:46 AM

You're most welcome, quaf069. :)

Catch up with you when you get back, then. Have a good trip! :wave:

#16 quaf069

quaf069

    Advanced Member

  • Full Member
  • PipPipPip
  • 129 posts

Posted 26 June 2007 - 09:34 PM

Sempurna,

Still could not get the ComboFix thing to work. I have the Regedit.exe file in the c:/windows directory. I guess it's corrupt. I could not delete it or override it with the regedit in the i386 folder as I got an "access denied, or full write protected error"

Anyways... Everything else worked ok as far as Kaspersky and Panda scan. Please see the logs below:


Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, June 26, 2007 8:58:09 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 27/06/2007
Kaspersky Anti-Virus database records: 353955
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
Y:\
Z:\

Scan Statistics:
Total number of scanned objects: 73291
Number of viruses found: 13
Number of infected objects: 35
Number of suspicious objects: 0
Duration of the scan process: 02:23:05

Infected Object Name / Virus Name / Last Action
C:\Data\Program Files\Altnet\Download Manager\asm.#xe Infected: not-a-virus:AdWare.Win32.Altnet.l skipped
C:\Data\wallpapers\snowfree.exe/snowy.exe/BSAVEINST.EXE/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.e skipped
C:\Data\wallpapers\snowfree.exe/snowy.exe/BSAVEINST.EXE/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
C:\Data\wallpapers\snowfree.exe/snowy.exe/BSAVEINST.EXE/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
C:\Data\wallpapers\snowfree.exe/snowy.exe/BSAVEINST.EXE Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
C:\Data\wallpapers\snowfree.exe/snowy.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
C:\Data\wallpapers\snowfree.exe ZIP: infected - 5 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\n1\Application Data\Aim\gleqbnvw\QUAF069\cert8.db Object is locked skipped
C:\Documents and Settings\n1\Application Data\Aim\gleqbnvw\QUAF069\key3.db Object is locked skipped
C:\Documents and Settings\n1\Application Data\Mozilla\Profiles\default\ap5g8tmn.slt\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\n1\Application Data\Mozilla\Profiles\default\ap5g8tmn.slt\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\n1\Application Data\Mozilla\Profiles\default\ap5g8tmn.slt\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\n1\Application Data\Mozilla\Profiles\default\ap5g8tmn.slt\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\n1\Application Data\Mozilla\Profiles\default\ap5g8tmn.slt\history.dat Object is locked skipped
C:\Documents and Settings\n1\Application Data\Mozilla\Profiles\default\ap5g8tmn.slt\parent.lock Object is locked skipped
C:\Documents and Settings\n1\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.cf8dd223.ini.inuse Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\n1\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\n1\Local Settings\History\History.IE5\MSHist012007062620070627\index.dat Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Temp\Perflib_Perfdata_21c.dat Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Temp\~DF174E.tmp Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Temp\~DF17C5.tmp Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\n1\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\n1\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\DIGStream\digstream.exe Infected: not-a-virus:Downloader.Win32.DigStream.a skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0136997.#ll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0137005.#ll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0137006.#ll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0137007.#ll Infected: not-a-virus:AdWare.Win32.Gator.3124 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0137008.#ll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0137009.#ll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0137010.#ll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0137011.#ll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0137013.#ll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0137014.#ll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0137015.#ll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP624\A0139475.#ll Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\A0147480.#xe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\A0147481.#ll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\A0147494.#xe Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\A0147515.#xe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\A0147520.#ll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\A0147521.#ll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\A0147583.#xe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\A0147656.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\snapshot\MFEX-2.#AT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\snapshot\MFEX-3.#AT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP656\A0147909.#xe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP656\A0148085.#xe Infected: not-a-virus:AdWare.Win32.Altnet.l skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP656\A0148090.dll Infected: not-a-virus:AdWare.Win32.Rond.a skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP656\A0148091.exe Infected: not-a-virus:AdWare.Win32.Rond.a skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\regedit.exe Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINDOWS\system32\drivers\core.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hzyocpn.dll.ren Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.




Panda Scan in next post
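The Kaspersky report above lists 35 infected objects, but most of them are not live threats: entries under System Volume Information\_restore are System Restore snapshots of files already removed from their original locations, and entries with a .#xe/.#ll/.ren extension are files already neutralised by the Rename action chosen in the Dr.Web step. The parser below is an added example for this thread, not part of Kaspersky Online Scanner or of the original post; it separates the report's "Infected:", "ZIP: infected" and "Object is locked" lines and splits the infected ones into restore-point copies, already-renamed files, and the few live files that still need attention. The sample report is a constructed excerpt of the log above; the classification of renamed extensions is this example's own assumption.

```python
"""Triage of a Kaspersky Online Scanner report.

Added example for this thread; it is not part of the scanner or of the
original post. It classifies each per-object line and then sorts the
infected objects into restore-point copies, already-renamed files, and
live files.
"""
import re
from collections import Counter

# Constructed excerpt of the report posted above.
SAMPLE_REPORT = r"""
Scan Statistics:
Total number of scanned objects: 73291
Number of infected objects: 35

Infected Object Name / Virus Name / Last Action
C:\Data\Program Files\Altnet\Download Manager\asm.#xe Infected: not-a-virus:AdWare.Win32.Altnet.l skipped
C:\Data\wallpapers\snowfree.exe/snowy.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
C:\Data\wallpapers\snowfree.exe ZIP: infected - 5 skipped
C:\Documents and Settings\n1\NTUSER.DAT Object is locked skipped
C:\Program Files\DIGStream\digstream.exe Infected: not-a-virus:Downloader.Win32.DigStream.a skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\A0147494.#xe Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\WINDOWS\regedit.exe Object is locked skipped
C:\WINDOWS\system32\hzyocpn.dll.ren Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped

Scan process completed.
"""

# One pattern per line shape the report uses; paths may contain spaces.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) ZIP: infected - (?P<count>\d+) (?P<action>\S+)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\S+)$")
RESTORE_RE = re.compile(r"\\System Volume Information\\", re.IGNORECASE)


def parse_report(text):
    """Split per-object lines into infected, archive and locked findings."""
    result = {"infected": [], "archives": [], "locked": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := INFECTED_RE.match(line):
            result["infected"].append((m["path"], m["name"]))
        elif m := ARCHIVE_RE.match(line):
            result["archives"].append((m["path"], int(m["count"])))
        elif m := LOCKED_RE.match(line):
            result["locked"].append(m["path"])
    return result


def is_renamed(path):
    """True if the file already carries a neutralised extension (.#xe, .#ll, .ren).

    Assumption of this example: a '#' in the extension or a trailing .ren
    marks a file renamed by an earlier cleaning step.
    """
    name = path.rsplit("\\", 1)[-1].lower()
    return name.endswith(".ren") or name.rsplit(".", 1)[-1].startswith("#")


def summarize(parsed):
    """Sort infected objects into restore-point copies, renamed files and live files."""
    infected = parsed["infected"]
    in_restore = [p for p, _ in infected if RESTORE_RE.search(p)]
    renamed = [p for p, _ in infected if not RESTORE_RE.search(p) and is_renamed(p)]
    live = [p for p, _ in infected if not RESTORE_RE.search(p) and not is_renamed(p)]
    return {
        "infected": len(infected),
        "detections": Counter(name for _, name in infected),
        "in_restore_points": in_restore,
        "already_renamed": renamed,
        "live": live,
        "locked": len(parsed["locked"]),
        "archives": len(parsed["archives"]),
    }


if __name__ == "__main__":
    summary = summarize(parse_report(SAMPLE_REPORT))
    print(f"{summary['infected']} infected, {summary['locked']} locked, "
          f"{summary['archives']} archives")
    for path in summary["live"]:
        print("live:", path)
```

On the excerpt, the two live files are the SaveNow installer nested inside the wallpaper archive and digstream.exe, which matches the running digstream.exe process in the first log of this thread; the restore-point and renamed entries are listed separately so they are not mistaken for an active infection.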

#17 quaf069

quaf069

    Advanced Member

  • Full Member
  • PipPipPip
  • 129 posts

Posted 26 June 2007 - 09:35 PM

Sempurna,

Still could not get the ComboFix thing to work. I have the Regedit.exe file in the c:/windows directory. I guess it's corrupt. I could not delete it or override it with the regedit in the i386 folder as I got an "access denied, or full write protected error"

Anyways... Everything else worked ok as far as Kaspersky and Panda scan. Please see the logs below:


Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, June 26, 2007 8:58:09 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 27/06/2007
Kaspersky Anti-Virus database records: 353955
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
Y:\
Z:\

Scan Statistics:
Total number of scanned objects: 73291
Number of viruses found: 13
Number of infected objects: 35
Number of suspicious objects: 0
Duration of the scan process: 02:23:05

Infected Object Name / Virus Name / Last Action
C:\Data\Program Files\Altnet\Download Manager\asm.#xe Infected: not-a-virus:AdWare.Win32.Altnet.l skipped
C:\Data\wallpapers\snowfree.exe/snowy.exe/BSAVEINST.EXE/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.e skipped
C:\Data\wallpapers\snowfree.exe/snowy.exe/BSAVEINST.EXE/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
C:\Data\wallpapers\snowfree.exe/snowy.exe/BSAVEINST.EXE/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
C:\Data\wallpapers\snowfree.exe/snowy.exe/BSAVEINST.EXE Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
C:\Data\wallpapers\snowfree.exe/snowy.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
C:\Data\wallpapers\snowfree.exe ZIP: infected - 5 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\n1\Application Data\Aim\gleqbnvw\QUAF069\cert8.db Object is locked skipped
C:\Documents and Settings\n1\Application Data\Aim\gleqbnvw\QUAF069\key3.db Object is locked skipped
C:\Documents and Settings\n1\Application Data\Mozilla\Profiles\default\ap5g8tmn.slt\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\n1\Application Data\Mozilla\Profiles\default\ap5g8tmn.slt\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\n1\Application Data\Mozilla\Profiles\default\ap5g8tmn.slt\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\n1\Application Data\Mozilla\Profiles\default\ap5g8tmn.slt\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\n1\Application Data\Mozilla\Profiles\default\ap5g8tmn.slt\history.dat Object is locked skipped
C:\Documents and Settings\n1\Application Data\Mozilla\Profiles\default\ap5g8tmn.slt\parent.lock Object is locked skipped
C:\Documents and Settings\n1\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.cf8dd223.ini.inuse Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\n1\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\n1\Local Settings\History\History.IE5\MSHist012007062620070627\index.dat Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Temp\Perflib_Perfdata_21c.dat Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Temp\~DF174E.tmp Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Temp\~DF17C5.tmp Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\n1\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\n1\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\DIGStream\digstream.exe Infected: not-a-virus:Downloader.Win32.DigStream.a skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0136997.#ll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0137005.#ll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0137006.#ll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0137007.#ll Infected: not-a-virus:AdWare.Win32.Gator.3124 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0137008.#ll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0137009.#ll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0137010.#ll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0137011.#ll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0137013.#ll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0137014.#ll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0137015.#ll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP624\A0139475.#ll Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\A0147480.#xe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\A0147481.#ll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\A0147494.#xe Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\A0147515.#xe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\A0147520.#ll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\A0147521.#ll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\A0147583.#xe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\A0147656.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\snapshot\MFEX-2.#AT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\snapshot\MFEX-3.#AT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP656\A0147909.#xe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP656\A0148085.#xe Infected: not-a-virus:AdWare.Win32.Altnet.l skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP656\A0148090.dll Infected: not-a-virus:AdWare.Win32.Rond.a skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP656\A0148091.exe Infected: not-a-virus:AdWare.Win32.Rond.a skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\regedit.exe Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINDOWS\system32\drivers\core.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hzyocpn.dll.ren Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.




Panda Scan in next post

#18 quaf069

Advanced Member, Full Member, 129 posts

Posted 26 June 2007 - 09:38 PM

Sempurna,

Still could not get the ComboFix thing to work. I have the regedit.exe file in the C:\Windows directory. I guess it's corrupt. I could not delete it or overwrite it with the regedit from the i386 folder, as I got an "access denied, or full write protected" error.

Anyway... everything else worked OK as far as the Kaspersky and Panda scans go. Please see the logs below:

Kaspersky:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, June 26, 2007 8:58:09 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 27/06/2007
Kaspersky Anti-Virus database records: 353955
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
Y:\
Z:\

Scan Statistics:
Total number of scanned objects: 73291
Number of viruses found: 13
Number of infected objects: 35
Number of suspicious objects: 0
Duration of the scan process: 02:23:05

Infected Object Name / Virus Name / Last Action
C:\Data\Program Files\Altnet\Download Manager\asm.#xe Infected: not-a-virus:AdWare.Win32.Altnet.l skipped
C:\Data\wallpapers\snowfree.exe/snowy.exe/BSAVEINST.EXE/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.e skipped
C:\Data\wallpapers\snowfree.exe/snowy.exe/BSAVEINST.EXE/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
C:\Data\wallpapers\snowfree.exe/snowy.exe/BSAVEINST.EXE/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
C:\Data\wallpapers\snowfree.exe/snowy.exe/BSAVEINST.EXE Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
C:\Data\wallpapers\snowfree.exe/snowy.exe Infected: not-a-virus:AdWare.Win32.SaveNow.bl skipped
C:\Data\wallpapers\snowfree.exe ZIP: infected - 5 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\n1\Application Data\Aim\gleqbnvw\QUAF069\cert8.db Object is locked skipped
C:\Documents and Settings\n1\Application Data\Aim\gleqbnvw\QUAF069\key3.db Object is locked skipped
C:\Documents and Settings\n1\Application Data\Mozilla\Profiles\default\ap5g8tmn.slt\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\n1\Application Data\Mozilla\Profiles\default\ap5g8tmn.slt\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\n1\Application Data\Mozilla\Profiles\default\ap5g8tmn.slt\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\n1\Application Data\Mozilla\Profiles\default\ap5g8tmn.slt\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\n1\Application Data\Mozilla\Profiles\default\ap5g8tmn.slt\history.dat Object is locked skipped
C:\Documents and Settings\n1\Application Data\Mozilla\Profiles\default\ap5g8tmn.slt\parent.lock Object is locked skipped
C:\Documents and Settings\n1\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.cf8dd223.ini.inuse Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\n1\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\n1\Local Settings\History\History.IE5\MSHist012007062620070627\index.dat Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Temp\Perflib_Perfdata_21c.dat Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Temp\~DF174E.tmp Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Temp\~DF17C5.tmp Object is locked skipped
C:\Documents and Settings\n1\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\n1\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\n1\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\DIGStream\digstream.exe Infected: not-a-virus:Downloader.Win32.DigStream.a skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0136997.#ll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0137005.#ll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0137006.#ll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0137007.#ll Infected: not-a-virus:AdWare.Win32.Gator.3124 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0137008.#ll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0137009.#ll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0137010.#ll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0137011.#ll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0137013.#ll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0137014.#ll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP620\A0137015.#ll Infected: not-a-virus:AdWare.Win32.Gator.6041 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP624\A0139475.#ll Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\A0147480.#xe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\A0147481.#ll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\A0147494.#xe Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\A0147515.#xe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\A0147520.#ll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\A0147521.#ll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\A0147583.#xe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\A0147656.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\snapshot\MFEX-2.#AT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\snapshot\MFEX-3.#AT Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP656\A0147909.#xe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP656\A0148085.#xe Infected: not-a-virus:AdWare.Win32.Altnet.l skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP656\A0148090.dll Infected: not-a-virus:AdWare.Win32.Rond.a skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP656\A0148091.exe Infected: not-a-virus:AdWare.Win32.Rond.a skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\regedit.exe Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINDOWS\system32\drivers\core.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hzyocpn.dll.ren Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.




Panda Scan in next post
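
A small triage pass over report lines in this format, added here as an example and not part of quaf069's post or of Kaspersky's own tooling. It parses the "Infected Object Name / Virus Name / Last Action" lines, separates hits inside System Restore snapshots (System Volume Information\_restore{...}\RPnnn) from hits on live files, splits not-a-virus: adware/riskware verdicts from Trojan-class verdicts, and keeps "Object is locked" entries apart, since those are files the scanner could not open rather than clean files. The sample lines are copied from the report above; the bucket names, regexes and function names are the example's own.

```python
import re
from collections import defaultdict

# Constructed sample: nine lines copied verbatim from the Kaspersky Online
# Scanner report above (the full report lists 35 infected objects).
SAMPLE_REPORT = r"""
C:\Data\Program Files\Altnet\Download Manager\asm.#xe Infected: not-a-virus:AdWare.Win32.Altnet.l skipped
C:\Data\wallpapers\snowfree.exe/snowy.exe/BSAVEINST.EXE/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.e skipped
C:\Data\wallpapers\snowfree.exe ZIP: infected - 5 skipped
C:\Documents and Settings\n1\NTUSER.DAT Object is locked skipped
C:\Program Files\DIGStream\digstream.exe Infected: not-a-virus:Downloader.Win32.DigStream.a skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP655\A0147494.#xe Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\System Volume Information\_restore{E6CB30BC-0AF6-414B-8834-FCDF4F8913FE}\RP656\A0148091.exe Infected: not-a-virus:AdWare.Win32.Rond.a skipped
C:\WINDOWS\regedit.exe Object is locked skipped
C:\WINDOWS\system32\hzyocpn.dll.ren Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped
"""

# One report line is "<path> <result> <last action>", where <result> is one of
# "Infected: <verdict>", "<ARCHIVE>: infected - <n>" or "Object is locked".
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:Infected: (?P<verdict>\S+)"
    r"|(?P<archive>[A-Z0-9]+): infected - (?P<members>\d+)"
    r"|(?P<locked>Object is locked)) (?P<action>\S+)$"
)

# Windows XP System Restore snapshots: <drive>:\System Volume Information\_restore{GUID}\RPnnn\...
RESTORE_RE = re.compile(
    r"^[A-Za-z]:\\System Volume Information\\_restore\{[0-9A-Fa-f-]+\}\\RP\d+\\"
)


def parse_report(text):
    """Parse the 'Infected Object Name / Virus Name / Last Action' block.

    Returns one dict per line. Lines that do not match the format come back
    with kind='unparsed' so nothing is silently dropped from the triage.
    """
    findings = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            findings.append({"path": line, "kind": "unparsed", "verdict": None, "action": None})
            continue
        if m.group("locked"):
            kind = "locked"
        elif m.group("archive"):
            kind = "archive"
        else:
            kind = "infected"
        path = m.group("path")
        findings.append({
            "path": path,
            "kind": kind,
            "verdict": m.group("verdict"),
            "action": m.group("action"),
            # Archive members are written outer/inner/...; the file on disk is the first part.
            "disk_file": path.split("/")[0],
            "in_restore_point": bool(RESTORE_RE.match(path)),
        })
    return findings


def triage(findings):
    """Bucket findings by what a responder should do with them.

    live_malware   Trojan/Worm-class verdict on a file outside System Restore
    live_riskware  'not-a-virus:' verdict (adware, downloader) outside System Restore
    live_archive   an archive on disk whose members are listed as separate lines
    restore_point  anything inside a System Restore snapshot; cleared by turning
                   System Restore off and on again once the live system is clean
    locked         files the scanner could not open (hives, in-use files): NOT
                   scanned, which is not the same as clean
    """
    buckets = defaultdict(list)
    for f in findings:
        if f["kind"] == "locked":
            buckets["locked"].append(f["path"])
        elif f["kind"] == "unparsed":
            buckets["unparsed"].append(f["path"])
        elif f["in_restore_point"]:
            buckets["restore_point"].append(f["path"])
        elif f["kind"] == "archive":
            buckets["live_archive"].append(f["path"])
        elif f["verdict"].startswith("not-a-virus:"):
            buckets["live_riskware"].append(f["path"])
        else:
            buckets["live_malware"].append(f["path"])
    return dict(buckets)


def nothing_was_removed(findings):
    """True when every detection's last action is 'skipped' (a report-only scan)."""
    return all(f["action"] == "skipped" for f in findings if f["kind"] != "unparsed")


if __name__ == "__main__":
    findings = parse_report(SAMPLE_REPORT)
    for bucket, paths in sorted(triage(findings).items()):
        print(f"{bucket} ({len(paths)}):")
        for p in paths:
            print("   ", p)
    print("nothing removed by the scanner:", nothing_was_removed(findings))
```

Run against the full report above, every last action is "skipped": the online scanner only reports, so the live hits (digstream.exe, hzyocpn.dll.ren, the Altnet asm.#xe, the snowfree.exe installer) are still on disk, the locked registry hives and regedit.exe were never inspected, and the restore-point copies will stay until System Restore is flushed after the live system is cleaned.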

#19 quaf069

Advanced Member, Full Member, 129 posts

Posted 26 June 2007 - 09:40 PM

Panda Scan

Incident / Status / Location

Virus:W32/Radoppan.AK Disinfected C:\Data\codec,players\quicktime\QuickTime Read Me.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Actions\Call JavaScript.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Actions\Change Property.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Actions\Check Browser.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Actions\Check Plugin.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Actions\Control Shockwave or Flash.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Actions\Drag Layer.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Actions\Go To URL.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Actions\Jump Menu Go.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Actions\Jump Menu.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Actions\Open Browser Window.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Actions\Play Sound.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Actions\Popup Message.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Actions\Preload Images.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Actions\Set Nav Bar Image.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Actions\Set Text\Set Text of Frame.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Actions\Set Text\Set Text of Layer.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Actions\Set Text\Set Text of Status Bar.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Actions\Set Text\Set Text of Text Field.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Actions\Show-Hide Layers.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Actions\Swap Image Restore.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Actions\Swap Image.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Actions\Timeline\Go To Timeline Frame.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Actions\Timeline\Play Timeline.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Actions\Timeline\Stop Timeline.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Actions\Validate Form.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Events\3.0 and Later Browsers.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Events\4.0 and Later Browsers.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Events\IE 3.0.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Events\IE 4.0.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Events\IE 5.0.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Events\Netscape 3.0.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Behaviors\Events\Netscape 4.0.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Add Remove NS Resize Fix.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\addNSResizeFix.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\AlertDS.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Apply Source Formatting.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Clean Up HTML.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Clean Up Word HTML.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\ConfirmDS.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Create Web Photo Album.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Date.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Date_beforeSave.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\debugSyntaxResults.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Define Access Levels.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\delete set.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Design Notes.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Design Notes_onOpen.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\DesignNotesMultiFile.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\DetailPage.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\DriverInfoDialog.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\duplicate set.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Export Table.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Extension Help.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Fireworks HTML.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Flash Button.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Flash Text.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Format Table.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Import Table Data.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Insert Nav Bar.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\InsertEnt.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Jump Menu.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Layout Cell.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Layout Table.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\layoutViewIntro.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Lessons.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Manage Extensions.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Modify Nav Bar.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Optimize Image in Fireworks.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\PasteFireworksHTML.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Processing.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\rename set.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Rollover.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\SelectDSN.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Set Color Scheme.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Sort Table.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Tabular Data.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Test Data.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\Welcome_onOpen.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\_afterSave.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\_beforeSave.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Commands\_onOpen.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Configuration_ReadMe.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Debugger\instrumentCredit.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Debugger\instrumentIE.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Debugger\instrumentIE4.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Debugger\instrumentNetscape.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Floaters\DWGuidedTourFloater.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Floaters\DWLessonsFloater.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Floaters\DWWelcomeFloater.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Floaters\DWWhatsNewFloater.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Floaters\Lesson1Floater.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Floaters\Lesson2Floater.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Floaters\Lesson3Floater.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Floaters\Lesson4Floater.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Floaters\Lesson5Floater.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Floaters\Lesson6Floater.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Floaters\Lesson7Floater.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Inspectors\base.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Inspectors\date.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Inspectors\description.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Inspectors\keywords.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Inspectors\link.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Inspectors\meta.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Inspectors\refresh.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Inspectors\ssi_translated.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Inspectors\ssi_widget.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Inspectors\style.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Inspectors\title.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Accelerators_Main.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Asset_Context_Insert.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Asset_Context_Nickname.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Asset_Context_Refresh.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Asset_Context_SiteList.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\BTC.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\checklinks.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\CodeNav_Dynamic.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Command_Recording.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Context_Image.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Context_Layer.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Context_QTE_Dynamic.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Context_Table_Header.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\CSHelp.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Debug_Dynamic.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Design Notes Launch Sel.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Design Notes Launch.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Editors_Dynamic.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Edit_Clipboard.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\File_RecentFiles.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\File_Save.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\File_SaveAs.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\File_SaveAsTemplate.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\File_SCSItems.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\File_SiteList.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Flash Source.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Image_Editors_Dynamic.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Import Word HTML.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\LaunchExternalEditor.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Modify Flash Button.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Modify Nav Bar.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Modify_EditableRegionItems.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Modify_EditableRegions.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Modify_FrameTargets.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Modify_Hyperlink.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Modify_Library.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Modify_Table.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Modify_Translators.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Open_Linked_Page.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\PIB_Dynamic.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Plugin_AddToFavorites.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Primary_Editor_Dynamic.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Primary_ImageEditor_Dynamic.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Site_AddToFavorites.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Site_File.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Switch_Views.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Text_AddToFavorites.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Text_CustomStyles.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Text_FontFamilies.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Text_Format.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Text_HTMLStyles.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Text_List.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Text_Size.htm
Virus:W32/Radoppan.AK Disinfected C:\Data\Dreamweaver 4\Configuration\Menus\MM\Text_S

#20 quaf069

quaf069

    Advanced Member

  • Full Member
  • 129 posts

Posted 26 June 2007 - 09:46 PM

Hijack This Log:


Logfile of HijackThis v1.99.1
Scan saved at 10:03:32 PM, on 6/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\data\codec,players\quicktime\qttask.exe
C:\Data\winamp\Winampa.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Data\Printer\HP Software Update\HPWuSchd2.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
C:\Program Files\America's Army\GamePad\nost_LM.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Data\winmx\WinMX\WinMX\15\hijackthis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.md-weather.com/"); (C:\Documents and Settings\n1\Application Data\Mozilla\Profiles\default\ap5g8tmn.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\n1\Application Data\Mozilla\Profiles\default\ap5g8tmn.slt\prefs.js)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Data\fonts\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Data\fonts\SnagItIEAddin.dll
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [QuickTime Task] "C:\data\codec,players\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Data\winamp\Winampa.exe"
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [HP Software Update] "C:\Data\Printer\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PDF3 Registry Controller] "C:\Program Files\ScanSoft\PDF Professional 3.0\\RegistryController.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\America's Army\GamePad\nost_LM.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://C:\Program Files\ScanSoft\PDF Professional 3.0\IEShellExt.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{11292B1B-336D-4521-B57F-FCE76C46B4EE}: NameServer = 4.2.2.2,4.2.2.1
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: ΢ (΢2007) - Marvell - (no file)




Summary: Still having the same issues with all of the popups. Also, I am using Netscape Navigator, and with some websites now I cannot see some frames/toolbars. I can see them on IE.

Thanks again.

Quaf

#21 quaf069

quaf069

    Advanced Member

  • Full Member
  • 129 posts

Posted 26 June 2007 - 09:53 PM


#22 quaf069

quaf069

    Advanced Member

  • Full Member
  • 129 posts

Posted 26 June 2007 - 09:56 PM

Sorry for the extra posts... I was having some issues connecting to the site.

#23 Sempurna

Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 27 June 2007 - 03:50 AM

Hi quaf069, :wave:

OK, let's delete some files, and then see if we can fix your regedit problem. Please do this next.

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A


Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Using Windows Explorer (right-click your "Start" button and select "Explore"), please navigate to and delete the following FILES (if they exist):

C:\WINDOWS\retadpu72.exe
C:\Data\Program Files\Altnet\Download Manager\asm.#xe
C:\Data\wallpapers\snowfree.exe
C:\WINDOWS\system32\hzyocpn.dll.ren


Please let me know if you encountered any problems finding or deleting the files.


NEXT:

For this next step, please ensure that you have a *clean* copy of regedit.exe saved somewhere (you can copy it to your removable drive from another *clean* computer).

Please download Unlocker by Cedrick "Nitch" Collomb:
  • Install it.
  • Reboot your computer.
  • After reboot, navigate to this file:

    C:\WINDOWS\regedit.exe

  • Right-click on this file and choose "Unlocker".
  • If the folder or file is locked, a window listing the lockers should come up; click to highlight the file path and choose "Unlock" or "Unlock All" (make sure "No action" is chosen in the program).
  • After you unlock it, right-click on the file and choose "Delete".
If the above was successful, then copy over your copy of regedit.exe into the C:\WINDOWS folder.

Then see if you can run ComboFix now. If you can, please post the log it generates along with a new HijackThis log.
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo
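
As an added example (my own code, not from the thread, from HijackThis or from ComboFix), a small Python triage script that parses the O4 Run and O2 BHO lines of a HijackThis 1.99.1 log and flags the two properties that make the [runner1] entry above stand out: an executable sitting directly in C:\WINDOWS rather than in a program folder, and a long hex blob passed as its argument. The heuristics are assumptions of mine, a flag is a prompt for a human to look and not a verdict, and the sample lines are copied from the log posted above with one clean entry kept for contrast.

```python
"""Triage helper for HijackThis v1.99.1 logs: parse O4 Run and O2 BHO lines and
flag the patterns a malware-removal helper looks at first (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: lines copied from the log posted above (the O23 line is
# present to show that unrelated sections are ignored by the parser).
SAMPLE_LOG = r"""
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""

# "O4 - HKLM\..\Run: [name] command line"
O4_RUN = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# "O2 - BHO: name - {CLSID} - path [(file missing)]"
O2_BHO = re.compile(r'^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - '
                    r'(?P<path>.+?)(?P<missing> \(file missing\))?$')
# Split a Run command line into its executable and its arguments. Unquoted
# paths may contain spaces, so the executable is taken up to its extension.
CMD = re.compile(r'^(?:"(?P<quoted>[^"]+)"|(?P<bare>\S.*?\.(?:exe|dll|scr|com|bat|cmd)))'
                 r'\s*(?P<args>.*)$', re.IGNORECASE)
# Heuristic (assumption): a .exe directly in the Windows folder, not a subfolder.
WINROOT_EXE = re.compile(r'^[A-Za-z]:\\WINDOWS\\[^\\]+\.exe$', re.IGNORECASE)
# Heuristic (assumption): an argument that is nothing but 32+ hex digits.
HEX_BLOB = re.compile(r'^[0-9A-Fa-f]{32,}$')


@dataclass
class Entry:
    kind: str            # "O4" or "O2"
    name: str            # Run value name or BHO class name
    path: str            # executable or DLL path as written in the log
    args: str = ""       # remaining command-line arguments (O4 only)
    flags: list = field(default_factory=list)


def parse_line(line: str):
    """Return an Entry for an O4 Run or O2 BHO line, or None for anything else."""
    m = O4_RUN.match(line)
    if m:
        c = CMD.match(m["cmd"])
        if not c:
            return Entry("O4", m["name"], m["cmd"], flags=["unparsed command line"])
        return Entry("O4", m["name"], c["quoted"] or c["bare"], c["args"].strip())
    m = O2_BHO.match(line)
    if m:
        e = Entry("O2", m["name"], m["path"])
        if m["missing"]:
            e.flags.append("file missing (orphaned registration)")
        return e
    return None


def triage(log_text: str):
    """Parse every recognised line and attach heuristic flags to O4 entries."""
    entries = []
    for raw in log_text.splitlines():
        e = parse_line(raw.rstrip())
        if e is None:
            continue
        if e.kind == "O4":
            if WINROOT_EXE.match(e.path):
                e.flags.append("executable directly in the Windows folder")
            if any(HEX_BLOB.match(tok) for tok in e.args.split()):
                e.flags.append("long hex blob passed as argument")
        entries.append(e)
    return entries


def flagged(log_text: str):
    """Only the entries that earned at least one flag, in log order."""
    return [e for e in triage(log_text) if e.flags]


if __name__ == "__main__":
    for e in flagged(SAMPLE_LOG):
        print(f"{e.kind} [{e.name}] {e.path}")
        for f in e.flags:
            print(f"    - {f}")
```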

#24 quaf069

quaf069

    Advanced Member

  • Full Member
  • 129 posts

Posted 28 June 2007 - 09:55 AM

Hey Sempurna,

1. The following files were deleted per your instruction:


C:\Data\Program Files\Altnet\Download Manager\asm.#xe
C:\Data\wallpapers\snowfree.exe
C:\WINDOWS\system32\hzyocpn.dll.ren

- I could not find the C:\WINDOWS\retadpu72.exe file.

2. I downloaded the Unlocker program and it worked great! I copied and pasted in another regedit file from another computer. Worked well!



3. Got ComboFix to run... see the log below:


"n1" - 2007-06-28 10:40:20 - ComboFix 07-06-27.7 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\n1\APPLIC~1.\ErrorProtector Free
C:\DOCUME~1\n1\APPLIC~1.\ErrorProtector Free\Logs\update.log
C:\DOCUME~1\n1\MYDOCU~1.\racle~1
C:\DOCUME~1\n1\MYDOCU~1.\sstem~1
C:\Program Files\icroso~1
C:\Program Files\winpop
C:\temp\tn3
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService
-------\core
-------\Network Monitor


((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-28 )))))))))))))))))))))))))))))))


2007-06-26 21:01 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-26 16:57 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-06-26 16:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-06-25 21:16 <DIR> d-------- C:\Program Files\CCleaner
2007-06-25 19:56 <DIR> d--h----- C:\WINDOWS\PIF
2007-06-19 18:26 <DIR> d-------- C:\DOCUME~1\n1\DoctorWeb
2007-06-18 10:52 49,152 -ra------ C:\WINDOWS\nircmd.exe
2007-06-18 10:52 170 --a------ C:\combo.vbs
2007-06-18 10:47 18,816 --------- C:\WINDOWS\system32\SAVRKBootTasks.sys
2007-06-18 00:58 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-06-18 00:57 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2007-06-18 00:57 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2007-06-18 00:57 <DIR> d-------- C:\DOCUME~1\n1\APPLIC~1\Simply Super Software
2007-06-17 00:12 <DIR> d-------- C:\WINDOWS\kziu
2007-06-17 00:12 <DIR> d-------- C:\Program Files\Common Files\kziu
2007-06-16 23:57 <DIR> d--hs---- C:\WINDOWS\bmV3
2007-06-16 15:12 <DIR> d-------- C:\DOCUME~1\n1\APPLIC~1\uTorrent
2007-06-12 12:17 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-06-12 12:17 <DIR> d-------- C:\DOCUME~1\n1\APPLIC~1\Zeon
2007-06-12 12:17 <DIR> d-------- C:\DOCUME~1\n1\APPLIC~1\RelevantReach
2007-06-12 12:17 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\InstallShield
2007-06-12 12:16 <DIR> d-------- C:\Program Files\ScanSoft
2007-06-12 12:16 <DIR> d-------- C:\Program Files\Common Files\ScanSoft Shared
2007-06-12 12:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\zeon
2007-06-12 12:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\ScanSoft
2007-06-12 11:54 <DIR> d-------- C:\My Downloads
2007-06-01 15:52 <DIR> d-------- C:\Program Files\BitTorrent


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-28 02:48:06 22,584 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-06-28 02:48:00 99,904 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-06-27 00:23:57 -------- d-----w C:\Program Files\Messenger
2007-06-27 00:22:27 -------- d-----w C:\Program Files\HighMAT CD Writing Wizard
2007-06-27 00:22:09 -------- d-----w C:\Program Files\ESPNRunTime
2007-06-27 00:21:41 -------- d-----w C:\Program Files\DIGStream
2007-06-27 00:20:11 -------- d-----w C:\Program Files\AIM Toolbar
2007-06-27 00:20:11 -------- d-----w C:\Program Files\AIM
2007-06-12 15:16:52 -------- d-----w C:\Program Files\Common Files\InstallShield
2007-05-20 19:48:18 454 ----a-w C:\WINDOWS\system32\close.vbs
2007-05-18 23:57:26 -------- d-----w C:\DOCUME~1\n1\APPLIC~1\Southwest Airlines
2007-05-18 23:57:22 -------- d-----w C:\Program Files\Southwest Airlines
2007-05-18 23:56:55 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-05-13 00:40:18 -------- d-----w C:\Program Files\new_Millenium
2007-05-11 23:31:37 -------- d-----w C:\Program Files\Incomplete
2007-05-05 21:44:28 -------- d--h--w C:\DOCUME~1\n1\APPLIC~1\Move Networks
2007-05-05 21:43:30 938,096 ----a-w C:\Program Files\qmpsetup_win_ie_07030901.exe
2007-05-04 00:56:19 -------- d-----w C:\Program Files\LimeWire
2007-04-28 21:01:14 -------- d-----w C:\DOCUME~1\n1\APPLIC~1\dvdcss
2007-04-28 20:51:45 -------- d-----w C:\Program Files\Fireworks 4
2007-04-18 23:53:32 1,399,175 --sh--w C:\WINDOWS\system32\hjkmp.bak1
2005-07-29 19:24:26 472 --sha-r C:\WINDOWS\bmV3\vApa.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{00C6482D-C502-44C8-8409-FCE54AD9C208}=C:\Data\fonts\SnagItBHO.dll [2005-10-14 08:25]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 12:02]
{0A87E45F-537A-40B4-B812-E2544C21A09F}=C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2004-10-29 18:50 C:\WINDOWS\system32\nwiz.exe]
"Acronis True Image Monitor"="C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe" [2004-12-20 22:24]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [2004-12-20 22:24]
"QuickTime Task"="C:\data\codec" []
"WinampAgent"="C:\Data\winamp\Winampa.exe" [2001-10-01 21:42]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2003-10-31 21:42]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-01-23 06:03]
"SoundMan"="SOUNDMAN.EXE" [2004-02-09 05:54 C:\WINDOWS\SOUNDMAN.EXE]
"DIGStream"="C:\Program Files\DIGStream\digstream.exe" [2005-05-18 15:49]
"DIGServices"="C:\Program Files\ESPNRunTime\DIGServices.exe" [2005-05-19 14:55]
"HP Software Update"="C:\Data\Printer\HP Software Update\HPWuSchd2.exe" [2004-09-13 15:49]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-09-30 00:14]
"PDF3 Registry Controller"="C:\Program Files\ScanSoft\PDF Professional 3.0\\RegistryController.exe" [2005-07-01 02:59]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 16:15]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 16:15]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 14:19]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-08-04 02:56]


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{24e5e2d2-d0c5-11da-a393-00115b5a2314}]
AutoRun\command- F:\setupSNK.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{adef6570-1f4a-11db-9f74-00115b5a2314}]
AutoRun\command- F:\JDSecure\Windows\JDSecure31.exe


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-28 10:45:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Acronis True Image Monitor"="\"C:\\Program Files\\Acronis\\TrueImage\\TrueImageMonitor.exe\""


Completion time: 2007-06-28 10:46:33 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-28 10:46

--- E O F ---

4. Please find below the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:49:19 AM, on 6/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
C:\data\codec,players\quicktime\qttask.exe
C:\Data\winamp\Winampa.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\DIGStream\digstream.exe
C:\Program Files\ESPNRunTime\DIGServices.exe
C:\Data\Printer\HP Software Update\HPWuSchd2.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
C:\Program Files\America's Army\GamePad\nost_LM.exe
C:\Program Files\Southwest Airlines\Ding\Ding.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Data\winmx\WinMX\WinMX\15\hijackthis\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.md-weather.com/"); (C:\Documents and Settings\n1\Application Data\Mozilla\Profiles\default\ap5g8tmn.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\n1\Application Data\Mozilla\Profiles\default\ap5g8tmn.slt\prefs.js)
O2 - BHO: HelperObject Class - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Data\fonts\SnagItBHO.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Data\fonts\SnagItIEAddin.dll
O3 - Toolbar: &ESPN - {AE6F2894-AF10-4C9C-B16E-1DFC6FF8C0C6} - C:\Program Files\ESPN\Toolbar\DIGToolBar.dll
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Acronis True Image Monitor] "C:\Program Files\Acronis\TrueImage\TrueImageMonitor.exe"
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\data\codec,players\quicktime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinampAgent] "C:\Data\winamp\Winampa.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DIGStream] C:\Program Files\DIGStream\digstream.exe
O4 - HKLM\..\Run: [DIGServices] C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24
O4 - HKLM\..\Run: [HP Software Update] "C:\Data\Printer\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PDF3 Registry Controller] "C:\Program Files\ScanSoft\PDF Professional 3.0\\RegistryController.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: DING!.lnk = C:\Program Files\Southwest Airlines\Ding\Ding.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\digital imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\digital imaging\bin\hpqthb08.exe
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\America's Army\GamePad\nost_LM.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with Scansoft PDF Converter 3.0 - res://C:\Program Files\ScanSoft\PDF Professional 3.0\IEShellExt.dll /100
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{11292B1B-336D-4521-B57F-FCE76C46B4EE}: NameServer = 4.2.2.2,4.2.2.1
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: ΢ (΢2007) - Marvell - (no file)



Quaf
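
Reading ComboFix and HijackThis output by hand is how the helper in the next post spots the leftover: a file with hidden and system attributes sitting in system32 (hjkmp.bak1), plus dangling registrations such as a BHO whose DLL no longer exists. The script below is an added example, not part of this thread and not code from either tool, that applies those same checks to log lines. The sample lines are constructed from the two logs above; the file attributes are read from ComboFix's seven-character flag column (assumed to always be present), and the severities are this example's own heuristic, not a verdict from the tools.

```python
import re
from typing import Iterable

# ComboFix Find3M line: "<date> <time> <size|--------> <7-char attrs> <path>"
FIND3M_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|-{8})\s+(?P<attrs>\S{7})\s+(?P<path>.+?)\s*$"
)
# HijackThis line: "Onn - <rest>"
HJT_RE = re.compile(r"^(?P<code>O\d{1,2}) - (?P<rest>.+?)\s*$")

WINDOWS_TREE = re.compile(r"^[A-Z]:\\WINDOWS\\", re.IGNORECASE)
SCRIPT_EXT = (".vbs", ".js", ".bat", ".cmd", ".scr", ".pif")
SEVERITY_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2, "INFO": 3}

# Constructed sample: lines in the format of the ComboFix and HijackThis
# logs posted above (assumption: one entry per line, no wrapping).
SAMPLE_LOG = r"""
2007-06-28 02:48:06 22,584 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-06-27 00:23:57 -------- d-----w C:\Program Files\Messenger
2007-05-20 19:48:18 454 ----a-w C:\WINDOWS\system32\close.vbs
2007-05-05 21:44:28 -------- d--h--w C:\DOCUME~1\n1\APPLIC~1\Move Networks
2007-04-18 23:53:32 1,399,175 --sh--w C:\WINDOWS\system32\hjkmp.bak1
2005-07-29 19:24:26 472 --sha-r C:\WINDOWS\bmV3\vApa.vbs
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{11292B1B-336D-4521-B57F-FCE76C46B4EE}: NameServer = 4.2.2.2,4.2.2.1
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
"""


def _find3m_findings(m):
    """Score one Find3M entry: hidden+system files and scripts under \\WINDOWS."""
    attrs, path = m.group("attrs"), m.group("path")
    if attrs[0] == "d":  # hidden directories are common in profiles; only files are scored
        return []
    out = []
    in_windows = bool(WINDOWS_TREE.match(path))
    if in_windows and "s" in attrs and "h" in attrs:
        out.append(("HIGH", "hidden+system file in Windows tree (Explorer hides it by default)", path))
    if in_windows and path.lower().endswith(SCRIPT_EXT):
        out.append(("MEDIUM", "script file in Windows tree", path))
    return out


def _hjt_findings(m):
    """Score one HijackThis entry: dangling registrations, unowned services, DNS."""
    code, rest = m.group("code"), m.group("rest")
    out = []
    if rest.endswith("(file missing)"):
        out.append(("MEDIUM", f"{code} entry points at a missing file (dangling registration)", rest))
    if code == "O23":
        if " - Unknown owner - " in rest:
            out.append(("LOW", "service binary carries no company name in its version info", rest))
        if rest.endswith("(no file)"):
            out.append(("MEDIUM", "service registered but its binary is absent", rest))
    if code == "O17":
        ns = re.search(r"NameServer = (\S+)", rest)
        if ns:
            out.append(("INFO", "DNS servers in use: " + ns.group(1)
                        + " (confirm they are the ISP's or the user's choice)", rest))
    return out


def triage(lines: Iterable[str]):
    """Return (severity, reason, evidence) tuples, highest severity first."""
    findings = []
    for line in lines:
        line = line.rstrip("\n")
        if m := FIND3M_RE.match(line):
            findings.extend(_find3m_findings(m))
        elif m := HJT_RE.match(line):
            findings.extend(_hjt_findings(m))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


if __name__ == "__main__":
    for sev, reason, evidence in triage(SAMPLE_LOG.splitlines()):
        print(f"[{sev:6}] {reason}: {evidence}")
```

Run against the sample, the two hidden+system files in the Windows tree come out on top, the two .vbs files and the missing SCActiveBlock.dll follow, PnkBstrA is noted as unowned, and the O17 line is reported rather than scored: public resolvers such as 4.2.2.2 are not evidence of a hijack on their own, so the entry is something to confirm with the user, not something to delete.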

#25 Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 29 June 2007 - 06:12 AM

Hi Quaf,

Your system appears to have cleared nicely. :)

Just a leftover to fix. Please delete this FILE:

C:\WINDOWS\system32\hjkmp.bak1


How are things running now? Any persistent problem or suspicious behavior on your machine that I should know about?
My help is free, but if you wish to help keep these forums running please consider a donation, see this topic for details.

--------------------

We are each of us angels with but one wing. And we can only fly embracing each other.
Luciano De Crescenzo

#26 quaf069

    Advanced Member

  • Full Member
  • 129 posts

Posted 02 July 2007 - 09:00 PM

Yes, everything seems to be working fine! Thanks so much!

#27 Sempurna

    Forum Deity

  • Retired Staff
  • 3,838 posts

Posted 02 July 2007 - 11:42 PM

Hi Quaf, :wave:

You're most welcome, Quaf. I'm glad to hear that things are working better now. :)

Just some loose ends to tie up, and then we can let you go home. :)

Please download OTMoveIt by OldTimer:
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Click the green "CleanUp!" button.
  • If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, you should allow it to do so.
  • In the left pane, it will display a list of tools and other related files that you may have downloaded or used during our cleanup process, plus backup folders that were created with the bad files present. These are not needed anymore, so OTMoveIt will proceed to delete them.
  • Do NOT edit anything in that window!
  • Don't worry if it displays some tools you didn't download or use.
  • Click "Yes" when it asks to begin the cleanup process.
  • Then, please reboot your computer.

NEXT:

Reconfigure Windows XP to disable viewing of hidden files/folders:
  • Click Start -> My Computer.
  • Select the "Tools" menu and click "Folder Options". Select the "View" tab.
  • Under the "Hidden files and folders" heading check "Do not show hidden files and folders".
  • Check the "Hide file extensions for known file types" option.
  • Check the "Hide protected operating system files (recommended)" option.
  • Click "Yes" to confirm. Click "OK".

NEXT:

To create a new system restore point:
  • Go to Start Menu -> All Programs -> Accessories -> System Tools -> System Restore.
  • Click "Create A Restore Point" then click "Next". Give it a name and then click "Create".
  • When the confirmation screen shows the restore point has been created click "Close".
  • Then go to Start -> Run and type in (or copy and paste):

    cleanmgr

  • Click "OK".
  • Disk Cleanup will open and start calculating the amount of space that can be freed.
  • Once that's finished it will open the Disk Cleanup options screen; click the "More Options" tab.
  • Click "Clean Up" in the "System Restore" section and choose "Yes" at the confirmation window.
This will remove all previous restore points except the newly created one.


NEXT:

Your version of Sun Java is out-of-date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older Java version components and update:
  • CLICK HERE to download the offline installer.
    • Select "Java Runtime Environment (JRE) 6u1" and click the "Download" button to the right.
    • Check the box that says "Accept License Agreement".
    • Click on the link to download "Windows Offline Installation, Multi-language".
    • Save the file to your desktop.
  • Next, uninstall your currently installed version from Add/Remove Programs.
  • If you have older versions listed uninstall them also. If you simply update to the new version it leaves the older versions still installed, complete with previous vulnerabilities.
  • Examples of older versions in Add/Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 2
    • Java™ SE Runtime Environment 6
  • Reboot your system.
  • Install the new version by double-clicking on the file you downloaded.

NEXT:

Everything looks great --- your HijackThis log appears to be clean. :)

Please take some time reading this list; it is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  • Windows Updates (a must!)
    It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. You can either click on the link above and bookmark the updates page, or open Internet Explorer, then go to the Tools menu -> Windows Update, and follow the online instructions from there.

  • Firewall (a must!)
    It is definitely a must have. Some good FREE versions are Comodo, Outpost, or ZoneAlarm.
    Test your Firewall and make sure it is working properly.
    Note: You must only use 1 (one) firewall at a time because if you have 2 or more firewalls running at the same time, they will conflict with each other and make your security less reliable. Please also remember to turn off Windows Firewall once you have installed a new firewall.

  • Also make sure to run your antivirus software regularly, and to keep it up-to-date.

  • Please consider using an alternate browser. Mozilla's Firefox browser is fantastic; it is much more secure than Internet Explorer, immune to almost all known browser hijackers, and also has the best built-in popup blocker (as an added benefit!) that I have ever seen. If you do decide to install Firefox, please take a moment to read Switching from IE to Firefox.

  • SpywareBlaster
    This is a great FREE prevention tool to keep nasties from installing on your system.
    Tutorial: How to use!

  • IE-SPYAD
    This FREE tool adds over 15,000 items to your IE Restricted Zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
    Tutorial: How to use!

  • SnoopFree Privacy Shield
    This compact and powerful FREE tool is a real-time monitoring program that warns you whenever spyware tries to compromise your system.
    Note: Although it can delete suspicious files, it is best to check with your friendly neighborhood security analyst before attempting to delete anything. Some perfectly legitimate files have behavioral characteristics that may be flagged by this dynamic tool as being potentially malicious.

  • Spybot - Search & Destroy
    This is a very powerful FREE tool that can search for and annihilate nasties that make it onto your system. Please also remember to enable Spybot's "Immunize" and "TeaTimer" features for realtime protection.
    Tutorial: How to use!

  • Ad-Aware SE Personal 1.06r1
    This is another very powerful FREE tool that searches for and kills nasties that infect your system. Ad-Aware SE and Spybot Search & Destroy complement each other very well.
    Tutorial: How to use!
    Note: Please do NOT install the new Ad-Aware 2007 version as it is not as good as the older SE version.

  • I suggest that you download and install one or two of these FREE and good anti-trojan programs to use for ad-hoc scanning on your system:
    a-squared Free
    AVG Anti-Spyware Free
    SUPERAntiSpyware Free Edition

  • I would also suggest you perform an online virus scan once in a while because what one virus scanner can't find, another one maybe can:
    BitDefender Online Scanner
    F-Secure Online Scanner
    Panda ActiveScan
    Dr.Web CureIt <-- This is not really an online scanner, as it is a standalone utility. You need to download a new copy for updated virus definitions, but it can be run in Safe Mode, unlike the online scanners above.
Please also read Tony Klein's excellent article How I got Infected in the First Place and this CastleCops article Malware Prevention: Prevent Re-infection.

Hopefully this should take care of your problems! Good luck! :D
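
The warning in the post above, that installing a newer JRE leaves the older ones and their known vulnerabilities in place, can be checked rather than eyeballed. Below is an added example, mine and not the post's or Sun's, that parses Add/Remove Programs display names into comparable version tuples and lists every JRE older than the 6u1 build the post installs. The three naming conventions it recognises are the ones quoted in the post (it assumes no other variants are present), the sample list is constructed, and the optional registry reader uses the standard Uninstall key, which is where Add/Remove Programs gets its list; on a non-Windows host it returns nothing and the sample list is used instead.

```python
import re
import sys

# Constructed sample of Add/Remove Programs display names, using the naming
# conventions quoted in the post, plus one non-Java entry as a control.
SAMPLE_DISPLAY_NAMES = [
    "Java 2 Runtime Environment, SE v1.4.2",
    "J2SE Runtime Environment 5.0",
    "J2SE Runtime Environment 5.0 Update 2",
    "Java(TM) SE Runtime Environment 6",
    "Java(TM) SE Runtime Environment 6 Update 1",
    "Adobe Reader 5.0",
]

# Three display-name conventions Sun used for the JRE; assumption: no others present.
JRE_RE = re.compile(
    r"^(?:"
    r"Java 2 Runtime Environment, SE v(?P<v14>\d+\.\d+\.\d+)"
    r"|J2SE Runtime Environment (?P<v5>\d+)\.0(?: Update (?P<v5u>\d+))?"
    r"|Java\(TM\) SE Runtime Environment (?P<v6>\d+)(?: Update (?P<v6u>\d+))?"
    r")\s*$"
)


def parse_jre_version(name):
    """Map a display name to a comparable (major, minor, micro, update) tuple.

    The marketing names '5.0' and '6' are the 1.5 and 1.6 families internally,
    so they are normalised to 1.x here; non-JRE names give None.
    """
    m = JRE_RE.match(name)
    if not m:
        return None
    if m.group("v14"):
        a, b, c = (int(x) for x in m.group("v14").split("."))
        return (a, b, c, 0)
    if m.group("v5"):
        return (1, int(m.group("v5")), 0, int(m.group("v5u") or 0))
    return (1, int(m.group("v6")), 0, int(m.group("v6u") or 0))


def stale_java_installs(display_names, target=(1, 6, 0, 1)):
    """Return the display names of every JRE older than target (default 6u1).

    These are the entries to remove in Add/Remove Programs: a newer installer
    leaves them, and their known vulnerabilities, in place.
    """
    stale = []
    for name in display_names:
        version = parse_jre_version(name)
        if version is not None and version < target:
            stale.append(name)
    return stale


def installed_display_names():
    """On Windows, read DisplayName from the Uninstall key Add/Remove Programs uses.

    Returns an empty list elsewhere so the example still runs for the reader.
    """
    if sys.platform != "win32":
        return []
    import winreg
    names = []
    uninstall = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, uninstall) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            try:
                with winreg.OpenKey(key, winreg.EnumKey(key, i)) as sub:
                    names.append(winreg.QueryValueEx(sub, "DisplayName")[0])
            except OSError:
                continue  # subkey without a DisplayName, or unreadable; skip it
    return names


if __name__ == "__main__":
    names = installed_display_names() or SAMPLE_DISPLAY_NAMES
    for name in stale_java_installs(names):
        print("uninstall:", name)
```

On the sample list the first four entries are reported for removal and the 6 Update 1 entry is kept; the uninstall itself is still done through Add/Remove Programs as the post describes, because each old JRE has its own uninstaller and removing only the directory leaves the browser plug-in registrations behind.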



