
Computer keeps disconnecting from network every 1/2 hour, very slow


This topic is locked
34 replies to this topic

#1 mistersmith

    Member

  • Full Member
  • 40 posts

Posted 25 April 2007 - 02:34 PM

Co-worker's computer has been disconnecting from the internet every 1/2 hour. We're all hooked up to the same wireless access point, and everyone else's computer and internet has been fine, so I thought it was safe to assume the problem was localized to her computer. We swapped out wireless adapters, and the problem still exists. I thought the problem was spyware.

Ran Adaware, Spybot. It removed a bunch of spyware files. Then I ran Trojan Hunter, and that removed a few files too. My apologies for not writing down which files it removed, but I thought the problem would be resolved. Then I ran Symantec Antivirus on it. It kept scanning email messages that it said were being sent out from her computer, but we had no idea what messages it was referring to. Other than that, it's caught nothing. All of the messages from Symantec say that the emails were refused. Is there any way we can fix this? We've rerun Adaware, Spybot, and Trojan Hunter and now they do not catch anything. We also ran Trend Micro and got nothing either.

Here's her hijack this log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:28:14 PM, on 4/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\program files\umsd tools2.33\umsd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Shirley Liu\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pointe-server/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [PLoader] c:\program files\umsd tools2.33\umsd.exe sys_auto_run C:\Program Files\UMSD Tools2.33
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [atmdiag] C:\WINDOWS\system32\atmconf.exe
O4 - HKLM\..\Run: [drvdiag] C:\WINDOWS\system32\drvconf.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [WinMedia] svchost (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinMedia] svchost (User 'Default user')
O4 - Global Startup: MA101 Configuration Utility .lnk = C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\ytz.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ytz.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ytz.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ytz.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ytz.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ytz.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O20 - AppInit_DLLs: confatm.dll atmstat.dll confdrv.dll drvstat.dll e1.dll
O20 - Winlogon Notify: atmmgr - C:\WINDOWS\SYSTEM32\atmmgr32.dll
O20 - Winlogon Notify: drvmgr - C:\WINDOWS\SYSTEM32\drvmgr32.dll
O20 - Winlogon Notify: msjtwinr - C:\WINDOWS\system32\msjtwinr.dll (file missing)
O20 - Winlogon Notify: sfcfdmsc - C:\WINDOWS\system32\sfcfdmsc.dll
O20 - Winlogon Notify: wmvmgr - wmvmgr32.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 7376 bytes
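A log like the one above is read by picking out a few persistence locations first. The Python script below is an added example for this page, not something posted in the thread and not a HijackThis feature: it parses HJT-style entry lines and flags the items a reviewer would look at first, namely unknown Winsock LSP DLLs (O10), AppInit_DLLs and Winlogon Notify packages (O20), and Run-key entries (O4) that either launch a system-process name without a path or follow the paired "<xxx>diag" / "<xxx>conf.exe" naming that stands out in the log above. The sample lines are copied from that log; the section-code regexes and the naming heuristic are the script's own assumptions.

```python
import re

# Lines copied from the HijackThis log posted above (page content, not constructed).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [atmdiag] C:\WINDOWS\system32\atmconf.exe
O4 - HKLM\..\Run: [drvdiag] C:\WINDOWS\system32\drvconf.exe
O4 - HKUS\S-1-5-18\..\Run: [WinMedia] svchost (User 'SYSTEM')
O10 - Unknown file in Winsock LSP: c:\windows\system32\ytz.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\ytz.dll
O20 - AppInit_DLLs: confatm.dll atmstat.dll confdrv.dll drvstat.dll e1.dll
O20 - Winlogon Notify: atmmgr - C:\WINDOWS\SYSTEM32\atmmgr32.dll
O20 - Winlogon Notify: msjtwinr - C:\WINDOWS\system32\msjtwinr.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\SYMANT~1\SYMANT~1\DefWatch.exe
"""

# "O4 - <body>", "R1 - <body>", ...; header and process-list lines do not match (assumed format).
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
# Run-key body: "HKLM\..\Run: [name] command"
RUN_RE = re.compile(r"^HK\S+\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# Heuristic (assumption): the paired "<xxx>diag" name / "<xxx>conf.exe" command seen in the log above.
DIAG_RE = re.compile(r"^[a-z]{3}diag$")


def parse_log(text):
    """Return (section, body) pairs for every HijackThis entry line in the log."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(text):
    """Return de-duplicated (section, body, reason) triples for entries worth a closer look."""
    findings, seen = [], set()

    def add(section, body, reason):
        if (section, body) not in seen:
            seen.add((section, body))
            findings.append((section, body, reason))

    for section, body in parse_log(text):
        if section == "O10" and body.startswith("Unknown file in Winsock LSP:"):
            # HJT repeats one LSP DLL once per protocol-chain entry; report it once.
            add(section, body, "unknown Winsock LSP DLL: deleting the file without repairing the "
                               "LSP chain breaks all networking, so fix the chain first")
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            add(section, body, "AppInit_DLLs are loaded into every process that loads user32.dll; "
                               "legitimate use of this value is rare")
        elif section == "O20" and body.startswith("Winlogon Notify:"):
            reason = "Winlogon Notify package: the DLL is loaded by winlogon.exe at logon"
            if body.endswith("(file missing)"):
                reason += "; the file is gone but the registry entry remains"
            add(section, body, reason)
        elif section == "O4":
            m = RUN_RE.match(body)
            if not m:
                continue  # Global Startup shortcuts and similar are left alone here
            name, cmd = m.group("name"), m.group("cmd")
            exe = cmd.split()[0].lower() if cmd else ""
            if DIAG_RE.match(name) and exe.endswith("conf.exe"):
                add(section, body, "Run entry follows the <xxx>diag / <xxx>conf.exe naming pattern")
            elif exe in ("svchost", "svchost.exe"):
                add(section, body, "a system-process name launched from a Run key without a full path")
    return findings


if __name__ == "__main__":
    for section, body, reason in triage(SAMPLE_LOG):
        print(f"{section}: {body}\n    -> {reason}")
```

The output is a review list, not a verdict: every Winlogon Notify package is listed, including any legitimate one, and the O4 rules are deliberately narrow so that ordinary vendor startup entries such as IgfxTray stay out of the way. Run it against a full log by passing the file contents to `triage()`.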

#2 SWI Support Robot

    Helper robot

  • SWI Bot
  • 23,520 posts

Posted 28 April 2007 - 06:30 AM

Welcome to SWI. We apologize for the delay; our helpers have been very busy.
If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

Thank you for your patience.

[this is an automated reply]
This is an automated message. It does not count as help.

#3 nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 01 May 2007 - 10:08 AM

I need to find out more about these files.
It looks like you have a new variant of the Warezov Mail infection.

Submit the files in bold to the following link for a scan, then post the results in your next message for me to see.
http://virusscan.jotti.org/


C:\WINDOWS\system32\atmconf.exe
C:\WINDOWS\system32\drvconf.exe
c:\windows\system32\ytz.dll
C:\WINDOWS\SYSTEM32\atmmgr32.dll
C:\WINDOWS\SYSTEM32\drvmgr32.dll
C:\WINDOWS\system32\sfcfdmsc.dll

Wait for further instructions.

I strongly suggest that you do not delete the files, especially ytz.dll, which will cause you to lose your Internet connection, and you will have to reinstall I.E.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#4 nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 12 May 2007 - 08:48 AM

Due to the lack of feedback this Topic is closed.

[Reopened]

Everyone else please begin a New Topic.

#5 cnm

    Mother Lion of SWI

  • Administrators
  • 25,317 posts

Posted 16 May 2007 - 02:36 PM

Reopened at request of topic owner.

Microsoft MVP Windows Security 2005-2006
How camest thou in this pickle? -- William Shakespeare:(1564-1616)
The various helper groups here
UNITE


#6 mistersmith

    Member

  • Full Member
  • 40 posts

Posted 16 May 2007 - 02:54 PM

> Reopened at request of topic owner.


Thanks, sorry for not replying quickly enough. Ran the scans. It doesn't look good.
I'm having problems scanning the last file. The computer is running too slow.
I will post it however if I can access the website.

C:\WINDOWS\system32\atmconf.exe
The file you uploaded is 0 bytes. It is very likely a
firewall or a piece of malware is prohibiting you from uploading
this file

C:\WINDOWS\system32\drvconf.exe

A-Squared Found nothing
AntiVir Found WORM/Warezov.JP.2
ArcaVir Found Worm.Warezov.Jp
Avast Found nothing
AVG Antivirus Found I-Worm/Stration.CVY
BitDefender Found Win32.Warezov.XO@mm
ClamAV Found Worm.Stration.ADG
Dr.Web Found Win32.HLLM.Limar
F-Prot Antivirus Found W32/EmailWorm.JSO
F-Secure Anti-Virus Found Email-Worm.Win32.Warezov.jp
Fortinet Found W32/Stration.JP@mm
Kaspersky Anti-Virus Found Email-Worm.Win32.Warezov.jp
NOD32 Found Win32/Stration.ZA
Norman Virus Control Found W32/Stration.FDG
Panda Antivirus Found W32/Spamta.WS.worm
Rising Antivirus Found Worm.Mail.Warezov.jd
VirusBuster Found nothing
VBA32 Found MalwareScope.Worm.Warezov.1

c:\windows\system32\ytz.dll

A-Squared Found nothing
AntiVir Found TR/Vqten.A.7
ArcaVir Found Trojan.Agent.Afg
Avast Found Win32:Agent-GPJ
AVG Antivirus Found PSW.Generic3.ZSF
BitDefender Found Trojan.Vqten.A
ClamAV Found nothing
Dr.Web Found Trojan.Vqten
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan.Win32.Agent.afg
Fortinet Found NetVQ!tr
Kaspersky Anti-Virus Found Trojan.Win32.Agent.afg
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found Trojan.Vqten

C:\WINDOWS\SYSTEM32\atmmgr32.dll

A-Squared Found Email-Worm.Win32.Warezov.ke
AntiVir Found WORM/Warezov.KE.1
ArcaVir Found Worm.Warezov.Ke
Avast Found Win32:Warezov-BVK
AVG Antivirus Found I-Worm/Stration.BXJ
BitDefender Found Win32.Warezov.QB@mm
ClamAV Found Worm.Stration.XR-16
Dr.Web Found Win32.HLLM.Limar
F-Prot Antivirus Found W32/EmailWorm.PR
F-Secure Anti-Virus Found Email-Worm.Win32.Warezov.ke
Fortinet Found W32/Stration.DQ@mm
Kaspersky Anti-Virus Found Email-Worm.Win32.Warezov.ke
NOD32 Found Win32/Stration
Norman Virus Control Found W32/Stration.EYZ
Panda Antivirus Found nothing
Rising Antivirus Found Worm.Mail.Warezov.wg
VirusBuster Found Trojan.Opnis.Gen.17
VBA32 Found MalwareScope.Worm.Warezov.1

drvmgr32.dll

A-Squared Found Email-Worm.Win32.Warezov.jp
AntiVir Found WORM/Warezov.NL.1
ArcaVir Found Worm.Warezov.Jp
Avast Found Win32:Warezov-BCX
AVG Antivirus Found I-Worm/Stration.CVW
BitDefender Found Win32.Warezov.XO@mm
ClamAV Found Worm.Stration.ADF
Dr.Web Found Win32.HLLM.Limar
F-Prot Antivirus Found W32/EmailWorm.JAR
F-Secure Anti-Virus Found Email-Worm.Win32.Warezov.jp
Fortinet Found W32/Stration.JP@mm
Kaspersky Anti-Virus Found Email-Worm.Win32.Warezov.jp
NOD32 Found Win32/Stration.ZA
Norman Virus Control Found W32/Stration.FCZ
Panda Antivirus Found nothing
Rising Antivirus Found Worm.Mail.Warezov.jh
VirusBuster Found nothing
VBA32 Found Email-Worm.Win32.Warezov.jp

#7 nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 16 May 2007 - 03:34 PM

This is the type of infection we are dealing with.
The Warezov infection is a mass-mailing worm. It harvests e-mail addresses from the infected computer and uses its own SMTP engine to send a copy of itself via e-mail to the harvested addresses.

Optional - VIEWPOINT MANAGER
Viewpoint Manager is considered foistware rather than malware, since it is installed without the user's approval but doesn't spy or do anything "bad". This will change from what we know in 2006; read this article: http://www.clickz.co...cle.php/3561546
Additional info: http://vil.nai.com/v...nt/v_137262.htm
I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar
Your call.

Next:

Download LSPfix
Unzip the file to a folder on your desktop.
Double-click to run
Select: (Advanced) "I know what I'm doing"
Select: ytz.dll (left pane)
Click the right arrow to bring it to REMOVE (right pane).
Then click the FINISH button. Restart your computer.

On restart Open Windows Explorer, locate and delete:

C:\WINDOWS\system32\ytz.dll <--this file

=*=

Disable Trojan Hunter Guard:
Please disable Trojan Hunter Guard, as it may interfere with the fix.

To disable Trojan Hunter Guard:
  • Go to TrojanHunter Guard in the lower right corner of your screen. It is a light blue icon with a magnifying glass that can be difficult to see but the handle is red.
  • Right-click it and select Settings. Uncheck "Load at startup" and "Enabled".
Once your log is clean you can re-enable Trojan Hunter Guard.

=*=

Close all programs, leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - HKLM\..\Run: [atmdiag] C:\WINDOWS\system32\atmconf.exe
O4 - HKLM\..\Run: [drvdiag] C:\WINDOWS\system32\drvconf.exe
O4 - HKUS\S-1-5-18\..\Run: [WinMedia] svchost (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinMedia] svchost (User 'Default user')
O20 - AppInit_DLLs: confatm.dll atmstat.dll confdrv.dll drvstat.dll e1.dll
O20 - Winlogon Notify: atmmgr - C:\WINDOWS\SYSTEM32\atmmgr32.dll
O20 - Winlogon Notify: drvmgr - C:\WINDOWS\SYSTEM32\drvmgr32.dll
O20 - Winlogon Notify: msjtwinr - C:\WINDOWS\system32\msjtwinr.dll (file missing)
O20 - Winlogon Notify: sfcfdmsc - C:\WINDOWS\system32\sfcfdmsc.dll
O20 - Winlogon Notify: wmvmgr - wmvmgr32.dll (file missing)


Click on Fix Checked when finished and exit HijackThis.

Delete these files in bold if found.

Files
confatm.dll atmstat.dll confdrv.dll drvstat.dll e1.dll (locate and delete these files; they are probably in the C:\Windows or C:\Windows\system32 folder)
C:\WINDOWS\system32\atmconf.exe
C:\WINDOWS\system32\drvconf.exe
C:\WINDOWS\SYSTEM32\atmmgr32.dll
C:\WINDOWS\system32\sfcfdmsc.dll

Restart the computer to reset the registry.

Submit a fresh HijackThis log for review. Let me know what problem remains.
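nasdaq's description above, a worm with its own SMTP engine mailing itself to harvested addresses, is also what produced the first symptom in this thread: Symantec saw outbound mail being refused. From the network side the same behaviour shows up as one workstation opening SMTP connections to many different mail servers in a short time, something a workstation that sends through the office relay never does. The Python script below is an added example for this page, not a tool from the thread: it reads constructed firewall connection-log lines (the line format, the addresses, the relay address and the 60-second / 5-destination threshold are all assumptions) and reports hosts whose direct port-25 fan-out reaches the threshold, ignoring connections to the known mail relay.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of firewall connection-log lines (not from the thread).
# Assumed format: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <action>"
# 192.168.1.23 fans out to six different mail servers inside 40 seconds;
# 192.168.1.10 only ever talks to the office relay; 192.168.1.15 sends two direct messages.
SAMPLE_CONN_LOG = """\
2007-05-16T14:00:01 192.168.1.23 -> 203.0.113.10:25 ALLOW
2007-05-16T14:00:04 192.168.1.23 -> 203.0.113.11:25 ALLOW
2007-05-16T14:00:07 192.168.1.10 -> 10.0.0.5:25 ALLOW
2007-05-16T14:00:09 192.168.1.23 -> 198.51.100.7:25 ALLOW
2007-05-16T14:00:12 192.168.1.23 -> 203.0.113.10:25 ALLOW
2007-05-16T14:00:15 192.168.1.15 -> 198.51.100.20:25 ALLOW
2007-05-16T14:00:18 192.168.1.23 -> 198.51.100.8:25 ALLOW
2007-05-16T14:00:20 192.168.1.23 -> 203.0.113.40:80 ALLOW
2007-05-16T14:00:25 192.168.1.23 -> 203.0.113.12:25 ALLOW
2007-05-16T14:00:31 192.168.1.15 -> 198.51.100.21:25 ALLOW
2007-05-16T14:00:38 192.168.1.23 -> 198.51.100.9:25 ALLOW
2007-05-16T14:02:30 192.168.1.10 -> 10.0.0.5:25 ALLOW
"""

# Assumed: the only host that workstations are supposed to send mail through.
MAIL_RELAYS = frozenset({"10.0.0.5"})


def smtp_fanout(log_text, window=timedelta(seconds=60), relays=MAIL_RELAYS):
    """Per source IP, the peak number of distinct direct port-25 destinations in any window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, _, dst, action = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        if dst_port != "25" or action != "ALLOW" or dst_ip in relays:
            continue  # not direct outbound SMTP, or mail going where it should
        events[src].append((datetime.fromisoformat(ts), dst_ip))

    peak = {}
    for src, evs in events.items():
        evs.sort()
        recent = deque()  # events inside the current sliding window
        best = 0
        for t, ip in evs:
            recent.append((t, ip))
            while t - recent[0][0] > window:
                recent.popleft()
            best = max(best, len({d for _, d in recent}))
        peak[src] = best
    return peak


def flag_mass_mailers(log_text, threshold=5, **kwargs):
    """Sources whose direct SMTP fan-out reaches the threshold, sorted for stable output."""
    return sorted(src for src, n in smtp_fanout(log_text, **kwargs).items() if n >= threshold)


if __name__ == "__main__":
    for src, n in sorted(smtp_fanout(SAMPLE_CONN_LOG).items()):
        print(f"{src}: {n} distinct direct SMTP destinations in one window")
    print("flagged:", flag_mass_mailers(SAMPLE_CONN_LOG))
```

Counting distinct destinations rather than raw connections keeps a legitimate client that retries one server from tripping the rule. The mitigation that follows from the same observation is to permit outbound port 25 only from the relay; once that rule is in place the infected host shows up as a stream of firewall denies instead.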

#8 mistersmith

    Member

  • Full Member
  • 40 posts

Posted 16 May 2007 - 05:24 PM

I found, but could not delete, the C:\WINDOWS\system32\sfcfdmsc.dll.
Said system file was in use and could not be deleted. I also tried deleting it from safe mode, and that didn't work either. Computer runs slightly better...but I am certain there are still problems. I keep having problems trying to delete the WinMedia files you listed in the other ones. They keep reappearing in the HijackThis log.
Thanks!


R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pointe-server/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [PLoader] c:\program files\umsd tools2.33\umsd.exe sys_auto_run C:\Program Files\UMSD Tools2.33
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vtmesys] advetiro.exe
O4 - HKLM\..\Run: [sacmemds] C:\WINDOWS\system32\smcntlwio.exe
O4 - HKLM\..\Run: [vbmsession] C:\WINDOWS\system32\netyiamy.exe
O4 - HKLM\..\Run: [dpmdllep] C:\WINDOWS\system32\netyiamy.exe
O4 - HKLM\..\Run: [dstiosys] C:\WINDOWS\system32\plsitctl.exe
O4 - HKLM\..\Run: [cvmsyslpd] C:\WINDOWS\system32\sdservss.exe
O4 - HKLM\..\Run: [tymsetvc] C:\WINDOWS\system32\osskhbd.exe
O4 - HKLM\..\Run: [winsplog] C:\WINDOWS\system32\wsmmlog.exe
O4 - HKLM\..\Run: [statlcmi] C:\WINDOWS\system32\netyiamy.exe
O4 - HKLM\..\Run: [p2snetis] C:\WINDOWS\system32\netyiamy.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [vaddiag] C:\WINDOWS\system32\vadconf.exe
O4 - HKLM\..\Run: [xxndiag] C:\WINDOWS\c.6.0.exe
O4 - HKLM\..\Run: [jfgdiag] C:\WINDOWS\system32\jfgconf.exe
O4 - HKLM\..\Run: [csrcss.exe] C:\WINDOWS\csrcss.exe -s
O4 - HKLM\..\Run: [cscrsc.exe] C:\WINDOWS\system32\sys_rsc.exe -s
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: MA101 Configuration Utility .lnk = C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O20 - AppInit_DLLs: e1.dll confxxn.dll confvad.dll vadstat.dll confjfg.dll jfgstat.dll
O20 - Winlogon Notify: atmmgr - C:\WINDOWS\SYSTEM32\atmmgr32.dll
O20 - Winlogon Notify: jfgmgr - C:\WINDOWS\SYSTEM32\jfgmgr32.dll
O20 - Winlogon Notify: sfcfdmsc - C:\WINDOWS\system32\sfcfdmsc.dll
O20 - Winlogon Notify: vadmgr - C:\WINDOWS\SYSTEM32\vadmgr32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation

#9 nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 17 May 2007 - 07:36 AM

You do have other infections.

Unfortunately your last HijackThis log is not complete. It's missing the top section.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:28:14 PM, on 4/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
etc....


Please resubmit.

#10 mistersmith

    Member

  • Full Member
  • 40 posts

Posted 17 May 2007 - 08:59 AM

> You do have other infections.
>
> Unfortunately your last HijackThis log is not complete. It's missing the top section.
>
> Logfile of Trend Micro HijackThis v2.0.0 (BETA)
> Scan saved at 4:28:14 PM, on 4/24/2007
> Platform: Windows XP SP2 (WinNT 5.01.2600)
> Boot mode: Normal
>
> Running processes:
> C:\WINDOWS\System32\smss.exe
> C:\WINDOWS\system32\winlogon.exe
> etc....
>
> Please resubmit.


Sorry about that. It's getting tougher to obtain these logs. The computer keeps restarting and occasionally I will get the blue screen of death about the IRQL being less than or equal to. Can I run it in safe mode next time?

C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\WINDOWS\system32\wsmmlog.exe
C:\WINDOWS\system32\vadconf.exe
C:\WINDOWS\c.6.0.exe
C:\WINDOWS\system32\jfgconf.exe
C:\WINDOWS\csrcss.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\sys_rsc.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Documents and Settings\Shirley Liu\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pointe-server/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [PLoader] c:\program files\umsd tools2.33\umsd.exe sys_auto_run C:\Program Files\UMSD Tools2.33
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vtmesys] advetiro.exe
O4 - HKLM\..\Run: [sacmemds] C:\WINDOWS\system32\smcntlwio.exe
O4 - HKLM\..\Run: [vbmsession] C:\WINDOWS\system32\netyiamy.exe
O4 - HKLM\..\Run: [dpmdllep] C:\WINDOWS\system32\netyiamy.exe
O4 - HKLM\..\Run: [dstiosys] C:\WINDOWS\system32\plsitctl.exe
O4 - HKLM\..\Run: [cvmsyslpd] C:\WINDOWS\system32\sdservss.exe
O4 - HKLM\..\Run: [tymsetvc] C:\WINDOWS\system32\osskhbd.exe
O4 - HKLM\..\Run: [winsplog] C:\WINDOWS\system32\wsmmlog.exe
O4 - HKLM\..\Run: [statlcmi] C:\WINDOWS\system32\netyiamy.exe
O4 - HKLM\..\Run: [p2snetis] C:\WINDOWS\system32\netyiamy.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [vaddiag] C:\WINDOWS\system32\vadconf.exe
O4 - HKLM\..\Run: [xxndiag] C:\WINDOWS\c.6.0.exe
O4 - HKLM\..\Run: [jfgdiag] C:\WINDOWS\system32\jfgconf.exe
O4 - HKLM\..\Run: [csrcss.exe] C:\WINDOWS\csrcss.exe -s
O4 - HKLM\..\Run: [cscrsc.exe] C:\WINDOWS\system32\sys_rsc.exe -s
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: MA101 Configuration Utility .lnk = C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O20 - AppInit_DLLs: e1.dll confxxn.dll confvad.dll vadstat.dll confjfg.dll jfgstat.dll
O20 - Winlogon Notify: atmmgr - C:\WINDOWS\SYSTEM32\atmmgr32.dll
O20 - Winlogon Notify: jfgmgr - C:\WINDOWS\SYSTEM32\jfgmgr32.dll
O20 - Winlogon Notify: sfcfdmsc - C:\WINDOWS\system32\sfcfdmsc.dll
O20 - Winlogon Notify: vadmgr - C:\WINDOWS\SYSTEM32\vadmgr32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 10311 bytes

#11 nasdaq (Forum Deity, Global Moderator, 49,081 posts)

Posted 18 May 2007 - 06:44 AM

This problem "IRQL not less than equal" is most likely tied to a bad driver or some hardware problems.

Search google for the string "IRQL not less than equal" (include the quotes).
Did you install some new hardware recently?
Is the computer air flow hot?

How long can the computer stay in a working condition before you get the error or the BSOD?

I would disconnect the computer from the LAN and the Internet until we see what we can remove. You have a number of worms and viruses. I would myself reformat the computer. But at this time, if you are having hardware or driver issues, it may not be recommended just yet.

Do you have the time to execute this?

Print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Wait for further Instructions.

I really need to see a complete log in normal mode, otherwise I will not see some of the hidden processes.
Even your last LOG is INCOMPLETE. Look at the first log you submitted.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#12 mistersmith (Member, Full Member, 40 posts)

Posted 18 May 2007 - 10:07 AM

Ran SD Fix-

SDFix: Version 1.84

Run by Administrator - Fri 05/18/2007 - 9:49:12.87

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
EXAMPLE
ntldr.sys

ImagePath:
\??\C:\WINDOWS\system32\main.sys
\??\C:\ntldr.sys

EXAMPLE - Deleted
ntldr.sys - Deleted


ndis.sys Infected!

Patched File copied to Backups Folder
Attempting to replace ndis.sys with original version...

Original ndis.sys Restored


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\CP1041.NLS - Deleted
C:\WINDOWS\system32\1_exception.nls - Deleted
C:\WINDOWS\system32\osskhbd.exe - Deleted
C:\WINDOWS\system32\plsitctl.exe - Deleted
C:\WINDOWS\system32\sdservss.exe - Deleted
C:\WINDOWS\system32\smcntlwio.exe - Deleted
C:\WINDOWS\system32\wsmmlog.exe - Deleted
C:\WINDOWS\wpcjmd.log - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\netyiamy.exe"="C:\\WINDOWS\\system32\\netyiamy.exe:*:Enabled:Server"
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:Explorer"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\netyiamy.exe"="C:\\WINDOWS\\system32\\netyiamy.exe:*:Enabled:Server"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP741\A0072911.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP756\A0076538.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP766\A0079024.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP774\A0081428.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP776\A0083025.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP776\A0083049.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP776\A0083082.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP776\A0083084.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP776\A0083086.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP776\A0083087.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP776\A0083088.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP776\A0083110.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP777\A0083124.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP777\A0083144.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP777\A0083167.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP778\A0084179.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP778\A0084180.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP778\A0084182.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP778\A0084183.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP778\A0084184.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP778\A0086206.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP778\A0091238.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP778\A0092233.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP779\A0093233.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0141486.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0141488.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0141489.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0141490.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0155579.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0155581.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0155582.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0155583.dll
C:\WINDOWS\SYSTEM32\atmmgr32.dll
C:\WINDOWS\SYSTEM32\atmprf32.dll
C:\WINDOWS\SYSTEM32\atmstat.dll
C:\WINDOWS\SYSTEM32\confatm.dll
C:\WINDOWS\SYSTEM32\confjfg.dll
C:\WINDOWS\SYSTEM32\confswf.dll
C:\WINDOWS\SYSTEM32\confxxn.dll
C:\WINDOWS\SYSTEM32\d8dv6c.dll
C:\WINDOWS\SYSTEM32\hemwrx2.dll
C:\WINDOWS\SYSTEM32\jfgmgr32.dll
C:\WINDOWS\SYSTEM32\jfgprf32.dll
C:\WINDOWS\SYSTEM32\jfgstat.dll
C:\WINDOWS\SYSTEM32\lv73l11.dll
C:\WINDOWS\SYSTEM32\risdjv.dll
C:\WINDOWS\SYSTEM32\swfmgr32.dll
C:\WINDOWS\SYSTEM32\swfprf32.dll
C:\WINDOWS\SYSTEM32\swfstat.dll
C:\WINDOWS\SYSTEM32\xxnprf32.dll
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP777\A0083123.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP778\A0084185.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP778\A0091239.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0141487.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0141491.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0155578.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0155580.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0155584.exe
C:\WINDOWS\SYSTEM32\advetiro.exe
C:\WINDOWS\SYSTEM32\ansconf.exe
C:\WINDOWS\SYSTEM32\atmconf.exe
C:\WINDOWS\SYSTEM32\atmperf.exe
C:\WINDOWS\SYSTEM32\drvconf.exe
C:\WINDOWS\SYSTEM32\igfhzgyx.exe
C:\WINDOWS\SYSTEM32\jfgconf.exe
C:\WINDOWS\SYSTEM32\jfgperf.exe
C:\WINDOWS\SYSTEM32\ldmprocs.exe
C:\WINDOWS\SYSTEM32\netyiamy.exe
C:\WINDOWS\SYSTEM32\ng1iejsx.exe
C:\WINDOWS\SYSTEM32\swfconf.exe
C:\WINDOWS\SYSTEM32\swfperf.exe
C:\WINDOWS\SYSTEM32\upd1179409657.exe
C:\WINDOWS\SYSTEM32\uvg6f0.exe
C:\WINDOWS\SYSTEM32\winnbnox.exe
C:\WINDOWS\SYSTEM32\wmvconf.exe
C:\WINDOWS\SYSTEM32\xxnperf.exe
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc2561.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc2562.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc2563.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc2564.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc2565.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc2566.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc2567.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc2568.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc2569.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc2570.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc2571.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc2572.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc2573.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc2574.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc457.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc458.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc505.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc506.tmp

Finished

New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:03:30 AM, on 5/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\program files\umsd tools2.33\umsd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\netyiamy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\c.6.0.exe
C:\WINDOWS\system32\jfgconf.exe
C:\WINDOWS\csrcss.exe
C:\WINDOWS\system32\sys_rsc.exe
C:\WINDOWS\system32\atmconf.exe
C:\WINDOWS\system32\winnbnox.exe
C:\WINDOWS\fdd.exe
C:\Program Files\Symantec AntiVirus\DoScan.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Documents and Settings\Shirley Liu\Desktop\HiJackThis_v2.exe
C:\WINDOWS\system32\netwsmlx.exe
C:\WINDOWS\system32\smdlsset.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\sfcfdmsc.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pointe-server/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [PLoader] c:\program files\umsd tools2.33\umsd.exe sys_auto_run C:\Program Files\UMSD Tools2.33
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vbmsession] C:\WINDOWS\system32\netyiamy.exe
O4 - HKLM\..\Run: [dpmdllep] C:\WINDOWS\system32\netyiamy.exe
O4 - HKLM\..\Run: [statlcmi] C:\WINDOWS\system32\netyiamy.exe
O4 - HKLM\..\Run: [xxndiag] C:\WINDOWS\c.6.0.exe
O4 - HKLM\..\Run: [jfgdiag] C:\WINDOWS\system32\jfgconf.exe
O4 - HKLM\..\Run: [csrcss.exe] C:\WINDOWS\csrcss.exe -s
O4 - HKLM\..\Run: [cscrsc.exe] C:\WINDOWS\system32\sys_rsc.exe -s
O4 - HKLM\..\Run: [atmdiag] C:\WINDOWS\system32\atmconf.exe
O4 - HKLM\..\Run: [crmssrlt] winnbnox.exe
O4 - HKLM\..\Run: [fdd] C:\WINDOWS\fdd.exe s
O4 - HKLM\..\Run: [dlmicss] C:\WINDOWS\system32\netwsmlx.exe
O4 - HKLM\..\Run: [cpssystem] C:\WINDOWS\system32\smdlsset.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [crmssrlt] winnbnox.exe
O4 - HKCU\..\Run: [dlmicss] C:\WINDOWS\system32\netwsmlx.exe
O4 - HKCU\..\Run: [cpssystem] C:\WINDOWS\system32\smdlsset.exe
O4 - HKUS\S-1-5-18\..\Run: [WinMedia] svchost (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinMedia] svchost (User 'Default user')
O4 - Global Startup: MA101 Configuration Utility .lnk = C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O20 - AppInit_DLLs: e1.dll confxxn.dll confjfg.dll jfgstat.dll confatm.dll atmstat.dll confswf.dll swfstat.dll
O20 - Winlogon Notify: atmmgr - C:\WINDOWS\SYSTEM32\atmmgr32.dll
O20 - Winlogon Notify: jfgmgr - C:\WINDOWS\SYSTEM32\jfgmgr32.dll
O20 - Winlogon Notify: sfcfdmsc - C:\WINDOWS\system32\sfcfdmsc.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 10362 bytes
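The SDFix report and the new HijackThis log above show the review points a triage script can pull out of logs like these: one binary (netyiamy.exe) registered under three different Run value names, Run values that give only a bare filename (winnbnox.exe), a Run entry that starts for the SYSTEM account, the same unknown Winsock LSP DLL repeated once per catalog entry, AppInit_DLLs and Winlogon Notify entries, and a firewall exception that lets the very same netyiamy.exe accept connections as "Server". The Python below is an added example written for this page; it is not part of the thread and not code from HijackThis or SDFix. Its sample input is an excerpt of the entries posted above, the regexes match the HijackThis and .reg line formats shown on this page, and every flag it raises is a lead for manual review, not a verdict (BCMSMMSG.exe, for instance, is a bare filename that belongs to a Dell component on this machine).

```python
import re
from collections import Counter, defaultdict

# Sample input (constructed from the thread): an excerpt of the HijackThis
# entries in the 18 May 2007 log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [PLoader] c:\program files\umsd tools2.33\umsd.exe sys_auto_run C:\Program Files\UMSD Tools2.33
O4 - HKLM\..\Run: [vbmsession] C:\WINDOWS\system32\netyiamy.exe
O4 - HKLM\..\Run: [dpmdllep] C:\WINDOWS\system32\netyiamy.exe
O4 - HKLM\..\Run: [statlcmi] C:\WINDOWS\system32\netyiamy.exe
O4 - HKLM\..\Run: [crmssrlt] winnbnox.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [crmssrlt] winnbnox.exe
O4 - HKUS\S-1-5-18\..\Run: [WinMedia] svchost (User 'SYSTEM')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\yaubhtzhgvosj.dll
O20 - AppInit_DLLs: e1.dll confxxn.dll confjfg.dll jfgstat.dll confatm.dll atmstat.dll confswf.dll swfstat.dll
O20 - Winlogon Notify: atmmgr - C:\WINDOWS\SYSTEM32\atmmgr32.dll
"""

# The StandardProfile AuthorizedApplications export from the SDFix report above.
SAMPLE_FIREWALL_EXPORT = r"""
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\netyiamy.exe"="C:\\WINDOWS\\system32\\netyiamy.exe:*:Enabled:Server"
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:Explorer"
"""

RUN_RE = re.compile(r"^O4 - (HK[^:]+?)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")
LSP_RE = re.compile(r"^O10 - Unknown file in Winsock LSP: (.+)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.+)$")
FW_RE = re.compile(r'^"([^"]+)"="([^"]+)"$')


def extract_target(command):
    """Executable a Run value launches, without arguments or the (User '...') suffix."""
    command = USER_SUFFIX_RE.sub("", command).strip()
    if command.startswith('"'):                      # quoted path: up to the closing quote
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(.*?\.exe)", command, re.IGNORECASE)  # unquoted path, may contain spaces
    return m.group(1) if m else (command.split()[0] if command else "")


def triage(log_text):
    """Heuristic review points from a HijackThis log; each one is a lead, not a verdict."""
    run_entries, lsp, appinit, notify = [], Counter(), [], []
    for line in log_text.splitlines():
        line = line.strip()
        if m := RUN_RE.match(line):
            hive, name, command = m.groups()
            run_entries.append((hive, name, extract_target(command)))
        elif m := LSP_RE.match(line):
            lsp[m.group(1).strip().lower()] += 1      # HijackThis prints one line per LSP catalog entry
        elif m := APPINIT_RE.match(line):
            appinit.extend(m.group(1).split())       # every DLL listed here is loaded into every GUI process
        elif m := NOTIFY_RE.match(line):
            notify.append((m.group(1), m.group(2).strip()))
    by_target = defaultdict(list)
    for _hive, name, target in run_entries:
        by_target[target.lower()].append(name)
    return {
        # one binary registered under several value names: redundant persistence
        "run_multi": {t: names for t, names in by_target.items() if len(names) > 1},
        # bare filename: resolved via the search path, so confirm which file actually runs
        "run_bare": [e for e in run_entries if "\\" not in e[2]],
        # Run values under HKU\S-1-5-18 start for the SYSTEM account, not a logged-on user
        "run_system_user": [e for e in run_entries if e[0].upper().startswith("HKUS\\")],
        "lsp_unknown": dict(lsp),
        "appinit_dlls": appinit,
        "winlogon_notify": notify,
    }


def parse_firewall_exceptions(reg_text):
    """(path, scope, state, name) tuples from an exported AuthorizedApplications\\List."""
    out = []
    for line in reg_text.splitlines():
        if m := FW_RE.match(line.strip()):
            path, scope, state, name = m.group(2).rsplit(":", 3)  # rsplit: 'C:' itself holds a colon
            out.append((path.replace("\\\\", "\\"), scope, state, name))  # .reg format doubles '\'
    return out


def cross_reference(findings, exceptions):
    """Firewall-allowed executables that the Run-key heuristics also flagged."""
    flagged = set(findings["run_multi"]) | {e[2].lower() for e in findings["run_bare"]}
    return [p for p, _scope, state, _name in exceptions
            if state.lower() == "enabled" and p.lower() in flagged]


def triage_sample():
    return triage(SAMPLE_LOG)


def cross_reference_sample():
    return cross_reference(triage_sample(), parse_firewall_exceptions(SAMPLE_FIREWALL_EXPORT))


if __name__ == "__main__":
    for key, value in triage_sample().items():
        print(f"{key}: {value}")
    print("flagged and allowed through the firewall:", cross_reference_sample())
```

Run on the excerpt, the script reports netyiamy.exe under three value names, winnbnox.exe under two (HKLM and HKCU), the svchost entry for SYSTEM, one unknown LSP DLL seen three times, eight AppInit DLLs, and netyiamy.exe as the one firewall exception that coincides with a flagged Run entry. The cross-reference is the useful part for a helper reading such a report: a persistence entry that has also been granted an inbound firewall exception is a stronger lead than either finding alone.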

#13 nasdaq (Forum Deity, Global Moderator, 49,081 posts)

Posted 18 May 2007 - 02:52 PM

Print this topic; it will make it easier for you to follow the instructions and complete all of the necessary steps.

Please follow these instructions in this order.

1. Please download The Avenger by Swandog46 to your Desktop.
  • Click on Avenger.zip to open the file
  • Extract avenger.exe to your desktop. DO NOT RUN IT JUST YET.
Download LSPfix
Unzip the file to a folder on your desktop.
Double-click to run
Select: (Advanced) "I know what I'm doing"
Select: yaubhtzhgvosj.dll (left pane)
Click the right arrow to bring it to REMOVE (right pane).
Then click the FINISH button. Restart your computer.

On restart, open Windows Explorer, locate and delete the bad file(s):
C:\WINDOWS\system32\lspak.dll <-- this file

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - HKLM\..\Run: [vbmsession] C:\WINDOWS\system32\netyiamy.exe
O4 - HKLM\..\Run: [dpmdllep] C:\WINDOWS\system32\netyiamy.exe
O4 - HKLM\..\Run: [statlcmi] C:\WINDOWS\system32\netyiamy.exe
O4 - HKLM\..\Run: [xxndiag] C:\WINDOWS\c.6.0.exe
O4 - HKLM\..\Run: [jfgdiag] C:\WINDOWS\system32\jfgconf.exe
O4 - HKLM\..\Run: [csrcss.exe] C:\WINDOWS\csrcss.exe -s
O4 - HKLM\..\Run: [cscrsc.exe] C:\WINDOWS\system32\sys_rsc.exe -s
O4 - HKLM\..\Run: [atmdiag] C:\WINDOWS\system32\atmconf.exe
O4 - HKLM\..\Run: [crmssrlt] winnbnox.exe
O4 - HKLM\..\Run: [fdd] C:\WINDOWS\fdd.exe s
O4 - HKLM\..\Run: [dlmicss] C:\WINDOWS\system32\netwsmlx.exe
O4 - HKLM\..\Run: [cpssystem] C:\WINDOWS\system32\smdlsset.exe
O4 - HKCU\..\Run: [crmssrlt] winnbnox.exe
O4 - HKCU\..\Run: [dlmicss] C:\WINDOWS\system32\netwsmlx.exe
O4 - HKCU\..\Run: [cpssystem] C:\WINDOWS\system32\smdlsset.exe
O20 - AppInit_DLLs: e1.dll confxxn.dll confjfg.dll jfgstat.dll confatm.dll atmstat.dll confswf.dll swfstat.dll
O20 - Winlogon Notify: atmmgr - C:\WINDOWS\SYSTEM32\atmmgr32.dll
O20 - Winlogon Notify: jfgmgr - C:\WINDOWS\SYSTEM32\jfgmgr32.dll
O20 - Winlogon Notify: sfcfdmsc - C:\WINDOWS\system32\sfcfdmsc.dll


Click on Fix Checked when finished and exit HijackThis.

We will now delete the bad files using the Avenger tool downloaded earlier.

2. Copy all the text in Bold contained in the code box below (including the first line, which is a command to the tool, Files to Delete:) to your Clipboard by highlighting it and pressing (Ctrl+C):

Files to Delete:

C:\WINDOWS\system32\netyiamy.exe
C:\WINDOWS\c.6.0.exe
C:\WINDOWS\system32\jfgconf.exe
C:\WINDOWS\csrcss.exe
C:\WINDOWS\system32\sys_rsc.exe
C:\WINDOWS\system32\atmconf.exe
C:\WINDOWS\system32\winnbnox.exe
C:\WINDOWS\fdd.exe
C:\WINDOWS\system32\netwsmlx.exe
C:\WINDOWS\system32\smdlsset.exe
C:\WINDOWS\System32\sfcfdmsc.exe
C:\WINDOWS\SYSTEM32\atmmgr32.dll
C:\WINDOWS\SYSTEM32\jfgmgr32.dll
C:\WINDOWS\system32\sfcfdmsc.dll
C:\WINDOWS\SYSTEM32\atmprf32.dll
C:\WINDOWS\SYSTEM32\atmstat.dll
C:\WINDOWS\SYSTEM32\confatm.dll
C:\WINDOWS\SYSTEM32\confjfg.dll
C:\WINDOWS\SYSTEM32\confswf.dll
C:\WINDOWS\SYSTEM32\confxxn.dll
C:\WINDOWS\SYSTEM32\d8dv6c.dll
C:\WINDOWS\SYSTEM32\hemwrx2.dll
C:\WINDOWS\SYSTEM32\jfgprf32.dll
C:\WINDOWS\SYSTEM32\jfgstat.dll
C:\WINDOWS\SYSTEM32\lv73l11.dll
C:\WINDOWS\SYSTEM32\risdjv.dll
C:\WINDOWS\SYSTEM32\swfmgr32.dll
C:\WINDOWS\SYSTEM32\swfprf32.dll
C:\WINDOWS\SYSTEM32\swfstat.dll
C:\WINDOWS\SYSTEM32\xxnprf32.dll
C:\WINDOWS\SYSTEM32\advetiro.exe
C:\WINDOWS\SYSTEM32\ansconf.exe
C:\WINDOWS\SYSTEM32\atmperf.exe
C:\WINDOWS\SYSTEM32\drvconf.exe
C:\WINDOWS\SYSTEM32\igfhzgyx.exe
C:\WINDOWS\SYSTEM32\jfgperf.exe
C:\WINDOWS\SYSTEM32\ldmprocs.exe
C:\WINDOWS\SYSTEM32\ng1iejsx.exe
C:\WINDOWS\SYSTEM32\swfconf.exe
C:\WINDOWS\SYSTEM32\swfperf.exe
C:\WINDOWS\SYSTEM32\upd1179409657.exe
C:\WINDOWS\SYSTEM32\uvg6f0.exe
C:\WINDOWS\SYSTEM32\wmvconf.exe
C:\WINDOWS\SYSTEM32\xxnperf.exe


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.


3. Now, start The Avenger program by clicking on its icon on your desktop.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done
  • Now click on the Green Light to begin execution of the script
  • Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
  • It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
  • On reboot, it will briefly open a black command window on your desktop, this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Restart the computer normally to complete this fix.

When done,

Download SmitfraudFix (by S!Ri).
Extract all the content to a folder named SmitfraudFix on your Desktop.

Next, please reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

Then restart the computer normally again. Post the contents of the SmitfraudFix log located at C:\rapport.txt into this thread, along with a new HijackThis log.

Include the content of c:\avenger.txt into your reply along with a fresh HijackThis log by using Add/Reply.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#14 mistersmith

mistersmith

    Member

  • Full Member
  • 40 posts

Posted 18 May 2007 - 04:57 PM

The BSOD has stopped happening, the computer is running slightly better...starting to look good! Thanks.
Here are the new logs:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\ugebkegp

*******************

Script file located at: \??\C:\WINDOWS\system32\voowynnk.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\netyiamy.exe deleted successfully.
File C:\WINDOWS\c.6.0.exe deleted successfully.
File C:\WINDOWS\system32\jfgconf.exe deleted successfully.


File C:\WINDOWS\csrcss.exe not found!
Deletion of file C:\WINDOWS\csrcss.exe failed!

Could not process line:
C:\WINDOWS\csrcss.exe
Status: 0xc0000034



File C:\WINDOWS\system32\sys_rsc.exe not found!
Deletion of file C:\WINDOWS\system32\sys_rsc.exe failed!

Could not process line:
C:\WINDOWS\system32\sys_rsc.exe
Status: 0xc0000034

File C:\WINDOWS\system32\atmconf.exe deleted successfully.
File C:\WINDOWS\system32\winnbnox.exe deleted successfully.
File C:\WINDOWS\fdd.exe deleted successfully.
File C:\WINDOWS\system32\netwsmlx.exe deleted successfully.
File C:\WINDOWS\system32\smdlsset.exe deleted successfully.
File C:\WINDOWS\System32\sfcfdmsc.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\atmmgr32.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\jfgmgr32.dll deleted successfully.
File C:\WINDOWS\system32\sfcfdmsc.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\atmprf32.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\atmstat.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\confatm.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\confjfg.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\confswf.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\confxxn.dll deleted successfully.


File C:\WINDOWS\SYSTEM32\d8dv6c.dll not found!
Deletion of file C:\WINDOWS\SYSTEM32\d8dv6c.dll failed!

Could not process line:
C:\WINDOWS\SYSTEM32\d8dv6c.dll
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\hemwrx2.dll not found!
Deletion of file C:\WINDOWS\SYSTEM32\hemwrx2.dll failed!

Could not process line:
C:\WINDOWS\SYSTEM32\hemwrx2.dll
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\jfgprf32.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\jfgstat.dll deleted successfully.


File C:\WINDOWS\SYSTEM32\lv73l11.dll not found!
Deletion of file C:\WINDOWS\SYSTEM32\lv73l11.dll failed!

Could not process line:
C:\WINDOWS\SYSTEM32\lv73l11.dll
Status: 0xc0000034



File C:\WINDOWS\SYSTEM32\risdjv.dll not found!
Deletion of file C:\WINDOWS\SYSTEM32\risdjv.dll failed!

Could not process line:
C:\WINDOWS\SYSTEM32\risdjv.dll
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\swfmgr32.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\swfprf32.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\swfstat.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\xxnprf32.dll deleted successfully.
File C:\WINDOWS\SYSTEM32\advetiro.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\ansconf.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\atmperf.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\drvconf.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\igfhzgyx.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\jfgperf.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\ldmprocs.exe deleted successfully.


File C:\WINDOWS\SYSTEM32\ng1iejsx.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\ng1iejsx.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\ng1iejsx.exe
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\swfconf.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\swfperf.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\upd1179409657.exe deleted successfully.


File C:\WINDOWS\SYSTEM32\uvg6f0.exe not found!
Deletion of file C:\WINDOWS\SYSTEM32\uvg6f0.exe failed!

Could not process line:
C:\WINDOWS\SYSTEM32\uvg6f0.exe
Status: 0xc0000034

File C:\WINDOWS\SYSTEM32\wmvconf.exe deleted successfully.
File C:\WINDOWS\SYSTEM32\xxnperf.exe deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


SmitFraudFix v2.183

Scan done at 16:35:17.57, Fri 05/18/2007
Run from C:\Documents and Settings\Shirley Liu\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{5368C42B-6304-45B2-B38A-5499673C5CE2}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\..\{5BCA2C33-E96D-4ABE-97ED-502A87B9F49A}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{5368C42B-6304-45B2-B38A-5499673C5CE2}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\..\{5BCA2C33-E96D-4ABE-97ED-502A87B9F49A}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{5368C42B-6304-45B2-B38A-5499673C5CE2}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\..\{5BCA2C33-E96D-4ABE-97ED-502A87B9F49A}: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.1.254


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:52:34 PM, on 5/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\program files\umsd tools2.33\umsd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\liscrts.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Shirley Liu\Desktop\HiJackThis_v2.exe
C:\WINDOWS\system32\svchost.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pointe-server/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [PLoader] c:\program files\umsd tools2.33\umsd.exe sys_auto_run C:\Program Files\UMSD Tools2.33
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [expcrt] C:\WINDOWS\system32\liscrts.exe
O4 - HKLM\..\Run: [smiproc] C:\WINDOWS\system32\ldmprocs.exe
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [expcrt] C:\WINDOWS\system32\liscrts.exe
O4 - HKCU\..\Run: [smiproc] C:\WINDOWS\system32\ldmprocs.exe
O4 - HKUS\S-1-5-21-3224913011-1694365671-1429824503-1007\..\Run: [Sonic RecordNow!] (User 'Sheila Liao')
O4 - HKUS\S-1-5-21-3224913011-1694365671-1429824503-1007\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup (User 'Sheila Liao')
O4 - HKUS\S-1-5-21-3224913011-1694365671-1429824503-500\..\Run: [Sonic RecordNow!] (User 'Administrator')
O4 - HKUS\S-1-5-18\..\Run: [WinMedia] svchost (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinMedia] svchost (User 'Default user')
O4 - Global Startup: MA101 Configuration Utility .lnk = C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O20 - AppInit_DLLs: e1.dll
O20 - Winlogon Notify: atmmgr - atmmgr32.dll (file missing)
O20 - Winlogon Notify: jfgmgr - jfgmgr32.dll (file missing)
O20 - Winlogon Notify: sfcfdmsc - C:\WINDOWS\system32\sfcfdmsc.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7875 bytes

#15 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 19 May 2007 - 07:56 AM

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - HKLM\..\Run: [expcrt] C:\WINDOWS\system32\liscrts.exe
O4 - HKLM\..\Run: [smiproc] C:\WINDOWS\system32\ldmprocs.exe
O4 - HKCU\..\Run: [expcrt] C:\WINDOWS\system32\liscrts.exe
O4 - HKCU\..\Run: [smiproc] C:\WINDOWS\system32\ldmprocs.exe
O20 - AppInit_DLLs: e1.dll
O20 - Winlogon Notify: atmmgr - atmmgr32.dll (file missing)
O20 - Winlogon Notify: jfgmgr - jfgmgr32.dll (file missing)
O20 - Winlogon Notify: sfcfdmsc - C:\WINDOWS\system32\sfcfdmsc.dll (file missing)


Click on Fix Checked when finished and exit HijackThis.

Make sure you can see hidden files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.
Delete these files if found:

C:\WINDOWS\system32\liscrts.exe
C:\WINDOWS\system32\ldmprocs.exe
C:\WINDOWS\system32\liscrts.exe
C:\WINDOWS\system32\ldmprocs.exe
e1.dll <- locate this file and delete.

Restart the computer to reset the registry.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the next icon next to the files found.
  • If so, click it, then click the next icon right below and select Move incurable.
    This will move anything that can't be cured to the %userprofile%\DoctorWeb\quarantaine folder (in case we need samples).
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer, because files that were in use may only be moved/deleted during the reboot.
  • After the reboot, post the contents of the Dr.Web log you saved earlier in your next reply. You can use Notepad to open the DrWeb.csv report.
Include a fresh HijackThis log for review.

Let me know what problems persist.
nasdaq

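
As an added example (not code from this thread and not part of HijackThis), the following Python script applies the same reasoning the helper used above to the O4 and O20 lines of a HijackThis log: a Run value pointing at an unfamiliar file in system32, especially one registered under both HKLM and HKCU, a non-empty AppInit_DLLs value, and Winlogon Notify entries whose DLL is reported missing. The sample lines are a subset copied from the log posted above, and the allowlist of system32 names is constructed for illustration; it is a name-based heuristic, not a substitute for checking the files themselves.

```python
"""Heuristic triage of HijackThis O4 (Run) and O20 (AppInit_DLLs / Winlogon
Notify) entries. Added example; not part of the thread and not HijackThis code.
Flags: Run values pointing at system32 files not on a name allowlist (noting
when the same file is registered under more than one hive), any non-empty
AppInit_DLLs value, and Winlogon Notify DLLs that HijackThis reports missing."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: a subset of the O4/O20/O22 lines from the log above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [expcrt] C:\WINDOWS\system32\liscrts.exe
O4 - HKLM\..\Run: [smiproc] C:\WINDOWS\system32\ldmprocs.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [expcrt] C:\WINDOWS\system32\liscrts.exe
O4 - HKCU\..\Run: [smiproc] C:\WINDOWS\system32\ldmprocs.exe
O20 - AppInit_DLLs: e1.dll
O20 - Winlogon Notify: atmmgr - atmmgr32.dll (file missing)
O20 - Winlogon Notify: jfgmgr - jfgmgr32.dll (file missing)
O20 - Winlogon Notify: sfcfdmsc - C:\WINDOWS\system32\sfcfdmsc.dll (file missing)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
"""

# Constructed allowlist of system32 names seen in the log that belong to
# Windows or the graphics driver. Name-based only; real triage checks hashes.
KNOWN_GOOD_SYSTEM32 = {"igfxtray.exe", "hkcmd.exe", "browseui.dll"}

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run: "
                   r"\[(?P<name>[^\]]*)\] ?(?P<cmd>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: ?(?P<dlls>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<dll>.+?)"
                       r"(?P<missing> \(file missing\))?$")
# First program path in a Run value: optional quotes, stop at the extension.
EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|com|scr|bat|cmd|pif))', re.I)
SYSTEM32_RE = re.compile(r"^[a-z]:\\windows\\system32\\([^\\]+)$", re.I)


@dataclass(frozen=True)
class Finding:
    line: str
    reason: str


def target_path(cmd: str) -> str:
    """Return the program path from a Run value, without quotes or arguments."""
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip().strip('"')


def system32_name(path: str):
    """Bare lower-case file name if `path` is in %SystemRoot%\\system32, else None."""
    m = SYSTEM32_RE.match(path)
    return m.group(1).lower() if m else None


def triage(log_text: str) -> list:
    """Return suspicious entries in log order, each with the reason it was flagged."""
    findings = []      # (line index, Finding)
    run_entries = []   # (line index, hive, path, line) for the second pass
    for idx, raw in enumerate(log_text.splitlines()):
        line = raw.strip()
        if m := O4_RE.match(line):
            run_entries.append((idx, m["hive"], target_path(m["cmd"]), line))
        elif m := APPINIT_RE.match(line):
            if m["dlls"].strip():
                findings.append((idx, Finding(line, "AppInit_DLLs is normally empty; "
                                 "listed DLLs load into every process that loads user32.dll")))
        elif m := NOTIFY_RE.match(line):
            name = system32_name(m["dll"]) or m["dll"].lower()
            if m["missing"]:
                findings.append((idx, Finding(line, "Winlogon Notify DLL reported missing; "
                                 "the registration outlived the file")))
            elif name not in KNOWN_GOOD_SYSTEM32:
                findings.append((idx, Finding(line, "Winlogon Notify DLL not on allowlist")))

    # Second pass: the same binary registered under several hives (HKLM and
    # HKCU here) is a persistence pattern worth calling out on each line.
    hives_by_target = defaultdict(set)
    for _, hive, path, _ in run_entries:
        hives_by_target[path.lower()].add(hive)
    for idx, hive, path, line in run_entries:
        name = system32_name(path)
        if name is None or name in KNOWN_GOOD_SYSTEM32:
            continue
        hives = sorted(hives_by_target[path.lower()])
        reason = f"unknown system32 binary {name!r} started from a Run key"
        if len(hives) > 1:
            reason += f" (registered under {' and '.join(hives)})"
        findings.append((idx, Finding(line, reason)))
    return [f for _, f in sorted(findings, key=lambda t: t[0])]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.reason}\n    {f.line}")
```

Run against the sample it reports exactly the eight lines the helper asked to have fixed and nothing else; the O22 browseui.dll and driver-tray entries pass.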

#16 mistersmith

mistersmith

    Member

  • Full Member
  • 40 posts

Posted 21 May 2007 - 11:35 AM

Could not delete e1.dll. Access was denied, and it said file was currently in use. Could not find the ldmprocs.exe file. The others, I deleted.

Dr. Web scan

e1.dll;c:\windows\system32;Win32.HLLM.Limar;Will be cured after reboot.;
nvstatld.dll;c:\windows\system32;Trojan.Proxy.1801;Deleted.;
ddtvgvrgvt[1].jpg;C:\Documents and Settings\Sheila Liao\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H;Trojan.Inject.260;Deleted.;
ecfndijn3fre[1].jpg;C:\Documents and Settings\Sheila Liao\Local Settings\Temporary Internet Files\Content.IE5\OT2JQP0H;BackDoor.Mailbot;Deleted.;
Process.exe;C:\Documents and Settings\Shirley Liu\Desktop\SmitfraudFix\SmitfraudFix;Tool.Prockill;Incurable.Moved.;
restart.exe;C:\Documents and Settings\Shirley Liu\Desktop\SmitfraudFix\SmitfraudFix;Tool.ShutDown.11;Incurable.Moved.;
ddtvgvrgvt[1].jpg;C:\Documents and Settings\Shirley Liu\Local Settings\Temporary Internet Files\Content.IE5\4HQVW1YR;Trojan.Inject.260;Deleted.;
pcewbnj[1].jpg;C:\Documents and Settings\Shirley Liu\Local Settings\Temporary Internet Files\Content.IE5\4HQVW1YR;Trojan.Proxy.1805;Deleted.;
ddtvgvrgvt[1].jpg;C:\Documents and Settings\Shirley Liu\Local Settings\Temporary Internet Files\Content.IE5\IPK9MNCJ;Trojan.Inject.260;Deleted.;
pcewbnj[1].jpg;C:\Documents and Settings\Shirley Liu\Local Settings\Temporary Internet Files\Content.IE5\IPK9MNCJ;Trojan.Proxy.1805;Deleted.;
ddtvgvrgvt[1].jpg;C:\Documents and Settings\Shirley Liu\Local Settings\Temporary Internet Files\Content.IE5\SD67W9A7;Trojan.Inject.260;Deleted.;
pcewbnj[1].jpg;C:\Documents and Settings\Shirley Liu\Local Settings\Temporary Internet Files\Content.IE5\SD67W9A7;Trojan.Proxy.1805;Deleted.;
Dc1489.tmp;C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008;Win32.HLLM.Limar;Deleted.;
Dc3076.tmp;C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008;Win32.HLLM.Limar.based;Deleted.;
Process.exe;C:\SDFix\apps;Tool.Prockill;Incurable.Moved.;
A0071447.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP735;Win32.HLLM.Limar;Deleted.;
A0071456.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP735;Win32.HLLM.Limar;Deleted.;
A0072454.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP735;Win32.HLLM.Limar;Deleted.;
A0072457.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP735;Win32.HLLM.Limar;Deleted.;
A0072466.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP735;Win32.HLLM.Limar;Deleted.;
A0072518.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP736;Win32.HLLM.Limar;Deleted.;
A0072556.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP736;Win32.HLLM.Limar;Deleted.;
A0072639.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP737;Win32.HLLM.Limar;Deleted.;
A0072643.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP737;Win32.HLLM.Limar;Deleted.;
A0072707.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP738;Win32.HLLM.Limar;Deleted.;
A0072759.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP739;Win32.HLLM.Limar;Deleted.;
A0072762.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP739;Win32.HLLM.Limar;Deleted.;
A0072795.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP739;Win32.HLLM.Limar;Deleted.;
A0072815.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP739;Win32.HLLM.Limar;Deleted.;
A0072865.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP740;Win32.HLLM.Limar;Deleted.;
A0072868.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP740;Win32.HLLM.Limar;Deleted.;
A0072910.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP741;Win32.HLLM.Limar;Deleted.;
A0072911.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP741;Win32.HLLM.Limar;Deleted.;
A0072914.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP741;Win32.HLLM.Limar;Deleted.;
A0072974.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP742;Win32.HLLM.Limar;Deleted.;
A0073013.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP743;Win32.HLLM.Limar;Deleted.;
A0073081.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP743;Win32.HLLM.Limar;Deleted.;
A0073153.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP744;Win32.HLLM.Limar;Deleted.;
A0073241.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP745;Win32.HLLM.Limar;Deleted.;
A0074239.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP746;Win32.HLLM.Limar;Deleted.;
A0074241.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP746;Win32.HLLM.Limar;Deleted.;
A0074273.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP746;Win32.HLLM.Limar;Deleted.;
A0074292.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP747;Win32.HLLM.Limar;Deleted.;
A0074309.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP747;Win32.HLLM.Limar;Deleted.;
A0074347.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP752;Win32.HLLM.Limar;Deleted.;
A0074350.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP752;Win32.HLLM.Limar;Deleted.;
A0074401.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP752;Win32.HLLM.Limar;Deleted.;
A0075399.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP754;Win32.HLLM.Limar;Deleted.;
A0075402.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP754;Win32.HLLM.Limar;Deleted.;
A0076401.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP754;Win32.HLLM.Limar;Deleted.;
A0076412.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP754;Win32.HLLM.Limar;Deleted.;
A0076451.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP755;Win32.HLLM.Limar;Deleted.;
A0076490.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP756;Win32.HLLM.Limar;Deleted.;
A0076534.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP756;Win32.HLLM.Limar;Deleted.;
A0076536.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP756;Win32.HLLM.Limar;Deleted.;
A0076538.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP756;Win32.HLLM.Limar;Deleted.;
A0076541.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP756;Win32.HLLM.Limar;Deleted.;
A0076579.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP757;Win32.HLLM.Limar;Deleted.;
A0077579.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP758;Win32.HLLM.Limar;Deleted.;
A0077616.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP758;Win32.HLLM.Limar;Deleted.;
A0077639.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP759;Win32.HLLM.Limar;Deleted.;
A0077722.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP760;Win32.HLLM.Limar;Deleted.;
A0077768.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP761;Win32.HLLM.Limar;Deleted.;
A0077808.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP761;Win32.HLLM.Limar;Deleted.;
A0077827.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP761;Win32.HLLM.Limar;Deleted.;
A0077889.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP762;Win32.HLLM.Limar;Deleted.;
A0077935.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP763;Win32.HLLM.Limar;Deleted.;
A0077938.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP763;Win32.HLLM.Limar;Deleted.;
A0077997.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP764;Win32.HLLM.Limar;Deleted.;
A0078023.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP765;Win32.HLLM.Limar;Deleted.;
A0078024.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP765;Win32.HLLM.Limar;Deleted.;
A0078027.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP765;Win32.HLLM.Limar;Deleted.;
A0079023.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP766;Win32.HLLM.Limar;Deleted.;
A0079027.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP766;Win32.HLLM.Limar;Deleted.;
A0079050.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP766;Win32.HLLM.Limar;Deleted.;
A0079076.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP766;Win32.HLLM.Limar;Deleted.;
A0079079.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP766;Win32.HLLM.Limar;Deleted.;
A0079089.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP767;Win32.HLLM.Limar;Deleted.;
A0079101.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP767;Win32.HLLM.Limar;Deleted.;
A0079129.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP768;Win32.HLLM.Limar;Deleted.;
A0079170.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP769;Win32.HLLM.Limar;Deleted.;
A0079173.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP769;Win32.HLLM.Limar;Deleted.;
A0079205.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP770;Win32.HLLM.Limar;Deleted.;
A0079230.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP771;Win32.HLLM.Limar;Deleted.;
A0079246.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP771;Win32.HLLM.Limar;Deleted.;
A0079275.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP772;Win32.HLLM.Limar;Deleted.;
A0080274.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP773;Win32.HLLM.Limar;Deleted.;
A0080291.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP773;Win32.HLLM.Limar;Deleted.;
A0080313.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP774;Win32.HLLM.Limar;Deleted.;
A0080327.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP774;Win32.HLLM.Limar;Deleted.;
A0081366.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP774;Win32.HLLM.Limar;Deleted.;
A0081400.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP774;Win32.HLLM.Limar;Deleted.;
A0081426.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP774;Win32.HLLM.Limar;Deleted.;
A0081427.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP774;Win32.HLLM.Limar;Deleted.;
A0081428.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP774;Win32.HLLM.Limar;Deleted.;
A0081431.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP774;Win32.HLLM.Limar;Deleted.;
A0081443.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP774;Win32.HLLM.Limar;Deleted.;
A0081460.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP774;Win32.HLLM.Limar;Deleted.;
A0081488.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP775;Adware.Msearch;Incurable.Moved.;
A0081489.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP775;Adware.Msearch;Incurable.Moved.;
A0081514.DLL;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP775;Adware.Websearch;Incurable.Moved.;
A0081516.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP775;Win32.HLLM.Limar;Deleted.;
A0081562.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP775;Win32.HLLM.Limar;Deleted.;
A0081596.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP775;Win32.HLLM.Limar;Deleted.;
A0082988.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP776;Win32.HLLM.Limar;Deleted.;
A0082999.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP776;Win32.HLLM.Limar;Deleted.;
A0083014.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP776;Win32.HLLM.Limar;Deleted.;
A0083024.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP776;Win32.HLLM.Limar;Deleted.;
A0083025.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP776;Trojan.Popuper;Deleted.;
A0083028.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP776;Win32.HLLM.Limar;Deleted.;
A0083049.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP776;Trojan.Popuper;Deleted.;
A0083055.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP776;Win32.HLLM.Limar;Deleted.;
A0083082.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP776;Trojan.Popuper;Deleted.;
A0083083.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP776;Win32.HLLM.Limar;Deleted.;
A0083084.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP776;Win32.HLLM.Limar;Deleted.;
A0083086.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP776;Win32.HLLM.Limar;Deleted.;
A0083087.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP776;Win32.HLLM.Limar;Deleted.;
A0083088.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP776;Win32.HLLM.Limar;Deleted.;
A0083091.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP776;Win32.HLLM.Limar;Deleted.;
A0083110.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP776;Trojan.Popuper;Deleted.;
A0083113.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP776;Win32.HLLM.Limar;Deleted.;
A0083123.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP777;Win32.HLLM.Limar;Deleted.;
A0083124.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP777;Trojan.Popuper;Deleted.;
A0083128.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP777;Win32.HLLM.Limar;Deleted.;
A0083144.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP777;Trojan.Popuper;Deleted.;
A0083147.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP777;Win32.HLLM.Limar;Deleted.;
A0083165.dll:fork2;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP777;Trojan.MulDrop.5876;Deleted.;
A0083167.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP777;Trojan.Popuper;Deleted.;
A0083170.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP777;Win32.HLLM.Limar;Deleted.;
A0084179.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP778;Trojan.Popuper;Deleted.;
A0084183.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP778;Win32.HLLM.Limar;Deleted.;
A0084184.dll\data001;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP778\A0084184.dll;Win32.HLLM.Limar;;
A0084184.dll\data004;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP778\A0084184.dll;Win32.HLLM.Limar;;
A0084184.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP778;Archive contains infected objects;Moved.;
A0084185.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP778;Win32.HLLM.Limar;Deleted.;
A0084188.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP778;Win32.HLLM.Limar;Deleted.;
A0086206.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP778;Trojan.Popuper;Deleted.;
A0086214.dll:fork2;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP778;Trojan.MulDrop.5876;Deleted.;
A0087214.dll:fork2;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP778;Trojan.MulDrop.5876;Deleted.;
A0091238.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP778;Win32.HLLM.Limar;Deleted.;
A0091239.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP778;Trojan.Popuper;Deleted.;
A0092233.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP778;Trojan.Popuper;Deleted.;
A0092236.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP778;Win32.HLLM.Limar;Deleted.;
A0093233.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP779;Trojan.Popuper;Deleted.;
A0093236.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP779;Win32.HLLM.Limar;Deleted.;
A0095269.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP779;Win32.HLLM.Limar;Deleted.;
A0095284.dll:fork2;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP779;Trojan.MulDrop.5876;Deleted.;
A0095288.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP779;Win32.HLLM.Limar;Deleted.;
A0095615.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP779;Win32.HLLM.Limar;Deleted.;
A0095616.sys;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP779;BackDoor.Bulknet;Deleted.;
A0095617.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP779;Trojan.MulDrop.5876;Deleted.;
A0096286.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP779;Win32.HLLM.Limar;Deleted.;
A0097312.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP779;Win32.HLLM.Limar;Deleted.;
A0097324.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP779;Win32.HLLM.Limar;Deleted.;
A0098356.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP779;Win32.HLLM.Limar;Deleted.;
A0098402.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP780;Win32.HLLM.Limar;Deleted.;
A0100423.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782;Win32.HLLM.Limar;Deleted.;
A0100433.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782;Win32.HLLM.Limar;Deleted.;
A0105435.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782;Win32.HLLM.Limar;Deleted.;
A0109446.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782;Win32.HLLM.Limar;Deleted.;
A0118458.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782;Trojan.Proxy.1801;Deleted.;
A0120459.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782;BackDoor.Mailbot;Deleted.;
A0120462.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782;Trojan.Inject.260;Deleted.;
A0120464.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782;Trojan.Proxy.1801;Deleted.;
A0121460.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782;Trojan.Inject.260;Deleted.;
A0121462.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782;Trojan.Proxy.1801;Deleted.;
A0123471.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782;BackDoor.Mailbot;Deleted.;
A0123474.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782;Trojan.Inject.260;Deleted.;
A0123476.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782;Trojan.Proxy.1801;Deleted.;
A0124471.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782;BackDoor.Mailbot;Deleted.;
A0124474.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782;Trojan.Inject.260;Deleted.;
A0124476.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782;Trojan.Proxy.1801;Deleted.;
A0125464.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782;Win32.HLLM.Limar;Deleted.;
A0125472.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782;Trojan.Proxy.1801;Deleted.;
A0128468.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782;Win32.HLLM.Limar;Deleted.;
A0131473.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP783;Win32.HLLM.Limar;Deleted.;
A0135483.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Win32.HLLM.Limar;Deleted.;
A0136486.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;BackDoor.Mailbot;Deleted.;
A0136490.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Trojan.Inject.260;Deleted.;
A0141486.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Win32.HLLM.Limar;Deleted.;
A0141487.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Win32.HLLM.Limar;Deleted.;
A0141488.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Win32.HLLM.Limar;Deleted.;
A0141489.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Win32.HLLM.Limar;Deleted.;
A0141490.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Win32.HLLM.Limar;Deleted.;
A0141491.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Win32.HLLM.Limar;Deleted.;
A0141492.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Win32.HLLM.Limar;Deleted.;
A0141493.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Win32.HLLM.Limar;Deleted.;
A0141494.exe\data002;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0141494.exe;Win32.HLLM.Limar;;
A0141494.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Archive contains infected objects;Moved.;
A0141495.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Win32.HLLM.Limar;Deleted.;
A0141498.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Win32.HLLM.Limar;Deleted.;
A0143493.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Win32.HLLM.Limar;Deleted.;
A0143499.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Trojan.Proxy.1801;Deleted.;
A0147543.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Win32.HLLM.Limar;Deleted.;
A0147546.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Trojan.Vqten;Deleted.;
A0150574.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Trojan.Proxy.1805;Deleted.;
A0150579.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Win32.HLLM.Limar;Deleted.;
A0151584.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Trojan.Inject.260;Deleted.;
A0151585.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Trojan.Proxy.1805;Deleted.;
A0152587.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Trojan.Inject.260;Deleted.;
A0152588.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Trojan.Proxy.1805;Deleted.;
A0152589.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Trojan.Proxy.1801;Deleted.;
A0154586.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Trojan.Inject.260;Deleted.;
A0154587.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Trojan.Proxy.1805;Deleted.;
A0154588.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Trojan.Proxy.1801;Deleted.;
A0155578.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Win32.HLLM.Limar;Deleted.;
A0155579.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Win32.HLLM.Limar;Deleted.;
A0155580.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Win32.HLLM.Limar;Deleted.;
A0155581.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Win32.HLLM.Limar;Deleted.;
A0155582.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Win32.HLLM.Limar;Deleted.;
A0155583.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Win32.HLLM.Limar;Deleted.;
A0155584.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785;Win32.HLLM.Limar;Deleted.;
A0155598.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Trojan.Inject.260;Deleted.;
A0155599.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Trojan.Proxy.1805;Deleted.;
A0155600.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Trojan.Proxy.1801;Deleted.;
A0155603.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Win32.HLLM.Limar;Deleted.;
A0155604.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Win32.HLLM.Limar;Deleted.;
A0155605.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Win32.HLLM.Limar;Deleted.;
A0155607.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Win32.HLLM.Limar;Deleted.;
A0155612.sys;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Trojan.Spambot;Deleted.;
A0155613.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;BackDoor.Mailbot;Deleted.;
A0155622.sys;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Trojan.Spambot;Deleted.;
A0155623.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;BackDoor.Mailbot;Deleted.;
A0155658.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Trojan.Proxy.1805;Deleted.;
A0155659.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Trojan.Proxy.1801;Deleted.;
A0155667.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Win32.HLLM.Limar;Deleted.;
A0155676.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Win32.HLLM.Limar;Deleted.;
A0155679.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Win32.HLLM.Limar;Deleted.;
A0155688.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Trojan.Proxy.1805;Deleted.;
A0155697.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;BackDoor.IRC.Sdbot.1337;Deleted.;
A0155698.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Win32.HLLM.Limar;Deleted.;
A0155699.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Win32.HLLM.Limar;Deleted.;
A0155700.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Win32.HLLM.Limar;Deleted.;
A0155701.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Win32.HLLM.Limar;Deleted.;
A0155702.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Win32.HLLM.Limar;Deleted.;
A0155703.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Win32.HLLM.Limar;Deleted.;
A0155705.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Win32.HLLM.Limar;Deleted.;
A0155706.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Win32.HLLM.Limar;Deleted.;
A0155710.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Win32.HLLM.Limar;Deleted.;
A0155711.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Win32.HLLM.Limar;Deleted.;
A0155714.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Win32.HLLM.Limar;Deleted.;
A0155717.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Win32.HLLM.Limar;Deleted.;
A0155721.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Win32.HLLM.Limar;Deleted.;
A0155722.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Win32.HLLM.Limar;Deleted.;
A0155725.dll\data003;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155725.dll;Win32.HLLM.Limar;;
A0155725.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Archive contains infected objects;Moved.;
A0155727.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Win32.HLLM.Limar;Deleted.;
A0155729.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Win32.HLLM.Limar;Deleted.;
A0155731.exe;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Win32.HLLM.Limar;Deleted.;
A0155768.dll;C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786;Trojan.Proxy.1801;Deleted.;
at1.exe;C:\WINDOWS;Trojan.DownLoader.21466;Deleted.;
cxbrtewfgtre.exe;C:\WINDOWS;BackDoor.Mailbot;Deleted.;
idl32.exe;C:\WINDOWS;Win32.HLLM.Limar;Deleted.;
jtrerrthre.exe;C:\WINDOWS;Trojan.Proxy.1805;Deleted.;
my-007-911.exe;C:\WINDOWS;Trojan.Spambot;Deleted.;
tgrftgrf.exe;C:\WINDOWS;Trojan.Inject.260;Deleted.;
crslc.exe;C:\WINDOWS\SYSTEM32;Win32.HLLM.Limar;Deleted.;
dmsemf32.dll;C:\WINDOWS\SYSTEM32;Win32.HLLM.Limar;Deleted.;
e1.dll;C:\WINDOWS\SYSTEM32;Win32.HLLM.Limar;Will be cured after reboot.;
fElBW6k.dll;C:\WINDOWS\SYSTEM32;Win32.HLLM.Limar;Deleted.;
GTDownDE_87.ocx;C:\WINDOWS\SYSTEM32;Adware.Gdown;Incurable.Moved.;
ipxwscri.dll;C:\WINDOWS\SYSTEM32;Win32.HLLM.Limar;Deleted.;
Process.exe;C:\WINDOWS\SYSTEM32;Tool.Prockill;Incurable.Moved.;
w1OtY6220VG.dll;C:\WINDOWS\SYSTEM32;Win32.HLLM.Limar;Deleted.;
ws2_32.dll:fork2;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.5876;Deleted.;

New Hijackthis log

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:30:20 AM, on 5/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\program files\umsd tools2.33\umsd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\services.exe
C:\Documents and Settings\Shirley Liu\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pointe-server/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [PLoader] c:\program files\umsd tools2.33\umsd.exe sys_auto_run C:\Program Files\UMSD Tools2.33
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [WinMedia] svchost (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinMedia] svchost (User 'Default user')
O4 - Global Startup: MA101 Configuration Utility .lnk = C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O20 - AppInit_DLLs: e1.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7027 bytes

#17 nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 21 May 2007 - 12:58 PM

Dr. Web should have deleted this file after the restart.

Try to fix this item now.

Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

O4 - HKUS\S-1-5-18\..\Run: [WinMedia] svchost (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinMedia] svchost (User 'Default user')
O20 - AppInit_DLLs: e1.dll


Click on Fix Checked when finished and exit HijackThis.

Restart the computer normally.


Download the Registry Search Tool from here:
http://www.billsway....les/RegSrch.zip

Unzip to your Desktop and double click on regsrch.vbs
(if you have script protection, please allow this to run)

In the dialog that opens enter the following:
WinMedia]

Press 'OK'

The search will run for a while then alert you when it is finished.

Press 'OK' and copy the contents of the WordPad window and post in this thread.

Submit also a fresh HijackThis log.

Let me know what problems persist.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760
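
Two log formats are being read by hand in this thread: the Dr.Web record list and the HijackThis startup listing. The Python below is an added example (not part of the thread, and not code from either tool) that parses both, flags the kinds of entries nasdaq picked out (a core binary name such as svchost in a Run key, anything in AppInit_DLLs) and checks whether an object Dr.Web deferred to reboot still shows up in a later HijackThis log; the sample lines are copied from the logs posted above.

```python
import re
from typing import Dict, List, Tuple

# Dr.Web CureIt! report record: object;directory;threat name;action;
# (sub-objects inside an archive, e.g. "x.dll\data003", carry an empty action).
DRWEB_RE = re.compile(r"^(?P<obj>[^;]+);(?P<dir>[^;]*);(?P<threat>[^;]*);(?P<action>[^;]*);?$")

# HijackThis O4 registry autostart: O4 - <hive>\..\Run: [value name] command (User '...')
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
USER_SUFFIX_RE = re.compile(r"\s+\(User '[^']*'\)$")
# HijackThis O20: DLLs in AppInit_DLLs are loaded into every process that maps user32.dll
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")

# Core binaries started by the kernel, smss or the service controller, never by a Run key.
# A Run entry named after one of them (with or without .exe) is a masquerade.
SYSTEM_BINARY_NAMES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost", "spoolsv"}

# Sample input copied from the Dr.Web and HijackThis logs posted earlier in this thread.
DRWEB_SAMPLE = r"""
at1.exe;C:\WINDOWS;Trojan.DownLoader.21466;Deleted.;
e1.dll;C:\WINDOWS\SYSTEM32;Win32.HLLM.Limar;Will be cured after reboot.;
GTDownDE_87.ocx;C:\WINDOWS\SYSTEM32;Adware.Gdown;Incurable.Moved.;
ws2_32.dll:fork2;C:\WINDOWS\SYSTEM32;Trojan.MulDrop.5876;Deleted.;
""".strip().splitlines()

HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKUS\S-1-5-18\..\Run: [WinMedia] svchost (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinMedia] svchost (User 'Default user')
O20 - AppInit_DLLs: e1.dll
""".strip().splitlines()


def parse_drweb(lines: List[str]) -> List[Dict[str, str]]:
    """Split each Dr.Web record into its four fields; skip lines that do not fit."""
    records = []
    for line in lines:
        m = DRWEB_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def pending_after_reboot(lines: List[str]) -> List[Tuple[str, str]]:
    """Objects Dr.Web could not remove while Windows was running (a DLL held open
    by every process, as an AppInit_DLLs entry is). These need a post-reboot check."""
    return [(r["obj"], r["dir"]) for r in parse_drweb(lines)
            if r["action"].startswith("Will be cured")]


def _executable(cmd: str) -> str:
    """Program part of an O4 command: drop HJT's (User '...') suffix, honour a
    quoted path, otherwise take the first token."""
    cmd = USER_SUFFIX_RE.sub("", cmd.strip())
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def hjt_findings(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (severity, log line, reason) for autostart entries worth a second look."""
    findings = []
    for raw in lines:
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            exe = _executable(m.group("cmd"))
            base = exe.rsplit("\\", 1)[-1].lower()
            stem = base[:-4] if base.endswith(".exe") else base
            if stem in SYSTEM_BINARY_NAMES:
                findings.append(("high", line,
                                 f"'{base}' is a core Windows binary name; it is never autostarted from a Run key"))
            elif "\\" not in exe:
                findings.append(("review", line,
                                 f"'{base}' has no path and is resolved through PATH at logon"))
            continue
        m = O20_RE.match(line)
        if m:
            for dll in re.split(r"[ ,]+", m.group("dlls")):
                if dll:
                    findings.append(("high", line,
                                     f"AppInit_DLLs loads '{dll}' into every GUI process"))
    return findings


def still_referenced(drweb_lines: List[str], hjt_lines: List[str]) -> List[str]:
    """Deferred Dr.Web objects that a later HJT log still names: the reboot-time
    removal did not happen. Plain substring match, so treat hits as leads."""
    hjt_text = "\n".join(hjt_lines).lower()
    # "ws2_32.dll:fork2" names an alternate data stream; HJT only shows the host file.
    return [obj for obj, _ in pending_after_reboot(drweb_lines)
            if obj.split(":")[0].lower() in hjt_text]


if __name__ == "__main__":
    for severity, line, reason in hjt_findings(HJT_SAMPLE):
        print(f"[{severity}] {line}\n    {reason}")
    print("not removed at reboot:", still_referenced(DRWEB_SAMPLE, HJT_SAMPLE))
```

Run against the two HijackThis logs in this thread, the O20 finding disappears after the "Fix Checked" step while the two WinMedia entries remain, which is the state the next reply reports.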

#18 mistersmith

    Member

  • Full Member
  • 40 posts

Posted 21 May 2007 - 01:38 PM

It says there were no instances of WinMedia] found.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 1:28:29 PM, on 5/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\program files\umsd tools2.33\umsd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Shirley Liu\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pointe-server/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [PLoader] c:\program files\umsd tools2.33\umsd.exe sys_auto_run C:\Program Files\UMSD Tools2.33
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [WinMedia] svchost (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinMedia] svchost (User 'Default user')
O4 - Global Startup: MA101 Configuration Utility .lnk = C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6964 bytes

#19 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 21 May 2007 - 03:16 PM

Ie.dll is gone,

My bad, I should have requested that you search for this string

WinMedia

Can you repeat the registry search and let me see the result.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in anyway,please considerDonating ,
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#20 mistersmith

mistersmith

    Member

  • Full Member
  • 40 posts

Posted 21 May 2007 - 03:30 PM

REGEDIT4
; RegSrch.vbs © Bill James

; Registry search results for string "Winmedia" 5/21/2007 3:22:52 PM

; NOTE: This file will be deleted when you close WordPad.
; You must manually save this file to a new location if you want to refer to it again later.
; (If you save the file with a .reg extension, you can use it to restore any Registry changes you make to these values.)


[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"WinMedia"="svchost"

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"WinMedia"="svchost"

#21 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 21 May 2007 - 03:37 PM

; Purpose: Remove traces in the registry.
;
; Instructions: Copy and paste this text IN BOLD into a text editor such as Notepad.
;
; Save this text as Fix.reg. Make sure the "Save as type:" is "All Files (*.*)" and save it to your desktop.

REGEDIT4

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"WinMedia"=-

[HKEY_USERS\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Run]
"WinMedia"=-



; Double-click on Fix.reg. When it asks you to merge the information to the registry click Yes.

If you need help on "How to Make a .Reg File"
See: http://www.nellie2.co.uk/file.htm

Restart the computer after the fix.

Submit a fresh HijackThis log.

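Triage of the O4 entries the registry search turned up, as an added example that is not part of the thread or of HijackThis: it parses HijackThis O4 lines, flags a Run value that launches a bare "svchost" the way the two WinMedia entries do, and generates the same "WinMedia"=- removal stanza as the Fix.reg above. The SYSTEM_BINARIES and MACHINE_PROFILES heuristics and the sample lines are this example's own assumptions.

```python
"""Triage HijackThis O4 autostart lines; emit a REGEDIT4 removal file.

Added example for this thread, not HijackThis or the helper's own tooling.
Flags Run values that launch a bare core-process name such as "svchost"
(started by the Service Control Manager, never from a Run key) and writes
the same "Name"=- stanza the Fix.reg in the post uses.
"""
import re
from typing import NamedTuple, Optional

# Line shape: O4 - <hive>\..\<Run key>: [<value name>] <command> (User '<user>')
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]+)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
# Started by the kernel, the session manager or the SCM; a Run value using
# one of these names is masquerading (assumed list for this example).
SYSTEM_BINARIES = {"svchost", "services", "lsass", "winlogon", "csrss", "smss"}
# Profiles that rarely carry legitimate per-user autostarts (assumption).
MACHINE_PROFILES = {"HKUS\\S-1-5-18", "HKUS\\.DEFAULT"}
RUN_ROOT = r"Software\Microsoft\Windows\CurrentVersion"


class Entry(NamedTuple):
    hive: str
    key: str
    name: str
    cmd: str
    user: Optional[str]


def parse_o4(line: str) -> Optional[Entry]:
    """Return the O4 entry on this line, or None for any other log line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["hive"], m["key"], m["name"], m["cmd"].strip(), m["user"])


def exe_token(cmd: str) -> str:
    """The program part of the command: the quoted path, or up to the first space."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def exe_basename(cmd: str) -> str:
    """Lower-cased file name without '.exe', e.g. 'svchost'."""
    base = re.split(r"[\\/]", exe_token(cmd))[-1].lower()
    return base[:-4] if base.endswith(".exe") else base


def assess(e: Entry) -> tuple:
    """Signals that make this entry worth a closer look ('strong:'/'weak:' prefixed)."""
    tok, base = exe_token(e.cmd), exe_basename(e.cmd)
    reasons = []
    if base in SYSTEM_BINARIES:
        reasons.append("strong: launches core system process name '%s'" % base)
    if "\\" not in tok and "/" not in tok:
        reasons.append("weak: no path given, binary resolved via the search path")
    if e.hive in MACHINE_PROFILES:
        reasons.append("weak: registered under the SYSTEM or .DEFAULT profile")
    return tuple(reasons)


def is_flagged(reasons) -> bool:
    """One strong signal, or two weak ones, marks the value for removal review."""
    strong = sum(r.startswith("strong") for r in reasons)
    return strong >= 1 or len(reasons) - strong >= 2


def triage(log_lines):
    """(Entry, reasons) pairs for the flagged O4 lines, in log order."""
    entries = filter(None, (parse_o4(ln) for ln in log_lines))
    found = ((e, assess(e)) for e in entries)
    return [(e, r) for e, r in found if is_flagged(r)]


def registry_key(e: Entry) -> str:
    """Expand the abbreviated HijackThis hive to the key path regedit expects."""
    if e.hive == "HKLM":
        root = "HKEY_LOCAL_MACHINE"
    elif e.hive == "HKCU":
        root = "HKEY_CURRENT_USER"
    else:
        root = "HKEY_USERS\\" + e.hive[len("HKUS\\"):]
    return "[%s\\%s\\%s]" % (root, RUN_ROOT, e.key)


def removal_reg(findings) -> str:
    """REGEDIT4 text deleting each flagged value ("Name"=-), CRLF line endings."""
    out = ["REGEDIT4", ""]
    for e, _ in findings:
        out += [registry_key(e), '"%s"=-' % e.name, ""]
    return "\r\n".join(out) + "\r\n"


# Constructed sample: three lines quoted from the log in this thread plus a
# benign full-path entry, to show what is and is not flagged.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKUS\S-1-5-18\..\Run: [WinMedia] svchost (User 'SYSTEM')",
    r"O4 - HKUS\.DEFAULT\..\Run: [WinMedia] svchost (User 'Default user')",
]
```

Running `removal_reg(triage(SAMPLE_LINES))` reproduces the two `"WinMedia"=-` stanzas of the Fix.reg above, while the bare-but-unremarkable BCMSMMSG.exe entry is left alone.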
#22 mistersmith

mistersmith

    Member

  • Full Member
  • 40 posts

Posted 21 May 2007 - 04:03 PM

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:02:06 PM, on 5/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\program files\umsd tools2.33\umsd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Shirley Liu\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pointe-server/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [PLoader] c:\program files\umsd tools2.33\umsd.exe sys_auto_run C:\Program Files\UMSD Tools2.33
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: MA101 Configuration Utility .lnk = C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6832 bytes

#23 mistersmith

mistersmith

    Member

  • Full Member
  • 40 posts

Posted 21 May 2007 - 04:53 PM

One more thing I forgot to add - I currently have the Symantec email monitoring system shut off.
The reason being, when I turned it on, it was going absolutely crazy with all the spam that this computer
was sending out. The computer's running a lot better recently, so I thought I'd turn it on again and see
what happened... again, the email monitor thing is still going crazy.

Btw, just wanted to say thanks for all the help. Despite that remaining problem, the BSOD is gone and
the computer is running a lot smoother!

#24 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • 49,081 posts

Posted 22 May 2007 - 06:53 AM

Your log is clean.

See what this tool will find.

Please perform an online virus scan with F-Secure Online Scanner.

Please navigate (using Internet Explorer, other browsers won't work) to the following site: http://support.f-sec...home/ols3.shtml
  • Click the Online Virus Scanner link. (Bottom of the page)
  • When prompted, choose to install the software.
  • After the software has installed, click Accept.
  • Click Custom Scan and check the option for Scan inside archives, then click Start.
  • The necessary databases will then be downloaded, and the scan will then start automatically. Please be patient as this scan will take a while to complete.
  • If any infections are found then once the scan has finished the "cleaning" screen will be displayed. Choose Automatic cleaning (recommended).
  • After cleaning has finished, then the Finish screen will be displayed. Choose Show Report.
  • In order to post the report, press CTRL+A on your keyboard to highlight all the text. Then copy and paste that information into this thread, along with a new HijackThis log.


#25 mistersmith

mistersmith

    Member

  • Full Member
  • 40 posts

Posted 22 May 2007 - 03:11 PM

Scanning Report
Tuesday, May 22, 2007 08:57:39 - 15:05:35
Computer name: DELL-STATIONACC
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 195 malware found
Backdoor.Win32.SdBot.ayk (virus)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155730.exe (Renamed & Submitted)
C:\avenger\backup.zip\avenger\advetiro.exe
C:\avenger\backup.zip\avenger\winnbnox.exe
Backdoor.Win32.SdBot.bgc (virus)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155712.exe (Renamed & Submitted)
C:\Documents and Settings\Shirley Liu\Local Settings\Temp\ljlrqm.exe (Renamed & Submitted)
C:\avenger\backup.zip\avenger\igfhzgyx.exe
Email-Worm.Win32.Warezov.dq (virus)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155724.exe (Renamed & Submitted)
C:\avenger\backup.zip\avenger\atmconf.exe
C:\avenger\backup.zip\avenger\sfcfdmsc.dll
C:\avenger\backup.zip\avenger\swfconf.exe
Email-Worm.Win32.Warezov.fs (virus)
C:\avenger\backup.zip\avenger\atmprf32.dll
Email-Worm.Win32.Warezov.hd (virus)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155709.dll (Renamed & Submitted)
C:\avenger\backup.zip\avenger\confxxn.dll
Email-Worm.Win32.Warezov.he (virus)
C:\avenger\backup.zip\avenger\fdd.exe
Email-Worm.Win32.Warezov.jp (virus)
C:\Documents and Settings\Shirley Liu\DoctorWeb\Quarantine\A0084184.dll (Renamed & Submitted)
C:\Documents and Settings\Shirley Liu\DoctorWeb\Quarantine\A0155725.dll (Renamed & Submitted)
C:\avenger\backup.zip\avenger\drvconf.exe
C:\avenger\backup.zip\avenger\swfmgr32.dll
C:\avenger\backup.zip\avenger\swfprf32.dll
Email-Worm.Win32.Warezov.ka (virus)
C:\avenger\backup.zip\avenger\sfcfdmsc.exe
Email-Worm.Win32.Warezov.ke (virus)
C:\avenger\backup.zip\avenger\atmmgr32.dll
C:\avenger\backup.zip\avenger\atmperf.exe
C:\avenger\backup.zip\avenger\atmstat.dll
C:\avenger\backup.zip\avenger\confatm.dll
Email-Worm.Win32.Warezov.ky (virus)
C:\WINDOWS\SYSTEM32\langopen.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155776.dll (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155778.dll (Renamed & Submitted)
Email-Worm.Win32.Warezov.la (virus)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155787.dll (Renamed & Submitted)
Email-Worm.Win32.Warezov.lf (virus)
C:\avenger\backup.zip\avenger\ansconf.exe
C:\avenger\backup.zip\avenger\wmvconf.exe
Email-Worm.Win32.Warezov.ln (virus)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155775.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP766\A0079024.dll (Renamed & Submitted)
Email-Worm.Win32.Warezov.lq (virus)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155669.dll (Renamed & Submitted)
Email-Worm.Win32.Warezov.md (virus)
C:\avenger\backup.zip\avenger\c.6.0.exe
Email-Worm.Win32.Warezov.mg (virus)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155732.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155733.dll (Renamed & Submitted)
C:\avenger\backup.zip\avenger\jfgmgr32.dll
C:\avenger\backup.zip\avenger\xxnperf.exe
C:\avenger\backup.zip\avenger\xxnprf32.dll
Email-Worm.Win32.Warezov.mo (virus)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155777.dll (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155779.dll (Renamed & Submitted)
Email-Worm.Win32.Warezov.ne (virus)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155771.exe (Renamed & Submitted)
Email-Worm.Win32.Warezov.nl (virus)
C:\avenger\backup.zip\avenger\upd1179409657.exe
NetworkWorm.ZO (virus)
C:\Documents and Settings\Shirley Liu\Desktop\aswclnr.exe (Submitted)
SpamTool.Win32.Agent.u (virus)
C:\SDFix\backups\backups.zip\backups\ndis.sys
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System
System
System
System
System
System
System
System
System
Trojan-Downloader.Win32.Agent.bnm (virus)
C:\WINDOWS\SYSTEM32\mstscex.dll (Renamed & Submitted)
C:\WINDOWS\SYSTEM32\oleauth32.dll (Renamed & Submitted)
Trojan-Downloader.Win32.Tiny.gl (virus)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155769.exe (Renamed)
Trojan-PSW.Win32.Agent.lf (virus)
C:\WINDOWS\SYSTEM32\DRIVERS\kcp.sys (Renamed & Submitted)
Trojan-Proxy.Win32.Slaper.p (virus)
C:\WINDOWS\esgfsefrf.exe (Renamed & Submitted)
C:\WINDOWS\nybtyhrtg.exe (Renamed & Submitted)
C:\WINDOWS\rtfybgtrvfcgtr.exe (Renamed & Submitted)
C:\WINDOWS\wrefergghtr.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155614.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155615.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155616.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155617.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155624.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155625.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155626.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155627.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155770.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0136487.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0136488.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0120458.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0120460.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0120461.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0121459.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0123469.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0123470.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0123472.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0123473.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0124469.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0124470.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0124472.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0124473.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0125470.exe (Renamed & Submitted)
C:\SDFix\backups\backups.zip\backups\osskhbd.exe
C:\SDFix\backups\backups.zip\backups\plsitctl.exe
C:\SDFix\backups\backups.zip\backups\sdservss.exe
C:\SDFix\backups\backups.zip\backups\smcntlwio.exe
C:\SDFix\backups\backups.zip\backups\wsmmlog.exe
Trojan-Proxy.Win32.Slaper.u (virus)
C:\WINDOWS\thghergre.exe (Renamed & Submitted)
Trojan.Win32.Agent.afg (virus)
C:\WINDOWS\SYSTEM32\eefgd.dll (Renamed & Submitted)
C:\WINDOWS\SYSTEM32\nbw.dll (Renamed & Submitted)
C:\WINDOWS\SYSTEM32\ofwem.dll (Renamed & Submitted)
C:\WINDOWS\SYSTEM32\yaubhtzhgvosj.dll (Renamed & Submitted)
Trojan.Win32.Pakes (virus)
C:\WINDOWS\ntyrebgrtvfcd.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155720.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155780.dll:fork2 (Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0120463.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0121461.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0123475.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0124475.exe (Renamed & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0125471.exe (Renamed & Submitted)
C:\avenger\backup.zip\avenger\netyiamy.exe
Trojan.Win32.Patched.q (virus)
C:\WINDOWS\SYSTEM32\winlogon.exe (Disinfected & Submitted)
C:\WINDOWS\SYSTEM32\DLLCACHE\winlogon.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155588.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0135480.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0136480.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0137480.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0138480.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0139480.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0140480.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0141485.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0142485.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0143490.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0144490.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0146538.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0147565.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0148565.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0149565.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0150565.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0150577.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0151577.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0152577.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0153577.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0154577.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0155577.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP783\A0130470.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP783\A0131470.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP783\A0132470.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP783\A0132480.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP783\A0133480.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP783\A0134480.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0100421.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0100431.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0101431.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0102431.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0103431.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0104431.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0105433.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0106433.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0107433.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0108433.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0109433.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0109442.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0110442.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0111445.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0112448.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0113448.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0114448.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0115448.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0116451.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0117451.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0119451.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0120451.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0121451.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0122458.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0123458.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0123461.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0124461.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0125461.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0126461.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0127461.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0128465.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0128470.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP782\A0129470.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP780\A0098399.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP780\A0099399.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP779\A0095251.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP779\A0095266.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP779\A0095283.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP779\A0095285.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP779\A0096283.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP779\A0096293.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP779\A0096299.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP779\A0097299.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP779\A0097310.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP779\A0097322.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP779\A0098322.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP779\A0098353.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP778\A0086205.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP778\A0086215.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP778\A0087215.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP777\A0083143.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP777\A0083166.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP776\A0083081.exe (Disinfected & Submitted)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP776\A0083109.exe (Disinfected & Submitted)
W32/Horst.gen33 (virus)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155677.exe (Submitted)

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 132747
System: 5103
Not scanned: 18
Actions:
Disinfected: 85
Renamed: 63
Deleted: 0
None: 47
Submitted: 149
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\WINDOWS\$NTUNINSTALLKB837001$\DAO360.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\CALLCONT.DLL
C:\WINDOWS\$NTUNINSTALLKB835732$\RTCDLL.DLL
C:\WINDOWS\$NTUNINSTALLKB828741$\CATSRV.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0136492.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP785\A0151587.DLL
C:\PROGRAM FILES\AUDIBLE\BIN\CDLOG.INI
C:\PROGRAM FILES\AUDIBLE\BIN\PLUGINS\DEVICE\APROXIOSDK.DLL
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterdisabled.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallBypass.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallBypass1.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Stration.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinVBatz.zip\sbRecovery.reg
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinVBatz1.zip\sbRecovery.reg

--------------------------------------------------------------------------------

Options
Scanning engines:
F-Secure Libra: 2.4.2, 2007-05-22
F-Secure AVP: 7.0.171, 2007-05-22
F-Secure Orion: 1.2.37, 2007-05-22
F-Secure Blacklight: 1.0.53
F-Secure Draco: 1.0.35, 0260-23-12
F-Secure Pegasus: 1.19.0, 2007-04-14
Scanning options:
Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
Scan inside archives
Use Advanced heuristics

#26 mistersmith (Full Member, 40 posts)

Posted 22 May 2007 - 03:14 PM

Here's the new Hijack this log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:13:15 PM, on 5/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\program files\umsd tools2.33\umsd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\services.exe
C:\Documents and Settings\Shirley Liu\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pointe-server/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [PLoader] c:\program files\umsd tools2.33\umsd.exe sys_auto_run C:\Program Files\UMSD Tools2.33
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [WinMedia] svchost (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinMedia] svchost (User 'Default user')
O4 - Global Startup: MA101 Configuration Utility .lnk = C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6965 bytes

#27 nasdaq (Forum Deity, Global Moderator, 49,081 posts)

Posted 23 May 2007 - 06:46 AM

Do you know what this is? "Pointe-server"
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pointe-server/
If not, fix it with HijackThis and restart the computer normally.


The WinMedia O4 items have returned?
O4 - HKUS\S-1-5-18\..\Run: [WinMedia] svchost (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinMedia] svchost (User 'Default user')

Search your computer for all copies of this file: svchost.exe

You should have only one, in this folder:
C:\WINDOWS\System32\svchost.exe

Do you have any others?
If so, in what folder(s)?

Run the SDFix tool again as requested in post No. 11.
Let me see the results.

Next,

Download and save BlackLight to your desktop.
F-Secure Blacklight: http://www.f-secure.com/blacklight
Double-click blbeta.exe, then accept the agreement.
Click Scan, then Next.
You'll see a list of all items found.
Don't choose Rename yet! I want to see the log first, because legit items can also be present there...
There should also be a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stands for numbers).
Post the contents of the log in your next reply.
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider Donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760
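The two checks nasdaq asks for above (an O4 Run value that launches a bare "svchost" from the SYSTEM and Default User hives, and a hunt for stray copies of svchost.exe) can be scripted. The Python below is an added example written for this page; it is not a tool from this thread or from any product mentioned in it. The O4 lines it parses are copied from the HijackThis log posted above, the list of svchost.exe hits is constructed from the folders the poster reports in the next reply plus one made-up bad location, and the set of expected svchost.exe folders (System32, its dllcache, ServicePackFiles\i386 and C:\I386) is an assumption based on where Windows XP keeps its installation copies. One caveat for anyone reusing the "you should have only one" rule: copies under C:\I386 and ServicePackFiles\i386 are normal XP install caches, and a prefetch entry is a .pf trace file, not a program, so extra hits in those places are not by themselves a sign of infection. A svchost.exe anywhere else, or a Run value that starts one, is.

```python
import ntpath
import re

# Sample input: O4 lines copied from the HijackThis log in the post above.
HJT_EXCERPT = r"""
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [WinMedia] svchost (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinMedia] svchost (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# Constructed list of svchost.exe hits: the four folders the poster reports in the
# next reply, plus one made-up location (system32\drivers) to show an unexpected copy.
FOUND_SVCHOST = [
    r"C:\I386\svchost.exe",
    r"c:\Windows\prefetch\svchost.exe-2d5fbd18.pf",
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\servicepackfiles\i386\svchost.exe",
    r"c:\windows\system32\drivers\svchost.exe",
]

RUN_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$"
)
STARTUP_RE = re.compile(r"^O4 - Global Startup: (?P<name>.+?) = (?P<cmd>.+)$")

# Core Windows images that live in System32 and are never started from a Run key.
SYSTEM_IMAGES = {"svchost", "lsass", "csrss", "smss", "winlogon", "services"}
# Run values under the SYSTEM or Default User hive are unusual for legitimate software.
SYSTEM_HIVES = {r"HKUS\S-1-5-18", r"HKUS\.DEFAULT"}
SYSTEM32 = r"c:\windows\system32"  # assumption: Windows installed on C:
# Assumption: where Windows XP legitimately keeps svchost.exe (live copy + install caches).
EXPECTED_SVCHOST_DIRS = {
    SYSTEM32,
    SYSTEM32 + r"\dllcache",
    r"c:\windows\servicepackfiles\i386",
    r"c:\i386",
}


def parse_o4(text):
    """Turn HijackThis O4 lines into dicts with hive, value name, command and user."""
    entries = []
    for line in text.splitlines():
        m = RUN_RE.match(line)
        if m:
            entries.append({"hive": m["hive"], "name": m["name"],
                            "cmd": m["cmd"], "user": m["user"]})
            continue
        m = STARTUP_RE.match(line)
        if m:
            entries.append({"hive": "Global Startup", "name": m["name"],
                            "cmd": m["cmd"], "user": None})
    return entries


def image_of(cmd):
    """Image path of a Run command: the quoted path if quoted, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def flag_o4(entries):
    """Return (hive, value name, image, reasons) for every entry worth a closer look."""
    findings = []
    for e in entries:
        image = image_of(e["cmd"])
        stem = ntpath.splitext(ntpath.basename(image))[0].lower()
        reasons = []
        if stem in SYSTEM_IMAGES:
            if not ntpath.dirname(image):
                reasons.append("bare system image name with no path: not the real " + stem)
            elif ntpath.dirname(image).lower() != SYSTEM32:
                reasons.append("system image name outside System32")
        if e["hive"] in SYSTEM_HIVES:
            reasons.append("Run value in the SYSTEM / Default User hive")
        if reasons:
            findings.append((e["hive"], e["name"], image, reasons))
    return findings


def classify_svchost_copies(paths):
    """Sort reported svchost hits into expected, unexpected and non-executable files."""
    result = {"expected": [], "unexpected": [], "not_executable": []}
    for p in paths:
        norm = ntpath.normpath(p).lower()
        if not norm.endswith(".exe"):
            result["not_executable"].append(p)  # e.g. a prefetch .pf trace, not a program
        elif ntpath.dirname(norm) in EXPECTED_SVCHOST_DIRS:
            result["expected"].append(p)
        else:
            result["unexpected"].append(p)
    return result


if __name__ == "__main__":
    for hive, name, image, reasons in flag_o4(parse_o4(HJT_EXCERPT)):
        print(f"{hive} [{name}] -> {image}: {'; '.join(reasons)}")
    for bucket, paths in classify_svchost_copies(FOUND_SVCHOST).items():
        print(bucket, paths)
```

Run as is, it flags only the two WinMedia values (both for the bare image name and for the hive they sit in) and leaves the Dell, Intel and QuickTime entries alone; the made-up drivers\svchost.exe is the only copy reported as unexpected, while the .pf prefetch hit is set aside rather than counted.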

#28 mistersmith (Full Member, 40 posts)

Posted 23 May 2007 - 10:27 AM

Pointe-server is actually our company intranet address, so that should be OK as far as I know.

I found multiple copies of svchost.exe.

svchost C:\I386
svchost.exe-2d5fbd18.pf c:\Windows\prefetch
svchost c:\windows\system32
svchost c:\windows\servicepackfiles\i386

SDFix log

SDFix: Version 1.84

Run by Administrator - Wed 05/23/2007 - 9:08:38.56

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\wpcjmd.log - Deleted



Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\netyiamy.exe"="C:\\WINDOWS\\system32\\netyiamy.exe:*:Enabled:Server"
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:Explorer"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\netyiamy.exe"="C:\\WINDOWS\\system32\\netyiamy.exe:*:Enabled:Server"


Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP778\A0084180.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP778\A0084182.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155670.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155672.dll
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155673.dll
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc3123.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155671.exe
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP786\A0155674.exe
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc2561.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc2562.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc2563.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc2564.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc2565.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc2566.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc2567.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc2568.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc2569.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc2570.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc2571.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc2572.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc2573.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc2574.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc457.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc458.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc505.tmp
C:\RECYCLER\S-1-5-21-3224913011-1694365671-1429824503-1008\Dc506.tmp

Finished

Blacklight log

05/23/07 09:41:04 [Info]: BlackLight Engine 1.0.61 initialized
05/23/07 09:41:04 [Info]: OS: 5.1 build 2600 (Service Pack 2)
05/23/07 09:41:05 [Note]: 7019 4
05/23/07 09:41:05 [Note]: 7005 0
05/23/07 09:41:09 [Note]: 7006 0
05/23/07 09:41:09 [Note]: 7011 1852
05/23/07 09:41:09 [Note]: 7026 0
05/23/07 09:41:09 [Note]: 7026 0
05/23/07 09:41:17 [Note]: FSRAW library version 1.7.1021
05/23/07 10:07:30 [Note]: 7007 0
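The "Authorized Application Key Export" in the SDFix log above deserves a look that nobody in the thread gives it: both the Standard and Domain firewall profiles carry an enabled exception for C:\WINDOWS\system32\netyiamy.exe with the display name "Server", and nothing else in the thread accounts for that file. Malware that wants inbound connections (a spam proxy or backdoor) commonly adds itself to this list, and a cleanup that removes the file but not the exception leaves the entry behind as a clue. The Python below is an added example written for this page, not a tool from the thread or from SDFix; it parses the .reg-style export exactly as printed above and rates each enabled exception. The value layout (path:scope:Enabled:name), the %windir% expansion to C:\WINDOWS, and the short allowlist of exceptions an administrator would expect on this machine are assumptions stated in the code. A "suspicious" verdict is a lead, not proof: the next steps are to check whether the file still exists, hash it and submit it to a scanner, and confirm no service or Run value still references it.

```python
import ntpath
import re

# Sample input: the firewall exception export from the SDFix log in the post above.
SDFIX_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\system32\\netyiamy.exe"="C:\\WINDOWS\\system32\\netyiamy.exe:*:Enabled:Server"
"C:\\WINDOWS\\Explorer.EXE"="C:\\WINDOWS\\Explorer.EXE:*:Enabled:Explorer"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\WINDOWS\\system32\\netyiamy.exe"="C:\\WINDOWS\\system32\\netyiamy.exe:*:Enabled:Server"
"""

KEY_RE = re.compile(r"^\[.*\\FirewallPolicy\\(?P<profile>\w+)\\AuthorizedApplications\\List\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# Assumed value layout: <image path>:<scope>:<Enabled|Disabled>:<display name>.
# The lazy path group lets the drive-letter colon through without splitting on it.
DATA_RE = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<display>.*)$",
    re.IGNORECASE,
)

WINDOWS_DIR = r"c:\windows"  # assumption: what %windir% expands to on this machine
# Assumption: exceptions an administrator expects to see on this XP box.
KNOWN_EXCEPTIONS = {"sessmgr.exe", "msmsgs.exe", "explorer.exe"}


def parse_exceptions(text):
    """Parse a .reg-style AuthorizedApplications export into one dict per entry."""
    profile, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        k = KEY_RE.match(line)
        if k:
            profile = k["profile"]
            continue
        v = VALUE_RE.match(line)
        if not v or profile is None:
            continue
        data = v["data"].replace("\\\\", "\\")  # .reg files double every backslash
        d = DATA_RE.match(data)
        if not d:
            continue
        entries.append({
            "profile": profile,
            "path": d["path"],
            "scope": d["scope"],
            "enabled": d["state"].lower() == "enabled",
            "display": d["display"],
        })
    return entries


def assess(entries):
    """Rate every enabled exception: known, suspicious (unknown image under %windir%) or review."""
    verdicts = []
    for e in entries:
        if not e["enabled"]:
            continue
        path = ntpath.normpath(e["path"].replace("%windir%", WINDOWS_DIR)).lower()
        base = ntpath.basename(path)
        if base in KNOWN_EXCEPTIONS:
            verdict = "known"
        elif path.startswith(WINDOWS_DIR + "\\"):
            # An image nobody recognises, dropped into the Windows tree, with an
            # inbound exception: the classic footprint of a backdoor or spam proxy.
            verdict = "suspicious"
        else:
            verdict = "review"
        verdicts.append((e["profile"], path, e["display"], verdict))
    return verdicts


def suspicious_images(verdicts):
    """Distinct image paths rated suspicious, for the follow-up file checks."""
    return sorted({path for _, path, _, verdict in verdicts if verdict == "suspicious"})


if __name__ == "__main__":
    results = assess(parse_exceptions(SDFIX_EXPORT))
    for profile, path, display, verdict in results:
        print(f"{verdict:10} {profile:15} {path}  ({display})")
    print("follow up on:", suspicious_images(results))
```

On the export above the script rates sessmgr.exe, msmsgs.exe and Explorer.EXE as known and returns netyiamy.exe, once per profile, as the single image to follow up on.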

#29 mistersmith (Full Member, 40 posts)

Posted 23 May 2007 - 10:31 AM

By the way, for what it's worth, I ran the Symantec email scanner that scans outgoing emails. Before, it would go crazy sending out a ton of spam, but apparently this computer has now stopped sending spam emails.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:28:26 AM, on 5/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\program files\umsd tools2.33\umsd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Shirley Liu\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pointe-server/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [PLoader] c:\program files\umsd tools2.33\umsd.exe sys_auto_run C:\Program Files\UMSD Tools2.33
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [WinMedia] svchost (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinMedia] svchost (User 'Default user')
O4 - Global Startup: MA101 Configuration Utility .lnk = C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6966 bytes

#30 nasdaq (Forum Deity, Global Moderator, 49,081 posts)

Posted 23 May 2007 - 03:36 PM

Great news.

Can you now fix these items with HijackThis?

O4 - HKUS\S-1-5-18\..\Run: [WinMedia] svchost (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [WinMedia] svchost (User 'Default user')


Then restart the computer.

If you now scan with HijackThis, are the items gone?

#31 mistersmith (Full Member, 40 posts)

Posted 23 May 2007 - 04:20 PM

Looks like it... here's the new log.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 4:15:49 PM, on 5/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\PROGRA~1\SYMANT~2\VPTray.exe
C:\program files\umsd tools2.33\umsd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Documents and Settings\Shirley Liu\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://pointe-server/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [PLoader] c:\program files\umsd tools2.33\umsd.exe sys_auto_run C:\Program Files\UMSD Tools2.33
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: MA101 Configuration Utility .lnk = C:\Program Files\NETGEAR\MA101 USB Adapter Configuration Utility\WlanMonitor.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-sec...m/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.wea...Transporter.cab?
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Unknown owner - C:\PROGRA~1\SYMANT~1\SYMANT~1\Rtvscan.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6799 bytes

#32 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,081 posts

Posted 24 May 2007 - 07:39 AM

Nice work, your log is clean.

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
http://users.telenet...prevention.html
nasdaq

Favorite tools: [ SpywareBlaster ] [ Spybot ] [ AdAware ] [ HijackThis ]
[ Housecall online virus scan ] [ Bitdefender online virus scan ]
[ AVG antivirus ] [ Sunbelt Personal Firewall ] [ ZoneAlarm firewall ]

My help is free, but if we have helped you in any way, please consider donating;
see this topic for details.
We need members like you.

========
Shouldn't water be worth more than diamonds?
Adam Smith Glasgow, 1760

#33 mistersmith

mistersmith

    Member

  • Full Member
  • Pip
  • 40 posts

Posted 24 May 2007 - 09:24 AM

Nice work, your log is clean.

Please read this Prevention page with lots of info and tips on how to prevent this in the future.
http://users.telenet...prevention.html


THANK YOU!! :D

#34 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,081 posts

Posted 24 May 2007 - 09:27 AM

Glad we could help. :wave:

#35 nasdaq

nasdaq

    Forum Deity

  • Global Moderator
  • PipPipPipPipPip
  • 49,081 posts

Posted 04 June 2007 - 08:16 AM

Glad we could help. :)

If you need this topic reopened, please tell the moderating team by replying here with the address of the thread. This applies only to the original topic starter. Everyone else please begin a New Topic.
