Major infection...


Error1355

Thread Starter
Joined
Nov 22, 2005
Messages
25
My brother apparently was looking to download some "Free online games" and all this junk happened.

Here is a HijackThis log... Please help! ;_;

Logfile of HijackThis v1.99.1
Scan saved at 11:35:43 AM, on 12/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\paytime.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\paytime.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\oodag.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\deleted later\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search.com/partner/primenet
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Teh Internetz!
O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hp7ACD.tmp
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKLM\..\Run: [WinAntiVirusPro2006] "C:\Program Files\WinAntiVirus Pro 2006\WinAV.exe" /min
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Transfer with Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Magic Nettrace - {92848C13-5482-49CB-B31C-CA8D74EFF508} - C:\Program Files\Magic NetTrace\MTIE.exe
O9 - Extra 'Tools' menuitem: &Magic Nettrace - {92848C13-5482-49CB-B31C-CA8D74EFF508} - C:\Program Files\Magic NetTrace\MTIE.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://*.billingnow.com
O15 - Trusted Zone: http://*.reliablestats.com
O15 - Trusted Zone: http://*.winantispyware.com
O15 - Trusted Zone: http://*.winantivirus.com
O15 - Trusted Zone: http://*.winantiviruspro.com
O15 - Trusted Zone: http://*.winfixer.com
O15 - Trusted Zone: http://*.winnanny.com
O15 - Trusted Zone: http://*.winsoftware.com
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
 
Joined
Feb 15, 2004
Messages
12,302
Hi, welcome to TSG.

You don't appear to have a firewall. Even if you have a router you still need
a software firewall; download the one from the link below!

Filseclab Personal Firewall Professional Edition

http://www.filseclab.com/eng/download/downloads.htm

http://www.wilderssecurity.com/showthread.php?t=92710


Also, if you don't have an anti-virus programme, download the one below, install it, update it and run a full system scan.


AntiVir

http://www.free-av.com/



Download DelDomains.inf from here:

http://www.mvps.org/winhelp2002/DelDomains.inf

Right-click DelDomains.inf and choose Install.

Download the pocket killbox

http://www.bleepingcomputer.com/files/killbox.php



* Click here to download smitRem.zip.


for W2k & XP

http://noahdfear.geekstogo.com/click counter/click.php?id=1




* Save the file to your desktop.
* Unzip smitRem.zip to extract the two files it contains.
* Do not do anything with it yet. You will run the RunThis.bat file later in safe mode.



* Download Cleanup from here


http://www.stevengould.org/software/cleanup/download.html




* A window will open and choose SAVE, then DESKTOP as the destination.
* On your Desktop, click on Cleanup40.exe icon.
* Then, click RUN and place a checkmark beside "I Agree"
* Then click NEXT followed by START and OK.
* A window will appear with many choices, keep all the defaults as set when the Slide Bar to the left is set to Standard Quality.
* Click OK
* DO NOT RUN IT YET



* Download the trial version of Ewido Security Suite.



http://www.ewido.net/en/


* Install ewido.
* During the installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
* Launch ewido
* It will prompt you to update; click the OK button and it will go to the main screen.
* On the left side of the main screen click update
* Click on Start and let it update.
* DO NOT run a scan yet. You will do that later in safe mode.



* Click here for info on how to boot to safe mode if you don't already know how.


http://service1.symantec.com/SUPPOR...2001052409420406?OpenDocument&src=sec_doc_nam



* Now copy these instructions to notepad and save them to your desktop. You will need them to refer to in safe mode.


* Restart your computer into safe mode now. Perform the following steps in safe mode:


* Run HijackThis again and put a check by these. Close ALL windows except HijackThis and click "Fix checked".



R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search.com/partner/primenet
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Teh Internetz!
O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hp7ACD.tmp
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present



Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill.
In the Full Path of File to Delete box, copy and paste each of the following
lines one at a time then click on the button that has the red circle with the
X in the middle after you enter each file. It will ask for confirmation to
delete the file. Click Yes. Continue with that same procedure until you have
copied and pasted all of these in the Paste Full Path of File to Delete box.



Note: It is possible that Killbox will tell you that one or more files do not
exist. If that happens, just continue on with all the files. Be sure you
don't miss any.


c:\secure32.html
C:\WINDOWS\system32\nvctrl.exe
C:\WINDOWS\system32\mssearchnet.exe
C:\WINDOWS\system32\hp7ACD.tmp
C:\WINDOWS\system32\paytime.exe




* Open the smitRem folder, then double click the RunThis.bat file to start the tool. Follow the prompts on screen.
Wait for the tool to complete and disk cleanup to finish.



* Run Ewido:

* Click on scanner
* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop






* Run Cleanup:

* Click on the "Cleanup" button and let it run.
* Once it's done, close the program.


* Go to Control Panel > Internet Options. Click on the Programs tab then
click the "Reset Web Settings" button. Click Apply then OK.



* Next go to Control Panel > Display. Click on the "Desktop" tab then click
the "Customize Desktop" button. Click on the "Web" tab. Under "Web Pages" you
should see an entry checked called something like "Security info" or similar.
If it is there, select that entry and click the "Delete" button. Click OK
then Apply and OK.


* Restart back into Windows normally now.



Run an online antivirus check from

http://www.kaspersky.com/virusscanner





* Run ActiveScan online virus scan here

http://www.pandasoftware.com/products/activescan.htm


When the scan is finished, have it delete anything that it cannot clean. Make a note of the file location of anything that cannot be deleted so you can delete it yourself.
- Save the results from the scan!



Post another HijackThis log, the ewido and ActiveScan logs and
the contents of smitfiles.txt from the smitRem folder.
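
A triage script for logs like the ones in this thread, added here as an example; it is not part of the original thread, of HijackThis, or of any tool the helper links to. It parses the R/F/N/O entry lines, applies rules built from the indicators the helper fixed (an IE start/default/local page pointing at a local file, a BHO loaded from a .tmp, O6 policy restrictions, Trusted Zone grants to the winantivirus-family domains, and the files sent to Killbox), and then diffs a "before" and "after" log to show which flagged entries survived the cleanup. The two embedded logs are short excerpts of the logs posted above, the indicator lists are copied from the helper's instructions, and every function and rule name is the example's own.

```python
"""HijackThis log triage: parse entries, flag the indicators seen in this
thread, and diff two logs to see which flagged entries survived cleanup.

Added example; not part of the thread or of HijackThis. Indicator lists are
taken from the entries the helper told the poster to fix; the sample logs
are excerpts of the posted logs, embedded so the script runs offline.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Matches "R0 - ...", "O4 - ...", "O15 - ..." entry lines; the header and
# the running-process list do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d{1,2}) - (?P<body>.+)$")

# From this thread: the hijacked start page, the files deleted with Killbox,
# and the rogue-vendor domains added to IE's Trusted Zone (DelDomains.inf).
BAD_FILES = {"secure32.html", "paytime.exe", "nvctrl.exe", "mssearchnet.exe"}
BAD_ZONE_DOMAINS = {
    "billingnow.com", "reliablestats.com", "winantispyware.com",
    "winantivirus.com", "winantiviruspro.com", "winfixer.com",
    "winnanny.com", "winsoftware.com",
}
# Loose Windows path / filename token ending in an interesting extension;
# quotes, brackets and commas terminate the token.
PATH_RE = re.compile(r"[\w.:\\ -]+\.(?:exe|html|tmp|dll)", re.I)


@dataclass(frozen=True)
class Entry:
    section: str
    body: str

    def line(self) -> str:
        return f"{self.section} - {self.body}"


def parse_log(text: str) -> list[Entry]:
    """Return the R/F/N/O entries of a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["sec"], m["body"]))
    return entries


def basename(path: str) -> str:
    return path.strip().rsplit("\\", 1)[-1].lower()


def reason(e: Entry) -> Optional[str]:
    """Why an entry is suspicious, or None if none of the rules match."""
    body = e.body
    # R0/R1: start/default/local page set to a local file instead of a URL.
    if e.section in ("R0", "R1") and re.search(r"= [a-z]:\\", body, re.I):
        return "IE page setting points at a local file"
    # O2: a BHO loaded from a .tmp file is not how anything legitimate installs.
    if e.section == "O2" and body.lower().endswith(".tmp"):
        return "BHO loaded from a .tmp file"
    # O6: IE policy restrictions, used by the hijacker to lock its settings in.
    if e.section == "O6":
        return "IE policy restriction present"
    # O15: Trusted Zone grants to known rogue vendor domains.
    if e.section == "O15":
        dom = body.split("://")[-1].lstrip("*.").rstrip("/").lower()
        if dom in BAD_ZONE_DOMAINS:
            return f"rogue domain {dom} in Trusted Zone"
    # Anything else (O4 autoruns in particular): reference to a known-bad file.
    for tok in PATH_RE.findall(body):
        if basename(tok) in BAD_FILES:
            return f"references known-bad file {basename(tok)}"
    return None


def flagged(entries: list[Entry]) -> list[tuple[Entry, str]]:
    return [(e, r) for e in entries if (r := reason(e))]


def still_present(before: str, after: str) -> list[Entry]:
    """Flagged entries from the first log that are still in the second."""
    later = set(parse_log(after))
    return [e for e, _ in flagged(parse_log(before)) if e in later]


# Excerpts of the two logs posted in the thread (constructed sample input).
LOG_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\paytime.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.search.com/partner/primenet
O2 - BHO: HomepageBHO - {e0103cd4-d1ce-411a-b75b-4fec072867f4} - C:\WINDOWS\system32\hp7ACD.tmp
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O15 - Trusted Zone: http://*.winfixer.com
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
"""
LOG_AFTER = r"""
Logfile of HijackThis v1.99.1
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O18 - Filter: text/html - (no CLSID) - (no file)
"""

if __name__ == "__main__":
    for e, why in flagged(parse_log(LOG_BEFORE)):
        print(f"FIX   {e.line()}\n      -> {why}")
    for e in still_present(LOG_BEFORE, LOG_AFTER):
        print(f"STILL PRESENT after cleanup: {e.line()}")
```

Run against the two full logs in this thread, the diff step shows the one flagged entry that survived: the HKCU `[PayTime]` Run value. Killbox removed paytime.exe from disk, but the registry value that launches it was not fixed, which is why it still shows in the second log. The rules are indicators from this one thread rather than a general detection set; in particular the helper's `Default_Search_URL` fix is not covered by them.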
 

Error1355

I've noticed the computer running better, but the firewall keeps blocking something that it says is a trojan. >_>

Logfile of HijackThis v1.99.1
Scan saved at 5:23:38 PM, on 12/29/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\AVPersonal\AVGNT.EXE
C:\Program Files\AVPersonal\AVGUARD.EXE
C:\Program Files\AVPersonal\AVWUPSRV.EXE
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\oodag.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Filseclab\FilMsg.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Filseclab\xfilter\xfilter.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\mIRC\mirc.exe
C:\deleted later\HijackThis.exe

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [XFILTER] "C:\Program Files\Filseclab\xfilter\xfilter.exe" -a
O4 - HKLM\..\Run: [AVGCtrl] "C:\Program Files\AVPersonal\AVGNT.EXE" /min
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Filseclab Messenger.lnk = ?
O4 - Global Startup: Forget Me Not.lnk = C:\Program Files\Broderbund\AG CreataCard\AGRemind.exe
O8 - Extra context menu item: &Google Search - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://C:\Program Files\Google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://C:\Program Files\Google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://C:\Program Files\Google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://C:\Program Files\Google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Transfer with Image Converter 2 - C:\Program Files\Sony\Image Converter 2\menu.htm
O8 - Extra context menu item: Translate Page into English - res://C:\Program Files\Google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Magic Nettrace - {92848C13-5482-49CB-B31C-CA8D74EFF508} - C:\Program Files\Magic NetTrace\MTIE.exe
O9 - Extra 'Tools' menuitem: &Magic Nettrace - {92848C13-5482-49CB-B31C-CA8D74EFF508} - C:\Program Files\Magic NetTrace\MTIE.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\filseclab\xfilter\xfilter.dll
O16 - DPF: {54B52E52-8000-4413-BD67-FC7FE24B59F2} (EARTPatchX Class) - http://simcity.ea.com/update/EARTPX.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/activedata/SymAData.dll
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/activedata/ActiveData.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Filter: text/html - (no CLSID) - (no file)
O18 - Filter: text/plain - (no CLSID) - (no file)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir Service (AntiVirService) - H+BEDV Datentechnik GmbH - C:\Program Files\AVPersonal\AVGUARD.EXE
O23 - Service: AntiVir Update (AVWUpSrv) - H+BEDV Datentechnik GmbH, Germany - C:\Program Files\AVPersonal\AVWUPSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O&O Defrag - O&O Software GmbH - C:\WINDOWS\System32\oodag.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 3:04:19 PM, 12/29/2005
+ Report-Checksum: 4AA49612

+ Scan result:

C:\!KillBox\nvctrl.exe -> Downloader.Zlob.dl : Cleaned with backup
C:\!KillBox\paytime.exe -> Hijacker.StartPage.agq : Cleaned with backup
:mozilla.26:C:\Documents and Settings\J SHERMAN\Application Data\Mozilla\Firefox\Profiles\default.uw1\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.28:C:\Documents and Settings\J SHERMAN\Application Data\Mozilla\Firefox\Profiles\default.uw1\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.29:C:\Documents and Settings\J SHERMAN\Application Data\Mozilla\Firefox\Profiles\default.uw1\cookies.txt -> Spyware.Cookie.Statcounter : Cleaned with backup
:mozilla.41:C:\Documents and Settings\J SHERMAN\Application Data\Mozilla\Firefox\Profiles\default.uw1\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.42:C:\Documents and Settings\J SHERMAN\Application Data\Mozilla\Firefox\Profiles\default.uw1\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.47:C:\Documents and Settings\J SHERMAN\Application Data\Mozilla\Firefox\Profiles\default.uw1\cookies.txt -> Spyware.Cookie.Burstnet : Cleaned with backup
:mozilla.48:C:\Documents and Settings\J SHERMAN\Application Data\Mozilla\Firefox\Profiles\default.uw1\cookies.txt -> Spyware.Cookie.Burstbeacon : Cleaned with backup
:mozilla.56:C:\Documents and Settings\J SHERMAN\Application Data\Mozilla\Firefox\Profiles\default.uw1\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.57:C:\Documents and Settings\J SHERMAN\Application Data\Mozilla\Firefox\Profiles\default.uw1\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.58:C:\Documents and Settings\J SHERMAN\Application Data\Mozilla\Firefox\Profiles\default.uw1\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.59:C:\Documents and Settings\J SHERMAN\Application Data\Mozilla\Firefox\Profiles\default.uw1\cookies.txt -> Spyware.Cookie.Com : Cleaned with backup
:mozilla.132:C:\Documents and Settings\J SHERMAN\Application Data\Mozilla\Firefox\Profiles\default.uw1\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.133:C:\Documents and Settings\J SHERMAN\Application Data\Mozilla\Firefox\Profiles\default.uw1\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.134:C:\Documents and Settings\J SHERMAN\Application Data\Mozilla\Firefox\Profiles\default.uw1\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.135:C:\Documents and Settings\J SHERMAN\Application Data\Mozilla\Firefox\Profiles\default.uw1\cookies.txt -> Spyware.Cookie.Serving-sys : Cleaned with backup
:mozilla.137:C:\Documents and Settings\J SHERMAN\Application Data\Mozilla\Firefox\Profiles\default.uw1\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.138:C:\Documents and Settings\J SHERMAN\Application Data\Mozilla\Firefox\Profiles\default.uw1\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.139:C:\Documents and Settings\J SHERMAN\Application Data\Mozilla\Firefox\Profiles\default.uw1\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.140:C:\Documents and Settings\J SHERMAN\Application Data\Mozilla\Firefox\Profiles\default.uw1\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.141:C:\Documents and Settings\J SHERMAN\Application Data\Mozilla\Firefox\Profiles\default.uw1\cookies.txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
:mozilla.432:C:\Documents and Settings\J SHERMAN\Application Data\Mozilla\Firefox\Profiles\default.uw1\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.436:C:\Documents and Settings\J SHERMAN\Application Data\Mozilla\Firefox\Profiles\default.uw1\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
:mozilla.437:C:\Documents and Settings\J SHERMAN\Application Data\Mozilla\Firefox\Profiles\default.uw1\cookies.txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\J SHERMAN\Cookies\j [email protected][1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\Documents and Settings\J SHERMAN\Cookies\j [email protected][2].txt -> Spyware.Cookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\J SHERMAN\Cookies\j [email protected][2].txt -> Spyware.Cookie.Euroclick : Cleaned with backup
C:\Documents and Settings\J SHERMAN\Cookies\j [email protected][2].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\J SHERMAN\Cookies\j [email protected][2].txt -> Spyware.Cookie.Com : Cleaned with backup
C:\Documents and Settings\J SHERMAN\Cookies\j [email protected][2].txt -> Spyware.Cookie.Sexcounter : Cleaned with backup
C:\Documents and Settings\J SHERMAN\Cookies\j [email protected][1].txt -> Spyware.Cookie.Clickzs : Cleaned with backup
C:\Documents and Settings\J SHERMAN\Cookies\j [email protected][1].txt -> Spyware.Cookie.Adjuggler : Cleaned with backup
C:\Documents and Settings\J SHERMAN\Cookies\j [email protected][1].txt -> Spyware.Cookie.Liveperson : Cleaned with backup
C:\Documents and Settings\J SHERMAN\Cookies\j [email protected][1].txt -> Spyware.Cookie.Statcounter : Cleaned with backup
C:\Documents and Settings\J SHERMAN\Cookies\j [email protected][1].txt -> Spyware.Cookie.Burstnet : Cleaned with backup
C:\Documents and Settings\J SHERMAN\Cookies\j [email protected][1].txt -> Spyware.Cookie.Myaffiliateprogram : Cleaned with backup
C:\Program Files\MediaPipe\altpayV2.exe -> Adware.WeirWeb : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP792\A0124721.dll -> Spyware.Wheaterbug : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP792\A0124754.exe -> Adware.WeirWeb : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP829\A0130929.exe -> Adware.Spyaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP829\A0130932.dll -> Adware.SpySheriff : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP829\A0130934.dll -> Spyware.SpywareNo : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP829\A0130935.dll -> Adware.SpySheriff : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP830\A0130959.exe -> Adware.SpySheriff : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP831\A0130965.exe -> Not-A-Virus.Hoax.Win32.Renos.aj : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP831\A0131003.exe -> Downloader.Zlob.dl : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP831\A0131005.exe -> Hijacker.StartPage.agq : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP831\A0131017.exe -> Adware.Spyaxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP831\A0131018.dll -> Downloader.SpyAxe : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP831\A0131022.exe -> Downloader.Zlob.dm : Cleaned with backup


::Report End
 

Error1355

The post was too big, so here is another log.


Creation date of the report file: Thursday, December 29, 2005 12:43

AntiVir®/XP (2000 + NT) PersonalEdition Classic
Build 1114 of 04.11.2005
Mainprogram 6.32.00.51 of 03.11.2005
VDF file 6.33.0.64 (0) of 25.12.2005


This program is for PERSONAL USE only.
Any other use is PROHIBITED.
Informations regarding commercial versions of AntiVir may be obtained from:
www.hbedv.com.


Scanning for 269002 virus strains and unwanted programs.

Licensed for: AntiVir Personal Edition
Serial number: 0000149991-WURGE-0001

Please enter the workstation and
contact name with phone number in this form:

Name ___________________________________________

Street ___________________________________________

Town ___________________________________________

Phone/Fax ___________________________________________

Email ___________________________________________

Platform: Windows NT Workstation
Windows version: 5.1 Build 2600 (Service Pack 2)
Username: J SHERMAN
Computername: DG10F141
Processor: Pentium
Working memory: 523260 KB free

Version information:
AVWIN.DLL : 6.32.00.51 561192 04.11.2005 07:50:54
AVEWIN32.DLL : 6.33.0.70 1008128 19.12.2005 17:05:16
AVGNT.EXE : 6.32.00.02 180327 03.11.2005 17:06:56
AVGUARD.EXE : 6.32.00.12 208424 03.11.2005 17:06:58
GUARDMSG.DLL : 6.30.00.02 94248 01.02.2005 10:24:12
AVGCMSG.DLL : 6.32.00.01 295029 03.11.2005 17:06:58
AVGNTDW.SYS : 6.31.00.01 32896 29.04.2005 08:07:16
AVPACK32.DLL : 6.32.00.02 319528 03.11.2005 16:57:42
AVGETVER.DLL : 6.30.00.00 24576 28.01.2005 17:10:20
AVSHLEXT.DLL : 6.30.00.01 40960 28.01.2005 17:10:22
AVSched32.EXE : 6.32.00.01 110632 20.09.2005 14:16:26
AVSched32.DLL : 6.30.00.00 122880 01.02.2005 10:24:12
AVREG.DLL : 6.31.00.05 41000 07.09.2005 16:34:50
AVRep.DLL : 6.33.00.50 1605672 22.12.2005 11:40:02
INETUPD.EXE : 6.32.00.53 262203 04.11.2005 07:49:30
INETUPD.DLL : 6.32.00.53 143360 04.11.2005 07:49:30
CTL3D32.DLL : 2.31.000 27136 29.08.2002 06:00:00
MFC42.DLL : 6.02.4131.0 1028096 04.08.2004 02:56:42
MSVCRT.DLL : 7.0.2600.2180 (xpsp_sp2_rtm.0408
MSVCRT.DLL : 7.0.2600.2180 343040 04.08.2004 02:56:44
CTL3DV2.DLL : 2.31.000 27632 04.09.1996 14:01:24

Configuration file:

Name of configuration file: C:\Program Files\AVPersonal\AVWIN.INI
Name of report file: C:\Program Files\AVPersonal\LOGFILES\AVWIN.LOG
Start path: C:\Program Files\AVPersonal
Command line: /ah /bask /ns
Start mode: Selected drives

Mode of report file:
[ ] Do not create report
[X] Overwrite report
[ ] Append new report

Data in report file:
[X] Infected files
[ ] Infected files with paths
[ ] All scanned files
[ ] Full information

Abridge report file:
[ ] Abridge report file

Warnings in report:
[X] Access denied/file locked
[X] Wrong file size in directory
[X] Wrong creation time in directory
[ ] COM file is too large
[X] Invalid start address
[X] Invalid EXE header
[X] Possibly damaged

Summary report:
[X] Create summary report
Output file: AVWIN.ACT
Maximum number of entries: 100

Where to search:
[X] Memory
[X] Boot record of selected drives
[ ] Report unknown boot sectors
[ ] All files
[X] Program files
Extensions: .386 .?HT* .ACM .ADE .ADP .ANI .APP .ASD .ASF .ASP .ASX .AWX .AX .BAS .BAT .BIN .BOO .CDF .CHM .CLASS .CMD .CNV .COM .CPL .CRT .CSH .DLL .DLO .DO? .DRV .EMF .EML .EXE* .FLT .FOT .HLP .HT* .INF .INI .INS .ISP .J2K .JAR .JFF .JFI .JFIF .JIF .JMH .JNG .JP2 .JPE .JPEG .JPG .JS* .JSE .LNK .MD? .MDB .MOD .MS? .NWS .OBJ .OCX .OLB .OSD .OV? .PCD .PDR .PGM .PHP .PIF .PKG .PL* .PNG .POT .PPS .PPT .PRG .RAR .REG .RPL .RTF .SBF .SCR .SCRIPT .SCT .SH .SHA .SHB .SHS .SHTM* .SPL .SWF .SYS .TLB .TMP .TSP .TTF .URL .VB? .VCS .VLM .VXD .VXO .WIZ .WLL .WMD .WMS .WMZ .WPC .WSC .WSF .WSH .WWK .XL? .XML .ZIP

Response in case of a detection:
[X] Repair with prompt
[ ] Repair without prompt
[ ] Delete with prompt
[ ] Delete without prompt
[ ] Write in report file only
[X] Acoustic alarm

Response in case of destroyed files:
[X] Delete with prompt
[ ] Delete without prompt
[ ] Ignore

Response in case of destroyed files:
[X] No change
[ ] Current system time
[ ] Correct date

Drag&drop settings:
[X] Scan subdirectories

Profile settings:
[X] Scan subdirectories

Archive options
[X] Search archive
[X] All archive types

Miscellaneous options:
Temporary path: %TEMP% -> C:\DOCUME~1\JSHERM~1\LOCALS~1\Temp
[X] Overwrite infected files
[ ] Detect idle time
[X] Allow interruptions of scan
[X] Load AVWin®/NT Guard on System start

General settings:
[X] Save options on exiting AntiVir
Priority: medium

Drives:
A: Floppy drive
C: Hard disk
D: CD-ROM
F: CD-ROM

Start of scan: Thursday, December 29, 2005 12:43

Memory test OK
Master boot record of hard disk HD0 OK
Boot record of drive C: OK

Drive: C:
Volume ID: Serial No.: AA-50E9
Access denied! Error during file opening!
Error code: 0x0002
C:\

WARNING! Access error/file locked!
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery
Access denied! Error during file opening!
Error code: 0x0002
C:\Documents and Settings\J SHERMAN\Desktop\John's Folder\Media\Programs\WinAmp\Version 5.01

WARNING! Access error/file locked!
C:\Documents and Settings\J SHERMAN\Local Settings\Temp
dismountpreview031.zip
ArchiveType: ZIP
impnjaod.exe
[DETECTION] Is the Trojan horse TR/Dialer.AY.6
WAS DELETED!
C:\Documents and Settings\J SHERMAN\Local Settings\Temporary Internet Files\Content.IE5\BU3PH9FZ
wbkE6.tmp
[DETECTION] Contains signature of the exploits EXP/VBS.Phel.I
WAS DELETED!
C:\Documents and Settings\J SHERMAN\Local Settings\Temporary Internet Files\Content.IE5\I1SZQXQ1
gdnUS2332[1].exe
[DETECTION] Is the Trojan horse TR/Dldr.Small.ayl.0
WAS DELETED!
C:\Documents and Settings\J SHERMAN\Local Settings\Temporary Internet Files\Content.IE5\UF4NJCP8
b[1].htm
[DETECTION] Contains signature of the exploits EXP/JS.CVE2005-1790
WAS DELETED!
f[1].htm
[DETECTION] Contains signature of the exploits EXP/JS.CVE2005-1790
WAS DELETED!
C:\mIRC
mirc.zip
ArchiveType: ZIP
C:\Program Files\WinRAR
rarnew.dat
ArchiveType: RAR
NOTE! The archive is created by multiple volumes
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP830
A0130957.exe
[DETECTION] Is the Trojan horse TR/Click.Spywad.l
WAS DELETED!
C:\WINDOWS
soft.exe
[DETECTION] Is the Trojan horse TR/Click.Spywad.l
WAS DELETED!
C:\WINDOWS\SYSTEM32
hp7ACD.tmp
[DETECTION] Contains signature of the worm WORM/Ider.A.Rkit
Could not be deleted!
ld7AEC.tmp
[DETECTION] Is the Trojan horse TR/Dldr.Zlob.CV
Could not be deleted!
C:\WINDOWS\SYSTEM32\CONFIG
DEFAULT
Access denied! Error during file opening!
Error code: 0x000D
WARNING! Access error/file locked!
SAM
Access denied! Error during file opening!
Error code: 0x000D
WARNING! Access error/file locked!
SECURITY
Access denied! Error during file opening!
Error code: 0x000D
WARNING! Access error/file locked!
SOFTWARE
Access denied! Error during file opening!
Error code: 0x000D
WARNING! Access error/file locked!
SYSTEM
Access denied! Error during file opening!
Error code: 0x000D
WARNING! Access error/file locked!

End of scan: Thursday, December 29, 2005 13:17
Time taken: 34:38 min


10593 directories were scanned
207568 files were scanned
9 warning messages were issued
7 files were deleted
0 files were repaired
9 detections

I couldn't find a smitRem.txt file in the smitRem folder.
 
Joined
Feb 15, 2004
Messages
12,302
Have you got the Ewido log, Kaspersky and Panda?

If you haven't run Kaspersky or Panda please do so, as they will tell us where the rest of these pests are; then we can remove them with the Killbox!


Have HijackThis fix this one!

O4 - HKCU\..\Run: [PayTime] C:\WINDOWS\system32\paytime.exe



Go to this site and download these tools, and once you get both
Ad-Aware SE 1.6 and Spybot, update both of them.

Set Ad-Aware to do a full system scan and deselect "search for negligible risk
entries". Click Next to start the scan. Delete everything Ad-Aware finds.

Reboot and now run Spybot.

Spybot: Search and Destroy.

Delete what Spybot finds marked in red. After updating Spybot, hit the
Immunize button.

reboot again


With CWshredder close all browsers and programmes and select the FIX button.



Go here and download Microsoft AntiSpyware Beta. First, in the top menu click
File, then Check for updates to download the definitions updates.

After updating look in the right side of the main window under "Run Quick
Scan Now" and click Spyware scan options. In that window put a tick by Run a
full system scan and then put a check by all three options below that then
click Run Scan now.

When the scan is finished, let it fix anything that it finds (have it
quarantine the items that have that option rather than delete just in case.
It is a beta program and there may be false positives)

Restart your computer.


All tools can be downloaded at the link below and found on that page!


. Microsoft® Windows AntiSpyware
. Trend micro CWShredder
. SpyBot search and destroy
. AdAware SE personal


http://www.majorgeeks.com/downloads31.html



post another log!
 