
Solved: trojan troubles

Discussion in 'Virus & Other Malware Removal' started by tonedown49, Jul 9, 2007.

  1. tonedown49 (Thread Starter; joined Apr 8, 2005; 53 messages)
    Have a trojan virus. My anti-virus keeps detecting, but can't seem to delete it. Shows as WINNT/system32/oppolo.dll. Now, I can't even boot up (except for safe mode); just gets to the "Windows is starting up" and turns off and reboots. Kept trying to run a Hijack This log, but it keeps generating errors and shutting down, even in safe mode. Did manage to save this somehow:
    Logfile of HijackThis v1.99.1
    Scan saved at 9:11:49 PM, on 7/6/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINNT\system32\LxrJD31s.exe
    C:\WINNT\system32\pctspk.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe
    C:\WINNT\System32\sistray.EXE
    C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
    C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINNT\retadpu1000106.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
    C:\WINNT\system32\mshta.exe
    C:\WINNT\System32\msdtc.exe
    C:\WINNT\system32\cmd.exe
    C:\Documents and Settings\Tony Owen\ie_update3r.exe
    C:\WINNT\ieupdr.exe
    C:\WINNT\system32\mshta.exe
    C:\WINNT\system32\mshta.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Tony Owen\My Documents\HJT\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
    O4 - HKLM\..\Run: [Excite Toolbar] C:\PROGRA~1\Excite\Toolbar\ExLaunch.exe
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [TgAddServer] "c:\@Home\tioga\bin\tgfix" /fds "http://www/download/tioga"
    O4 - HKLM\..\Run: [Tgcmd] "c:\@Home\tioga\bin\tgcmd.exe" /server /nosystray
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
    O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [dwStart] C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
    O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main
    O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [runner1] C:\WINNT\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F 310
    O4 - HKLM\..\Run: [Winmplayer] "C:\WINNT\system32\KB_963491.exe"
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
    O4 - Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: @Home - {5957B14A-F356-4D51-B440-9B8ABC40D431} - http://home.excite.com (file missing) (HKCU)
    O10 - Broken Internet access because of LSP provider 'farlsp.dll' missing
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O15 - Trusted Zone: http://www.myspace.com
    O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/game...ts/y/jt0_x.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct2_x.cab
    O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/game...s/y/dot2_x.cab
    O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/game...ts/y/tt2_x.cab
    O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/game.../y/mjst4_x.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-12.cab
    O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
    O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2...ll/xscan53.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemp...veSecurity.cab
    O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.26.98/images/PopupSh.ocx
    O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download...basetup162.cab
    O18 - Protocol: advert - {7DC356B2-7366-4F19-BF7A-4875F6AABEA0} - C:\WINNT\System32\nodeipproc.dll (file missing)
    O20 - AppInit_DLLs:
    O23 - Service: ADOUA - Unknown owner - C:\DOCUME~1\TONYOW~1\LOCALS~1\Temp\ADOUA.exe (file missing)
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe
    O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Unknown owner - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe (file missing)
    O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe

    Any assistance would be most appreciated.
     
  2. askey127 (Malware Specialist; joined Dec 22, 2006; 3,721 messages)
    Hi tonedown49,
    You may want to print this out, or save it as a Notepad document on your Desktop, since you won't have Internet access in Safe Mode.
    -----------------------------------------------------------
    Stop Processes Prior to Deletion
    Close ALL open windows. Use Ctrl-Alt-Delete together, choose to bring up the task manager.
    Under the processes tab, if it is visible, check the box 'Show processes from all users'.
    One at a time, highlight each of these that are listed and "End Process":

    retadpu1000106.exe
    ie_update3r.exe
    ieupdr.exe

    ----------------------------------------------------------
    Download and Install CCleaner
    • Download CCleaner from here
    • Double click on ccsetupXXX_slim.exe to start the installation of CCleaner. (XXX is the version number)
    • Click OK
    • Click Next
    • Click I agree
    • Click Next
    • Click Install
    • Once the installation has finished, click Finish
    Don't run it yet.
    -----------------------------------------------------------
    Use Add/Remove Programs In Control Panel
    From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
    Highlight each Entry, as follows, one by one, if it exists, and choose Remove :
    Empire Poker
    Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into Keeping the program.
    -----------------------------------------------------------
    Remove log items with HijackThis. Start HijackThis.
    Click Do System Scan Only. When the Scan is complete, Check the following entries:
    (Some of these lines may be missing)
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
    O4 - HKLM\..\Run: [TgAddServer] "c:\@Home\tioga\bin\tgfix" /fds "http://www/download/tioga"
    O4 - HKLM\..\Run: [Tgcmd] "c:\@Home\tioga\bin\tgcmd.exe" /server /nosystray
    O4 - HKLM\..\Run: [runner1] C:\WINNT\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F 310
    O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
    O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePoker\EmpirePoker.exe (file missing)
    O15 - Trusted Zone: http://www.myspace.com
    O20 - AppInit_DLLs:
    O23 - Service: ADOUA - Unknown owner - C:\DOCUME~1\TONYOW~1\LOCALS~1\Temp\ADOUA.exe (file missing)
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Unknown owner - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe (file missing)

    Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked.
    -----------------------------------------------------------
    Stop and Disable Services
    Go to Start, Run OR Start, Programs, Accessories, Command Prompt and type Services.msc and click OK (If you use the command prompt, you type services.msc, hit enter, and type exit to get out).
    Under the Extended Tab, Scroll down and find the service.

    ADOUA

    Click once on the service to highlight it.
    Right-Click on the service. Click on Properties
    Select the General tab.
    Next to Service Status, click Stop.
    Click the Arrow-down tab on the right-hand side of the Start-up Type box.
    From the drop-down menu, click on Disabled
    Click Apply , then OK
    Repeat the above procedure for the Service named Tmntsrv

    Delete one of the Services
    Open HiJackThis. Click on Config, Misc Tools, Delete an NT Service
    Type ADOUA in the space provided and click OK
    The program will ask you to REBOOT --- Accept.

    REBOOT into SAFE MODE (tap F8 key repeatedly while booting until menu comes up; choose Safe Mode)
    Using Windows Explorer (My Computer), locate and DELETE the following files (if still present):

    C:\Documents and Settings\Tony Owen\Local Settings\Temp\ADOUA.exe
    C:\Documents and Settings\Tony Owen\ie_update3r.exe
    C:\WINNT\ieupdr.exe
    -----------------------------------------------------------
    REBOOT back into Normal Mode
    -----------------------------------------------------------
    Start CCleaner
    Run CCleaner Cleaning Scan. This will remove all Temp files, cookies, and Internet History.
    Click on the Cleaner block on the left. Choose the Windows tab.
    Click the Run Cleaner button. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.
    Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.
    -----------------------------------------------------------
    Post a New HJT Log
    Reboot your computer. Start HijackThis. Click Do System Scan and Save a Log File.
    When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply.

    askey127
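As an added example (not code from this thread, from askey127, or from HijackThis itself), here is a small Python triage helper that parses lines in the HijackThis log format posted above and flags the kinds of entries the instructions single out: "(file missing)" orphans, binaries sitting in the Windows root or a user-profile root, Trusted Zone additions, and Winlogon Notify / AppInit load points. The sample lines are copied from the logs in this thread; the flagging heuristics are my assumptions, not HijackThis's own rules, and the system drive is assumed to be C:.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a handful of lines copied from the HijackThis logs in
# this thread, so the parser can be run offline.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {B2397521-DB70-4EFB-B9FA-C209F0DCC18E} - C:\WINNT\system32\oppol.dll
O2 - BHO: H - {7AD924F3-6353-4f92-B034-A900434ECCAF} - xcvbbnnm.dll (file missing)
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Microsoft] C:\WINNT\wuauclt.exe
O4 - HKLM\..\Run: [runner1] C:\WINNT\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F 310
O15 - Trusted Zone: http://www.myspace.com
O20 - Winlogon Notify: oppol - C:\WINNT\system32\oppol.dll
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Unknown owner - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# One HijackThis entry is "<section code> - <body>", e.g. "O4 - HKLM\..\Run: [x] C:\x.exe".
LINE_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# Paths are either quoted (may contain spaces) or bare, ending in a known extension.
QUOTED_PATH_RE = re.compile(r'"([A-Za-z]:\\[^"]+)"')
BARE_PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|sys|ocx)\b", re.IGNORECASE)

WINDOWS_ROOTS = ("c:\\winnt", "c:\\windows")  # assumption: system drive is C:


@dataclass
class Entry:
    code: str
    body: str
    path: Optional[str]
    flags: List[str] = field(default_factory=list)


def extract_path(body: str) -> Optional[str]:
    """Return the first drive-letter path in an entry body, or None."""
    m = QUOTED_PATH_RE.search(body)
    if m:
        return m.group(1)
    m = BARE_PATH_RE.search(body)
    return m.group(0) if m else None


def parent_dir(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def triage(entry: Entry) -> List[str]:
    """Heuristic review flags (my assumptions, not HijackThis rules)."""
    flags = []
    if "(file missing)" in entry.body:
        flags.append("orphaned: referenced file is missing")
    if entry.code == "O2" and "(no name)" in entry.body:
        flags.append("unnamed BHO (weak signal; some legitimate BHOs omit a name)")
    if entry.code == "O15":
        flags.append("trusted zone: site gets relaxed IE security settings")
    if entry.code == "O20":
        flags.append("winlogon/appinit load point: DLL runs inside privileged processes")
    if entry.path:
        parent = parent_dir(entry.path)
        if parent in WINDOWS_ROOTS:
            flags.append("location: binary in Windows root rather than System32")
        elif parent.startswith("c:\\documents and settings\\") and parent.count("\\") == 2:
            flags.append("location: binary in a user profile root")
    return flags


def parse_log(text: str) -> List[Entry]:
    """Parse every 'Rn/Fn/On - ...' line; headers, process list and blanks are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = Entry(m["code"], m["body"], extract_path(m["body"]))
        e.flags = triage(e)
        entries.append(e)
    return entries


def suspicious_entries(text: str) -> List[Entry]:
    """Entries that picked up at least one review flag, in log order."""
    return [e for e in parse_log(text) if e.flags]


if __name__ == "__main__":
    for e in suspicious_entries(SAMPLE_LOG):
        print(f"{e.code:4} {e.path or '-'}")
        for f in e.flags:
            print(f"      -> {f}")
```

The flags are a starting point for a human review, not a verdict: the oppol.dll BHO in the thread only surfaces here through its Winlogon Notify twin, which is why the O20 section is always worth reading.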
     
  3. tonedown49 (Thread Starter; joined Apr 8, 2005; 53 messages)
    Followed your instructions, but I did notice that the last line item of the HJT that you had me fix is still there. I figured out that I can open up in normal mode as long as I am disconnected from my LAN, but within 30 seconds of plugging it back up, it begins its endless cycle of rebooting. Here's the latest Hijack This log:
    Logfile of HijackThis v1.99.1
    Scan saved at 11:01:46 PM, on 7/10/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINNT\system32\LxrJD31s.exe
    C:\WINNT\system32\pctspk.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe
    C:\WINNT\system32\D0CgPqEt.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    c:\program files\internet explorer\iexplore.exe
    C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
    C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINNT\system32\KB_963491.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\Hijackthis\HijackThis.exe
    C:\Program Files\PCSecurityShield\ShieldAntivirus\vrrw32.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
    F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - [SASInprocServer32] (file missing)
    O2 - BHO: Farstone Url Blocker - {316AEF8D-3C37-423E-9E6E-13820A9DC37A} - C:\PROGRA~1\PCSECU~1\THESHI~1\IrlOnIE.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: H - {7AD924F3-6353-4f92-B034-A900434ECCAF} - xcvbbnnm.dll (file missing)
    O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINNT\xhelper.dll
    O2 - BHO: (no name) - {B2397521-DB70-4EFB-B9FA-C209F0DCC18E} - C:\WINNT\system32\oppol.dll
    O2 - BHO: Farstone Popup Blocker - {E22F9B9D-1A1F-473E-BED6-D8BC152441F4} - C:\PROGRA~1\PCSECU~1\THESHI~1\FARPOP~1.DLL
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [SiS Tray] C:\WINNT\System32\sistray.EXE
    O4 - HKLM\..\Run: [Excite Toolbar] C:\PROGRA~1\Excite\Toolbar\ExLaunch.exe
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
    O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [dwStart] C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
    O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main
    O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Winmplayer] "C:\WINNT\system32\KB_963491.exe"
    O4 - HKLM\..\Run: [Microsoft] C:\WINNT\wuauclt.exe
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
    O4 - HKCU\..\Run: [userinit] C:\WINNT\system32\ntos.exe
    O4 - Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: @Home - {5957B14A-F356-4D51-B440-9B8ABC40D431} - http://home.excite.com (file missing) (HKCU)
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
    O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
    O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
    O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
    O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
    O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.26.98/images/PopupSh.ocx
    O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://jackpotcity.microgaming.com/jackpotcity/FlashAX.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab
    O18 - Protocol: advert - {7DC356B2-7366-4F19-BF7A-4875F6AABEA0} - C:\WINNT\System32\nodeipproc.dll (file missing)
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: oppol - C:\WINNT\system32\oppol.dll
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe
    O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Unknown owner - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe (file missing)
    O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
     
  4. askey127 (Malware Specialist; joined Dec 22, 2006; 3,721 messages)
    tonedown49,
    Go to Start, Control Panel or Start, Settings, Control Panel
    Double click Security Center
    In the Virus Protection bar, way over on the right, click the small down arrow and write down what it says about which AntiVirus is the default and whether it's up to date.
    -----------------------------------------------------------
    Set Your Computer to Show All Files
    1. Click Start.
    2. Click My Computer.
    3. Select the Tools menu and click Folder Options.
    4. Select the View Tab.
    5. Under the Hidden files and folders heading, select Show hidden files and folders.
    6. Uncheck Hide protected operating system files (recommended).
    7. Click Yes to confirm.
    8. Uncheck the Hide file extensions for known file types.
    9. Click OK.
    In addition, go to Start, Search. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.
    -----------------------------------------------------------
    Run CCleaner Cleaning Scan. This will remove all Temp files, cookies, and Internet History.
    If it's not already running, Start CCleaner.
    Click on the Cleaner block on the left. Choose the Windows tab.
    Click the Run Cleaner button. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.
    Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.
    -----------------------------------------------------------
    Download and Run ComboFix
    -----------------------------------------------------------
    Using Internet Explorer, Please Do an Online Scan with Kaspersky WebScanner.
    Go here to run an online scanner from Kaspersky.
    • Click on "Kaspersky Online Scanner"
    • A new smaller window will pop up. After reading the contents, press "Accept".
    • Now Kaspersky will update the anti-virus database. Let it run.
    • Click on "Next">"Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
    • Then click on "My Computer", and the scan will start.
    • Once finished, save the log to your Desktop as filename KAV.txt

    Please post back the Combofix log, the contents of KAV.txt and your notes from the Security Center.

    askey127
     
  5. tonedown49 (Thread Starter; joined Apr 8, 2005; 53 messages)
    Thanks for your help so far. Right after I ran the ComboFix, I was able to connect to the internet again. That's a huge plus because before that I was driving back and forth to my sister's just to post these and download your instructions.
    You asked me to find some info in my Security Center, but I don't find a SC in my control panel. I do know that I have The Shield Antivirus (ViRobot v. 4.0) and it updates biweekly and runs a full system scan, with real-time monitoring in between. But the day I came home to find all these problems, my anti-virus and firewall were both disabled. Here are the two logs you requested:
    "Tony Owen" - 07/12/2007 21:38:01 - ComboFix 07-07-13 - Service Pack 4


    (((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINNT\system32\ayfpvarr.dll
    C:\WINNT\system32\jcblysfl.exe
    C:\WINNT\system32\qykkwhxw.exe
    C:\WINNT\system32\uxgjrqsl.exe
    C:\WINNT\system32\xpnfnurh.exe
    C:\WINNT\system32\loppo.bak1
    C:\WINNT\system32\loppo.bak2
    C:\WINNT\system32\loppo.ini
    C:\WINNT\system32\loppo.ini2
    C:\WINNT\system32\loppo.tmp


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\c.exe
    C:\DOCUME~1\TONYOW~1\APPLIC~1.\mantec~1
    C:\Program Files\Common Files\{286C7~1
    C:\Program Files\Common Files\{386C7~1
    C:\Program Files\Common Files\{386C7~1\Uninstall.exe
    C:\setup.exe
    C:\temp\0b9
    C:\temp\0b9\tmpTF.log
    C:\temp\iee
    C:\temp\iee\tmpZTF.log
    C:\temp\tn3
    C:\WINNT\mantec~1
    C:\WINNT\system32\drivers\core.cache.dsk
    C:\WINNT\system32\drivers\core.sys
    C:\WINNT\system32\KB01625238.exe
    C:\WINNT\system32\KB92620748.exe
    C:\WINNT\system32\lgthahpb.exe
    C:\WINNT\system32\o02PrEz
    C:\WINNT\system32\qwesddddd.dll
    C:\WINNT\system32\win
    C:\WINNT\system32\WINDBG48.sys
    C:\WINNT\system32\wsnpoem
    C:\WINNT\system32\wumhpvdf.exe
    C:\WINNT\system32\X2
    C:\WINNT\system32\X2\mwspasrt83122.exe
    C:\WINNT\system32\X3
    C:\WINNT\system32\X3\w73r.exe
    C:\WINNT\system32\X4
    C:\WINNT\system32\X9
    C:\WINNT\system32\xcvbbnnm.dll
    C:\WINNT\wr.txt


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_CORE
    -------\LEGACY_WINDBG48
    -------\core
    -------\RpcApi


    ((((((((((((((((((((((((( Files Created from 2007-06-13 to 2007-07-13 )))))))))))))))))))))))))))))))


    2007-07-11 18:55 51,200 --a------ C:\WINNT\nircmd.exe
    2007-07-10 21:56 <DIR> d-------- C:\Program Files\CCleaner
    2007-07-09 23:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\SUPERAntiSpyware.com
    2007-07-09 23:18 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2007-07-09 23:18 <DIR> d-------- C:\DOCUME~1\TONYOW~1\APPLIC~1\SUPERAntiSpyware.com
    2007-07-09 20:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-07-06 22:35 <DIR> d-------- C:\WINNT\system32\FlashAX
    2007-07-06 20:51 13,573 --a------ C:\WINNT\system32\KB_963491.exe
    2007-07-04 00:48 626,688 --a------ C:\WINNT\system32\msvcr80.dll
    2007-07-04 00:25 1 --a------ C:\WINNT\system32\ps.dat
    2007-07-04 00:22 84,480 --a------ C:\WINNT\h8bk8hld.exe
    2007-07-03 21:19 285,273 --a------ C:\WINNT\system32\oppol.dll
    2007-07-03 10:24 126,976 --a------ C:\WINNT\xhelper.dll
    2007-07-02 22:47 22,592 --a------ C:\WINNT\system32\D0CgPqEt.exe


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2165-11-13 02:36:37 -------- d---a-w C:\Program Files\Snapshot Viewer
    2165-11-09 02:52:35 999,760 ----a-w C:\winamp277_std.exe
    2165-05-11 05:03:35 137 ---ha-w C:\PCEA-9993-6244-4144-4403.DAT
    2007-07-10 14:34:46 -------- d---a-w C:\Program Files\Windows NT
    2007-07-08 00:28:22 -------- d--ha-w C:\Program Files\WindowsUpdate
    2007-07-07 08:13:43 3,690,528 ----a-w C:\WINNT\system32\drivers\vrcore.sys
    2007-06-02 23:51:35 -------- d-----w C:\DOCUME~1\TONYOW~1\APPLIC~1\U3
    2007-04-20 00:56:34 70 ----a-w C:\WINNT\OH4WIN.REG
    2006-07-24 05:22:48 0 ----a-w C:\DOCUME~1\TONYOW~1\APPLIC~1\internaldb41.dat
    2004-03-17 23:13:46 1,028,368 ----a-w C:\Program Files\vbrun60sp6.exe
    2003-09-13 05:29:47 407,040 ----a-w C:\Program Files\kmd.exe
    2002-05-12 03:21:59 271 ---h--w C:\Program Files\desktop.ini
    2002-05-12 03:21:59 21,952 ---h--w C:\Program Files\folder.htt
    2001-12-24 06:56:39 4,341,906 ----a-w C:\Program Files\Cdm32s_480.zip
    1998-12-09 02:53:54 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
    1998-12-09 02:53:54 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
    1998-12-09 02:53:54 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
    1998-12-09 02:53:54 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
    1998-12-09 02:53:54 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
    1998-12-09 02:53:54 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    04-12-14 01:56 63136 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{316AEF8D-3C37-423E-9E6E-13820A9DC37A}]
    04-01-14 15:19 53248 --a------ C:\PROGRA~1\PCSECU~1\THESHI~1\IrlOnIE.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    05-05-31 01:04 853672 --a------ C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{79B7C985-1815-4A75-BE9D-BB5B0157CB53}]
    07-07-03 21:19 285273 --a------ C:\WINNT\system32\oppol.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7AD924F3-6353-4f92-B034-A900434ECCAF}]

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
    07-07-03 10:24 126976 --a------ C:\WINNT\xhelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E22F9B9D-1A1F-473E-BED6-D8BC152441F4}]
    04-08-04 20:10 77824 --a------ C:\PROGRA~1\PCSECU~1\THESHI~1\FARPOP~1.DLL

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe" [03-06-19 13:05 C:\WINNT\system32\mobsync.exe]
    "Excite Toolbar"="C:\PROGRA~1\Excite\Toolbar\ExLaunch.exe" [06-10-17 17:37 ]
    "CountrySelection"="pctptt.exe" [01-03-22 04:08 C:\WINNT\system32\pctptt.exe]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [06-10-17 17:37 ]
    "MediaFace Integration"="C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe" [06-10-17 17:37 ]
    "LWBMOUSE"="C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe" [06-10-17 17:37 ]
    "LoadQM"="loadqm.exe" [00-05-03 17:23 C:\WINNT\loadqm.exe]
    "dwStart"="C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe" [04-08-04 20:13 ]
    "Vrmon"="C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe" [06-01-18 17:07 ]
    "VrSchedule"="C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe" [04-03-03 16:38 ]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06-10-30 09:36 ]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ssgrate.exe"="" []
    "PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe" [06-10-17 17:37 ]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [06-12-20 13:55 ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll --a------ 07-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\oppol]
    C:\WINNT\system32\oppol.dll --a------ 07-07-03 21:19 285273 C:\WINNT\system32\oppol.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll


    HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\5ee14856-47c9-4f22-9377-671fc1021992
    C:\WINNT\System32\nmqbxmb.exe

    Contents of the 'Scheduled Tasks' folder
    2007-07-12 06:00:30 C:\WINNT\tasks\At1.job
    2007-07-12 15:00:30 C:\WINNT\tasks\At10.job
    2007-07-12 16:00:30 C:\WINNT\tasks\At11.job
    2007-07-12 17:00:30 C:\WINNT\tasks\At12.job
    2007-07-12 18:00:30 C:\WINNT\tasks\At13.job
    2007-07-12 19:00:30 C:\WINNT\tasks\At14.job
    2007-07-12 20:00:34 C:\WINNT\tasks\At15.job
    2007-07-12 21:00:30 C:\WINNT\tasks\At16.job
    2007-07-12 22:00:30 C:\WINNT\tasks\At17.job
    2007-07-12 23:00:30 C:\WINNT\tasks\At18.job
    2007-07-13 00:00:30 C:\WINNT\tasks\At19.job
    2007-07-12 07:00:30 C:\WINNT\tasks\At2.job
    2007-07-13 01:00:30 C:\WINNT\tasks\At20.job
    2007-07-13 02:00:30 C:\WINNT\tasks\At21.job
    2007-07-13 03:00:30 C:\WINNT\tasks\At22.job
    2007-07-12 04:00:30 C:\WINNT\tasks\At23.job
    2007-07-12 05:00:30 C:\WINNT\tasks\At24.job
    2007-07-12 08:00:30 C:\WINNT\tasks\At3.job
    2007-07-12 09:00:30 C:\WINNT\tasks\At4.job
    2007-07-12 10:00:30 C:\WINNT\tasks\At5.job
    2007-07-12 11:00:30 C:\WINNT\tasks\At6.job
    2007-07-12 12:00:30 C:\WINNT\tasks\At7.job
    2007-07-12 13:00:33 C:\WINNT\tasks\At8.job
    2007-07-12 14:00:30 C:\WINNT\tasks\At9.job

    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-12 22:02:04
    Windows 5.0.2195 Service Pack 4 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-12 22:04:23 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 07-07-12 22:04

    --- E O F ---
     
  6. tonedown49

    tonedown49 Thread Starter

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Friday, July 13, 2007 8:37:19 AM
    Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
    Kaspersky Online Scanner version: 5.0.93.0
    Kaspersky Anti-Virus database last update: 13/07/2007
    Kaspersky Anti-Virus database records: 361879
    -------------------------------------------------------------------------------
    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true
    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    Scan Statistics:
    Total number of scanned objects: 68078
    Number of viruses found: 54
    Number of infected objects: 261
    Number of suspicious objects: 0
    Duration of the scan process: 03:09:05
    Infected Object Name / Virus Name / Last Action
    C:\@Home\tioga\bin\tgcmd.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\Documents and Settings\Default User\My Documents\Data\all_files2.exe/data0003 Infected: not-a-virus:AdWare.Win32.GigatechSuperBar skipped
    C:\Documents and Settings\Default User\My Documents\Data\all_files2.exe/data0004 Infected: not-a-virus:AdWare.Win32.180Solutions skipped
    C:\Documents and Settings\Default User\My Documents\Data\all_files2.exe/data0006 Infected: Trojan-Downloader.Win32.Keenval.m skipped
    C:\Documents and Settings\Default User\My Documents\Data\all_files2.exe/data0008/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.t skipped
    C:\Documents and Settings\Default User\My Documents\Data\all_files2.exe/data0008/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped
    C:\Documents and Settings\Default User\My Documents\Data\all_files2.exe/data0008/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped
    C:\Documents and Settings\Default User\My Documents\Data\all_files2.exe/data0008/data0002.cab/Sync.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
    C:\Documents and Settings\Default User\My Documents\Data\all_files2.exe/data0008/data0002.cab/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
    C:\Documents and Settings\Default User\My Documents\Data\all_files2.exe/data0008/data0002.cab Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
    C:\Documents and Settings\Default User\My Documents\Data\all_files2.exe/data0008 Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
    C:\Documents and Settings\Default User\My Documents\Data\all_files2.exe NSIS: infected - 10 skipped
    C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0003 Infected: not-a-virus:AdWare.Win32.GigatechSuperBar skipped
    C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0004 Infected: not-a-virus:AdWare.Win32.180Solutions skipped
    C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0006 Infected: Trojan-Downloader.Win32.Keenval.m skipped
    C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0008/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.t skipped
    C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0008/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped
    C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0008/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped
    C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0008/data0002.cab/Sync.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
    C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0008/data0002.cab/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
    C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0008/data0002.cab Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
    C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0008 Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
    C:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe NSIS: infected - 10 skipped
    C:\Documents and Settings\Default User.WINNT\Local Settings\Temporary Internet Files\Content.IE5\RLA19YNM\checkin[1].htm Infected: Trojan-Downloader.VBS.Small.co skipped
    C:\Documents and Settings\Tony Owen\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Tony Owen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Tony Owen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Tony Owen\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Tony Owen\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Tony Owen\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Tony Owen\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Accessories\EXPL32\dll32NT.hlp Infected: Backdoor.IRC.Cloner skipped
    C:\Program Files\Accessories\EXPL32\ncp.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat skipped
    C:\Program Files\Accessories\EXPL32\psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.13 skipped
    C:\Program Files\Ahead\Nero PhotoShow\data\Xtras\mssysmgr.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe Infected: Trojan.Win32.Patched.af skipped
    C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.ex_ Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\Program Files\Excite\Toolbar\ExLaunch.exe Infected: Trojan.Win32.Patched.af skipped
    C:\Program Files\Excite\Toolbar\ExLaunch.ex_ Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe Infected: Trojan.Win32.Patched.af skipped
    C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.ex_ Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0003/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0003/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0003 Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0007 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0008/SaveNow.exe Infected: not-a-virus:AdWare.Win32.SaveNow.av skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0008/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0008 Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0009/data0002 Infected: not-a-virus:AdWare.Win32.CommonName.g skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0009 Infected: not-a-virus:AdWare.Win32.CommonName.g skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0011/bdedetect1.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0011 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0014 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0015 Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0021/bdeinstall.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1044 skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0021 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1044 skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0022/bde3d_ref2.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.d skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0022 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.d skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0025/bdeload.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.e skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0025 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.e skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0026/bdeplayer2.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.f skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0026 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.f skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0029/BDESac10.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3120 skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0029 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3120 skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0030/bdeviewer.exe Infected: Trojan.Win32.Krepper.y skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0030 Infected: Trojan.Win32.Krepper.y skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0032/BDEVerify.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.a skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0032/BDEVerify.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.b skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0032 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.b skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe Inno: infected - 28 skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0004/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0004/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0004 Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0007 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0008/SaveNow.exe Infected: not-a-virus:AdWare.Win32.SaveNow.av skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0008/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0008 Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0009 Infected: not-a-virus:AdWare.Win32.DownloadWare.a skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0012/bdedetect1.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0012 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0015 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0016 Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0020/bde3d_ref2.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.d skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0020 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.d skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0021/bdesecureinstall.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.a skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0021/BDEVerify.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.a skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0021/BDEVerify.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.b skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0021 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.b skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0024/bdeload.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.e skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0024 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.e skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0025/bdeplayer2.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.f skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0025 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.f skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0028/BDESac10.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3120 skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0028 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3120 skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0029/bdeviewer.exe Infected: Trojan.Win32.Krepper.y skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0029 Infected: Trojan.Win32.Krepper.y skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe Inno: infected - 26 skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd171gu_en (1).exe/data0004/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd171gu_en (1).exe/data0004/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd171gu_en (1).exe/data0004 Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd171gu_en (1).exe Inno: infected - 3 skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd171gu_en (2).exe/data0004/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd171gu_en (2).exe/data0004/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd171gu_en (2).exe/data0004 Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd171gu_en (2).exe Inno: infected - 3 skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd171gu_en.exe/data0004/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd171gu_en.exe/data0004/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd171gu_en.exe/data0004 Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    C:\Program Files\Kazaa\My Shared Folder\kmd171gu_en.exe Inno: infected - 3 skipped
    C:\Program Files\PCSecurityShield\The Shield Firewall\files\NetTime.dat Object is locked skipped
    C:\Program Files\PCSecurityShield\The Shield Firewall\files\UserPrivacy.dat Object is locked skipped
    C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe Infected: Trojan.Win32.Patched.af skipped
    C:\Program Files\PCSecurityShield\The Shield Firewall\Run.bin Object is locked skipped
    C:\QooBox\Quarantine\C\Program Files\Common Files\{386C7~1\Uninstall.exe.vir/stream/data0002 Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
    C:\QooBox\Quarantine\C\Program Files\Common Files\{386C7~1\Uninstall.exe.vir/stream Infected: not-a-virus:AdWare.Win32.Softomate.u skipped
    C:\QooBox\Quarantine\C\Program Files\Common Files\{386C7~1\Uninstall.exe.vir NSIS: infected - 2 skipped
    C:\QooBox\Quarantine\C\WINNT\system32\ayfpvarr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kj skipped
    C:\QooBox\Quarantine\C\WINNT\system32\jcblysfl.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINNT\system32\KB01625238.exe.vir Infected: Trojan-Downloader.Win32.Agent.bnn skipped
    C:\QooBox\Quarantine\C\WINNT\system32\KB92620748.exe.vir Infected: Trojan-Spy.Win32.Bancos.aco skipped
    C:\QooBox\Quarantine\C\WINNT\system32\lgthahpb.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
    C:\QooBox\Quarantine\C\WINNT\system32\qykkwhxw.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINNT\system32\uxgjrqsl.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINNT\system32\wumhpvdf.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
    C:\QooBox\Quarantine\C\WINNT\system32\X2\mwspasrt83122.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
    C:\QooBox\Quarantine\C\WINNT\system32\X2\mwspasrt83122.exe.vir NSIS: infected - 1 skipped
    C:\QooBox\Quarantine\C\WINNT\system32\X3\w73r.exe.vir Infected: Trojan-Downloader.Win32.Small.eqn skipped
    C:\QooBox\Quarantine\C\WINNT\system32\xpnfnurh.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\catchme2007-07-12_220200.46.zip/core.sys Infected: Rootkit.Win32.Agent.eq skipped
    C:\QooBox\Quarantine\catchme2007-07-12_220200.46.zip ZIP: infected - 1 skipped
    C:\SearchInstall.exe Infected: not-a-virus:AdWare.Win32.SearchSquire.b skipped
    C:\unzipped\cspmario\spmario.exe/data Infected: Trojan.Win32.StartPage.oz skipped
    C:\unzipped\cspmario\spmario.exe/data Infected: Trojan-Clicker.Win32.Delf.ar skipped
    C:\unzipped\cspmario\spmario.exe SetupFactory: infected - 2 skipped
    C:\WINNT\bl4ck.com Infected: Trojan-Downloader.Win32.Small.bsq skipped
    C:\WINNT\CSC\00000001 Object is locked skipped
    C:\WINNT\Debug\ipsecpa.log Object is locked skipped
    C:\WINNT\Debug\oakley.log Object is locked skipped
    C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
    C:\WINNT\Helper101.dll Infected: Trojan-Clicker.Win32.Delf.r skipped
    C:\WINNT\SchedLgU.Txt Object is locked skipped
    C:\WINNT\security\logs\scepol.log Object is locked skipped
    C:\WINNT\SexNow.exe Infected: not-a-virus:porn-Dialer.Win32.Generic skipped
    C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINNT\system32\Cache\trafficgen-fran.exe/data0002 Infected: not-a-virus:AdWare.Win32.HotSearchBar.d skipped
    C:\WINNT\system32\Cache\trafficgen-fran.exe NSIS: infected - 1 skipped
    C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\default Object is locked skipped
    C:\WINNT\system32\config\default.LOG Object is locked skipped
    C:\WINNT\system32\config\SAM Object is locked skipped
    C:\WINNT\system32\config\SAM.LOG Object is locked skipped
    C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\SECURITY Object is locked skipped
    C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINNT\system32\config\software Object is locked skipped
    C:\WINNT\system32\config\software.LOG Object is locked skipped
    C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINNT\system32\config\system Object is locked skipped
    C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
    C:\WINNT\system32\D0CgPqEt.exe Infected: Backdoor.Win32.VB.kb skipped
    C:\WINNT\system32\hvvim92c.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao skipped
    C:\WINNT\system32\KB_963491.exe Infected: Trojan-Downloader.Win32.Murlo.fe skipped
    C:\WINNT\system32\NeroCheck.exe Infected: Trojan.Win32.Patched.af skipped
    C:\WINNT\system32\NeroCheck.ex_ Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\WINNT\system32\oppol.dll Object is locked skipped
    C:\WINNT\system32\Perflib_Perfdata_31c.dat Object is locked skipped
    C:\WINNT\system32\sistray.EX_ Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\WINNT\system32\task32a.exe/nt32.ini Infected: IRC-Worm.IRC.Froze skipped
    C:\WINNT\system32\task32a.exe/gg.bat Infected: Backdoor.IRC.Cloner.g skipped
    C:\WINNT\system32\task32a.exe/httpsearch.ini Infected: Backdoor.IRC.Cloner.g skipped
    C:\WINNT\system32\task32a.exe/mdm.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
    C:\WINNT\system32\task32a.exe/dll32NT.hlp Infected: Backdoor.IRC.Cloner skipped
    C:\WINNT\system32\task32a.exe/xvpll.hlp Infected: Backdoor.IRC.Cloner.q skipped
    C:\WINNT\system32\task32a.exe/ncp.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat skipped
    C:\WINNT\system32\task32a.exe/v.exe Infected: not-a-virus:RiskTool.Win32.Hideout skipped
    C:\WINNT\system32\task32a.exe/psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.13 skipped
    C:\WINNT\system32\task32a.exe/taskmngr.exe Infected: Backdoor.Win32.mIRC-based skipped
    C:\WINNT\system32\task32a.exe Vise: infected - 10 skipped
    C:\WINNT\WindowsUpdate.log Object is locked skipped
     
  7. tonedown49

    tonedown49 Thread Starter

    F:\Documents and Settings\Default User\My Documents\Data\all_files2.exe/data0003 Infected: not-a-virus:AdWare.Win32.GigatechSuperBar skipped
    F:\Documents and Settings\Default User\My Documents\Data\all_files2.exe/data0004 Infected: not-a-virus:AdWare.Win32.180Solutions skipped
    F:\Documents and Settings\Default User\My Documents\Data\all_files2.exe/data0006 Infected: Trojan-Downloader.Win32.Keenval.m skipped
    F:\Documents and Settings\Default User\My Documents\Data\all_files2.exe/data0008/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.t skipped
    F:\Documents and Settings\Default User\My Documents\Data\all_files2.exe/data0008/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped
    F:\Documents and Settings\Default User\My Documents\Data\all_files2.exe/data0008/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped
    F:\Documents and Settings\Default User\My Documents\Data\all_files2.exe/data0008/data0002.cab/Sync.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
    F:\Documents and Settings\Default User\My Documents\Data\all_files2.exe/data0008/data0002.cab/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
    F:\Documents and Settings\Default User\My Documents\Data\all_files2.exe/data0008/data0002.cab Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
    F:\Documents and Settings\Default User\My Documents\Data\all_files2.exe/data0008 Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
    F:\Documents and Settings\Default User\My Documents\Data\all_files2.exe NSIS: infected - 10 skipped
    F:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0003 Infected: not-a-virus:AdWare.Win32.GigatechSuperBar skipped
    F:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0004 Infected: not-a-virus:AdWare.Win32.180Solutions skipped
    F:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0006 Infected: Trojan-Downloader.Win32.Keenval.m skipped
    F:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0008/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.t skipped
    F:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0008/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped
    F:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0008/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped
    F:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0008/data0002.cab/Sync.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
    F:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0008/data0002.cab/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
    F:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0008/data0002.cab Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
    F:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe/data0008 Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
    F:\Documents and Settings\Default User\My Documents\Data\Data\all_files2.exe NSIS: infected - 10 skipped
    F:\Documents and Settings\Tony Owen\Local Settings\Temp\ICD3.tmp\GRInstall.exe/data0002 Infected: not-a-virus:AdWare.Win32.Sahat.w skipped
    F:\Documents and Settings\Tony Owen\Local Settings\Temp\ICD3.tmp\GRInstall.exe NSIS: infected - 1 skipped
    F:\Program Files\Accessories\EXPL32\dll32NT.hlp Infected: Backdoor.IRC.Cloner skipped
    F:\Program Files\Accessories\EXPL32\ncp.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat skipped
    F:\Program Files\Accessories\EXPL32\psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.13 skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0003/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0003/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0003 Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0007 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0008/SaveNow.exe Infected: not-a-virus:AdWare.Win32.SaveNow.av skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0008/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0008 Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0009/data0002 Infected: not-a-virus:AdWare.Win32.CommonName.g skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0009 Infected: not-a-virus:AdWare.Win32.CommonName.g skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0011/bdedetect1.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0011 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0014 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0015 Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0021/bdeinstall.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1044 skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0021 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1044 skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0022/bde3d_ref2.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.d skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0022 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.d skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0025/bdeload.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.e skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0025 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.e skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0026/bdeplayer2.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.f skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0026 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.f skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0029/BDESac10.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3120 skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0029 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3120 skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0030/bdeviewer.exe Infected: Trojan.Win32.Krepper.y skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0030 Infected: Trojan.Win32.Krepper.y skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0032/BDEVerify.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.a skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0032/BDEVerify.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.b skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe/data0032 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.b skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd15_en.exe Inno: infected - 28 skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0004/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0004/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0004 Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0007 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0008/SaveNow.exe Infected: not-a-virus:AdWare.Win32.SaveNow.av skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0008/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0008 Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0009 Infected: not-a-virus:AdWare.Win32.DownloadWare.a skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0012/bdedetect1.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0012 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0015 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0016 Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0020/bde3d_ref2.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.d skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0020 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.d skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0021/bdesecureinstall.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.a skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0021/BDEVerify.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.a skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0021/BDEVerify.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.b skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0021 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.b skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0024/bdeload.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.e skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0024 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.e skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0025/bdeplayer2.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.f skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0025 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.f skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0028/BDESac10.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3120 skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0028 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3120 skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0029/bdeviewer.exe Infected: Trojan.Win32.Krepper.y skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe/data0029 Infected: Trojan.Win32.Krepper.y skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd161_en.exe Inno: infected - 26 skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd171gu_en (1).exe/data0004/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd171gu_en (1).exe/data0004/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd171gu_en (1).exe/data0004 Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd171gu_en (1).exe Inno: infected - 3 skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd171gu_en (2).exe/data0004/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd171gu_en (2).exe/data0004/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd171gu_en (2).exe/data0004 Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd171gu_en (2).exe Inno: infected - 3 skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd171gu_en.exe/data0004/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd171gu_en.exe/data0004/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd171gu_en.exe/data0004 Infected: not-a-virus:AdWare.Win32.Cydoor skipped
    F:\Program Files\Kazaa\My Shared Folder\kmd171gu_en.exe Inno: infected - 3 skipped
    F:\SearchInstall.exe Infected: not-a-virus:AdWare.Win32.SearchSquire.b skipped
    F:\sxs.exe Object is locked skipped
    F:\unzipped\cspmario\spmario.exe/data Infected: Trojan.Win32.StartPage.oz skipped
    F:\unzipped\cspmario\spmario.exe/data Infected: Trojan-Clicker.Win32.Delf.ar skipped
    F:\unzipped\cspmario\spmario.exe SetupFactory: infected - 2 skipped
    F:\WINNT\Helper101.dll Infected: Trojan-Clicker.Win32.Delf.r skipped
    F:\WINNT\system32\Cache\trafficgen-fran.exe/data0002 Infected: not-a-virus:AdWare.Win32.HotSearchBar.d skipped
    F:\WINNT\system32\Cache\trafficgen-fran.exe NSIS: infected - 1 skipped
    F:\WINNT\system32\hvvim92c.ini Infected: not-a-virus:AdWare.Win32.Sahat.ao skipped
    F:\WINNT\system32\task32a.exe/nt32.ini Infected: IRC-Worm.IRC.Froze skipped
    F:\WINNT\system32\task32a.exe/gg.bat Infected: Backdoor.IRC.Cloner.g skipped
    F:\WINNT\system32\task32a.exe/httpsearch.ini Infected: Backdoor.IRC.Cloner.g skipped
    F:\WINNT\system32\task32a.exe/mdm.exe Infected: not-a-virus:RiskTool.Win32.HideWindows skipped
    F:\WINNT\system32\task32a.exe/dll32NT.hlp Infected: Backdoor.IRC.Cloner skipped
    F:\WINNT\system32\task32a.exe/xvpll.hlp Infected: Backdoor.IRC.Cloner.q skipped
    F:\WINNT\system32\task32a.exe/ncp.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat skipped
    F:\WINNT\system32\task32a.exe/v.exe Infected: not-a-virus:RiskTool.Win32.Hideout skipped
    F:\WINNT\system32\task32a.exe/psexec.exe Infected: not-a-virus:RiskTool.Win32.PsExec.13 skipped
    F:\WINNT\system32\task32a.exe/taskmngr.exe Infected: Backdoor.Win32.mIRC-based skipped
    F:\WINNT\system32\task32a.exe Vise: infected - 10 skipped

    Scan process completed.
     
  8. askey127

    askey127 Malware Specialist

    Joined:
    Dec 22, 2006
    Messages:
    3,721
    tonedown49,
    ----------------------------------------------------
    I am sorry to be the bearer of bad news, but unfortunately you have several very dangerous infections, Backdoor.IRC.Cloner.g and Backdoor.Win32.mIRC.
    Either of these can give remote intruders complete control of your computer, which can include logging keystrokes, stealing information, etc.
    This results from the risky PC behaviors evidenced in the log: NO up-to-date antivirus, combined with using Kazaa for P2P file sharing from undocumented sources.

    You are strongly advised to do the following immediately:
    • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
    • Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
    • From a clean computer, change *ALL* of your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
    Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

    Because of the infection's backdoor functionality, the basic security of your PC is very likely compromised, and there is no way to be sure it can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action is to reformat the hard drive and reinstall the Windows Operating System. The reason for this is that the infection can make undetectable changes to your security settings, which may enable a re-installation of the infection after the machine is "cleaned" and reconnected to the internet. (This infection can, in effect, leave a "cellar door" unlocked so it can come back later and gain entry).
    If you do not have the resources to reinstall your OS and would like me to attempt to clean your machine, I will be happy to do so. This is your choice to make.
    This machine is heavily infected and at best will require a long removal process.

    To help you make a more informed decision, please read the following articles:
    Should you have any questions, please feel free to ask.

    askey127
     
  9. tonedown49

    tonedown49 Thread Starter

    Joined:
    Apr 8, 2005
    Messages:
    53
    I would really appreciate anything you could do to help me clean this PC. Unfortunately, my brother was nice enough to lose the backup CD for my operating system. I read the articles you linked to me; they're a little over my head. I'll do whatever I need to do. If it means unhooking my connection and corresponding through another computer, then I will.
    I really don't understand the part about my anti-virus not being up-to-date. It's scheduled to update every Monday and Friday morning. When I get up, it always shows to have updated, run, and deleted/repaired what it's found. If my anti-virus and firewall are crap, I'll be happy to buy a different one, if that's what it takes to prevent this from happening again.
     
  10. askey127

    askey127 Malware Specialist

    Joined:
    Dec 22, 2006
    Messages:
    3,721
    What it all means is this.
    You have an old AntiVirus Engine. PC-cillin 2000 came out in 2000.
    You have a very large number of trojans now on your machine, some of which can monitor everything on the machine and do whatever they please.
    If you have used the machine for any purchases or other transactions, the chances are significant that your account numbers and passwords have been stolen. The infections exist just for that purpose.

    Fixing your machine is no certainty, and even if it ever appears to be clean, your Windows installation may have been corrupted to allow the infections to be re-installed later.

    If you have no ability to reformat and re-install Windows, I will try to help clean this, but there are no guarantees, especially with a machine this heavily infected.

    That said, let's go:
    Print this out or save it to a notepad file on your desktop.
    -----------------------------------------------------------
    Download LSPFix from here: www.cexx.org/lspfix.htm
    DON'T RUN LSPFIX NOW. Run it ONLY if internet connectivity is lost at any time during these fixes.
    To Run LSPFix, first disconnect from the internet, and close all browser windows.
    Run LSPFix. Click the "I know what I'm doing" button.

    Click Finish. Don't use the "X" in the upper right hand corner to close the window, or the program won't execute.
    Reboot Windows.
    -----------------------------------------------------------
    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to a folder named \SDFix\ located in %systemdrive%
    (That's whatever Drive contains the Windows Directory, typically it will be C:\SDFix\)

    Please then reboot your computer in Safe Mode by doing the following:
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
    • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to the Clipboard, ready for posting back on the forum).
    • Finally, paste the contents of Report.txt back on the forum with a new HijackThis log.

    askey127
     
  11. tonedown49

    tonedown49 Thread Starter

    Joined:
    Apr 8, 2005
    Messages:
    53
    I appreciate your help. If you think I should reformat, I will. I do have access to a Windows XP CD, just not my old Windows NT backup. I just didn't know if I could switch over like that. I'm just a poor, lowly student; I hate to spend more money than I have to. I'm really not concerned about personal info; I don't really use the computer for that kind of thing.
    I've never had PC-cillin; I think the guy that loaded my Windows originally just put that on, but I had Norton for the first couple of years, then switched to The Shield Antivirus 3 years ago.
     
  12. askey127

    askey127 Malware Specialist

    Joined:
    Dec 22, 2006
    Messages:
    3,721
    You can't legally use someone else's Windows CD to re-install the system on your PC.

    If you have nothing critical on the machine, go ahead and follow my last instruction.
     
  13. tonedown49

    tonedown49 Thread Starter

    Joined:
    Apr 8, 2005
    Messages:
    53
    I bought the computer and the Windows XP for my sister, figured it would be okay for me to use it. Here are the logs:

    SDFix: Version 1.92

    Run by Tony Owen on Mon 07/16/2007 at 10:09p

    Microsoft Windows 2000 [Version 5.00.2195]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:

    Name:
    core

    ImagePath:
    system32\drivers\core.sys

    core - Deleted



    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\DOCUME~1\TONYOW~1\LOCALS~1\Temp\abc123.pid - Deleted
    C:\WINNT\b104.exe - Deleted
    C:\WINNT\b136.exe - Deleted
    C:\WINNT\Downloaded Program Files\UERS_9999_N91S1502NetInstaller.exe - Deleted
    C:\WINNT\retadpu11.exe - Deleted
    C:\WINNT\system32KBRunOnce2.tm_ - Deleted
    C:\WINNT\system32KBRunOnce2.t__ - Deleted
    C:\WINNT\system32\alog.txt - Deleted
    C:\WINNT\system32\drivers\core.cache.dsk - Deleted
    C:\WINNT\system32\drivers\core.sys - Deleted
    C:\WINNT\system32\help.txt - Deleted
    C:\WINNT\system32\KBRunOnce2.t__ - Deleted
    C:\WINNT\system32\ps.dat - Deleted
    C:\WINNT\wr.txt - Deleted


    Folder C:\Program Files\InetGet2 - Removed

    Removing Temp Files...

    ADS Check:

    C:\WINNT
    No streams found.

    C:\WINNT\system32
    No streams found.

    C:\WINNT\system32\svchost.exe
    No streams found.

    C:\WINNT\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    Remaining Services:
    ------------------



    Remaining Files:
    ---------------

    Backups Folder: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    C:\Documents and Settings\Tony Owen\Application Data\U3\temp\Launchpad Removal.exe
    C:\Program Files\Ahead\Nero PhotoShow\data\Nero PhotoShow Elite.exe
    C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
    C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
    C:\Program Files\Common Files\?ecurity\smss.exe
    C:\Program Files\F?nts\r?gedit.exe
    C:\Documents and Settings\Tony Owen\Application Data\Microsoft\Word\~WRL0003.tmp
    C:\Documents and Settings\Tony Owen\Application Data\Microsoft\Word\~WRL0005.tmp
    C:\Documents and Settings\Tony Owen\Application Data\Microsoft\Word\~WRL0931.tmp
    C:\Documents and Settings\Tony Owen\Application Data\Microsoft\Word\~WRL1342.tmp
    C:\Documents and Settings\Tony Owen\Application Data\Microsoft\Word\~WRL1431.tmp
    C:\Documents and Settings\Tony Owen\Application Data\Microsoft\Word\~WRL1681.tmp
    C:\Documents and Settings\Tony Owen\Application Data\Microsoft\Word\~WRL2812.tmp
    C:\Documents and Settings\Tony Owen\My Documents\skoo\~WRL2558.tmp
    C:\Documents and Settings\Tony Owen\My Documents\skoo\~WRL4074.tmp
    C:\WINNT\system32\loppo.tmp

    Finished
    Logfile of HijackThis v1.99.1
    Scan saved at 10:30:19 PM, on 7/16/2007
    Platform: Windows 2000 SP4 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINNT\System32\smss.exe
    C:\WINNT\system32\winlogon.exe
    C:\WINNT\system32\services.exe
    C:\WINNT\system32\lsass.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\system32\spoolsv.exe
    C:\WINNT\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINNT\system32\LxrJD31s.exe
    C:\WINNT\system32\pctspk.exe
    C:\WINNT\system32\regsvc.exe
    C:\WINNT\system32\MSTask.exe
    C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
    C:\WINNT\System32\WBEM\WinMgmt.exe
    C:\WINNT\System32\mspmspsv.exe
    C:\WINNT\system32\svchost.exe
    C:\WINNT\Explorer.EXE
    C:\WINNT\system32\notepad.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
    C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    c:\program files\internet explorer\iexplore.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Palm\HOTSYNC.EXE
    C:\Program Files\Hijackthis\HijackThis.exe
    C:\Program Files\PCSecurityShield\ShieldAntivirus\vrrw32.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = actsvr.comcastonline.com:8100
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = cdn
    F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - [SASInprocServer32] (file missing)
    O2 - BHO: Farstone Url Blocker - {316AEF8D-3C37-423E-9E6E-13820A9DC37A} - C:\PROGRA~1\PCSECU~1\THESHI~1\IrlOnIE.dll
    O2 - BHO: (no name) - {446444DA-D03D-DAC5-1A12-F88DB92081CB} - C:\WINNT\system32\xdauvrme.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINNT\xhelper.dll
    O2 - BHO: (no name) - {9AB8440F-1CE3-4C52-A8D6-A197E77563EA} - C:\WINNT\system32\oppol.dll
    O2 - BHO: Farstone Popup Blocker - {E22F9B9D-1A1F-473E-BED6-D8BC152441F4} - C:\PROGRA~1\PCSECU~1\THESHI~1\FARPOP~1.DLL
    O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
    O4 - HKLM\..\Run: [Excite Toolbar] C:\PROGRA~1\Excite\Toolbar\ExLaunch.exe
    O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
    O4 - HKLM\..\Run: [MediaFace Integration] C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe
    O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
    O4 - HKLM\..\Run: [LoadQM] loadqm.exe
    O4 - HKLM\..\Run: [dwStart] C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
    O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
    O4 - Startup: HotSync Manager.LNK = C:\Palm\HOTSYNC.EXE
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
    O9 - Extra button: @Home - {5957B14A-F356-4D51-B440-9B8ABC40D431} - http://home.excite.com (file missing) (HKCU)
    O12 - Plugin for .mp3: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin4.dll
    O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
    O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/games/clients/y/jt0_x.cab
    O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
    O16 - DPF: Yahoo! Dominoes - http://download.games.yahoo.com/games/clients/y/dot2_x.cab
    O16 - DPF: Yahoo! Freecell Solitaire - http://yog55.games.scd.yahoo.com/yog/y/fs10_x.cab
    O16 - DPF: Yahoo! Literati - http://download.games.yahoo.com/games/clients/y/tt2_x.cab
    O16 - DPF: Yahoo! MahJong Solitaire - http://download.games.yahoo.com/games/clients/y/mjst4_x.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-12.cab
    O16 - DPF: {4FE89055-5300-469E-AFAD-DEB3181EDE76} (PearsonAsstX Control) - http://www.mathxl.com/applets/PearsonInstallAsst.cab
    O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
    O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.26.98/images/PopupSh.ocx
    O16 - DPF: {C4DD6732-1E82-4AE7-BD94-180331B84082} (DeltaCVX Control) - http://www.mathxl.com/applets/DeltaCVX.cab
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://jackpotcity.microgaming.com/jackpotcity/FlashAX.cab
    O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab
    O18 - Protocol: advert - {7DC356B2-7366-4F19-BF7A-4875F6AABEA0} - C:\WINNT\System32\nodeipproc.dll (file missing)
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: oppol - C:\WINNT\system32\oppol.dll
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
    O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINNT\SYSTEM32\LxrJD31s.exe
    O23 - Service: W2k PCtel speaker phone (Pctspk) - PCtel, Inc. - C:\WINNT\system32\pctspk.exe
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Unknown owner - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe (file missing)
    O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
     
  14. askey127

    askey127 Malware Specialist

    Joined:
    Dec 22, 2006
    Messages:
    3,721
    If that Windows CD has been used on another computer, you can't legally install it on this one.
    -----------------------------------------------------------
    Remove log items with HijackThis. Start HijackThis.
    Click Do System Scan Only. When the Scan is complete, Check the following entries:
    (Some of these lines may be missing)

    O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - [SASInprocServer32] (file missing)
    O2 - BHO: Farstone Url Blocker - {316AEF8D-3C37-423E-9E6E-13820A9DC37A} - C:\PROGRA~1\PCSECU~1\THESHI~1\IrlOnIE.dll
    O2 - BHO: (no name) - {446444DA-D03D-DAC5-1A12-F88DB92081CB} - C:\WINNT\system32\xdauvrme.dll
    O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINNT\xhelper.dll
    O2 - BHO: (no name) - {9AB8440F-1CE3-4C52-A8D6-A197E77563EA} - C:\WINNT\system32\oppol.dll
    O2 - BHO: Farstone Popup Blocker - {E22F9B9D-1A1F-473E-BED6-D8BC152441F4} - C:\PROGRA~1\PCSECU~1\THESHI~1\FARPOP~1.DLL
    O4 - HKLM\..\Run: [Excite Toolbar] C:\PROGRA~1\Excite\Toolbar\ExLaunch.exe
    O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
    O9 - Extra button: @Home - {5957B14A-F356-4D51-B440-9B8ABC40D431} - http://home.excite.com (file missing) (HKCU)
    O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} - http://mediaplayer.walmart.com/installer/install.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemp...veSecurity.cab
    O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.26.98/images/PopupSh.ocx
    O16 - DPF: {D8089245-3211-40F6-819B-9E5E92CD61A2} (FlashXControl Object) - https://jackpotcity.microgaming.com/...ty/FlashAX.cab
    O18 - Protocol: advert - {7DC356B2-7366-4F19-BF7A-4875F6AABEA0} - C:\WINNT\System32\nodeipproc.dll (file missing)
    O20 - Winlogon Notify: oppol - C:\WINNT\system32\oppol.dll
    O23 - Service: Trend NT Realtime Service (Tmntsrv) - Unknown owner - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe (file missing)

    Make sure every other window except HJT is closed (no other tabs showing in the bottom tray), and click Fix Checked.


    • Open a new Notepad window (Start > All Programs > Accessories > Notepad). Choose File, New.
    • Highlight the contents of the below codebox and then press Ctrl+C to copy it to the clipboard
      Code:
      File::
      C:\WINNT\system32\xdauvrme.dll
      C:\WINNT\xhelper.dll
      C:\WINNT\system32\oppol.dll
      C:\PROGRAM Files\Excite\Toolbar\ExLaunch.exe
      C:\WINNT\system32\oppol.dll
      C:\WINNT\System32\nodeipproc.dll
      
      Folder::
      C:\Program Files\Trend Micro\PC-cillin 2000
    • Paste the contents of the clipboard into the Notepad window by pressing Ctrl+V or Edit, Paste
    • Save it to the desktop as Combofix-Do.txt
    • Now drag and drop the Combofix-Do.txt icon onto Combofix.exe as in the picture above and follow the prompts.
    • Then post the resultant log.
    Also please reboot, run another HijackThis log, and post that also (you can use a second reply post).

    askey127
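The triage askey127 does by eye on the HijackThis log in the previous post, as an added Python example that is not part of this thread or of HijackThis itself: it parses the O-lines of a constructed subset of that log and flags orphaned "(file missing)" entries, unnamed BHOs, an ActiveX download from a raw IP address, a DLL loaded from the Windows root rather than System32, and a DLL (oppol.dll) registered under two load points at once. The heuristics are my assumptions, not HijackThis rules, and a flag is a prompt for review, not a verdict.

```python
"""Triage pass over HijackThis (HJT) log lines.

Added example for this thread; it is not HijackThis's own code and the
heuristics below are assumptions, not the tool's rules.  It reads the
O-lines (O2 BHOs, O4 Run keys, O16 ActiveX downloads, O18 protocol
handlers, O20 Winlogon Notify packages, O23 services) and flags the
patterns the helper singled out in the posts above.
"""
import ipaddress
import ntpath
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample: a subset of the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - [SASInprocServer32] (file missing)
O2 - BHO: (no name) - {446444DA-D03D-DAC5-1A12-F88DB92081CB} - C:\WINNT\system32\xdauvrme.dll
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINNT\xhelper.dll
O2 - BHO: (no name) - {9AB8440F-1CE3-4C52-A8D6-A197E77563EA} - C:\WINNT\system32\oppol.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O9 - Extra button: @Home - {5957B14A-F356-4D51-B440-9B8ABC40D431} - http://home.excite.com (file missing) (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {A0EAC162-A012-4AD8-B2E1-D5A0BBBCDA51} (PopupSh Control) - http://206.222.26.98/images/PopupSh.ocx
O18 - Protocol: advert - {7DC356B2-7366-4F19-BF7A-4875F6AABEA0} - C:\WINNT\System32\nodeipproc.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: oppol - C:\WINNT\system32\oppol.dll
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Unknown owner - C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# A drive-letter path up to the first .dll/.exe/.ocx/.sys; spaces are allowed,
# so the match stops at the first extension that is followed by a blank/quote/end.
PATH_RE = re.compile(r'([A-Za-z]:\\.*?\.(?:dll|exe|ocx|sys))(?=[\s"]|$)', re.I)
URL_RE = re.compile(r"https?://\S+")


def parse_entries(log_text):
    """Yield (kind, body, path, url) for every O-line; path/url may be None."""
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # process list, R0/R1/F2 lines and blanks are not triaged here
        kind, body = m.groups()
        pm, um = PATH_RE.search(body), URL_RE.search(body)
        yield kind, body, (pm.group(1) if pm else None), (um.group(0) if um else None)


def in_windows_root(path):
    """True for a file sitting directly in the Windows directory (WINNT or
    WINDOWS) rather than in System32 or a vendor folder."""
    parts = path.lower().split("\\")
    return len(parts) == 3 and parts[1] in ("winnt", "windows")


def host_is_raw_ip(url):
    """True when the download host is a bare IP address instead of a hostname."""
    try:
        ipaddress.ip_address(urlparse(url).hostname or "")
        return True
    except ValueError:
        return False


def triage(log_text):
    """Return (reason, entry) findings in log order; the cross-entry finding
    (one module registered under several load points) comes last."""
    findings = []
    load_points = defaultdict(set)  # module basename -> set of O-kinds it appears under
    for kind, body, path, url in parse_entries(log_text):
        entry = f"{kind} - {body}"
        if "(file missing)" in body:
            findings.append(("orphaned entry, referenced file is gone", entry))
        if kind == "O2" and "(no name)" in body:
            findings.append(("unnamed BHO", entry))
        if kind == "O16" and url and host_is_raw_ip(url):
            findings.append(("ActiveX download from a raw IP address", entry))
        if kind == "O20" and path and "\\system32\\" in path.lower():
            findings.append(("Winlogon Notify DLL loaded from System32; verify it is a known package", entry))
        if path and in_windows_root(path):
            findings.append(("module in the Windows root instead of System32", entry))
        if path:
            load_points[ntpath.basename(path).lower()].add(kind)
    # One DLL hooked in two places (here oppol.dll as both O2 and O20) is a
    # stronger signal than either entry on its own.
    for name, kinds in sorted(load_points.items()):
        if len(kinds) > 1:
            findings.append((f"{name} registered under {len(kinds)} load points",
                             ", ".join(sorted(kinds))))
    return findings


if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"[{reason}] {entry}")
```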
     
  15. tonedown49

    tonedown49 Thread Starter

    Joined:
    Apr 8, 2005
    Messages:
    53
    "Tony Owen" - 2007-07-17 18:52:55 - ComboFix 07-07-13 - Service Pack 4
    Command switches used :: C:\Documents and Settings\Tony Owen\Desktop\Combofix-Do.txt


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\TONYOW~1\Desktop.\internet explorer.lnk
    C:\Program Files\Common Files\ecurit~1
    C:\Program Files\Common Files\ecurit~1\smss.exe
    C:\Program Files\Common Files\Yazzle1552OinAdmin.exe
    C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe
    C:\PROGRAM Files\Excite\Toolbar\ExLaunch.exe
    C:\Program Files\fnts~1
    C:\Program Files\fnts~1\r?gedit.exe
    C:\Program Files\outerinfo
    C:\Program Files\outerinfo\Terms.rtf
    C:\Program Files\Trend Micro\PC-cillin 2000
    C:\Program Files\Trend Micro\PC-cillin 2000\Tmntsrv.dll
    C:\Program Files\Trend Micro\PC-cillin 2000\WebTrapNT.exe
    C:\Program Files\Trend Micro\PC-cillin 2000\WTRes.dll
    C:\temp\tn3
    C:\WINNT\system32\oppol.dll
    C:\WINNT\system32\wcpicomsv32.exe


    ((((((((((((((((((((((((( Files Created from 2007-06-18 to 2007-07-18 )))))))))))))))))))))))))))))))


    2007-07-17 18:32 1,799,821 --ahs---- C:\WINNT\system32\loppo.bak2
    2007-07-16 22:07 <DIR> d-------- C:\WINNT\ERUNT
    2007-07-15 15:25 1,797,394 --ahs---- C:\WINNT\system32\loppo.ini2
    2007-07-12 23:02 1,941,682 --ahs---- C:\WINNT\system32\loppo.bak1
    2007-07-12 22:13 <DIR> d-a------ C:\WINNT\system32\Kaspersky Lab
    2007-07-12 22:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\Kaspersky Lab
    2007-07-11 18:55 51,200 --a------ C:\WINNT\nircmd.exe
    2007-07-10 21:56 <DIR> d-------- C:\Program Files\CCleaner
    2007-07-09 23:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1.WIN\APPLIC~1\SUPERAntiSpyware.com
    2007-07-09 23:18 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2007-07-09 23:18 <DIR> d-------- C:\DOCUME~1\TONYOW~1\APPLIC~1\SUPERAntiSpyware.com
    2007-07-09 20:21 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-07-06 22:35 <DIR> d-a------ C:\WINNT\system32\FlashAX
    2007-07-06 20:51 13,573 --a------ C:\WINNT\system32\KB_963491.exe
    2007-07-04 00:48 626,688 --a------ C:\WINNT\system32\msvcr80.dll
    2007-07-04 00:22 84,480 --a------ C:\WINNT\h8bk8hld.exe
    2007-07-02 22:47 22,592 --a------ C:\WINNT\system32\D0CgPqEt.exe


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2165-11-13 02:36:37 -------- d---a-w C:\Program Files\Snapshot Viewer
    2165-11-09 02:52:35 999,760 ----a-w C:\winamp277_std.exe
    2165-05-11 05:03:35 137 ---ha-w C:\PCEA-9993-6244-4144-4403.DAT
    2007-07-18 00:55:09 -------- d---a-w C:\Program Files\Trend Micro
    2007-07-10 14:34:46 -------- d---a-w C:\Program Files\Windows NT
    2007-07-08 00:28:22 -------- d--ha-w C:\Program Files\WindowsUpdate
    2007-07-07 08:13:43 3,690,528 ----a-w C:\WINNT\system32\drivers\vrcore.sys
    2007-06-02 23:51:35 -------- d-----w C:\DOCUME~1\TONYOW~1\APPLIC~1\U3
    2007-04-20 00:56:34 70 ----a-w C:\WINNT\OH4WIN.REG
    2006-07-24 05:22:48 0 ----a-w C:\DOCUME~1\TONYOW~1\APPLIC~1\internaldb41.dat
    2004-03-17 23:13:46 1,028,368 ----a-w C:\Program Files\vbrun60sp6.exe
    2003-09-13 05:29:47 407,040 ----a-w C:\Program Files\kmd.exe
    2002-05-12 03:21:59 271 ---h--w C:\Program Files\desktop.ini
    2002-05-12 03:21:59 21,952 ---h--w C:\Program Files\folder.htt
    2001-12-24 06:56:39 4,341,906 ----a-w C:\Program Files\Cdm32s_480.zip
    1998-12-09 02:53:54 99,840 ----a-w C:\Program Files\Common Files\IRAABOUT.DLL
    1998-12-09 02:53:54 70,144 ----a-w C:\Program Files\Common Files\IRAMDMTR.DLL
    1998-12-09 02:53:54 48,640 ----a-w C:\Program Files\Common Files\IRALPTTR.DLL
    1998-12-09 02:53:54 31,744 ----a-w C:\Program Files\Common Files\IRAWEBTR.DLL
    1998-12-09 02:53:54 186,368 ----a-w C:\Program Files\Common Files\IRAREG.DLL
    1998-12-09 02:53:54 17,920 ----a-w C:\Program Files\Common Files\IRASRIAL.DLL


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    04-12-14 01:56 63136 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    05-05-31 01:04 853672 --a------ C:\Program Files\Spybot - Search & Destroy\SDHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C25992BC-9890-45EA-8D79-171554994842}]
    C:\WINNT\system32\oppol.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Synchronization Manager"="mobsync.exe" [03-06-19 13:05 C:\WINNT\system32\mobsync.exe]
    "CountrySelection"="pctptt.exe" [01-03-22 04:08 C:\WINNT\system32\pctptt.exe]
    "MediaFace Integration"="C:\Program Files\Fellowes\MediaFACE 4.0\SetHook.exe" [06-10-17 17:37 ]
    "LWBMOUSE"="C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe" [06-10-17 17:37 ]
    "LoadQM"="loadqm.exe" [00-05-03 17:23 C:\WINNT\loadqm.exe]
    "dwStart"="C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe" [04-08-04 20:13 ]
    "Vrmon"="C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe" [06-01-18 17:07 ]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [06-10-30 09:36 ]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ssgrate.exe"="" []
    "PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe" [06-10-17 17:37 ]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [06-12-20 13:55 ]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll --a------ 07-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\oppol]
    C:\WINNT\system32\oppol.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, msnsspc.dll, digest.dll


    HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\5ee14856-47c9-4f22-9377-671fc1021992
    C:\WINNT\System32\nmqbxmb.exe

    Contents of the 'Scheduled Tasks' folder
    2007-07-17 06:00:30 C:\WINNT\tasks\At1.job
    2007-07-17 15:00:33 C:\WINNT\tasks\At10.job
    2007-07-17 16:00:32 C:\WINNT\tasks\At11.job
    2007-07-17 17:00:33 C:\WINNT\tasks\At12.job
    2007-07-17 18:00:33 C:\WINNT\tasks\At13.job
    2007-07-17 19:00:33 C:\WINNT\tasks\At14.job
    2007-07-17 20:00:33 C:\WINNT\tasks\At15.job
    2007-07-17 21:00:32 C:\WINNT\tasks\At16.job
    2007-07-17 22:00:32 C:\WINNT\tasks\At17.job
    2007-07-17 23:00:33 C:\WINNT\tasks\At18.job
    2007-07-18 00:00:30 C:\WINNT\tasks\At19.job
    2007-07-17 07:00:33 C:\WINNT\tasks\At2.job
    2007-07-18 01:01:21 C:\WINNT\tasks\At20.job
    2007-07-17 02:00:30 C:\WINNT\tasks\At21.job
    2007-07-17 03:00:30 C:\WINNT\tasks\At22.job
    2007-07-17 04:00:30 C:\WINNT\tasks\At23.job
    2007-07-17 05:00:33 C:\WINNT\tasks\At24.job
    2007-07-17 08:00:30 C:\WINNT\tasks\At3.job
    2007-07-17 09:00:33 C:\WINNT\tasks\At4.job
    2007-07-17 10:00:34 C:\WINNT\tasks\At5.job
    2007-07-17 11:00:33 C:\WINNT\tasks\At6.job
    2007-07-17 12:00:33 C:\WINNT\tasks\At7.job
    2007-07-17 13:00:32 C:\WINNT\tasks\At8.job
    2007-07-17 14:00:33 C:\WINNT\tasks\At9.job

    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-17 19:00:32
    Windows 5.0.2195 Service Pack 4 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-17 19:02:52 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 07-07-17 19:02
    C:\ComboFix2.txt ... 07-07-12 22:04

    --- E O F ---
     
Short URL to this thread: https://techguy.org/593820