[resolved] Request for help on a particular spyware problem.
Hiya
I have recently been having a serious problem on my computer regarding some kind of hijacking.
My particular problem arose through mere accident, as before I was not aware I actually had a problem on my computer.
My particular problem is some kind of virus that is preventing me from running anything with the word 'spy' in it. For example, if I try and run a spyware removal program (e.g. Spybot Search and Destroy) it automatically shuts the program down. The only spyware removal program that I have been able to run is Spyware Doctor, and still this virus will attempt to close it repeatedly; even when I installed Spyware Doctor onto my computer it continually tried to close down the setup program, but with some insane furious clicking I managed to get it installed. However, as Spyware Doctor runs constantly from the icon tray (once installed), with more furious clicking I can manage to keep it open and run a scan.
I have removed a lot of infections with Spyware Doctor; however, the original problem still exists, and I believe it is using a backdoor to install new infections as I use the internet. I say this because after just 3 hours' general use I will have around 25 new infections, which are detected and removed by Spyware Doctor. Unfortunately it doesn't detect the original virus, nor does Trend Micro's HouseCall. As far as I can tell this virus is completely undetectable by most spyware removal programs (not including the ones I just cannot run).
It even goes as far that if I simply type the word 'spy' into a Google search it will close the browser automatically. I use both IE and Firefox with the same results.
I have spent the last 3 days searching fruitlessly for a solution all over the internet, and I'm resigned to the fact I may have to just reformat my computer, which I really really don't want to do. So I come here to plead my case in the hopes that maybe someone here can help me.
The one program I have been able to use (thank God!) is HijackThis, and I have included a log file in this post.
Thank you for any insight into this god-awful problem.
Comments
I did a complete scan with Trend Micro's HouseCall; it found some malware, which it removed.
I also ran Spybot Search and Destroy via safe mode with networking enabled and it found nothing. Unfortunately I still have the problem where I cannot search for the word spy via any search engine, run programs with the word spy in them, or even open folders that contain the word spy after I boot up normally.
The problem does not exist in safe mode.
I also tried using Kaspersky's online scan, but it shuts the browser down within 1 second like the problems mentioned above, although I can search for it on Google without any problems; once I click the Kaspersky link it shuts the browser down.
Logfile of HijackThis v1.99.1
Scan saved at 18:49:24, on 25/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Windows Media Player\Skins\WindowsMediaSkin\Systray.exe
D:\uo\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\sndoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Autorun.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Windows Media Player\Skins\WindowsMediaSkin\Systray.exe
Could you please upload it for analysis:
http://virusscan.jotti.org/
Copy and paste the results.
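How that Systray.exe line gets picked out of a log like the one above, as an added Python example that is not part of this thread or of HijackThis: it parses the "Running processes" list and reports every process that neither the core Windows XP process set nor a visible O4 autostart or O23 service entry accounts for. The log excerpt is a constructed, cut-down copy of the first log in this thread, and the core-process allowlist is an assumption of this example (HijackThis 1.99.1 lists only non-Microsoft services under O23, so the OS's own processes need a separate list).

```python
"""Flag HijackThis 'Running processes' entries with no visible launch point."""
import re

# Constructed excerpt of the first log posted in this thread (O2/O8/O9/O16
# lines omitted; they are not launch points and this check does not use them).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 18:49:24, on 25/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Windows Media Player\Skins\WindowsMediaSkin\Systray.exe
D:\uo\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\sndoctor.exe" /Q
O4 - Global Startup: Autorun.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
"""

# Assumed allowlist: core Windows XP processes that are always running and
# have no O4/O23 line, plus the scanner itself.
CORE_XP = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
           "svchost.exe", "spoolsv.exe", "alg.exe", "explorer.exe", "wdfmgr.exe",
           "hijackthis.exe"}

# An .exe basename: stops at backslashes, whitespace, quotes and the [name] brackets
# that HijackThis puts around Run-key value names.
EXE_RE = re.compile(r'[^\\\s"\[\]]+\.exe', re.IGNORECASE)


def parse_log(text):
    """Split a HijackThis log into (running process paths, Rx/Fx/Nx/Oxx entries)."""
    processes, entries, in_procs = [], [], False
    for line in text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_procs = True
            continue
        if re.match(r"^[RFNO]\d+ - ", line):
            in_procs = False          # first entry line ends the process list
            entries.append(line)
        elif in_procs and line:
            processes.append(line)
    return processes, entries


def launch_points(entries):
    """Lower-cased .exe basenames referenced by O4 (autostart) and O23 (service) entries."""
    names = set()
    for entry in entries:
        if entry.startswith(("O4 - ", "O23 - ")):
            names.update(m.lower() for m in EXE_RE.findall(entry))
    return names


def unexplained_processes(text):
    """Running processes that neither the core-OS allowlist nor a visible
    launch point accounts for: the first lines to question in a log."""
    processes, entries = parse_log(text)
    known = CORE_XP | launch_points(entries)
    return [p for p in processes if p.rsplit("\\", 1)[-1].lower() not in known]


if __name__ == "__main__":
    for path in unexplained_processes(SAMPLE_LOG):
        print("no visible launch point:", path)
```

The only hit on the excerpt is the Systray.exe under the Windows Media Player skins folder; a process that runs from a data directory and is absent from every autostart and service entry is exactly what the helper asked to have uploaded.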
I think you have cracked it. I'm just waiting for the server, as it's a bit busy on that link you gave me. However, in the same folder I found 2 zipped files, one called ToSpy.zip and another called ToStartUp.zip; also, inside another folder in that directory there are 2 more zipped files called Delay.zip and LockPC.zip, which also sound very suss. I'll update you when I manage to scan the systray.exe file.
File: Systray.exe
Status: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)
MD5 2f143639e4afc436860ba12c2d2631fe
Packers detected: ARMADILLO
Scanner results
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
UNA Found nothing
VirusBuster Found nothing
VBA32 Found nothing
In addition I ended the process via the Task Manager, did a search for spy in Google, and this time it didn't close the web browser, so I can confirm you have indeed found the culprit.
Now the big question... how do I get this piece of s**t off my computer?
1) I need a small favor from you. This is most likely a new infection, and all scanners should be given a copy of it so that they can add it in their signature database.
So if you are willing to help out, please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.
Paste the following list into the Suspicious File Packer window:
C:\Program Files\Windows Media Player\Skins\WindowsMediaSkin\Systray.exe
Allow SFP to pack the file(s). This will generate a CAB archive on your desktop. Please email the file(s) to me at:
chiawaikian[AT]h-desk.com (replace [AT] with @)
2) Now to get on with the proper fix... restart your computer, as the computer is booting press and hold your "F8 Key" which should bring up the "Windows Advanced Options Menu" as shown below. Use your arrow keys to move to "Safe Mode" and press your Enter key.
3) Once in safe mode, please navigate to and delete:
C:\Program Files\Windows Media Player\Skins\WindowsMediaSkin\
4) Reboot back into normal mode and post a new HijackThis log, along with information on how things went.
I have sent you the suspicious file as requested and followed your instructions and deleted the folder \WindowsMediaSkin\ whilst in safe mode. The computer booted up fine and seems to be running OK; however, an error did pop up just after explorer.exe opened...
The window title was CallTemp and the actual error message said Runtime error '53', File not found.
Thanks again for all your help!
Here is the latest HijackThis log.
Logfile of HijackThis v1.99.1
Scan saved at 11:55:38, on 27/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
D:\uo\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Autorun.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://eu-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {E5D419D6-A846-4514-9FAD-97E826C84822} (HeartbeatCtl Class) - http://fdl.msn.com/zone/datafiles/heartbeat.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools - C:\Program Files\Spyware Doctor\sdhelp.exe
Your HijackThis log appears clean. However, since HijackThis does not scan the entire system, I will now have you run Kaspersky AntiVirus (works only with MS Internet Explorer 5.0 or higher).
Go to http://www.kaspersky.com/virusscanner and click the "Kaspersky Online Scanner" button (NOT "Kaspersky File Scanner").
- In the new window that opens, click the "Accept" button to accept the user agreement, install the ActiveX control, and download the program.
- When you get the Windows dialog asking if you want to install this software, click the "Install" button.
- When the "Update progress" line changes to "Ready" and the "NEXT ->" button lights up with a green arrow, click it.
- Click on the "Scan Settings" button, and in the next window select the "extended" database, and click Ok.
- Under "Please select a target to scan:", click My Computer to start the scan.
When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window, and post the text in kavscan.txt in your next reply.
KASPERSKY ON-LINE SCANNER REPORT
Sunday, May 28, 2006 11:25:37 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 28/05/2006
Kaspersky Anti-Virus database records: 196809
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
Scan Statistics:
Total number of scanned objects: 132818
Number of viruses found: 14
Number of infected objects: 136
Number of suspicious objects: 0
Duration of the scan process: 01:23:06
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\pimpim\.housecall\Quarantine\A0019362.exe.bac_a01744 Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\pimpim\.housecall\Quarantine\A0019373.exe.bac_a01744 Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\pimpim\.housecall\Quarantine\A0019374.exe.bac_a01744 Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\pimpim\.housecall\Quarantine\A0019375.exe.bac_a01744 Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\pimpim\.housecall\Quarantine\A0026170.exe.bac_a01744 Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\pimpim\.housecall\Quarantine\A0026171.exe.bac_a01744 Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\pimpim\.housecall\Quarantine\A0026172.exe.bac_a01744 Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\pimpim\.housecall\Quarantine\A0026173.exe.bac_a01744 Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\pimpim\.housecall\Quarantine\A0026174.exe.bac_a01744 Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\pimpim\.housecall\Quarantine\A0026175.exe.bac_a01744 Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\pimpim\.housecall\Quarantine\A0026176.exe.bac_a01744 Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\pimpim\.housecall\Quarantine\A0026177.exe.bac_a01744 Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\pimpim\.housecall\Quarantine\A0026178.exe.bac_a01744 Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\pimpim\.housecall\Quarantine\A0026179.exe.bac_a01744 Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\pimpim\.housecall\Quarantine\A0026180.exe.bac_a01744 Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\pimpim\.housecall\Quarantine\A0026181.exe.bac_a01744 Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\pimpim\.housecall\Quarantine\A0026182.exe.bac_a01744 Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\pimpim\.housecall\Quarantine\A0026183.exe.bac_a01744 Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\pimpim\.housecall\Quarantine\A0026184.exe.bac_a01744 Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\pimpim\.housecall\Quarantine\A0026185.exe.bac_a01744 Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\pimpim\.housecall\Quarantine\A0026186.exe.bac_a01744 Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\pimpim\.housecall\Quarantine\A0026187.exe.bac_a01744 Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\pimpim\.housecall\Quarantine\A0026188.exe.bac_a01744 Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\pimpim\.housecall\Quarantine\A0026189.exe.bac_a01744 Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\pimpim\.housecall\Quarantine\A0026190.EXE.bac_a01744 Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\pimpim\.housecall\Quarantine\A0026191.exe.bac_a01744 Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\pimpim\.housecall\Quarantine\A0026192.exe.bac_a01744 Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\pimpim\.housecall\Quarantine\A0026193.exe.bac_a01744 Infected: Virus.Win32.Parite.b skipped
C:\Documents and Settings\pimpim\.housecall\Quarantine\A0026194.exe.bac_a01744 Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012778.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012779.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012780.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012781.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012782.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012783.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012784.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012785.EXE Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012786.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012787.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012788.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012789.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012790.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012791.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012792.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012793.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012794.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012795.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012796.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012797.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012798.exe Infected: Backdoor.Win32.Agobot.afk skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012799.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012800.EXE Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012801.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012802.EXE Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012803.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012804.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012805.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012806.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012807.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012808.EXE Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012809.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012810.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012811.EXE Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012812.EXE Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012813.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012814.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012815.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012816.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012817.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012818.EXE Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012819.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012820.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012821.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012822.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012823.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012824.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012825.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012826.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012827.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012828.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012829.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012830.EXE Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012831.EXE Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012832.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012833.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012834.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012835.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012836.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012837.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012838.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012839.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012840.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012841.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012842.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012843.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012844.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012845.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012846.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012847.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012848.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012849.EXE Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012850.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012851.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012852.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012853.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012854.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012855.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012856.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012857.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012858.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012859.exe Infected: Virus.Win32.Parite.b skipped
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012860.exe Infected: Virus.Win32.Parite.b skipped
D:\RECYCLER\S-1-5-21-1202660629-651377827-839522115-1003\Dd1\system32\a Infected: Trojan-Downloader.BAT.Ftp.ay skipped
D:\System Volume Information\_restore{53747E60-5BC9-44A7-8979-8D366285102C}\RP2\A0006040.exe Infected: Virus.Win32.Parite.b skipped
D:\System Volume Information\_restore{646DCA05-6ED5-48F4-B04E-4EFA60DA5C41}\RP210\A0030919.exe Infected: Virus.Win32.Parite.b skipped
D:\System Volume Information\_restore{646DCA05-6ED5-48F4-B04E-4EFA60DA5C41}\RP210\A0030920.exe Infected: Virus.Win32.Parite.b skipped
D:\System Volume Information\_restore{6DF82776-94B6-4B25-A353-70029760A8D8}\RP4\A0002100.sys Infected: Rootkit.Win32.Agent.p skipped
D:\System Volume Information\_restore{B4ECE848-3479-46ED-9982-FE993EE1DB9B}\RP16\A0011855.EXE Infected: Backdoor.Win32.SdBot.ts skipped
D:\System Volume Information\_restore{B4ECE848-3479-46ED-9982-FE993EE1DB9B}\RP16\A0011856.exe Infected: Backdoor.Win32.Rbot.gen skipped
D:\System Volume Information\_restore{B4ECE848-3479-46ED-9982-FE993EE1DB9B}\RP16\A0011857.sys Infected: Rootkit.Win32.Agent.p skipped
D:\System Volume Information\_restore{B4ECE848-3479-46ED-9982-FE993EE1DB9B}\RP16\A0011858.exe Infected: Backdoor.Win32.Rbot.gen skipped
D:\System Volume Information\_restore{B4ECE848-3479-46ED-9982-FE993EE1DB9B}\RP16\A0011859.dll Infected: Net-Worm.Win32.Maslan.b skipped
D:\System Volume Information\_restore{B4ECE848-3479-46ED-9982-FE993EE1DB9B}\RP16\A0011860.exe Infected: Net-Worm.Win32.Maslan.c skipped
D:\System Volume Information\_restore{B4ECE848-3479-46ED-9982-FE993EE1DB9B}\RP16\A0011861.exe Infected: Backdoor.Win32.SdBot.ts skipped
D:\System Volume Information\_restore{B4ECE848-3479-46ED-9982-FE993EE1DB9B}\RP16\A0011862.exe Infected: Net-Worm.Win32.Maslan.b skipped
D:\System Volume Information\_restore{B7FBDDD4-4CD2-46AA-8929-9220201DB788}\RP3\A0015289.exe Infected: Backdoor.Win32.Aimbot.bz skipped
D:\System Volume Information\_restore{B7FBDDD4-4CD2-46AA-8929-9220201DB788}\RP3\A0015318.exe Infected: Backdoor.Win32.Aimbot.bz skipped
D:\System Volume Information\_restore{B7FBDDD4-4CD2-46AA-8929-9220201DB788}\RP3\A0016237.exe Infected: Backdoor.Win32.Codbot.bm skipped
D:\System Volume Information\_restore{B7FBDDD4-4CD2-46AA-8929-9220201DB788}\RP3\A0016373.exe Infected: Trojan-Downloader.Win32.Agent.acv skipped
D:\System Volume Information\_restore{B7FBDDD4-4CD2-46AA-8929-9220201DB788}\RP3\A0016556.exe Infected: Backdoor.Win32.Rbot.ul skipped
D:\System Volume Information\_restore{B7FBDDD4-4CD2-46AA-8929-9220201DB788}\RP3\A0016599.exe Infected: Backdoor.Win32.Rbot.gen skipped
D:\System Volume Information\_restore{B7FBDDD4-4CD2-46AA-8929-9220201DB788}\RP3\A0016832.exe Infected: Backdoor.Win32.Rbot.va skipped
D:\System Volume Information\_restore{B7FBDDD4-4CD2-46AA-8929-9220201DB788}\RP3\A0017035.dll Infected: Trojan-Downloader.Win32.Agent.acv skipped
D:\System Volume Information\_restore{B7FBDDD4-4CD2-46AA-8929-9220201DB788}\RP3\A0017213.sys Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
D:\System Volume Information\_restore{B7FBDDD4-4CD2-46AA-8929-9220201DB788}\RP3\A0019525.exe Infected: Trojan-Downloader.Win32.Agent.acv skipped
D:\System Volume Information\_restore{B7FBDDD4-4CD2-46AA-8929-9220201DB788}\RP3\A0019527.exe Infected: Backdoor.Win32.Aimbot.bz skipped
Scan process completed.
C:\Documents and Settings\pimpim\.housecall\Quarantine
I remembered seeing the Trend Micro scan option to quarantine infections before it would attempt to remove them.
Also the line:
D:\RECYCLER\S-1-5-21-1202660629-651377827-839522115-1003\Dd1\system32\a Infected: Trojan-Downloader.BAT.Ftp.ay
I deleted this also, along with the rest of the files in that folder, as these were just files I had already deleted previously, so I felt it was safe to remove them completely.
I did another scan using Kaspersky, but only selected the above folders, and the results came back as:
KASPERSKY ON-LINE SCANNER REPORT
Sunday, May 28, 2006 12:28:12 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 28/05/2006
Kaspersky Anti-Virus database records: 196820
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - Folders:
C:\Documents and Settings\
C:\RECYCLER\
C:\System Volume Information\
D:\RECYCLER\
D:\System Volume Information\
Scan Statistics:
Total number of scanned objects: 13422
Number of viruses found: 12
Number of infected objects: 23
Number of suspicious objects: 0
Duration of the scan process: 00:06:24
Infected Object Name / Virus Name / Last Action
D:\System Volume Information\_restore{53747E60-5BC9-44A7-8979-8D366285102C}\RP2\A0006040.exe Infected: Virus.Win32.Parite.b skipped
D:\System Volume Information\_restore{646DCA05-6ED5-48F4-B04E-4EFA60DA5C41}\RP210\A0030919.exe Infected: Virus.Win32.Parite.b skipped
D:\System Volume Information\_restore{646DCA05-6ED5-48F4-B04E-4EFA60DA5C41}\RP210\A0030920.exe Infected: Virus.Win32.Parite.b skipped
D:\System Volume Information\_restore{6DF82776-94B6-4B25-A353-70029760A8D8}\RP4\A0002100.sys Infected: Rootkit.Win32.Agent.p skipped
D:\System Volume Information\_restore{B4ECE848-3479-46ED-9982-FE993EE1DB9B}\RP16\A0011855.EXE Infected: Backdoor.Win32.SdBot.ts skipped
D:\System Volume Information\_restore{B4ECE848-3479-46ED-9982-FE993EE1DB9B}\RP16\A0011856.exe Infected: Backdoor.Win32.Rbot.gen skipped
D:\System Volume Information\_restore{B4ECE848-3479-46ED-9982-FE993EE1DB9B}\RP16\A0011857.sys Infected: Rootkit.Win32.Agent.p skipped
D:\System Volume Information\_restore{B4ECE848-3479-46ED-9982-FE993EE1DB9B}\RP16\A0011858.exe Infected: Backdoor.Win32.Rbot.gen skipped
D:\System Volume Information\_restore{B4ECE848-3479-46ED-9982-FE993EE1DB9B}\RP16\A0011859.dll Infected: Net-Worm.Win32.Maslan.b skipped
D:\System Volume Information\_restore{B4ECE848-3479-46ED-9982-FE993EE1DB9B}\RP16\A0011860.exe Infected: Net-Worm.Win32.Maslan.c skipped
D:\System Volume Information\_restore{B4ECE848-3479-46ED-9982-FE993EE1DB9B}\RP16\A0011861.exe Infected: Backdoor.Win32.SdBot.ts skipped
D:\System Volume Information\_restore{B4ECE848-3479-46ED-9982-FE993EE1DB9B}\RP16\A0011862.exe Infected: Net-Worm.Win32.Maslan.b skipped
D:\System Volume Information\_restore{B7FBDDD4-4CD2-46AA-8929-9220201DB788}\RP3\A0015289.exe Infected: Backdoor.Win32.Aimbot.bz skipped
D:\System Volume Information\_restore{B7FBDDD4-4CD2-46AA-8929-9220201DB788}\RP3\A0015318.exe Infected: Backdoor.Win32.Aimbot.bz skipped
D:\System Volume Information\_restore{B7FBDDD4-4CD2-46AA-8929-9220201DB788}\RP3\A0016237.exe Infected: Backdoor.Win32.Codbot.bm skipped
D:\System Volume Information\_restore{B7FBDDD4-4CD2-46AA-8929-9220201DB788}\RP3\A0016373.exe Infected: Trojan-Downloader.Win32.Agent.acv skipped
D:\System Volume Information\_restore{B7FBDDD4-4CD2-46AA-8929-9220201DB788}\RP3\A0016556.exe Infected: Backdoor.Win32.Rbot.ul skipped
D:\System Volume Information\_restore{B7FBDDD4-4CD2-46AA-8929-9220201DB788}\RP3\A0016599.exe Infected: Backdoor.Win32.Rbot.gen skipped
D:\System Volume Information\_restore{B7FBDDD4-4CD2-46AA-8929-9220201DB788}\RP3\A0016832.exe Infected: Backdoor.Win32.Rbot.va skipped
D:\System Volume Information\_restore{B7FBDDD4-4CD2-46AA-8929-9220201DB788}\RP3\A0017035.dll Infected: Trojan-Downloader.Win32.Agent.acv skipped
D:\System Volume Information\_restore{B7FBDDD4-4CD2-46AA-8929-9220201DB788}\RP3\A0017213.sys Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
D:\System Volume Information\_restore{B7FBDDD4-4CD2-46AA-8929-9220201DB788}\RP3\A0019525.exe Infected: Trojan-Downloader.Win32.Agent.acv skipped
D:\System Volume Information\_restore{B7FBDDD4-4CD2-46AA-8929-9220201DB788}\RP3\A0019527.exe Infected: Backdoor.Win32.Aimbot.bz skipped
Scan process completed.
While the System Volume Information on drive C: has been deleted, it hasn't removed them on my D: drive; also, I cannot access that folder to manually delete them (which is slightly annoying).
I must confess, however, it's very annoying to not have complete control over my computer. If I wanna delete files from System Volume Information I should be able to; I'm guessing this is a Microsoft thing?
After a bit of fiddling with the permissions in safe mode I gained access to and deleted all restore folders on my D: drive. I then did a quick scan of that folder with Kaspersky and I am very pleased to report my computer seems to be completely clean! (And running bloody fast, I might add.)
Once again I cannot express how grateful I am for the help you have provided, chiawaikian. Thanks man!
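The two Kaspersky reports above list every hit by full path, and nearly all of them sit under a System Volume Information\_restore{...}\RPnn folder, which is why clearing the restore points on each drive made them go away. The script below is an added example, not part of the original thread or of Kaspersky's tooling: it parses report lines of that shape, separates restore-point and Recycle Bin copies from hits on live paths (the only ones that can still run), and lists the drives whose restore points still hold infected copies. The sample report is constructed: a few lines mirror the posted logs, and the final live-path hit is invented to show the actionable case.

```python
"""Triage a Kaspersky On-line Scanner report ('<path> Infected: <name> <action>'
lines) by where each hit lives.

Added example, not from the original thread. SAMPLE_REPORT is constructed:
the restore-point/RECYCLER lines mirror the posted logs, the last line is
an invented live-system hit.
"""
import re
from collections import Counter

# One report line: <path> Infected: <detection name> <last action>
LINE_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>\S+)$")
# Restore-point copies: <drive>:\System Volume Information\_restore{GUID}\RPnn\...
RESTORE_RE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\System Volume Information\\_restore\{(?P<guid>[0-9A-Fa-f-]+)\}\\RP(?P<rp>\d+)\\",
    re.IGNORECASE,
)
RECYCLER_RE = re.compile(r"^[A-Za-z]:\\RECYCLER\\", re.IGNORECASE)


def classify(path):
    """Return 'restore_point', 'recycle_bin' or 'live' for a reported path."""
    if RESTORE_RE.match(path):
        return "restore_point"
    if RECYCLER_RE.match(path):
        return "recycle_bin"
    return "live"


def parse_report(text):
    """Return one dict per 'Infected:' line; header and footer lines are ignored."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        path, name = m.group("path"), m.group("name")
        hits.append({
            "path": path,
            "name": name,
            "action": m.group("action"),   # every line in the posted reports says 'skipped'
            "where": classify(path),
            # Kaspersky prefixes riskware (e.g. monitoring tools) with 'not-a-virus:'
            "riskware": name.startswith("not-a-virus:"),
        })
    return hits


def triage(text):
    """Summarise a report: counts by location and family, live hits, drives to purge."""
    hits = parse_report(text)
    return {
        "total": len(hits),
        "by_location": Counter(h["where"] for h in hits),
        "by_family": Counter(h["name"] for h in hits),
        # Live-path hits can still execute; they are the ones to deal with first.
        "live": [h for h in hits if h["where"] == "live"],
        # Drives whose restore points still hold infected copies: clear System
        # Restore there (in the thread C: was already cleared, D: was not).
        "restore_point_drives": sorted({
            RESTORE_RE.match(h["path"]).group("drive").upper()
            for h in hits if h["where"] == "restore_point"
        }),
    }


SAMPLE_REPORT = r"""
KASPERSKY ON-LINE SCANNER REPORT
Infected Object Name / Virus Name / Last Action
C:\System Volume Information\_restore{E80FA42F-A50C-4CBF-BBE3-00F4B022037E}\RP65\A0012804.exe Infected: Virus.Win32.Parite.b skipped
D:\RECYCLER\S-1-5-21-1202660629-651377827-839522115-1003\Dd1\system32\a Infected: Trojan-Downloader.BAT.Ftp.ay skipped
D:\System Volume Information\_restore{B4ECE848-3479-46ED-9982-FE993EE1DB9B}\RP16\A0011857.sys Infected: Rootkit.Win32.Agent.p skipped
D:\System Volume Information\_restore{B7FBDDD4-4CD2-46AA-8929-9220201DB788}\RP3\A0017213.sys Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\WINDOWS\system32\example.dll Infected: Backdoor.Win32.Rbot.gen skipped
Scan process completed.
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print("hits:", summary["total"], dict(summary["by_location"]))
    for h in summary["live"]:
        print("LIVE:", h["path"], h["name"])
    print("clear System Restore on:", ", ".join(summary["restore_point_drives"]))
```

Paste a whole report into `SAMPLE_REPORT` (or read it from a file) and the live-path list is the short list to act on; anything in the restore-point set disappears when System Restore is switched off and on again for that drive, as happened on D: in the thread.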
Here are a number of recommendations for additional protection to help prevent any malware infections in the future. These few simple steps can stave off the vast majority of spyware problems.
You may have already taken some of these steps:
1. Watch what you download!
Do not download just anything you see on the web. Some may have spyware bundled into them.
2. Try not to use peer-to-peer programs.
P2P programs like Grokster, iMesh, Kazaa and others are amongst the most notorious and come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself. If you insist on using a P2P program, please read this article written by Mike Healan of Spywareinfo.com fame. It is an updated and comprehensive article that gives in-depth detail about which P2P programs are "safe" to use.
3. Visit Windows Update:
Make sure that you have all the Critical Updates recommended for your operating system and IE. The first defense against infection is a properly patched OS.
Windows Update: http://v4.windowsupdate.microsoft.com/en/default.asp
We recommend checking for Windows updates monthly.
4. Adjust your security settings for ActiveX:
Go to Internet Options/Security/Internet, press 'default level', then OK.
Now press "Custom Level."
In the ActiveX section, set the first two options ("Download signed ActiveX controls" and "Download unsigned ActiveX controls") to 'Prompt', and "Initialize and script ActiveX controls not marked as safe" to 'Disable'.
So why is ActiveX so dangerous that you have to increase the security for it?
When your browser runs an ActiveX control, it is running an executable program. It's no different from double-clicking an .exe file on your hard drive.
Would you run just any random file downloaded off a web site without knowing what it is and what it does?
5. Download and install the following free programs:
a. SpywareBlaster: http://www.javacoolsoftware.com/spywareblaster.html
b. SpywareGuard: http://www.javacoolsoftware.com/spywareguard.html
Periodically check for updates.
6. Keep your antivirus software up to date. If you don't have one, I recommend the free AVG.
7. Use a firewall. If you don't have a firewall, I recommend the free version of ZoneAlarm.
A tutorial on understanding and using firewalls may be found here
8. IE-SPYAD puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all. Another good hosts program is mvpshosts. This little program packs a powerful punch as it blocks ads, banners, 3rd-party cookies, 3rd-party page counters, web bugs, and many hijackers. For information on how to download and install, please read this tutorial.
9. You might consider installing Mozilla / Firefox, which is much safer than Internet Explorer.
http://www.mozilla.org/
10. Install spyware detection and removal programs:
Ad-aware: http://www.snapfiles.com/get/adaware.html
Spybot S&D:
http://www.safer-networking.org
Use these programs to regularly scan your system for and remove many forms of spyware/malware.
11. Microsoft now offers their own anti-spyware product. Windows® Defender (Beta 2) improves Internet browsing safety by guarding over fifty (50) ways spyware can enter your PC. This is a BETA for XP/2000 only.
12. Before using or purchasing any Spyware/Malware protection/removal program, always check the Rogue/Suspect Spyware List. It will save you a lot of grief, as well as money if you are thinking of purchasing. Here is the link: http://www.spywarewarrior.com/rogue_anti-spyware.htm
If you want to know just how effective your anti-spyware program is, or how well any of the "rogue" programs listed at the above link work, check this for an independent comparison of several anti-spyware programs: http://www.spywarewarrior.com/asw-test-guide.htm
Let us know if we have not resolved your problem. Otherwise, you are good to go.
Happy and Safe Surfing!
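Step 4 above is set through the Internet Options dialog, but the three ActiveX options it changes are ordinary DWORD values under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3 (zone 3 is the Internet zone): 1001 = Download signed ActiveX controls, 1004 = Download unsigned ActiveX controls, 1201 = Initialize and script ActiveX controls not marked as safe, each holding 0 for Enable, 1 for Prompt or 3 for Disable. The script below is an added example, not part of the reply and not a Microsoft tool: it reads a `reg export` of that key and reports which of the three values still differ from what the reply recommends. The export text in `SAMPLE_EXPORT` is constructed to look like such a file; it is not taken from the poster's machine.

```python
"""Check the Internet-zone ActiveX settings from step 4 against the reply's
recommendation, from a `reg export` of the zone key instead of clicking
through Internet Options.

Added example, not from the original thread. Produce the input with:
    reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg
(newer Windows versions write the .reg file as UTF-16; decode it before
calling check_activex). SAMPLE_EXPORT below is constructed.
"""
import re

ZONE3_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"

# IE's value names for the three ActiveX options named in the reply;
# the data is 0 = Enable, 1 = Prompt, 3 = Disable.
ACTIVEX_SETTINGS = {
    "1001": "Download signed ActiveX controls",
    "1004": "Download unsigned ActiveX controls",
    "1201": "Initialize and script ActiveX controls not marked as safe",
}
RECOMMENDED = {"1001": 1, "1004": 1, "1201": 3}   # Prompt, Prompt, Disable
LEVEL_NAMES = {0: "Enable", 1: "Prompt", 3: "Disable"}

SECTION_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9A-Fa-f]{8})$')


def parse_reg_export(text):
    """Return {key_path_lowercase: {value_name: int}} for the dword values in a .reg export."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.lstrip("\ufeff").strip()   # a BOM may precede the first line
        m = SECTION_RE.match(line)
        if m:
            current = m.group("key").lower()  # registry key names are case-insensitive
            keys.setdefault(current, {})
            continue
        m = DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = int(m.group("hex"), 16)
    return keys


def check_activex(text):
    """Compare the zone 3 ActiveX values with the reply's recommendation.

    Returns a list of (value_name, description, current, recommended, ok).
    A value absent from the export is reported as None: IE then applies the
    zone's built-in default, which this check does not assume or guess.
    """
    zone = parse_reg_export(text).get(ZONE3_KEY.lower(), {})
    results = []
    for name, desc in ACTIVEX_SETTINGS.items():
        current = zone.get(name)
        results.append((name, desc, current, RECOMMENDED[name], current == RECOMMENDED[name]))
    return results


def describe(level):
    """Human-readable form of a zone value (None = not present in the export)."""
    if level is None:
        return "not set"
    return LEVEL_NAMES.get(level, "unknown(%d)" % level)


SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"1001"=dword:00000000
"1004"=dword:00000001
"1201"=dword:00000003
"""

if __name__ == "__main__":
    for name, desc, cur, rec, ok in check_activex(SAMPLE_EXPORT):
        flag = "OK " if ok else "FIX"
        print("%s %s %s: %s (recommended %s)" % (flag, name, desc, describe(cur), describe(rec)))
```

In the constructed sample, signed ActiveX downloads are still on Enable (0), so the script flags 1001 and passes the other two; after changing the setting in the dialog, export the key again and re-run to confirm the value actually changed.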