Scan Statistics
Total number of scanned objects 55412
Number of viruses found 30
Number of infected objects 109
Number of suspicious objects 0
Duration of the scan process 03:17:05
Infected Object Name Virus Name Last Action
C:\comhost.exe/data.rar/manager.exe/BAT Infected: Trojan.BAT.KillAV.cr skipped
C:\comhost.exe/data.rar/manager.exe Infected: Trojan.BAT.KillAV.cr skipped
C:\comhost.exe/data.rar/mc-110-12-0000488.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\comhost.exe/data.rar/mc-110-12-0000488.exe Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\comhost.exe/data.rar/booterror.exe Infected: Trojan-Downloader.Win32.Adload.bo skipped
C:\comhost.exe/data.rar Infected: Trojan-Downloader.Win32.Adload.bo skipped
C:\comhost.exe RarSFX: infected - 6 skipped
C:\defender26.exe Infected: Trojan-Clicker.Win32.VB.ly skipped
C:\Documents and Settings\All Users\Application Data\Pribi\v29.exe Infected: Trojan-Dropper.Win32.VB.cd skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0002/data299033.zip/Setup.exe Infected: not-a-virus:AdWare.Win32.IEDriver.b skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0002/data299033.zip/Files/3.exe Infected: not-a-virus:AdWare.Win32.IEDriver.b skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0002/data299033.zip/Files/5.exe Infected: not-a-virus:AdWare.Win32.IEDriver.b skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0002/data299033.zip/Files/IEDRIVER.EXE Infected: Trojan-Downloader.Win32.Turown.h skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0002/data299033.zip/Files/ieupdate.exe Infected: Trojan-Downloader.Win32.Turown.b skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0002/data299033.zip/Files/td.exe Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0002/data299033.zip Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0002 Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0003/data0003 Infected: not-a-virus:AdWare.Win32.Connector skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0003/data0004 Infected: not-a-virus:AdWare.Win32.Connector skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0003 Infected: not-a-virus:AdWare.Win32.Connector skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0004 Infected: Trojan-Downloader.Win32.Agent.ec skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0005/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.t skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0005/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0005/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0005/data0002.cab/Sync.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0005/data0002.cab/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0005/data0002.cab Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0005 Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0006 Infected: not-a-virus:AdWare.Win32.EZula skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe NSIS: infected - 20 skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3b.exe/data0002 Infected: not-a-virus:AdWare.Win32.180Solutions skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3b.exe/data0003/data0002 Infected: Trojan-Downloader.Win32.Keenval.b skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3b.exe/data0003/data0003/data0002 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3b.exe/data0003/data0003/data0005 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3b.exe/data0003/data0003/data0006 Infected: not-a-virus:AdWare.Win32.Perfnav.d skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3b.exe/data0003/data0003 Infected: not-a-virus:AdWare.Win32.Perfnav.d skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3b.exe/data0003 Infected: not-a-virus:AdWare.Win32.Perfnav.d skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3b.exe/data0014/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3b.exe/data0014/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3b.exe/data0014 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3b.exe NSIS: infected - 10 skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0002/data299033.zip/Setup.exe Infected: not-a-virus:AdWare.Win32.IEDriver.b skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0002/data299033.zip/Files/3.exe Infected: not-a-virus:AdWare.Win32.IEDriver.b skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0002/data299033.zip/Files/5.exe Infected: not-a-virus:AdWare.Win32.IEDriver.b skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0002/data299033.zip/Files/IEDRIVER.EXE Infected: Trojan-Downloader.Win32.Turown.h skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0002/data299033.zip/Files/ieupdate.exe Infected: Trojan-Downloader.Win32.Turown.b skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0002/data299033.zip/Files/td.exe Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0002/data299033.zip Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0002 Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0003/data0003 Infected: not-a-virus:AdWare.Win32.Connector skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0003/data0004 Infected: not-a-virus:AdWare.Win32.Connector skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0003 Infected: not-a-virus:AdWare.Win32.Connector skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0004 Infected: Trojan-Downloader.Win32.Agent.ec skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0005/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.t skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0005/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0005/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0005/data0002.cab/Sync.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0005/data0002.cab/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0005/data0002.cab Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0005 Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0006 Infected: not-a-virus:AdWare.Win32.EZula skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe NSIS: infected - 20 skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe/data0002 Infected: not-a-virus:AdWare.Win32.180Solutions skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe/data0003/data0002 Infected: Trojan-Downloader.Win32.Keenval.b skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe/data0003/data0003/data0002 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe/data0003/data0003/data0005 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe/data0003/data0003/data0006 Infected: not-a-virus:AdWare.Win32.Perfnav.d skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe/data0003/data0003 Infected: not-a-virus:AdWare.Win32.Perfnav.d skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe/data0003 Infected: not-a-virus:AdWare.Win32.Perfnav.d skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe/data0014/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe/data0014/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe/data0014 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe NSIS: infected - 10 skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\MemWatcher2.exe/data0004 Infected: Backdoor.Win32.VB.nb skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\MemWatcher2.exe/data0006 Infected: Backdoor.Win32.VB.nb skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\MemWatcher2.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\popinstlite.exe Infected: Trojan-Downloader.Win32.Poplite.a skipped
C:\Documents and Settings\Default User\My Documents\Data\MemWatcher2.exe/data0004 Infected: Backdoor.Win32.VB.nb skipped
C:\Documents and Settings\Default User\My Documents\Data\MemWatcher2.exe/data0006 Infected: Backdoor.Win32.VB.nb skipped
C:\Documents and Settings\Default User\My Documents\Data\MemWatcher2.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Default User\My Documents\Data\popinstlite.exe Infected: Trojan-Downloader.Win32.Poplite.a skipped
C:\Documents and Settings\Ken Pope\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\5651DF71-01D3-4AC9-AAEC-0D37B2\30B70DCD-F5A5-4A49-8CA5-5EBA5E Infected: not-a-virus:AdWare.Win32.UrlSpy.a skipped
C:\Documents and Settings\Nichole.KIDSMACHINE\ezStub\ezStub.exe Infected: not-a-virus:AdWare.Win32.EZula.z skipped
C:\msdos.pif Infected: Trojan-Downloader.Win32.Adload.bo skipped
C:\Program Files\Norton AntiVirus\Quarantine\026176AA.exe Infected: Trojan-Downloader.Win32.Keenval skipped
C:\svchost.exe Infected: Trojan-Downloader.Win32.Adload.bo skipped
C:\WINDOWS\booterror.exe Infected: Trojan-Downloader.Win32.Adload.bo skipped
C:\WINDOWS\Downloaded Program Files\ashton.inf Infected: not-a-virus:AdWare.Win32.BetterInternet.as skipped
C:\WINDOWS\fwoeewc.exe Infected: Trojan-Clicker.Win32.VB.el skipped
C:\WINDOWS\manager.exe/BAT Infected: Trojan.BAT.KillAV.cr skipped
C:\WINDOWS\manager.exe QuickBatch: infected - 1 skipped
C:\WINDOWS\manager.exe PECompact: infected - 1 skipped
C:\WINDOWS\manager.exe PecBundle: infected - 1 skipped
C:\WINDOWS\manager.exe PE_Patch.PECompact: infected - 1 skipped
C:\WINDOWS\s4Setp.exe Infected: not-a-virus:AdWare.Win32.FunWeb.e skipped
C:\WINDOWS\sahagent-mediamotor1001.exe/data0002 Infected: not-a-virus:AdWare.Win32.Sahat.a skipped
C:\WINDOWS\sahagent-mediamotor1001.exe NSIS: infected - 1 skipped
C:\WINDOWS\system\IEService.exe Infected: not-a-virus:AdWare.Win32.FastFind.b skipped
C:\WINDOWS\system32\removefunc.ram/data.rar/mc-110-12-0000515.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\WINDOWS\system32\removefunc.ram/data.rar/mc-110-12-0000515.exe Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\WINDOWS\system32\removefunc.ram/data.rar/manager.exe/BAT Infected: Trojan.BAT.KillAV.cr skipped
C:\WINDOWS\system32\removefunc.ram/data.rar/manager.exe Infected: Trojan.BAT.KillAV.cr skipped
C:\WINDOWS\system32\removefunc.ram/data.rar Infected: Trojan.BAT.KillAV.cr skipped
C:\WINDOWS\system32\removefunc.ram RarSFX: infected - 5 skipped
C:\wmedia_bbi8015.exe/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\wmedia_bbi8015.exe/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\wmedia_bbi8015.exe NSIS: infected - 2 skipped
G:\TempPrograms\VNC\vnc-3.3.6-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
G:\TempPrograms\VNC\vnc-3.3.6-x86_win32.exe Inno: infected - 1 skipped
Scan process completed.
Logfile of HijackThis v1.99.1
Scan saved at 8:07:46 AM, on 6/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Please download the Killbox.
Unzip it to the desktop
Please run Killbox.
Copy all lines below at the same time:
C:\comhost.exe
C:\defender26.exe
C:\Documents and Settings\All Users\Application Data\Pribi\v29.exe
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe
C:\Documents and Settings\Default User\My Documents\Data\all_files3b.exe
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe
C:\Documents and Settings\Default User\My Documents\Data\Data\MemWatcher2.exe
C:\Documents and Settings\Default User\My Documents\Data\popinstlite.exe
C:\Documents and Settings\Nichole.KIDSMACHINE\ezStub\ezStub.exe
C:\msdos.pif
C:\Program Files\Norton AntiVirus\Quarantine\026176AA.exe
C:\svchost.exe
C:\WINDOWS\booterror.exe
C:\WINDOWS\Downloaded Program Files\ashton.inf
C:\WINDOWS\fwoeewc.exe
C:\WINDOWS\manager.exe
C:\WINDOWS\s4Setp.exe
C:\WINDOWS\sahagent-mediamotor1001.exe
C:\WINDOWS\system\IEService.exe
C:\WINDOWS\system32\removefunc.ram
C:\wmedia_bbi8015.exe
Select "Delete on Reboot" and all files
Go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.
If your computer does not restart automatically, please restart it manually.
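The Killbox list above was built by hand from the Kaspersky log: every detection line is either "path Infected: name skipped" or a container summary such as "path RarSFX: infected - 6 skipped", and Kaspersky separates archive members with "/", so the file that actually exists on disk is everything before the first "/". The following Python is an added example (not part of the thread, and not a tool the helper used) that derives that per-file list from such a log. The sample log embedded in it is a constructed excerpt in the same shape as the one posted above; the "pua_only" and "in_quarantine" flags and the default filtering in deletion_candidates are this example's own design choices, not a rule the helper followed (the helper did delete the file in the Norton quarantine folder and ezStub.exe, but left the WinVNC installer alone):

```python
import re
from collections import OrderedDict

# Constructed sample: a handful of lines in the same shape as the Kaspersky
# scan log posted above (not the full log).
SAMPLE_LOG = r"""Infected Object Name Virus Name Last Action
C:\comhost.exe/data.rar/manager.exe/BAT Infected: Trojan.BAT.KillAV.cr skipped
C:\comhost.exe/data.rar/manager.exe Infected: Trojan.BAT.KillAV.cr skipped
C:\comhost.exe/data.rar Infected: Trojan-Downloader.Win32.Adload.bo skipped
C:\comhost.exe RarSFX: infected - 6 skipped
C:\defender26.exe Infected: Trojan-Clicker.Win32.VB.ly skipped
C:\Documents and Settings\Default User\My Documents\Data\MemWatcher2.exe/data0004 Infected: Backdoor.Win32.VB.nb skipped
C:\Documents and Settings\Default User\My Documents\Data\MemWatcher2.exe NSIS: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\026176AA.exe Infected: Trojan-Downloader.Win32.Keenval skipped
G:\TempPrograms\VNC\vnc-3.3.6-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
G:\TempPrograms\VNC\vnc-3.3.6-x86_win32.exe Inno: infected - 1 skipped
Scan process completed.
"""

# "<object> Infected: <detection name> skipped"
DETECTION_RE = re.compile(r"^(?P<obj>.+) Infected: (?P<name>\S+) skipped$")
# "<object> <container type>: infected - <n> skipped" (archive/installer summary)
CONTAINER_RE = re.compile(r"^(?P<obj>.+) (?P<kind>\S+): infected - (?P<n>\d+) skipped$")


def parse_line(line):
    """Return a dict for a detection or container line, None for headers/footers."""
    line = line.strip()
    m = DETECTION_RE.match(line)
    if m:
        return {"obj": m.group("obj"), "name": m.group("name"), "kind": None, "n": None}
    m = CONTAINER_RE.match(line)
    if m:
        return {"obj": m.group("obj"), "name": None, "kind": m.group("kind"), "n": int(m.group("n"))}
    return None


def on_disk_path(obj):
    """Kaspersky joins nested archive members with '/', so the real file on disk is
    everything before the first '/'. Windows paths use backslashes, so this is safe."""
    return obj.split("/", 1)[0]


def summarize(log_text):
    """Group detections by the file that exists on disk, in order of first appearance."""
    files = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = on_disk_path(rec["obj"])
        entry = files.setdefault(path, {
            "detections": [],
            "container": None,
            "pua_only": True,  # stays True while every hit is a not-a-virus:* name
            "in_quarantine": "\\quarantine\\" in path.lower(),  # another scanner's quarantine folder
        })
        if rec["name"]:
            if rec["name"] not in entry["detections"]:
                entry["detections"].append(rec["name"])
            if not rec["name"].startswith("not-a-virus:"):
                entry["pua_only"] = False
        else:
            entry["container"] = (rec["kind"], rec["n"])
    return files


def deletion_candidates(log_text, include_pua=False, include_quarantine=False):
    """One line per on-disk file, ready to paste into a delete-on-reboot tool.
    By default files that only carry potentially-unwanted (not-a-virus) names and
    files already sitting in another scanner's quarantine are left for manual review."""
    return [
        path for path, e in summarize(log_text).items()
        if (include_pua or not e["pua_only"])
        and (include_quarantine or not e["in_quarantine"])
    ]


if __name__ == "__main__":
    for path, e in summarize(SAMPLE_LOG).items():
        print(path, e["container"], e["detections"])
    print("delete:", deletion_candidates(SAMPLE_LOG))
```

The container summary line ("RarSFX: infected - 6") is what tells you the outer file is a self-extracting archive carrying several payloads, which is why deleting the outer file is enough; the NSIS installer lines in the log are read the same way.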
Scan Statistics
Total number of scanned objects 55178
Number of viruses found 30
Number of infected objects 136
Number of suspicious objects 0
Duration of the scan process 04:27:34
Logfile of HijackThis v1.99.1
Scan saved at 8:55:05 PM, on 6/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Well, Killbox has destroyed them; it only creates backups in the C:\!killbox folder, as you can see.
Let's try this next.
Disable CounterSpy by doing this (important!!! You must do this. Those entries won't go away if you don't do this.)
1. Right-click the running icon of CounterSpy in the system tray.
2. With your mouse, hover over Active Protection Status (This should be enabled).
3. A menu will slide out and then you need to right click on "Disable Active Protection".
After that, open HijackThis, click "Do a system scan only" and checkmark these:
Scan Statistics
Total number of scanned objects 55116
Number of viruses found 2
Number of infected objects 3
Number of suspicious objects 0
Duration of the scan process 02:54:34
Infected Object Name Virus Name Last Action
C:\Documents and Settings\Ken Pope\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\5651DF71-01D3-4AC9-AAEC-0D37B2\30B70DCD-F5A5-4A49-8CA5-5EBA5E Infected: not-a-virus:AdWare.Win32.UrlSpy.a skipped
G:\TempPrograms\VNC\vnc-3.3.6-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
G:\TempPrograms\VNC\vnc-3.3.6-x86_win32.exe Inno: infected - 1 skipped
Scan process completed.
Logfile of HijackThis v1.99.1
Scan saved at 6:06:17 AM, on 6/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Double-click blbeta.exe, accept the agreement, click Scan, then click Next.
You'll see a list of what has been found. A log will appear on your desktop, named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).
DON'T choose Rename if something was found!
Post the contents of fsbl.xxxx.log here (xxxx = random numbers; the BlackLight log from your desktop).
Download WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder. Inside c:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards to 30 minutes or more.
When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard as a reply to where you are receiving help.
WARNING: not all files found by this scanner are bad. Consult with a knowledgeable person before proceeding.
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
PTech 6/4/2004 10:37:00 AM H 2827853 C:\kyf.dat
Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys
Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
6/16/2006 2:53:10 AM S 2048 C:\WINDOWS\bootstat.dat
6/16/2006 4:27:40 PM H 1024 C:\WINDOWS\system32\config\default.LOG
6/16/2006 2:53:26 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
6/16/2006 4:31:00 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
6/16/2006 5:15:44 PM H 1024 C:\WINDOWS\system32\config\software.LOG
6/16/2006 5:15:00 PM H 1024 C:\WINDOWS\system32\config\system.LOG
6/16/2006 2:04:00 AM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
6/3/2006 1:48:38 AM S 25075 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\486CC6AFD08942336C61FCD401C4A1D1
6/3/2006 1:48:22 AM S 408 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\74BFD122C0875EC75DBE5C6DB4C59019
6/3/2006 2:35:34 AM S 1219 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\7735880A01E3F94F763761958A7A8191
6/2/2006 10:32:22 PM S 7652 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E891C648621A40AC7F773694A17FE76C
6/3/2006 1:48:38 AM S 120 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\486CC6AFD08942336C61FCD401C4A1D1
6/3/2006 1:48:22 AM S 124 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\74BFD122C0875EC75DBE5C6DB4C59019
6/3/2006 2:35:34 AM S 132 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\7735880A01E3F94F763761958A7A8191
6/2/2006 10:32:22 PM S 134 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E891C648621A40AC7F773694A17FE76C
5/3/2006 6:31:14 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\a8fe7b4a-171c-4f4d-91a2-d1a4c3075884
5/3/2006 6:31:14 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
6/16/2006 2:56:36 AM H 330 C:\WINDOWS\Tasks\MP Scheduled Scan.job
6/16/2006 2:53:22 AM H 6 C:\WINDOWS\Tasks\SA.DAT
6/3/2006 1:14:10 AM HS 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
6/11/2006 1:30:42 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
6/11/2006 1:30:42 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\0D1L02G7\desktop.ini
6/11/2006 1:30:42 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\APWZM1FI\desktop.ini
6/11/2006 1:30:42 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CKE7KO9H\desktop.ini
6/11/2006 1:30:42 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\R7XPIF6Z\desktop.ini
Checking for CPL files...
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 1/17/2003 12:04:58 AM 106544 C:\WINDOWS\SYSTEM32\TWEAKUI.CPL
Microsoft Corporation 8/4/2004 2:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
Checking files in %ALLUSERSPROFILE%\Startup folder...
11/17/2002 4:56:50 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
Checking files in %ALLUSERSPROFILE%\Application Data folder...
11/17/2002 4:39:04 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
Checking files in %USERPROFILE%\Startup folder...
2/23/2002 12:00:36 AM HS 84 C:\Documents and Settings\Nichole.KIDSMACHINE\Start Menu\Programs\Startup\desktop.ini
Checking files in %USERPROFILE%\Application Data folder...
2/22/2002 5:37:42 PM HS 62 C:\Documents and Settings\Nichole.KIDSMACHINE\Application Data\desktop.ini
PTech 5/20/2005 3:18:34 PM H 57923 C:\Documents and Settings\Nichole.KIDSMACHINE\Application Data\ptads.bin
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 6/16/2006 5:33:37 PM
Logfile of HijackThis v1.99.1
Scan saved at 4:48:57 AM, on 6/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Nope, it all seems fine and dandy now. Except for what I mentioned in my new thread, with the running of the A: drive and D: drive and nothing being in them at the time.
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
You can find instructions on how to enable and reenable system restore here:
Reenable system restore with instructions from tutorial above
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
See this link for a listing of some online & their stand-alone antivirus programs:
Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
For a tutorial on Firewalls and a listing of some available ones see the link below:
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.
A tutorial on installing & using this product can be found here:
Install Spybot - Search and Destroy - Download and install Spybot - Search and Destroy with its TeaTimer option.
This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with this program on a regular basis, just as you would with antivirus software. A tutorial on installing & using this product can be found here:
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
Here are some additional utilities that will enhance your safety
IE/Spyad<=IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file<=The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar<=Get the free Google toolbar to help stop pop-up windows.
Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
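The HOSTS-file blocking described above works because the resolver consults the file before DNS and takes the first exact hostname match. The following Python is an added example, not something from the thread or from the MVPS project, that reads a file in that format and checks which names it actually sinkholes. The hostnames in the embedded sample are made up for the example; the real MVPS list is far longer. It also shows the limit a practitioner should know: there is no wildcard matching, so a subdomain that is not listed verbatim still resolves normally.

```python
import ipaddress

# Constructed excerpt in the style of a blocking HOSTS file. The hostnames are
# invented for this example; the malformed last line shows resolver tolerance.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
127.0.0.1  ads.example.net        # trailing comment is ignored
127.0.0.1  tracker.example.org banner.example.org
0.0.0.0    beacon.example.com
this is not a valid line
"""


def parse_hosts(text):
    """Read the file the way the resolver does: '#' starts a comment, fields are
    whitespace-separated, the first field is an address and every following field
    is a hostname mapped to it. Malformed lines are skipped rather than fatal."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            entries.append((str(addr), name.lower().rstrip(".")))
    return entries


def resolve(entries, hostname):
    """Exact, case-insensitive match; the first matching line wins. No wildcards:
    'sub.ads.example.net' is NOT covered by an entry for 'ads.example.net'."""
    hostname = hostname.lower().rstrip(".")
    for addr, name in entries:
        if name == hostname:
            return addr
    return None


def is_sinkholed(entries, hostname):
    """True when the file points the name at the local machine (127.0.0.1 or
    0.0.0.0), so the connection never leaves the host."""
    addr = resolve(entries, hostname)
    if addr is None:
        return False
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_unspecified


def uncovered(entries, hostnames):
    """Names you expected to be blocked that the file does not actually cover."""
    return [h for h in hostnames if not is_sinkholed(entries, h)]


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    for name in ("ads.example.net", "sub.ads.example.net", "beacon.example.com"):
        print(name, "->", resolve(hosts, name), "blocked" if is_sinkholed(hosts, name) else "not blocked")
```

Because matching is exact, a site that serves ads from rotating subdomains needs every one of them listed, which is why such lists grow to thousands of entries and still need updating, and why the helper pairs the HOSTS file with the IE Restricted Sites list rather than relying on either alone.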
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0005/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0005/data0002.cab/Sync.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0005/data0002.cab/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0005/data0002.cab Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0005 Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe/data0006 Infected: not-a-virus:AdWare.Win32.EZula skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe NSIS: infected - 20 skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3b.exe/data0002 Infected: not-a-virus:AdWare.Win32.180Solutions skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3b.exe/data0003/data0002 Infected: Trojan-Downloader.Win32.Keenval.b skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3b.exe/data0003/data0003/data0002 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3b.exe/data0003/data0003/data0005 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3b.exe/data0003/data0003/data0006 Infected: not-a-virus:AdWare.Win32.Perfnav.d skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3b.exe/data0003/data0003 Infected: not-a-virus:AdWare.Win32.Perfnav.d skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3b.exe/data0003 Infected: not-a-virus:AdWare.Win32.Perfnav.d skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3b.exe/data0014/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3b.exe/data0014/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3b.exe/data0014 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\Documents and Settings\Default User\My Documents\Data\all_files3b.exe NSIS: infected - 10 skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0002/data299033.zip/Setup.exe Infected: not-a-virus:AdWare.Win32.IEDriver.b skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0002/data299033.zip/Files/3.exe Infected: not-a-virus:AdWare.Win32.IEDriver.b skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0002/data299033.zip/Files/5.exe Infected: not-a-virus:AdWare.Win32.IEDriver.b skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0002/data299033.zip/Files/IEDRIVER.EXE Infected: Trojan-Downloader.Win32.Turown.h skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0002/data299033.zip/Files/ieupdate.exe Infected: Trojan-Downloader.Win32.Turown.b skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0002/data299033.zip/Files/td.exe Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0002/data299033.zip Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0002 Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0003/data0003 Infected: not-a-virus:AdWare.Win32.Connector skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0003/data0004 Infected: not-a-virus:AdWare.Win32.Connector skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0003 Infected: not-a-virus:AdWare.Win32.Connector skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0004 Infected: Trojan-Downloader.Win32.Agent.ec skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0005/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.t skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0005/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0005/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0005/data0002.cab/Sync.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0005/data0002.cab/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0005/data0002.cab Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0005 Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe/data0006 Infected: not-a-virus:AdWare.Win32.EZula skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe NSIS: infected - 20 skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe/data0002 Infected: not-a-virus:AdWare.Win32.180Solutions skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe/data0003/data0002 Infected: Trojan-Downloader.Win32.Keenval.b skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe/data0003/data0003/data0002 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe/data0003/data0003/data0005 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe/data0003/data0003/data0006 Infected: not-a-virus:AdWare.Win32.Perfnav.d skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe/data0003/data0003 Infected: not-a-virus:AdWare.Win32.Perfnav.d skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe/data0003 Infected: not-a-virus:AdWare.Win32.Perfnav.d skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe/data0014/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe/data0014/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe/data0014 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe NSIS: infected - 10 skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\MemWatcher2.exe/data0004 Infected: Backdoor.Win32.VB.nb skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\MemWatcher2.exe/data0006 Infected: Backdoor.Win32.VB.nb skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\MemWatcher2.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\popinstlite.exe Infected: Trojan-Downloader.Win32.Poplite.a skipped
C:\Documents and Settings\Default User\My Documents\Data\MemWatcher2.exe/data0004 Infected: Backdoor.Win32.VB.nb skipped
C:\Documents and Settings\Default User\My Documents\Data\MemWatcher2.exe/data0006 Infected: Backdoor.Win32.VB.nb skipped
C:\Documents and Settings\Default User\My Documents\Data\MemWatcher2.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Default User\My Documents\Data\popinstlite.exe Infected: Trojan-Downloader.Win32.Poplite.a skipped
C:\Documents and Settings\Ken Pope\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\5651DF71-01D3-4AC9-AAEC-0D37B2\30B70DCD-F5A5-4A49-8CA5-5EBA5E Infected: not-a-virus:AdWare.Win32.UrlSpy.a skipped
C:\Documents and Settings\Nichole.KIDSMACHINE\ezStub\ezStub.exe Infected: not-a-virus:AdWare.Win32.EZula.z skipped
C:\msdos.pif Infected: Trojan-Downloader.Win32.Adload.bo skipped
C:\Program Files\Norton AntiVirus\Quarantine\026176AA.exe Infected: Trojan-Downloader.Win32.Keenval skipped
C:\svchost.exe Infected: Trojan-Downloader.Win32.Adload.bo skipped
C:\WINDOWS\booterror.exe Infected: Trojan-Downloader.Win32.Adload.bo skipped
C:\WINDOWS\Downloaded Program Files\ashton.inf Infected: not-a-virus:AdWare.Win32.BetterInternet.as skipped
C:\WINDOWS\fwoeewc.exe Infected: Trojan-Clicker.Win32.VB.el skipped
C:\WINDOWS\manager.exe/BAT Infected: Trojan.BAT.KillAV.cr skipped
C:\WINDOWS\manager.exe QuickBatch: infected - 1 skipped
C:\WINDOWS\manager.exe PECompact: infected - 1 skipped
C:\WINDOWS\manager.exe PecBundle: infected - 1 skipped
C:\WINDOWS\manager.exe PE_Patch.PECompact: infected - 1 skipped
C:\WINDOWS\s4Setp.exe Infected: not-a-virus:AdWare.Win32.FunWeb.e skipped
C:\WINDOWS\sahagent-mediamotor1001.exe/data0002 Infected: not-a-virus:AdWare.Win32.Sahat.a skipped
C:\WINDOWS\sahagent-mediamotor1001.exe NSIS: infected - 1 skipped
C:\WINDOWS\system\IEService.exe Infected: not-a-virus:AdWare.Win32.FastFind.b skipped
C:\WINDOWS\system32\removefunc.ram/data.rar/mc-110-12-0000515.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\WINDOWS\system32\removefunc.ram/data.rar/mc-110-12-0000515.exe Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\WINDOWS\system32\removefunc.ram/data.rar/manager.exe/BAT Infected: Trojan.BAT.KillAV.cr skipped
C:\WINDOWS\system32\removefunc.ram/data.rar/manager.exe Infected: Trojan.BAT.KillAV.cr skipped
C:\WINDOWS\system32\removefunc.ram/data.rar Infected: Trojan.BAT.KillAV.cr skipped
C:\WINDOWS\system32\removefunc.ram RarSFX: infected - 5 skipped
C:\wmedia_bbi8015.exe/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\wmedia_bbi8015.exe/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\wmedia_bbi8015.exe NSIS: infected - 2 skipped
G:\TempPrograms\VNC\vnc-3.3.6-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
G:\TempPrograms\VNC\vnc-3.3.6-x86_win32.exe Inno: infected - 1 skipped
Scan process completed.
Scan saved at 8:07:46 AM, on 6/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
G:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file:\\C:\WINDOWS\system32\Searchx.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hmtwavy.exe
O4 - HKLM\..\Run: [SunServer] G:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.beqanna.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A96170D4-BFAA-4F6F-871F-B562EEDA8061}: NameServer = 63.245.131.21 63.245.131.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3A3602C-CE7E-4E8A-AED4-68B33B0754AB}: NameServer = 151.164.172.201
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
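The "Fix with HjT" selection in the reply that follows rests on three checks a reader can apply to any HijackThis log: an R0/R1 value that points at a local file instead of a web page, an R0/R1 value on a domain the machine was never configured to use, and an F2 Userinit value that chains a second program after the real userinit.exe. The script below automates those checks over the R/F2 lines of the log above. It is an added example written for this thread, not part of HijackThis and not code anyone posted; the one-domain allow-list is the example's own assumption (Windows XP's stock start page is an fwlink on go.microsoft.com), and the stock Userinit value, `C:\WINDOWS\system32\userinit.exe,` with nothing after the comma, is the Windows XP default.

```python
"""Flag the hijacked IE/Winlogon entries in a HijackThis (HJT) log.

Added example written for this thread; it is not part of HijackThis and
not code posted by anyone in the thread.  It automates the three checks
behind the "Fix with HjT" selection: R0/R1 values that point at a local
file, R0/R1 values on a domain outside a small allow-list, and an F2
Userinit value that chains a second program after userinit.exe.
"""
import re
from urllib.parse import urlparse

# Stock Windows XP value is "C:\WINDOWS\system32\userinit.exe," (note the
# trailing comma with nothing after it).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# ASSUMPTION: allow-list chosen for this example.  XP's default start page
# is an fwlink on go.microsoft.com; any other host is reported for review.
ALLOWED_DOMAINS = {"go.microsoft.com"}

R_LINE = re.compile(r"^(R[01]) - (HK(?:LM|CU)\\[^,]+),([^=]+?) = (.+)$")
F2_LINE = re.compile(r"^F2 - REG:system\.ini: UserInit=(.+)$", re.IGNORECASE)


def check_start_or_search(value):
    """Return a reason if an IE start/search value looks hijacked, else None."""
    value = value.strip()
    if value.lower().startswith("file:"):
        return "search page served from a local file"
    host = (urlparse(value).hostname or "").lower()
    if host not in ALLOWED_DOMAINS:
        return "points at non-default domain %s" % (host or "<none>")
    return None


def check_userinit(value):
    """Return the programs Userinit would launch besides the real userinit.exe."""
    parts = [p.strip() for p in value.split(",")]
    extras = [p for p in parts[1:] if p]
    if parts[0].lower() != DEFAULT_USERINIT:
        extras.insert(0, parts[0])          # userinit.exe itself was replaced
    return extras


def triage_hjt(log_text):
    """Return [(log line, reason)] for every R0/R1/F2 line worth fixing."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        m = R_LINE.match(line)
        if m:
            reason = check_start_or_search(m.group(4))
            if reason:
                findings.append((line, reason))
            continue
        m = F2_LINE.match(line)
        if m:
            extras = check_userinit(m.group(1))
            if extras:
                findings.append((line, "Userinit chains " + ", ".join(extras)))
    return findings


# Lines excerpted from the HJT log in this thread; the O4 line is included
# to show that an entry the checks do not cover is left alone.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file:\\C:\WINDOWS\system32\Searchx.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hmtwavy.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
"""

if __name__ == "__main__":
    for line, reason in triage_hjt(SAMPLE_HJT):
        print("FIX: %s\n     %s" % (line, reason))
```

Run over the sample it reports six lines: the five R0/R1 entries on findthewebsiteyouneed.com, mrfindalot.com, the Yahoo search page and the local Searchx.htm, plus the F2 line whose Userinit chains hmtwavy.exe; the two go.microsoft.com start pages and the O4 entry pass. The Userinit check is the one worth keeping beyond this thread: a program named there runs at every interactive logon before the shell, so it survives most cleanup that only looks at Run keys.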
Boot in safe mode.
Fix with HjT:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file:\\C:\WINDOWS\system32\Searchx.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hmtwavy.exe
Reboot.
Please download the Killbox.
Unzip it to the desktop
Please run Killbox.
Copy all lines below at the same time:
C:\comhost.exe
C:\defender26.exe
C:\Documents and Settings\All Users\Application Data\Pribi\v29.exe
C:\Documents and Settings\Default User\My Documents\Data\all_files3.exe
C:\Documents and Settings\Default User\My Documents\Data\all_files3b.exe
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3.exe
C:\Documents and Settings\Default User\My Documents\Data\Data\all_files3b.exe
C:\Documents and Settings\Default User\My Documents\Data\Data\MemWatcher2.exe
C:\Documents and Settings\Default User\My Documents\Data\popinstlite.exe
C:\Documents and Settings\Nichole.KIDSMACHINE\ezStub\ezStub.exe
C:\msdos.pif
C:\Program Files\Norton AntiVirus\Quarantine\026176AA.exe
C:\svchost.exe
C:\WINDOWS\booterror.exe
C:\WINDOWS\Downloaded Program Files\ashton.inf
C:\WINDOWS\fwoeewc.exe
C:\WINDOWS\manager.exe
C:\WINDOWS\s4Setp.exe
C:\WINDOWS\sahagent-mediamotor1001.exe
C:\WINDOWS\system\IEService.exe
C:\WINDOWS\system32\removefunc.ram
C:\wmedia_bbi8015.exe
Select "Delete on Reboot" and "All Files".
Go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If you receive a message such as "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.
If your computer does not restart automatically, please restart it manually.
Rescan with Kaspersky.
Send a fresh HjT log and Kaspersky report.
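The Killbox list above was assembled by hand from the Kaspersky report. The same worklist can be derived mechanically, which matters on a report of this size because every archive or installer member gets its own line and the same on-disk file shows up many times. The script below is an added example written for this thread, not Kaspersky's or Killbox's code: it parses the report lines, collapses archive members to the file that actually sits on disk, and sorts each file into a bucket that calls for a different action. The location rules (System Volume Information, Quarantine, !KillBox) and the decision to keep "not-a-virus:" hits in a separate bucket are the example's own assumptions; the sample input is excerpted from the two reports in this thread.

```python
"""Turn a Kaspersky on-line scanner report into a deletion worklist.

Added example written for this thread; it is not Kaspersky's or Killbox's
code.  Every report line is "<object> <verdict> skipped".  An object found
inside an archive or installer is written as <file on disk>/<member>/...,
so one file on disk usually produces several lines.  The script collapses
the lines to unique on-disk paths and sorts each path into a bucket that
calls for a different action.
"""
import re
from collections import defaultdict

# "<obj> Infected: <name> skipped"  or  "<obj> <Packer>: infected - <n> skipped"
LINE = re.compile(
    r"^(?P<obj>.+?) "
    r"(?:Infected: (?P<verdict>\S+)|(?P<container>\S+): infected - (?P<count>\d+)) "
    r"skipped$"
)

# ASSUMPTION: these location rules are the example's own, not scanner output.
SPECIAL_LOCATIONS = (
    ("\\System Volume Information\\", "restore_point"),  # clear via System Restore
    ("\\Quarantine\\", "quarantine"),                     # empty from the owning AV
    ("\\!KillBox\\", "killbox_backup"),                   # Killbox's copy of a deleted file
)


def on_disk_path(obj):
    """Drop archive-member components; a Windows path never contains '/'."""
    return obj.split("/", 1)[0]


def classify(path, verdicts):
    """Bucket name for one on-disk path given every verdict reported for it."""
    lowered = path.lower()
    for needle, bucket in SPECIAL_LOCATIONS:
        if needle.lower() in lowered:
            return bucket
    if verdicts and all(v.startswith("not-a-virus:") for v in verdicts):
        return "live_riskware"      # adware / remote-admin tools: human decision
    return "live_malware"           # includes paths seen only on a summary line


def triage_report(report):
    """Return {bucket: {on-disk path: sorted verdict names}}."""
    verdicts = defaultdict(set)
    for raw in report.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue                # header and statistics lines name no object
        path = on_disk_path(m.group("obj"))
        verdicts[path]              # register the path even on a summary line
        if m.group("verdict"):
            verdicts[path].add(m.group("verdict"))
    buckets = defaultdict(dict)
    for path, names in verdicts.items():
        buckets[classify(path, names)][path] = sorted(names)
    return buckets


def killbox_list(report):
    """The lines to paste into Killbox: live malware, one on-disk path each."""
    return sorted(triage_report(report)["live_malware"])


# Lines excerpted from the first report and the rescan in this thread, plus
# the column header to show that it is ignored.
SAMPLE_REPORT = r"""
Infected Object Name Virus Name Last Action
C:\comhost.exe/data.rar/manager.exe/BAT Infected: Trojan.BAT.KillAV.cr skipped
C:\comhost.exe/data.rar Infected: Trojan-Downloader.Win32.Adload.bo skipped
C:\comhost.exe RarSFX: infected - 6 skipped
C:\Documents and Settings\All Users\Application Data\Pribi\v29.exe Infected: Trojan-Dropper.Win32.VB.cd skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\popinstlite.exe Infected: Trojan-Downloader.Win32.Poplite.a skipped
C:\Documents and Settings\Default User\My Documents\Data\MemWatcher2.exe/data0004 Infected: Backdoor.Win32.VB.nb skipped
C:\Documents and Settings\Default User\My Documents\Data\MemWatcher2.exe NSIS: infected - 2 skipped
C:\Program Files\Norton AntiVirus\Quarantine\026176AA.exe Infected: Trojan-Downloader.Win32.Keenval skipped
C:\WINDOWS\manager.exe/BAT Infected: Trojan.BAT.KillAV.cr skipped
C:\WINDOWS\manager.exe PE_Patch.PECompact: infected - 1 skipped
G:\TempPrograms\VNC\vnc-3.3.6-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
G:\TempPrograms\VNC\vnc-3.3.6-x86_win32.exe Inno: infected - 1 skipped
C:\!KillBox\comhost.exe RarSFX: infected - 6 skipped
C:\System Volume Information\_restore{7AB47C38-FC36-4FA7-8DF1-B7D2BFEBB8B7}\RP1\A0000008.exe Infected: Trojan-Clicker.Win32.VB.ly skipped
"""

if __name__ == "__main__":
    for bucket, paths in sorted(triage_report(SAMPLE_REPORT).items()):
        print(bucket)
        for path in sorted(paths):
            print("   ", path, paths[path])
```

Applied to the full first report above, the live_malware and live_riskware buckets together cover every entry of the hand-written Killbox list except the Norton quarantine file, which lands in the quarantine bucket, and they add three paths the list does not have: `...\Data\Data\popinstlite.exe`, `...\Data\MemWatcher2.exe` and the VNC installer on G:. The first two are exactly the files the rescan below still reports, which is the kind of miss a mechanical dedup prevents; the VNC installer is a riskware judgement call that the helper left alone. The rescan's hits under `C:\!KillBox\` and `C:\System Volume Information\` are the moved copies and restore-point snapshots of what was just deleted, not a reinfection, and the buckets keep them out of the paste list.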
Total number of scanned objects 55178
Number of viruses found 30
Number of infected objects 136
Number of suspicious objects 0
Duration of the scan process 04:27:34
Infected Object Name Virus Name Last Action
C:\!KillBox\026176AA.exe Infected: Trojan-Downloader.Win32.Keenval skipped
C:\!KillBox\all_files3.exe/data0002/data299033.zip/Setup.exe Infected: not-a-virus:AdWare.Win32.IEDriver.b skipped
C:\!KillBox\all_files3.exe/data0002/data299033.zip/Files/3.exe Infected: not-a-virus:AdWare.Win32.IEDriver.b skipped
C:\!KillBox\all_files3.exe/data0002/data299033.zip/Files/5.exe Infected: not-a-virus:AdWare.Win32.IEDriver.b skipped
C:\!KillBox\all_files3.exe/data0002/data299033.zip/Files/IEDRIVER.EXE Infected: Trojan-Downloader.Win32.Turown.h skipped
C:\!KillBox\all_files3.exe/data0002/data299033.zip/Files/ieupdate.exe Infected: Trojan-Downloader.Win32.Turown.b skipped
C:\!KillBox\all_files3.exe/data0002/data299033.zip/Files/td.exe Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\!KillBox\all_files3.exe/data0002/data299033.zip Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\!KillBox\all_files3.exe/data0002 Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\!KillBox\all_files3.exe/data0003/data0003 Infected: not-a-virus:AdWare.Win32.Connector skipped
C:\!KillBox\all_files3.exe/data0003/data0004 Infected: not-a-virus:AdWare.Win32.Connector skipped
C:\!KillBox\all_files3.exe/data0003 Infected: not-a-virus:AdWare.Win32.Connector skipped
C:\!KillBox\all_files3.exe/data0004 Infected: Trojan-Downloader.Win32.Agent.ec skipped
C:\!KillBox\all_files3.exe/data0005/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.t skipped
C:\!KillBox\all_files3.exe/data0005/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped
C:\!KillBox\all_files3.exe/data0005/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped
C:\!KillBox\all_files3.exe/data0005/data0002.cab/Sync.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\!KillBox\all_files3.exe/data0005/data0002.cab/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\!KillBox\all_files3.exe/data0005/data0002.cab Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\!KillBox\all_files3.exe/data0005 Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\!KillBox\all_files3.exe/data0006 Infected: not-a-virus:AdWare.Win32.EZula skipped
C:\!KillBox\all_files3.exe NSIS: infected - 20 skipped
C:\!KillBox\all_files3.exe( 2)/data0002/data299033.zip/Setup.exe Infected: not-a-virus:AdWare.Win32.IEDriver.b skipped
C:\!KillBox\all_files3.exe( 2)/data0002/data299033.zip/Files/3.exe Infected: not-a-virus:AdWare.Win32.IEDriver.b skipped
C:\!KillBox\all_files3.exe( 2)/data0002/data299033.zip/Files/5.exe Infected: not-a-virus:AdWare.Win32.IEDriver.b skipped
C:\!KillBox\all_files3.exe( 2)/data0002/data299033.zip/Files/IEDRIVER.EXE Infected: Trojan-Downloader.Win32.Turown.h skipped
C:\!KillBox\all_files3.exe( 2)/data0002/data299033.zip/Files/ieupdate.exe Infected: Trojan-Downloader.Win32.Turown.b skipped
C:\!KillBox\all_files3.exe( 2)/data0002/data299033.zip/Files/td.exe Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\!KillBox\all_files3.exe( 2)/data0002/data299033.zip Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\!KillBox\all_files3.exe( 2)/data0002 Infected: Trojan-Downloader.Win32.Turown.a skipped
C:\!KillBox\all_files3.exe( 2)/data0003/data0003 Infected: not-a-virus:AdWare.Win32.Connector skipped
C:\!KillBox\all_files3.exe( 2)/data0003/data0004 Infected: not-a-virus:AdWare.Win32.Connector skipped
C:\!KillBox\all_files3.exe( 2)/data0003 Infected: not-a-virus:AdWare.Win32.Connector skipped
C:\!KillBox\all_files3.exe( 2)/data0004 Infected: Trojan-Downloader.Win32.Agent.ec skipped
C:\!KillBox\all_files3.exe( 2)/data0005/data0001.cab/Save.exe Infected: not-a-virus:AdWare.Win32.SaveNow.t skipped
C:\!KillBox\all_files3.exe( 2)/data0005/data0001.cab/SaveUninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped
C:\!KillBox\all_files3.exe( 2)/data0005/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.af skipped
C:\!KillBox\all_files3.exe( 2)/data0005/data0002.cab/Sync.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\!KillBox\all_files3.exe( 2)/data0005/data0002.cab/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\!KillBox\all_files3.exe( 2)/data0005/data0002.cab Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\!KillBox\all_files3.exe( 2)/data0005 Infected: not-a-virus:AdWare.Win32.SaveNow.v skipped
C:\!KillBox\all_files3.exe( 2)/data0006 Infected: not-a-virus:AdWare.Win32.EZula skipped
C:\!KillBox\all_files3.exe( 2) NSIS: infected - 20 skipped
C:\!KillBox\all_files3b.exe/data0002 Infected: not-a-virus:AdWare.Win32.180Solutions skipped
C:\!KillBox\all_files3b.exe/data0003/data0002 Infected: Trojan-Downloader.Win32.Keenval.b skipped
C:\!KillBox\all_files3b.exe/data0003/data0003/data0002 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\!KillBox\all_files3b.exe/data0003/data0003/data0005 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\!KillBox\all_files3b.exe/data0003/data0003/data0006 Infected: not-a-virus:AdWare.Win32.Perfnav.d skipped
C:\!KillBox\all_files3b.exe/data0003/data0003 Infected: not-a-virus:AdWare.Win32.Perfnav.d skipped
C:\!KillBox\all_files3b.exe/data0003 Infected: not-a-virus:AdWare.Win32.Perfnav.d skipped
C:\!KillBox\all_files3b.exe/data0014/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\!KillBox\all_files3b.exe/data0014/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\!KillBox\all_files3b.exe/data0014 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\!KillBox\all_files3b.exe NSIS: infected - 10 skipped
C:\!KillBox\all_files3b.exe( 1)/data0002 Infected: not-a-virus:AdWare.Win32.180Solutions skipped
C:\!KillBox\all_files3b.exe( 1)/data0003/data0002 Infected: Trojan-Downloader.Win32.Keenval.b skipped
C:\!KillBox\all_files3b.exe( 1)/data0003/data0003/data0002 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\!KillBox\all_files3b.exe( 1)/data0003/data0003/data0005 Infected: Trojan-Downloader.Win32.Keenval skipped
C:\!KillBox\all_files3b.exe( 1)/data0003/data0003/data0006 Infected: not-a-virus:AdWare.Win32.Perfnav.d skipped
C:\!KillBox\all_files3b.exe( 1)/data0003/data0003 Infected: not-a-virus:AdWare.Win32.Perfnav.d skipped
C:\!KillBox\all_files3b.exe( 1)/data0003 Infected: not-a-virus:AdWare.Win32.Perfnav.d skipped
C:\!KillBox\all_files3b.exe( 1)/data0014/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\!KillBox\all_files3b.exe( 1)/data0014/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\!KillBox\all_files3b.exe( 1)/data0014 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\!KillBox\all_files3b.exe( 1) NSIS: infected - 10 skipped
C:\!KillBox\ashton.inf Infected: not-a-virus:AdWare.Win32.BetterInternet.as skipped
C:\!KillBox\booterror.exe Infected: Trojan-Downloader.Win32.Adload.bo skipped
C:\!KillBox\comhost.exe/data.rar/manager.exe/BAT Infected: Trojan.BAT.KillAV.cr skipped
C:\!KillBox\comhost.exe/data.rar/manager.exe Infected: Trojan.BAT.KillAV.cr skipped
C:\!KillBox\comhost.exe/data.rar/mc-110-12-0000488.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\!KillBox\comhost.exe/data.rar/mc-110-12-0000488.exe Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\!KillBox\comhost.exe/data.rar/booterror.exe Infected: Trojan-Downloader.Win32.Adload.bo skipped
C:\!KillBox\comhost.exe/data.rar Infected: Trojan-Downloader.Win32.Adload.bo skipped
C:\!KillBox\comhost.exe RarSFX: infected - 6 skipped
C:\!KillBox\defender26.exe Infected: Trojan-Clicker.Win32.VB.ly skipped
C:\!KillBox\ezStub.exe Infected: not-a-virus:AdWare.Win32.EZula.z skipped
C:\!KillBox\fwoeewc.exe Infected: Trojan-Clicker.Win32.VB.el skipped
C:\!KillBox\IEService.exe Infected: not-a-virus:AdWare.Win32.FastFind.b skipped
C:\!KillBox\manager.exe/BAT Infected: Trojan.BAT.KillAV.cr skipped
C:\!KillBox\manager.exe QuickBatch: infected - 1 skipped
C:\!KillBox\manager.exe PECompact: infected - 1 skipped
C:\!KillBox\manager.exe PecBundle: infected - 1 skipped
C:\!KillBox\manager.exe PE_Patch.PECompact: infected - 1 skipped
C:\!KillBox\MemWatcher2.exe/data0004 Infected: Backdoor.Win32.VB.nb skipped
C:\!KillBox\MemWatcher2.exe/data0006 Infected: Backdoor.Win32.VB.nb skipped
C:\!KillBox\MemWatcher2.exe NSIS: infected - 2 skipped
C:\!KillBox\msdos.pif Infected: Trojan-Downloader.Win32.Adload.bo skipped
C:\!KillBox\popinstlite.exe Infected: Trojan-Downloader.Win32.Poplite.a skipped
C:\!KillBox\removefunc.ram/data.rar/mc-110-12-0000515.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\!KillBox\removefunc.ram/data.rar/mc-110-12-0000515.exe Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\!KillBox\removefunc.ram/data.rar/manager.exe/BAT Infected: Trojan.BAT.KillAV.cr skipped
C:\!KillBox\removefunc.ram/data.rar/manager.exe Infected: Trojan.BAT.KillAV.cr skipped
C:\!KillBox\removefunc.ram/data.rar Infected: Trojan.BAT.KillAV.cr skipped
C:\!KillBox\removefunc.ram RarSFX: infected - 5 skipped
C:\!KillBox\s4Setp.exe Infected: not-a-virus:AdWare.Win32.FunWeb.e skipped
C:\!KillBox\sahagent-mediamotor1001.exe/data0002 Infected: not-a-virus:AdWare.Win32.Sahat.a skipped
C:\!KillBox\sahagent-mediamotor1001.exe NSIS: infected - 1 skipped
C:\!KillBox\svchost.exe Infected: Trojan-Downloader.Win32.Adload.bo skipped
C:\!KillBox\v29.exe Infected: Trojan-Dropper.Win32.VB.cd skipped
C:\!KillBox\wmedia_bbi8015.exe/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\!KillBox\wmedia_bbi8015.exe/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\!KillBox\wmedia_bbi8015.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Default User\My Documents\Data\Data\popinstlite.exe Infected: Trojan-Downloader.Win32.Poplite.a skipped
C:\Documents and Settings\Default User\My Documents\Data\MemWatcher2.exe/data0004 Infected: Backdoor.Win32.VB.nb skipped
C:\Documents and Settings\Default User\My Documents\Data\MemWatcher2.exe/data0006 Infected: Backdoor.Win32.VB.nb skipped
C:\Documents and Settings\Default User\My Documents\Data\MemWatcher2.exe NSIS: infected - 2 skipped
C:\Documents and Settings\Ken Pope\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\5651DF71-01D3-4AC9-AAEC-0D37B2\30B70DCD-F5A5-4A49-8CA5-5EBA5E Infected: not-a-virus:AdWare.Win32.UrlSpy.a skipped
C:\System Volume Information\_restore{7AB47C38-FC36-4FA7-8DF1-B7D2BFEBB8B7}\RP1\A0000007.exe/data.rar/manager.exe/BAT Infected: Trojan.BAT.KillAV.cr skipped
C:\System Volume Information\_restore{7AB47C38-FC36-4FA7-8DF1-B7D2BFEBB8B7}\RP1\A0000007.exe/data.rar/manager.exe Infected: Trojan.BAT.KillAV.cr skipped
C:\System Volume Information\_restore{7AB47C38-FC36-4FA7-8DF1-B7D2BFEBB8B7}\RP1\A0000007.exe/data.rar/mc-110-12-0000488.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\System Volume Information\_restore{7AB47C38-FC36-4FA7-8DF1-B7D2BFEBB8B7}\RP1\A0000007.exe/data.rar/mc-110-12-0000488.exe Infected: Trojan-Downloader.NSIS.Agent.u skipped
C:\System Volume Information\_restore{7AB47C38-FC36-4FA7-8DF1-B7D2BFEBB8B7}\RP1\A0000007.exe/data.rar/booterror.exe Infected: Trojan-Downloader.Win32.Adload.bo skipped
C:\System Volume Information\_restore{7AB47C38-FC36-4FA7-8DF1-B7D2BFEBB8B7}\RP1\A0000007.exe/data.rar Infected: Trojan-Downloader.Win32.Adload.bo skipped
C:\System Volume Information\_restore{7AB47C38-FC36-4FA7-8DF1-B7D2BFEBB8B7}\RP1\A0000007.exe RarSFX: infected - 6 skipped
C:\System Volume Information\_restore{7AB47C38-FC36-4FA7-8DF1-B7D2BFEBB8B7}\RP1\A0000008.exe Infected: Trojan-Clicker.Win32.VB.ly skipped
C:\System Volume Information\_restore{7AB47C38-FC36-4FA7-8DF1-B7D2BFEBB8B7}\RP1\A0000009.exe Infected: Trojan-Dropper.Win32.VB.cd skipped
C:\System Volume Information\_restore{7AB47C38-FC36-4FA7-8DF1-B7D2BFEBB8B7}\RP1\A0000010.exe Infected: not-a-virus:AdWare.Win32.EZula.z skipped
C:\System Volume Information\_restore{7AB47C38-FC36-4FA7-8DF1-B7D2BFEBB8B7}\RP1\A0000011.pif Infected: Trojan-Downloader.Win32.Adload.bo skipped
C:\System Volume Information\_restore{7AB47C38-FC36-4FA7-8DF1-B7D2BFEBB8B7}\RP1\A0000012.exe Infected: Trojan-Downloader.Win32.Keenval skipped
C:\System Volume Information\_restore{7AB47C38-FC36-4FA7-8DF1-B7D2BFEBB8B7}\RP1\A0000013.exe Infected: Trojan-Downloader.Win32.Adload.bo skipped
C:\System Volume Information\_restore{7AB47C38-FC36-4FA7-8DF1-B7D2BFEBB8B7}\RP1\A0000014.exe Infected: Trojan-Downloader.Win32.Adload.bo skipped
C:\System Volume Information\_restore{7AB47C38-FC36-4FA7-8DF1-B7D2BFEBB8B7}\RP1\A0000015.exe Infected: Trojan-Clicker.Win32.VB.el skipped
C:\System Volume Information\_restore{7AB47C38-FC36-4FA7-8DF1-B7D2BFEBB8B7}\RP1\A0000016.exe/BAT Infected: Trojan.BAT.KillAV.cr skipped
C:\System Volume Information\_restore{7AB47C38-FC36-4FA7-8DF1-B7D2BFEBB8B7}\RP1\A0000016.exe QuickBatch: infected - 1 skipped
C:\System Volume Information\_restore{7AB47C38-FC36-4FA7-8DF1-B7D2BFEBB8B7}\RP1\A0000016.exe PECompact: infected - 1 skipped
C:\System Volume Information\_restore{7AB47C38-FC36-4FA7-8DF1-B7D2BFEBB8B7}\RP1\A0000016.exe PecBundle: infected - 1 skipped
C:\System Volume Information\_restore{7AB47C38-FC36-4FA7-8DF1-B7D2BFEBB8B7}\RP1\A0000016.exe PE_Patch.PECompact: infected - 1 skipped
C:\System Volume Information\_restore{7AB47C38-FC36-4FA7-8DF1-B7D2BFEBB8B7}\RP1\A0000017.exe Infected: not-a-virus:AdWare.Win32.FunWeb.e skipped
C:\System Volume Information\_restore{7AB47C38-FC36-4FA7-8DF1-B7D2BFEBB8B7}\RP1\A0000018.exe/data0002 Infected: not-a-virus:AdWare.Win32.Sahat.a skipped
C:\System Volume Information\_restore{7AB47C38-FC36-4FA7-8DF1-B7D2BFEBB8B7}\RP1\A0000018.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{7AB47C38-FC36-4FA7-8DF1-B7D2BFEBB8B7}\RP1\A0000019.exe Infected: not-a-virus:AdWare.Win32.FastFind.b skipped
C:\System Volume Information\_restore{7AB47C38-FC36-4FA7-8DF1-B7D2BFEBB8B7}\RP1\A0000020.exe/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\System Volume Information\_restore{7AB47C38-FC36-4FA7-8DF1-B7D2BFEBB8B7}\RP1\A0000020.exe/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\System Volume Information\_restore{7AB47C38-FC36-4FA7-8DF1-B7D2BFEBB8B7}\RP1\A0000020.exe NSIS: infected - 2 skipped
G:\TempPrograms\VNC\vnc-3.3.6-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
G:\TempPrograms\VNC\vnc-3.3.6-x86_win32.exe Inno: infected - 1 skipped
Scan process completed.
Scan saved at 8:55:05 PM, on 6/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
G:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file:\\C:\WINDOWS\system32\Searchx.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hmtwavy.exe
O4 - HKLM\..\Run: [SunServer] G:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.beqanna.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A96170D4-BFAA-4F6F-871F-B562EEDA8061}: NameServer = 63.245.131.21 63.245.131.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3A3602C-CE7E-4E8A-AED4-68B33B0754AB}: NameServer = 151.164.172.201
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
It doesn't look like Killbox is destroying any of the things that it's supposed to, or they're coming back on reboot. I dunno.
Let's try this next.
Disable CounterSpy by doing this (important!!! You must do this. Those entries won't go away if you don't do this.)
1. Right-click the running icon of CounterSpy in the system tray.
2. With your mouse, hover over Active Protection Status (This should be enabled).
3. A menu will slide out and then you need to right-click on "Disable Active Protection".
After that, open hijackthis, click do a system scan only and checkmark these:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file:\\C:\WINDOWS\system32\Searchx.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hmtwavy.exe
Close all windows, including Internet Explorer or Mozilla Firefox and press fix checked.
Boot in safe mode:
Delete these:
C:\Documents and Settings\Default User\My Documents\Data\Data\popinstlite.exe
C:\Documents and Settings\Default User\My Documents\Data\MemWatcher2.exe
Empty this folder (don't delete it!)
C:\!KillBox
Empty Recycle Bin.
Reboot
Rescan with Kaspersky
Send a fresh HJT log and Kaspersky report.
Total number of scanned objects 55116
Number of viruses found 2
Number of infected objects 3
Number of suspicious objects 0
Duration of the scan process 02:54:34
Infected Object Name Virus Name Last Action
C:\Documents and Settings\Ken Pope\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\5651DF71-01D3-4AC9-AAEC-0D37B2\30B70DCD-F5A5-4A49-8CA5-5EBA5E Infected: not-a-virus:AdWare.Win32.UrlSpy.a skipped
G:\TempPrograms\VNC\vnc-3.3.6-x86_win32.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.c skipped
G:\TempPrograms\VNC\vnc-3.3.6-x86_win32.exe Inno: infected - 1 skipped
Scan process completed.
Now it's truly starting to look better.
Scan saved at 6:06:17 AM, on 6/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\devldr32.exe
G:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file:\\C:\WINDOWS\system32\Searchx.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp_wave/defaults/sp/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hmtwavy.exe
O4 - HKLM\..\Run: [SunServer] G:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.beqanna.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{A96170D4-BFAA-4F6F-871F-B562EEDA8061}: NameServer = 63.245.131.21 63.245.131.22
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3A3602C-CE7E-4E8A-AED4-68B33B0754AB}: NameServer = 151.164.172.201
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
Download F-Secure Blacklight and save it to your desktop -> http://www.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe, accept the agreement, click Scan, then click Next
You'll see a list of what has been found. A log will appear on your desktop, it is named fsbl.xxxxxxx.log (xxxxxxx will be random numbers).
DON'T choose Rename if something was found!
Post the contents of fsbl.xxxx.log here (xxxx = random numbers, blacklight log from your desktop)
Download WinPFind.zip and extract it to your C:\ folder. This will create a folder called WinPFind in the C:\ folder. Inside c:\WinPFind is a file called WinPFind.exe. Double-click on this file to launch the program. Once it is launched, click on the Start Scan button and wait for it to finish. This program will scan large amounts of files on your computer for known patterns so please be patient while it works as it can take a while, upwards of 30 minutes or more.
When it is done, it will show the results of the scan. Click on the Copy to Clipboard button and then paste the contents of the log in your clipboard as a reply to where you are receiving help.
Send:
- blacklight log
- winpfind log
If you see a message in the titlebar saying "Not responding..." you can ignore it. Windows sometimes displays this message due to the high volume of disk I/O. As long as the hard disk light is flashing, the program is still working properly.
»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Product Name: Microsoft Windows XP Current Build: Service Pack 2 Current Build Number: 2600
Internet Explorer Version: 6.0.2900.2180
»»»»»»»»»»»»»»»»» Checking Selected Standard Folders »»»»»»»»»»»»»»»»»»»»
Checking %SystemDrive% folder...
PTech 6/4/2004 10:37:00 AM H 2827853 C:\kyf.dat
Checking %ProgramFilesDir% folder...
Checking %WinDir% folder...
Checking %System% folder...
PEC2 8/23/2001 7:00:00 AM 41397 C:\WINDOWS\SYSTEM32\dfrg.msc
PTech 4/10/2006 1:00:34 PM 555824 C:\WINDOWS\SYSTEM32\LegitCheckControl.dll
PECompact2 5/3/2006 11:26:22 PM 5818784 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 5/3/2006 11:26:22 PM 5818784 C:\WINDOWS\SYSTEM32\MRT.exe
aspack 8/4/2004 2:56:36 AM 708096 C:\WINDOWS\SYSTEM32\ntdll.dll
Umonitor 8/4/2004 2:56:44 AM 657920 C:\WINDOWS\SYSTEM32\rasdlg.dll
aspack 1/16/2003 1:59:12 AM 833692 C:\WINDOWS\SYSTEM32\Shine.scr
winsync 8/23/2001 7:00:00 AM 1309184 C:\WINDOWS\SYSTEM32\wbdbase.deu
aspack 10/21/2003 3:58:58 PM 904968 C:\WINDOWS\SYSTEM32\zodiac.scr
Checking %System%\Drivers folder and sub-folders...
PTech 8/4/2004 12:41:38 AM 1309184 C:\WINDOWS\SYSTEM32\drivers\mtlstrm.sys
Items found in C:\WINDOWS\SYSTEM32\drivers\etc\hosts
Checking the Windows folder and sub-folders for system and hidden files within the last 60 days...
6/16/2006 2:53:10 AM S 2048 C:\WINDOWS\bootstat.dat
6/16/2006 4:27:40 PM H 1024 C:\WINDOWS\system32\config\default.LOG
6/16/2006 2:53:26 AM H 1024 C:\WINDOWS\system32\config\SAM.LOG
6/16/2006 4:31:00 PM H 1024 C:\WINDOWS\system32\config\SECURITY.LOG
6/16/2006 5:15:44 PM H 1024 C:\WINDOWS\system32\config\software.LOG
6/16/2006 5:15:00 PM H 1024 C:\WINDOWS\system32\config\system.LOG
6/16/2006 2:04:00 AM H 1024 C:\WINDOWS\system32\config\systemprofile\ntuser.dat.LOG
6/3/2006 1:48:38 AM S 25075 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\486CC6AFD08942336C61FCD401C4A1D1
6/3/2006 1:48:22 AM S 408 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\74BFD122C0875EC75DBE5C6DB4C59019
6/3/2006 2:35:34 AM S 1219 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\7735880A01E3F94F763761958A7A8191
6/2/2006 10:32:22 PM S 7652 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\Content\E891C648621A40AC7F773694A17FE76C
6/3/2006 1:48:38 AM S 120 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\486CC6AFD08942336C61FCD401C4A1D1
6/3/2006 1:48:22 AM S 124 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\74BFD122C0875EC75DBE5C6DB4C59019
6/3/2006 2:35:34 AM S 132 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\7735880A01E3F94F763761958A7A8191
6/2/2006 10:32:22 PM S 134 C:\WINDOWS\system32\config\systemprofile\Application Data\Microsoft\CryptnetUrlCache\MetaData\E891C648621A40AC7F773694A17FE76C
5/3/2006 6:31:14 PM HS 388 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\a8fe7b4a-171c-4f4d-91a2-d1a4c3075884
5/3/2006 6:31:14 PM HS 24 C:\WINDOWS\system32\Microsoft\Protect\S-1-5-18\Preferred
6/16/2006 2:56:36 AM H 330 C:\WINDOWS\Tasks\MP Scheduled Scan.job
6/16/2006 2:53:22 AM H 6 C:\WINDOWS\Tasks\SA.DAT
6/3/2006 1:14:10 AM HS 113 C:\WINDOWS\Temp\History\History.IE5\desktop.ini
6/11/2006 1:30:42 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\desktop.ini
6/11/2006 1:30:42 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\0D1L02G7\desktop.ini
6/11/2006 1:30:42 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\APWZM1FI\desktop.ini
6/11/2006 1:30:42 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\CKE7KO9H\desktop.ini
6/11/2006 1:30:42 AM HS 67 C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\R7XPIF6Z\desktop.ini
Checking for CPL files...
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\access.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 549888 C:\WINDOWS\SYSTEM32\appwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 110592 C:\WINDOWS\SYSTEM32\bthprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 135168 C:\WINDOWS\SYSTEM32\desk.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 80384 C:\WINDOWS\SYSTEM32\firewall.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 155136 C:\WINDOWS\SYSTEM32\hdwwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 358400 C:\WINDOWS\SYSTEM32\inetcpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 129536 C:\WINDOWS\SYSTEM32\intl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 380416 C:\WINDOWS\SYSTEM32\irprops.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 68608 C:\WINDOWS\SYSTEM32\joy.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\main.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 618496 C:\WINDOWS\SYSTEM32\mmsys.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\ncpa.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 25600 C:\WINDOWS\SYSTEM32\netsetup.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\nusrmgr.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 36864 C:\WINDOWS\SYSTEM32\nwc.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 32768 C:\WINDOWS\SYSTEM32\odbccp32.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 114688 C:\WINDOWS\SYSTEM32\powercfg.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 298496 C:\WINDOWS\SYSTEM32\sysdm.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\telephon.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 94208 C:\WINDOWS\SYSTEM32\timedate.cpl
Microsoft Corporation 1/17/2003 12:04:58 AM 106544 C:\WINDOWS\SYSTEM32\TWEAKUI.CPL
Microsoft Corporation 8/4/2004 2:56:58 AM 148480 C:\WINDOWS\SYSTEM32\wscui.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\wuaucpl.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 80384 C:\WINDOWS\SYSTEM32\dllcache\firewall.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 155136 C:\WINDOWS\SYSTEM32\dllcache\hdwwiz.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 129536 C:\WINDOWS\SYSTEM32\dllcache\intl.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 187904 C:\WINDOWS\SYSTEM32\dllcache\main.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 35840 C:\WINDOWS\SYSTEM32\dllcache\ncpa.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 257024 C:\WINDOWS\SYSTEM32\dllcache\nusrmgr.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 36864 C:\WINDOWS\SYSTEM32\dllcache\nwc.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 32768 C:\WINDOWS\SYSTEM32\dllcache\odbccp32.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 114688 C:\WINDOWS\SYSTEM32\dllcache\powercfg.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 298496 C:\WINDOWS\SYSTEM32\dllcache\sysdm.cpl
Microsoft Corporation 8/23/2001 7:00:00 AM 28160 C:\WINDOWS\SYSTEM32\dllcache\telephon.cpl
Microsoft Corporation 8/4/2004 2:56:58 AM 94208 C:\WINDOWS\SYSTEM32\dllcache\timedate.cpl
Microsoft Corporation 5/26/2005 4:16:30 AM 174360 C:\WINDOWS\SYSTEM32\dllcache\wuaucpl.cpl
»»»»»»»»»»»»»»»»» Checking Selected Startup Folders »»»»»»»»»»»»»»»»»»»»»
Checking files in %ALLUSERSPROFILE%\Startup folder...
11/17/2002 4:56:50 PM HS 84 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\desktop.ini
Checking files in %ALLUSERSPROFILE%\Application Data folder...
11/17/2002 4:39:04 PM HS 62 C:\Documents and Settings\All Users\Application Data\desktop.ini
Checking files in %USERPROFILE%\Startup folder...
2/23/2002 12:00:36 AM HS 84 C:\Documents and Settings\Nichole.KIDSMACHINE\Start Menu\Programs\Startup\desktop.ini
Checking files in %USERPROFILE%\Application Data folder...
2/22/2002 5:37:42 PM HS 62 C:\Documents and Settings\Nichole.KIDSMACHINE\Application Data\desktop.ini
PTech 5/20/2005 3:18:34 PM H 57923 C:\Documents and Settings\Nichole.KIDSMACHINE\Application Data\ptads.bin
»»»»»»»»»»»»»»»»» Checking Selected Registry Keys »»»»»»»»»»»»»»»»»»»»»»»
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
sv1 =
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
[HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers]
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\IMMenuShellExt
{F8984111-38B6-11D5-8725-0050DA2761C4} = C:\Program Files\IncrediMail\bin\IMShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With
{09799AFB-AD67-11d1-ABCD-00C04FC30936} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Open With EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
HKEY_CLASSES_ROOT\*\shellex\ContextMenuHandlers\{a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
Start Menu Pin = %SystemRoot%\system32\SHELL32.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Symantec.Norton.Antivirus.IEContextMenu
{5345A4D5-41EB-4A2F-9616-CE1D4F6C35B2} = C:\Program Files\Norton AntiVirus\NavShExt.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\EncryptionMenu
{A470F8CF-A1E8-4f65-8335-227475AA5C46} = %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Offline Files
{750fdf0e-2a26-11d1-a3ea-080036587f03} = %SystemRoot%\System32\cscui.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Sharing
{f81e9010-6ea4-11ce-a7ff-00aa003ca9f6} = ntshrui.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers]
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{0D2E74C4-3C34-11d2-A27E-00C04FC30871}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F01-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{24F14F02-7B1C-11d1-838f-0000F80461CF}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{66742402-F9B9-11D1-A202-0000F81FEDEE}
= %SystemRoot%\system32\SHELL32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Folder\shellex\ColumnHandlers\{CE3A44D8-BC88-4D62-A890-42D96245F8D6}
=
[HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{3EA5C408-2437-4c40-ADAC-DFDA9AEEEA96}
eZ$hopper SideBar = SHDOCVW.DLL
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{4D5C8C25-D075-11d0-B416-00C04FB90376}
&Tip of the Day = %SystemRoot%\System32\shdocvw.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{FB5F1910-F110-11d2-BB9E-00C04F795683}
ButtonText = Messenger : C:\Program Files\Messenger\MSMSGS.EXE
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{30D02401-6A81-11D0-8274-00C04FD5AE38}
Search Band = %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{4528BBE0-4E08-11D5-AD55-00010333D0AD}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{90C61707-C8F8-43DB-A25C-C1F4B18EE41E}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{C4EE31F3-4768-11D2-BE5C-00A0C9A83DA1}
File Search Explorer Band = %SystemRoot%\system32\SHELL32.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EDC4193F-34AD-4D07-AA87-E3FDB89E3E76}
=
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E61-B078-11D0-89E4-00C04FC9E26E}
Favorites Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E62-B078-11D0-89E4-00C04FC9E26E}
History Band = %SystemRoot%\System32\shdocvw.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Explorer Bars\{EFA24E64-B078-11D0-89E4-00C04FC9E26E}
Explorer Band = %SystemRoot%\System32\shdocvw.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar]
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
{645FD3BC-C314-4F7A-9D2E-64D62A0FDD78} = :
{224530A0-C9CB-4AEE-9C0F-54AC1B533211} = :
{4CC0FAF8-6048-421C-9FE2-261A9ECE5F80} = :
{FE6BC4EF-5676-484B-88AE-883323913256} = :
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} = MSN : C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
{CD292324-974F-4224-D074-CACA427AA030} = Neopets : C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser
{01E04581-4EEE-11D0-BFE9-00AA005B4383} = &Address : %SystemRoot%\System32\browseui.dll
{0E5CBF21-D15F-11D0-8301-00AA005B4383} = &Links : %SystemRoot%\system32\SHELL32.dll
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} = Norton AntiVirus : C:\Program Files\Norton AntiVirus\NavShExt.dll
{056AADAA-940C-4826-8FC7-2F9C36C0FD45} = :
{4E7BD74F-2B8D-469E-D3FA-F27BA787AD2D} = :
{4CC0FAF8-6048-421C-9FE2-261A9ECE5F80} = :
{014DA6C9-189F-421A-88CD-07CFE51CFF10} = :
{2D8B1A24-D404-421B-8017-62F18342034D} = SuperBar : C:\Program Files\_SUPERBAR\_SUPERBAR.dll
{FE6BC4EF-5676-484B-88AE-883323913256} = :
{CD292324-974F-4224-D074-CACA427AA030} = Neopets : C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
{EF99BD32-C1FB-11D2-892F-0090271D4F88} = Yahoo! Toolbar : C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
SunServer G:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
NAV Agent C:\PROGRA~1\NORTON~1\navapw32.exe
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]
IMAIL Installed = 1
MAPI Installed = 1
MSFS Installed = 1
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
Yahoo! Pager C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
msnmsgr "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
MSMSGS "C:\Program Files\Messenger\MSMSGS.EXE" /background
IncrediMail C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
ctfmon.exe C:\WINDOWS\system32\ctfmon.exe
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\load]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\run]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\services
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupfolder
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state
system.ini 0
win.ini 0
bootini 0
services 0
startup 0
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Attachments
ScanWithAntiVirus 2
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum
{BDEADF00-C265-11D0-BCED-00A0C90AB50F} = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} =
{0DF44EAA-FF21-4412-828E-260A8728E7F1} =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings
Key OÙŒcD·fMÁñoäõÑP
FileName0 C:\WINDOWS\System32\RSACi.rat
WarnOnOff 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default
Allow_Unknowns 0
PleaseMom 1
Enabled 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\.Default\http://www.rsac.org/ratingsv01.html
l 0
n 0
s 0
v 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ratings\PICSRules\.Default
NumSys 0
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
dontdisplaylastusername 0
legalnoticecaption
legalnoticetext
shutdownwithoutlogon 1
undockwithoutlogon 1
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer
NoDriveTypeAutoRun 145
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
PostBootReminder {7849596a-48ea-486e-8937-a2a3009f31a9} = %SystemRoot%\system32\SHELL32.dll
CDBurn {fbeb8a05-beee-4442-804e-409d6c4515e9} = %SystemRoot%\system32\SHELL32.dll
WebCheck {E6FB5E20-DE35-11CF-9C87-00AA005127ED} = %SystemRoot%\System32\webcheck.dll
SysTray {35CEC8A3-2BE6-11D2-8773-92E220524153} = C:\WINDOWS\System32\stobject.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,hmtwavy.exe
Shell = explorer.exe
System =
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
= crypt32.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
= cryptnet.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
= cscdll.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
= sclgntfy.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
= WlNotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
= wlnotify.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WB
= C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\WgaLogon
= WgaLogon.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
= wlnotify.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Your Image File Name Here without a path
Debugger = ntsd -d
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
AppInit_DLLs
»»»»»»»»»»»»»»»»»»»»»»»» Scan Complete »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
WinPFind v1.4.1 - Log file written to "WinPFind.Txt" in the WinPFind folder.
Scan completed on 6/16/2006 5:33:37 PM
06/16/06 16:37:58 [Info]: OS: 5.1 build 2600 (Service Pack 2)
06/16/06 16:37:58 [Note]: 7019 4
06/16/06 16:37:58 [Note]: 7005 0
06/16/06 16:38:07 [Note]: 7006 0
06/16/06 16:38:08 [Note]: 7011 1792
06/16/06 16:38:08 [Note]: 7026 0
06/16/06 16:38:09 [Note]: 7026 0
06/16/06 16:38:48 [Note]: FSRAW library version 1.7.1015
06/16/06 16:42:53 [Note]: 7007 0
Follow these instructions:
http://wiki.castlecops.com/Malware_Removal:_Temporarily_Disable_Real_Time_Monitoring_Programs#Windows_Defender.28Beta2.29
http://wiki.castlecops.com/Malware_Removal:_Temporarily_Disable_Real_Time_Monitoring_Programs#CounterSpy
Fix with HjT:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = file:\\C:\WINDOWS\system32\Searchx.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20065&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20065&k=
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,hmtwavy.exe
Reboot and send a fresh HjT log.
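The F2 item above corresponds to the WinPFind Winlogon section earlier in the thread, where UserInit reads `C:\WINDOWS\system32\userinit.exe,hmtwavy.exe`: anything appended after userinit.exe is started at every logon. The following is an added example (not from the thread or from any of the tools it mentions) that parses a registry export in WinPFind's `Name = value` layout and flags UserInit/Shell entries that deviate from Windows XP defaults; the sample text is constructed to mirror the log, and the default file names and System32 location are assumptions for this example.

```python
"""Flag unexpected Winlogon UserInit/Shell entries in a registry export.

Added example, not part of the thread. Uses the "Name = value" layout of the
WinPFind section above; the sample text is constructed to mirror it.
"""
from typing import Dict, List, Tuple

# Windows XP defaults (assumption for this example). The directory check
# catches a same-named binary planted outside System32.
EXPECTED_FILES = {
    "userinit": {"userinit.exe"},
    "shell": {"explorer.exe"},
    "system": set(),  # empty on a default XP install
}
ALLOWED_DIRS = {"c:\\windows\\system32", "%systemroot%\\system32", ""}

# Constructed sample modelled on the WinPFind output in the thread.
SAMPLE_WINLOGON = """\
[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon]
UserInit = C:\\WINDOWS\\system32\\userinit.exe,hmtwavy.exe
Shell = explorer.exe
System =
"""


def parse_values(text: str) -> Dict[str, str]:
    """Return {lowercased value name: raw value} from 'Name = value' lines."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("["):  # skip blanks and key headers
            continue
        name, sep, value = line.partition("=")
        if sep:
            values[name.strip().lower()] = value.strip()
    return values


def split_entries(value: str) -> List[str]:
    """UserInit/Shell hold comma-separated program lists; drop empties/quotes."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def split_path(entry: str) -> Tuple[str, str]:
    """Split 'C:\\dir\\file.exe' into ('c:\\dir', 'file.exe'), lowercased."""
    entry = entry.replace("/", "\\").lower()
    directory, sep, filename = entry.rpartition("\\")
    return (directory if sep else ""), filename


def check_winlogon(text: str) -> List[str]:
    """Return human-readable findings; an empty list means defaults only."""
    findings: List[str] = []
    values = parse_values(text)
    for name, allowed_files in EXPECTED_FILES.items():
        entries = split_entries(values.get(name, ""))
        if name == "userinit" and not entries:
            findings.append("userinit: value empty or missing")
        for entry in entries:
            directory, filename = split_path(entry)
            if filename not in allowed_files:
                findings.append(f"{name}: unexpected entry {entry!r}")
            elif directory not in ALLOWED_DIRS:
                findings.append(f"{name}: {filename} loaded from {directory!r}")
    return findings


if __name__ == "__main__":
    for finding in check_winlogon(SAMPLE_WINLOGON) or ["no findings"]:
        print(finding)
```

Run against the sample, the only finding is the extra `hmtwavy.exe` entry; the trailing-comma form of UserInit that HijackThis writes back after a fix produces none. The same check can be pointed at a `reg export` of the Winlogon key, since the `Name = value` lines are parsed the same way.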
Scan saved at 4:48:57 AM, on 6/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Stardock\Object Desktop\WindowBlinds\wbload.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\devldr32.exe
G:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\system32\ctfmon.exe
G:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
G:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Hijackthis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=about:blank
O4 - HKLM\..\Run: [SunServer] G:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [IncrediMail] C:\PROGRA~1\INCRED~1\bin\IncMail.exe /c
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Add animation to IncrediMail Style Box - C:\PROGRA~1\INCRED~1\bin\resources\WebMenuImg.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O15 - Trusted Zone: http://www.beqanna.com
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1754A1BA-A1DF-4F10-B199-AA55AA1A120F} (InstallerBehaviorFactory Class) - https://signup.msn.com/pages/MsnInstC.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E6187999-9FEC-46A1-A20F-F4CA977D5643} (ZoneChess Object) - http://messenger.zone.msn.com/binary/Chess.cab31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{D3A3602C-CE7E-4E8A-AED4-68B33B0754AB}: NameServer = 151.164.172.201
O20 - Winlogon Notify: WB - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\Documents and Settings\Ken Pope\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine
Also delete this, if you haven't installed WinVNC yourself:
G:\TempPrograms\VNC
Otherwise looking good
Still problems?
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
You can find instructions on how to enable and reenable system restore here:
Managing Windows Millennium System Restore
or
Windows XP System Restore Guide
Reenable system restore with instructions from tutorial above
See this link for a listing of some online and stand-alone antivirus programs:
Virus, Spyware, and Malware Protection and Removal Resources
- Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
- Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
- Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
- Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.
- Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
- Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.
- Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically. For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls
A tutorial on installing & using this product can be found here:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer
This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis, just as you would with antivirus software. A tutorial on installing & using this product can be found here:
Instructions for - Spybot S & D and Ad-aware
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware
Here are some additional utilities that will enhance your safety
Using Winpatrol to protect your computer from malicious software
Stand Up and Be Counted ---> Malware Complaints <--- where you can make a difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Also, please read this great article by Tony Klein: So How Did I Get Infected In The First Place?
Happy surfing and stay clean!