
SOS!


  • This topic is locked
92 replies to this topic

#41 boogieonrw

boogieonrw

    Member

  • Members
  • PipPipPip
  • 63 posts

Posted 08 February 2005 - 04:59 PM

okay...i left the program running for something like 2 hours, and it still didn't open any notepad, should i restart or continue allowing it to possibly do something....

originally, the program only worked in safe mode
so is there any way that i can have it completely run in safe mode?


here's exactly what happened:

i started in safe mode. i ran the program. it said it needed to restart to complete, it counted down, it restarted
i logged on. it said it loaded. it said it was searching, please wait

and that's where we are

the program looks frozen (the little red line is not blinking)

#42 guestolo

guestolo

    Site Donator

  • Admin
  • PipPipPipPipPipPipPip
  • 16,247 posts

Posted 08 February 2005 - 05:48 PM

It won't probably work in Safe mode

We must try another method

Let's try this first>>something is getting in the way and I'm not seeing any updates on this situation

download and save it to desktop Remv3.zip
UNZIP the contents to a folder

IMPORTANT>>and you must be In safe mode for this to work
With windows set to Show Hidden Files and Folders

In safe mode open the folder you unzipped the contents of remv3.zip and Double click on
remv3.bat
Let it run until the dos window closes

RESTART back to Normal mode

Remv3.bat would have produced a log
Navigate to c:\log.txt and post the whole contents of this log

Also post a fresh hijackthis log

Please stop bouncing back and forth from Normal mode to safe mode as minimally as you have to
You're making this very difficult, we still have a bit of cleaning to do and you're allowing these infections to multiply

You really have to just let me know what the problems are, STOP and wait for instructions

Do you want to post your own logs from FRST?
Follow the instructions posted Click Here


#43 boogieonrw


Posted 08 February 2005 - 06:58 PM

okay- i am right there.

my computer is starting in normal mode now... the log file did save to the hard drive, i saw it there

but now the c command thing is open from earlier, the same one that wouldn't really close

it says

"killing explorer and rundll32.exe
the system cannot find the path specified
0 files copied
scanning first pass. please wait"

this is the screen where i waited for a whole 2 hours before, however it said 1 file copied originally





thanks, awaiting your instruction

jordan

#44 guestolo


Posted 08 February 2005 - 07:03 PM

If the scan finishes with L2Mfix
Post both logs from L2mfix and Remv3.bat

Also post a fresh hijackthis log

And try not to do anything else until I get a chance to see all logs, thanks

I'm stepping out for a bit so I'll see the logs when I get back

EDIT>>the scan shouldn't take no 2 hours
Tops 5 minutes
If you can't get the scan to finish post me the Log.txt from within the L2mfix folder

If you can't get into Windows in Normal mode

First Hit (Ctrl+Alt+Del) on your keyboard to bring up the Task manager

End task on L2mfix

Then click on FILE in the Task manager
New Task(Run)
Type in
explorer.exe
and hit OK

That should get you back to Windows in Normal mode

I need to see some logs



#45 boogieonrw


Posted 08 February 2005 - 08:39 PM

i had to remove the l2mfix from starting during safemode in hijackthis, otherwise it kept opening and freezing,
i also removed my outdated mcafee from starting because when too much stuff was starting it had an aversion for freezing... i

here's the log.txt



Files Found.................
----------------------------------------

Files Not deleted.................
----------------------------------------

Merging registry entries
-----------------------------------------------------------------
The Registry Entries Found...
-----------------------------------------------------------------


Other bad files to be Manually deleted.. Please note that this might also list legit Files, be careful while deleting
-----------------------------------------------------------------
msi.dll


and hijack this



Logfile of HijackThis v1.99.0
Scan saved at 9:37:12 PM, on 2/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com...ystempopup=true (obfuscated)
O2 - BHO: (no name) - {4C6760DC-238D-9383-FB09-D1F471E71804} - (no file)
O2 - BHO: (no name) - {502B8893-05D5-1E4B-D4E1-6F514A11CDB7} - (no file)
O2 - BHO: (no name) - {79EF8DE9-C305-C8CC-6B87-1ED452FEAE42} - (no file)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe









Finished

#46 guestolo


Posted 08 February 2005 - 08:42 PM

In the L2mfix folder should be a log called log.txt
Can you post that here please



#47 boogieonrw


Posted 08 February 2005 - 09:22 PM

this is lo2.txt

figure it may be what you're lookin for


L2Mfix 1.02a

Running From:
C:\Documents and Settings\jordan\Desktop\l2mfix



RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting registry permissions:


RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!


Denying C access for really "Everyone"
- adding new ACCESS DENY entry


Registry Permissions set too:

RegDACL 5.1 - Permissions Manager for Registry keys for Windows NT 4 and above
Copyright © 1999-2001 Frank Heyne Software (http://www.heysoft.de)
This program is Freeware, use it on your own risk!

Access Control List for Registry key HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify:
(CI) DENY --C------- Everyone
(ID-NI) ALLOW Read BUILTIN\Users
(ID-IO) ALLOW Read BUILTIN\Users
(ID-NI) ALLOW Full access BUILTIN\Administrators
(ID-IO) ALLOW Full access BUILTIN\Administrators
(ID-NI) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access NT AUTHORITY\SYSTEM
(ID-IO) ALLOW Full access CREATOR OWNER



Setting up for Reboot


Starting Reboot!

C:\Documents and Settings\jordan\Desktop\l2mfix
System Rebooted!

Running From:
C:\Documents and Settings\jordan\Desktop\l2mfix

killing explorer and rundll32.exe

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Killing PID 1976 'explorer.exe'

Command Line Process Viewer/Killer/Suspender for Windows NT/2000/XP V2.03
Copyright© 2002-2003 [email protected]
Error, Cannot find a process with an image name of rundll32.exe

#48 boogieonrw


Posted 08 February 2005 - 09:43 PM

my daughter switched users on the computer with a virus (who knows why)
and all of the desktop icons opened

dddd.exe
tvshdg.exe
IEXPLORER (caps lock)

and all of those other demon programs were running....i don't know what that means, but ...
i'll post another hijackthis log

#49 boogieonrw


Posted 08 February 2005 - 09:45 PM

Logfile of HijackThis v1.99.0
Scan saved at 10:45:30 PM, on 2/8/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\WINDOWS\isrvs\desktop.exe
C:\windows\system32\tvshdg.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\windows\system32\packager.exe
C:\WINDOWS\System32\wuauclt.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com...ystempopup=true (obfuscated)
O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: (no name) - {4C6760DC-238D-9383-FB09-D1F471E71804} - (no file)
O2 - BHO: (no name) - {502B8893-05D5-1E4B-D4E1-6F514A11CDB7} - (no file)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {79EF8DE9-C305-C8CC-6B87-1ED452FEAE42} - (no file)
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [tvshdg] c:\windows\system32\tvshdg.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O16 - DPF: v3cab - http://searchmiracle.com/cab/10.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O23 - Service: AOL Connectivity Service - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe
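
Added example (not part of the original thread and not HijackThis code): a small Python parser that diffs the two HijackThis logs posted in #45 and #49, surfaces the processes and registry entries that appeared between the scans, groups them by folder, and lists entries marked "(no file)". The embedded logs are trimmed excerpts of those two posts; the function names are this example's own.

```python
import ntpath
import re
from collections import defaultdict

# Trimmed excerpts of the logs in posts #45 (BEFORE) and #49 (AFTER).
BEFORE = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
O2 - BHO: (no name) - {4C6760DC-238D-9383-FB09-D1F471E71804} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

AFTER = r"""Logfile of HijackThis v1.99.0
Running processes:
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\isrvs\desktop.exe
C:\windows\system32\tvshdg.exe
C:\windows\system32\packager.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
O2 - BHO: (no name) - {4C6760DC-238D-9383-FB09-D1F471E71804} - (no file)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [tvshdg] c:\windows\system32\tvshdg.exe
O16 - DPF: v3cab - http://searchmiracle.com/cab/10.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
"""

ENTRY_RE = re.compile(r"^([RFNO]\d{1,2}) - (.+)$")  # section code, then detail
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]+?\.(?:exe|dll)', re.IGNORECASE)


def parse_hjt(text):
    """Return (running_processes, [(section_code, detail), ...]) for one log."""
    processes, entries, in_procs = [], [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("running processes"):
            in_procs = True
            continue
        match = ENTRY_RE.match(line)
        if match:  # the first R/O entry ends the process list
            in_procs = False
            entries.append((match.group(1), match.group(2)))
        elif in_procs and line:
            processes.append(line)
    return processes, entries


def diff_logs(before, after):
    """Items present in `after` but not in `before`, compared case-insensitively."""
    old_procs, old_entries = parse_hjt(before)
    new_procs, new_entries = parse_hjt(after)
    seen_procs = {p.casefold() for p in old_procs}
    seen_entries = {(c, d.casefold()) for c, d in old_entries}
    return (
        [p for p in new_procs if p.casefold() not in seen_procs],
        [(c, d) for c, d in new_entries if (c, d.casefold()) not in seen_entries],
    )


def by_directory(procs, entries):
    """Group new processes and entries by the folder their file lives in."""
    groups = defaultdict(list)
    for path in procs:
        groups[ntpath.dirname(path).casefold()].append("process: " + ntpath.basename(path))
    for code, detail in entries:
        found = PATH_RE.search(detail)
        if found:  # entries without a local path (the O16 URL) are not grouped
            path = found.group(0)
            groups[ntpath.dirname(path).casefold()].append(f"{code}: {ntpath.basename(path)}")
    return dict(groups)


def orphaned(entries):
    """Entries that HijackThis reports with '(no file)' as their target."""
    return [(c, d) for c, d in entries if d.endswith("(no file)")]


if __name__ == "__main__":
    procs, entries = diff_logs(BEFORE, AFTER)
    for folder, items in by_directory(procs, entries).items():
        print(folder, "->", ", ".join(items))
    for code, detail in orphaned(parse_hjt(AFTER)[1]):
        print("orphaned", code, detail)
```
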

#50 boogieonrw


Posted 08 February 2005 - 10:47 PM

is there any way for me to condense all of the users on my computer down to only one user? i have XP

you know, kind of get rid of the other profiles....so i'm only really dealing with one computer and one set of files running, etc.

i was thinking perhaps this would be easier for me to fix the virus if this was possible.


in any event. upon restarting under my user name, it is running more smoothly than it was on hers, however the tvgmd or whatever it was called, and a program called packager.exe and also every once in a while a program called calc.exe are running in my task manager and are not allowing a close.

it's really a shame about this whole l2mfix dilemma,
do u think the virus is stopping it from running? before that series of restarts in order to get the l2mfix to complete.... the virus seemed basically contained- it hadn't been running during the hijackthis checks and also in my task manager...

that file ixgnear or whatever it was (the one i disabled starting automatically)
has disappeared (i checked on it while in safe mode running the l2mfix, just out of curiosity - to see if it had stayed disabled)
i thought that was weird.



thanks a lot, you really go above and beyond, and i hope that you are making money somehow from this site, let me know if you aren't and i'll take care of you

#51 guestolo


Posted 08 February 2005 - 11:28 PM

Well, we still have to do some cleaning

Ensure that you have Notepad.exe in both these locations
C:\WINDOWS and C:\WINDOWS\System32 folders
If one or both are missing download a new copy from this link
http://www.merijn.or...es.html#notepad
Save to desktop and UNZIP to both those folders

Download and Install
SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacools...areblaster.html
Hold onto this and check for updates every couple of weeks

Ensure you still have Searchmiracle.reg and Hoster

From this account

Open Hijackthis>>Open Misc Tools>>Open Process Manager and kill these processes
C:\WINDOWS\isrvs\desktop.exe
C:\windows\system32\tvshdg.exe
C:\windows\system32\packager.exe


Do another scan with Hijackthis and put a check next to these entries

O2 - BHO: &EliteBar - {28CAEFF3-0F18-4036-B504-51D73BD81ABC} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll
O2 - BHO: (no name) - {4C6760DC-238D-9383-FB09-D1F471E71804} - (no file)
O2 - BHO: (no name) - {502B8893-05D5-1E4B-D4E1-6F514A11CDB7} - (no file)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll
O2 - BHO: (no name) - {79EF8DE9-C305-C8CC-6B87-1ED452FEAE42} - (no file)
O2 - BHO: &EliteSideBar - {ED103D9F-3070-4580-AB1E-E5C179C1AE41} - C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll
O3 - Toolbar: &EliteBar - {825CF5BD-8862-4430-B771-0C15C5CA8DEF} - C:\WINDOWS\EliteToolBar\EliteToolBar version 59.dll

O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [tvshdg] c:\windows\system32\tvshdg.exe

O16 - DPF: v3cab - http://searchmiracle.com/cab/10.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll


Click FIX CHECKED, be sure all other windows are closed

RESTART your computer into safe mode

Find and delete
C:\WINDOWS\isrvs <--this folder
c:\windows\system32\tvshdg.exe <--file

Double click on Searchmiracle.reg and allow to merge to the registry

Open Hoster and Restore Original hosts

Run Windows CleanUp! in Safe mode

RESTART back to Normal mode

I need you to Redownload
eScan in case it was updated, you can delete your old copy
Mwav.exe
There's nothing to install, save it and then double click to run
It will self extract

Select all local drives, scan all files, press 'SCAN' and when it is completed, anything found will be displayed in the lower pane.
In the Virus Log Information Pane
Left click and Highlight all the info in the Lower pane--- Use "CTRL C" on your Keyboard to copy all found in the lower pane and paste it in your next reply.

Also, I'm uploading a file called Findit.zip
UNZIP the contents to a folder, then open that folder and double click on Find.bat. It will run for awhile (should be no longer than 15 minutes) then produce a log (ignore any File not found messages on the screen)
Please copy and paste the contents of the log to this thread please.

Also post a fresh hijackthis log from this log>>We'll Call Log2

Could I have you do one more thing for me, I'm hoping we almost got all of it

Can you go to START>>RUN>>type cmd
Hit ok

Type these into the command prompt box hitting Enter after each

cd\
cd %windir%\system32
dir /a:-d /o:-d > %systemdrive%\system32.txt
start %systemdrive%\system32.txt
cls
exit


The below is how to input

cd\<enter>
cd+%windir%\system32<enter>
dir+/a:-d+/o:-d+>+%systemdrive%\system32.txt<enter>
start+%systemdrive%\system32.txt<enter>
cls<enter>
exit<enter>

NOTE: Don't include the + signs when entering the commands
That is just to indicate where there is a space

A long log should popup
Can you include that log back here please

A few logs to show me, but can you try and show them all, thanks
Do what you can and post back what you can, I may not see the results until tomorrow, so good luck :D

EDIT>>I added a process to kill with hijackthis before you apply the fixes
If I'm too late, that's ok carry on
C:\windows\system32\packager.exe

[attachment=18:attachment]



#52 boogieonrw


Posted 09 February 2005 - 12:08 AM

small problem-

tvs.... there is no file named that... is this okay?
not on my computer at all, which is strange because i seem to catch it running quite often

#53 guestolo


Posted 09 February 2005 - 12:12 AM

If you have to, before you restart back to Normal mode

Open Kill box and input this into the Full path of file to delete

C:\windows\system32\tvshdg.exe

Put a tick on Replace on Reboot
and Use Dummy
Then click the RED X button

Allow it to Restart
Make this the last thing you do before restarting back to Normal mode

If you experience any errors on startup, don't worry and try and do everything else posted
I need to see the logs.........

I almost forgot, can I get you to run Service filter again
Double-click ServiceFilter.vbs, if you get a prompt from your Anti-Virus, Allow this to run, we are just collecting information
This script will create a text file named 'Post_This.txt' in the same folder as the script itself has been saved - copy and paste the contents of Post_This.txt in your next reply here.

I'm throwing a lot of logs at you but I'm hoping these are the last ones



#54 boogieonrw


Posted 09 February 2005 - 08:09 AM

File C:\WINDOWS\explorer.exe infected by "Virus.Win32.Bube.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\brew.dll infected by "Trojan-Downloader.Win32.Small.ajp" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\brew.dll infected by "Trojan-Downloader.Win32.Small.ajp" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\Explorer.exe infected by "Virus.Win32.Bube.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\addah32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\addyx.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\apiok32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\appbu32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\appcr32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\appvg32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\BTGrab.dll infected by "not-a-virus:AdWare.BiSpy.t" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\crkp32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\crne32.exe infected by "Trojan-Downloader.Win32.Small.ajr" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\crqo.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\cruh.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\d3fm32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\d3ui32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\iebc.exe infected by "Trojan-Downloader.Win32.Small.ajr" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\ienm.exe infected by "Trojan-Downloader.Win32.Small.ajr" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\ipgn32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\ipko32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\javaqv.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\mfckx.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\mspf.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\mstl32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\msxmidi.exe infected by "Virus.Win32.Bube.b" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\NDNuninstall6_22.exe infected by "not-a-virus:AdWare.NewDotNet" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\netfd32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\netsa32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\ntjg.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\ntqc32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\sdked32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\SSK_B5.EXE infected by "Trojan-Dropper.Win32.SurfSide.a" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\sysfe.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\sysfh32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\sysiz32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\sysvg.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\winlb32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\woinstall.exe infected by "not-a-virus:AdWare.EZula.ak" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\304390.exe infected by "Trojan-Clicker.Win32.Small.dm" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\311375.exe infected by "Trojan-Clicker.Win32.Small.dm" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\addcr32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\apitu.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\apiwi32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\appgo32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\cp.exe infected by "Trojan-Downloader.Win32.Agent.ic" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\crbt.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\crza.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\d3bl.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\d3ea.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\d3tj32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\dfe.exe infected by "Trojan.Win32.LowZones.ac" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\dOnim.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\eliteztm32.exe infected by "Trojan.Win32.StartPage.nk" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\eree.exe infected by "Trojan-Clicker.Win32.Agent.bn" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\fgrr.exe infected by "Trojan-Dropper.Win32.Small.sa" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\htt.exe infected by "not-a-virus:AdWare.ToolBar.ISearch.d" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ipdy32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ipmp.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\System32\ipxm32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\KVIF_7.dll infected by "Trojan-Downloader.Win32.Keenval.e" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\l06olaj31do.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\LMWND13n.DLL infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\lvno0953e.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\mac80ex.idf infected by "not-a-virus:AdWare.BargainBuddy.l" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\mfchc32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\mqexdlm.srg infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\msab.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\msfe.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\msjy32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\msyz.exe infected by "Trojan-Downloader.Win32.Small.ajr" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\netoh.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\neton.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\netut80ex.vxd infected by "not-a-virus:AdWare.ToolBar.Exact" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\netxh32.exe infected by "Trojan-Downloader.Win32.Small.ajr" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\nndptyl.exe infected by "Trojan-Downloader.Win32.IstBar.gen" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\nteu.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\ntod.exe infected by "Trojan-Downloader.Win32.Small.ajr" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\ntqm.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\o884lilq18qe.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\Process.exe tagged as not-a-virus:RiskWare.Tool.Processor.20. No Action Taken.
File C:\WINDOWS\system32\s8pu0i79e8.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\sdklk.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\SHAgentNew.dll infected by "not-a-virus:AdWare.Sahat.g" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\sysal32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\sysdl.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\tarmmgr.dll infected by "not-a-virus:AdWare.Look2Me.u" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\wbfkfebl.dll infected by "Trojan.Win32.Agent.aw" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\wined32.exe infected by "Trojan-Downloader.Win32.Small.ajr" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\WinSuck.dll infected by "Trojan-Clicker.Win32.Agent.ca" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\Xcite.dll infected by "not-a-virus:AdWare.F1Organizer.m" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\system32\Xcite2.exe infected by "not-a-virus:AdWare.F1Organizer.m" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\sysvg.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\winlb32.exe infected by "Backdoor.Win32.Small.dc" Virus. Action Taken: No Action Taken.
File C:\WINDOWS\woinstall.exe infected by "not-a-virus:AdWare.EZula.ak" Virus. Action Taken: No Action Taken.

#55 boogieonrw

boogieonrw

    Member

  • Members
  • 63 posts

Posted 09 February 2005 - 08:52 AM

Warning! This utility will find legitimate files in addition to malware.
Do not remove anything unless you are sure you know what you're doing.

Find.bat is running from: C:\Documents and Settings\jordan\Desktop\Find_It_NT_2K_XP-1\Find It NT-2K-XP

------- System Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 5433-A367

Directory of C:\WINDOWS\System32

02/09/2005 12:43 AM <DIR> dllcache
02/07/2005 04:02 PM 0 kwxle.txt
02/04/2005 01:45 AM 229,736 k644lghq164e.dll
02/04/2005 01:29 AM 0 d3wq.exe
02/03/2005 02:30 PM 10,824 d3ea.exe
02/01/2005 09:45 AM 413,696 r?gsvr32.exe
02/01/2005 09:42 AM 413,696 m?iexec.exe
01/30/2005 08:39 AM 11,467 msjy32.exe
01/23/2005 09:10 PM 10,824 ntqm.exe
01/23/2005 08:27 PM 29,256 ntod.exe
01/23/2005 07:37 PM 29,256 msyz.exe
01/23/2005 03:41 PM 29,256 netxh32.exe
01/20/2005 08:35 PM 11,550 sdklk.exe
01/20/2005 08:55 AM 10,824 ipxm32.exe
07/20/2004 02:33 PM 71 SYSDRVWC.SYS
12/29/2003 11:39 PM 0 appxa32.exe
12/29/2003 03:53 AM 10,824 neton.exe
12/28/2003 10:31 PM 10,824 apiwi32.exe
12/18/2003 01:03 PM <DIR> Microsoft
17 File(s) 1,222,104 bytes
2 Dir(s) 6,071,160,832 bytes free

------- Hidden Files in System32 Directory -------

Volume in drive C has no label.
Volume Serial Number is 5433-A367

Directory of C:\WINDOWS\System32

02/09/2005 12:43 AM <DIR> dllcache
02/07/2005 04:02 PM 0 kwxle.txt
02/04/2005 01:29 AM 0 d3wq.exe
02/03/2005 02:30 PM 10,824 d3ea.exe
02/01/2005 09:45 AM 413,696 r?gsvr32.exe
02/01/2005 09:42 AM 413,696 m?iexec.exe
01/30/2005 08:39 AM 11,467 msjy32.exe
01/23/2005 09:10 PM 10,824 ntqm.exe
01/23/2005 08:27 PM 29,256 ntod.exe
01/23/2005 07:37 PM 29,256 msyz.exe
01/23/2005 03:41 PM 29,256 netxh32.exe
01/20/2005 08:35 PM 11,550 sdklk.exe
01/20/2005 08:55 AM 10,824 ipxm32.exe
07/20/2004 02:33 PM 71 SYSDRVWC.SYS
12/29/2003 11:39 PM 0 appxa32.exe
12/29/2003 03:53 AM 10,824 neton.exe
12/28/2003 10:31 PM 10,824 apiwi32.exe
12/18/2003 12:38 PM 488 WindowsLogon.manifest
12/18/2003 12:38 PM 488 logonui.exe.manifest
12/18/2003 12:38 PM 749 sapi.cpl.manifest
12/18/2003 12:38 PM 749 cdplayer.exe.manifest
12/18/2003 12:38 PM 749 ncpa.cpl.manifest
12/18/2003 12:38 PM 749 nwc.cpl.manifest
12/18/2003 12:38 PM 749 wuaucpl.cpl.manifest
23 File(s) 997,089 bytes
1 Dir(s) 6,071,156,736 bytes free

------------ Files Named "Guard" ---------------

Volume in drive C has no label.
Volume Serial Number is 5433-A367

Directory of C:\WINDOWS\System32


------ Temp Files in System32 Directory ------

Volume in drive C has no label.
Volume Serial Number is 5433-A367

Directory of C:\WINDOWS\System32


------------------ User Agent ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
"{D2AD9633-36F1-4338-AA11-469CA091B890}"=""


------------- Keys Under Notify -------------

REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify]
"Asynchronous"=dword:00000000
"DllName"=""
"Impersonate"=dword:00000000
"Logon"="WinLogon"
"Logoff"="WinLogoff"
"Shutdown"="WinShutdown"


------------- Locate.com Results -------------

C:\WINDOWS\SYSTEM32\
d3ea.exe Thu Feb 3 2005 2:31:00p A.SH. 10,824 10.57 K
d3wq.exe Fri Feb 4 2005 1:29:44a A.SH. 0 0.00 K
ipxm32.exe Thu Jan 20 2005 8:55:58a A.SH. 10,824 10.57 K
k644lg~1.dll Fri Feb 4 2005 1:45:12a ..S.R 229,736 224.35 K
kwxle.txt Mon Feb 7 2005 4:02:12p A.SH. 0 0.00 K
msjy32.exe Sun Jan 30 2005 8:39:30a A.SH. 11,467 11.20 K
msyz.exe Sun Jan 23 2005 7:37:42p A.SH. 29,256 28.57 K
miexec~1.exe Tue Feb 1 2005 9:42:42a ..SHR 413,696 404.00 K
netxh32.exe Sun Jan 23 2005 3:41:36p A.SH. 29,256 28.57 K
ntod.exe Sun Jan 23 2005 8:27:44p A.SH. 29,256 28.57 K
ntqm.exe Sun Jan 23 2005 9:10:40p A.SH. 10,824 10.57 K
rgsvr3~1.exe Tue Feb 1 2005 9:45:40a ..SHR 413,696 404.00 K
sdklk.exe Thu Jan 20 2005 8:35:14p A.SH. 11,550 11.28 K

13 items found: 13 files, 0 directories.
Total of file sizes: 1,200,385 bytes 1.14 M

-------- Strings.exe Qoologic Results --------


--------- Strings.exe Aspack Results ---------


-------------- HKLM Run Key ----------------

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AdaptecDirectCD"="\"C:\\Program Files\\Roxio\\Easy CD Creator 5\\DirectCD\\DirectCD.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Desktop Search"="C:\\WINDOWS\\isrvs\\desktop.exe"
"ffis"="C:\\WINDOWS\\isrvs\\ffisearch.exe"




#56 boogieonrw

boogieonrw

    Member

  • Members
  • PipPipPip
  • 63 posts

Posted 09 February 2005 - 08:54 AM

Logfile of HijackThis v1.99.0
Scan saved at 9:54:54 AM, on 2/9/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\WINDOWS\explorer.exe
C:\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.msn.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.msn.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com...ystempopup=true (obfuscated)
O2 - BHO: (no name) - {4C6760DC-238D-9383-FB09-D1F471E71804} - (no file)
O2 - BHO: (no name) - {502B8893-05D5-1E4B-D4E1-6F514A11CDB7} - (no file)
O2 - BHO: IE Update Class - {5B4AB8E2-6DC5-477A-B637-BF3C1A2E5993} - C:\WINDOWS\isrvs\sysupd.dll (file missing)
O2 - BHO: (no name) - {79EF8DE9-C305-C8CC-6B87-1ED452FEAE42} - (no file)
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .mpg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O23 - Service: LexBce Server - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NOD32 Kernel Service - Unknown - C:\Program Files\Eset\nod32krn.exe

#57 boogieonrw

boogieonrw

    Member

  • Members
  • PipPipPip
  • 63 posts

Posted 09 February 2005 - 09:01 AM

Volume in drive C has no label.
Volume Serial Number is 5433-A367

Directory of C:\WINDOWS\system32

02/08/2005 10:42 PM 608 imon1.dat
02/08/2005 03:22 PM 56 QBRURZ~1.EXE
02/08/2005 02:10 PM 25,065 wmpscheme.xml
02/08/2005 02:01 PM 4,560 311375.exe
02/08/2005 02:01 PM 679 titles.ini
02/08/2005 02:01 PM 38 a.bat
02/08/2005 02:01 PM 1,634 306203.exe
02/08/2005 02:01 PM 4,560 304390.exe
02/08/2005 02:01 PM 8 hfkro.t4y
02/08/2005 10:33 AM 17,920 WinSuck.dll
02/07/2005 11:54 PM 27 brew32.dll
02/07/2005 11:53 PM 2 wapiit.exe
02/07/2005 09:08 PM 7,680 brew.dll
02/07/2005 04:42 PM 986 mapisvc.inf
02/07/2005 04:40 PM 114,688 nms32.dll
02/07/2005 04:40 PM 245,760 imon.dll
02/07/2005 04:02 PM 0 kwxle.txt
02/07/2005 03:54 PM 129 _t.bat
02/07/2005 03:12 PM 2,206 wpa.dbl
02/07/2005 02:27 PM 15,872 nndptyl.exe
02/07/2005 02:27 PM 28,160 dgdgd.exe
02/07/2005 12:56 PM 8 jdslg.rrh
02/04/2005 12:30 PM 230,038 o884lilq18qe.dll
02/04/2005 12:01 PM 230,619 l06olaj31do.dll
02/04/2005 11:59 AM 230,038 tarmmgr.dll
02/04/2005 11:59 AM 230,397 lvno0953e.dll
02/04/2005 06:33 AM 8,192 vx1x.nls
02/04/2005 06:33 AM 8,192 vx1.nls
02/04/2005 01:50 AM 230,038 s8pu0i79e8.dll
02/04/2005 01:45 AM 229,736 k644lghq164e.dll
02/04/2005 01:34 AM 168,644 netut80ex.vxd
02/04/2005 01:33 AM 8,192 vx0.nls
02/04/2005 01:33 AM 1,101,470 mac80ex.idf
02/04/2005 01:32 AM 192 my.preferences.xml
02/04/2005 01:32 AM 426,223 cp.exe
02/04/2005 01:29 AM 0 d3wq.exe
02/03/2005 02:30 PM 10,824 d3ea.exe
02/01/2005 09:45 AM 413,696 r?gsvr32.exe
02/01/2005 09:45 AM 167,936 iwdwin.dll
02/01/2005 09:42 AM 413,696 m?iexec.exe
01/30/2005 01:43 PM 10,824 nteu.exe
01/30/2005 08:39 AM 11,467 msjy32.exe
01/30/2005 04:04 AM 0 winun32.dll
01/29/2005 01:18 AM 10,824 mfchc32.exe
01/27/2005 11:03 PM 98,926 mskr32.dll
01/26/2005 03:20 AM 10,824 ipdy32.exe
01/26/2005 03:19 AM 29,256 wined32.exe
01/23/2005 09:10 PM 10,824 ntqm.exe
01/23/2005 08:27 PM 29,256 ntod.exe
01/23/2005 07:37 PM 29,256 msyz.exe
01/23/2005 03:41 PM 29,256 netxh32.exe
01/20/2005 08:35 PM 11,550 sdklk.exe
01/20/2005 08:55 AM 10,824 ipxm32.exe
01/18/2005 04:16 PM 73,728 ezPopStub.exe
01/17/2005 05:16 PM 10,824 d3tj32.exe
01/13/2005 09:41 PM 126,976 zip.exe
01/13/2005 09:41 PM 90,112 RegDACL.exe
01/13/2005 09:41 PM 39,184 Ntrights.exe
01/13/2005 09:41 PM 53,248 Process.exe
01/13/2005 09:41 PM 24,576 Reboot.exe
01/05/2005 05:24 PM 32,378 exclean.exe
01/05/2005 03:36 PM 110,592 mqexdlm.srg

#58 boogieonrw

boogieonrw

    Member

  • Members
  • PipPipPip
  • 63 posts

Posted 09 February 2005 - 09:12 AM

The script did not recognize the services listed below.
This does not mean that they are a problem.

To copy the entire contents of this document for posting:
At the top of this window click "Edit" then "Select All"
Next click "Edit" again then "Copy"
Now right click in the forum post box then click "Paste"

########################################

ServiceFilter 1.1
by rand1038

Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 1
Feb 9, 2005 10:13:42 AM


---> Begin Service Listing <---

Unknown Service # 1
Service Name: NOD32krn
Display Name: NOD32 Kernel Service
Start Mode: Auto
Start Name: LocalSystem
Description: ...
Service Type: Own Process
Path: c:\program files\eset\nod32krn.exe
State: Running
Process ID: 1140
Started: True
Exit Code: 0
Accept Pause: False
Accept Stop: False

Unknown Service #2
Service Name: SwPrv
Display Name: MS Software Shadow Copy Provider
Start Mode: Manual
Start Name: LocalSystem
Description: Manages software-based volume shadow copies taken by the Volume Shadow Copy service. If this ...
Service Type: Own Process
Path: c:\windows\system32\dllhost.exe /processid:{4af1c4a9-7593-4159-a089-20000a4dfd3b}
State: Stopped
Process ID: 0
Started: False
Exit Code: 1077
Accept Pause: False
Accept Stop: False

---> End Service Listing <---

There are 79 Win32 services on this machine.
2 were unrecognized.

Script Execution Time: 2.9375 seconds.

#59 guestolo

guestolo

    Site Donator

  • Admin
  • PipPipPipPipPipPipPip
  • 16,247 posts

Posted 09 February 2005 - 02:55 PM

Your machine is heavily infected.

If you want to try and clean this out, it will take patience

We have to get rid of the VX2 infection
But first I need you to do something

Print off all the locations where the scan from eScan found bad files

Don't do anything with them yet
Also save a copy to Notepad so you can use it as a reference

Can you ensure that Windows is set to show hidden files and folders

Navigate to these locations
C:\WINDOWS\explorer.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\dllcache\explorer.exe

Don't do anything with them yet, there are legitimate files in this location that you cannot get rid of
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\dllcache\explorer.exe
If you right-click on them, the correct file size should be approximately
.98 MB <--this is legit
What do you see on your computer?
Do you only see one explorer.exe in each folder?
Explorer folder in the C:\Windows\ folder is legit, should be minimal in size
4 KB approx.

Some of these fixes will have to be done with Killbox



#60 boogieonrw

boogieonrw

    Member

  • Members
  • PipPipPip
  • 63 posts

Posted 09 February 2005 - 07:05 PM

there is only one explorer in each folder, and they are both 985 KB

the one in windows, however, says it was created on January 18 2005 at 12:15 pm.... that seems odd

how do i print out the locations eScan found bad files?