Author Topic: Help - Can't fully clean - New virus daily (Read 2798 times)

CSOM · « **on:** November 14, 2004, 10:53:53 PM »

I know you love newbie's with questions on here, but I'm hoping someone can advise me of my next steps to take.

My McAfee seems to be popping up almost daily with something new, and it doesn't ever completely get rid of it. I've done a full system scan, with McAfee, Stinger, a few online scans, as well as my AdAware system scan, and I'm still having problems.

Can someone review my hijack log, and advise?

Much appreciated.

Logfile of HijackThis v1.98.2
Scan saved at 10:01:39 PM, on 11/14/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\system32\drivers\dcfssvc.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\stisvc.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\System32\mspmspsv.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\Explorer.EXE
D:\PROGRA~1\Logitech\iTouch\iTouch.exe
D:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
d:\progra~1\mcafee.com\vso\mcvsescn.exe
D:\WINNT\FSScrCtl.exe
d:\progra~1\mcafee.com\vso\mcvsftsn.exe
D:\Program Files\Outlook Express\msimn.exe
D:\WINNT\System32\svchost.exe
D:\PROGRA~1\AIM95\aim.exe
D:\PROGRA~1\McAfee.com\Agent\mcagent.exe
d:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
d:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
d:\PROGRA~1\mcafee.com\vso\mcshield.exe
D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
d:\program files\mcafee.com\vso\mcmnhdlr.exe
d:\program files\mcafee.com\shared\mghtml.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\Mike Fehl\Desktop\hijackthis.exe
D:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
d:\program files\mcafee.com\vso\mcvsmap.exe
d:\program files\mcafee.com\shared\mcinfo.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.######.com/categories.cfm?catid=40
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\winnt\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - d:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\winnt\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [centurytel.net DSL Cleanup] D:\WINNT\CTECleanup.exe
O4 - HKLM\..\Run: [zBrowser Launcher] D:\PROGRA~1\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] D:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "d:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "d:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] d:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] D:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [CleanUp] D:\PROGRA~1\McAfee.com\Shared\mcappins.exe /v=3 /cleanup
O4 - HKLM\..\RunOnce: [mcagntps.dll] rundll32.exe advpack.dll,RegisterOCX d:\PROGRA~1\mcafee.com\agent\mcagntps.dll
O4 - HKCU\..\Run: [WrCtrl] "D:\Program Files\WinRoute Pro\wrctrl.exe"
O4 - HKCU\..\Run: [AIM] D:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: PowerReg SchedulerV2.exe
O4 - Startup: Screen Saver Control.lnk = D:\WINNT\FSScrCtl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = D:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://d:\winnt\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://d:\winnt\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\winnt\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://D:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Similar Pages - res://d:\winnt\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://d:\winnt\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\AIM95\aim.exe
O16 - DPF: ESPN.com MLB GameCast - http://scores.espn.go.com/java/MLBGameCastInstall.cab
O16 - DPF: ESPN.com NBA GameCast - http://scores.espn.go.com/java/NBAGameCastInstall.cab
O16 - DPF: Yahoo! Euchre - http://yog31.yahoo.com/yog/y/em0_x.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cc...everContent.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qp1.csom.umn.edu/qp2.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://cedarpoint.com/CFIDE/classes/CFJava.cab
O16 - DPF: {0DD4833D-DFFA-11D3-94D7-0050DAC353B6} (DndCtrl Class) - http://www.ofoto.com/OfotoDND.cab
O16 - DPF: {412F2472-59BC-4CCB-A3D4-C16A7D57CDCF} (CouponsIncIECtl Class) - http://a19.g.akamai.net/7/19/7125/1290/ftp.../v7/brix7ie.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://surfer.www.conxion.com/surferplugin.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN..._1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/M....cab?4,0,1323,0

guestolo · « **Reply #1 on:** November 14, 2004, 11:15:28 PM »

HI CSOM

If you don't use Viewpoint Manager, probably installed by AIM I would definitely uninstall it via Add/Remove Programs
Restart your computer once it's removed

Back in Windows
Do another scan with Hijackthis and put a check next to these entries

O4 - HKLM\..\Run: [ViewMgr] D:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

I would remove the next one too, software registration reminder, many consider to be as bad as spyware as it's know to call back home and report information about your computer
O4 - Startup: PowerReg SchedulerV2.exe

RESTART your computer

Can you let me know what folder or directory McAffee is finding these files in

CSOM · « **Reply #2 on:** November 15, 2004, 11:24:44 PM »

Thanks guestolo.

Did as instructed. Oddly enough I haven't had one pop up today, but when one does, it comes up 7-10 times in a row always. Mostly in my winnt\system32 or in program files somewhere... I will pay better attention next time to where it is...

Latest log

Logfile of HijackThis v1.98.2
Scan saved at 10:33:00 PM, on 11/15/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\system32\drivers\dcfssvc.exe
D:\WINNT\System32\svchost.exe
d:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\stisvc.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\System32\mspmspsv.exe
D:\WINNT\system32\svchost.exe
d:\PROGRA~1\mcafee.com\vso\mcshield.exe
D:\WINNT\Explorer.EXE
D:\PROGRA~1\Logitech\iTouch\iTouch.exe
D:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
D:\PROGRA~1\mcafee.com\agent\mcagent.exe
D:\WINNT\system32\svhost.exe
D:\PROGRA~1\AIM95\aim.exe
d:\progra~1\mcafee.com\vso\mcvsescn.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\WINNT\FSScrCtl.exe
d:\progra~1\mcafee.com\vso\mcvsftsn.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\Documents and Settings\Mike Fehl\Desktop\hijackthis.exe
D:\Program Files\McAfee.com\VSO\mcmnhdlr.exe
d:\program files\mcafee.com\shared\mghtml.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.######.com/categories.cfm?catid=40
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\winnt\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - d:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\winnt\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [zBrowser Launcher] D:\PROGRA~1\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] D:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "d:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "d:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] d:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] D:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKLM\..\Run: [Microsoft Systems] svhost.exe
O4 - HKLM\..\RunServices: [Microsoft Systems] svhost.exe
O4 - HKCU\..\Run: [WrCtrl] "D:\Program Files\WinRoute Pro\wrctrl.exe"
O4 - HKCU\..\Run: [AIM] D:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Systems] svhost.exe
O4 - Startup: Screen Saver Control.lnk = D:\WINNT\FSScrCtl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = D:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://d:\winnt\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://d:\winnt\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\winnt\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://D:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Similar Pages - res://d:\winnt\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://d:\winnt\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\AIM95\aim.exe
O16 - DPF: ESPN.com MLB GameCast - http://scores.espn.go.com/java/MLBGameCastInstall.cab
O16 - DPF: ESPN.com NBA GameCast - http://scores.espn.go.com/java/NBAGameCastInstall.cab
O16 - DPF: Yahoo! Euchre - http://yog31.yahoo.com/yog/y/em0_x.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cc...everContent.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qp1.csom.umn.edu/qp2.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://cedarpoint.com/CFIDE/classes/CFJava.cab
O16 - DPF: {0DD4833D-DFFA-11D3-94D7-0050DAC353B6} (DndCtrl Class) - http://www.ofoto.com/OfotoDND.cab
O16 - DPF: {412F2472-59BC-4CCB-A3D4-C16A7D57CDCF} (CouponsIncIECtl Class) - http://a19.g.akamai.net/7/19/7125/1290/ftp.../v7/brix7ie.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://surfer.www.conxion.com/surferplugin.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN..._1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/M....cab?4,0,1323,0

guestolo · « **Reply #3 on:** November 15, 2004, 11:55:24 PM »

Actually, I can see the bad guy now CSOM

Let's get a good incite of what the culprits name is

Set Windows to Show Hidden Files and Folders
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Next: Go to this online malware scan
http://virusscan.jotti.dhs.org/
Give the link time to load
Use the browse button and navigate to this file

D:\WINNT\system32\svhost.exe <--this file, Don't confuse it with svchost.exe, which is legitimate

Right click on the file and select it
Use the Submit button
Post back the results of the file

If you find time
I see you have also done an Online Virus Scan
Could you do one at RAV's also
http://www.ravantivirus.com/scan/

When you access that link with Internet Explorer
click on the "To Continue without subsribing click here" link
It will load the activex and dat files

Ensure that all the top entries are checked
Autoclean--Inside Archives---Unpack Executables---Smart Scan

Then click the Scan my PC button
Let it completely finish scanning
Copy and Paste the results back here

Could you also post a fresh hijackthis log and we'll try a fix from that point, thanks

CSOM · « **Reply #4 on:** November 17, 2004, 08:08:56 AM »

Ok, checked that file, did the scan, and a new log.... here are the results

Service load: 0% 100%

File: svhost.exe
Status: INFECTED/MALWARE
Packers detected: PE-DIMINISHER

AntiVir No viruses found (0.15 seconds taken)
Avast No viruses found (1.52 seconds taken)
BitDefender Win32.P2P.SpyBot.Gen (0.87 seconds taken)
ClamAV No viruses found (0.32 seconds taken)
Dr.Web Win32.HLLW.ForBot.based (0.57 seconds taken)
F-Prot Antivirus No viruses found (0.06 seconds taken)
Kaspersky Anti-Virus Backdoor.Win32.SdBot.gen (0.62 seconds taken)
mks_vir No viruses found (0.20 seconds taken)
NOD32 probably unknown NewHeur_PE (probable variant) (0.45 seconds taken)
Norman Virus Control Sandbox: W32/Backdoor; [ General information ]

* File length: 87578 bytes.

[ Changes to filesystem ]
* Creates file C:\WINDOWS\SYSTEM\svhost.exe.
* Creates file C:\WINDOWS\SYSTEM\ntfsdi.txt.

[ Changes to registry ]
* Creates value "Microsoft Systems"="svhost.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\Run".
* Creates value "Microsoft Systems"="svhost.exe" in key "HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices".
* Creates value "Microsoft Systems"="svhost.exe" in key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run".

[ Network services ]
* Connects to "ilx.no-ip.biz" on port 6667 (TCP).
* Connects to IRC server.
* IRC: Uses nickname ILX-00263.
* IRC: Uses username ILX-39610.
* IRC: Joins channel #test with password test.
* IRC: Sets the usermode for user ILX-00263 to +i.
* IRC: Sets the usermode for user ILX-00263 to -s.
* IRC: Sets the channel mode for channel #test to +nts.

[ Process/window information ]
* Creates a mutex botid.
* Will automatically restart after boot (I'll be back...). (31.61 seconds taken)

Statistics
Last piece of malware found was Backdoor.Win32.SdBot.gen in rBot032.exe, detected by:

Scanner Malware name Time taken
AntiVir X 0.16 seconds
Avast X 1.53 seconds
BitDefender X 0.80 seconds
ClamAV X 0.32 seconds
Dr.Web X 0.54 seconds
F-Prot Antivirus X 0.06 seconds
Kaspersky Anti-Virus Backdoor.Win32.SdBot.gen 0.62 seconds
mks_vir X 0.20 seconds
NOD32 X 0.44 seconds
Norman Virus Control X 1.04 seconds

Service statistics:

5310 files (4058 of those unique) have been uploaded & scanned since 05/11/2004, the day of the last database purge.
1245 of those 4058 files contained a virus or any other form of malware.
This page has been visited 11663 times in this time period.
This service managed to spot 77 pieces of malware no vendor used knew about at the time of uploading.
The service also warned against 510 suspicious files without any help from scanner results.
However, 39 files reported to be OK were found out to be malware later (this is checked daily).
As far as can be told, all this together makes this service 99.04% accurate. However, since it is very well possible malware has been uploaded no scanner knows about at this time, this number is to be taken with a proper amount of skepticism.
Most popular malware:

Rank Malware name Uploaded Last known filename
1 backdoor.sdbot.gen 123 times cvc.exe
2 backdoor.agobot.3.gen 56 times htpasswd.exe
3 tr/drop.delf.fd.1 37 times FFF.SP2.Cleaner.v3.0.exe
4 tr/spam.avafx 34 times vbsys2.dll
5 tr/dldr.small.uv.3 32 times s1p1y.exe
6 backdoor.wootbot.gen 23 times Kopie van 1.exe.exe
7 trojan.downloader.inservice.i 23 times assassin-254.exe
8 win32:trojan-gen. {other} 22 times auto.exe
9 bds/beastdoor.205.a 16 times server.exe
10 win32:trojan-gen. 15 times cia_upx.exe
11 trojan.downloader.zlob.d 14 times a1-search.zip
12 win32.hllw.forbot.based 14 times winzipsys.exe
13 win32.hllw.mybot.based 14 times iexplore.exe.mwt
14 worm/mydoom.ah 14 times msde1.exe
15 backdoor.win32.agobot.gen 14 times ges.exe

Scan started at 11/16/2004 11:44:40 PM

Scanning memory...
Scanning boot sectors...
Scanning files...

Scanned
============================
   Objects: 50106
   Directories: 2303
   Archives: 1205
   Size(Kb): 183132
   Infected files: 0

Found
============================
   Viruses found: 0
   Suspicious files: 0
   Disinfected files: 0
   Mail files: 4027

Logfile of HijackThis v1.98.2
Scan saved at 7:20:35 AM, on 11/17/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\system32\drivers\dcfssvc.exe
D:\WINNT\System32\svchost.exe
d:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\stisvc.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\System32\mspmspsv.exe
D:\WINNT\system32\svchost.exe
d:\PROGRA~1\mcafee.com\vso\mcshield.exe
D:\WINNT\Explorer.EXE
D:\PROGRA~1\Logitech\iTouch\iTouch.exe
D:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
D:\PROGRA~1\mcafee.com\agent\mcagent.exe
D:\WINNT\system32\svhost.exe
D:\PROGRA~1\AIM95\aim.exe
d:\progra~1\mcafee.com\vso\mcvsescn.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
D:\WINNT\FSScrCtl.exe
d:\progra~1\mcafee.com\vso\mcvsftsn.exe
D:\Program Files\Outlook Express\msimn.exe
D:\WINNT\System32\svchost.exe
D:\WINNT\system32\svhost.exe
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\WINNT\system32\notepad.exe
D:\WINNT\system32\svhost.exe
D:\Documents and Settings\Mike Fehl\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.######.com/categories.cfm?catid=40
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\winnt\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - d:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\winnt\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [zBrowser Launcher] D:\PROGRA~1\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] D:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "d:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "d:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] d:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] D:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKLM\..\Run: [Microsoft Systems] svhost.exe
O4 - HKLM\..\RunServices: [Microsoft Systems] svhost.exe
O4 - HKCU\..\Run: [WrCtrl] "D:\Program Files\WinRoute Pro\wrctrl.exe"
O4 - HKCU\..\Run: [AIM] D:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Microsoft Systems] svhost.exe
O4 - Startup: Screen Saver Control.lnk = D:\WINNT\FSScrCtl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = D:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://d:\winnt\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://d:\winnt\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\winnt\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://D:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Similar Pages - res://d:\winnt\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://d:\winnt\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\AIM95\aim.exe
O16 - DPF: ESPN.com MLB GameCast - http://scores.espn.go.com/java/MLBGameCastInstall.cab
O16 - DPF: ESPN.com NBA GameCast - http://scores.espn.go.com/java/NBAGameCastInstall.cab
O16 - DPF: Yahoo! Euchre - http://yog31.yahoo.com/yog/y/em0_x.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cc...everContent.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qp1.csom.umn.edu/qp2.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://cedarpoint.com/CFIDE/classes/CFJava.cab
O16 - DPF: {0DD4833D-DFFA-11D3-94D7-0050DAC353B6} (DndCtrl Class) - http://www.ofoto.com/OfotoDND.cab
O16 - DPF: {412F2472-59BC-4CCB-A3D4-C16A7D57CDCF} (CouponsIncIECtl Class) - http://a19.g.akamai.net/7/19/7125/1290/ftp.../v7/brix7ie.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://surfer.www.conxion.com/surferplugin.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN..._1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/M....cab?4,0,1323,0

guestolo · « **Reply #5 on:** November 17, 2004, 08:09:09 PM »

Let's try some cleanup CSOM

Open Hijackthis>>>Config>>Misc Tools>>Open Process Manager
Left click to Highlight and then Kill these processes

D:\WINNT\system32\svhost.exe
I see 3 occurances of them, remember not to confuse it with svchost.exe

After you have closed those processes click the Back button in Hijackthis
>>Config>>Misc Tools>>Click the Delete File on Reboot button

Copy and paste the bolded text below into the File Name box

D:\WINNT\system32\svhost.exe

Click the OPEN button
Hijackthis will warn the file will be deleted and you must restart your computer
Don't restart yet

Instead, do another scan with Hijackthis and put a check next to these entries

O4 - HKLM\..\Run: [Microsoft Systems] svhost.exe
O4 - HKLM\..\RunServices: [Microsoft Systems] svhost.exe

O4 - HKCU\..\Run: [Microsoft Systems] svhost.exe

After you have ticked the above entries, Close All other open Windows, including this one
Leave Hijackthis open and Click FIX CHECKED
Yes to the prompt and exit Hijackthis

Restart your computer
Post back a fresh Hijackthis log and let me know if you are still having problems

Could you also let me know if your version of McAfee's has a Firewall or if you are behind any kind of Hardware firewall(Router), if not, you may think about installing one

I have links to free ones......

CSOM · « **Reply #6 on:** November 19, 2004, 08:17:26 AM »

Done and done. Unfortunately no Firewall, as much as I've thought about it. My procrastination has caught up to me I guess....

Logfile of HijackThis v1.98.2
Scan saved at 11:41:49 PM, on 11/18/2004
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
D:\WINNT\System32\smss.exe
D:\WINNT\system32\winlogon.exe
D:\WINNT\system32\services.exe
D:\WINNT\system32\lsass.exe
D:\WINNT\system32\svchost.exe
D:\WINNT\system32\spoolsv.exe
D:\WINNT\system32\drivers\dcfssvc.exe
D:\WINNT\System32\svchost.exe
d:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
D:\WINNT\system32\regsvc.exe
D:\WINNT\system32\MSTask.exe
D:\WINNT\system32\stisvc.exe
D:\WINNT\System32\WBEM\WinMgmt.exe
D:\WINNT\System32\mspmspsv.exe
D:\WINNT\system32\svchost.exe
d:\PROGRA~1\mcafee.com\vso\mcshield.exe
D:\WINNT\Explorer.EXE
D:\PROGRA~1\Logitech\iTouch\iTouch.exe
D:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
D:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\Program Files\QuickTime\qttask.exe
D:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
D:\PROGRA~1\mcafee.com\agent\mcagent.exe
D:\PROGRA~1\AIM95\aim.exe
D:\Program Files\MSN Messenger\MsnMsgr.Exe
d:\progra~1\mcafee.com\vso\mcvsescn.exe
D:\WINNT\FSScrCtl.exe
d:\progra~1\mcafee.com\vso\mcvsftsn.exe
D:\Documents and Settings\Mike Fehl\Desktop\hijackthis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forums.######.com/categories.cfm?catid=40
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - d:\winnt\googletoolbar1.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - D:\WINNT\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - d:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - d:\winnt\googletoolbar1.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [zBrowser Launcher] D:\PROGRA~1\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [EM_EXEC] D:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [LoadQM] loadqm.exe
O4 - HKLM\..\Run: [TkBellExe] "D:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [VSOCheckTask] "d:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "d:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] d:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] D:\PROGRA~1\McAfee.com\Agent\mcupdate.exe
O4 - HKCU\..\Run: [WrCtrl] "D:\Program Files\WinRoute Pro\wrctrl.exe"
O4 - HKCU\..\Run: [AIM] D:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [msnmsgr] "D:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: Screen Saver Control.lnk = D:\WINNT\FSScrCtl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check.lnk = D:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV03.EXE
O4 - Global Startup: Microsoft Office.lnk = D:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Google Search - res://d:\winnt\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://d:\winnt\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://d:\winnt\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Open Picture in &Microsoft PhotoDraw - res://D:\PROGRA~1\MICROS~2\Office\1033\phdintl.dll/phdContext.htm
O8 - Extra context menu item: Similar Pages - res://d:\winnt\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://d:\winnt\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\PROGRA~1\AIM95\aim.exe
O16 - DPF: ESPN.com MLB GameCast - http://scores.espn.go.com/java/MLBGameCastInstall.cab
O16 - DPF: ESPN.com NBA GameCast - http://scores.espn.go.com/java/NBAGameCastInstall.cab
O16 - DPF: Yahoo! Euchre - http://yog31.yahoo.com/yog/y/em0_x.cab
O16 - DPF: {0122955E-1FB0-11D2-A238-006097FAEE8B} (CscClnt Class) - http://205.159.125.199/central/02030106/cc...everContent.cab
O16 - DPF: {05D96F71-87C6-11D3-9BE4-00902742D6E0} (QuickPlace Class) - http://qp1.csom.umn.edu/qp2.cab
O16 - DPF: {072D3F2E-5FB6-11D3-B461-00C04FA35A21} (CFForm Runtime) - http://cedarpoint.com/CFIDE/classes/CFJava.cab
O16 - DPF: {0DD4833D-DFFA-11D3-94D7-0050DAC353B6} (DndCtrl Class) - http://www.ofoto.com/OfotoDND.cab
O16 - DPF: {412F2472-59BC-4CCB-A3D4-C16A7D57CDCF} (CouponsIncIECtl Class) - http://a19.g.akamai.net/7/19/7125/1290/ftp.../v7/brix7ie.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200203...meInstaller.exe
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://surfer.www.conxion.com/surferplugin.ocx
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://bin.mcafee.com/molbin/shared/mcinsc...76/mcinsctl.cab
O16 - DPF: {6B4788E2-BAE8-11D2-A1B4-00400512739B} (PWMediaSendControl Class) - http://216.249.24.141/code/PWActiveXImgCtl.CAB
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_WIN..._1/axofupld.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061...all/xscan53.cab
O16 - DPF: {8EDAD21C-3584-4E66-A8AB-EB0E5584767D} - http://toolbar.google.com/data/GoogleActivate.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://bin.mcafee.com/molbin/shared/mcgdmg...,16/mcgdmgr.cab
O16 - DPF: {C3DFA998-A486-11D4-AA25-00C04F72DAEB} (MSN Photo Upload Tool) - http://photos.msn.com/r/neutral/controls/M....cab?4,0,1323,0

guestolo · « **Reply #7 on:** November 19, 2004, 07:33:13 PM »

Log looks good CSOM, I would put a software firewall on your system if your not running through a NAT Router

My Personal Favorite is Sygate,
but you decide, you only need one
Here's a links to a few of them, they are all recommended by most
and they all have a free version
Sygate Personal Firewall

Zone Alarm by Zonelabs

Kerio Personal Firewall

OutPost by Agnitum

Also, to help tighten up your security
I very much suggest that you install these 2 applications
Both of these will help to Prevent Spyware from ever being installed
and they don't need to Run in the Background, install and run them once
Check for updates once every couple of weeks

SpywareBlaster by JavaCool---will block bad ActiveX and malevolent cookies
Install---Check for Updates---Enable all protection
http://www.javacoolsoftware.com/spywareblaster.html

IE-Spyad---IE-SPYAD puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
Here is a tutorial and download link
TUTORIAL==Link to Tutorial
Download link==Download link
Scroll down and click on IE-SPYAD.EXE Free!

Take care CSOM

http://images.thetechguide.com/forum/public/style_emoticons/<#EMO_DIR#>/smile.gif\' class=\'bbc_emoticon\' alt=\'

\' />

CSOM · « **Reply #8 on:** November 21, 2004, 05:34:41 PM »

Thanks. Got it all taken care of. Appreciate the help.

TheTechGuide Forum

News:

Author Topic: Help - Can't fully clean - New virus daily (Read 2798 times)

CSOM

Help - Can't fully clean - New virus daily

guestolo

Help - Can't fully clean - New virus daily

CSOM

Help - Can't fully clean - New virus daily

guestolo

Help - Can't fully clean - New virus daily

CSOM

Help - Can't fully clean - New virus daily

guestolo

Help - Can't fully clean - New virus daily

CSOM

Help - Can't fully clean - New virus daily

guestolo

Help - Can't fully clean - New virus daily

CSOM

Help - Can't fully clean - New virus daily