Topic: Parite.B got me :(

ep0xy
« on: January 16, 2007, 08:17:57 PM »
Hey doc,

My PC is sick, it's got a bad case of Win32/Parite.B and the worm :D called Win32/krepper.c
Well, what can I do about cleaning it, doc?
Is one of those a keylogger?
My Steam account was just hijacked yesterday while I was playing on it. :(
I tried logging in again and it said the password was changed, and I can't get it to send me an email, so I'm guessing whoever stole it changed the contact address :\

Anyway, I went ahead and ran a HijackThis txt. Here she is:


Logfile of HijackThis v1.99.1
Scan saved at 7:22:50 PM, on 1/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\IFACE.EXE
C:\Program Files\Panda Software\Panda Internet Security 2007\PAVJOBS.EXE
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [nvchost] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Software\Panda Internet Security 2007\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [SCANINICIO] "C:\Program Files\Panda Software\Panda Internet Security 2007\Inicio.exe"
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - Global Startup: MultiMon Taskbar.lnk = C:\Program Files\MMTaskbar\MultiMon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1159461737484
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159463988281
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Hope that helps and thanks in advance.


 -p0x

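The triage a helper does by eye on a HijackThis log like the one above can be scripted. The following is an added example, not code from this thread or from HijackThis, and it runs over a constructed excerpt made only of lines copied from the log in this post. It flags three things: an O4 Run entry that launches a file named like a core NT binary from somewhere other than system32 (here `C:\WINDOWS\winlogon.exe` under the entry name `nvchost`); anything in a `RunServices` key, which is a Windows 9x/Me autostart key that NT-based Windows such as XP never processes, so a live entry there was planted rather than installed; and an O20 Winlogon Notify DLL that is not on a small allowlist of stock XP notification packages (that allowlist is my assumption and deliberately incomplete, so treat its hits as "look closer", not "malicious").

```python
import re
from pathlib import PureWindowsPath

# Constructed excerpt: lines copied from the HijackThis log posted above, nothing else.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nvchost] C:\WINDOWS\winlogon.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O20 - Winlogon Notify: avldr - C:\WINDOWS\SYSTEM32\avldr.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
"""

O4_RE = re.compile(r"^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")

# Core NT binaries that the OS starts itself from %SystemRoot%\system32; a Run key that
# launches a file with one of these names from anywhere else is a name collision.
SYSTEM_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
                   "lsass.exe", "svchost.exe", "userinit.exe"}

# Assumed allowlist of stock Windows XP Winlogon Notify packages (illustrative, not exhaustive).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def first_executable(command):
    """Return the program part of a Run-key command: the quoted path if quoted,
    otherwise the first whitespace-delimited token."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(None, 1)[0] if command else ""


def triage(log_text):
    """Return (section, entry name, reason) for every O4/O20 line that trips a heuristic."""
    findings = []
    for line in log_text.splitlines():
        m = O4_RE.match(line)
        if m:
            hive, key, name, command = m.groups()
            exe = PureWindowsPath(first_executable(command))
            if key.lower().startswith("runservices"):
                findings.append(("O4", name,
                    f"{hive}\\..\\{key}: RunServices is a Windows 9x/Me key that NT-based "
                    f"Windows never processes, so an entry here was planted, not installed"))
            has_dir = exe.parent != PureWindowsPath(".")
            if (exe.name.lower() in SYSTEM_BINARIES and has_dir
                    and not str(exe.parent).lower().endswith("\\system32")):
                findings.append(("O4", name,
                    f"{exe.name} started from {exe.parent}, not system32: "
                    f"name collision with a core system binary"))
            continue
        m = O20_RE.match(line)
        if m:
            name, dll = m.groups()
            if name.lower() not in KNOWN_NOTIFY:
                findings.append(("O20", name,
                    f"unknown Winlogon Notify package {dll}: loaded into winlogon.exe at logon"))
    return findings


if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_LOG):
        print(f"[{section}] {name}: {reason}")
```

Bare filenames such as `SOUNDMAN.EXE` or `nwiz.exe` are resolved through the search path at logon and are not flagged here on their own; the point of the system32 check is that a Run entry never needs to start `winlogon.exe`, so the name is the tell regardless of where the file sits.
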
guestolo (Administrator)
« Reply #1 on: January 17, 2007, 08:21:51 PM »
Can you do the following

Download this file - Combofix.exe - and save it to your desktop
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post the log from Combofix please
« Last Edit: January 17, 2007, 08:22:07 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Mr Bell
« Reply #2 on: January 17, 2007, 11:27:32 PM »
Pox can't post, he's getting a site error. LOL


The server encountered an internal error or misconfiguration and was unable to complete your request.

Please contact the server administrator, [email protected] and inform them of the time the error occurred, and anything you might have done that may have caused the error.

More information about this error may be available in the server error log.
« Last Edit: January 17, 2007, 11:28:57 PM by Mr Bell »

guestolo
« Reply #3 on: January 17, 2007, 11:31:29 PM »
Are you able to get the log from him and post?
I'll check into the server error with Josetann if we continue with problems posting

guestolo
« Reply #4 on: January 17, 2007, 11:38:14 PM »
epoxy, I see you're logged in, still having problems posting that combofix log?

Mr Bell
« Reply #5 on: January 17, 2007, 11:44:21 PM »
I have his log but I'm getting the same error. Can't post the log, just short messages like this.

guestolo
« Reply #6 on: January 17, 2007, 11:47:21 PM »
Looks like we're having server errors again, I'll let Josetann know about it
Can one of you email me the log to the below address
Click HERE

Woops, I just edited the email addy to the correct one
« Last Edit: January 17, 2007, 11:51:12 PM by guestolo »

Mr Bell
« Reply #7 on: January 17, 2007, 11:51:54 PM »
I sent it via email.

guestolo
« Reply #8 on: January 17, 2007, 11:54:33 PM »
Can you reclick the email addy link and resend please, Mr. Bell?
I used the wrong address, keep forgetting I don't use Hotmail but MSN instead. My bad :blink:

Mr Bell
« Reply #9 on: January 17, 2007, 11:58:47 PM »
No problem

guestolo
« Reply #10 on: January 18, 2007, 12:02:21 AM »
Got it, thanks Mr. Bell.
epOxy, can you reboot the computer? Ensure you reboot into normal Windows.

If you can, come back here, run a fresh scan, save the logfile with HijackThis and post its log.
Let's see what's left over.

ep0xy
« Reply #11 on: January 18, 2007, 12:07:43 AM »
REBOOTING NOW.........

ep0xy
« Reply #12 on: January 18, 2007, 12:12:49 AM »
Logfile of HijackThis v1.99.1
Scan saved at 12:10:20 AM, on 1/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\SYSTEM32\SWEEPER.EXE
C:\program files\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\MMTaskbar\MultiMon.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://localhost:3476/cgi-bin/ncgir.exe?menu/fwl_index.html
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Internet Sweeper] C:\WINDOWS\SYSTEM32\SWEEPER.EXE /Q
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: MultiMon Taskbar.lnk = C:\Program Files\MMTaskbar\MultiMon.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1159461737484
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159463988281
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

guestolo
« Reply #13 on: January 18, 2007, 12:24:02 AM »
I don't have time tonight to go over the whole ComboFix log, but at a quick glance
it looks like it removed some bad registry entries and files/folders.

Looks like you just removed Panda and installed AVG.
Seems as if one registry entry that is no longer in your HijackThis log was probably removed by AVG or Windows Defender.

How are things running now?
Let me know please, and I'll still look over your combofix in more depth tomorrow

ep0xy
« Reply #14 on: January 18, 2007, 12:29:09 AM »
Running fast, seems OK. The night it was bad I ran a program called NOD32 and it found like 750 exe's infected with Parite.B. Thanks for your help tonight, I've got to get to sleep myself for work in the morning. Talk tomorrow doc, thanks again.

So do you think Parite.B is what helped steal my Steam account username and password?

guestolo
« Reply #15 on: January 18, 2007, 11:43:22 PM »
It may be krepper or alcan that stole your Steam identity.
I'm concerned about the entries in your HijackThis log pertaining to the infected .exe's and .scr's.
Re: Parite.B

An infection you had/have infects those files.
As in your ComboFix log, here are the ones I'm talking about that were modified on one date:
2007-01-16 00:27 8704 --a------ C:\WINDOWS\system32\wdfmgr.exe
2007-01-16 00:27 8704 --a------ C:\WINDOWS\system32\uwdf.exe
2007-01-16 00:27 65536 --a------ C:\WINDOWS\system32\wextract.exe
2007-01-16 00:27 5632 --a------ C:\WINDOWS\system32\winver.exe
2007-01-16 00:27 50176 --a------ C:\WINDOWS\system32\utilman.exe
2007-01-16 00:27 44544 --a------ C:\WINDOWS\system32\tscupgrd.exe
2007-01-16 00:27 433664 --a------ C:\WINDOWS\system32\wiaacmgr.exe
2007-01-16 00:27 347136 --a------ C:\WINDOWS\system32\tourstart.exe
2007-01-16 00:27 32256 --a------ C:\WINDOWS\system32\wpnpinst.exe
2007-01-16 00:27 32256 --a------ C:\WINDOWS\system32\wpabaln.exe
2007-01-16 00:27 30720 --a------ C:\WINDOWS\system32\xcopy.exe
2007-01-16 00:27 289792 --a------ C:\WINDOWS\system32\vssvc.exe
2007-01-16 00:27 28672 --a------ C:\WINDOWS\system32\verclsid.exe
2007-01-16 00:27 26112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2007-01-16 00:27 24576 --a------ C:\WINDOWS\system32\userinit.exe
2007-01-16 00:27 206336 --a------ C:\WINDOWS\system32\winfxdocobj.exe
2007-01-16 00:27 18432 --a------ C:\WINDOWS\system32\ups.exe
2007-01-16 00:27 17408 --a------ C:\WINDOWS\system32\wpdshextautoplay.exe
2007-01-16 00:27 172544 --a------ C:\WINDOWS\system32\wuauclt1.exe
2007-01-16 00:27 172032 --a------ C:\WINDOWS\system32\wjview.exe
2007-01-16 00:27 16896 --a------ C:\WINDOWS\system32\upnpcont.exe
2007-01-16 00:27 146432 --a------ C:\WINDOWS\system32\wudfhost.exe
2007-01-16 00:27 13824 --a------ C:\WINDOWS\system32\wscntfy.exe
2007-01-16 00:27 12288 --a------ C:\WINDOWS\system32\tracert.exe
2007-01-16 00:27 114688 --a------ C:\WINDOWS\system32\wscript.exe
2007-01-16 00:26 89600 --a------ C:\WINDOWS\system32\smlogsvc.exe
2007-01-16 00:26 8192 --a------ C:\WINDOWS\system32\spdwnwxp.exe
2007-01-16 00:26 8192 --a------ C:\WINDOWS\system32\smbinst.exe
2007-01-16 00:26 75776 --a------ C:\WINDOWS\system32\telnet.exe
2007-01-16 00:26 704512 --a------ C:\WINDOWS\system32\ss3dfo.scr
2007-01-16 00:26 679936 --a------ C:\WINDOWS\system32\sstext3d.scr
2007-01-16 00:26 610304 --a------ C:\WINDOWS\system32\sspipes.scr
2007-01-16 00:26 538624 --a------ C:\WINDOWS\system32\spider.exe
2007-01-16 00:26 47104 --a------ C:\WINDOWS\system32\ssmypics.scr
2007-01-16 00:26 393216 --a------ C:\WINDOWS\system32\ssflwbox.scr
2007-01-16 00:26 36864 --a------ C:\WINDOWS\system32\slrundll.exe
2007-01-16 00:26 24064 --a------ C:\WINDOWS\system32\spupdsvc.exe
2007-01-16 00:26 21504 --a------ C:\WINDOWS\system32\spupdwxp.exe
2007-01-16 00:26 20992 --a------ C:\WINDOWS\system32\ssmarque.scr
2007-01-16 00:26 19968 --a------ C:\WINDOWS\system32\ssbezier.scr
2007-01-16 00:26 18944 --a------ C:\WINDOWS\system32\ssmyst.scr
2007-01-16 00:26 14848 --a------ C:\WINDOWS\system32\stimon.exe
2007-01-16 00:26 14336 --a------ C:\WINDOWS\system32\ssstars.scr
2007-01-16 00:26 135680 --a------ C:\WINDOWS\system32\taskmgr.exe
2007-01-16 00:26 131584 --a------ C:\WINDOWS\system32\sndrec32.exe
2007-01-16 00:26 11776 --a------ C:\WINDOWS\system32\spnpinst.exe
2007-01-16 00:26 105984 --a------ C:\WINDOWS\system32\sysocmgr.exe
2007-01-16 00:25 95744 --a------ C:\WINDOWS\system32\scardsvr.exe
2007-01-16 00:25 9319936 --a------ C:\WINDOWS\system32\rtlcpl.exe
2007-01-16 00:25 9216 --a------ C:\WINDOWS\system32\scrnsave.scr
2007-01-16 00:25 9216 --a------ C:\WINDOWS\system32\proxycfg.exe
2007-01-16 00:25 77824 --a------ C:\WINDOWS\system32\shrpubw.exe
2007-01-16 00:25 77312 --a------ C:\WINDOWS\system32\sdbinst.exe
2007-01-16 00:25 77312 --a------ C:\WINDOWS\system32\rtcshare.exe
2007-01-16 00:25 73728 --a------ C:\WINDOWS\system32\pv_c3.exe
2007-01-16 00:25 70144 --a------ C:\WINDOWS\system32\sigverif.exe
2007-01-16 00:25 67072 --a------ C:\WINDOWS\system32\rdshost.exe
2007-01-16 00:25 62464 --a------ C:\WINDOWS\system32\rdpclip.exe
2007-01-16 00:25 56832 --a------ C:\WINDOWS\system32\rasphone.exe
2007-01-16 00:25 50176 --a------ C:\WINDOWS\system32\reg.exe
2007-01-16 00:25 50176 --a------ C:\WINDOWS\system32\proquota.exe
2007-01-16 00:25 49152 --a------ C:\WINDOWS\system32\powercfg.exe
2007-01-16 00:25 42496 --a------ C:\WINDOWS\system32\shmgrate.exe
2007-01-16 00:25 40960 --a------ C:\WINDOWS\system32\renum.exe
2007-01-16 00:25 35840 --a------ C:\WINDOWS\system32\rcimlby.exe
2007-01-16 00:25 31232 --a------ C:\WINDOWS\system32\sethc.exe
2007-01-16 00:25 26112 --a------ C:\WINDOWS\system32\skeys.exe
2007-01-16 00:25 23040 --a------ C:\WINDOWS\system32\setup.exe
2007-01-16 00:25 21504 --a------ C:\WINDOWS\system32\rcp.exe
2007-01-16 00:25 20480 --a------ C:\WINDOWS\system32\qprocess.exe
2007-01-16 00:25 19456 --a------ C:\WINDOWS\system32\shutdown.exe
2007-01-16 00:25 163840 --a------ C:\WINDOWS\system32\prfact.exe
2007-01-16 00:25 14848 --a------ C:\WINDOWS\system32\rsh.exe
2007-01-16 00:25 14336 --a------ C:\WINDOWS\system32\runonce.exe
2007-01-16 00:25 140800 --a------ C:\WINDOWS\system32\sessmgr.exe
2007-01-16 00:25 13824 --a------ C:\WINDOWS\system32\rexec.exe
2007-01-16 00:25 13824 --a------ C:\WINDOWS\system32\rdsaddin.exe
2007-01-16 00:25 13312 --a------ C:\WINDOWS\system32\savedump.exe
2007-01-16 00:25 119296 --a------ C:\WINDOWS\system32\reg_c3.exe
2007-01-16 00:25 11776 --a------ C:\WINDOWS\system32\regsvr32.exe
2007-01-16 00:24 86016 --a------ C:\WINDOWS\system32\netsh.exe
2007-01-16 00:24 794624 --a------ C:\WINDOWS\system32\nvcplui.exe
2007-01-16 00:24 76800 --a------ C:\WINDOWS\system32\nslookup.exe
2007-01-16 00:24 69632 --a------ C:\WINDOWS\system32\odbcconf.exe
2007-01-16 00:24 6144 --a------ C:\WINDOWS\system32\msdtc.exe
2007-01-16 00:24 58368 --a------ C:\WINDOWS\system32\packager.exe
2007-01-16 00:24 53760 --a------ C:\WINDOWS\system32\narrator.exe
2007-01-16 00:24 442368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-01-16 00:24 42496 --a------ C:\WINDOWS\system32\net.exe
2007-01-16 00:24 419840 --a------ C:\WINDOWS\system32\ntvdm.exe
2007-01-16 00:24 4096 --a------ C:\WINDOWS\system32\nddeapir.exe
2007-01-16 00:24 407552 --a------ C:\WINDOWS\system32\mstsc.exe
2007-01-16 00:24 36864 --a------ C:\WINDOWS\system32\netstat.exe
2007-01-16 00:24 343040 --a------ C:\WINDOWS\system32\mspaint.exe
2007-01-16 00:24 329728 --a------ C:\WINDOWS\system32\netsetup.exe
2007-01-16 00:24 32768 --a------ C:\WINDOWS\system32\odbcad32.exe
2007-01-16 00:24 215552 --a------ C:\WINDOWS\system32\osk.exe
2007-01-16 00:24 208896 --a------ C:\WINDOWS\system32\nvuninst.exe
2007-01-16 00:24 208896 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-01-16 00:24 17920 --a------ C:\WINDOWS\system32\ping.exe
2007-01-16 00:24 1622016 --a------ C:\WINDOWS\system32\nwiz.exe
2007-01-16 00:24 15872 --a------ C:\WINDOWS\system32\perfmon.exe
2007-01-16 00:24 147456 --a------ C:\WINDOWS\system32\nvcolor.exe
2007-01-16 00:24 143360 --a------ C:\WINDOWS\system32\mobsync.exe
2007-01-16 00:24 1339392 --a------ C:\WINDOWS\system32\nvdspsch.exe
2007-01-16 00:24 124928 --a------ C:\WINDOWS\system32\net1.exe
2007-01-16 00:24 123392 --a------ C:\WINDOWS\system32\mplay32.exe
2007-01-16 00:24 122880 --a------ C:\WINDOWS\system32\nx.exe
2007-01-16 00:24 12288 --a------ C:\WINDOWS\system32\mstinit.exe
2007-01-16 00:24 12288 --a------ C:\WINDOWS\system32\msfeedssync.exe
2007-01-16 00:24 111104 --a------ C:\WINDOWS\system32\netdde.exe
2007-01-16 00:23 85504 --a------ C:\WINDOWS\system32\makecab.exe
2007-01-16 00:23 815104 --a------ C:\WINDOWS\system32\mmc.exe
2007-01-16 00:23 75264 --a------ C:\WINDOWS\system32\locator.exe
2007-01-16 00:23 72704 --a------ C:\WINDOWS\system32\magnify.exe
2007-01-16 00:23 59392 --a------ C:\WINDOWS\system32\logman.exe
2007-01-16 00:23 55808 --a------ C:\WINDOWS\system32\ipconfig.exe
2007-01-16 00:23 53248 --a------ C:\WINDOWS\system32\ipv6.exe
2007-01-16 00:23 51712 --a------ C:\WINDOWS\system32\migpwd.exe
2007-01-16 00:23 514560 --a------ C:\WINDOWS\system32\logonui.exe
2007-01-16 00:23 46592 --a------ C:\WINDOWS\system32\dxdllreg.exe
2007-01-16 00:23 45568 --a------ C:\WINDOWS\system32\extrac32.exe
2007-01-16 00:23 425984 --a------ C:\WINDOWS\system32\keystone.exe
2007-01-16 00:23 42496 --a------ C:\WINDOWS\system32\ftp.exe
2007-01-16 00:23 39424 --a------ C:\WINDOWS\system32\grpconv.exe
2007-01-16 00:23 32768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2007-01-16 00:23 27136 --a------ C:\WINDOWS\system32\findstr.exe
2007-01-16 00:23 23552 --a------ C:\WINDOWS\system32\ipxroute.exe
2007-01-16 00:23 220672 --a------ C:\WINDOWS\system32\logon.scr
2007-01-16 00:23 20992 --a------ C:\WINDOWS\system32\fontview.exe
2007-01-16 00:23 20992 --a------ C:\WINDOWS\system32\faxpatch.exe
2007-01-16 00:23 193024 --a------ C:\WINDOWS\system32\eudcedit.exe
2007-01-16 00:23 180224 --a------ C:\WINDOWS\system32\dwwin.exe
2007-01-16 00:23 172544 --a------ C:\WINDOWS\system32\jview.exe
2007-01-16 00:23 15360 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2007-01-16 00:23 150016 --a------ C:\WINDOWS\system32\imapi.exe
2007-01-16 00:23 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2007-01-16 00:23 1298432 --a------ C:\WINDOWS\system32\dxdiag.exe
2007-01-16 00:23 114688 --a------ C:\WINDOWS\system32\iexpress.exe
2007-01-16 00:22 98304 --a------ C:\WINDOWS\system32\cscript.exe
2007-01-16 00:22 85504 --a------ C:\WINDOWS\system32\diantz.exe
2007-01-16 00:22 83456 --a------ C:\WINDOWS\system32\dpvsetup.exe
2007-01-16 00:22 82432 --a------ C:\WINDOWS\system32\dfrgfat.exe
2007-01-16 00:22 63488 --a------ C:\WINDOWS\system32\cmstp.exe
2007-01-16 00:22 49664 --a------ C:\WINDOWS\system32\clspack.exe
2007-01-16 00:22 47104 --a------ C:\WINDOWS\system32\cmdl32.exe
2007-01-16 00:22 39936 --a------ C:\WINDOWS\system32\cmmon32.exe
2007-01-16 00:22 388608 --a------ C:\WINDOWS\system32\cmd.exe
2007-01-16 00:22 30208 --a------ C:\WINDOWS\system32\dplaysvr.exe
2007-01-16 00:22 30208 --a------ C:\WINDOWS\system32\ddeshare.exe
2007-01-16 00:22 27648 --a------ C:\WINDOWS\system32\conime.exe
2007-01-16 00:22 25088 --a------ C:\WINDOWS\system32\defrag.exe
2007-01-16 00:22 249856 --a------ C:\WINDOWS\system32\drmupgds.exe
2007-01-16 00:22 224768 --a------ C:\WINDOWS\system32\dmadmin.exe
2007-01-16 00:22 18432 --a------ C:\WINDOWS\system32\dpnsvr.exe
2007-01-16 00:22 17920 --a------ C:\WINDOWS\system32\dvdupgrd.exe
2007-01-16 00:22 163840 --a------ C:\WINDOWS\system32\diskpart.exe
2007-01-16 00:22 15872 --a------ C:\WINDOWS\system32\dmremote.exe
2007-01-16 00:22 10752 --a------ C:\WINDOWS\system32\dumprep.exe
2007-01-16 00:21 98304 --a------ C:\WINDOWS\system32\ahui.exe
2007-01-16 00:21 71680 --a------ C:\WINDOWS\system32\blastcln.exe
2007-01-16 00:21 64000 --a------ C:\WINDOWS\system32\cleanmgr.exe
2007-01-16 00:21 5632 --a------ C:\WINDOWS\system32\cisvc.exe
2007-01-16 00:21 454656 --a------ C:\WINDOWS\system32\capabilitytable.exe
2007-01-16 00:21 40960 --a------ C:\WINDOWS\system32\chcfg.exe
2007-01-16 00:21 4096 --a------ C:\WINDOWS\system32\actmovie.exe
2007-01-16 00:21 33280 --a------ C:\WINDOWS\system32\clipsrv.exe
2007-01-16 00:21 25088 --a------ C:\WINDOWS\system32\at.exe
2007-01-16 00:21 20480 --a------ C:\WINDOWS\system32\cliconfg.exe
2007-01-16 00:21 183808 --a------ C:\WINDOWS\system32\accwiz.exe
2007-01-16 00:21 14336 --a------ C:\WINDOWS\system32\auditusr.exe
2007-01-16 00:21 11264 --a------ C:\WINDOWS\system32\atmadm.exe
2007-01-16 00:21 102912 --a------ C:\WINDOWS\system32\clipbrd.exe

Read more here
http://www.pandasoftware.com/com/virus_inf...epanda=empresas

The best route to ensure that the infection is totally gone is reformatting.
But NOD32 and other virus scanners have been taught how to disinfect.
This is the route that you may want to try, although formatting and starting clean is an alternative.

Let's make sure that you're clean please.
I know you already had Panda installed, but it may have been infected before running.
Can you do the following:
Use Internet Explorer and run the online Panda ActiveScan
    * Once you are on the Panda site click the Scan your PC button at the bottom of the page
    * A new window will open...click the big Check Now button.
    * Enter your Country.
    * Enter your State/Province.
    * Enter your e-mail address.
    * Select either "Home User or Company."
    * Click the big Scan Now button.
    * Allow the ActiveX component to install and download the files required for the scan. This may take a couple of minutes.
    * Click on Local Disks to start the scan.

When the scan is complete, click See Report, then click Save Report and save it to your Desktop.

Post a fresh HijackThis log afterwards and the full report from Panda, please.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


ep0xy
Parite.B got me :(
« Reply #16 on: January 19, 2007, 07:05:24 AM »
Logfile of HijackThis v1.99.1
Scan saved at 7:03:03 AM, on 1/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\program files\steam\steam.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MMTaskbar\MultiMon.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Excursion9.5\mIRC.ExCurSioN.exe
C:\Program Files\Ventrilo\Ventrilo.exe
C:\Documents and Settings\Administrator\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://localhost:3476/cgi-bin/ncgir.exe?menu/fwl_index.html
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [nTrayFw] C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nTrayFw.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\\nTune.exe" clear
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Internet Sweeper] C:\WINDOWS\SYSTEM32\SWEEPER.EXE /Q
O4 - HKCU\..\Run: [Steam] "c:\program files\steam\steam.exe" -silent
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: MultiMon Taskbar.lnk = C:\Program Files\MMTaskbar\MultiMon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1159461737484
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1159463988281
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
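A log like the one above is read by eye in these threads, but the same triage can be scripted. The following is an added example, not part of the thread and not HijackThis's own code: it parses HijackThis-style lines, groups the many identical O10 Winsock LSP lines into one count per DLL, lists O4 autoruns whose command is a bare file name (resolved through the search path, so the file that actually runs has to be verified on disk), and flags O23 services whose owner is unknown or whose binary is reported missing. The sample input is constructed from a few lines of the log posted above; the heuristics are generic review checks, not verdicts on any entry.

```python
"""Triage helper for HijackThis-style logs (added example, not a HijackThis tool)."""
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Internet Sweeper] C:\WINDOWS\SYSTEM32\SWEEPER.EXE /Q
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe" -k runservice (file missing)
"""

# Every HijackThis line starts with a section code (R0, O4, O23, ...) followed by " - ".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
# O4 Run entries: "<hive>: [<value name>] <command>"
O4_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


def parse_log(text):
    """Return a list of (section, body) tuples; non-matching lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def executable_of(cmd):
    """Program part of an autorun command: strip surrounding quotes and arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split(" ", 1)[0]


def is_bare_name(exe):
    # No directory component: the loader resolves it via the search path,
    # so which file actually runs must be confirmed on disk.
    return "\\" not in exe and "/" not in exe


def lsp_counts(entries):
    """Collapse repeated O10 lines into one count per lower-cased DLL path."""
    counts = Counter()
    for section, body in entries:
        if section == "O10":
            # body reads "Unknown file in Winsock LSP: <path>"; split on the first colon
            _, _, path = body.partition(":")
            counts[path.strip().lower()] += 1
    return counts


def bare_autoruns(entries):
    """O4 Run entries whose command names an executable without a directory."""
    found = []
    for section, body in entries:
        if section != "O4":
            continue
        m = O4_RE.match(body)
        if m:
            exe = executable_of(m.group("cmd"))
            if is_bare_name(exe):
                found.append((m.group("name"), exe))
    return found


def service_flags(entries):
    """O23 services worth checking first: owner unknown or binary reported missing."""
    flagged = []
    for section, body in entries:
        if section != "O23":
            continue
        reasons = []
        if " - Unknown owner - " in body:
            reasons.append("unknown owner")
        if body.rstrip().endswith("(file missing)"):
            reasons.append("file missing")
        if reasons:
            flagged.append((body, reasons))
    return flagged


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for path, n in lsp_counts(entries).items():
        print(f"O10 LSP {path}: listed {n} times")
    for name, exe in bare_autoruns(entries):
        print(f"O4 [{name}] runs bare name {exe!r}: confirm the file on disk")
    for body, reasons in service_flags(entries):
        print(f"O23 {body[:60]}...: {', '.join(reasons)}")
```

Run it against a saved log by replacing SAMPLE_LOG with the file's contents. The O10 count answers the "why does this appear a ton" question only in the sense that it turns eighteen identical lines into one line with a number; whether the DLL is legitimate is still decided by checking the file and its vendor, which the script does not attempt.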

ep0xy
Parite.B got me :(
« Reply #17 on: January 19, 2007, 11:37:51 AM »
Here's what the ActiveScan said; it also said you had to pay to disinfect:


Spyware:Cookie/Doubleclick  Not disinfected  C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jtt4h8oq.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Tribalfusion  Not disinfected  C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jtt4h8oq.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/Atlas DMT  Not disinfected  C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\jtt4h8oq.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Casalemedia  Not disinfected  C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.casalemedia.com/]
Spyware:Cookie/YieldManager  Not disinfected  C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[ad.yieldmanager.com/]
Spyware:Cookie/RealMedia  Not disinfected  C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.realmedia.com/]
Spyware:Cookie/Adrevolver  Not disinfected  C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.adrevolver.com/]
Spyware:Cookie/Atwola  Not disinfected  C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.atwola.com/]
Spyware:Cookie/Com.com  Not disinfected  C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.com.com/]
Spyware:Cookie/Atlas DMT  Not disinfected  C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.atdmt.com/]
Spyware:Cookie/Mediaplex  Not disinfected  C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.mediaplex.com/]
Spyware:Cookie/Advertising  Not disinfected  C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.advertising.com/]
Spyware:Cookie/FastClick  Not disinfected  C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.fastclick.net/]
Spyware:Cookie/Doubleclick  Not disinfected  C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.doubleclick.net/]
Spyware:Cookie/Coremetrics  Not disinfected  C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[data.coremetrics.com/]
Spyware:Cookie/Traffic Marketplace  Not disinfected  C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.trafficmp.com/]
Spyware:Cookie/Tribalfusion  Not disinfected  C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.tribalfusion.com/]
Spyware:Cookie/2o7  Not disinfected  C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.2o7.net/]
Spyware:Cookie/QuestionMarket  Not disinfected  C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.questionmarket.com/]
Spyware:Cookie/Hitbox  Not disinfected  C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.hitbox.com/]
Spyware:Cookie/Adtech  Not disinfected  C:\Documents and Settings\ep0xy\Application Data\Mozilla\Firefox\Profiles\7o8920gh.default\cookies.txt[.adtech.de/]
Spyware:Cookie/Atwola  Not disinfected  C:\Documents and Settings\ep0xy\Cookies\ep0xy@atwola[1].txt
Potentially unwanted tool:Application/MotherboardMonitor.A

guestolo (Administrator)
Parite.B got me :(
« Reply #18 on: January 19, 2007, 12:13:36 PM »
Don't worry about Panda.
It only identified some cookies; this looks very promising :)

One last step if you could, ep0xy

Do you have other computers sharing this network?
If so, including this computer,
can you do the following:

Download >> save, then unzip to desktop f-parite.zip from F-Secure

Do this on each computer in the household

After unzipping to desktop:
Disconnect from the Net, close all unnecessary running programs.
Double click on f-parite.com.
It will scan your drives for infected files; if any are found it will proceed with disinfection.

Reboot the computer when it's done

Let me know what it finds, if anything


ep0xy
Parite.B got me :(
« Reply #19 on: January 19, 2007, 05:19:00 PM »
None found, seems OK, still a little wary something's lurking around still. When I scan with AVG there are some files it can't open; it says locked.
Some are system restore files.
Also, what is O10 - Unknown file in Winsock LSP: c:\windows\system32\nvappfilter.dll

That appears a ton in the HijackThis log. What is the unknown file in my Winsock LSP: c:\windows\system32\nvappfilter.dll?


Also, what bit defender do you use?
« Last Edit: January 19, 2007, 05:26:57 PM by ep0xy »