Welcome to Tech Support Forum home to more then 136,000 problems solved. Issues have included: Spyware, Malware, Virus Issues, Windows, Microsoft, Linux, Networking, Security, Hardware, and Gaming Getting your problem solved is as easy as:
1. Registering for a free account
2. Asking your question
3. Receiving an answer

Registered members:
* Get free support
* Communicate privately with other members (PM).
* Removal of this message
* See fewer ads.
* And much more..

 


Want to know how to post a question? click here Having problems with spyware and pop-ups? First Steps
Go Back   Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > HijackThis Log Help (Inactive)
Reload this Page Unable to Quarantine - Rootkit.Dayoff.Process
User Name
Password
Site Map Register Donate Rules Blogs Mark Forums Read


 
 
LinkBack Thread Tools
Old 08-08-2007, 09:43 PM   #1 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 5
OS: XP Pro


Unable to Quarantine - Rootkit.Dayoff.Process
I ran a standard Spybot SD scan and came up with a Rootkit.Dayoff.Process spyware application that cannot be quarantined or removed due to use of memory. I tried other spyware detectors and many came up with the same error while others couldnt even find it. I have noticed my computer running a little slower, but otherwise there are no effects.

Here is my activescan:


Incident Status Location

Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Bubbles\Cookies\bubbles@com[1].txt
Adware:Adware/NavHelper Not disinfected C:\Documents and Settings\Bubbles\My Documents\Stuff which does Stuff\areslite181.exe
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Karl Malone Jr\Cookies\karl malone jr@atwola[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Karl Malone Jr\Cookies\karl malone jr@target[1].txt
Virus:Trj/Downloader.MM Disinfected C:\Documents and Settings\Karl Malone Jr\Local Settings\Temporary Internet Files\Content.IE5\LIZH3SW4\QDow_AS2[1].cab
Virus:Trj/Downloader.FK Disinfected C:\Documents and Settings\Karl Malone Jr\Local Settings\Temporary Internet Files\Content.IE5\LIZH3SW4\stc[1].htm


and here is my Deckard's

Deckard's System Scanner v20070807.62
Run by Bubbles on 2007-08-08 at 22:27:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
53: 2007-08-09 03:27:46 UTC - RP1070 - Deckard's System Scanner Restore Point
52: 2007-08-09 01:00:19 UTC - RP1069 - Spybot-S&D Spyware removal
51: 2007-08-09 00:35:12 UTC - RP1068 - Software Distribution Service 3.0
50: 2007-08-09 00:00:27 UTC - RP1067 - Software Distribution Service 3.0
49: 2007-08-08 23:54:33 UTC - RP1066 - Software Distribution Service 3.0


-- First Restore Point --
1: 2007-06-10 18:34:56 UTC - RP1018 - Removed Rome: Total War - Barbarian Invasion


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Bubbles.exe) ---------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:31:01 PM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\Winampa.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\SpyCatcher\Protector.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Bubbles\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Bubbles.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://channels.aimtoday.com/search/aimtoolbar.jsp
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wisc.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [SpyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe reminder
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B982165F-FD54-4A2B-A38B-C96FB623FCA4}: Domain = caenn.wisc.edu
O20 - AppInit_DLLs: secuload.dll
O20 - Winlogon Notify: winzlo32 - winzlo32.dll (file missing)
O21 - SSODL: StreetPlugin - {7F7B01B8-7DFD-2740-85E6-D43D722EA4F5} - C:\Program Files\Learn2.com\StRunner\stcurs.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8366 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 omci (OMCI WDM Device Driver) - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>
R2 ASCTRM - c:\windows\system32\drivers\asctrm.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>

S2 windev-2fb9-6d4 - c:\windows\system32\windev-2fb9-6d4.sys (file missing)
S3 bvrp_pci - c:\windows\system32\drivers\bvrp_pci.sys
S3 Pcouffin (Low level access layer for CD devices) - c:\windows\system32\drivers\pcouffin.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

All services whitelisted.


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Cisco Systems VPN Adapter
Device ID: ROOT\NET\0001
Manufacturer: Cisco Systems
Name: Cisco Systems VPN Adapter
PNP Device ID: ROOT\NET\0001
Service: CVirtA


-- Scheduled Tasks -------------------------------------------------------------

2007-08-08 19:40:02 428 --a------ C:\WINDOWS\Tasks\Symantec NetDetect.job
2004-06-08 22:30:00 258 --a------ C:\WINDOWS\Tasks\ISP signup reminder 1.job


-- Files created between 2007-07-08 and 2007-08-08 -----------------------------

2007-08-08 22:30:47 0 d-------- C:\Program Files\Trend Micro
2007-08-08 19:03:39 0 d-------- C:\WINDOWS\network diagnostic
2007-08-08 17:30:07 0 d-------- C:\WINDOWS\system32\ActiveScan
2007-08-07 16:33:24 0 d-------- C:\Documents and Settings\Bubbles\Application Data\Tenebril
2007-08-07 07:11:16 40960 --a-s---- C:\WINDOWS\system32\ProcessKiller.dll
2007-08-07 07:11:16 0 d-------- C:\Program Files\SpyCatcher
2007-08-07 07:05:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Tenebril
2007-08-07 07:05:49 0 d-------- C:\WINDOWS\system32\tenarchlib
2007-08-07 07:05:49 180224 --a-s---- C:\WINDOWS\system32\archlib.dll <Not Verified; Tenebril Incorporated; Tenebril architecture technology>


-- Find3M Report ---------------------------------------------------------------

2007-08-08 19:40:16 0 d-------- C:\Program Files\Symantec AntiVirus
2007-08-08 18:28:34 0 d-------- C:\Program Files\Winamp
2007-08-08 18:27:22 0 d-------- C:\Program Files\QuickTime
2007-08-08 18:19:18 0 d-------- C:\Program Files\Dell Photo AIO Printer 924
2007-08-08 18:17:32 0 d-------- C:\Program Files\America Online 9.0
2007-08-08 18:17:21 0 d-------- C:\Program Files\AIM
2007-08-08 17:22:58 0 d-------- C:\Program Files\Viewpoint
2007-08-07 17:58:50 0 d-------- C:\Program Files\AWS
2007-08-06 22:36:17 0 d-------- C:\Documents and Settings\Bubbles\Application Data\Azureus
2007-08-05 20:36:52 0 d-------- C:\Program Files\World of Warcraft
2007-07-18 16:31:37 0 d-------- C:\Program Files\Dl_cats
2007-06-14 23:52:04 0 d-------- C:\Program Files\AVI DivX MPEG to DVD Converter & Burner Pro
2007-06-14 23:25:13 0 d-------- C:\Program Files\Cucusoft
2007-06-10 13:43:26 0 d-------- C:\Program Files\Common Files\InstallShield
2007-06-10 13:43:13 0 d--h----- C:\Program Files\InstallShield Installation Information


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [08/24/2003 09:10 PM]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [09/03/2003 08:12 PM]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [08/26/2003 07:47 PM]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [03/15/2004 01:04 AM]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [08/19/2003 01:01 AM]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [06/03/2004 07:34 AM]
"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" [04/01/2003 09:20 PM]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [08/02/2004 07:36 PM]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [10/02/2004 02:15 PM]
"dlccmon.exe"="C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe" [07/22/2005 03:03 PM]
"SpyCatcher Reminder"="C:\Program Files\SpyCatcher\SpyCatcher.exe" [07/09/2007 10:56 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [10/13/2004 11:24 AM]
"AIM"="C:\Program Files\AIM\aim.exe" [09/01/2004 11:26 AM]
"NOMAD Detector"="C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE" [07/27/2000 02:00 AM]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" []
"Sonic RecordNow!"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]

C:\Documents and Settings\Bubbles\Start Menu\Programs\Startup\
DESKTOP.INI [3/20/2004 12:58:38 PM]
Scheduler.lnk - C:\Program Files\SpyCatcher\Scheduler daemon.exe [8/7/2007 7:11:19 AM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [12/14/2004 4:44:06 AM]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [5/15/2005 3:38:41 PM]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [9/14/2006 5:30:48 PM]
DESKTOP.INI [3/20/2004 12:58:38 PM]
Digimax Viewer 2.1.lnk - C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe [1/18/2005 4:41:03 AM]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2/13/2001 1:01:04 AM]
SpyCatcher Protector.lnk - C:\Program Files\SpyCatcher\Protector.exe [8/7/2007 7:11:19 AM]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [9/12/2004 12:12:15 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"StreetPlugin"= {7F7B01B8-7DFD-2740-85E6-D43D722EA4F5} - C:\Program Files\Learn2.com\StRunner\stcurs.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzlo32]
winzlo32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=secuload.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"




-- End of Deckard's System Scanner: finished at 2007-08-08 at 22:32:37 ---------



any help will be greatly appreciated.
Thank You.
Attached Files
File Type: txt extra.txt (17.3 KB, 1 views)
pizac is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Important Information
Join the #1 Tech Support Forum Today - It's Totally Free!

TechSupportForum.com is a leading support website for your computer needs. We offer free, friendly and personalized computer support. Why pay to have your computer fixed when you can do it for free.

Join TechSupportforum.com Today - Click Here

Old 08-08-2007, 11:19 PM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,355
OS: N/A


Re: Unable to Quarantine - Rootkit.Dayoff.Process
1. Download & Save this file to Desktop -> http://download.bleepingcomputer.com...a/ComboFix.exe

2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that & a fresh Hijackthis log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-09-2007, 04:48 PM   #3 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 5
OS: XP Pro


Re: Unable to Quarantine - Rootkit.Dayoff.Process
here is my ComboFix:

ComboFix 07-08-09.6 - "Bubbles" 2007-08-09 17:15:10.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.566 [GMT -5:00]


((((((((((((((((((((((((( Files Created from 2007-07-09 to 2007-08-09 )))))))))))))))))))))))))))))))


2007-08-09 06:45 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-08 22:30 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-08 22:27 <DIR> d-------- C:\Deckard
2007-08-08 19:03 33,792 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\custsat.dll
2007-08-08 19:03 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-08-08 17:30 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-08-07 16:33 <DIR> d-------- C:\DOCUME~1\Bubbles\APPLIC~1\Tenebril
2007-08-07 07:11 40,960 --a-s---- C:\WINDOWS\SYSTEM32\ProcessKiller.dll
2007-08-07 07:11 169,544 --a-s---- C:\WINDOWS\SYSTEM32\SecuLoad.dll
2007-08-07 07:11 1,103,944 --a-s---- C:\WINDOWS\SYSTEM32\Protector.dll
2007-08-07 07:11 <DIR> d-------- C:\Program Files\SpyCatcher
2007-08-07 07:05 180,224 --a-s---- C:\WINDOWS\SYSTEM32\archlib.dll
2007-08-07 07:05 <DIR> d-------- C:\WINDOWS\SYSTEM32\tenarchlib
2007-08-07 07:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tenebril


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-08 19:40 --------- d-------- C:\Program Files\Symantec AntiVirus
2007-08-08 18:28 --------- d-------- C:\Program Files\Winamp
2007-08-08 18:27 --------- d-------- C:\Program Files\QuickTime
2007-08-08 18:19 --------- d-------- C:\Program Files\Dell Photo AIO Printer 924
2007-08-08 18:17 --------- d-------- C:\Program Files\America Online 9.0
2007-08-08 18:17 --------- d-------- C:\Program Files\AIM
2007-08-08 17:22 --------- d-------- C:\Program Files\Viewpoint
2007-08-07 17:58 --------- d-------- C:\Program Files\AWS
2007-08-06 22:36 --------- d-------- C:\DOCUME~1\Bubbles\APPLIC~1\Azureus
2007-08-05 20:36 --------- d-------- C:\Program Files\World of Warcraft
2007-07-18 16:31 --------- d-------- C:\Program Files\Dl_cats
2007-06-14 23:52 --------- d-------- C:\Program Files\AVI DivX MPEG to DVD Converter & Burner Pro
2007-06-14 23:25 --------- d-------- C:\Program Files\Cucusoft
2007-06-10 13:43 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-10 13:43 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-05-16 10:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 10:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 10:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 10:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 10:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 10:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
2006-12-20 13:08 55160 --a------ C:\DOCUME~1\Bubbles\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-24 21:10]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 19:47]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 01:04]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-06-03 07:34]
"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" [2003-04-01 21:20]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-08-02 19:36]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-10-02 14:15]
"dlccmon.exe"="C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 15:03]
"SpyCatcher Reminder"="C:\Program Files\SpyCatcher\SpyCatcher.exe" [2007-07-09 10:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-09-01 11:26]
"NOMAD Detector"="C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE" [2000-07-27 02:00]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" []
"Sonic RecordNow!"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

C:\Documents and Settings\Bubbles\Start Menu\Programs\Startup\
DESKTOP.INI [2004-03-20 12:58:38]
Scheduler.lnk - C:\Program Files\SpyCatcher\Scheduler daemon.exe [2007-08-07 07:11:19]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-05-15 15:38:41]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-09-14 17:30:48]
DESKTOP.INI [2004-03-20 12:58:38]
Digimax Viewer 2.1.lnk - C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe [2005-01-18 04:41:03]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
SpyCatcher Protector.lnk - C:\Program Files\SpyCatcher\Protector.exe [2007-08-07 07:11:19]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-09-12 12:12:15]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"StreetPlugin"= {7F7B01B8-7DFD-2740-85E6-D43D722EA4F5} - C:\Program Files\Learn2.com\StRunner\stcurs.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzlo32]
winzlo32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=secuload.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Notification Packages"= scecli scecli

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
R2 CVPNDRVA;Cisco Systems IPsec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
R3 IntelC51;IntelC51;C:\WINDOWS\system32\DRIVERS\IntelC51.sys
R3 IntelC52;IntelC52;C:\WINDOWS\system32\DRIVERS\IntelC52.sys
R3 IntelC53;IntelC53;C:\WINDOWS\system32\DRIVERS\IntelC53.sys
R3 mohfilt;mohfilt;C:\WINDOWS\system32\DRIVERS\mohfilt.sys
S2 windev-2fb9-6d4;windev-2fb9-6d4;\??\C:\WINDOWS\system32\windev-2fb9-6d4.sys
S3 bvrp_pci;bvrp_pci;C:\WINDOWS\system32\drivers\bvrp_pci.sys
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
S3 Oasis;Oasis;C:\WINDOWS\system32\DRIVERS\Oasisusb.sys

*Newly Created Service* - CATCHME

Contents of the 'Scheduled Tasks' folder
2004-06-09 03:30:00 C:\WINDOWS\Tasks\ISP signup reminder 1.job - C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
2007-08-09 20:40:12 C:\WINDOWS\Tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-09 17:40:57
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwQueryDirectoryFile

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-09 17:45:33
C:\ComboFix2.txt ... 2007-08-09 07:14

--- E O F ---






and here is my hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:46:58 PM, on 8/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Winamp\Winampa.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Samsung\Digimax Viewer 2.1\STImgBrowser.exe
C:\Program Files\SpyCatcher\Protector.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\cmd.exe
C:\ComboFix\vfind.cfexe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wisc.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [SpyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe reminder
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B982165F-FD54-4A2B-A38B-C96FB623FCA4}: Domain = caenn.wisc.edu
O20 - AppInit_DLLs: secuload.dll
O20 - Winlogon Notify: winzlo32 - winzlo32.dll (file missing)
O21 - SSODL: StreetPlugin - {7F7B01B8-7DFD-2740-85E6-D43D722EA4F5} - C:\Program Files\Learn2.com\StRunner\stcurs.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 8317 bytes
pizac is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-09-2007, 05:13 PM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,355
OS: N/A


Re: Unable to Quarantine - Rootkit.Dayoff.Process
Go to Start > Control Panel > Add or Remove Programs and uninstall the following programs:
  • ViewPoint
    AWS\Weatherbug
Please note any other programs that you dont recognize in that list in your next response


---------------


Do a HijackThis scan & place a check next to these items and select "Fix checked":

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O4 - Global Startup: Digimax Viewer 2.1.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O20 - Winlogon Notify: winzlo32 - winzlo32.dll (file missing)
O21 - SSODL: StreetPlugin - {7F7B01B8-7DFD-2740-85E6-D43D722EA4F5} - C:\Program Files\Learn2.com\StRunner\stcurs.dll (file missing)


---------------


Open notepad and copy/paste the text in the quotebox below into it:

Code:
http://www.techsupportforum.com/security-center/hijackthis-log-help/173068-unable-quarantine-rootkit-dayoff-process.html
Collect::
C:\WINDOWS\system32\windev-2fb9-6d4.sys
Folder::
C:\Program Files\Viewpoint
C:\Program Files\AWS
Driver::
windev-2fb9-6d4
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"StreetPlugin"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzlo32]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,63,65,63,6c,69,00,00
Save this as "CFScript"




Refering to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply.


---------------


Click here perform an online scan >> Online Scanner


---------------


In your next post, please include fresh logs from:
  1. Fresh Hijackthis log taken just before replying
  2. Online scan
  3. ComboFix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-09-2007, 05:13 PM   #5 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,355
OS: N/A


Re: Unable to Quarantine - Rootkit.Dayoff.Process
This is to be performed after you have posted the required logs.

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u1 - http://java.sun.com/javase/downloads/index.jsp
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u2-windowsi586-p.exe to install the newest version.
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-09-2007, 10:25 PM   #6 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 5
OS: XP Pro


Re: Unable to Quarantine - Rootkit.Dayoff.Process
i was unable to find any of the programs in add/remove programs

combofix had me submit this file to its website for further analysis:

C:\DOCUME~1\Bubbles\Desktop.\[4]-Submit_2007-08-09_190115.89.zip


here is my combofix log:

ComboFix 07-08-09.6 - "Bubbles" 2007-08-09 19:01:17.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.560 [GMT -5:00]
Command switches used :: C:\Documents and Settings\Bubbles\Desktop\CFScript.txt
* Created a new restore point


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\AWS
C:\Program Files\Viewpoint


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_WINDEV-2FB9-6D4
-------\windev-2fb9-6d4


((((((((((((((((((((((((( Files Created from 2007-07-10 to 2007-08-10 )))))))))))))))))))))))))))))))


2007-08-09 06:45 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-08 22:30 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-08 22:27 <DIR> d-------- C:\Deckard
2007-08-08 19:03 33,792 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\custsat.dll
2007-08-08 19:03 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-08-08 17:30 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-08-07 16:33 <DIR> d-------- C:\DOCUME~1\Bubbles\APPLIC~1\Tenebril
2007-08-07 07:11 40,960 --a-s---- C:\WINDOWS\SYSTEM32\ProcessKiller.dll
2007-08-07 07:11 169,544 --a-s---- C:\WINDOWS\SYSTEM32\SecuLoad.dll
2007-08-07 07:11 1,103,944 --a-s---- C:\WINDOWS\SYSTEM32\Protector.dll
2007-08-07 07:11 <DIR> d-------- C:\Program Files\SpyCatcher
2007-08-07 07:05 180,224 --a-s---- C:\WINDOWS\SYSTEM32\archlib.dll
2007-08-07 07:05 <DIR> d-------- C:\WINDOWS\SYSTEM32\tenarchlib
2007-08-07 07:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tenebril


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-09 20:28 --------- d-------- C:\Program Files\Symantec AntiVirus
2007-08-08 18:28 --------- d-------- C:\Program Files\Winamp
2007-08-08 18:27 --------- d-------- C:\Program Files\QuickTime
2007-08-08 18:19 --------- d-------- C:\Program Files\Dell Photo AIO Printer 924
2007-08-08 18:17 --------- d-------- C:\Program Files\America Online 9.0
2007-08-08 18:17 --------- d-------- C:\Program Files\AIM
2007-08-06 22:36 --------- d-------- C:\DOCUME~1\Bubbles\APPLIC~1\Azureus
2007-08-05 20:36 --------- d-------- C:\Program Files\World of Warcraft
2007-07-18 16:31 --------- d-------- C:\Program Files\Dl_cats
2007-06-14 23:52 --------- d-------- C:\Program Files\AVI DivX MPEG to DVD Converter & Burner Pro
2007-06-14 23:25 --------- d-------- C:\Program Files\Cucusoft
2007-06-10 13:43 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-06-10 13:43 --------- d-------- C:\Program Files\Common Files\InstallShield
2007-05-16 10:12 86528 --------- C:\WINDOWS\system32\dllcache\directdb.dll
2007-05-16 10:12 85504 --------- C:\WINDOWS\system32\dllcache\wabimp.dll
2007-05-16 10:12 683520 --a------ C:\WINDOWS\system32\inetcomm.dll
2007-05-16 10:12 683520 --------- C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-05-16 10:12 510976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
2007-05-16 10:12 1314816 --------- C:\WINDOWS\system32\dllcache\msoe.dll
2006-12-20 13:08 55160 --a------ C:\DOCUME~1\Bubbles\APPLIC~1\GDIPFONTCACHEV1.DAT


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-08-24 21:10]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12]
"PCMService"="C:\Program Files\Dell\Media Experience\PCMService.exe" [2003-08-26 19:47]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-03-15 01:04]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 01:01]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2004-06-03 07:34]
"WinampAgent"="C:\Program Files\Winamp\Winampa.exe" [2003-04-01 21:20]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-08-02 19:36]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-10-02 14:15]
"dlccmon.exe"="C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe" [2005-07-22 15:03]
"SpyCatcher Reminder"="C:\Program Files\SpyCatcher\SpyCatcher.exe" [2007-07-09 10:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"AIM"="C:\Program Files\AIM\aim.exe" [2004-09-01 11:26]
"NOMAD Detector"="C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE" [2000-07-27 02:00]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" []
"Sonic RecordNow!"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

C:\Documents and Settings\Bubbles\Start Menu\Programs\Startup\
DESKTOP.INI [2004-03-20 12:58:38]
Scheduler.lnk - C:\Program Files\SpyCatcher\Scheduler daemon.exe [2007-08-07 07:11:19]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-05-15 15:38:41]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2006-09-14 17:30:48]
DESKTOP.INI [2004-03-20 12:58:38]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]
SpyCatcher Protector.lnk - C:\Program Files\SpyCatcher\Protector.exe [2007-08-07 07:11:19]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2004-09-12 12:12:15]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
@=

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=secuload.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
R2 CVPNDRVA;Cisco Systems IPsec Driver;\??\C:\WINDOWS\system32\Drivers\CVPNDRVA.sys
R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
R3 IntelC51;IntelC51;C:\WINDOWS\system32\DRIVERS\IntelC51.sys
R3 IntelC52;IntelC52;C:\WINDOWS\system32\DRIVERS\IntelC52.sys
R3 IntelC53;IntelC53;C:\WINDOWS\system32\DRIVERS\IntelC53.sys
R3 mohfilt;mohfilt;C:\WINDOWS\system32\DRIVERS\mohfilt.sys
S3 bvrp_pci;bvrp_pci;C:\WINDOWS\system32\drivers\bvrp_pci.sys
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
S3 Oasis;Oasis;C:\WINDOWS\system32\DRIVERS\Oasisusb.sys


Contents of the 'Scheduled Tasks' folder
2004-06-09 03:30:00 C:\WINDOWS\Tasks\ISP signup reminder 1.job - C:\WINDOWS\System32\OOBE\OOBEBALN.EXE
2007-08-10 01:29:02 C:\WINDOWS\Tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-09 20:28:43
Windows 5.1.2600 Service Pack 2 NTFS

detected NTDLL code modification:
ZwQueryDirectoryFile

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-09 20:33:27 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-09 20:33
C:\ComboFix2.txt ... 2007-08-09 17:45
C:\ComboFix3.txt ... 2007-08-09 07:14

--- E O F ---



here is my online scan (did my computer scan):

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00F80000.VBN Infected: Backdoor.Win32.SdBot.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00F80001.VBN Infected: Backdoor.Win32.SdBot.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04200000.VBN Infected: Trojan-Downloader.Win32.Murlo.a skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04200001.VBN Infected: Trojan-Downloader.Win32.Murlo.a skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04400000.VBN Infected: Backdoor.Win32.SdBot.gen skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06540000.VBN Infected: Trojan-Clicker.Win32.Small.kb skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06540001.VBN Infected: Trojan-Clicker.Win32.Small.kb skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08DC0000.VBN Infected: P2P-Worm.Win32.SpyBot.gl skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08DC0001.VBN Infected: P2P-Worm.Win32.SpyBot.gl skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B940000.VBN Infected: P2P-Worm.Win32.SpyBot.gl skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C780000.VBN Infected: Email-Worm.Win32.Zhelatin.fi skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C780001.VBN Infected: Email-Worm.Win32.Zhelatin.fi skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C780002.VBN Infected: Email-Worm.Win32.Zhelatin.fi skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C780003.VBN Infected: Email-Worm.Win32.Zhelatin.fi skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C780004.VBN Infected: Email-Worm.Win32.Zhelatin.fi skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C780005.VBN Infected: Email-Worm.Win32.Zhelatin.fi skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CBC0000.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CBC0001.VBN Infected: Trojan-Downloader.Win32.Agent.acd skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EB00000.VBN Infected: Packed.Win32.Tibs.ab skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20540000.VBN Infected: Trojan-Downloader.Win32.Murlo.a skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40000.VBN Infected: Trojan-Downloader.Win32.Murlo.a skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40001.VBN Infected: Trojan-Downloader.Win32.Murlo.a skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40002.VBN Infected: Trojan-Downloader.Win32.Murlo.a skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40003.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40004.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40005.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40006.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40007.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40008.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40009.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4000A.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4000B.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4000C.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4000D.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4000E.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4000F.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40010.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40011.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40012.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40013.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40014.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40015.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40016.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40017.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40018.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40019.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4001A.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4001B.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4001C.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4001D.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4001E.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4001F.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40020.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40021.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40022.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40023.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40024.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40025.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40026.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40027.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40028.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40029.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4002A.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4002B.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4002C.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4002D.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4002E.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4002F.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40030.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40031.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40032.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40033.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40034.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40035.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40036.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40037.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40038.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40039.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4003A.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4003B.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4003C.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4003D.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4003E.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4003F.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40040.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40041.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40042.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40043.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40044.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40045.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40046.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40047.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40048.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40049.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4004A.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4004B.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4004C.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4004D.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4004E.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4004F.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40050.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40051.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40052.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40053.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40054.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40055.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40056.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40057.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40058.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40059.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4005A.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4005B.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4005C.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4005D.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4005E.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4005F.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40060.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40061.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40062.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40063.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40064.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40065.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40066.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40067.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40068.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40069.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4006A.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4006B.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4006C.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4006D.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4006E.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C4006F.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40070.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40071.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40072.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40073.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40074.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40075.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\20C40076.VBN Infected: Trojan-Downloader.Win32.Small.ajj skipped

C:\Documents and Settings\Bubbles\Application Data\Aim\fbcozjlq\SoSoNuckingFuts\cert8.db Object is locked skipped

C:\Documents and Settings\Bubbles\Application Data\Aim\fbcozjlq\SoSoNuckingFuts\key3.db Object is locked skipped

C:\Documents and Settings\Bubbles\Cookies\INDEX.DAT Object is locked skipped

C:\Documents and Settings\Bubbles\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

C:\Documents and Settings\Bubbles\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Bubbles\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Bubbles\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\Bubbles\Local Settings\History\History.IE5\MSHist012007080920070810\index.dat Object is locked skipped

C:\Documents and Settings\Bubbles\Local Settings\Temp\fnm65.tmp Object is locked skipped

C:\Documents and Settings\Bubbles\Local Settings\Temp\fnm68.tmp Object is locked skipped

C:\Documents and Settings\Bubbles\Local Settings\Temp\~DF823A.tmp Object is locked skipped

C:\Documents and Settings\Bubbles\Local Settings\Temp\~DF8251.tmp Object is locked skipped

C:\Documents and Settings\Bubbles\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped

C:\Documents and Settings\Bubbles\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\Bubbles\My Documents\Stuff which does Stuff\areslite181.exe/data0017/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped

C:\Documents and Settings\Bubbles\My Documents\Stuff which does Stuff\areslite181.exe/data0017/v2.0.4b.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.g skipped

C:\Documents and Settings\Bubbles\My Documents\Stuff which does Stuff\areslite181.exe/data0017/v2.0.4b.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped

C:\Documents and Settings\Bubbles\My Documents\Stuff which does Stuff\areslite181.exe/data0017/v2.0.4b.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped

C:\Documents and Settings\Bubbles\My Documents\Stuff which does Stuff\areslite181.exe/data0017/v2.0.4b.cab Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped

C:\Documents and Settings\Bubbles\My Documents\Stuff which does Stuff\areslite181.exe/data0017 Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped

C:\Documents and Settings\Bubbles\My Documents\Stuff which does Stuff\areslite181.exe/data0018 Infected: not-a-virus:AdWare.Win32.NavExcel.i skipped

C:\Documents and Settings\Bubbles\My Documents\Stuff which does Stuff\areslite181.exe NSIS: infected - 7 skipped

C:\Documents and Settings\Bubbles\My Documents\Stuff which does Stuff\BSINSTALL.exe/WISE0024.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\Documents and Settings\Bubbles\My Documents\Stuff which does Stuff\BSINSTALL.exe/WISE0024.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\Documents and Settings\Bubbles\My Documents\Stuff which does Stuff\BSINSTALL.exe/WISE0024.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped

C:\Documents and Settings\Bubbles\My Documents\Stuff which does Stuff\BSINSTALL.exe WiseSFX: infected - 3 skipped

C:\Documents and Settings\Bubbles\My Documents\Stuff which does Stuff\BSINSTALL.exe WiseSFX Dropper: infected - 3 skipped

C:\Documents and Settings\Bubbles\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Bubbles\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1072\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\WIADEBUG.LOG Object is locked skipped

C:\WINDOWS\WIASERVC.LOG Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

G:\System Volume Information\_restore{CCA15F78-7193-4CA6-8115-2B570DD6546C}\RP1072\change.log Object is locked skipped

Scan process completed.






and here is the hijackthis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:22 PM, on 8/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\System32\CTsvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Winamp\Winampa.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe
C:\WINDOWS\system32\dlcccoms.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpyCatcher\Protector.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wisc.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher 2006\SCActiveBlock.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: (no name) - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - (no file)
O3 - Toolbar: (no name) - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\Winampa.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
O4 - HKLM\..\Run: [SpyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe reminder
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [NOMAD Detector] "C:\Program Files\Creative\PlayCenter2\CTNMRUN.EXE"
O4 - HKCU\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{B982165F-FD54-4A2B-A38B-C96FB623FCA4}: Domain = caenn.wisc.edu
O20 - AppInit_DLLs: secuload.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7994 bytes





this whole process took most of the night, many scans were long and i lost track of time at some points. I will go and do the java update and probably shut down my computer till tommorrow. thank you.
pizac is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-09-2007, 10:34 PM   #7 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,355
OS: N/A


Re: Unable to Quarantine - Rootkit.Dayoff.Process
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\ is your antivirus program's quarantine cache. You should delete the contents. Please use Symantec's guide to remove the files from quarantine. http://service1.symantec.com/SUPPORT...on=1#_Section1


------------


Open NOTEPAD.exe and copy/paste the text in the quotebox below into it:

Code:
@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (
"C:\Documents and Settings\Bubbles\My Documents\Stuff which does Stuff\areslite181.exe"
"C:\Documents and Settings\Bubbles\My Documents\Stuff which does Stuff\BSINSTALL.exe"
) do (
del /a/f %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)

for %%g in (
%systemdrive%\Deckard
%systemdrive%\Qoobox
) do (
rd /s/q %%g >nul 2>&1
if exist %%g echo.%%~g>>"%temp%\log.txt"
)
if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

echo.GetObject("winmgmts:" ^& "{impersonationLevel=impersonate}!\\" ^& "." ^& "\root\default").Get("SystemRestore").Disable("")>SR.vbs
echo.GetObject("winmgmts:" ^& "{impersonationLevel=impersonate}!\\" ^& "." ^& "\root\default").Get("SystemRestore").Enable("")>>SR.vbs
wscript SR.vbs

(
echo.REGEDIT4&echo.
echo.[hkey_current_user\software\microsoft\windows\currentversion\explorer\advanced]
echo."hidden"=dword:00000002
echo."hidefileext"=dword:00000001
echo."showsuperhidden"=dword:00000000
)>rehide.reg

regedit /s rehide.reg
del rehide.reg SR.vbs
nircmd wait 7000
del %0
Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:
Double click on fix.bat & allow it to run

Post back to tell me what it says
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-10-2007, 05:11 AM   #8 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 5
OS: XP Pro


Re: Unable to Quarantine - Rootkit.Dayoff.Process
updated java.
cleaned out quarantine.
ran fix.bat and got the message: Deleted Successfully!
pizac is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-10-2007, 05:36 AM   #9 (permalink)
Registered User
 
Join Date: Aug 2007
Posts: 5
OS: XP Pro


Re: Unable to Quarantine - Rootkit.Dayoff.Process
Ran a SpybotSD scan and a Symantec AntiVirus scan. looks like you got everything.

Thanks a ton man.

Anything else you want me to do?
pizac is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
Old 08-10-2007, 05:40 AM   #10 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,355
OS: N/A


Re: Unable to Quarantine - Rootkit.Dayoff.Process
Now that your system is clean, kindly follow these simple steps in order to keep your computer clean and secure:

  1. ANTIVIRUS SOFTWARE
    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  2. FIREWALL
    Without a firewall your computer is succeptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here → http://www.bleepingcomputer.com/forums/tutorial60.html


  3. Microsoft Windows Updatehttp://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.

  4. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial49.html


  5. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here http://www.spywarewarrior.com/uiuc/resource.htm

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively renders disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Kindly respond to this thread once more so we can mark this thread as resolved.
__________________

Question - what have you done for the community today?
sUBs is offline  
Digg this Post!Add Post to del.icio.usBookmark Post in TechnoratiFurl this Post!Reddit!
 

« Previous Thread | Next Thread »

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off



All times are GMT -7. The time now is 06:17 PM.

Contact Us - Tech Support Forum - Archive - Privacy Statement - Top


Copyright 2001 - 2009, Tech Support Forum
Home Tips Plus | Outdoor Basecamp | Automotive Support Forum

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85