09-03-2006, 04:34 PM   #1
Registered User
 
Join Date: Jul 2005
Posts: 159
OS: XP Home


Outlook Won't Open

Hi, I have several problems. My first one is that I can't get MS Outlook to open. I first got an error about there not being enough virtual memory, but now all it says is that Outlook has encountered a problem and needs to close.

I am also using Zone Alarm, and there are several processes (3aaa7714.exe is one, can't find the others) that are trying to gain access to the internet. I have completed the five steps except for the online virus scan, because I have dial-up.

Here is my HJT log file.

Logfile of HijackThis v1.99.1
Scan saved at 6:23:49 PM, on 9/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
D:\Program Files\MouseWare\system\em_exec.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\3aaa7714.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\{6C17C4F5-0AE0-1033-0913-020403020001}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\program files\Adobe\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [3aaa7714.exe] C:\WINDOWS\system32\3aaa7714.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [loaddr] C:\yilyur.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [3aaa7714.exe] C:\Documents and Settings\Mary\Local Settings\Application Data\3aaa7714.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - G:\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - G:\PartyPoker\PartyPoker.exe (file missing)
O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - http://www.networksolutionsemailpopw...ueSwitchEC.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winubg32 - C:\WINDOWS\SYSTEM32\winubg32.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Thank you for your time.
Lifeismusic is offline  

09-04-2006, 08:37 PM   #2
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,489
OS: N/A


Please tell me what type of antivirus program you have installed.
__________________

Question - what have you done for the community today?
sUBs is offline  
09-04-2006, 09:01 PM   #3
Registered User
 
Join Date: Jul 2005
Posts: 159
OS: XP Home


I don't have a specific antivirus program, but I use the latest version of Zone Alarm constantly. I also use Webroot's SpySweeper, and do periodic scans with Ad-Aware.
Lifeismusic is offline  
09-04-2006, 09:13 PM   #4
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,489
OS: N/A


Would you be agreeable to installing & more importantly, maintaining an antivirus program on this machine?
sUBs is offline  
09-04-2006, 09:50 PM   #5
Registered User
 
Join Date: Jul 2005
Posts: 159
OS: XP Home


I would be happy to maintain a program, but I'd rather not spend $50 to get something like McAfee or Norton. I haven't had a single problem with Zone Alarm up until now, and the only reason that I got this problem was because I was stupid enough to run a .exe that I was a bit suspicious of.
Lifeismusic is offline  
09-04-2006, 09:57 PM   #6
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,489
OS: N/A


This one won't cost you a buck. Here's a link to a good & free antivirus program - http://www.activevirusshield.com/ant...eeav/index.adp
Install that but take note of this ...

* * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

O4 - HKLM\..\Run: [3aaa7714.exe] C:\WINDOWS\system32\3aaa7714.exe
O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKLM\..\Run: [loaddr] C:\yilyur.exe
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKCU\..\Run: [3aaa7714.exe] C:\Documents and Settings\Mary\Local Settings\Application Data\3aaa7714.exe
O20 - Winlogon Notify: winubg32 - C:\WINDOWS\SYSTEM32\winubg32.dll



* * * * * *


1. Download this file using either of these links

http://download.bleepingcomputer.com/sUBs/combofix.exe

http://www.techsupportforum.com/sectools/combofix.exe

* IMPORTANT !!! Place combofix.exe on your Desktop

2. Go to Start → Run → paste in the single line command & click OK
"%userprofile%\desktop\combofix.exe" /v winubg32
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools → Folder Options → View tab.
  • Tick - 'Show hidden files and folders'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\WINDOWS\system32\3aaa7714.exe
    C:\Program Files\Common Files\{6C17C4F5-0AE0-1033-0913-020403020001}
    c:\windows\system32\stonedrv.exe
    C:\yilyur.exe
    C:\Documents and Settings\Mary\Local Settings\Application Data\3aaa7714.exe

* * * * * *


Have ActiveShield run a systemwide scan & allow it to disinfect all that it finds
When done, launch ActiveShield's main menu

Click the 'Scan' button from the left & click 'Detected'

In the ensuing Window, select 'Save As' to save a copy of the log.


I shall require these in your next post:
  1. Fresh Hijackthis log taken just before replying
  2. ActiveShield's report
  3. Combofix's log
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now

Last edited by sUBs; 09-04-2006 at 09:59 PM.
sUBs is offline  
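The procedure in the post above (fix the O4/O20 entries in HijackThis, run ComboFix with /v against the Winlogon Notify DLL, then delete the dropped files from Safe Mode) rests on a triage of the log that the analyst did by eye. The script below is an added example, not code from this thread, from HijackThis or from ComboFix. It parses the "Running processes", O4 and O20 lines of a v1.99.1 log and applies a few heuristics (hex-looking file names, executables in the drive root or under Local Settings, a value mirrored into the Win9x-era RunServices key, Winlogon Notify DLLs outside the stock XP SP2 set, binaries in a GUID-named folder under Common Files) to produce the same "Fix checked" list and delete list the post gives. The heuristics, the allowlist of stock Notify subkeys and the log excerpt are assumptions constructed for illustration; a hit is a reason to look, not a verdict.

```python
"""Triage a HijackThis v1.99 log with the checks an analyst applies by eye.
Added example, not code from the thread, HijackThis or ComboFix; every heuristic
and the Winlogon Notify allowlist are assumptions for illustration."""
import ntpath
import re

# Constructed excerpt of the log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\3aaa7714.exe
C:\Program Files\Common Files\{6C17C4F5-0AE0-1033-0913-020403020001}\Update.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [3aaa7714.exe] C:\WINDOWS\system32\3aaa7714.exe
O4 - HKLM\..\Run: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [loaddr] C:\yilyur.exe
O4 - HKLM\..\RunServices: [stonedrv] c:\windows\system32\stonedrv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [3aaa7714.exe] C:\Documents and Settings\Mary\Local Settings\Application Data\3aaa7714.exe
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winubg32 - C:\WINDOWS\SYSTEM32\winubg32.dll
"""

O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[[^\]]*\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:exe|dll|scr|com)\b', re.I)
HEX_STEM = re.compile(r"^[0-9a-f]{6,}$")
GUID_DIR_RE = re.compile(r"\\common files\\\{[0-9a-f-]{36}\}\\")
# Assumed baseline of Winlogon Notify subkeys on a stock XP SP2 machine (plus WgaLogon).
WINLOGON_NOTIFY_ALLOW = {"wgalogon", "crypt32chain", "cryptnet", "cscdll", "sccertprop",
                         "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}


def exe_path(cmd):
    """First drive-letter path in an O4 command line (None for bare names like nwiz.exe)."""
    m = PATH_RE.search(cmd)
    return m.group(0) if m else None


def path_reasons(path):
    """Heuristic reasons to distrust an executable path; an empty list means nothing odd."""
    low = path.lower()
    stem = ntpath.splitext(ntpath.basename(low))[0]
    reasons = []
    if HEX_STEM.match(stem) and any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem):
        reasons.append("hex-looking file name")
    if re.match(r"^[a-z]:\\[^\\]+$", low):
        reasons.append("executable in the drive root")
    if "\\local settings\\" in low or "\\temp\\" in low:
        reasons.append("executable under the user's Local Settings or Temp")
    if GUID_DIR_RE.search(low):
        reasons.append("runs from a GUID-named folder under Common Files")
    return reasons


def triage(log_text):
    """Return HJT lines to 'Fix checked', files to delete, and DLLs loaded into winlogon.exe."""
    lines = [l.strip() for l in log_text.splitlines()]
    o4 = [(l, O4_RE.match(l)) for l in lines if O4_RE.match(l)]
    o20 = [(l, O20_RE.match(l)) for l in lines if O20_RE.match(l)]
    procs = [l for l in lines if re.match(r"^[A-Za-z]:\\", l)]
    # RunServices is a Win9x/ME key that NT-based Windows never processes; a value
    # mirrored into it and into Run is a persistence pattern, not a real service.
    run_services = {exe_path(m.group("cmd")).lower() for _, m in o4
                    if m.group("key").lower() == "runservices" and exe_path(m.group("cmd"))}
    fix_checked, delete, loaded_in_winlogon = [], {}, []
    for line, m in o4:
        p = exe_path(m.group("cmd"))
        if not p:
            continue  # no path to judge: leave for manual review
        reasons = path_reasons(p)
        if m.group("key").lower() == "runservices":
            reasons.append("registered under the Win9x-only RunServices key")
        elif p.lower() in run_services:
            reasons.append("same file also registered under RunServices")
        if reasons:
            fix_checked.append((line, reasons))
            delete.setdefault(p.lower(), p)  # dedupe case-insensitively
    for line, m in o20:
        if m.group("name").lower() not in WINLOGON_NOTIFY_ALLOW:
            fix_checked.append((line, ["Winlogon Notify DLL outside the XP SP2 baseline"]))
            # Loaded inside winlogon.exe, so Explorer cannot delete it; the post runs
            # combofix.exe /v <name> for this one instead of a plain file delete.
            loaded_in_winlogon.append(m.group("path"))
    for p in procs:
        reasons = path_reasons(p)
        if any("GUID" in r for r in reasons):
            p = ntpath.dirname(p)  # remove the dropped folder as a whole
        if reasons:
            delete.setdefault(p.lower(), p)
    return {"fix_checked": fix_checked, "delete": list(delete.values()),
            "loaded_in_winlogon": loaded_in_winlogon}


if __name__ == "__main__":
    for section, items in triage(SAMPLE_LOG).items():
        print(section)
        for item in items:
            print("  ", item)
```

The script keeps the Winlogon Notify DLL apart from the plain deletes on purpose: a Notify DLL is loaded into winlogon.exe (the AVS report later in this thread lists it as "Running module: winlogon.exe\winubg32.dll"), so Explorer cannot remove it even in Safe Mode, which is why the post reaches for combofix.exe /v winubg32 rather than a file delete. Entries without a drive-letter path (nwiz.exe, BCMSMMSG.exe, Logi_MwX.Exe) are skipped rather than flagged; a bare name resolves through the search path and needs a manual look.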
09-05-2006, 04:36 AM   #7
Registered User
 
Join Date: Jul 2005
Posts: 159
OS: XP Home


Thanks for the reply. I was able to find and delete

C:\WINDOWS\system32\3aaa7714.exe
C:\Documents and Settings\Mary\Local Settings\Application Data\3aaa7714.exe


as well as

C:\Documents and Settings\User\Local Settings\Application Data\3aaa7714.exe (This is my account)

I could not find

C:\Program Files\Common Files\{6C17C4F5-0AE0-1033-0913-020403020001}
c:\windows\system32\stonedrv.exe
C:\yilyur.exe


I was not sure whether you meant that I should save the AVS log before or after neutralizing the trojans it found, so I saved it twice. The log from before the trojan deletion is quite large (1.8MB), and I'm not sure if it is needed, but if you do need it I still have it.

MS Outlook opens normally now, and I do not see any questionable processes. I am concerned about the HJT entry which I have highlighted. Also, can I delete the AOL system tray entry, because I do not have AOL installed on the computer anymore?

******************Combofix Log************************

User - 06-09-05 1:42:52.71
ComboFix 06.09.04BT - Running from: C:\Documents and Settings\User\desktop

Microsoft Windows XP [Version 5.1.2600]

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\winubg32.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\system32\winubg32.dll

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\rpcc.exe
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{6C17C4F5-0AE0-1033-0913-020403020001}


((((((((((((((((((((((((((((((( Files Created from 2006-08-05 to 2006-09-05 ))))))))))))))))))))))))))))))))))


2006-09-03 14:58 5,120 --a------ C:\WINDOWS\system32\ismini.exe
2006-09-03 14:58 13,312 --a------ C:\WINDOWS\system32\3aaa7714.exe
2006-09-02 15:36 18,944 --a------ C:\WINDOWS\system32\winubg32.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-09-05 01:43 -------- d-------- C:\Program Files\Common Files
2006-09-05 01:22 -------- d-------- C:\Program Files\AOL
2006-09-03 20:08 -------- d-------- C:\Program Files\Common Files\Adobe
2006-09-03 20:03 -------- d-------- C:\Documents and Settings\User\Application Data\Adobe
2006-09-01 16:05 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-01 16:05 -------- d-------- C:\Program Files\iPod
2006-09-01 15:51 2366 --a------ C:\Documents and Settings\User\Application Data\.iScrobbler
2006-09-01 15:51 131 --a------ C:\Documents and Settings\User\Application Data\iScrobbler.ini
2006-09-01 15:22 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-09-01 15:18 -------- d-------- C:\Documents and Settings\User\Application Data\Aim
2006-09-01 14:29 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-01 14:27 -------- d-------- C:\Documents and Settings\User\Application Data\Azureus
2006-09-01 13:49 -------- d-------- C:\Program Files\Common Files\Ahead
2006-09-01 13:38 -------- d---s---- C:\Documents and Settings\User\Application Data\Microsoft
2006-08-31 10:34 -------- d-------- C:\Documents and Settings\User\Application Data\Seven Zip
2006-08-28 01:51 -------- d-------- C:\Program Files\QuickTime
2006-08-16 10:10 -------- d-------- C:\Program Files\Internet Explorer
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"Logitech Utility"="Logi_MwX.Exe"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"BCMSMMSG"="BCMSMMSG.exe"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"iTunesHelper"="D:\\Program Files\\iTunes\\iTunesHelper.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"aol"="\"C:\\Program Files\\AOL\\Active Virus Shield\\avp.exe\""
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NVMCTRAY.DLL,NvTaskbarInit"
"stonedrv"="c:\\windows\\system32\\stonedrv.exe"
"3aaa7714.exe"="C:\\Documents and Settings\\User\\Local Settings\\Application Data\\3aaa7714.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
@=""
"NoDriveTypeAutoRun"=hex:5f,00,00,00
"AllowLegacyWebView"=dword:00000001
"AllowUnhashedWebView"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce\CTStartup]
"CTStartup"="\"C:\\Program Files\\Creative\\Splash Screen\\CTEaxSpl.EXE\" /play"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,de,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,4b,00,00,00,00,00,00,00,b5,04,00,00,d4,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,4b,00,00,00,00,00,00,00,b5,04,00,00,d4,03,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="http://www.3dbuzz.com/"
"SubscribedURL"="http://www.3dbuzz.com/"
"FriendlyName"=""
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,4b,00,00,00,01,00,00,00,b5,04,00,00,d3,03,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,4b,00,00,00,01,00,00,00,b5,04,00,00,d3,03,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,4b,00,00,00,00,00,00,00,b5,04,00,00,d4,03,\
00,00,01,00,00,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\2]
"Source"="http://www.google.com/"
"SubscribedURL"="http://www.google.com/"
"FriendlyName"="Google"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,05,01,00,00,3f,00,00,00,41,02,00,00,74,02,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,05,01,00,00,3f,00,00,00,41,02,00,00,74,02,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,05,01,00,00,3f,00,00,00,41,02,00,00,74,02,\
00,00,01,00,00,40

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""



Completion time: Tue 09/05/2006 1:46:59.12
ComboFix.txt

********************AVS Log After Deletion******************

Protection
----------
Total scanned: 362
Detected: 22
Untreated: 0
Start time: 9/5/2006 5:33:38 AM
Duration: 00:01:41


Detected
--------
Status Object
------ ------
not found: Trojan program Trojan.Win32.Agent.vg Running module: winlogon.exe\winubg32.dll
not found: virus Packed.Win32.Klone.g File: C:\WINDOWS\system32\winubg32.dll/PE_Patch.PECompact/PecBundle/PECompact
not found: Trojan program Trojan-Downloader.Win32.Obfuscated.a File: C:\WINDOWS\system32\3aaa7714.exe/PE_Patch.UPX/UPX
not found: Trojan program Trojan-Downloader.Win32.Obfuscated.a File: c:\documents and settings\user\local settings\application data\3aaa7714.exe/PE_Patch.UPX/UPX
not found: Trojan program Trojan-Downloader.Win32.Obfuscated.a File: c:\documents and settings\mary\local settings\application data\3aaa7714.exe/PE_Patch.UPX/UPX
not found: Trojan program Trojan.Win32.Pakes File: C:\WINDOWS\TEMP\win2B6.tmp.exe
deleted: Trojan program Trojan.Win32.Pakes File: C:\Documents and Settings\Mary\Local Settings\Temporary Internet Files\Content.IE5\5Z40TRNM\srvele[1].exe
deleted: Trojan program Trojan.Win32.Dialer.pz File: C:\Documents and Settings\Mary\Local Settings\Temporary Internet Files\Content.IE5\KP6ZKX2R\bgates[1].exe/UPX
deleted: adware not-a-virus:AdWare.Win32.Agent.y File: C:\Documents and Settings\Mary\Local Settings\Temporary Internet Files\Content.IE5\SV1JAQB1\wlzip32[1].exe/stream/data0003
deleted: adware not-a-virus:AdWare.Win32.Softomate.q File: C:\Documents and Settings\Mary\Local Settings\Temporary Internet Files\Content.IE5\SV1JAQB1\wlzip32[1].exe/stream/data0005
deleted: Trojan program Trojan-Downloader.Win32.Obfuscated.a File: C:\Documents and Settings\Mary\Local Settings\Temporary Internet Files\Content.IE5\WPYBW9MN\wlzip32[1].exe/PE_Patch.UPX/UPX
deleted: Trojan program Trojan-PSW.Win32.Sinowal.aq File: C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll
not found: Trojan program Trojan-PSW.Win32.Sinowal.aq File: C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll
deleted: Trojan program Trojan-Downloader.Win32.Obfuscated.a File: C:\RECYCLER\S-1-5-21-1844237615-1425521274-725345543-1004\Dc1.exe/PE_Patch.UPX/UPX
deleted: Trojan program Trojan-Downloader.Win32.Obfuscated.a File: C:\RECYCLER\S-1-5-21-1844237615-1425521274-725345543-1004\Dc2.exe/PE_Patch.UPX/UPX
deleted: adware not-a-virus:AdWare.Win32.WinAD.bg File: C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll/UPX
deleted: adware not-a-virus:AdWare.Win32.F1Organizer.h File: C:\WINDOWS\system32\55kd49fg.exe/UPX
deleted: adware not-a-virus:AdWare.Win32.F1Organizer.c File: C:\WINDOWS\system32\ATPartners.dll
deleted: Trojan program Trojan-Downloader.Win32.Zlob.aif File: C:\WINDOWS\system32\ismini.exe
deleted: Trojan program Trojan-Proxy.Win32.Agent.lb File: C:\WINDOWS\system32\msvcrt64.dll/PE_Patch.UPX/UPX
deleted: Trojan program Trojan-Dropper.Win32.Small.ht File: C:\WINDOWS\system32\TVM_B5_Bundle_2.EXE
deleted: Trojan program Trojan-Downloader.Win32.Obfuscated.a File: C:\System Volume Information\_restore{EFB94CC9-C0BB-418C-8F0C-B7A03E1E4754}\RP628\A0164135.exe/PE_Patch.UPX/UPX


Events
------
Time Event
---- -----
9/5/2006 1:23:16 AM A full computer scan has never been performed. Please complete a full scan as soon as possible. The initial scan may be time consuming, but you may pause and resume the scan at any time.
9/5/2006 1:29:58 AM A full computer scan has never been performed. Please complete a full scan as soon as possible. The initial scan may be time consuming, but you may pause and resume the scan at any time.
9/5/2006 1:30:53 AM Update error: cannot establish connection.
9/5/2006 1:30:53 AM The threat signatures are obsolete. Your computer is at risk. You are advised to update the signatures immediately.
9/5/2006 1:33:03 AM Running module winlogon.exe\winubg32.dll: detected Trojan program Trojan.Win32.Agent.vg
9/5/2006 1:33:03 AM Security threats have been detected. You are advised to neutralize them immediately.
9/5/2006 1:33:03 AM Running module winlogon.exe\winubg32.dll: is not disinfected, postponed
9/5/2006 1:33:03 AM File C:\WINDOWS\system32\winubg32.dll/PE_Patch.PECompact/PecBundle/PECompact: detected virus Packed.Win32.Klone.g
9/5/2006 1:33:03 AM File C:\WINDOWS\system32\winubg32.dll/PE_Patch.PECompact/PecBundle/PECompact: is not disinfected, postponed
9/5/2006 1:33:12 AM File C:\WINDOWS\system32\3aaa7714.exe/PE_Patch.UPX/UPX: detected Trojan program Trojan-Downloader.Win32.Obfuscated.a
9/5/2006 1:33:12 AM File C:\WINDOWS\system32\3aaa7714.exe/PE_Patch.UPX/UPX: is not disinfected, postponed
9/5/2006 1:33:22 AM File C:\WINDOWS\system32\winubg32.dll/PE_Patch.PECompact/PecBundle/PECompact: detected virus Packed.Win32.Klone.g
9/5/2006 1:33:22 AM File C:\WINDOWS\system32\winubg32.dll/PE_Patch.PECompact/PecBundle/PECompact: is not disinfected, postponed
9/5/2006 1:33:23 AM File c:\windows\system32\3aaa7714.exe/PE_Patch.UPX/UPX: detected Trojan program Trojan-Downloader.Win32.Obfuscated.a
9/5/2006 1:33:23 AM File c:\windows\system32\3aaa7714.exe/PE_Patch.UPX/UPX: is not disinfected, postponed
9/5/2006 1:33:23 AM File c:\documents and settings\user\local settings\application data\3aaa7714.exe/PE_Patch.UPX/UPX: detected Trojan program Trojan-Downloader.Win32.Obfuscated.a
9/5/2006 1:33:23 AM File c:\documents and settings\user\local settings\application data\3aaa7714.exe/PE_Patch.UPX/UPX: is not disinfected, postponed
9/5/2006 1:33:23 AM File c:\documents and settings\mary\local settings\application data\3aaa7714.exe/PE_Patch.UPX/UPX: detected Trojan program Trojan-Downloader.Win32.Obfuscated.a
9/5/2006 1:33:23 AM File c:\documents and settings\mary\local settings\application data\3aaa7714.exe/PE_Patch.UPX/UPX: is not disinfected, postponed
9/5/2006 1:33:43 AM File C:\WINDOWS\system32\3aaa7714.exe/PE_Patch.UPX/UPX: detected Trojan program Trojan-Downloader.Win32.Obfuscated.a
9/5/2006 1:33:43 AM File C:\WINDOWS\system32\3aaa7714.exe/PE_Patch.UPX/UPX: is not disinfected, postponed
9/5/2006 1:33:48 AM Process (PID 2768) tried to access Active Virus Shield process (PID 1644), but it has been blocked. This is Self-Defense monitoring, and you do not need to do anything.
9/5/2006 1:33:48 AM Process (PID 2768) tried to access Active Virus Shield process (PID 1240), but it has been blocked. This is Self-Defense monitoring, and you do not need to do anything.
9/5/2006 1:33:56 AM File C:\Documents and Settings\Mary\Local Settings\Application Data\3aaa7714.exe/PE_Patch.UPX/UPX: detected Trojan program Trojan-Downloader.Win32.Obfuscated.a
9/5/2006 1:33:56 AM File C:\Documents and Settings\Mary\Local Settings\Application Data\3aaa7714.exe/PE_Patch.UPX/UPX: is not disinfected, postponed
9/5/2006 1:34:29 AM File C:\WINDOWS\system32\3aaa7714.exe/PE_Patch.UPX/UPX: detected Trojan program Trojan-Downloader.Win32.Obfuscated.a
9/5/2006 1:34:29 AM File C:\WINDOWS\system32\3aaa7714.exe/PE_Patch.UPX/UPX: is not disinfected, postponed
9/5/2006 1:34:36 AM File C:\WINDOWS\system32\winubg32.dll/PE_Patch.PECompact/PecBundle/PECompact: detected virus Packed.Win32.Klone.g
9/5/2006 1:34:36 AM File C:\WINDOWS\system32\winubg32.dll/PE_Patch.PECompact/PecBundle/PECompact: is not disinfected, postponed
9/5/2006 1:34:39 AM Running module winlogon.exe\winubg32.dll: detected Trojan program Trojan.Win32.Agent.vg
9/5/2006 1:35:00 AM Running module winlogon.exe\winubg32.dll: is not disinfected, skipped by user
9/5/2006 1:35:00 AM Running module c:\windows\system32\winubg32.dll/PE_Patch.PECompact/PecBundle/PECompact: detected virus Packed.Win32.Klone.g
9/5/2006 1:35:01 AM Running module c:\windows\system32\winubg32.dll/PE_Patch.PECompact/PecBundle/PECompact: is not disinfected, skipped by user
9/5/2006 1:35:01 AM Running module c:\windows\system32\3aaa7714.exe/PE_Patch.UPX/UPX: detected Trojan program Trojan-Downloader.Win32.Obfuscated.a
9/5/2006 1:35:02 AM Running module c:\windows\system32\3aaa7714.exe/PE_Patch.UPX/UPX: is not disinfected, skipped by user
9/5/2006 1:35:02 AM Running module c:\documents and settings\user\local settings\application data\3aaa7714.exe/PE_Patch.UPX/UPX: detected Trojan program Trojan-Downloader.Win32.Obfuscated.a
9/5/2006 1:35:02 AM Running module c:\documents and settings\user\local settings\application data\3aaa7714.exe/PE_Patch.UPX/UPX: is not disinfected, skipped by user
9/5/2006 1:35:02 AM Running module c:\documents and settings\mary\local settings\application data\3aaa7714.exe/PE_Patch.UPX/UPX: detected Trojan program Trojan-Downloader.Win32.Obfuscated.a
9/5/2006 1:35:03 AM Running module c:\documents and settings\mary\local settings\application data\3aaa7714.exe/PE_Patch.UPX/UPX: is not disinfected, skipped by user
9/5/2006 1:35:13 AM Update error: cannot establish connection.
9/5/2006 1:35:13 AM The threat signatures are obsolete. Your computer is at risk. You are advised to update the signatures immediately.
9/5/2006 1:39:48 AM File C:\WINDOWS\TEMP\win2B6.tmp.exe: detected Trojan program Trojan.Win32.Pakes
9/5/2006 1:39:51 AM File C:\WINDOWS\TEMP\win2B6.tmp.exe: is not disinfected, skipped by user
9/5/2006 1:40:12 AM Update error: cannot establish connection.
9/5/2006 1:40:12 AM The threat signatures are obsolete. Your computer is at risk. You are advised to update the signatures immediately.
9/5/2006 1:40:43 AM Update error: cannot establish connection.
9/5/2006 1:40:43 AM The threat signatures are obsolete. Your computer is at risk. You are advised to update the signatures immediately.
9/5/2006 1:40:45 AM File C:\Documents and Settings\User\Local Settings\Application Data\3aaa7714.exe/PE_Patch.UPX/UPX: detected Trojan program Trojan-Downloader.Win32.Obfuscated.a
9/5/2006 1:40:46 AM File C:\Documents and Settings\User\Local Settings\Application Data\3aaa7714.exe/PE_Patch.UPX/UPX: is not disinfected, skipped by user
9/5/2006 1:43:23 AM Running module winlogon.exe\winubg32.dll: detected Trojan program Trojan.Win32.Agent.vg
9/5/2006 1:43:23 AM Running module winlogon.exe\winubg32.dll: is not disinfected, postponed
9/5/2006 1:43:23 AM File C:\WINDOWS\system32\winubg32.dll/PE_Patch.PECompact/PecBundle/PECompact: detected virus Packed.Win32.Klone.g
9/5/2006 1:43:23 AM File C:\WINDOWS\system32\winubg32.dll/PE_Patch.PECompact/PecBundle/PECompact: is not disinfected, postponed
9/5/2006 1:43:51 AM File c:\documents and settings\user\local settings\application data\3aaa7714.exe/PE_Patch.UPX/UPX: detected Trojan program Trojan-Downloader.Win32.Obfuscated.a
9/5/2006 1:43:51 AM File c:\documents and settings\user\local settings\application data\3aaa7714.exe/PE_Patch.UPX/UPX: is not disinfected, postponed
9/5/2006 1:44:00 AM File C:\WINDOWS\system32\winubg32.dll/PE_Patch.PECompact/PecBundle/PECompact: detected virus Packed.Win32.Klone.g
9/5/2006 1:44:02 AM File C:\Documents and Settings\Mary\Local Settings\Application Data\3aaa7714.exe/PE_Patch.UPX/UPX: detected Trojan program Trojan-Downloader.Win32.Obfuscated.a
9/5/2006 1:44:02 AM File C:\Documents and Settings\Mary\Local Settings\Application Data\3aaa7714.exe/PE_Patch.UPX/UPX: is not disinfected, postponed
9/5/2006 1:44:54 AM A full computer scan has never been performed. Please complete a full scan as soon as possible. The initial scan may be time consuming, but you may pause and resume the scan at any time.
9/5/2006 1:45:26 AM Security threats have been detected. You are advised to neutralize them immediately.
9/5/2006 1:45:26 AM Update error: cannot establish connection.
9/5/2006 1:45:26 AM The threat signatures are obsolete. Your computer is at risk. You are advised to update the signatures immediately.
9/5/2006 1:45:40 AM Process (PID 608) tried to access Active Virus Shield process (PID 1640), but it has been blocked. This is Self-Defense monitoring, and you do not need to do anything.
9/5/2006 1:48:02 AM File C:\Documents and Settings\User\Local Settings\Application Data\3aaa7714.exe/PE_Patch.UPX/UPX: detected Trojan program Trojan-Downloader.Win32.Obfuscated.a
9/5/2006 1:48:05 AM File C:\Documents and Settings\User\Local Settings\Application Data\3aaa7714.exe/PE_Patch.UPX/UPX: is not disinfected, skipped by user
9/5/2006 1:48:12 AM Update error: cannot establish connection.
9/5/2006 1:48:12 AM The threat signatures are obsolete. Your computer is at risk. You are advised to update the signatures immediately.
9/5/2006 1:50:09 AM Update error: cannot establish connection.
9/5/2006 1:50:09 AM The threat signatures are obsolete. Your computer is at risk. You are advised to update the signatures immediately.
9/5/2006 1:50:20 AM File c:\documents and settings\user\local settings\application data\3aaa7714.exe/PE_Patch.UPX/UPX: detected Trojan program Trojan-Downloader.Win32.Obfuscated.a
9/5/2006 1:50:20 AM File c:\documents and settings\user\local settings\application data\3aaa7714.exe/PE_Patch.UPX/UPX: is not disinfected, postponed
9/5/2006 1:50:28 AM File c:\documents and settings\user\local settings\application data\3aaa7714.exe/PE_Patch.UPX/UPX: detected Trojan program Trojan-Downloader.Win32.Obfuscated.a
9/5/2006 1:50:29 AM File c:\documents and settings\user\local settings\application data\3aaa7714.exe/PE_Patch.UPX/UPX: is not disinfected, skipped by user
9/5/2006 1:51:46 AM Active Virus Shield is not activated.
9/5/2006 2:04:13 AM A full computer scan has never been performed. Please complete a full scan as soon as possible. The initial scan may be time consuming, but you may pause and resume the scan at any time.
9/5/2006 2:05:06 AM Security threats have been detected. You are advised to neutralize them immediately.
9/5/2006 2:05:06 AM Update error: cannot establish connection.
9/5/2006 2:05:06 AM The threat signatures are obsolete. Your computer is at risk. You are advised to update the signatures immediately.
9/5/2006 2:08:41 AM Update completed successfully.
9/5/2006 2:18:02 AM File C:\Documents and Settings\Mary\Local Settings\Temporary Internet Files\Content.IE5\5Z40TRNM\srvele[1].exe: detected Trojan program Trojan.Win32.Pakes
9/5/2006 2:18:02 AM File C:\Documents and Settings\Mary\Local Settings\Temporary Internet Files\Content.IE5\5Z40TRNM\srvele[1].exe: is not disinfected, postponed
9/5/2006 2:18:44 AM File C:\Documents and Settings\Mary\Local Settings\Temporary Internet Files\Content.IE5\KP6ZKX2R\bgates[1].exe/UPX: detected Trojan program Trojan.Win32.Dialer.pz
9/5/2006 2:18:44 AM File C:\Documents and Settings\Mary\Local Settings\Temporary Internet Files\Content.IE5\KP6ZKX2R\bgates[1].exe/UPX: is not disinfected, postponed
9/5/2006 2:19:27 AM File C:\Documents and Settings\Mary\Local Settings\Temporary Internet Files\Content.IE5\SV1JAQB1\wlzip32[1].exe/stream/data0003: detected adware not-a-virus:AdWare.Win32.Agent.y
9/5/2006 2:19:27 AM File C:\Documents and Settings\Mary\Local Settings\Temporary Internet Files\Content.IE5\SV1JAQB1\wlzip32[1].exe/stream/data0003: is not disinfected, postponed
9/5/2006 2:19:27 AM File C:\Documents and Settings\Mary\Local Settings\Temporary Internet Files\Content.IE5\SV1JAQB1\wlzip32[1].exe/stream/data0005: detected adware not-a-virus:AdWare.Win32.Softomate.q
9/5/2006 2:19:57 AM File C:\Documents and Settings\Mary\Local Settings\Temporary Internet Files\Content.IE5\WPYBW9MN\wlzip32[1].exe/PE_Patch.UPX/UPX: detected Trojan program Trojan-Downloader.Win32.Obfuscated.a
9/5/2006 2:19:57 AM File C:\Documents and Settings\Mary\Local Settings\Temporary Internet Files\Content.IE5\WPYBW9MN\wlzip32[1].exe/PE_Patch.UPX/UPX: is not disinfected, postponed
9/5/2006 2:22:25 AM File C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll: detected Trojan program Trojan-PSW.Win32.Sinowal.aq
9/5/2006 2:22:25 AM File C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.dll: is not disinfected, postponed
9/5/2006 2:22:25 AM File C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll: detected Trojan program Trojan-PSW.Win32.Sinowal.aq
9/5/2006 2:22:25 AM File C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00002.dll: is not disinfected, postponed
9/5/2006 2:25:03 AM File C:\RECYCLER\S-1-5-21-1844237615-1425521274-725345543-1004\Dc1.exe/PE_Patch.UPX/UPX: detected Trojan program Trojan-Downloader.Win32.Obfuscated.a
9/5/2006 2:25:03 AM File C:\RECYCLER\S-1-5-21-1844237615-1425521274-725345543-1004\Dc1.exe/PE_Patch.UPX/UPX: is not disinfected, postponed
9/5/2006 2:25:03 AM File C:\RECYCLER\S-1-5-21-1844237615-1425521274-725345543-1004\Dc2.exe/PE_Patch.UPX/UPX: detected Trojan program Trojan-Downloader.Win32.Obfuscated.a
9/5/2006 2:25:03 AM File C:\RECYCLER\S-1-5-21-1844237615-1425521274-725345543-1004\Dc2.exe/PE_Patch.UPX/UPX: is not disinfected, postponed
9/5/2006 2:35:09 AM File C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll/UPX: detected adware not-a-virus:AdWare.Win32.WinAD.bg
9/5/2006 2:35:09 AM File C:\WINDOWS\Downloaded Program Files\MediaGatewayX.dll/UPX: is not disinfected, postponed
9/5/2006 2:45:07 AM File C:\WINDOWS\system32\55kd49fg.exe/UPX: detected adware not-a-virus:AdWare.Win32.F1Organizer.h
9/5/2006 2:45:07 AM File C:\WINDOWS\system32\55kd49fg.exe/UPX: is not disinfected, postponed
9/5/2006 2:45:10 AM File C:\WINDOWS\system32\ATPartners.dll: detected adware not-a-virus:AdWare.Win32.F1Organizer.c
9/5/2006 2:45:10 AM File C:\WINDOWS\system32\ATPartners.dll: is not disinfected, postponed
9/5/2006 2:45:30 AM File C:\WINDOWS\system32\ismini.exe: detected Trojan program Trojan-Downloader.Win32.Zlob.aif
9/5/2006 2:45:30 AM File C:\WINDOWS\system32\ismini.exe: is not disinfected, postponed
9/5/2006 2:45:43 AM File C:\WINDOWS\system32\msvcrt64.dll/PE_Patch.UPX/UPX: detected Trojan program Trojan-Proxy.Win32.Agent.lb
9/5/2006 2:45:43 AM File C:\WINDOWS\system32\msvcrt64.dll/PE_Patch.UPX/UPX: is not disinfected, postponed
9/5/2006 2:46:07 AM File C:\WINDOWS\system32\TVM_B5_Bundle_2.EXE: detected Trojan program Trojan-Dropper.Win32.Small.ht
9/5/2006 2:46:07 AM File C:\WINDOWS\system32\TVM_B5_Bundle_2.EXE: is not disinfected, postponed
9/5/2006 2:46:12 AM File C:\WINDOWS\system32\winubg32.dll/PE_Patch.PECompact/PecBundle/PECompact: detected virus Packed.Win32.Klone.g
9/5/2006 2:46:12 AM File C:\WINDOWS\system32\winubg32.dll/PE_Patch.PECompact/PecBundle/PECompact: is not disinfected, postponed
9/5/2006 2:52:44 AM File c:\documents and settings\mary\local settings\temporary internet files\content.ie5\5z40trnm\srvele[1].exe: detected Trojan program Trojan.Win32.Pakes
9/5/2006 3:17:41 AM File C:\WINDOWS\SYSTEM32\WINUBG32.DLL/PE_Patch.PECompact/PecBundle/PECompact: detected virus Packed.Win32.Klone.g
9/5/2006 3:19:17 AM File C:\System Volume Information\_restore{EFB94CC9-C0BB-418C-8F0C-B7A03E1E4754}\RP628\A0164135.exe/PE_Patch.UPX/UPX: detected Trojan program Trojan-Downloader.Win32.Obfuscated.a
9/5/2006 4:09:48 AM Update completed successfully.
9/5/2006 5:30:46 AM File c:\documents and settings\mary\local settings\temporary internet files\content.ie5\5z40trnm\srvele[1].exe: deleted
9/5/2006 5:30:46 AM File c:\documents and settings\mary\local settings\temporary internet files\content.ie5\kp6zkx2r\bgates[1].exe/UPX: detected Trojan program Trojan.Win32.Dialer.pz
9/5/2006 5:30:48 AM File C:\WINDOWS\SYSTEM32\WINUBG32.DLL: deleted
9/5/2006 5:30:51 AM File C:\System Volume Information\_restore{EFB94CC9-C0BB-418C-8F0C-B7A03E1E4754}\RP628\A0164135.exe: deleted
9/5/2006 5:30:51 AM File C:\WINDOWS\SYSTEM32\MSVCRT64.DLL/PE_Patch.UPX/UPX: detected Trojan program Trojan-Proxy.Win32.Agent.lb
9/5/2006 5:30:52 AM File c:\documents and settings\mary\local settings\temporary internet files\content.ie5\kp6zkx2r\bgates[1].exe: deleted
9/5/2006 5:30:53 AM File c:\documents and settings\mary\local settings\temporary internet files\content.ie5\sv1jaqb1\wlzip32[1].exe/stream/data0003: detected adware not-a-virus:AdWare.Win32.Agent.y
9/5/2006 5:30:53 AM File C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WEB FOLDERS\IBM00002.DLL: detected Trojan program Trojan-PSW.Win32.Sinowal.aq
9/5/2006 5:30:54 AM File C:\WINDOWS\SYSTEM32\MSVCRT64.DLL will be deleted on system restart
9/5/2006 5:30:54 AM File C:\WINDOWS\system32\msvcrt64.dll/PE_Patch.UPX/UPX: detected Trojan program Trojan-Proxy.Win32.Agent.lb
9/5/2006 5:31:01 AM File c:\documents and settings\mary\local settings\temporary internet files\content.ie5\sv1jaqb1\wlzip32[1].exe/stream/data0005: detected adware not-a-virus:AdWare.Win32.Softomate.q
9/5/2006 5:31:01 AM File c:\documents and settings\mary\local settings\temporary internet files\content.ie5\sv1jaqb1\wlzip32[1].exe: deleted
9/5/2006 5:31:01 AM File c:\documents and settings\mary\local settings\temporary internet files\content.ie5\wpybw9mn\wlzip32[1].exe/PE_Patch.UPX/UPX: detected Trojan program Trojan-Downloader.Win32.Obfuscated.a
9/5/2006 5:31:04 AM File C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WEB FOLDERS\IBM00002.DLL: deleted
9/5/2006 5:31:07 AM File c:\documents and settings\mary\local settings\temporary internet files\content.ie5\wpybw9mn\wlzip32[1].exe: deleted
9/5/2006 5:31:07 AM File c:\program files\common files\microsoft shared\web folders\ibm00001.dll: detected Trojan program Trojan-PSW.Win32.Sinowal.aq
9/5/2006 5:31:11 AM File c:\program files\common files\microsoft shared\web folders\ibm00001.dll: deleted
9/5/2006 5:31:11 AM File c:\recycler\s-1-5-21-1844237615-1425521274-725345543-1004\dc1.exe/PE_Patch.UPX/UPX: detected Trojan program Trojan-Downloader.Win32.Obfuscated.a
9/5/2006 5:31:15 AM File c:\recycler\s-1-5-21-1844237615-1425521274-725345543-1004\dc1.exe: deleted
9/5/2006 5:31:16 AM File c:\recycler\s-1-5-21-1844237615-1425521274-725345543-1004\dc2.exe/PE_Patch.UPX/UPX: detected Trojan program Trojan-Downloader.Win32.Obfuscated.a
9/5/2006 5:31:19 AM File c:\recycler\s-1-5-21-1844237615-1425521274-725345543-1004\dc2.exe: deleted
9/5/2006 5:31:19 AM File c:\windows\downloaded program files\mediagatewayx.dll/UPX: detected adware not-a-virus:AdWare.Win32.WinAD.bg
9/5/2006 5:31:21 AM File c:\windows\downloaded program files\mediagatewayx.dll: deleted
9/5/2006 5:31:22 AM File c:\windows\system32\55kd49fg.exe/UPX: detected adware not-a-virus:AdWare.Win32.F1Organizer.h
9/5/2006 5:31:24 AM File c:\windows\system32\55kd49fg.exe: deleted
9/5/2006 5:31:24 AM File c:\windows\system32\atpartners.dll: detected adware not-a-virus:AdWare.Win32.F1Organizer.c
9/5/2006 5:31:29 AM File c:\windows\system32\atpartners.dll: deleted
9/5/2006 5:31:30 AM File c:\windows\system32\ismini.exe: detected Trojan program Trojan-Downloader.Win32.Zlob.aif
9/5/2006 5:31:32 AM File c:\windows\system32\ismini.exe: deleted
9/5/2006 5:31:32 AM File c:\windows\system32\msvcrt64.dll/PE_Patch.UPX/UPX: detected Trojan program Trojan-Proxy.Win32.Agent.lb
9/5/2006 5:31:32 AM File c:\windows\system32\tvm_b5_bundle_2.exe: detected Trojan program Trojan-Dropper.Win32.Small.ht
9/5/2006 5:31:36 AM File c:\windows\system32\tvm_b5_bundle_2.exe: deleted
9/5/2006 5:33:22 AM A full computer scan has never been performed. Please complete a full scan as soon as possible. The initial scan may be time consuming, but you may pause and resume the scan at any time.
9/5/2006 5:34:09 AM Security threats have been detected. You are advised to neutralize them immediately.


Reports
-------
Task Status Start Finish Size
---- ------ ----- ------ ----
File Anti-Virus running 9/5/2006 5:33:38 AM 43.4 KB
Mail Anti-Virus running 9/5/2006 5:33:38 AM 0 bytes


Quarantine
----------
Status Object Size Added
------ ------ ---- -----


Backup
------
Status Object Size
------ ------ ----
Infected: adware not-a-virus:AdWare.Win32.F1Organizer.h c:\windows\system32\55kd49fg.exe 54 KB
Infected: Trojan program Trojan-PSW.Win32.Sinowal.aq c:\program files\common files\microsoft shared\web folders\ibm00001.dll 73.5 KB
Infected: Trojan program Trojan.Win32.Dialer.pz c:\documents and settings\mary\local settings\temporary internet files\content.ie5\kp6zkx2r\bgates[1].exe 8.7 KB
Infected: adware not-a-virus:AdWare.Win32.F1Organizer.c c:\windows\system32\atpartners.dll 94 KB
Infected: Trojan program Trojan-Proxy.Win32.Agent.lb C:\WINDOWS\SYSTEM32\MSVCRT64.DLL 18 KB
Infected: virus Packed.Win32.Klone.g C:\WINDOWS\SYSTEM32\WINUBG32.DLL 18.5 KB
Infected: Trojan program Trojan-Dropper.Win32.Small.ht c:\windows\system32\tvm_b5_bundle_2.exe 16.5 KB
Infected: Trojan program Trojan-PSW.Win32.Sinowal.aq C:\PROGRAM FILES\COMMON FILES\MICROSOFT SHARED\WEB FOLDERS\IBM00002.DLL 63 KB
Infected: adware not-a-virus:AdWare.Win32.Agent.y c:\documents and settings\mary\local settings\temporary internet files\content.ie5\sv1jaqb1\wlzip32[1].exe 147.6 KB
Infected: Trojan program Trojan-Downloader.Win32.Obfuscated.a C:\System Volume Information\_restore{EFB94CC9-C0BB-418C-8F0C-B7A03E1E4754}\RP628\A0164135.exe 13 KB
Infected: Trojan program Trojan-Downloader.Win32.Obfuscated.a c:\documents and settings\mary\local settings\temporary internet files\content.ie5\wpybw9mn\wlzip32[1].exe 13 KB
Infected: Trojan program Trojan-Downloader.Win32.Obfuscated.a c:\recycler\s-1-5-21-1844237615-1425521274-725345543-1004\dc2.exe 13 KB
Infected: Trojan program Trojan.Win32.Pakes c:\documents and settings\mary\local settings\temporary internet files\content.ie5\5z40trnm\srvele[1].exe 39.5 KB
Infected: adware not-a-virus:AdWare.Win32.WinAD.bg c:\windows\downloaded program files\mediagatewayx.dll 21 KB
Infected: Trojan program Trojan-Downloader.Win32.Obfuscated.a c:\recycler\s-1-5-21-1844237615-1425521274-725345543-1004\dc1.exe 13 KB
Infected: Trojan program Trojan-Downloader.Win32.Zlob.aif c:\windows\system32\ismini.exe 5 KB

***********************HJT Log**********************

Logfile of HijackThis v1.99.1
Scan saved at 5:47:35 AM, on 9/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AOL\Active Virus Shield\avp.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\MouseWare\system\em_exec.exe
C:\Documents and Settings\Mary\Desktop\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\program files\Adobe\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [iTunesHelper] D:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [aol] "C:\Program Files\AOL\Active Virus Shield\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - http://www.networksolutionsemailpopw...ueSwitchEC.exe
O20 - Winlogon Notify: klogon - C:\WINDOWS\system32\klogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: msvcrt64.dll - {30146BFE-F32E-4EF8-B8D2-57096BFF2FED} - msvcrt64.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Active Virus Shield (AVP) - Unknown owner - C:\Program Files\AOL\Active Virus Shield\avp.exe" -r (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


Thank you very much for your time!
Lifeismusic is offline  
Old 09-05-2006, 06:33 AM   #8 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,489
OS: N/A


Quote:
O16 - DPF: {FFFFFFFF-CAFE-BABE-BABE-00AA0055595A} - http://www.networksolutionsemailpopw...ueSwitchEC.exe
It's not malicious. It appears to be a program used when someone switches ISPs. Have a read here - http://www.trueswitch.com/


* * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

O21 - SSODL: msvcrt64.dll - {30146BFE-F32E-4EF8-B8D2-57096BFF2FED} - msvcrt64.dll (file missing)


* * * * * *


Download this file to Desktop - http://www.techsupportforum.com/sectools/AV_Fix.exe

Keep your internet connection active, as it may need to download additional files.

Double-click on Av_Fix.exe & it shall automatically reboot the machine.

A log shall be produced after the reboot. Please post that log & a fresh ComboFix log.
__________________

Question - what have you done for the community today?

Last edited by sUBs; 09-05-2006 at 06:45 AM.
sUBs is offline  
Old 09-05-2006, 04:18 PM   #9 (permalink)
Registered User
 
Join Date: Jul 2005
Posts: 159
OS: XP Home

My System

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\icqkaxir

*******************

Script file located at: \??\C:\WINDOWS\system32\rdjmbwbp.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver pe386 unloaded successfully.


Registry key \Registry\Machine\System\CurrentControlSet\Services\msguard not found!
Unload of driver msguard failed!

Could not process line:
msguard
Status: 0xc0000034


Completed script processing.

*******************

Finished! Terminate.


*********************ComboFix Log****************

Mary - 06-09-05 18:10:48.07
ComboFix 06.09.04BT - Running from: C:\Documents and Settings\Mary\Desktop

Microsoft Windows XP [Version 5.1.2600]

((((((((((((((((((((((((((((((( Files Created from 2006-08-05 to 2006-09-05 ))))))))))))))))))))))))))))))))))


No new files created in this timespan


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-05 01:43 -------- d-------- C:\Program Files\Common Files
2006-09-05 01:22 -------- d-------- C:\Program Files\AOL
2006-09-03 20:08 -------- d-------- C:\Program Files\Common Files\Adobe
2006-09-03 20:03 -------- d-------- C:\Documents and Settings\Mary\Application Data\Adobe
2006-09-01 16:05 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-09-01 16:05 -------- d-------- C:\Program Files\iPod
2006-09-01 15:22 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-09-01 14:29 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-01 13:49 -------- d-------- C:\Program Files\Common Files\Ahead
2006-08-31 12:35 1787 --a------ C:\Documents and Settings\Mary\Application Data\.iScrobbler
2006-08-31 12:35 109 --a------ C:\Documents and Settings\Mary\Application Data\iScrobbler.ini
2006-08-30 20:47 -------- d---s---- C:\Documents and Settings\Mary\Application Data\Microsoft
2006-08-28 01:51 -------- d-------- C:\Program Files\QuickTime
2006-08-16 10:10 -------- d-------- C:\Program Files\Internet Explorer
2006-07-27 09:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 04:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"Logitech Utility"="Logi_MwX.Exe"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"BCMSMMSG"="BCMSMMSG.exe"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"iTunesHelper"="D:\\Program Files\\iTunes\\iTunesHelper.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb05.exe"
"aol"="\"C:\\Program Files\\AOL\\Active Virus Shield\\avp.exe\""
@=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
@=""
"NoDriveTypeAutoRun"=hex:5f,00,00,00
"AllowLegacyWebView"=dword:00000001
"AllowUnhashedWebView"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce\CTStartup]
"CTStartup"="\"C:\\Program Files\\Creative\\Splash Screen\\CTEaxSpl.EXE\" /play"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,f2,01,00,00,b9,00,00,00,7c,00,00,00,72,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""



Completion time: Tue 09/05/2006 18:11:37.54
ComboFix.txt
ComboFix2.txt
Lifeismusic is offline  
Old 09-05-2006, 04:24 PM   #10 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
Join Date: May 2005
Posts: 24,489
OS: N/A


Congratulations. You just got rid of a rootkited mailbot. Your system is clean. Kindly follow these simple steps in order to keep your computer clean and secure:

  1. CLEAR & RESET SYSTEM RESTORE'S CACHE - (System Volume Information folder)
    Go to Start → Run → type control sysdm.cpl,,4 & press Enter
    • Tick on the checkbox - Turn off System Restore on all drives
    • Click Apply
    Turn it back 'On' by unticking the same checkbox & click OK


  2. DISABLE THE VIEWING OF SYSTEM FILES
    From Windows Explorer, go to Tools>Folder Options> View tab.
    • Untick - Show hidden files and folders
    • Tick - Hide file extensions for known types
    • Tick - Hide protected operating system files
    Click Yes to confirm & then click OK


  3. SECURING INTERNET EXPLORER
    From within Internet Explorer click on the Tools menu and then click on Internet Options.
    • Select the Security tab
      • Click once on the Internet icon so it becomes highlighted.
      • Select Custom Level.
        • Change 'Download signed ActiveX controls' to Prompt
        • Change 'Download unsigned ActiveX controls' to Disable
        • Change 'Initialize and script ActiveX controls not marked as safe' to Disable
        • Change 'Installation of desktop items' to Prompt
        • Change 'Launching programs and files in an IFRAME' to Prompt
        • Change 'Navigate sub-frames across different domains' to Prompt
        • When all these changes have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Select OK to exit the Internet Properties page.


  4. ANTIVIRUS SOFTWARE
    It is very important that you have anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.

    See this link for a listing of some online & their stand-alone antivirus programs:

    Virus, Spyware, and Malware Protection and Removal Resources → http://www.bleepingcomputer.com/forums/topict405.html

    It is imperative that you update your Antivirus software at least once a week (Even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.


  5. FIREWALL
    Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. A tutorial on Firewalls and a listing of some available ones can be found here → http://www.bleepingcomputer.com/forums/tutorial60.html


  6. MICROSOFT WINDOWS UPDATE → http://www.windowsupdate.com
    Visit regularly. This will ensure your computer always has the latest security updates. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


  7. SPYBOT - SEARCH & DESTROY
    Download and install Spybot - Search & Destroy with its TeaTimer option. This will provide realtime spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would an antivirus software. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial43.html

  8. AD-AWARE
    Download and install Ad-Aware. You should use this program to scan your computer on a regular basis just as you would an antivirus software in conjunction with Spybot. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial48.html


  9. SPYWAREBLASTER
    SpywareBlaster prevents the installation of malicious ActiveX, adware, browser hijackers, dialers, and other potentially unwanted software. Blocks spyware/tracking cookies & restricts the actions of potentially unwanted sites.

    Unlike other programs, SpywareBlaster does not have to remain running in the background. A tutorial on installing & using this product can be found here → http://www.bleepingcomputer.com/forums/tutorial49.html


  10. IE-SPYAD
    IE/Spyad places more than 4000 dubious websites and domains in the IE Restricted list. This severely impairs attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites. A tutorial on installing this product can be found here → http://www.spywarewarrior.com/uiuc/resource.htm

Update all these programs regularly. Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically. Here are some additional utilities that will further enhance your safety.
  • http://www.trillian.cc → Trillian or http://www.miranda-im.com → Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

  • http://www.mozilla.org/products/firefox/ - Firefox - Use this alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

  • http://java.com/en/index.jsp - Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.

  • http://toolbar.google.com/ - Google Toolbar - Get the free google toolbar to help stop pop up windows.

  • http://cleanup.stevengould.org/ - CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.

  • http://www.aumha.org/downloads/erunt-setup.exe - ERUNT - A useful freeware utility for users of Windows 2000/XP. It's made up of two parts - ERUNT & NTREGOPT.

    ERUNT will create daily complete backups of your computer's Registry. Whilst System Restore does the same thing, a corrupt registry file may prevent Windows from booting & this effectively disables System Restore. With ERUNT, you're able to restore the damaged Registry.

    NTREGOPT works by recreating each registry hive "from scratch", thus removing any slack space that may be left from previously modified or deleted keys. In other words, it compacts the Registry to a small size which allows Windows to load & perform faster.

  • http://www.winpatrol.com/ - Winpatrol - Download and install the free version of Winpatrol.
    A tutorial for this product is located here: http://www.winpatrol.com/features.html

To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein - http://computercops.biz/postlite7736-.html

After doing all these, your system will be optimised against future threats.

It's okay to delete the Hijack This folder in a couple weeks if everything is working okay.
Have a safe & happy computing day.

Please respond to this thread one more time so we can mark this thread as resolved.
__________________

Question - what have you done for the community today?
sUBs is offline  
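The six Internet zone settings in step 3 of the post above are stored by Internet Explorer as numeric URL-action values under the zone 3 (Internet) registry key, so they can be audited from a script instead of clicked through in the dialog. The following PowerShell check is an added example and is not code from this thread or from the moderator. It assumes PowerShell 3 or later, that the per-user zone key is the one the Internet Options dialog writes to (a machine-wide policy key can override it), and it maps the six settings to the documented URL-action IDs 1001, 1004, 1201, 1800, 1804 and 1607 with the documented value encoding 0 = Enable, 1 = Prompt, 3 = Disable.

```powershell
# Added audit helper (not from the thread): compares the Internet zone (zone 3)
# URL-action values against the settings recommended in step 3 of the post.
# Assumptions: per-user zone key (HKCU), documented URL-action IDs and the
# value encoding 0 = Enable, 1 = Prompt, 3 = Disable. Requires PowerShell 3+.

$ZonePath = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'

# Recommended values from the post, keyed by URL-action ID (stored as a DWORD value
# whose name is the hex ID, e.g. "1001").
$Recommended = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Value = 1 }  # Prompt
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Value = 3 }  # Disable
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Value = 3 }  # Disable
    '1800' = @{ Name = 'Installation of desktop items';                             Value = 1 }  # Prompt
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Value = 1 }  # Prompt
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Value = 1 }  # Prompt
}

$Labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }

function Get-IeInternetZoneAudit {
    # Returns one object per setting; with -Fix, non-compliant values are rewritten
    # to the recommended value (same effect as changing them in Custom Level).
    param([switch]$Fix)

    $props = Get-ItemProperty -Path $ZonePath -ErrorAction Stop

    foreach ($id in $Recommended.Keys) {
        $want = $Recommended[$id].Value
        $have = $props.$id                      # $null when the value has never been written
        $ok   = ($null -ne $have) -and ([int]$have -eq $want)

        if (-not $ok -and $Fix) {
            Set-ItemProperty -Path $ZonePath -Name $id -Value $want -Type DWord
        }

        # Translate the raw number into the label shown in the dialog; anything
        # outside the documented set is reported raw rather than guessed at.
        $currentLabel = if ($null -eq $have) { '(not set)' }
                        elseif ($Labels.ContainsKey([int]$have)) { $Labels[[int]$have] }
                        else { "raw:$have" }

        [pscustomobject]@{
            Id        = $id
            Setting   = $Recommended[$id].Name
            Current   = $currentLabel
            Expected  = $Labels[$want]
            Compliant = $ok
            Fixed     = ((-not $ok) -and $Fix)
        }
    }
}

# Audit only; add -Fix to apply the recommended values.
Get-IeInternetZoneAudit | Format-Table -AutoSize
```

Run it as the user whose browser settings you are checking, since the key is per-user. A "(not set)" result means the value has never been written for that user and IE is using its built-in default for the zone, so treat it the same as non-compliant. If the machine applies zone settings through policy (the zone key under HKLM with the Security_HKLM_only setting), the values shown here are not the ones in effect and the HKLM key must be checked instead.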
Old 09-05-2006, 04:28 PM   #11 (permalink)
Registered User
 
Join Date: Jul 2005
Posts: 159
OS: XP Home

My System

Thank you very much for your time and effort. I just love this forum!
Lifeismusic is offline  
Copyright 2001 - 2009, Tech Support Forum