Haxdoor-H problem - How to remove?

rangitamoe · 07-02-2005, 09:31 AM

Hi guys,
After doing my regular scan with Spybot, it picked up the Haxdoor-H trojan. It said it had fixed it, but then it miraculously re-appeared again the next day. How can I safely remove this from my PC???

Below is my HijackThis Log.
Please Note: I ran Spybot, Adaware SE (with VX2 cleaner) and CWShredder before running HJT.

Hope you can help me out....

Logfile of HijackThis v1.99.1
Scan saved at 1:26:21 AM, on 03/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\WINDOWS\system32\CmWatch.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\r_server.exe
C:\progra~1\mcafee\MCAFEE~1\MssCli.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
D:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\system32\ctfmon.exe
D:\Program Files\NetMeter\NetMeter.exe
C:\Program Files\VideoMate\ComproPVR\ComproPVR.exe
C:\Program Files\VideoMate\ComproPVR\Common\ComproRemote.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
D:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iprimus.com.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.iprimus.com.au;*.primustel.com.au;*.primus.com.au;192.*; 172.*; 127.*;<local>
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [CmCardRun] C:\WINDOWS\system32\CmWatch.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Corel Reminder] "C:\Program Files\Corel\Graphics10\Register\NAVBrowser.exe" /r /i "C:\Program Files\Corel\Graphics10\Register\NavLoad.ini"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [D:\Program Files\NetMeter\NetMeter.exe] D:\Program Files\NetMeter\NetMeter.exe
O4 - Global Startup: ComproPVR Schedule.lnk = ?
O4 - Global Startup: ComproRemote.lnk = ?
O4 - Global Startup: TweakYC.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1116880232859
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

**Peebs85** · 07-02-2005, 10:24 AM

Hello rangitamoe and Welcome to TSF!

I am currently reviewing your log. Please note that this is under the supervision of an expert analyst. I will be back with a fix for your problem as soon as possible.

Please be patient with me during this time.

We also suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread".

**Peebs85** · 07-02-2005, 02:27 PM

Hello Again!

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below.

Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked.

For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep).

This next tool will be for the Haxdoor.H trojan:
Download and save to your C: drive HSFIX.zip
Unzip the contents of HSFix.zip and an HSFix directory will be created.
We'll need this later.

Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it):

D:\Program Files\NetMeter\NetMeter.exe

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist:

Netmeter

Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any):

O4 - HKCU\..\Run: [D:\Program Files\NetMeter\NetMeter.exe] D:\Program Files\NetMeter\NetMeter.exe
O4 - Global Startup: TweakYC.lnk = ?

Please remember to close all other windows, including browsers then click Fix checked.

Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.

D:\Program Files\NetMeter

---------------------------------------------------------------------------------------------------------------------
Navigate to the HSFix directory and double-click on HSFix.bat.
It will produce a log file, located here: C:\hslog.txt
Please post that log.

**Note** Tool must be run in SAFE MODE!!
---------------------------------------------------------------------------------------------------------------------

Reboot into Normal Mode run a new HijackThis scan. Save the log file and run KRC HijackThis Analyzer http://www.greyknight17.com/spy/KRC...%20Analyzer.zip in the same folder to get the result.txt log. Just post the contents of the result.txt file in your next reply.

Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool.

Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3)

1. Save it to a folder.
2. Reboot into Safe Mode.
3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything.
4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane.
5. In the Virus Log Information Pane......
Left click and highlight all the information in the Lower pane --- Use &CTRL C &on your keyboard to copy everything found in the lower pane and save it to a notepad file
*Note* If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files.

Once you copy that to a Notepad file...highlight the text and copy it here.

So...I need to see the following things in your next post:
Fresh Hijack This log
C:\hslog.txt log ----> from running HSFix.bat
Mwav log

rangitamoe · 07-03-2005, 06:54 AM

This is going to be long, but should have all the info you need.....

====================================================================
Log was analyzed using KRC HijackThis Analyzer - Updated on 6/3/05
Get updates at http://www.greyknight17.com/download.htm#programs

***Security Programs Detected***

C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
c:\program files\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Logfile of HijackThis v1.99.1
Scan saved at 10:15:59 AM, on 03/07/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\system32\CmWatch.exe
C:\progra~1\mcafee\MCAFEE~1\MssCli.exe
c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
D:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\r_server.exe
C:\Program Files\VideoMate\ComproPVR\ComproPVR.exe
C:\Program Files\VideoMate\ComproPVR\Common\ComproRemote.exe
D:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iprimus.com.au:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.iprimus.com.au;*.primustel.com.au;*.primus.com.au;192.*; 172.*; 127.*;<local>
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent
O4 - HKLM\..\Run: [CmCardRun] C:\WINDOWS\system32\CmWatch.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe
O4 - HKLM\..\Run: [Corel Reminder] "C:\Program Files\Corel\Graphics10\Register\NAVBrowser.exe" /r /i "C:\Program Files\Corel\Graphics10\Register\NavLoad.ini"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Global Startup: ComproPVR Schedule.lnk = ?
O4 - Global Startup: ComproRemote.lnk = ?
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1116880232859
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab
O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

End of KRC HijackThis Analyzer Log.
====================================================================

Horseserver Removal Tool v1.05
by Atri
-
-
1. Registry Fix Started
-
Registry fix complete
-
2. Deleted Services
-
-
3. Finding files Located on system
-
w32tm.exe
-
4. Deleting files that were found.
-
-
5. Checking for and Removing Winupdate
-
-
-

File C:\WINDOWS\system32\r_server.exe tagged as not-a-virus:RemoteAdmin.Win32.RAdmin.21. No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\3dviewer.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\qd3d.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\rave.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\qd3d_ir2.q3x". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\iccsigs.dat". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\mfcuia32.dll". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\MFCANS32.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\LTIH21TB.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\WINDOWS\system32\DIMM.DLL". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Documents and Settings\All Users\Application Data\Ahead\NeroDigital\settings.xml". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-dan.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-cht.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-nld.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-fra.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-deu.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-ita.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-jpn.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-kor.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-nor.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-ptg.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-rus.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-esp.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-sve.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-fin.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-ptb.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-chs.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-plk.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-csy.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-sky.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-slv.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-hun.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-tha.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-trk.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-ell.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\covered-esl.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Chs.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Cht.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Deu.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Esp.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Fra.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Ita.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Jpn.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-kor.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Nld.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\ShowTime-Ptg.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero Recode\Recode-Chs.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero Recode\Recode-Cht.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero Recode\Recode-Csy.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero Recode\Recode-Dan.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero Recode\Recode-Deu.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero Recode\Recode-Ell.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero Recode\Recode-Esl.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero Recode\Recode-Esp.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero Recode\Recode-Fin.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero Recode\Recode-Fra.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero Recode\Recode-Hun.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero Recode\Recode-Ita.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero Recode\Recode-Jpn.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero Recode\Recode-Kor.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero Recode\Recode-Nld.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero Recode\Recode-Nor.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero Recode\Recode-Plk.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero Recode\Recode-Ptb.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero Recode\Recode-Ptg.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero Recode\Recode-Rus.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero Recode\Recode-Sky.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero Recode\Recode-Slv.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero Recode\Recode-Sve.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero Recode\Recode-Tha.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero Recode\Recode-Trk.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Chs.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Cht.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Deu.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Esp.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Fra.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Ita.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Kor.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Nld.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Ptg.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart_chs.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart_cht.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart_deu.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart_esl.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart_esp.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart_fra.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart_ita.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart_jpn.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart_kor.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart_nld.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero StartSmart\NeroStartSmart_ptg.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero BackItUp\BackItUp-Jpn.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero PhotoSnap\PhotoSnap-Deu.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero PhotoSnap\PhotoSnap-Jpn.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero PhotoSnap\PhotoSnapViewer-Deu.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero PhotoSnap\PhotoSnapViewer-Jpn.nls". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero MediaHome\NeroMediaHome_Deu.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero MediaHome\NeroMediaHome_Jpn.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\Skins\standard.bmp". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero PhotoSnap\NeroPhotoSnap_fra.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero MediaHome\NeroMediaHome_Fra.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\CoverDesigner\NeroCoverDesigner_fra.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero Recode\NeroRecode_fra.chm". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\Ahead\Nero ShowTime\NeroShowTime_Fra.chm". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{29FF67FF-8050-480f-9F30-CC41635F2F9D}" refers to invalid object "ADMWPROX.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{70B51430-B6CA-11D0-B9B9-00A0C922E750}" refers to invalid object "ADMWPROX.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8298d101-f992-43b7-8eca-5052d885b995}" refers to invalid object "ADMWPROX.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{83D4679F-B6D7-11D2-BF36-00C04FB90A03}" refers to invalid object "C:\PROGRA~1\MESSEN~1\rtcimsp.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{A9E69612-B80D-11D0-B9B9-00A0C922E750}" refers to invalid object "ADMWPROX.DLL". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{B0693766-5278-4ec6-B9E1-3CE40560EF5A}" refers to invalid object "CaPlgin.ax". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{f612954d-3b0b-4c56-9563-227b7be624b4}" refers to invalid object "ADMWPROX.DLL". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\Alg.AlgSetup.1" refers to invalid object "{27D0BCCC-344D-4287-AF37-0C72C161C14C}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost.2" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\CorelDRAW.StateChartObject" refers to invalid object "{88B40185-1463-11d4-B6C3-009027912773}". Action Taken: No Action Taken.
Entry "HKCR\CorelDRAW.StateChartObject.10" refers to invalid object "{88B40185-1463-11d4-B6C3-009027912773}". Action Taken: No Action Taken.
Entry "HKCR\MailFileAtt" refers to invalid object "{00020D05-0000-0000-C000-000000000046}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\mapifvbx.object.1" refers to invalid object "{41116C00-8B90-101B-96CD-00AA003B14FC}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\Plenoptic.Plenoptic.1" refers to invalid object "{607C27E9-AB27-11d3-A116-A0EA50C10801}". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\RTCCore.RTCClient.1" refers to invalid object "{7a42ea29-a2b7-40c4-b091-f6f024aa89be}". Action Taken: No Action Taken.
Entry "HKCR\SymWriter.pdb" refers to invalid object "{520DC67A-752E-11D3-8D56-00C04F680B2B}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
Entry "HKCR\WMPPublsihCntr.WMPPublsihCntr.1" refers to invalid object "{939438A9-CF0F-44d8-9140-599736F0D3A2}". Action Taken: No Action Taken.
File C:\WINDOWS\system32\admdll.dll tagged as not-a-virus:RemoteAdmin.Win32.RAdmin.20. No Action Taken.
File C:\WINDOWS\system32\raddrv.dll tagged as not-a-virus:RemoteAdmin.Win32.RAdmin.20. No Action Taken.
File C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9ppp4uyb.default\Cache\4B3A0B96d01 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9ppp4uyb.default\Cache\C28EEC59d01 tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\9ppp4uyb.default\Cache\F8BCA334d01 tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
File C:\Program Files\Radmin\AdmDll.dll tagged as not-a-virus:RemoteAdmin.Win32.RAdmin.20. No Action Taken.
File C:\Program Files\Radmin\raddrv.dll tagged as not-a-virus:RemoteAdmin.Win32.RAdmin.20. No Action Taken.
File C:\Program Files\Radmin\radmin.exe tagged as not-a-virus:RemoteAdmin.Win32.RAdmin.21. No Action Taken.
File C:\Program Files\Radmin\r_server.exe tagged as not-a-virus:RemoteAdmin.Win32.RAdmin.21. No Action Taken.
File C:\WINDOWS\system32\admdll.dll tagged as not-a-virus:RemoteAdmin.Win32.RAdmin.20. No Action Taken.
File C:\WINDOWS\system32\raddrv.dll tagged as not-a-virus:RemoteAdmin.Win32.RAdmin.20. No Action Taken.
File D:\BDF Radio\cool edit pro.rar tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Downloads\Games\ArcadeInstallFull14d-Yahoo.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Downloads\Games\jimmywhite.zip tagged as not-a-virus:Effect.DOS.TheDrawCold. No Action Taken.
File D:\Downloads\Games\SolSuite 2002 10.1\solsuite 10.2.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Downloads\Utilities\aawsepersonal.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Downloads\Utilities\acdc.zip tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Downloads\Utilities\Ad-aware Professional v6.0 Build 158\aaw6pro.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Downloads\Utilities\Ad-aware Professional v6.0 Build 158.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Downloads\Utilities\DivXPlayerInstaller.exe tagged as not-a-virus:Downloader.Win32.Nsis.a. No Action Taken.
File D:\Downloads\Utilities\etax2004_1.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Downloads\Utilities\HSFix.zip tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
File D:\Downloads\Utilities\McAfeeVirusScan_v8.rar tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Downloads\Utilities\mirc616.exe tagged as not-a-virus:Client-IRC.Win32.mIRC.16. No Action Taken.
File D:\Downloads\Utilities\NP2k4WinInstall.zip tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Downloads\Utilities\ow32enen800.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Downloads\Utilities\plvx2cleaner.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\etax2004\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\HSFix\Process.exe tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
File D:\Jason\MonopolyTycoon.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Program Files\Lavasoft\Ad-Aware SE Personal\Plugins\vx2cleaner\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Program Files\Lavasoft\Ad-Aware SE Personal\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\Program Files\Victor Chandler Poker\UNWISE.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\RECYCLER\S-1-5-21-1644491937-152049171-1202660629-500\Dc138\setupcep.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\RECYCLER\S-1-5-21-1644491937-152049171-1202660629-500\Dc184.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\RECYCLER\S-1-5-21-1644491937-152049171-1202660629-500\Dc188.part tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\RECYCLER\S-1-5-21-1644491937-152049171-1202660629-500\Dc189.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\RECYCLER\S-1-5-21-1644491937-152049171-1202660629-500\Dc199.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\RECYCLER\S-1-5-21-1644491937-152049171-1202660629-500\Dc210.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\RECYCLER\S-1-5-21-1644491937-152049171-1202660629-500\Dc220.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\RECYCLER\S-1-5-21-1644491937-152049171-1202660629-500\Dc244.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\RECYCLER\S-1-5-21-1644491937-152049171-1202660629-500\Dc258.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\RECYCLER\S-1-5-21-1644491937-152049171-1202660629-500\Dc261\Overlay.com tagged as not-a-virus:Effect.DOS.TheDrawCold. No Action Taken.
File D:\RECYCLER\S-1-5-21-1644491937-152049171-1202660629-500\Dc262\VirusScanProfessional.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\RECYCLER\S-1-5-21-1644491937-152049171-1202660629-500\Dc276\ArcadeInstallFull14d.EXE tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\System Volume Information\_restore{8FBDEAA1-C762-4B09-84E0-7626AC44BEDE}\RP98\A0010817.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.
File D:\System Volume Information\_restore{8FBDEAA1-C762-4B09-84E0-7626AC44BEDE}\RP98\A0011059.exe tagged as not-a-virus:Tool.Win32.Processor.20. No Action Taken.
File D:\Trudie's Recipes\etax2003_1.exe tagged as not-a-virus:Tool.Win32.Reboot. No Action Taken.

Awaiting further instructions.....

**Peebs85** · 07-03-2005, 06:37 PM

Please run an online virus scan at Panda ActiveScan. Save the results and bring them with you in your next post.

rangitamoe · 07-05-2005, 04:43 AM

Here's my Pandascan results....

Incident Status Location

Virus:Bck/CrackBox Disinfected D:\RECYCLER\S-1-5-21-1644491937-152049171-1202660629-500\Dc257.exe

**Peebs85** · 07-05-2005, 10:59 AM

Congradulations! You're clean.

Please clear your System Restore Points by doing the following:

To turn off System Restore, Click Start > right-click My Computer and then click Properties. Click the System Restore tab > Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK.

Reboot your System.

Now create a new Restore Point:

To turn on System Restore, Click Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK.

To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools provided.

Are there any problems now? If not, you should be set to go.

rangitamoe · 07-07-2005, 09:20 AM

It's all good :)

Thanks very much :))

07-02-2005, 09:31 AM	#1 (permalink)
rangitamoe Registered User Join Date: Jul 2005 Posts: 4 OS: Win XP Pro	Haxdoor-H problem - How to remove? Hi guys, After doing my regular scan with Spybot, it picked up the Haxdoor-H trojan. It said it had fixed it, but then it miraculously re-appeared again the next day. How can I safely remove this from my PC??? Below is my HijackThis Log. Please Note: I ran Spybot, Adaware SE (with VX2 cleaner) and CWShredder before running HJT. Hope you can help me out.... Logfile of HijackThis v1.99.1 Scan saved at 1:26:21 AM, on 03/07/2005 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Analog Devices\SoundMAX\SMTray.exe C:\WINDOWS\system32\CmWatch.exe C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe c:\progra~1\mcafee.com\vso\mcvsescn.exe c:\program files\mcafee.com\agent\mcagent.exe c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE C:\WINDOWS\system32\r_server.exe C:\progra~1\mcafee\MCAFEE~1\MssCli.exe C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe D:\Program Files\QuickTime\qttask.exe C:\Program Files\Common Files\Real\Update_OB\realsched.exe C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe C:\WINDOWS\system32\ctfmon.exe D:\Program Files\NetMeter\NetMeter.exe C:\Program Files\VideoMate\ComproPVR\ComproPVR.exe C:\Program Files\VideoMate\ComproPVR\Common\ComproRemote.exe c:\PROGRA~1\mcafee.com\vso\mcshield.exe c:\progra~1\mcafee.com\vso\mcvsftsn.exe C:\Program Files\Messenger\msmsgs.exe C:\Program Files\Mozilla Firefox\firefox.exe C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE D:\hijackthis\HijackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.iprimus.com.au:8080 R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = .iprimus.com.au;.primustel.com.au;.primus.com.au;192.; 172.; 127.;<local> O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program Files\Spybot - Search & Destroy\SDHelper.dll O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll O4 - HKLM\..\Run: [SiSPower] Rundll32.exe SiSPower.dll,ModeAgent O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe O4 - HKLM\..\Run: [CmCardRun] C:\WINDOWS\system32\CmWatch.exe O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe" O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\MssCli.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_02\bin\jusched.exe O4 - HKLM\..\Run: [Corel Reminder] "C:\Program Files\Corel\Graphics10\Register\NAVBrowser.exe" /r /i "C:\Program Files\Corel\Graphics10\Register\NavLoad.ini" O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb07.exe O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [D:\Program Files\NetMeter\NetMeter.exe] D:\Program Files\NetMeter\NetMeter.exe O4 - Global Startup: ComproPVR Schedule.lnk = ? O4 - Global Startup: ComproRemote.lnk = ? O4 - Global Startup: TweakYC.lnk = ? O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000 O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/sh...0/mcinsctl.cab O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1116880232859 O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/sh...23/mcgdmgr.cab O23 - Service: McAfee AntiSpyware Real-Time Scanner (McAfeeAntiSpyware) - McAfee, Inc. - c:\progra~1\mcafee\MCAFEE~1\MssSrv.exe O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing) O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

07-02-2005, 10:24 AM	#2 (permalink)
Peebs85 TSF Enthusiast Join Date: Sep 2004 Location: Milwaukee, WI -USA Posts: 547 OS: WinXP Pro	Hello rangitamoe and Welcome to TSF! I am currently reviewing your log. Please note that this is under the supervision of an expert analyst. I will be back with a fix for your problem as soon as possible. Please be patient with me during this time. We also suggest that you Subscribe to this thread to be notified of fixes as soon as they are posted by our Team. You can do this simply by clicking the "Thread Tools" button located in the original thread line and selecting "Subscribe to this Thread". __________________ TSF deutsch-sprachiger Analyst -- für jene, die Deutsch sprechen, kann ich Ihnen helfen! Senden Sie eine Nachricht und PM mich! Detah kann auch Deutsch. Donations are Welcome! -- Spenden sind Wilkommen!

07-02-2005, 02:27 PM	#3 (permalink)
Peebs85 TSF Enthusiast Join Date: Sep 2004 Location: Milwaukee, WI -USA Posts: 547 OS: WinXP Pro	Hello Again! Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order it is mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes. You should 'not' have any open browsers when you are following the procedures below. Go to My Computer->Tools/View->Folder Options->View tab and make sure that 'Show hidden files and folders' (or 'Show all files') is enabled. Also make sure that 'Display the contents of system folders' is checked. If you have Windows XP, the search feature is a little different. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are checked. For the options that you checked/enabled earlier, you may uncheck them after your log is clean. If we ask you to fix a program that you use or want to keep, please post back saying that (we don't know every program that exists, so we may tell you to delete a program that we think is bad to keep). This next tool will be for the Haxdoor.H trojan: Download and save to your C: drive HSFIX.zip Unzip the contents of HSFix.zip and an HSFix directory will be created. We'll need this later. Reboot into Safe Mode (hit F8 key until menu shows up). Make sure to close any open browsers. Go into HijackThis->Config->Misc. Tools->Open process manager. Select the following and click Kill process for each one if they are still listed (they shouldn't be - but double check it): D:\Program Files\NetMeter\NetMeter.exe Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs) if they exist: Netmeter Run a scan in HijackThis. Check each of the following and hit 'Fix checked' (after checking them) if they still exist (make sure not to miss any): O4 - HKCU\..\Run: [D:\Program Files\NetMeter\NetMeter.exe] D:\Program Files\NetMeter\NetMeter.exe O4 - Global Startup: TweakYC.lnk = ? Please remember to close all other windows, including browsers then click Fix checked. Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist. D:\Program Files\NetMeter --------------------------------------------------------------------------------------------------------------------- Navigate to the HSFix directory and double-click on HSFix.bat. It will produce a log file, located here: C:\hslog.txt Please post that log. Note Tool must be run in SAFE MODE!! --------------------------------------------------------------------------------------------------------------------- Reboot into Normal Mode run a new HijackThis scan. Save the log file and run KRC HijackThis Analyzer http://www.greyknight17.com/spy/KRC...%20Analyzer.zip in the same folder to get the result.txt log. Just post the contents of the result.txt file in your next reply. Please empty any Quarantine folder in your antivirus program and purge all recovery items in the Spybot program (if you use it) before running this tool. Download the Mwav virus checker at http://www.mwti.net/antivirus/mwav.asp (Use Link 3) 1. Save it to a folder. 2. Reboot into Safe Mode. 3. Double click the Mwav.exe file. This is a stand alone tool and NOT just a virus checker......so it won't install anything. 4. Select all local drives, scan all files, and press SCAN. When it is completed, anything found will be displayed in the lower pane. 5. In the Virus Log Information Pane...... Left click and highlight all the information in the Lower pane --- Use &CTRL C &on your keyboard to copy everything found in the lower pane and save it to a notepad file Note If prompted that a virus was found and you need to purchase the product to remove the malware, just close out the prompt and let it continue scanning. We are not going to use this to remove anything...but to ID the bad files. Once you copy that to a Notepad file...highlight the text and copy it here. So...I need to see the following things in your next post: Fresh Hijack This log C:\hslog.txt log ----> from running HSFix.bat Mwav log __________________ TSF deutsch-sprachiger Analyst -- für jene, die Deutsch sprechen, kann ich Ihnen helfen! Senden Sie eine Nachricht und PM mich! Detah kann auch Deutsch. Donations are Welcome! -- Spenden sind Wilkommen!

07-03-2005, 06:37 PM	#5 (permalink)
Peebs85 TSF Enthusiast Join Date: Sep 2004 Location: Milwaukee, WI -USA Posts: 547 OS: WinXP Pro	Please run an online virus scan at Panda ActiveScan. Save the results and bring them with you in your next post. __________________ TSF deutsch-sprachiger Analyst -- für jene, die Deutsch sprechen, kann ich Ihnen helfen! Senden Sie eine Nachricht und PM mich! Detah kann auch Deutsch. Donations are Welcome! -- Spenden sind Wilkommen!

07-05-2005, 10:59 AM	#7 (permalink)
Peebs85 TSF Enthusiast Join Date: Sep 2004 Location: Milwaukee, WI -USA Posts: 547 OS: WinXP Pro	Congradulations! You're clean. Please clear your System Restore Points by doing the following: To turn off System Restore, Click Start > right-click My Computer and then click Properties. Click the System Restore tab > Check "Turn off System Restore" or "Turn off System Restore on all drives". Click Apply. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this. Click OK. Reboot your System. Now create a new Restore Point: To turn on System Restore, Click Start. Right-click My Computer, and then click Properties. Click the System Restore tab. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives." Click Apply, and then OK. To help prevent future spyware installations/infections, please read the Anti-Spyware Tutorial http://www.greyknight17.com/spyware.htm#prevent and use the tools provided. Are there any problems now? If not, you should be set to go. __________________ TSF deutsch-sprachiger Analyst -- für jene, die Deutsch sprechen, kann ich Ihnen helfen! Senden Sie eine Nachricht und PM mich! Detah kann auch Deutsch. Donations are Welcome! -- Spenden sind Wilkommen!

07-05-2005, 04:43 AM	#6 (permalink)
rangitamoe Registered User Join Date: Jul 2005 Posts: 4 OS: Win XP Pro	Here's my Pandascan results.... Incident Status Location Virus:Bck/CrackBox Disinfected D:\RECYCLER\S-1-5-21-1644491937-152049171-1202660629-500\Dc257.exe

07-07-2005, 09:20 AM	#8 (permalink)
rangitamoe Registered User Join Date: Jul 2005 Posts: 4 OS: Win XP Pro	It's all good :) Thanks very much :))