Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads

Old 11-28-2005, 05:38 PM   #1 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 29
OS: XP


My HiJack Log

Logfile of HijackThis v1.97.7
Scan saved at 6:28:48 PM, on 11/28/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\system32\fcrsvdq.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\MSN Apps\Updater\01.05.0000.1009\en-us\msnappau.exe
C:\WINDOWS\regedit.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\Program Files\Microsoft AntiSpyware\gcasServAlert.exe
C:\Documents and Settings\Jason\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.intuit.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=w...QIDiZvqyDPoYAM
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.alltheinternet.com
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309020.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O2 - BHO: (no name) - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - C:\Program Files\Starware\bin\Starware.dll (file missing)
O2 - BHO: (no name) - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - C:\Program Files\TBONAS\TBONlchr.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program Files\Starware\bin\Starware.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [idbfrz] C:\WINDOWS\system32\fcrsvdq.exe r
O4 - HKLM\..\Run: [nnbauf] C:\WINDOWS\system32\jqfbop.exe r
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZRxdm185YYUS
O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O9 - Extra button: Ebates (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.intuit.com/
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get...irector/sw.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1132191013218
O16 - DPF: {70522FA0-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} - http://v4.windowsupdate.microsoft.co...614.6177546296
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/s...sh/swflash.cab
Socha_62 is offline  
Old 11-28-2005, 06:53 PM   #2 (permalink)
Analyst, Security Team
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP


Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Special Note:
Microsoft AntiSpyware Program:
Because of recent changes in the way this program now defines and detects spyware/adware, it is no longer recommended as a spyware removal tool. Microsoft has downgraded several adware/spyware programs that it used to detect and remove and now lists them simply as “Ignore”.

These are some of the adware/spyware programs that this program will NOT prompt you to remove: Claria, 180Solutions, WhenU, New.net, most WhenU apps, eZula, TopText, Gain/Gator, and Webhancer. These are all known adware/spyware programs and hijackers. Basically this product can no longer be trusted. We recommend you uninstall it.

Viewing Hidden Files
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Downloads (make sure to save these in a permanent location)
dsrfix.zip by Attribune - Unzip it to its own folder on your desktop.
Cleanup! (Alternate Link) - Install it. You will use this later.

*NOTE* Cleanup deletes EVERYTHING out of temporary folders and does not make backups.

Ewido Security Suite
  • Install Ewido Security Suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Double-click the icon on Desktop to launch Ewido
You will need to update Ewido to the latest definition files.
  • On the left hand side of the main screen click update.
  • Then click on Start Update.
The update will start and a progress bar will show the updates being installed.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

Ad-aware - Install it if you don't have it already. Make sure it's the newest version and check for any updates before running it. Also download the VX2 plugin to download the plug-in for fixing VX2 variants. To run this tool, go into Ad-aware->Add-ons and select VX2 Cleaner. Then click Run Tool and OK to start it. If it's clean, it will say Status System Clean. Otherwise, you will have to click on the Clean button to remove the VX2 infection. Also make sure to customize the settings in Ad-aware as described on this page for better scan results. Run the scan and fix everything that it finds.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

Add/Remove
Click > Start > Control Panel > Add / Remove Programs and uninstall the following programs:
Starware
EbatesMoeMoneyMaker
Best Offers

HijackThis!
Open Hijack This and click on Scan. Check the following entries (make sure you do not miss any)
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=w...QIDiZvqyDPoYAM
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.alltheinternet.com
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O2 - BHO: (no name) - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - C:\Program Files\Starware\bin\Starware.dll (file missing)
O2 - BHO: (no name) - {F5DE8ADB-4A69-4e56-96AB-823171C8E9D8} - C:\Program Files\TBONAS\TBONlchr.dll
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O3 - Toolbar: Starware - {D49E9D35-254C-4c6a-9D17-95018D228FF5} - C:\Program Files\Starware\bin\Starware.dll (file missing)
O3 - Toolbar: BestOffers Shopping v1.20 - {7FD44536-9DF0-4034-939F-5BD4D98E3187} - C:\Program Files\TBONAS\TBONlchr.dll
O4 - HKLM\..\Run: [idbfrz] C:\WINDOWS\system32\fcrsvdq.exe r <<< This entry may have a new name. Please check any entry that appears to be random letters and has the single letter r at the end.
O4 - HKLM\..\Run: [nnbauf] C:\WINDOWS\system32\jqfbop.exe r <<< This entry may have a new name. Please check any entry that appears to be random letters and has the single letter r at the end.
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZRxdm185YYUS
O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
O9 - Extra button: Ebates (HKCU)
O16 - DPF: {70522FA0-4656-11D5-B0E9-0050DAC24E8F} - http://cc.iwon.com/ct/pm3/iwonpm_12_1,0,2,5.cab

Please remember to close all other windows, including browsers then click Fix checked.

File and Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
C:\Program Files\Starware
C:\Program Files\TBONAS
C:\Program Files\Ebates_MoeMoneyMaker


Tools
Now open the folder dsrfix on your desktop. Double-Click on dsrfix.bat. A window will pop up briefly then close, this is normal.

Open Cleanup! by double-clicking the icon on your desktop (or from Start > All Programs). Set the program up as follows:

Click Options
Move the slider button down to Custom CleanUp!

Check the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
Uncheck the following:
  • Scan local drives for temporary files

Click OK, then press the CleanUp! button to start the program. If prompted to reboot, press No.

Run Ewido with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop

** This scan may take over an hour, after choosing the action for the first item you do not need to stay at the PC.

Reboot your system in Normal Mode.

Online Scans
Perform an online scan with Internet Explorer with Panda ActiveScan
** click on "Free use ActiveScan" located on the top right hand corner
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...this begins downloading Panda's 8 MB ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan


In your next post please include:
  • Ewido Log
  • Panda Activescan Log
  • A new Hijackthis! Log
Vikesrock8411 is offline  
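The analyst's fix list above is built from a handful of indicators that can be read straight off the HijackThis log: a system.ini Shell= line that loads anything besides Explorer.exe, O4 Run entries with a random-letter name and a lone "r" argument, O2/O3 registrations whose file is missing, and R0/R1 search settings that point at an unknown host. The Python checker below is an added example, not code from the thread or from HijackThis, that applies those same indicators to log lines. The sample lines are copied from the log posted in this thread; the ALLOWED_SEARCH_HOSTS allow-list and the RANDOM_NAME_RE heuristic are my assumptions, not something the analyst stated.

```python
"""Flag the HijackThis log indicators an analyst looks for (added example)."""
import re
from urllib.parse import urlparse

# Sample lines copied from the HijackThis log posted earlier in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://websearch.drsnsrch.com/sidesearch.cgi?id=
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F0 - system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {CA356D79-679B-4b4c-8E49-5AF97014F4C1} - C:\Program Files\Starware\bin\Starware.dll (file missing)
O3 - Toolbar: (no name) - {2CDE1A7D-A478-4291-BF31-E1B4C16F92EB} - (no file)
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [idbfrz] C:\WINDOWS\system32\fcrsvdq.exe r
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"""

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"\[(?P<name>[^\]]*)\]\s*(?P<cmd>.*)$")
# Assumption: "random letters" is approximated as 5-8 lowercase letters.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}$")
SEARCH_KEYS = ("Search Bar", "Search Page", "CustomizeSearch", "SearchAssistant", "Local Page")
# Assumption: illustrative allow-list of search hosts; tune it to your environment.
ALLOWED_SEARCH_HOSTS = {"www.microsoft.com", "www.msn.com", "search.msn.com", "www.google.com"}


def parse_line(line):
    """Split a HijackThis line into its section code (R1, O4, ...) and body."""
    m = LINE_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def check_shell(section, body):
    """F0/F2: the Shell= value should name Explorer.exe and nothing else."""
    if section in ("F0", "F2") and "Shell=" in body:
        tokens = body.split("Shell=", 1)[1].split()
        extras = [t for t in tokens if t.lower() != "explorer.exe"]
        if extras:
            return "Shell= loads extra executable(s): " + ", ".join(extras)
    return None


def check_run(section, body):
    """O4: random-letter Run name combined with a single 'r' argument."""
    if section != "O4":
        return None
    m = RUN_RE.search(body)
    if not m:
        return None
    name, parts = m.group("name"), m.group("cmd").split()
    if len(parts) >= 2 and parts[-1] == "r" and RANDOM_NAME_RE.match(name):
        return f"Run entry [{name}] has a random-letter name and a lone 'r' argument"
    return None


def check_bho_toolbar(section, body):
    """O2/O3: registration left behind after its DLL was removed or never existed."""
    if section in ("O2", "O3") and ("(file missing)" in body or "(no file)" in body):
        return "BHO/toolbar registration points at a file that does not exist"
    return None


def check_search(section, body):
    """R0/R1: browser search/start settings pointing at an unknown host."""
    if section not in ("R0", "R1"):
        return None
    key, sep, value = body.partition(" = ")
    if not sep or not any(key.endswith("," + k) for k in SEARCH_KEYS):
        return None
    host = urlparse(value.strip()).hostname
    if host and host not in ALLOWED_SEARCH_HOSTS:
        return f"browser search setting points at {host}"
    return None


CHECKS = (check_shell, check_run, check_bho_toolbar, check_search)


def analyze(log_text):
    """Return one finding dict per (line, check) that fires."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if not parsed:
            continue
        section, body = parsed
        for check in CHECKS:
            reason = check(section, body)
            if reason:
                findings.append({"section": section, "reason": reason, "line": raw.strip()})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['section']}: {f['reason']}\n    {f['line']}")
```

Run against the sample it reports five entries: the drsnsrch.com search bar, the Nail.exe Shell= hijack, the missing Starware BHO, the orphaned toolbar, and the [idbfrz] Run entry; the Acrobat BHO, the ProxyOverride line, gcasServ and msnmsgr pass. Note that "(no name)" by itself is deliberately not treated as an indicator, since the log shows legitimate BHOs such as Acrobat's helper registered without a name.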
Old 11-30-2005, 05:30 PM   #3 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 29
OS: XP


Thanks for the help.


Ewido Log:

---------------------------------------------------------
ewido security suite - Scan report
---------------------------------------------------------

+ Created on: 7:00:01 PM, 11/30/2005
+ Report-Checksum: 35878D40

+ Scan result:

HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Spyware.WebRebates : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/abasa5jrp_.exe\\.Owner -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/abasa5jrp_.exe\\{C0EF89EE-EEC7-4535-A041-F1EBF79560A7} -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/abasa5jrp_.ini\\.Owner -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/abasa5jrp_.ini\\{C0EF89EE-EEC7-4535-A041-F1EBF79560A7} -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/hochkaod3_.exe\\.Owner -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/hochkaod3_.exe\\{C0EF89EE-EEC7-4535-A041-F1EBF79560A7} -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/hochkaod3_.ini\\.Owner -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/hochkaod3_.ini\\{C0EF89EE-EEC7-4535-A041-F1EBF79560A7} -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/lkir8l2gm_.dll\\.Owner -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/lkir8l2gm_.dll\\{C0EF89EE-EEC7-4535-A041-F1EBF79560A7} -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/u6f6uftuc_.exe\\.Owner -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/u6f6uftuc_.exe\\{C0EF89EE-EEC7-4535-A041-F1EBF79560A7} -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/u6f6uftuc_.ini\\.Owner -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/u6f6uftuc_.ini\\{C0EF89EE-EEC7-4535-A041-F1EBF79560A7} -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/WEBInstaller.dll\\.Owner -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/CONFLICT.1/WEBInstaller.dll\\{C0EF89EE-EEC7-4535-A041-F1EBF79560A7} -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/dp5000.dll\\.Owner -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/Downloaded Program Files/dp5000.dll\\{5053A978-5972-4D8E-BEC7-3E8D4BC6B830} -> Dialer.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/mfc42.dll\\{C0EF89EE-EEC7-4535-A041-F1EBF79560A7} -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/msvcrt.dll\\{C0EF89EE-EEC7-4535-A041-F1EBF79560A7} -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ModuleUsage\C:/WINDOWS/System32/olepro32.dll\\{C0EF89EE-EEC7-4535-A041-F1EBF79560A7} -> Spyware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\70tovmto -> Spyware.SAHA : Cleaned with backup
HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors\ZepMon -> Spyware.BetterInternet : Cleaned with backup
HKU\.DEFAULT\Software\Ceres -> Spyware.BetterInternet : Cleaned with backup
HKU\S-1-5-19\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
HKU\S-1-5-20\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{c95fe080-8f5d-11d2-a20b-00aa003c157a} -> Spyware.Alexa : Cleaned with backup
HKU\S-1-5-21-1417001333-1580818891-1708537768-1008\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{10E42047-DEB9-4535-A118-B3F6EC39B807} -> Spyware.SideFind : Cleaned with backup
HKU\S-1-5-21-1417001333-1580818891-1708537768-1008\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\\{6685509E-B47B-4f47-8E16-9A5F3A62F683} -> Spyware.MoneyMaker : Cleaned with backup
HKU\S-1-5-21-1417001333-1580818891-1708537768-1008\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{CA0B9B71-C2AF-11D3-B376-0800460222F0} -> Spyware.iWon : Cleaned with backup
HKU\S-1-5-21-1417001333-1580818891-1708537768-1008\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\\{0494D0D9-F8E0-41AD-92A3-14154ECE70AC} -> Spyware.MyWay : Cleaned with backup
HKU\S-1-5-21-1417001333-1580818891-1708537768-1008\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{6685509E-B47B-4F47-8E16-9A5F3A62F683} -> Spyware.MoneyMaker : Cleaned with backup
HKU\S-1-5-21-1417001333-1580818891-1708537768-1008\Software\_dsktptr -> Spyware.DesktopTraffic : Cleaned with backup
HKU\S-1-5-21-1417001333-1580818891-1708537768-1008\Software\_dsktptr\kkws -> Spyware.DesktopTraffic : Cleaned with backup
HKU\S-1-5-21-1417001333-1580818891-1708537768-1008\Software\_dsktptr\ppops -> Spyware.DesktopTraffic : Cleaned with backup
HKU\S-1-5-21-1417001333-1580818891-1708537768-1008\Software\_dsktptr\ssites -> Spyware.DesktopTraffic : Cleaned with backup
HKU\S-1-5-18\Software\Ceres -> Spyware.BetterInternet : Cleaned with backup
C:\WINDOWS\SYSTEM32\gfggfb -> Trojan.Agent.ic : Cleaned with backup
C:\WINDOWS\SYSTEM32\P2ECOM.dll -> Trojan.P2E.r : Cleaned with backup
C:\WINDOWS\SYSTEM32\70tovmto.ini -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\SYSTEM32\f3PSSavr.scr -> Spyware.MyWebSearch : Cleaned with backup
C:\WINDOWS\STWSI\update.exe -> TrojanDownloader.Dyfuca.a : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\u6f6uftuc_.ini -> Adware.SAHA : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\hochkaod3_.exe -> Adware.SAHA : Cleaned with backup
C:\Program Files\MSN Messenger\riched20.dll -> Spyware.MyWebSearch : Cleaned with backup
C:\Program Files\Spybot - Search & Destroy\Includes\Hosts.sbs -> Trojan.Qhost.ew : Cleaned with backup
C:\Program Files\LoveFreeGames\thin.exe -> Adware.BetterInternet : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\371E428B-7900-4DFD-88B2-699F3B\DC3AA90E-DEA9-465D-9B71-A29EB3 -> Trojan.Agent.ic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A4601AAC-A77A-49E9-8D92-432559\D3502083-4099-41E9-A2B3-83BE91 -> Trojan.Agent.db : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\7F7EBC32-15A0-412E-B7C9-070791\DDEC1EC9-1207-4AC3-B00F-9B0AD4 -> Trojan.Agent.ic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\10D246C2-FA7A-4F41-8CEF-1F5FDE\BC76344D-66DA-49D6-A720-CD60F7 -> Trojan.Agent.ic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\0C1CC1AE-3E60-4670-8C96-9CBC50\411FDCB0-147B-4DAC-BD63-F98DB9 -> Trojan.Agent.ic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\3AF46563-D03D-4259-96E2-CE2DE1\3A4A243A-A831-49A7-A633-9229AF -> Trojan.Agent.ic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\8ED6A0B5-5F09-4B9C-91DA-37212C\A83F1EDA-BCDA-4305-B549-797A0E -> Trojan.Agent.ic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\D73611FB-7017-4803-AA93-AEEA73\7D25B307-3943-4146-82EF-5D6643 -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\67ED4C58-B3CC-471C-A341-74A802\F8226A18-D7F4-4580-BE1E-B7DC35 -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\08509237-1ADF-448F-A661-6CA629\912125B3-798B-4DA8-A823-1BEA92 -> Trojan.Agent.ic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\47D73658-665C-4013-B661-E5F3BF\01A1C073-DF61-4961-819B-D9659E -> Trojan.Imiserv.c : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\AE90648B-FCCF-4C33-869A-B3EEE4\67AA90FF-7A76-42FE-9269-C70214 -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\50CFF38C-AFEC-4C34-8DB2-C561C4\3B2C2E96-4170-48B9-8DAF-4A9491 -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\9C8C0C3E-7061-4D27-BE11-1385BA\75FAAADC-6718-4BAA-A489-A77DFA -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\F6177B6C-F285-4284-8143-BA1E3A\523A3A69-C554-4DDA-B87E-D9314C -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\20776D2C-8AFA-44AA-B655-78054B\5141C71F-80FB-4A14-91DF-009B01 -> Trojan.Agent.ic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\8D3BE8FD-B70F-4780-B479-302C2C\0D2800B9-F357-4B1C-9342-041C45 -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\5384D5F0-0C5E-467E-AF7D-0FA768\261180B1-F94C-456F-934C-5F5ACD -> Trojan.Agent.ic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A22CF73A-F1ED-4A48-B383-A3D17F\021EC7B4-1C70-4C79-ADD1-DD6B24 -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\49B24B36-3C40-4DD2-9BF9-CC3869\39D86E3A-369C-426C-9E66-58F710 -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\E8723F47-DFFA-4CB0-92A2-2BF3D4\EA180C1D-7960-4269-917C-8CFBF0 -> Trojan.Agent.ic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\8CD263D2-8AB5-4F02-B705-0256CF\CA2C6AC4-982B-4851-BC55-2B342F -> Trojan.Agent.ic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\C6BA0B49-9EA6-4809-BAA4-5EBC5B\37462466-87B1-4476-9148-CECCF6 -> Trojan.Agent.ic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\54AB0482-BAF1-468F-99E6-904B93\4DD018A4-9EC1-4BE5-8822-B7F8F6 -> Trojan.Imiserv.c : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\54AB0482-BAF1-468F-99E6-904B93\7B6A3BD2-2E70-4AD9-A263-54C7C4 -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\5A4BA9C0-2129-4D32-A8A5-AC7301\12F4444B-596F-4509-80EA-8AE1C1 -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\518924A5-DE12-4BDD-96F0-1014B2\166FA975-DD02-4D4D-AF4B-E642C8 -> Trojan.Agent.ic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\91C39C9E-F976-405E-B90C-61CC7A\5C061DFD-106E-4E6F-AC43-005AE2 -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\0AA68CF7-6283-49F7-84FD-EB47CB\60F0612D-56C8-4BB9-818B-889984 -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\71C972AE-F657-438D-A40A-84F3D6\66780C50-8266-4451-88AD-8D86E9 -> Trojan.Agent.ic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\6E675801-2E74-421C-BB83-891493\5B2F6A04-2544-428B-985E-5DCDC2 -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\F9A638F1-CB78-44AB-83CA-4BB7F3\62AC3404-F680-4AC1-9390-C716C9 -> Trojan.Agent.ic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\4494FC44-E80B-479B-B73C-DF129F\6279611D-1914-42DC-9E55-461C12 -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\A6CE6E09-2426-4FD2-84D6-16A4C0\1B8A9290-0300-4E93-9EBF-54897C -> Trojan.Agent.ic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\BB4F0B83-4644-4D47-9C21-515F7C\01DA5D0C-4088-4423-BDBF-1B3CE8 -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\0544D707-E413-4FBF-B11C-E73BC9\4821C50E-9A54-4B0D-8008-FF2E7A -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\69DAFDBF-C05A-4789-88DA-CC14B0\3D27D868-BAC5-4325-B11E-2EBC86 -> Trojan.Agent.ic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\67FF5CCD-B91A-41B5-9E0B-D2A20B\DE9A60EE-54BF-4A40-B46B-66C148 -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\4F9DAE9A-3726-4EA8-8152-FF4FD7\43354DC4-48DF-4081-BB51-365A2D -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\F75190F6-9D28-4A73-A129-22E6BB\D74F0ED9-9CED-40BB-BB7A-2F5FD4 -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\FA53F6E0-7725-4446-A75C-505E53\B55BBFDC-63D5-49F9-8B24-D774C5 -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\43A5A773-7735-438D-9649-4173E6\332806F2-868A-4DB4-9619-6D31C1 -> Spyware.Hijacker.Generic : Cleaned with backup
C:\Documents and Settings\Jason\My Documents\MsgPlus-221.exe/70000011.exe -> TrojanDownloader.Swizzor.g : Cleaned with backup
C:\Documents and Settings\Jason\Cookies\jason@tribalfusion[1].txt -> Spyware.Cookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Jason\Cookies\jason@msnportal.112.2o7[1].txt -> Spyware.Cookie.2o7 : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP756\A0107731.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP756\A0108084.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP757\A0108104.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP757\A0108131.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP757\A0109112.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP759\A0109137.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP759\A0109151.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP761\A0109225.dll -> Trojan.Agent.ic : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP761\A0109310.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP761\A0109316.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP761\A0109332.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP761\A0109340.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP761\A0109509.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP761\A0109510.EXE -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP761\A0109520.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP761\A0109524.EXE -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP761\A0109533.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP761\A0109566.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP761\A0109573.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP761\A0109574.EXE -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP761\A0109584.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP762\A0109592.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP762\A0109598.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP762\A0109599.EXE -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP763\A0109612.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP763\A0109618.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP763\A0109627.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP764\A0109630.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP764\A0109636.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP765\A0109639.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP765\A0109645.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP765\A0110646.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP766\A0110661.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP766\A0110663.EXE -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP767\A0110670.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP767\A0110676.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP767\A0110678.EXE -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP770\A0110695.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP770\A0110701.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP771\A0110706.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP772\A0110712.dll -> Trojan.Agent.ic : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP772\A0110721.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP772\A0110722.EXE -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP772\A0110724.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP772\A0110725.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP773\A0110727.dll -> Trojan.Agent.ic : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP773\A0110734.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP773\A0110761.EXE -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP773\A0110763.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP773\A0110764.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP774\A0110783.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP774\A0110786.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP774\A0110787.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP774\A0110788.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP775\A0111736.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP776\A0111737.dll -> Trojan.Agent.ic : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP776\A0111738.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP776\A0111744.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP776\A0111745.EXE -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP776\A0111747.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP776\A0111748.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP776\A0111756.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP776\A0111760.EXE -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP777\A0111763.dll -> Trojan.Agent.ic : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP777\A0111772.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP777\A0111777.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP777\A0111778.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP778\A0111783.dll -> Trojan.Agent.ic : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP778\A0111785.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP779\A0111792.dll -> Trojan.Agent.ic : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP779\A0111796.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP779\A0111797.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP779\A0111799.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP779\A0111805.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP780\A0111811.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP781\A0112815.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP781\A0112816.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP781\A0112818.dll -> Trojan.Agent.ic : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP781\A0112823.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP781\A0112832.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP781\A0112844.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP781\A0112850.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP781\A0112857.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP782\A0112858.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP782\A0112876.dll -> Trojan.Agent.ic : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP782\A0112878.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP782\A0112879.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP782\A0112883.dll -> Trojan.Agent.ic : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP782\A0112888.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP782\A0112889.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP782\A0113897.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP783\A0113898.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP783\A0113907.dll -> Trojan.Agent.ic : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP783\A0113911.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP783\A0113912.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP783\A0113914.dll -> Trojan.Agent.ic : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP783\A0113927.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP783\A0113928.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP783\A0113933.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP783\A0113934.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP783\A0113935.dll -> Trojan.Agent.ic : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP783\A0113936.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP785\A0113974.dll -> Trojan.Agent.ic : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP785\A0113980.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP785\A0113981.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP785\A0113982.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP786\A0113984.dll -> Trojan.Agent.ic : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP786\A0113986.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP786\A0114980.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP787\A0114987.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP787\A0114988.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP787\A0114989.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP788\A0115060.exe -> Spyware.Hijacker.Generic : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP788\A0115061.dll -> Trojan.Agent.ic : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP788\A0115062.exe -> Adware.BetterInternet : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP789\A0115070.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP789\A0115071.exe -> Trojan.Poler.a : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP789\A0115080.exe -> TrojanDownloader.Intexp.d : Cleaned with backup
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP789\A0115085.exe -> Spyware.Hijacker.Generic : Cleaned with backup


::Report End

--------------------------------------------------------------------------

ActiveScan Log:


Incident Status Location

Dialer:dialer.b Not disinfected C:\WINDOWS\SYSTEM32\P2ECOM.dll
Spyware:spyware/virtumonde Not disinfected C:\WINDOWS\dpusys.ini
Adware:adware/beginto Not disinfected C:\WINDOWS\SYSTEM32\cache32_dsktptr
Adware:adware/dyfuca Not disinfected C:\WINDOWS\STWSI
Adware:adware/wupd Not disinfected Windows Registry
Dialer:Dialer.B Not disinfected C:\WINDOWS\SYSTEM32\P2ECOM.dll
Adware:Adware/Dyfuca Not disinfected C:\WINDOWS\STWSI\update.exe
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\hochkaod3_.ini
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\u6f6uftuc_.ini
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\abasa5jrp_.ini
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\hochkaod3_.exe
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\u6f6uftuc_.exe
Adware:Adware/SAHAgent Not disinfected C:\WINDOWS\Downloaded Program Files\CONFLICT.1\lkir8l2gm_.dll
Adware:Adware/BrilliantDigital Not disinfected C:\Program Files\KaZaA Lite\bdcore.dll.updpnd
Adware:Adware/Lop Not disinfected C:\Program Files\Sizesetupooze\part show.exe
Adware:Adware/IWon Not disinfected C:\Program Files\Microsoft AntiSpyware\DeactivatedItems\D34F5AF5-24EB-4F79-B79B-3ACDEF.asq
Adware:Adware/ISearch Not disinfected C:\install.cab
Adware:Adware/ISearch Not disinfected C:\install.cab[initial.inf]
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Jason\My Documents\Win MX\Lop-Sucks.exe
Adware:Adware/Lop Not disinfected C:\Documents and Settings\Jason\My Documents\lopremove.exe
Virus:Exploit/CodeBase.A Not disinfected C:\install.htm
-------------------------------------------------------------------------

New HiJackThis! Log

Logfile of HijackThis v1.97.7
Scan saved at 8:28:52 PM, on 11/30/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\RealVNC\VNC4\winvnc4.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jason\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309020.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get...irector/sw.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1132191013218
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab

--------------------------------------------------------------------------
Old 11-30-2005, 05:55 PM   #4 (permalink)
Analyst, Security Team
 
 
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP


Please print out or copy this page to Notepad in order to assist you when carrying out the following instructions.

Ewido managed to clean a lot off your system...but it got a little carried away.
Please launch Ewido and click the quarantine button on the left side. Highlight each of these files then click Restore
C:\Program Files\MSN Messenger\riched20.dll
C:\Program Files\Spybot - Search & Destroy\Includes\Hosts.sbs


Ewido also seemed to mess with your Restore Point so I would like to set a new one before we continue.
Go to Start >> Run - type control sysdm.cpl,,4 & press Enter.
  • Tick the checkbox - Turn off System Restore on all drives
  • Click Apply
  • Turn it back 'On' by unticking the same checkbox & click OK

Viewing Hidden Files
Go to My Computer >Tools >Folder Options >View tab and make sure that Show hidden files and folders is enabled. Also make sure that the System Files and Folders are showing / visible. Uncheck the Hide protected operating system files option.

Downloads(make sure to save these in a permanent location)
Findlop by Metallica. Unzip it to your desktop.

Reboot your system in Safe Mode (By repeatedly tapping the F8 key until the menu appears).

We need to make it so you can see some files that would otherwise be invisible to you. Please go to Start>Run>Type regsvr32 /u occache.dll

File and Folder Deletions
Delete the following Files indicated in RED and Folders indicated in BLUE if they still exist.
C:\WINDOWS\SYSTEM32\cache32_dsktptr
C:\WINDOWS\STWSI
C:\Program Files\LoveFreeGames
C:\Program Files\Sizesetupooze
C:\WINDOWS\Downloaded Program Files\CONFLICT.1
C:\WINDOWS\SYSTEM32\P2ECOM.dll
c:\Windows\Nail.exe
C:\WINDOWS\dpusys.ini
C:\install.cab
C:\Documents and Settings\Jason\My Documents\Win MX\Lop-Sucks.exe
C:\Documents and Settings\Jason\My Documents\lopremove.exe
C:\install.htm


Now we need to hide those files again. Please go to Start>Run> Type regsvr32 occache.dll

Reboot your system in Normal Mode.

Double click findlop.bat. It will open a notepad file.
Copy the content of that file and paste it here in your reply.

Online Scans
Please open IE and go to
Kaspersky WebScanner

Next Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Standard
    • Scan Options:
    • Scan Archives
    • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • This program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

* Turn off the real time scanner of any existing antivirus program while performing the online scan

In your next post please include:
  • Find Lop log
  • Kaspersky Log
  • A new Hijackthis! Log
Old 12-01-2005, 12:11 PM   #5 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 29
OS: XP


Didn't find

C:\WINDOWS\SYSTEM32\P2ECOM.dll
c:\Windows\Nail.exe

to delete it, so I'm assuming that's good. And

C:\Documents and Settings\Jason\My Documents\Win MX\Lop-Sucks.exe

was actually

C:\Documents and Settings\Jason\My Documents\Win MX\Lopremove.exe

and also

C:\Documents and Settings\Jason\My Documents\lopremove.exe

was nowhere to be found. Anyway, here are the logs you need







Find Lop Log:

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'Tune-up Application Start.job'
[TRACE] Printing all job properties

ApplicationName: 'walign'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'mleo'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 00/00/0000 0:00:00
NextRun: 12/03/2005 9:00:00
StartError: SCHED_E_ACCOUNT_INFORMATION_NOT_SET
ExitCode: 0
Status: SCHED_S_TASK_HAS_NOT_RUN
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 1
KillIfGoingOnBatteries = 1
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 0
TaskFlags: 0

8 Triggers

Trigger 0:
Type: MonthlyDOW
Week: 1
DaysOfTheWeek: ...W...
Months: JanFebMarAprMayJunJulAugSepOctNovDec
StartDate: 11/22/1997
EndDate: 00/00/0000
StartTime: 09:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

Trigger 1:
Type: MonthlyDOW
Week: 1
DaysOfTheWeek: ...W...
Months: JanFebMarAprMayJunJulAugSepOctNovDec
StartDate: 11/22/1997
EndDate: 00/00/0000
StartTime: 14:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

Trigger 2:
Type: MonthlyDOW
Week: 1
DaysOfTheWeek: ...W...
Months: JanFebMarAprMayJunJulAugSepOctNovDec
StartDate: 11/22/1997
EndDate: 00/00/0000
StartTime: 19:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

Trigger 3:
Type: MonthlyDOW
Week: 1
DaysOfTheWeek: ...W...
Months: JanFebMarAprMayJunJulAugSepOctNovDec
StartDate: 11/22/1997
EndDate: 00/00/0000
StartTime: 23:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

Trigger 4:
Type: MonthlyDOW
Week: 1
DaysOfTheWeek: ......A
Months: JanFebMarAprMayJunJulAugSepOctNovDec
StartDate: 11/22/1997
EndDate: 00/00/0000
StartTime: 09:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

Trigger 5:
Type: MonthlyDOW
Week: 1
DaysOfTheWeek: ......A
Months: JanFebMarAprMayJunJulAugSepOctNovDec
StartDate: 11/22/1997
EndDate: 00/00/0000
StartTime: 14:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

Trigger 6:
Type: MonthlyDOW
Week: 1
DaysOfTheWeek: ......A
Months: JanFebMarAprMayJunJulAugSepOctNovDec
StartDate: 11/22/1997
EndDate: 00/00/0000
StartTime: 19:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

Trigger 7:
Type: MonthlyDOW
Week: 1
DaysOfTheWeek: ......A
Months: JanFebMarAprMayJunJulAugSepOctNovDec
StartDate: 11/22/1997
EndDate: 00/00/0000
StartTime: 23:00
MinutesDuration: 0
MinutesInterval: 0
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


[TRACE] Activating job 'PCHealth Scheduler for Data Collection.job'
[TRACE] Printing all job properties

ApplicationName: 'C:\WINDOWS\PCHEALTH\SUPPORT\PCHSCHD.EXE'
Parameters: ' -c'
WorkingDirectory: ''
Comment: 'Scheduled Task for PC Health Scheduler (Data Collection)'
Creator: 'socha'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 5
IdleDeadline: 32767
MostRecentRun: 09/22/2002 14:34:00
NextRun: 12/01/2005 14:34:00
StartError: SCHED_E_ACCOUNT_INFORMATION_NOT_SET
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 1
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 0
SystemRequired = 0
Hidden = 0
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 09/22/2002
EndDate: 00/00/0000
StartTime: 20:34
MinutesDuration: 1440
MinutesInterval: 360
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0


-------------------------------------------------------------------------------------

Kaspersky Log:

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Thursday, December 01, 2005 15:05:40
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 1/12/2005
Kaspersky Anti-Virus database records: 152870
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics:
Total number of scanned objects: 80366
Number of viruses found: 7
Number of infected objects: 19
Number of suspicious objects: 0
Duration of the scan process: 5075 sec

Infected Object Name - Virus Name
C:\Program Files\Microsoft AntiSpyware\Quarantine\821052FB-AA63-4442-BBE4-FE06BC\6D56813A-3EFC-40A4-B47A-155EAC Infected: Trojan.Win32.Agent.ic
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06E80000.VBN Infected: Trojan-Downloader.Win32.Small.vq
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06C00000.VBN Infected: Exploit.VBS.Phel.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06A80000.VBN Infected: Exploit.VBS.Phel.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06A80001.VBN Infected: Exploit.HTML.Mht
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06C40000.VBN Infected: Exploit.HTML.Mht
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04200000.VBN Infected: Exploit.HTML.Mht
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\04640000.VBN Infected: Exploit.VBS.Phel.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\06FC0000.VBN Infected: Exploit.VBS.Phel.a
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03400000.VBN Infected: Exploit.HTML.Mht
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03500000.VBN Infected: Exploit.HTML.Mht
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03200000.VBN Infected: Exploit.HTML.Mht
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\03200001.VBN Infected: Exploit.HTML.Mht
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FAC0002.VBN Infected: Exploit.HTML.Mht
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus Corporate Edition\7.5\Quarantine\0FAC0003.VBN Infected: Exploit.HTML.Mht
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP789\A0115066.dll Infected: Trojan.Win32.Agent.ic
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP799\A0116886.dll Infected: Trojan.Win32.P2E.r
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP799\A0116888.exe Infected: Trojan-Downloader.Win32.Dyfuca.a
C:\System Volume Information\_restore{8247BACA-9A17-40B3-B93E-8DFA64C1AB3F}\RP799\A0117993.exe Infected: Trojan-Downloader.Win32.Swizzor.bo

Scan process completed.

--------------------------------------------------------------------------------

HiJackThis Log:

Logfile of HijackThis v1.97.7
Scan saved at 3:08:08 PM, on 12/1/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Jason\My Documents\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309020.dll
O2 - BHO: (no name) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\Run: [LexmarkPrinTray] PrinTray.exe
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\evntsvc.exe -osboot
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O9 - Extra button: Yahoo! Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Yahoo! Messenger (HKLM)
O9 - Extra button: Messenger (HKLM)
O9 - Extra 'Tools' menuitem: Windows Messenger (HKLM)
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/k...an_unicode.cab
O16 - DPF: {166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control) - http://fpdownload.macromedia.com/get...irector/sw.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1132191013218
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab

---------------------------------------------------------------------------------


I guess this is what happens when you leave your parents along with the computer for a few months!
Socha_62 is offline  
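A HijackThis log is just a list of autostart and browser-extension locations, so the first thing a reviewer does with it is exactly what the analyst below does by eye: walk the entries and pick out the ones that deserve a second look. The script below is an added example (my own code, not from this thread and not part of HijackThis) that parses the "Xn - ..." entry lines and applies a few generic checks: an O4 Run entry that names a bare executable is resolved through the search path rather than a fixed location; an 8.3 short path hides the real folder name; an unnamed BHO needs its DLL identified; one DLL registered under several CLSIDs (the MSN toolbar's BHO and O3 entries in the log above point at the same msntb.dll) should be confirmed as expected; and the F2 UserInit value is compared against the stock one. The sample lines are copied from the posted log; the checks are heuristics, not a verdict on this machine. It assumes Python 3.9 or later and, for the UserInit check, a system root of C:\WINDOWS as the log shows.

```python
"""Parse HijackThis (v1.x) entry lines and flag items worth a second look.

Added example, not code from the forum thread or from HijackThis itself.
The sample lines are copied from the log posted above; the checks are
generic heuristics and do not say anything is malicious.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Copied from the posted log; a few lines per section are enough to exercise each check.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\Userinit.exe
O2 - BHO: (no name) - {029CA12C-89C1-46a7-A3C7-82F2F98635CB} - C:\Program Files\Kontiki\bin\bh309020.dll
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [LexStart] Lexstart.exe
O4 - HKLM\..\RunServices: [RegisterDropHandler] C:\PROGRA~1\TEXTBR~1.0\Bin\REGIST~1.EXE
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
""".strip()

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
O4_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
URL_RE = re.compile(r"https?://\S+")

# Assumption: the system root is C:\WINDOWS, as the posted log shows.
EXPECTED_USERINIT = r"c:\windows\system32\userinit.exe"


@dataclass
class Entry:
    code: str  # HijackThis section code, e.g. "O4"
    body: str  # everything after "<code> - "


def parse_log(text: str) -> list[Entry]:
    """Keep only the 'Xn - ...' entry lines; the process list and headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m["code"], m["body"]))
    return entries


def exe_of(cmd: str) -> str:
    """Executable of a command line: the quoted path if quoted, else the first token."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0]


def review(entries: list[Entry]) -> list[tuple[str, str]]:
    """Generic checks; each finding is (section code, message). Not a malware verdict."""
    findings = []
    dll_to_clsids: dict[str, set[str]] = {}
    for e in entries:
        if e.code == "F2" and e.body.startswith("REG:system.ini: UserInit="):
            # Anything besides the stock userinit.exe (extra comma-separated programs
            # included) runs at every logon, so it must be explained.
            value = e.body.split("=", 1)[1]
            parts = [p.strip().lower() for p in value.split(",") if p.strip()]
            if parts != [EXPECTED_USERINIT]:
                findings.append((e.code, f"UserInit is not the stock value: {value}"))
        elif e.code == "O4":
            m = O4_RE.match(e.body)
            if not m:
                continue
            exe = exe_of(m["cmd"])
            if not re.match(r"^[A-Za-z]:\\", exe):
                findings.append((e.code, f"[{m['name']}] runs bare name {exe!r}; it is found via the search path, verify which file that is"))
            elif "~" in exe:
                findings.append((e.code, f"[{m['name']}] uses an 8.3 short path {exe!r}; expand it to see the real folder"))
        elif e.code in ("O2", "O3"):
            clsid = CLSID_RE.search(e.body)
            path = e.body.rsplit(" - ", 1)[-1]
            if clsid:
                dll_to_clsids.setdefault(path.lower(), set()).add(clsid.group().upper())
            if e.code == "O2" and "(no name)" in e.body:
                findings.append((e.code, f"unnamed BHO {path}; identify the vendor before trusting it"))
        elif e.code == "O16":
            url = URL_RE.search(e.body)
            if url:
                findings.append((e.code, f"ActiveX control fetched from {urlsplit(url.group()).hostname}"))
    for path, clsids in dll_to_clsids.items():
        if len(clsids) > 1:
            findings.append(("O2/O3", f"{path} is registered under {len(clsids)} CLSIDs: {', '.join(sorted(clsids))}"))
    return findings


if __name__ == "__main__":
    for code, msg in review(parse_log(SAMPLE_LOG)):
        print(f"{code:6} {msg}")
```

Run it on a full log by replacing SAMPLE_LOG with the file contents; the non-entry lines (process list, "Platform:" header) are ignored by the entry regex. The bare-name and short-path checks are deliberately noisy, since in this log they only point at Lexmark and text-bridge installers, but they are the same shape as the places a real hijack hides, which is why the analyst asks for the full log rather than a filtered one.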
Old 12-01-2005, 12:31 PM   #6 (permalink)
Analyst, Security Team
Join Date: Jun 2005
Posts: 3,065
OS: Windows XP


Please follow
Symantec’s Guide to clean out your Norton quarantine.

Open Microsoft Antispyware
  • Click on Tools, then Spyware Scan, then Manage Spyware Quarantine.
  • Put a checkmark next to each entry present.
  • Select the Permanently remove all checked threats.

Your log appears to be clean. If you still have any problems let me know and we will work on diagnosing those through other means. If not, there are just a few more things to go through to finish this off and help prevent future infections. Please post one more time even if you have no problems so we can mark this thread as resolved.

Disabling the Viewing of Hidden and System Files
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Deselect the Show hidden files and folders option.
  • Select the Hide file extensions for known types option.
  • Select the Hide protected operating system files option.
  • Click Yes to confirm.
  • Click OK.

Setting a new Restore Point
Go to Start >> Run - type control sysdm.cpl,,4 & press Enter.
  • Tick the checkbox - Turn off System Restore on all drives
  • Click Apply
  • Turn it back 'On' by unticking the same checkbox & click OK

Windows Update
Make sure to get the latest updates for Windows and Internet Explorer at Microsoft Update Site.

Prevention
A good virus scanner is a necessity in today's computer environment. Many virus scanners include active components that protect you from infection without even running a scan. Some good free antivirus programs include:
AVG Free
Avast! Home Edition (Antivirus & Firewall)
AntiVir

A firewall is the first line of defense standing between the internet and your computer. Some good free firewalls are:
Zone Alarm
Outpost
Tiny Personal Firewall
Avast! Home Edition (Antivirus & Firewall)

Adaware SE and Spybot SD are a pair of anti-spyware scanners that should be run every week or two. Although there is some overlap, there are many pieces of malware that are caught by one of these and not the other, therefore it is recommended you use both to complement each other. Spybot also contains two other useful pieces. The first is "Immunize"; this helps protect your computer against known exploits. The second is "TeaTimer"; with this feature enabled you will receive notifications of all changes to the registry, such as programs adding themselves to start-up and your default search page being changed.

Spyware Blaster is a powerful tool that prevents "drive-by" downloads and other unwanted installations. It also uses no system resources; run it once and you're all set. Spyware Guard is a realtime protection engine to guard your computer from spyware. This program does for spyware what an antivirus program does for viruses.

IE-Spyad is a program that only needs to be run once to protect you from many malicious sites. It adds domains of known adware companies into the Restricted List of Internet Explorer, preventing them from performing malicious actions on your PC.

The MVPS HOSTS file is a file you can download and use to replace your regular hosts file. It prevents many sites from performing malicious actions by blocking the sites from ever being accessed.

Together these programs form a powerful barrier between the Internet and your computer. However, all the programs stand alone and feel free to eliminate any you are not comfortable with. Any protection you add to your PC is better than no protection at all.

Alternative Programs
Here are some alternatives that are either less susceptible than others to malware or don't contain malware where similar programs do.

Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

Desktop Weather - Free taskbar weather program that is free, malware free, and resource light.

Firefox - This is an increasingly popular alternate browser. Whilst Internet Explorer is not a bad browser, almost every exploit crafted is targeted to take advantage of an IE weakness.

Sun's Java - It's much more secure than Microsoft's Java Virtual Machine.
Vikesrock8411 is offline  
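The MVPS HOSTS file recommendation above works because Windows consults %SystemRoot%\system32\drivers\etc\hosts before asking DNS, so a name mapped to 0.0.0.0 or 127.0.0.1 never reaches the ad or malware host. The script below is an added example (my own code, not from the analyst's post and not the MVPS file) showing how that lookup behaves, including the two things a practitioner should know before "replacing" the file: matching is exact, so an unlisted subdomain is not blocked, and a downloaded list should be merged into your own file rather than dropped over it, taking only sinkhole entries so that a line pointing a name at some other address cannot silently redirect you. All hostnames and addresses in it are constructed (.invalid names) and it never writes to the real hosts file; it assumes Python 3.9 or later.

```python
"""HOSTS-file blocking, as the resolver applies it, plus a safe merge.

Added example, not part of the forum post and not the MVPS file itself.
Every entry below is constructed; nothing is a claim about a real domain.
"""
import os
from urllib.parse import urlsplit

# Where Windows reads the file. This example only builds text and never writes here.
HOSTS_PATH = os.path.join(os.environ.get("SystemRoot", r"C:\WINDOWS"), r"system32\drivers\etc\hosts")

# Addresses a block list points names at: the connection fails or stays on the local machine.
SINKHOLE_ADDRS = {"0.0.0.0", "127.0.0.1"}
# Names that legitimately map to loopback and must not be reported as "blocked".
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

# Constructed stand-in for a downloaded MVPS-style list (not the real file).
SAMPLE_HOSTS = """\
# block list (constructed example)
127.0.0.1       localhost
::1             localhost
0.0.0.0  ads.tracker.example.invalid   # trailing comment
0.0.0.0\tpopups.example.invalid  banner.example.invalid
127.0.0.1 www.dropper.example.invalid
192.168.1.10 intranet.example.invalid   # not a sinkhole: a redirect, not a block
"""


def parse_hosts(text: str) -> dict[str, str]:
    """Map each hostname (lower-cased) to its address; the first entry wins, as in the resolver."""
    table: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        fields = line.split()                  # address, then one or more names
        addr, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def is_blocked(hostname: str, table: dict[str, str]) -> bool:
    """True when the name resolves to a sinkhole address via the HOSTS file.

    Matching is exact: HOSTS has no wildcards, so a subdomain that is not
    listed is not blocked. That is the main limitation of this approach.
    """
    name = hostname.lower().rstrip(".")
    if name in LOOPBACK_NAMES:
        return False
    return table.get(name) in SINKHOLE_ADDRS


def blocked_urls(urls: list[str], table: dict[str, str]) -> list[str]:
    """Which of these URLs would never leave the machine with this HOSTS table."""
    out = []
    for u in urls:
        host = urlsplit(u).hostname
        if host and is_blocked(host, table):
            out.append(u)
    return out


def merge_hosts(existing: str, block_list: str) -> str:
    """Append block-list entries to the user's file without touching names it already defines.

    Only sinkhole entries are copied from the downloaded list: a line that maps a
    name to any other address would redirect traffic rather than block it.
    """
    have = parse_hosts(existing)
    out = [existing.rstrip("\n"), "", "# --- block list entries ---"]
    for raw in block_list.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr = fields[0]
        names = [n for n in fields[1:] if n.lower() not in have]
        if addr in SINKHOLE_ADDRS and names:
            out.append(f"{addr} {' '.join(names)}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    table = parse_hosts(SAMPLE_HOSTS)
    for url in ["http://popups.example.invalid/a", "http://cdn.popups.example.invalid/a"]:
        print(url, "blocked" if blocked_urls([url], table) else "not blocked")
    print(f"would write merged file to {HOSTS_PATH} (not done here)")
```

To apply it for real, read the current file from HOSTS_PATH, pass it with the downloaded list to merge_hosts, and write the result back as an administrator; on XP the DNS Client service caches answers, so `ipconfig /flushdns` makes the new entries take effect immediately.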
Old 12-09-2005, 05:07 PM   #7 (permalink)
Registered User
 
Join Date: Nov 2005
Posts: 29
OS: XP


Thanks for the help! Sorry about taking so long to reply...
Socha_62 is offline  
Copyright 2001 - 2009, Tech Support Forum