MSN Messenger MyAlbum2007.zip


28 replies to this topic

#1 Equestrianism (Member, 27 posts, The Netherlands)
Posted 01 July 2007 - 11:04 AM

First off, the errors I get:
[screenshot]
[screenshot]

More crap I get from that virus, prolly:
[screenshot]
[screenshot]
(I keep on removing it, and it keeps coming back)

[screenshot]
(That keeps on popping up; obviously I'm not going to install it, I use Mozilla Firefox anyway..)

And now the problem: I received a file from an infected person, which I downloaded not being aware of the virus (I usually am aware of dangers though, but the message it sent was so much like him (by luck though, I think) and we were talking about pictures in the previous conversation) and I opened the .zip file... I saw it was a screensaver; since I really didn't trust it this time, I scanned it for viruses with Avast! and Norton AntiVirus, and neither said it contained any viruses. I pressed "test screensaver" and then all hell broke loose.
Suddenly my MSN Messenger sent out all these invites to everybody online to download "MyAlbum2007.zip" as well. Nobody was harmed.. Until 3 o'clock at night I tried to do stuff about it. I ran System Restore (which said nothing changed, so it didn't work), I let Avast! handle it, without success... I looked things up on Google (mostly finding things in French <_<)...

So I woke up today and found this site, with somebody else being infected with all these Trojan horses. Since I'm quite afraid of people finding stuff on my computer I don't want them to find (like Messenger Discovery, which doesn't work anymore now), I did the same thing that was recommended by the mod... Of course that wouldn't help, since the locations and stuff are all different, so I couldn't figure out what to do. So halfway through the process I had to quit... (used topic: http://forum.pirifor...showtopic=10780)

I have "Smitfraudfix", "Trend Micro HijackThis v2.0.0 (BETA)", Avast! Antivirus, ERUNT, Norton AntiVirus, Spybot - Search & Destroy, VundoFix and SDFix...

Currently, retadpu420.exe and the .zip file are gone (which makes the virus useless, but makes it send cancelled invites)...
Here is the HijackThis report when I couldn't continue removing the viruses:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:16:00, on 1-7-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\Arcade\PCMService.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Documents and Settings\x\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\acer\eRecovery\Monitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUMENTS AND SETTINGS\x\MIJN DOCUMENTEN\Mijn downloads\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.woopyland.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [DNA] "C:\Documents and Settings\x\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ShortKeys Lite.lnk = C:\Program Files\shortkey2\SHORTKEY.EXE
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Snelstart HP Image Zone.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Herinneringen van Microsoft Works Agenda.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://ivr.spaces.li...ad/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129539859109
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab57176.cab
O21 - SSODL: system32 - {4A71D09E-028F-4D84-92A2-71C3715C27DA} - sysprinters.dll (file missing)
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 13066 bytes




THE SmitFraudFix FILE DONE BEFORE THE ABOVE SCAN:


SmitFraudFix v2.197

Scan done at 12:12:20,71, zo 01-07-2007
Run from C:\Documents and Settings\x\Bureaublad\SmitfraudFix
OS: Microsoft Windows XP [versie 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\Arcade\PCMService.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Documents and Settings\x\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\acer\eRecovery\Monitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Messenger\msmsgs.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\x


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\x\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\xBO~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="Mijn huidige introductiepagina"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Broadcom 802.11g netwerkadapter - Pakketplanner-minipoort
DNS Server Search Order: 168.95.1.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{13A2B284-8082-429B-9EE6-C11139B28E3E}: DhcpNameServer=168.95.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{13A2B284-8082-429B-9EE6-C11139B28E3E}: DhcpNameServer=168.95.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{13A2B284-8082-429B-9EE6-C11139B28E3E}: DhcpNameServer=168.95.1.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=168.95.1.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=168.95.1.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=168.95.1.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End





According to a French forum (http://www.sur-la-toile.com/viewTopic_70374_5_demande-d'aide-au-virus-msn-album-p.html) it had something to do with this:

Quote

O21 - SSODL: system32 - {4A71D09E-028F-4D84-92A2-71C3715C27DA} - sysprinters.dll (file missing)

I thought so as well, due to the fact it said "(file missing)", but I got confused by the "printers" part, thinking it was something that had to do with my HP printers...

I don't speak a lot of French, nor do I understand it very well... But here's the quote:

Quote

Relaunch HijackThis

Check these lines and then click FIX CHECKED

O21 - SSODL: system32 - {656B8D40-807E-4CAB-8880-69C870CE59C3} - sysprinters.dll (file missing)
-----
Delete if present:
sysprinters.dll ==> in C:\WINDOWS\system32\

I should open HijackThis again, check the line "O21 - SSODL: system32 ....." and use "Fix Checked"... Is that correct?

I really need to get rid of the stupid virus since MSN is my way of communicating with the Belgian owners of a site I work for (hence the Homepage Woopyland >_>) ...

#2 Equestrianism (Member, 27 posts, The Netherlands)

Posted 02 July 2007 - 07:33 PM

Ahh heck! In some strange way I suddenly got "retadpu420.exe" back in my windows directory... I ran another HiJack This scan:


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:32:42, on 2-7-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\Arcade\PCMService.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\retadpu420.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\x\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\acer\eRecovery\Monitor.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\retadpu420.exe
C:\WINDOWS\retadpu420.exe
C:\WINDOWS\retadpu420.exe
C:\WINDOWS\retadpu420.exe
C:\WINDOWS\retadpu420.exe
C:\WINDOWS\retadpu420.exe
C:\WINDOWS\retadpu420.exe
C:\WINDOWS\retadpu420.exe
C:\WINDOWS\retadpu420.exe
C:\WINDOWS\retadpu420.exe
C:\WINDOWS\retadpu420.exe
C:\WINDOWS\retadpu420.exe
C:\Documents and Settings\x\Mijn documenten\Mijn downloads\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.woopyland.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\retadpu420.exe 61A847B5BBF72816309B284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [DNA] "C:\Documents and Settings\x\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ShortKeys Lite.lnk = C:\Program Files\shortkey2\SHORTKEY.EXE
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Snelstart HP Image Zone.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Herinneringen van Microsoft Works Agenda.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://ivr.spaces.li...ad/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129539859109
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab57176.cab
O21 - SSODL: system32 - {4A71D09E-028F-4D84-92A2-71C3715C27DA} - sysprinters.dll (file missing)
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 13542 bytes

#3 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 02 July 2007 - 08:37 PM

Hi Equestrianism

Can you delete the version of SDFix you have now and then download the new version? Delete the sdfix.exe from wherever you saved it to and then delete the C:\SDFix folder.

Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.


#4 OFFLINE   Equestrianism

    Member

  • Members
  • PipPip
  • 27 posts
  • Gender:Male
  • Location:The Netherlands
  • Interests:Too much to mention

Posted 04 July 2007 - 03:16 PM

SDFix: Version 1.89

Run by x on wo 04-07-2007 at 17:06

Microsoft Windows XP [versie 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\retadpu420.exe - Deleted
C:\WINDOWS\system32\sysprinters.dll - Deleted
C:\WINDOWS\wr.txt - Deleted



Removing Temp Files...

ADS Check:

Checking C:\WINDOWS
C:\WINDOWS
No streams found.

Checking C:\WINDOWS\system32
C:\WINDOWS\system32
No streams found.

Checking C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.

Checking C:\WINDOWS\system32\ntoskrnl.exe
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\MSMSGS.EXE"="C:\\Program Files\\Messenger\\MSMSGS.EXE:*:Enabled:Windows Messenger"
"C:\\WINDOWS\\System32\\FXSCLNT.exe"="C:\\WINDOWS\\System32\\FXSCLNT.exe:*:Enabled:Microsoft Fax Console"
"C:\\WINDOWS\\System32\\MSIEXEC.EXE"="C:\\WINDOWS\\System32\\MSIEXEC.EXE:*:Enabled:Windows© installer"
"C:\\Program Files\\MessengerDiscovery\\msgdiscoveryx.exe"="C:\\Program Files\\MessengerDiscovery\\msgdiscoveryx.exe:*:Disabled:MessengerDiscovery the MSN Messenger addon"
"C:\\WINDOWS\\System32\\dplaysvr.exe"="C:\\WINDOWS\\System32\\dplaysvr.exe:*:Enabled:Microsoft DirectPlay Helper"
"C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD"="C:\\Program Files\\Microsoft Games\\Age of Empires II\\EMPIRES2.ICD:*:Enabled:Age of Empires II"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Messenger 8.0 Beta (Phone)"
"C:\\Program Files\\TightVNC\\WinVNC.exe"="C:\\Program Files\\TightVNC\\WinVNC.exe:*:Enabled:TightVNC Win32 Server"
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe"="C:\\WINDOWS\\PCHEALTH\\HELPCTR\\BINARIES\\HelpCtr.exe:*:Enabled:Hulp op afstand - Windows Messenger en spraak"
"C:\\Documents and Settings\\x\\Program Files\\BitTorrent_DNA\\dna.exe"="C:\\Documents and Settings\\x\\Program Files\\BitTorrent_DNA\\dna.exe:*:Enabled:DNA"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Messenger 8.0 Beta (Phone)"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Documents and Settings\x\NetHood\ftp.support.acer-euro.com\Desktop.ini
C:\Documents and Settings\Admin\NetHood\ftp.support.acer-euro.com\Desktop.ini
C:\WINDOWS\system32\NTICDMK7.dll
C:\WINDOWS\system32\NTIMPEG2.dll
C:\WINDOWS\system32\NTIMP3.dll
C:\WINDOWS\system32\NTIFCD3.dll
C:\WINDOWS\system32\NTIBUN4.dll
C:\Program Files\MSN Messenger\VERSION.dll
C:\Program Files\MSN Messenger\WINHTTP.dll
C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
C:\Program Files\MessengerDiscovery\SpellCHK.exe
C:\Documents and Settings\All Users\Documenten\School\Klein\~WRL3977.tmp
C:\Documents and Settings\All Users\Documenten\School\Klein\~WRL3468.tmp
C:\Documents and Settings\All Users\Documenten\School\Klein\~WRL1003.tmp
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
C:\Documents and Settings\x\Mijn documenten\~WRL0321.tmp
C:\Documents and Settings\x\Mijn documenten\~WRL2340.tmp
C:\Documents and Settings\x\Bureaublad\Map + spel + prog\Mappen\School\School\Klein\~WRL3977.tmp
C:\Documents and Settings\x\Bureaublad\Map + spel + prog\Mappen\School\School\Klein\~WRL3468.tmp
C:\Documents and Settings\x\Bureaublad\Map + spel + prog\Mappen\School\School\Klein\~WRL1003.tmp
C:\Documents and Settings\x\Application Data\Microsoft\Word\~WRL1226.tmp
C:\Documents and Settings\x\Application Data\Microsoft\Word\~WRL0264.tmp

Finished
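The SDFix report above shows sysprinters.dll being removed, which is the file the earlier HijackThis log listed as an O21 SSODL entry marked "(file missing)". As an added example that is not part of this thread and not a tool from Trend Micro or the SDFix author, the script below does the two things a helper does by hand with such logs: it flags HijackThis entries on the load points worth a second look (SSODL and SharedTaskScheduler entries, bare DLL names, missing files, services with no named owner), and it diffs a "before" and "after" log so the entries a fix tool removed stand out. The two sample logs are constructed from a handful of the entry lines posted in this thread.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread)."""
import re
from typing import Dict, List, Tuple

# Matches the entry lines a HijackThis log contains, e.g. "O21 - SSODL: ..."
ENTRY_RE = re.compile(r"^(O\d+|R\d|F\d|N\d)\s+-\s+(.*)$")


def parse_entries(log_text: str) -> Dict[str, str]:
    """Return {entry line: section code}; process list and headers are skipped."""
    entries: Dict[str, str] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            entries[line] = m.group(1)
    return entries


def flag_entry(line: str, section: str) -> List[str]:
    """Reasons an entry deserves attention; an empty list means nothing notable."""
    reasons: List[str] = []
    if "(file missing)" in line:
        # A load point whose target is gone (or hidden) is a classic leftover of a trojan.
        reasons.append("references a missing file")
    if section == "O21":
        # ShellServiceObjectDelayLoad is rarely used legitimately beyond the stock shell objects.
        reasons.append("SSODL load point")
    if section in ("O21", "O22"):
        # A bare module name (no drive/path) is resolved via the loader's search path.
        target = line.rsplit(" - ", 1)[-1]
        if "\\" not in target and target.split(" ")[0].lower().endswith(".dll"):
            reasons.append("bare DLL name, no full path")
    if section == "O23" and " - Unknown owner - " in line:
        # HijackThis prints "Unknown owner" when the service binary carries no company name.
        reasons.append("service with unknown owner")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """All flagged entries of one log, each with its reasons."""
    out = []
    for line, section in parse_entries(log_text).items():
        reasons = flag_entry(line, section)
        if reasons:
            out.append((line, reasons))
    return out


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """(removed, added) entry lines between two logs of the same machine."""
    b, a = parse_entries(before), parse_entries(after)
    return sorted(set(b) - set(a)), sorted(set(a) - set(b))


# Constructed sample logs: a few entry lines in the shape of the ones posted above.
BEFORE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Running processes:
C:\WINDOWS\system32\svchost.exe

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O21 - SSODL: system32 - {4A71D09E-028F-4D84-92A2-71C3715C27DA} - sysprinters.dll (file missing)
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Same machine after the fix tool ran: the SSODL entry is gone.
AFTER_LOG = "\n".join(l for l in BEFORE_LOG.splitlines() if not l.startswith("O21")) + "\n"


if __name__ == "__main__":
    for line, reasons in triage(BEFORE_LOG):
        print("FLAG:", line, "->", "; ".join(reasons))
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed:", removed)
    print("added:", added)
```

Run on the two constructed logs it flags only the O21 line (missing file, SSODL load point, bare DLL name) and reports that same line as the one entry removed between the logs. The section rules are deliberately narrow; a helper would still read the whole log, but this catches the pattern that mattered in this thread.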

#5 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 04 July 2007 - 08:22 PM

Cheers Equestrianism

Delete the C:\SDFix folder now, as it contains backups of the trojan files it removed, which are not needed.

Run Kaspersky WebScanner
  • Please go HERE and click Kaspersky Online Scanner
  • Read and Accept the Agreement
  • You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • If you see a Windows dialog asking if you want to install this software, click the Install button.
  • The program will launch and then begin downloading the latest definition files.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
  • Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
  • When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
Please then post back the Kaspersky log and a new HijackThis log.

Thanks

Andy

#6 OFFLINE   Equestrianism

    Member

  • Members
  • PipPip
  • 27 posts
  • Gender:Male
  • Location:The Netherlands
  • Interests:Too much to mention

Posted 04 July 2007 - 10:40 PM

Ahh... Nothing happens when I click on "accept", and I should be going to bed now... I'll try again after I wake up (it's almost 1 o' clock AM here) when the internet isn't as messed up as it is now because of my roommates uploading and downloading stuff...

This is just to notify you that I read your post and will try it as soon as possible.. (I already deleted the folder with SDFIX in it..)

BTW: I'm truly thankful that you guys are helping me out.

#7 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 04 July 2007 - 10:48 PM

Thanks,

If you still have problems, make sure there aren't any pop-up or script blockers enabled. Disable Norton temporarily if you still cannot run the scanner, in case it's interfering. If you're using IE7, also try adjusting the zoom feature if you continue to have problems.

The window may look like this when it opens at 100% on IE7:

Posted Image

If it does, press Ctrl and - and it will zoom out to 90%, and the buttons will then show. Alternatively, click the magnifying glass icon on the bottom right of the status bar and choose Zoom Out from there.

Posted Image

It will then show the Accept and Decline buttons:

Posted Image

If the text size is then too small to see the instructions once the scan has started, press Ctrl and + to zoom back to 100%.

Let us know if you still cannot run it and we can try another scan, but Kaspersky's detection rate is excellent, so it would be useful if it can run to see if there are any remaining problems.

Cheers

Andy

#8 OFFLINE   Equestrianism

    Member

  • Members
  • PipPip
  • 27 posts
  • Gender:Male
  • Location:The Netherlands
  • Interests:Too much to mention

Posted 05 July 2007 - 10:01 AM

Well, I tried it with Internet Explorer and it worked instantly, but nothing happened with Mozilla like I tried at night. I should be going to work soon, so I hope it'll be done quick (updating goes pretty slow... :P).

...

(edit will come when it's done, currently updating is 88%)

Hmm, it took longer than I expected, I should be leaving any minute now... I'd let it run while I'm at work, don't think that can do any harm...



Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 17:30:07, on 5-7-2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Acer\eManager\anbmServ.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Launch Manager\LaunchAp.exe
C:\Program Files\Launch Manager\PowerKey.exe
C:\Program Files\Launch Manager\HotkeyApp.exe
C:\Program Files\Launch Manager\OSDCtrl.exe
C:\Program Files\Launch Manager\Wbutton.exe
C:\acer\epm\epm-dm.exe
C:\Program Files\Arcade\PCMService.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\x\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\acer\eRecovery\Monitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\x\Mijn documenten\Mijn downloads\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.woopyland.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://global.acer.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://global.acer.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koppelingen
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [preload] C:\Windows\RUNXMLPL.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [LaunchAp] "C:\Program Files\Launch Manager\LaunchAp.exe"
O4 - HKLM\..\Run: [PowerKey] "C:\Program Files\Launch Manager\PowerKey.exe"
O4 - HKLM\..\Run: [LManager] "C:\Program Files\Launch Manager\HotkeyApp.exe"
O4 - HKLM\..\Run: [CtrlVol] "C:\Program Files\Launch Manager\CtrlVol.exe"
O4 - HKLM\..\Run: [LMgrOSD] "C:\Program Files\Launch Manager\OSDCtrl.exe"
O4 - HKLM\..\Run: [Wbutton] "C:\Program Files\Launch Manager\Wbutton.exe"
O4 - HKLM\..\Run: [EPM-DM] c:\acer\epm\epm-dm.exe
O4 - HKLM\..\Run: [ePowerManagement] C:\Acer\ePM\ePM.exe boot
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Arcade\PCMService.exe"
O4 - HKLM\..\Run: [eRecoveryService] C:\Windows\System32\Check.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb12.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [WorksFUD] C:\Program Files\Microsoft Works\wkfud.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [DNA] "C:\Documents and Settings\x\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Lokale service')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Netwerkservice')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: ShortKeys Lite.lnk = C:\Program Files\shortkey2\SHORTKEY.EXE
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Snelstart HP Image Zone.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: Herinneringen van Microsoft Works Agenda.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Adobe Reader Snelle start.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineS...er.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://ivr.spaces.li...ad/MsnPUpld.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1129539859109
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zon...ro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab56907.cab
O16 - DPF: {DA758BB1-5F89-4465-975F-8D7179A4BCF3} (WheelofFortune Object) - http://messenger.zon...oF.cab57176.cab
O22 - SharedTaskScheduler: Preloader van browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Cache-daemon voor onderdeelcategorieën - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Notebook Manager Service (anbmService) - OSA Technologies Inc. - C:\Acer\eManager\anbmServ.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: HP Port Resolver - Hewlett-Packard Company - C:\WINDOWS\system32\hpbpro.exe
O23 - Service: HP Status Server - Hewlett-Packard Company - C:\WINDOWS\system32\hpboid.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect-service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: Planner voor Automatische LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe

--
End of file - 12996 bytes

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, July 05, 2007 5:28:11 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 5/07/2007
Kaspersky Anti-Virus database records: 358544
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 81840
Number of viruses found: 9
Number of infected objects: 182 / 0
Number of suspicious objects: 2
Duration of the scan process: 01:52:45

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_6dc.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_464.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-07-05_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\3F616840.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\49266F41.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\5A1168A4.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\60FB4D08.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\34ED22A7.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2A97712B.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\15992BB1.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPHomePageActivity.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\HPPAppActivity.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BackWeblite.zip/backWeb-8876480.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BackWeblite.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Geschiedenis\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Geschiedenis\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\x\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\x\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\x\Local Settings\Temp\~DF651E.tmp Object is locked skipped
C:\Documents and Settings\x\Local Settings\Temp\hpqtra001.log Object is locked skipped
C:\Documents and Settings\x\Local Settings\Geschiedenis\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\x\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.cf8dd223.ini.inuse Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\x\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\x\Mijn documenten\Mijn downloads\SmitfraudFix.zip/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\x\Mijn documenten\Mijn downloads\SmitfraudFix.zip ZIP: infected - 1 skipped
C:\Documents and Settings\x\Bureaublad\Map + spel + prog\Mappen\Zooi\tight vnc.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h skipped
C:\Documents and Settings\x\Bureaublad\Map + spel + prog\Mappen\Zooi\tight vnc.exe/data0003 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
C:\Documents and Settings\x\Bureaublad\Map + spel + prog\Mappen\Zooi\tight vnc.exe Inno: infected - 2 skipped
C:\Documents and Settings\x\Bureaublad\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\x\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\x\Application Data\Symantec\PendingAlertsQueue.log Object is locked skipped
C:\Documents and Settings\x\yhxtqg.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\jkzrji.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\dopqxt.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\x\dopqxt.exe/data.rar/install.exe Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\dopqxt.exe/data.rar Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\dopqxt.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\x\pegqup.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\zourdx.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\geqdgs.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\injayh.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\vlnitp.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\cicgmd.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\jkymhs.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\wqevsy.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\ioizyd.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\tnwcuj.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\raqbvn.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\x\raqbvn.exe/data.rar/install.exe Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\raqbvn.exe/data.rar Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\raqbvn.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\x\zpepzy.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\x\zpepzy.exe/data.rar/install.exe Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\zpepzy.exe/data.rar Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\zpepzy.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\x\dfmvyp.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\x\dfmvyp.exe/data.rar/install.exe Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\dfmvyp.exe/data.rar Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\dfmvyp.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\x\ofnhfd.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\x\ofnhfd.exe/data.rar/install.exe Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\ofnhfd.exe/data.rar Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\ofnhfd.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\x\vhkauz.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\x\vhkauz.exe/data.rar/install.exe Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\vhkauz.exe/data.rar Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\vhkauz.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\x\hcmjqv.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\x\hcmjqv.exe/data.rar/install.exe Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\hcmjqv.exe/data.rar Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\hcmjqv.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\x\wkyrxn.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\hnlbbr.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\x\hnlbbr.exe/data.rar/install.exe Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\hnlbbr.exe/data.rar Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\hnlbbr.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\x\sqtvpw.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\pimpts.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\trrpyl.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\x\trrpyl.exe/data.rar/install.exe Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\trrpyl.exe/data.rar Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\trrpyl.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\x\mahbrj.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\x\mahbrj.exe/data.rar/install.exe Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\mahbrj.exe/data.rar Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\mahbrj.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\x\szzjug.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\x\szzjug.exe/data.rar/install.exe Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\szzjug.exe/data.rar Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\szzjug.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\x\llsjrq.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\pqwqep.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\qqlwte.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\akzvxc.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\syyaid.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\x\syyaid.exe/data.rar/install.exe Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\syyaid.exe/data.rar Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\syyaid.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\x\ptxfuy.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\x\ptxfuy.exe/data.rar/install.exe Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\ptxfuy.exe/data.rar Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\ptxfuy.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\x\fpshtv.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\x\fpshtv.exe/data.rar/install.exe Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\fpshtv.exe/data.rar Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\fpshtv.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\x\jkqvwy.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\x\jkqvwy.exe/data.rar/install.exe Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\jkqvwy.exe/data.rar Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\jkqvwy.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\x\rstcfc.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\x\rstcfc.exe/data.rar/install.exe Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\rstcfc.exe/data.rar Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\rstcfc.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\x\eweero.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\lrjfez.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\x\lrjfez.exe/data.rar/install.exe Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\lrjfez.exe/data.rar Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\lrjfez.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\x\lpwlbc.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\x\lpwlbc.exe/data.rar/install.exe Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\lpwlbc.exe/data.rar Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\lpwlbc.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\x\lblovn.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\x\lblovn.exe/data.rar/install.exe Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\lblovn.exe/data.rar Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\lblovn.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\x\dvjyrl.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\x\dvjyrl.exe/data.rar/install.exe Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\dvjyrl.exe/data.rar Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\dvjyrl.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\x\zocepi.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\x\zocepi.exe/data.rar/install.exe Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\zocepi.exe/data.rar Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\zocepi.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\x\nwzocs.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\ljheez.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\wllvos.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\ognwiq.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\x\ognwiq.exe/data.rar/install.exe Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\ognwiq.exe/data.rar Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\ognwiq.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\x\odkjgm.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\jdbmaw.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\tatqig.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\qamkmc.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\jznxso.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\x\jznxso.exe/data.rar/install.exe Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\jznxso.exe/data.rar Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\jznxso.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\x\juxkkx.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\kzztdc.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\vmjsno.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\sarzog.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\rjexcj.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\txwgmy.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\nejpde.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\x\nejpde.exe/data.rar/install.exe Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\nejpde.exe/data.rar Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\nejpde.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\x\uovudb.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\fxanfz.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\mjxgia.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\x\mjxgia.exe/data.rar/install.exe Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\mjxgia.exe/data.rar Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\mjxgia.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\x\hvzwog.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\fnxmwo.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\gilica.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\krgxsw.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Norton AntiVirus\Savrt342NAV~.TMP Object is locked skipped
C:\Program Files\Norton AntiVirus\Savrt908NAV~.TMP Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Interne bescherming.txt Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP206\A0019692.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP206\A0019695.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP206\A0019696.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP206\A0019697.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP206\A0019698.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP206\A0019699.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP207\A0019755.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP207\A0019765.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP207\A0019798.exe Infected: Trojan.Win32.VB.aqc skipped
C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP207\A0019835.exe Infected: Trojan.Win32.VB.aqc skipped
C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP207\A0019840.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP207\A0019861.exe Infected: Trojan.Win32.VB.aqc skipped
C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP208\A0019873.exe Infected: Trojan.Win32.VB.aqc skipped
C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP208\A0019891.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP208\A0019910.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP208\A0019911.dll Infected: Backdoor.Win32.IRCBot.acd skipped
C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP208\A0019921.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP208\A0019922.dll Infected: Backdoor.Win32.IRCBot.acd skipped
C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP209\change.log Object is locked skipped
C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP205\A0019648.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP205\A0019651.exe Infected: Trojan.Win32.VB.aqc skipped
C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP205\A0019652.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP205\A0019652.exe/data.rar/install.exe Infected: Trojan.Win32.VB.aqc skipped
C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP205\A0019652.exe/data.rar Infected: Trojan.Win32.VB.aqc skipped
C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP205\A0019652.exe RarSFX: infected - 3 skipped
C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP205\A0019658.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP205\A0019659.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP205\A0019660.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP205\A0019661.dll Infected: Backdoor.Win32.IRCBot.acd skipped
C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP205\A0019663.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010002.ci Object is locked skipped
C:\install\install.exe Infected: Trojan.Win32.VB.aqc skipped

Scan process completed.
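The report above is the raw material the helper's reply turns into a deletion list by hand. The following is an added example of my own (not code from the thread, from Kaspersky or from any tool named here): it parses report lines of exactly this shape and sorts each on-disk file into the buckets a cleanup needs, i.e. detections still present on disk, locked in-use system files, items already in Norton's quarantine, System Restore copies, and "not-a-virus" tools that deserve a look rather than blind deletion. The sample lines are a constructed excerpt in the report's format.

```python
"""Triage helper for Kaspersky Online Scanner report lines (added example,
not part of the original thread). Groups the per-object lines by the on-disk
file they belong to and by the action that file calls for."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# One report line reads "<path> <verdict> skipped". The path may contain
# spaces, so the verdict alternatives are spelled out and anchored at the end.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<verdict>Object is locked"
    r"|(?:Infected|Suspicious): (?P<detection>\S+)"
    r"|(?P<archive>\S+): (?:infected|suspicious) - \d+)"
    r" skipped$"
)
RESTORE_PREFIX = r"C:\System Volume Information\_restore"
QUARANTINE_MARK = "\\Quarantine\\"


@dataclass(frozen=True)
class Finding:
    path: str                 # object path as printed, archive members after '/'
    container: str            # on-disk file holding it (text before the first '/')
    kind: str                 # 'locked', 'infected', 'suspicious' or 'archive'
    detection: Optional[str]  # detection name; None for locked objects and archive totals


def parse_line(line: str) -> Optional[Finding]:
    """Parse one report line; None for blanks, headers and the trailer line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, verdict = m.group("path"), m.group("verdict")
    if verdict == "Object is locked":
        kind = "locked"
    elif m.group("archive"):
        kind = "archive"      # e.g. "RarSFX: infected - 3", a per-archive total
    else:
        kind = "infected" if verdict.startswith("Infected") else "suspicious"
    # Windows paths never contain '/', so the first '/' starts the archive member.
    return Finding(path, path.split("/", 1)[0], kind, m.group("detection"))


def container_category(container: str, findings: List[Finding]) -> str:
    """Decide what a cleanup should do with one on-disk file."""
    if all(f.kind == "locked" for f in findings):
        return "locked"         # in-use system files, not detections at all
    if container.startswith(RESTORE_PREFIX):
        return "restore_point"  # gone once the restore points are reset
    if QUARANTINE_MARK in container:
        return "quarantine"     # already isolated by the resident AV
    if not any(f.kind == "infected" for f in findings):
        return "suspicious"     # heuristic only, e.g. a password-protected EXE
    names = [f.detection for f in findings if f.detection]
    if all(n.startswith("not-a-virus:") for n in names):
        return "riskware"       # legitimate tools (VNC, reboot utility): review first
    return "active"             # what belongs on the deletion list


def triage(report: str) -> Dict[str, List[str]]:
    """Group every on-disk file in the report by the action it calls for."""
    per_container: Dict[str, List[Finding]] = defaultdict(list)
    for line in report.splitlines():
        f = parse_line(line)
        if f is not None:
            per_container[f.container].append(f)
    buckets: Dict[str, List[str]] = defaultdict(list)
    for container, findings in per_container.items():
        buckets[container_category(container, findings)].append(container)
    return {k: sorted(v) for k, v in buckets.items()}


def detection_counts(report: str) -> Counter:
    """How often each named detection appears (archive totals carry no name)."""
    return Counter(f.detection for f in map(parse_line, report.splitlines())
                   if f is not None and f.detection)


# Constructed excerpt: a few lines in the exact shape of the report above.
SAMPLE_REPORT = r"""
C:\Documents and Settings\x\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Quarantine\2A97712B.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BackWeblite.zip/backWeb-8876480.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BackWeblite.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\x\yhxtqg.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Documents and Settings\x\dopqxt.exe/data.rar/ghost.exe Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\x\dopqxt.exe/data.rar/install.exe Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\dopqxt.exe/data.rar Infected: Trojan.Win32.VB.aqc skipped
C:\Documents and Settings\x\dopqxt.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\x\Bureaublad\Map + spel + prog\Mappen\Zooi\tight vnc.exe/data0002 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.h skipped
C:\Documents and Settings\x\Bureaublad\Map + spel + prog\Mappen\Zooi\tight vnc.exe Inno: infected - 2 skipped
C:\System Volume Information\_restore{F8EE0AB4-1BD9-4213-9E30-87B5C680D80B}\RP208\A0019911.dll Infected: Backdoor.Win32.IRCBot.acd skipped
C:\install\install.exe Infected: Trojan.Win32.VB.aqc skipped
Scan process completed.
"""

if __name__ == "__main__":
    for bucket, files in triage(SAMPLE_REPORT).items():
        print(f"{bucket}:")
        for path in files:
            print("   ", path)
    print(detection_counts(SAMPLE_REPORT).most_common())
```

The "active" bucket is the list that ends up in a deletion tool; the other buckets explain why the remaining hits in a report like this one need no manual deletion.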

#9 OFFLINE   AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 05 July 2007 - 05:34 PM

Quote

Well, I tried it with Internet Explorer and it worked instantly, but nothing happened with Mozilla like I tried at night.
Yeah, sorry, I should have made that clearer: the scanner only runs with Internet Explorer and it shows that on the scan page, but I'll adjust the Kaspersky instructions to make it clearer next time.

Quote

The Online Scanner service offered by Kaspersky Lab uses Microsoft ActiveX technology. Microsoft ActiveX Technology and the Kaspersky Online Scanner work only with MS Internet Explorer 5.0 or higher.

Run Hijack This and choose Do A System Scan then place a check next to this entry

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Close all open browser and other windows except for HijackThis and press the Fix Checked button

Download Killbox from Here

Click killbox.exe

Select the option "Delete on reboot".

Click the button: All Files (Important!)
Now it should flash green.

Next copy the contents of the code box below to clipboard by left clicking and covering the text then right click inside the highlighted area and choose Copy:

C:\Documents and Settings\Ivar Bouwmeester\yhxtqg.exe
C:\Documents and Settings\Ivar Bouwmeester\jkzrji.exe
C:\Documents and Settings\Ivar Bouwmeester\jkymhs.exe
C:\Documents and Settings\Ivar Bouwmeester\dopqxt.exe
C:\Documents and Settings\Ivar Bouwmeester\pegqup.exe
C:\Documents and Settings\Ivar Bouwmeester\zourdx.exe
C:\Documents and Settings\Ivar Bouwmeester\geqdgs.exe
C:\Documents and Settings\Ivar Bouwmeester\injayh.exe
C:\Documents and Settings\Ivar Bouwmeester\vlnitp.exe
C:\Documents and Settings\Ivar Bouwmeester\wqevsy.exe
C:\Documents and Settings\Ivar Bouwmeester\cicgmd.exe
C:\Documents and Settings\Ivar Bouwmeester\ioizyd.exe
C:\Documents and Settings\Ivar Bouwmeester\tnwcuj.exe
C:\Documents and Settings\Ivar Bouwmeester\raqbvn.exe
C:\Documents and Settings\Ivar Bouwmeester\zpepzy.exe
C:\Documents and Settings\Ivar Bouwmeester\dfmvyp.exe
C:\Documents and Settings\Ivar Bouwmeester\ofnhfd.exe
C:\Documents and Settings\Ivar Bouwmeester\vhkauz.exe
C:\Documents and Settings\Ivar Bouwmeester\hcmjqv.exe
C:\Documents and Settings\Ivar Bouwmeester\wkyrxn.exe
C:\Documents and Settings\Ivar Bouwmeester\hnlbbr.exe
C:\Documents and Settings\Ivar Bouwmeester\sqtvpw.exe
C:\Documents and Settings\Ivar Bouwmeester\pimpts.exe
C:\Documents and Settings\Ivar Bouwmeester\trrpyl.exe
C:\Documents and Settings\Ivar Bouwmeester\mahbrj.exe
C:\Documents and Settings\Ivar Bouwmeester\szzjug.exe
C:\Documents and Settings\Ivar Bouwmeester\llsjrq.exe 
C:\Documents and Settings\Ivar Bouwmeester\pqwqep.exe
C:\Documents and Settings\Ivar Bouwmeester\qqlwte.exe
C:\Documents and Settings\Ivar Bouwmeester\akzvxc.exe
C:\Documents and Settings\Ivar Bouwmeester\syyaid.exe
C:\Documents and Settings\Ivar Bouwmeester\ptxfuy.exe
C:\Documents and Settings\Ivar Bouwmeester\fpshtv.exe
C:\Documents and Settings\Ivar Bouwmeester\jkqvwy.exe
C:\Documents and Settings\Ivar Bouwmeester\rstcfc.exe
C:\Documents and Settings\Ivar Bouwmeester\eweero.exe
C:\Documents and Settings\Ivar Bouwmeester\lrjfez.exe
C:\Documents and Settings\Ivar Bouwmeester\lpwlbc.exe
C:\Documents and Settings\Ivar Bouwmeester\lblovn.exe
C:\Documents and Settings\Ivar Bouwmeester\dvjyrl.exe
C:\Documents and Settings\Ivar Bouwmeester\zocepi.exe
C:\Documents and Settings\Ivar Bouwmeester\nwzocs.exe
C:\Documents and Settings\Ivar Bouwmeester\ljheez.exe
C:\Documents and Settings\Ivar Bouwmeester\wllvos.exe
C:\Documents and Settings\Ivar Bouwmeester\ognwiq.exe
C:\Documents and Settings\Ivar Bouwmeester\jdbmaw.exe
C:\Documents and Settings\Ivar Bouwmeester\tatqig.exe
C:\Documents and Settings\Ivar Bouwmeester\qamkmc.exe
C:\Documents and Settings\Ivar Bouwmeester\jznxso.exe
C:\Documents and Settings\Ivar Bouwmeester\juxkkx.exe
C:\Documents and Settings\Ivar Bouwmeester\kzztdc.exe
C:\Documents and Settings\Ivar Bouwmeester\vmjsno.exe 
C:\Documents and Settings\Ivar Bouwmeester\sarzog.exe
C:\Documents and Settings\Ivar Bouwmeester\rjexcj.exe
C:\Documents and Settings\Ivar Bouwmeester\txwgmy.exe
C:\Documents and Settings\Ivar Bouwmeester\nejpde.exe
C:\Documents and Settings\Ivar Bouwmeester\uovudb.exe
C:\Documents and Settings\Ivar Bouwmeester\fxanfz.exe
C:\Documents and Settings\Ivar Bouwmeester\mjxgia.exe
C:\Documents and Settings\Ivar Bouwmeester\hvzwog.exe
C:\Documents and Settings\Ivar Bouwmeester\fnxmwo.exe
C:\Documents and Settings\Ivar Bouwmeester\gilica.exe
C:\Documents and Settings\Ivar Bouwmeester\krgxsw.exe
C:\install\install.exe

After copying the above text to Clipboard click File on the killbox menu bar and choose Paste From Clipboard

Then press the Delete File button (Red Circle with a White X).
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click YES
If you don't get that message, reboot manually.

Your computer should reboot now.

After reboot, please open the C:\ drive and right-click the !Killbox folder, then click Send To > Compressed (Zipped) Folder, which will make a copy of the folder named C:\!Killbox.zip

Please then visit the below link

http://www.bleepingcomputer.com/submit-mal....php?channel=27

Type files from Ccleaners forum in the link area, then click Browse and locate the C:\Killbox.zip file, then click Send File

You can then delete the C:\!Killbox folder, the C:\!Killbox.zip folder and the C:\install folder

Remove the items in Norton's Quarantine as described Here

Then run CCleaner to clear out the temp folders and then reset your system restore points

Click Start Menu > All Programs > Accessories > System Tools > System Restore

Choose Create a Restore Point then click Next. Name it and click Create, when the confirmation screen shows the restore point has been created click Close.

Next go to Start Menu > Run > type

cleanmgr

Click OK. Disk Cleanup will open and start calculating the amount of space that can be freed. Once that's finished it will open the Disk Cleanup options screen; click the More Options tab, then click Clean up in the System Restore area and choose Yes at the confirmation window, which will remove all the restore points except the one we just created. Then press OK to clear the temp files found in the initial scan and close Disk Cleanup.

Next download AVG Anti-Spyware
  • Load AVG and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Click on the Scanner tab at the top and then click on Complete System Scan
  • AVG will list any infections found on the left, when the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVG will then display "All actions have been applied" on the right.
  • Click on "Save Report", then "Save Report As". This will create a text file which you can then save to the Desktop and post back
Finally download Blacklight beta HERE and save it to your desktop.
Run the program, accept the statement > click Next, then Scan.
When it's finished scanning, exit the program and post back the log if it detects hidden files. The log is called 'fsbl-<date/time>.log' and will save to the same location as the blbeta.exe file.

Post back the AVG log and the Blacklight log if it finds any hidden files and let us know if there's any remaining problems,

Cheers

Andy

#10 Equestrianism

    Member

  • Members
  • 27 posts
  • Gender:Male
  • Location:The Netherlands
  • Interests:Too much to mention

Posted 05 July 2007 - 07:02 PM

When Killbox said the computer should be rebooted and I clicked yes, it started its countdown, but at zero the computer didn't restart but gave this error:

Posted Image

I'm now closing windows manually, hoping that the process will not be interrupted.

EDIT: I'll just continue... It seems I'm fine I guess...

EDIT2: "(...) Type files from Ccleaners forum in the link area (...)" I'm not sure what you want me to do there... and I haven't downloaded CCleaner yet (or is it already a program on my pc?)...

#11 AndyManchesta

    Power Member

  • Spyware Moderators
  • 1,821 posts
  • Gender:Male
  • Location:Manchester. UK
  • Interests:Music, Movies, Website Building & Design, Malware Testing/Research and spending time with friends & family.

Posted 05 July 2007 - 07:57 PM

Killbox uses the PendingFileRename value in the registry to move the files on reboot to the !Killbox folder. With it showing that the PendingFileRename data had been removed, Killbox may have failed to remove the files, so can you check now you have rebooted the PC:

Go to Start > Run > then copy and paste

C:\Documents and Settings\Ivar Bouwmeester\

Press OK to open your profile folder. If all the random-named files listed earlier are still present then please do this below; if the files are all gone then skip this next part and just upload the !Killbox.zip file.

If the random-named files still exist in your profile folder, delete the C:\!Killbox.zip folder (if you created it) as it will not contain any of the files; you can create another zip after following the below steps. Once it's removed, run Killbox again but this time choose Standard File Kill.

Copy all the files from the list in my last post to the clipboard again, then on the Killbox File menu choose Paste From Clipboard; it will then load all the paths into Killbox ready to be removed. Click the delete button (Red Circle with a White X) and Killbox will then ask if you want to create a backup of the file and delete it; choose yes and keep pressing the delete button after each one and confirming that you do want to delete it until all the files in the Killbox list are removed. Killbox will show 'You have not specified any file to delete' when the list is empty and you can then close Killbox.

Quote

EDIT2: "(...) Type files from Ccleaners forum in the link area (...)" I'm not sure what you want me to do there... and I haven't downloaded CCleaner yet (or is it already a program on my pc?)...
When you attempt to upload files at the BleepingComputer site it will ask you to put a link to your topic; the 'files from ccleaners forum' is just a note so I know it's you who uploaded them, but you can put anything in that 'link' area, such as a link to this topic or your name, or just leave it blank. The files will be uploaded on my channel there anyway, so it's fine if you leave that part blank and just upload the folder.

If you have any problems with the above steps or using killbox then just delete all the files in that list from my last post and continue with the other steps

Let me know how it goes

Andy
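
As an added illustration of the mechanism Andy describes above (this is not Killbox's own code and was not posted in this thread): Windows stores delayed moves and deletes in a REG_MULTI_SZ value named PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. The strings come in source/destination pairs, written in the NT form \??\C:\..., where an empty destination means "delete on reboot" and a leading "!" on the destination means the target may be overwritten. The Python below parses that list and reports whether the paths from the Killbox list are still queued, which is exactly the check being asked for here. The sample entries are constructed for the example; read_live_entries uses the standard winreg module and only returns data when run on Windows.

```python
"""Inspect the PendingFileRenameOperations queue that tools like Killbox rely on.

Added example for the thread above; not Killbox's code.  The registry
location and the pair/"!"/empty-string conventions are documented Windows
behaviour (MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT); the sample entries
below are constructed.
"""
from typing import Dict, List, Optional, Tuple

# Where Windows keeps delayed renames/deletes (REG_MULTI_SZ under HKLM).
PENDING_KEY = r"SYSTEM\CurrentControlSet\Control\Session Manager"
PENDING_VALUE = "PendingFileRenameOperations"

# (source path, destination path or None for a delete, replace-existing flag)
Operation = Tuple[str, Optional[str], bool]

# Constructed sample of what the value might hold while Killbox's reboot
# operations are queued: two files moved into C:\!Killbox and one deleted.
SAMPLE_ENTRIES: List[str] = [
    r"\??\C:\Documents and Settings\Ivar Bouwmeester\fpshtv.exe",
    r"!\??\C:\!Killbox\fpshtv.exe",
    r"\??\C:\Documents and Settings\Ivar Bouwmeester\jkqvwy.exe",
    r"!\??\C:\!Killbox\jkqvwy.exe",
    r"\??\C:\install\install.exe",
    "",
]


def strip_nt_prefix(path: str) -> str:
    """Turn the NT object-manager form \\??\\C:\\x into the Win32 form C:\\x."""
    return path[4:] if path.startswith("\\??\\") else path


def parse_pending_operations(entries: List[str]) -> List[Operation]:
    """Pair up the MULTI_SZ strings into (source, destination, replace) tuples."""
    ops: List[Operation] = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        if not src:
            continue  # the empty string that terminates a REG_MULTI_SZ
        replace = dst.startswith("!")
        if replace:
            dst = dst[1:]
        ops.append((strip_nt_prefix(src), strip_nt_prefix(dst) if dst else None, replace))
    return ops


def still_queued(entries: List[str], expected: List[str]) -> Dict[str, bool]:
    """For each path Killbox was told to remove, say whether it is still queued."""
    queued = {src.lower() for src, _, _ in parse_pending_operations(entries)}
    return {p: p.lower() in queued for p in expected}


def read_live_entries() -> Optional[List[str]]:
    """Read the real value on Windows; None elsewhere; [] when nothing is queued."""
    try:
        import winreg
    except ImportError:
        return None  # not running on Windows
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, PENDING_KEY) as key:
            value, kind = winreg.QueryValueEx(key, PENDING_VALUE)
    except OSError:
        return []  # value absent: nothing pending, which is normal after a reboot
    return list(value) if kind == winreg.REG_MULTI_SZ else []


if __name__ == "__main__":
    entries = read_live_entries()
    if entries is None:
        print("Not on Windows; showing the constructed sample instead.")
        entries = SAMPLE_ENTRIES
    for src, dst, replace in parse_pending_operations(entries):
        if dst is None:
            action = "DELETE on reboot"
        else:
            action = "MOVE on reboot -> " + dst + (" (overwrite allowed)" if replace else "")
        print(src + ": " + action)
```

Run it on the affected PC before rebooting to confirm the entries were actually written, or after rebooting to confirm the queue was consumed; an absent value after the reboot is expected, and a path that is neither queued nor present in the profile folder has already been handled.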

#12 Equestrianism

Posted 05 July 2007 - 08:21 PM

Quote

If you have any problems with the above steps or using killbox then just delete all the files in that list from my last post and continue with the other steps

Since I followed your steps, and Killbox didn't do anything when I chose "Paste From Clipboard", I'm just going to continue... Sorry that I can't be much of a help now... I'm sorry. I've deleted the files manually.

edit: According to your quote, it says there are 57 of those random named files and that C:/install/install file, I could only spot 28 of the 57 (deleted those), and I couldn't find the C:/install/install file... Perhaps those are already deleted? Is that possible?

In the !Killbox folder it created when I rebooted my laptop, it does contain the "install.exe" and the *randomA*.exe and *randomA*.exe*randomB* files... Plus a so-called "eweero.exe" and "Logs" folder.... I've lost track of it all seriously... :s

#13 AndyManchesta

Posted 05 July 2007 - 08:28 PM

That's fine,

Delete killbox.exe and the c:\!killbox folder if it's there, as you don't need it now, and post back the logs from the other scanners.

Cheers

#14 AndyManchesta

Posted 05 July 2007 - 08:33 PM

Perhaps Killbox deleted some, or they are set with hidden attributes. You'll have to enable hidden files and folders to check:

Click Start. Go to My Computer then the C:\ drive.
Select the Tools menu from the top bar and click Folder Options. Select the View Tab.
Under the Hidden files and folders heading select "Show hidden files and folders".
UnCheck the "Hide protected operating system files (recommended)" option.

Click Yes to confirm then OK

Set this back once you have checked for the files by opening the same page and pressing the Restore Defaults button then click Apply and OK.

#15 Equestrianism

Posted 05 July 2007 - 08:33 PM

I'll do that immediately.

C:\drive isn't an existing path...

#16 AndyManchesta

Posted 05 July 2007 - 08:37 PM

I'm losing track as well, as you keep editing your posts to add more info :)

Just add a new post each time you reply as it makes it a lot easier to follow,

Zip up the Killbox folder if it has files inside and upload it if you have time; if not then just delete it and killbox.exe. Set Windows to show hidden files and folders as explained in my last post, then make sure there are no more of the random-named files on your system, then continue with the earlier steps and run AVG and Blacklight.

Thanks

#17 Equestrianism

Posted 05 July 2007 - 08:45 PM

AndyManchesta, on Jul 5 2007, 10:37 PM, said:

Zip up the Killbox folder if it has files inside and upload it if you have time; if not then just delete it and killbox.exe. Set Windows to show hidden files and folders as explained in my last post, then make sure there are no more of the random-named files on your system, then continue with the earlier steps and run AVG and Blacklight.

Sorry for the editing, but I'm just used to the rule "double posting is prohibited"...

I see no more of those random.exe files in my C:\Documents and Settings\Ivar Bouwmeester folder anymore... I've deleted the !killbox folder and .zip file after I sent it and I'm going to continue the step-by-step removal you explained a few posts before...

#18 AndyManchesta

Posted 05 July 2007 - 08:54 PM

Post as many times as you want, as it's a lot easier for me to follow than a lot of edits being added to earlier posts; there are no rules here regarding how many posts can be made,

I think we are nearly done, but I just want to make sure there are no hidden files using Blacklight or any remaining trojans found by AVG. If you set Windows to show hidden and system files then you should re-hide them again using the Restore Defaults button.

Cheers for uploading the files. I can see it's over 4MB so it must have been able to delete a lot of them; I'd expect most are identical except for the name, but I'll check them a bit later and send them off to AV vendors if they are not well detected.

Thanks

#19 Equestrianism

Posted 05 July 2007 - 08:55 PM

Can I add you on MSN or something, 'cause I can't seem to figure out what's CCleaner (I confused it with Disc Cleanup, so I used that twice)...

#20 AndyManchesta

Posted 05 July 2007 - 09:00 PM

It's easier to keep it on the forum; just ask if you have any questions

CCleaner is a free program by Piriform for removing temp files from your system and this is the forum of CCleaner :)

If you do not have it installed then download it from Here. When the download page opens scroll down to the center download which is named (CCleaner v1.40.520 - Basic - No Toolbar 629KB) then click Download Now. Run the setup file and press Next, click I Agree on the Licence Agreement then Next again, click Install and then finally click Finish, Run CCleaner and press the Run Cleaner button to remove temp files then exit CCleaner.