MalwareRemoval.com

malware

Post by dray2990 » January 13th, 2008, 5:00 pm

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Video Add-on\icthis.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\PROGRA~1\COMMON~1\AOL\119923~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\119923~1\EE\AOLServiceHost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html ... TP&M=W3503
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html ... TP&M=W3503
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: (no name) - {BA0BACB5-FC95-451E-94D2-4959AB0949D2} - C:\Program Files\Video Add-on\isfmdl.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1199230322\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WorkFlo] E:\Install\WorkFlow.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Video Add-on\icthis.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Documents and Settings\Owner\Start Menu\Programs\Adobe\BigFix\bigfix.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.updatesgate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.updatesgate.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O22 - SharedTaskScheduler: aposiopetic - {91316323-2ad5-4794-9589-52a2eaa60a68} - C:\WINDOWS\system32\shlahsd.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 8047 bytes
dray2990
Active Member
 
Posts: 9
Joined: January 13th, 2008, 4:45 pm

Re: malware

Post by km2357 » January 13th, 2008, 9:51 pm

Hello and welcome to The Malware Removal Forum.

My name is km2357 and I will be helping you to remove any infection(s) that you may have.

Since I am still in training, I have to let experts check the content of my fixes before I post them so please be patient.

I will be giving you a series of instructions that need to be followed in the order in which I give them to you.

If for any reason you do not understand an instruction or are just unsure then please do not guess, simply post back with your questions/concerns and we will go through it again.

Please do not start another thread or topic, I will assist you at this thread until we solve your problems.

Lastly the fix may take several attempts and my replies may take some time but I will stick with it if you do the same.


I will be back as soon as possible with your first instructions!
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: malware

Post by km2357 » January 14th, 2008, 2:34 am

When posting HiJackThis logs from now on, please include the header (the area of text above "Running Processes") of the log. You left it out of your first HJT log. Thanks. :)


Step # 1 Download and run SmitFraudFix

Using one of the links below download SmitfraudFix (by S!Ri) to your Desktop.


http://siri.urz.free.fr/Fix/SmitfraudFix.exe
http://downloads.securitycadets.com/SmitfraudFix.exe


Double-click SmitfraudFix.exe.
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.



Step # 2: Make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, Notepad will open with the contents of that file. Simply copy and paste the contents of that Notepad window here in your next reply.



Step # 3 Post Logs

In your next post/reply, I'd like to see the following:

    1. SmitFraudFix Report
    2. Uninstall List
    3. A fresh HiJackThis Log

If you can't fit all the logs into one post/reply, then use multiple posts/replies to get all the logs in.
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: malware

Post by dray2990 » January 14th, 2008, 10:46 am

SmitFraudFix v2.274

Scan done at 8:45:02.53, Mon 01/14/2008
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Video Add-on\icthis.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\PROGRA~1\COMMON~1\AOL\119923~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\119923~1\EE\AOLServiceHost.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu

C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1

C:\DOCUME~1\Owner\FAVORI~1\Online Security Test.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\Helper\ FOUND !
C:\Program Files\Video Add-on\ FOUND !
C:\Program Files\VirusProtect 3.9\ FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix.exe by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{91316323-2ad5-4794-9589-52a2eaa60a68}"="aposiopetic"

[HKEY_CLASSES_ROOT\CLSID\{91316323-2ad5-4794-9589-52a2eaa60a68}\InProcServer32]
@="C:\WINDOWS\system32\shlahsd.dll"

[HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{91316323-2ad5-4794-9589-52a2eaa60a68}\InProcServer32]
@="C:\WINDOWS\system32\shlahsd.dll"



»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: Realtek RTL8139/810x Family Fast Ethernet NIC - Packet Scheduler Miniport
DNS Server Search Order: 192.168.2.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{AC005FA4-05AD-4020-9888-48F01C2AD19E}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{AC005FA4-05AD-4020-9888-48F01C2AD19E}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{AC005FA4-05AD-4020-9888-48F01C2AD19E}: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.2.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Thanks for your help in advance.
dray2990
Active Member
 
Posts: 9
Joined: January 13th, 2008, 4:45 pm

Re: malware

Post by km2357 » January 14th, 2008, 3:22 pm

I still need to see the Uninstall List and a fresh HiJackThis Log.

Thanks.
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: malware

Post by dray2990 » January 14th, 2008, 3:28 pm

Adobe Flash Player ActiveX
Adobe Reader 7.0
AI RoboForm (All Users)
America Online (Choose which version to remove)
AOL Coach Version 2.0(Build:20041026.5 en)
AOL Connectivity Services
AOL You've Got Pictures Screensaver
ATI Display Driver
avast! Antivirus
BigFix
BroadJump Client Foundation
Browser Address Error Redirector
Digital Media Reader
DVD Solution
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
Hotfix for Windows Media Player 10 (KB903157)
Hotfix for Windows Media Player 10 (KB910393)
Hotfix for Windows XP (KB888795)
Hotfix for Windows XP (KB891593)
Hotfix for Windows XP (KB895961)
Hotfix for Windows XP (KB896256)
Hotfix for Windows XP (KB899337)
Hotfix for Windows XP (KB899510)
Hotfix for Windows XP (KB902841)
Hotfix for Windows XP (KB910728)
Hotfix for Windows XP (KB912024)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB935448)
IE Custom Tools
IE Safety Features
Information Center
J2SE Runtime Environment 5.0 Update 2
Microsoft .NET Framework 1.0 Hotfix (KB930494)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Digital Image Starter Edition 2006
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Standard Edition 2003
Microsoft Works
MSXML 4.0 SP2 (KB936181)
MultiMedia Software
Power2Go 4.0
PowerDVD
QuickTime
RealPlayer Basic
REALTEK GbE & FE Ethernet PCI NIC Driver
Realtek High Definition Audio Driver
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937894)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Soft Data Fax Modem with SmartCP
Sonic Encoders
Update for Windows Media Player 10 (KB913800)
Update for Windows Media Player 10 (KB926251)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Update Rollup 2 for Windows XP Media Center Edition 2005
Viewpoint Media Player
Windows Backup Utility
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Safety Alert
Windows XP Hotfix - KB886185
Windows XP Media Center Edition 2005 KB912067

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:28:04 PM, on 1/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Video Add-on\icthis.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\PROGRA~1\COMMON~1\AOL\119923~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\COMMON~1\AOL\119923~1\EE\AOLServiceHost.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\NOTEPAD.EXE
C:\WINDOWS\system32\spider.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html ... TP&M=W3503
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html ... TP&M=W3503
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: (no name) - {BA0BACB5-FC95-451E-94D2-4959AB0949D2} - C:\Program Files\Video Add-on\isfmdl.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1199230322\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [WorkFlo] E:\Install\WorkFlow.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Video Add-on\icthis.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Documents and Settings\Owner\Start Menu\Programs\Adobe\BigFix\bigfix.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: (no name) - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.updatesgate.com/redirect.php (file missing)
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.updatesgate.com/redirect.php (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O22 - SharedTaskScheduler: aposiopetic - {91316323-2ad5-4794-9589-52a2eaa60a68} - C:\WINDOWS\system32\shlahsd.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 8165 bytes
dray2990
Active Member
 
Posts: 9
Joined: January 13th, 2008, 4:45 pm
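To make explicit what a helper is doing when reading logs like the two posted above, here is a small triage script. It is an added example written for this page, not a tool from the thread, from HijackThis or from SmitFraudFix; the heuristics and the function names (parse_hjt, parse_smitfraud_found, triage) are its own assumptions, and the sample lines are copied from the logs in this thread. It parses the R/F/O entry lines of a HijackThis log, flags the entry types the helper singled out (an autorun under Policies\Explorer\Run, an IE button pointing at a missing file or a remote URL, a SharedTaskScheduler DLL), and cross-references every entry with the directories the SmitFraudFix report marked FOUND.

```python
import re
from collections import OrderedDict

# A HijackThis entry line looks like:
#   O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d{1,2}) - (?P<body>.+)$")
# A SmitFraudFix hit looks like:
#   C:\Program Files\Video Add-on\ FOUND !
FOUND_RE = re.compile(r"^(?P<path>.+?)\s+FOUND !$")


def parse_hjt(text):
    """Return (kind, body) pairs for every R/F/O entry line of a HijackThis log."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def parse_smitfraud_found(text):
    """Return the paths SmitFraudFix marked 'FOUND !', lower-cased, trailing backslash removed."""
    paths = []
    for raw in text.splitlines():
        m = FOUND_RE.match(raw.strip())
        if m:
            paths.append(m.group("path").rstrip("\\").lower())
    return paths


def triage(hjt_text, smitfraud_text):
    r"""Map each HijackThis line worth a second look to the reasons it was flagged.

    The heuristics are this helper's own (hypothetical) and mirror what the
    thread's helper singled out: Policies\Explorer\Run autoruns, IE buttons
    pointing at missing files or remote URLs, SharedTaskScheduler DLLs, and
    anything living in a directory SmitFraudFix already reported.
    """
    found_paths = parse_smitfraud_found(smitfraud_text)
    flagged = OrderedDict()

    def flag(line, reason):
        flagged.setdefault(line, []).append(reason)

    for kind, body in parse_hjt(hjt_text):
        line = f"{kind} - {body}"
        low = body.lower()
        if kind == "O4" and "\\policies\\explorer\\run" in low:
            flag(line, "autorun under Policies\\Explorer\\Run, a key legitimate installers rarely use")
        if kind == "O9" and ("(file missing)" in low or "http://" in low):
            flag(line, "IE button or Tools menu item pointing at a missing file or a remote URL")
        if kind == "O22":
            flag(line, "SharedTaskScheduler DLL is loaded by Explorer at every logon; verify the file")
        for path in found_paths:
            if path in low:
                flag(line, f"references a location SmitFraudFix reported as FOUND: {path}")
    return flagged


# Constructed sample input: a handful of lines copied from the logs in this thread.
SAMPLE_HJT = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BA0BACB5-FC95-451E-94D2-4959AB0949D2} - C:\Program Files\Video Add-on\isfmdl.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Policies\Explorer\Run: [some] C:\Program Files\Video Add-on\icthis.exe
O9 - Extra 'Tools' menuitem: IE Anti-Spyware - {9034A523-D068-4BE8-A284-9DF278BE776E} - http://www.updatesgate.com/redirect.php (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O22 - SharedTaskScheduler: aposiopetic - {91316323-2ad5-4794-9589-52a2eaa60a68} - C:\WINDOWS\system32\shlahsd.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

SAMPLE_SMITFRAUD = r"""
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
C:\Program Files\Helper\ FOUND !
C:\Program Files\Video Add-on\ FOUND !
C:\Program Files\VirusProtect 3.9\ FOUND !
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_HJT, SAMPLE_SMITFRAUD).items():
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Run as-is it prints the four flagged lines with their reasons; replace the two sample strings with full logs to triage a real pair. A flagged line is a prompt to verify the file on disk (publisher, hash, install date), not a verdict: the SmitFraudFix report itself says of its registry sections that "following keys are not inevitably infected".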

Re: malware

Post by km2357 » January 14th, 2008, 8:26 pm

Print out these instructions or save them into a notepad on your desktop, because you will not have internet access while in Safe Mode.



Step # 1 Remove Viewpoint Media Player

You have Viewpoint Media Player installed on your system. This program is not malware but it is foistware in that it is usually installed without the user's knowledge or approval, and for this reason I recommend you remove it. If you actually use this program, I recommend you try using safe and free alternatives such as VLC Media Player.
To remove, open Start->Control Panel->Add/Remove Programs find Viewpoint Media Player and select Remove.



Step # 2 Remove BroadJump Client Foundation

You have Broadjump Client Foundation software installed. This is a memory and resource hog. Please uninstall Broadjump Client Foundation in the Control Panel via Add or Remove programs.



Step # 3: Remove Malicious Programs

Go to Start-Settings-Control Panel, click on Add Remove Programs. If any of the following programs are listed there, click on the program to highlight it, and click on remove. Then close the Control Panel.

    IE Custom Tools

    IE Safety Features

    Information Center

    MultiMedia Software

    Windows Safety Alert



Step # 4 Update Java

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:

  • Download the latest version of Java Runtime Environment (JRE) 6u4.
  • Scroll down to where it says "The Java SE Runtime Environment (JRE) allows end-users to run Java applications.".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Remove the following old versions of Java:
  • J2SE Runtime Environment 5.0 Update 2
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • From your desktop double-click on the download to install the newest version.



Step # 5: Boot into Safe Mode

You can go into Safe Mode by restarting your computer, then continually tapping F8 until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.



Step # 6 Run SmitFraudFix


Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.



Step # 7 Post Logs

In your next post/reply, I'd like to see the following:

    1. SmitFraudFix Report (C:\rapport.txt)
    2. A fresh HiJackThis Log

If you can't fit all the logs into one post/reply, then use multiple posts/replies to get all the logs in.
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: malware

Unread postby dray2990 » January 15th, 2008, 6:34 pm

The computer crashed during this process. I had to go in and reload everything. I got rid of and updated what you suggested. Thanks for your help.
dray2990
Active Member
 
Posts: 9
Joined: January 13th, 2008, 4:45 pm

Re: malware

Unread postby km2357 » January 15th, 2008, 7:54 pm

Do you remember at what step your computer crashed? And I would like for you to post a HiJackThis log for me to look over to make sure there is nothing left over from the infection that was on your computer.
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California

Re: malware

Unread postby dray2990 » January 16th, 2008, 5:40 pm

The computer crashed after deleting the broadjump software.


Logfile of Trend Micro HijackThis v2.0.2

Scan saved at 3:38:09 PM, on 1/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\PROGRA~1\COMMON~1\AOL\120043~1\EE\AOLHOS~1.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\120043~1\EE\AOLServiceHost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\bigfix.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html ... TP&M=W3503
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html ... TP&M=W3503
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1200434113\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Comrade.exe] C:\Program Files\GameSpy\Comrade\Comrade.exe
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 5797 bytes
dray2990
Active Member
 
Posts: 9
Joined: January 13th, 2008, 4:45 pm

Re: malware

Unread postby km2357 » January 16th, 2008, 11:45 pm

I had to go in and reload everything.


What does this mean exactly? Did you have to reformat your Hard Drive and reinstall Windows?



Step # 1 Update Adobe Acrobat Reader

There is a newer version of Adobe Acrobat Reader available. (See Note below)

  • First, go to Add/Remove Programs and uninstall all previous versions.
  • Please go to this link Adobe Acrobat Reader Download Link
  • On the right, untick Adobe Photoshop Album Starter Edition if you do not wish to include this in the installation.
  • Click the Continue button
  • Click Run, and click Run again
  • Next click the Install Now button and follow the on screen prompts

Note: Adobe 8 is a large program and if you prefer a smaller program you can get Foxit 2.0 instead from http://www.foxitsoftware.com/pdf/rd_intro.php



Step # 2: Remove Hijackthis Entries

  • Run HijackThis
  • Click on the Scan button
  • Put a check beside all of the items listed below (if present):

    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
  • Close all open windows and browsers/email, etc...
  • Click on the "Fix Checked" button
  • When completed, close the application.



Step # 3: Run Kaspersky Online Scan
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

Click Accept

You will be prompted to install an ActiveX component from Kaspersky; click Yes.

  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
      • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
      • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK
  • Now under select a target to scan: select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button.
  • Once finished, save the log to your Desktop as filename KAV.txt

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset the zoom to 100%.


Step # 4 Post Logs

In your next post/reply, I'd like to see the following:

    1. Kaspersky Report (KAV.txt)
    2. A fresh HiJackThis Log

If you can't fit all the logs into one post/reply, then use multiple posts/replies to get all the logs in.
km2357
MRU Master
 
Posts: 3007
Joined: January 30th, 2007, 2:48 pm
Location: California
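The helper above picks out one O4 entry (Alcmtr) from the log by eye. As an added example, not HijackThis code and not part of any post in this thread, the script below parses the R1/O2/O4/O23 entry formats seen in the log into records and lists the ones a reviewer should look at first; the sample log and the flagging rules are this example's own constructions.

```python
"""Parse HijackThis log entries into structured records and flag the ones
worth a second look.

Added example for this thread; it is not HijackThis code and not part of
any post here.  The sample below is constructed from the entry formats that
appear in the log above (R1, O2, O4, O23); the flagging rules are this
example's own, not the helper's.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample in the formats seen in the thread's HijackThis log.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""


@dataclass
class Entry:
    section: str                  # "R1", "O2", "O4", "O23", ...
    raw: str
    hive: Optional[str] = None    # O4: HKLM / HKCU / HKUS\<sid> / Global Startup
    name: Optional[str] = None    # O4 value name, BHO name, service display name, R* key
    target: Optional[str] = None  # executable, DLL path or URL
    clsid: Optional[str] = None   # O2 class id
    owner: Optional[str] = None   # O23 vendor string


LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")
O4_RUN_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O4_STARTUP_RE = re.compile(r"^(?P<hive>Global Startup|Startup|User Startup): (?P<name>[^=]+?) = (?P<cmd>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O23_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
R_RE = re.compile(r"^(?P<key>.*?) = (?P<value>.*)$")
EXE_RE = re.compile(r"^(.*?\.(?:exe|com|bat|cmd|scr|pif|dll|vbs|js))(?:\s|$)", re.IGNORECASE)


def command_path(cmd: str) -> str:
    """Return just the executable part of an O4 command line (quotes and arguments dropped)."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def is_bare_filename(path: str) -> bool:
    """True when the target has no directory part, so Windows locates it via the search path."""
    return path.upper() != "NA" and "\\" not in path and "/" not in path


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; returns None for header lines and the running-process list."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    e = Entry(section=sec, raw=line.strip())
    if sec == "O4":
        r = O4_RUN_RE.match(body) or O4_STARTUP_RE.match(body)
        if r:
            e.hive, e.name, e.target = r.group("hive"), r.group("name"), command_path(r.group("cmd"))
    elif sec == "O2":
        r = O2_RE.match(body)
        if r:
            e.name, e.clsid, e.target = r.group("name"), r.group("clsid"), r.group("path")
    elif sec == "O23":
        r = O23_RE.match(body)
        if r:
            e.name, e.owner, e.target = r.group("name"), r.group("owner"), r.group("path")
    elif sec in ("R0", "R1"):
        r = R_RE.match(body)
        if r:
            e.name, e.target = r.group("key"), r.group("value")
    return e


def parse_log(text: str) -> List[Entry]:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e is not None]


def review_candidates(entries: List[Entry]) -> List[Tuple[str, str, str]]:
    """Entries that deserve a manual look before deciding whether to fix them.

    A bare filename in an autostart entry (like ALCMTR.EXE above) does not say
    where the file lives; a service with no vendor string is unverified.
    Neither rule proves malice: RTHDCPL.EXE is the Realtek HD Audio control
    panel and is flagged here too, which is why a human reviews the list.
    """
    found = []
    for e in entries:
        if e.section == "O4" and e.target and is_bare_filename(e.target):
            found.append((e.section, e.name, "autostart target has no path"))
        elif e.section == "O23" and e.owner == "Unknown owner":
            found.append((e.section, e.name, "service has no vendor string"))
    return found


if __name__ == "__main__":
    for sec, name, why in review_candidates(parse_log(SAMPLE_LOG)):
        print(f"{sec:4} {name:20} {why}")
```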

Re: malware

Unread postby dray2990 » January 17th, 2008, 2:53 am

Yes, I had to reinstall Windows, but I did not reformat my hard drive. The program saved a backup of some of the files and programs.
dray2990
Active Member
 
Posts: 9
Joined: January 13th, 2008, 4:45 pm

Re: malware

Unread postby dray2990 » January 17th, 2008, 6:31 pm

Protection
----------
Total scanned: 423323
Detected: 5
Untreated: 5
Start time: 1/17/2008 2:41:01 PM
Duration: 00:00:00
Finish time: 1/17/2008 2:41:01 PM


Detected
--------
Status Object
------ ------
detected: Trojan program Trojan.Java.ClassLoader.ao File: C:\My Backup -- 08-01-15 0121PM\Documents and Settings\Owner\.housecall6.6\Quarantine\1d19b497-28b388c3.bac_a03008//CryptFF.b/BaaaaBaa.class
detected: Trojan program Trojan.Java.ClassLoader.ao File: C:\My Backup -- 08-01-15 0121PM\Documents and Settings\Owner\.housecall6.6\Quarantine\1d19b497-28b388c3.bac_a03008//CryptFF.b/VaaaaaaaBaa.class
detected: Trojan program Trojan.Java.ClassLoader.ao File: C:\My Backup -- 08-01-15 0121PM\Documents and Settings\Owner\.housecall6.6\Quarantine\1d19b497-28b388c3.bac_a03008//CryptFF.b/Baaaaa.class
detected: Trojan program Trojan.Java.ClassLoader.ao File: C:\My Backup -- 08-01-15 0121PM\Documents and Settings\Owner\.housecall6.6\Quarantine\statistic.jar-7ba8ab78-27e5cb3f.zip.bac_a03008//CryptFF.b
detected: adware not-a-virus:AdWare.Win32.Agent.qi File: C:\RECYCLER\S-1-5-21-1534050903-3764960506-3587342584-1006\Dc11.tmp//stream//data0004


Events
------
Time Event
---- -----
1/17/2008 2:41:01 PM The threat signatures are obsolete. Your computer is at risk. You are advised to update the signatures immediately.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\agentins.cab/agentins.ui/images/bg_left_MSC_165x314.gif: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\agentins.cab/agentins.ui/images/icon_info_16x16.gif: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\agentins.cab/agentins.ui/images/icon_mcafee_61x61.gif: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\agentins.cab/agentins.ui/images/icon_progress_checked_13x13.gif: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\agentins.cab/agentins.ui/images/icon_progress_hot_13x13.gif: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\agentins.cab/agentins.ui/images/icon_progress_unchecked_13x13.gif: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\agentins.cab/agentins.ui/InstUtil.vbs: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\agentins.cab/agentins.ui/instwiz.css: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\agentins.cab/agentins.ui/instxp.css: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\agentins.cab/agentins.ui/mcccom.lpk: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\agentins.cab/agentins.ui/pbar.vbs: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\agentins.cab/agentins.ui/setcss.vbs: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\agentins.cab/agentins.ui/SubInfoData.vbs: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\vsoins.cab/vsoins.ui/common_utils.js: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\vsoins.cab/vsoins.ui/countries.js: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\vsoins.cab/vsoins.ui/default.htm: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\vsoins.cab/vsoins.ui/default.vbs: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\vsoins.cab/vsoins.ui/HtmlUtil.vbs: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\vsoins.cab/vsoins.ui/install.htm: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\vsoins.cab/vsoins.ui/install.vbs: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\vsoins.cab/vsoins.ui/instwiz.css: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\vsoins.cab/vsoins.ui/instxp.css: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\vsoins.cab/vsoins.ui/lang_common.vbs: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\vsoins.cab/vsoins.ui/mcccom.lpk: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\vsoins.cab/vsoins.ui/pbar.vbs: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\vsoins.cab/vsoins.ui/setcss.vbs: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\vsoins.cab/vsoins.ui/strids_brandables.js: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\vsoins.cab/vsoins.ui/strids_common.js: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\vsoins.cab/vsoins.ui/strids_vsinstaller.js: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\vsoins.cab/vsoins.ui/vmap_reporting.css: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\vsoins.cab/vsoins.ui/VsoConst.vbs: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\vsoins.cab/vsoins.ui/vsoins.ini: is password protected.
1/17/2008 3:23:40 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1B.tmp\vsoins.cab/vsoins.ui/VSOPropConst.vbs: is password protected.
1/17/2008 3:23:50 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\agentins.cab/agentins.ui/agentins.ini: is password protected.
1/17/2008 3:23:50 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\agentins.cab/agentins.ui/agntcons.vbs: is password protected.
1/17/2008 3:23:50 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\agentins.cab/agentins.ui/agntinst.htm: is password protected.
1/17/2008 3:23:50 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\agentins.cab/agentins.ui/agntinst.vbs: is password protected.
1/17/2008 3:23:50 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\agentins.cab/agentins.ui/agntlang.vbs: is password protected.
1/17/2008 3:23:50 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\agentins.cab/agentins.ui/default.htm: is password protected.
1/17/2008 3:23:50 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\agentins.cab/agentins.ui/header.vbs: is password protected.
1/17/2008 3:23:50 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\agentins.cab/agentins.ui/HtmlUtil.vbs: is password protected.
1/17/2008 3:23:50 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\agentins.cab/agentins.ui/images/bg_left_1x314.gif: is password protected.
1/17/2008 3:23:50 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\agentins.cab/agentins.ui/images/bg_left_MSC_165x314.gif: is password protected.
1/17/2008 3:23:50 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\agentins.cab/agentins.ui/images/icon_info_16x16.gif: is password protected.
1/17/2008 3:23:50 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\agentins.cab/agentins.ui/images/icon_mcafee_61x61.gif: is password protected.
1/17/2008 3:23:50 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\agentins.cab/agentins.ui/images/icon_progress_checked_13x13.gif: is password protected.
1/17/2008 3:23:50 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\agentins.cab/agentins.ui/images/icon_progress_hot_13x13.gif: is password protected.
1/17/2008 3:23:50 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\agentins.cab/agentins.ui/images/icon_progress_unchecked_13x13.gif: is password protected.
1/17/2008 3:23:50 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\agentins.cab/agentins.ui/InstUtil.vbs: is password protected.
1/17/2008 3:23:50 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\agentins.cab/agentins.ui/instwiz.css: is password protected.
1/17/2008 3:23:50 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\agentins.cab/agentins.ui/instxp.css: is password protected.
1/17/2008 3:23:50 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\agentins.cab/agentins.ui/mcccom.lpk: is password protected.
1/17/2008 3:23:50 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\agentins.cab/agentins.ui/pbar.vbs: is password protected.
1/17/2008 3:23:50 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\agentins.cab/agentins.ui/setcss.vbs: is password protected.
1/17/2008 3:23:50 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\agentins.cab/agentins.ui/SubInfoData.vbs: is password protected.
1/17/2008 3:23:51 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\vsoins.cab/vsoins.ui/common_utils.js: is password protected.
1/17/2008 3:23:51 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\vsoins.cab/vsoins.ui/countries.js: is password protected.
1/17/2008 3:23:51 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\vsoins.cab/vsoins.ui/default.htm: is password protected.
1/17/2008 3:23:51 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\vsoins.cab/vsoins.ui/default.vbs: is password protected.
1/17/2008 3:23:51 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\vsoins.cab/vsoins.ui/HtmlUtil.vbs: is password protected.
1/17/2008 3:23:51 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\vsoins.cab/vsoins.ui/install.htm: is password protected.
1/17/2008 3:23:51 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\vsoins.cab/vsoins.ui/install.vbs: is password protected.
1/17/2008 3:23:51 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\vsoins.cab/vsoins.ui/instwiz.css: is password protected.
1/17/2008 3:23:51 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\vsoins.cab/vsoins.ui/instxp.css: is password protected.
1/17/2008 3:23:51 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\vsoins.cab/vsoins.ui/lang_common.vbs: is password protected.
1/17/2008 3:23:51 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\vsoins.cab/vsoins.ui/mcccom.lpk: is password protected.
1/17/2008 3:23:51 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\vsoins.cab/vsoins.ui/pbar.vbs: is password protected.
1/17/2008 3:23:51 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\vsoins.cab/vsoins.ui/setcss.vbs: is password protected.
1/17/2008 3:23:51 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\vsoins.cab/vsoins.ui/strids_brandables.js: is password protected.
1/17/2008 3:23:51 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\vsoins.cab/vsoins.ui/strids_common.js: is password protected.
1/17/2008 3:23:51 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\vsoins.cab/vsoins.ui/strids_vsinstaller.js: is password protected.
1/17/2008 3:23:51 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\vsoins.cab/vsoins.ui/vmap_reporting.css: is password protected.
1/17/2008 3:23:51 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\vsoins.cab/vsoins.ui/VsoConst.vbs: is password protected.
1/17/2008 3:23:51 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\vsoins.cab/vsoins.ui/vsoins.ini: is password protected.
1/17/2008 3:23:51 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu1C.tmp\vsoins.cab/vsoins.ui/VSOPropConst.vbs: is password protected.
1/17/2008 3:23:54 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcu7.tmp\mskf.cfu/update.sku: is password protected.
1/17/2008 3:23:55 PM File C:\My Backup -- 08-01-01 0255PM\WINDOWS\Temp\mcuB.tmp\mskf.cfu/update.sku: is password protected.
1/17/2008 3:24:44 PM File C:\My Backup -- 08-01-15 0121PM\Documents and Settings\Owner\.housecall6.6\Quarantine\1d19b497-28b388c3.bac_a03008//CryptFF.b/BaaaaBaa.class: detected Trojan program 'Trojan.Java.ClassLoader.ao'.
1/17/2008 3:24:44 PM Security threats have been detected. You are advised to neutralize them immediately.
1/17/2008 3:24:44 PM File C:\My Backup -- 08-01-15 0121PM\Documents and Settings\Owner\.housecall6.6\Quarantine\1d19b497-28b388c3.bac_a03008//CryptFF.b/BaaaaBaa.class: is still infected, postponed.
1/17/2008 3:24:44 PM File C:\My Backup -- 08-01-15 0121PM\Documents and Settings\Owner\.housecall6.6\Quarantine\1d19b497-28b388c3.bac_a03008//CryptFF.b/VaaaaaaaBaa.class: detected Trojan program 'Trojan.Java.ClassLoader.ao'.
1/17/2008 3:24:44 PM File C:\My Backup -- 08-01-15 0121PM\Documents and Settings\Owner\.housecall6.6\Quarantine\1d19b497-28b388c3.bac_a03008//CryptFF.b/Baaaaa.class: detected Trojan program 'Trojan.Java.ClassLoader.ao'.
1/17/2008 3:24:44 PM File C:\My Backup -- 08-01-15 0121PM\Documents and Settings\Owner\.housecall6.6\Quarantine\statistic.jar-7ba8ab78-27e5cb3f.zip.bac_a03008//CryptFF.b: detected Trojan program 'Trojan.Java.ClassLoader.ao'.
1/17/2008 4:09:58 PM File C:\RECYCLER\S-1-5-21-1534050903-3764960506-3587342584-1006\Dc11.tmp//stream//data0004: detected adware 'not-a-virus:AdWare.Win32.Agent.qi'.
1/17/2008 4:09:58 PM File C:\RECYCLER\S-1-5-21-1534050903-3764960506-3587342584-1006\Dc11.tmp//stream//data0004: is still infected, postponed.
1/17/2008 4:20:22 PM File c:\my backup -- 08-01-15 0121pm\documents and settings\owner\.housecall6.6\quarantine\1d19b497-28b388c3.bac_a03008//CryptFF.b/BaaaaBaa.class: detected Trojan program 'Trojan.Java.ClassLoader.ao'.


Reports
-------
Component Status Start Finish Size
--------- ------ ----- ------ ----
Scan running 1/17/2008 2:41:49 PM 91.6 MB
Scan startup objects completed 1/17/2008 2:43:15 PM 1/17/2008 2:53:28 PM 397.3 KB


Quarantine
----------
Status Object Size Added
------ ------ ---- -----


Backup
------
Status Object Size
------ ------ ----

Re: malware

Post by dray2990 » January 17th, 2008, 6:31 pm

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:28:53 PM, on 1/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\AOL\120043~1\EE\AOLHOS~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe
C:\PROGRA~1\COMMON~1\AOL\120043~1\EE\AOLServiceHost.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.gateway.com/g/sidepanel.html ... TP&M=W3503
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.gateway.com/g/sidepanel.html ... TP&M=W3503
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {724d43a9-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &RoboForm - {724d43a0-0d85-11d4-9908-00400523e39a} - C:\Program Files\Siber Systems\AI RoboForm\roboform.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1200434113\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Comrade.exe] C:\Program Files\GameSpy\Comrade\Comrade.exe
O4 - HKCU\..\Run: [RoboForm] "C:\Program Files\Siber Systems\AI RoboForm\RoboTaskBarIcon.exe"
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O8 - Extra context menu item: Customize Menu - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComCustomizeIEMenu.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Fill Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O8 - Extra context menu item: RoboForm Toolbar - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O8 - Extra context menu item: Save Forms - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RoboForm Toolbar - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 8169 bytes

Re: malware

Post by km2357 » January 18th, 2008, 5:03 am

I need you to empty the following folder of its contents; do not delete the folder itself:

C:\My Backup -- 08-01-15 0121PM\Documents and Settings\Owner\.housecall6.6\Quarantine\

Empty your Recycle Bin.


Please take the time to read my All Clean Post.


Please follow these simple steps in order to keep your computer clean and secure:
  • This is a good time to clear your existing system restore points and establish a new clean restore point:
    • Go to Start > All Programs > Accessories > System Tools > System Restore
    • Select Create a restore point, and Ok it.
    • Next, go to Start > Run and type in cleanmgr
    • Select the More options tab
    • Choose the option to clean up system restore and OK it.
    • This will remove all restore points except the new one you just created.

    Clearing your restore points is not something you should do on a regular basis. Normally, this process only needs to be done after clearing out an infestation of malware.

  • Make your Internet Explorer more secure. This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialize and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub frames across different domains to Prompt
    5. When all these settings have been made, click on the OK button.
    6. If it asks you if you want to save the settings, press the Yes button.
    7. Next press the Apply button and then the OK to exit the Internet Properties page.
    Set correct settings for files that should be hidden in Windows XP:
    • Click Start > My Computer > Tools menu (at top of page) > Folder Options > View tab.
    • Under "Hidden files and folders", if necessary select Do not show hidden files and folders.
    • If unchecked, please check Hide protected operating system files (Recommended).
    • If necessary, check "Display content of system folders".
    • If necessary, uncheck Hide file extensions for known file types.
    • Click OK.
  • Use Antivirus Software and Keep It Updated - It is very important that your computer has antivirus software running on it. This alone can save you a lot of trouble with malware in the future. It is imperative that you update your antivirus software at least once a day. If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.
  • Visit Microsoft's Windows Update Site Frequently - It is important that you visit Microsoft Windows Update regularly. This will ensure your computer has the latest security updates available installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • You should scan your computer with Spybot S&D on a regular basis, just as you would with anti-virus software. A tutorial on installing & using this product can be found here:
    Using Spybot - Search & Destroy to remove Spyware from Your Computer
  • Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. An article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line Anti Malware
  • Use the hosts file: Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate web pages. We can customize a hosts file so that it blocks certain web pages. However, it can slow down certain computers. This is why using a hosts file is optional. Download the mvps hosts file. Make sure you read the instructions on how to install the hosts file. There is a good tutorial HERE. If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
    1. Click the Start button on the task bar at the bottom of your screen.
    2. Click Run.
    3. In the dialog box, type services.msc.
    4. Hit Enter, then locate DNS Client.
    5. Highlight it, then double-click it.
    6. In the dropdown box, change the setting from Automatic to Manual.
    7. Click OK.
  • Use an alternative instant messenger program: Trillian and Miranda IM. These are malware-free instant messenger programs which allow you to connect to multiple IM services (AOL, Yahoo, ICQ, IRC, MSN) in one program!
  • Please read Tony Klein's excellent article: How I got Infected in the First Place
  • Please read Understanding Spyware, Browser Hijackers, and Dialers
  • Please read Simple and easy ways to keep your computer safe and secure on the Internet
  • If you are using Internet Explorer, please consider using an alternate browser: Mozilla's Firefox or Opera.
    If you decide to use either Firefox or Opera, it is very important that you keep them up to date and check frequently for updates of the browser of your choice.
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  • If your computer was infected by a website, a program, IM, MSN, or p2p, check this site because it is Time To Fight Back.
Follow these steps and your potential for being infected again will reduce dramatically.

Here's a good website to read about Malware prevention:

http://users.telenet.be/bluepatchy/miek ... ntion.html

Good luck!


Please reply one last time so that I know you have read my post and this thread can be closed.
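The Internet Explorer zone settings and the Folder Options changes km2357 walks through above are GUI front-ends for a handful of DWORD values under HKCU, which makes them easy to audit after the fact instead of re-clicking through the dialogs. The script below is an added example, not code from the original post or from MalwareRemoval.com: it parses a `reg export` of the two keys, flags every value that differs from the recommended setting, and emits a .reg fragment that sets only the flagged values. The value-number-to-setting mapping (1001, 1004, 1201, 1607, 1800, 1804; 0 = Enable, 1 = Prompt, 3 = Disable) is Microsoft's documented numbering for the `Zones\<n>` keys; the sample export is constructed, the HKLM mirror of the zone settings and the "Display content of system folders" option are not covered, and the function and file names are my own.

```python
"""Audit a .reg export against the IE Internet-zone and Explorer hidden-file
settings recommended in the post (added example; sample input is constructed)."""
import re

# Keys the GUI steps write to. HKCU only; the HKLM mirror is not checked here.
ZONE3 = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ADVANCED = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"

# Internet-zone URL actions (Microsoft's documented numbering for Zones\<n>):
# 0 = Enable, 1 = Prompt, 3 = Disable.
EXPECTED = {
    ZONE3: {
        "1001": ("Download signed ActiveX controls", 1),
        "1004": ("Download unsigned ActiveX controls", 3),
        "1201": ("Initialize and script ActiveX controls not marked as safe", 3),
        "1800": ("Installation of desktop items", 1),
        "1804": ("Launching programs and files in an IFRAME", 1),
        "1607": ("Navigate sub-frames across different domains", 1),
    },
    # Folder Options: Hidden 2 = do not show hidden files, ShowSuperHidden 0 =
    # hide protected OS files, HideFileExt 0 = show extensions of known types.
    ADVANCED: {
        "Hidden": ("Do not show hidden files and folders", 2),
        "ShowSuperHidden": ("Hide protected operating system files", 0),
        "HideFileExt": ("Show file extensions for known file types", 0),
    },
}

_KEY_RE = re.compile(r"^\[([^\]]+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def parse_reg(text):
    """Return {key_path: {value_name: int}} for the DWORD values in a .reg export.
    String/binary values are ignored; only DWORDs matter for this audit. A key
    listed twice is merged, later values overriding earlier ones."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _DWORD_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def load_reg(path):
    """reg.exe writes .reg files as UTF-16 with a BOM; decode accordingly."""
    with open(path, encoding="utf-16") as fh:
        return fh.read()


def audit(text):
    """Return [(key, value_name, description, found, expected)] for every
    recommended value that is absent or differs. found is None when the value
    is not in the export (the zone template / Explorer default then applies)."""
    keys = {k.lower(): {n.lower(): v for n, v in vals.items()}
            for k, vals in parse_reg(text).items()}
    findings = []
    for key, wanted in EXPECTED.items():
        present = keys.get(key.lower(), {})
        for name, (desc, want) in wanted.items():
            got = present.get(name.lower())
            if got != want:
                findings.append((key, name, desc, got, want))
    return findings


def render_fix(findings):
    """Emit a .reg fragment that sets each flagged value to the recommended one
    (apply with `reg import fix.reg`, then restart Explorer and IE)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    by_key = {}
    for key, name, _desc, _got, want in findings:
        by_key.setdefault(key, []).append((name, want))
    for key, values in by_key.items():
        lines.append(f"[{key}]")
        lines.extend(f'"{name}"=dword:{want:08x}' for name, want in values)
        lines.append("")
    return "\n".join(lines)


# Constructed sample export: hidden files were switched on for cleanup and the
# Internet zone still allows signed ActiveX downloads and desktop items.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"DisplayName"="Internet"
"CurrentLevel"=dword:00011000
"1001"=dword:00000000
"1004"=dword:00000003
"1201"=dword:00000003
"1607"=dword:00000000
"1800"=dword:00000000
"1804"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"ShowSuperHidden"=dword:00000001
"HideFileExt"=dword:00000001
"""

if __name__ == "__main__":
    for _key, name, desc, got, want in audit(SAMPLE_REG):
        print(f"{name:16} {desc}: found {got}, want {want}")
    print(render_fix(audit(SAMPLE_REG)))
```

To audit a real machine, run `reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3" zone3.reg` (and the same for the `Explorer\Advanced` key), then pass the text from `load_reg` to `audit`. A value reported with `found=None` is not set in the export, so the zone template default applies; treat that as unverified rather than as safe.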