MalwareRemoval.com

HJT log pls help

Post by steve67474 » March 21st, 2006, 8:41 am

Hi, experts, I have just been around to a family member's computer to try to clean up his machine. I ran Kaspersky with the latest updates and it found 176 viruses!! but could not clean all of them. I then ran EWIDO with the latest updates and it cleaned 206 malware but again there are still some showing on bootup. I ran HijackThis and here is the log. Could anybody please help to clean off these critters. Much appreciated.

Regards Steve

Logfile of HijackThis v1.99.1
Scan saved at 11:31:45, on 21/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\TCM\TCM Mouse Only\MouseDrv.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Documents and Settings\All Users\Documents\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\windows\mousepad4.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Ahead\Nero BackItUp\NBJ.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\wmplayer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Hyjackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - blank (file missing)
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [adiras] adiras.exe
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\2\printray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [WireLessMouse] C:\Program Files\TCM\TCM Mouse Only\MouseDrv.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Documents and Settings\All Users\Documents\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard4.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad4.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname4.exe
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [wmplayer] p2pnetworking.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [wmplayer] p2pnetworking.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: wmplayer.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE97A420-5821-4027-A895-C25E13EDA91C}: NameServer = 80.225.252.178 80.225.252.186
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\o648lghu1648.dll
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Um9iZXJ0\command.exe (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
steve67474
Regular Member
Posts: 30
Joined: December 26th, 2005, 7:42 am

Post by Gary R » March 21st, 2006, 12:28 pm

Beat Amateur to the punch here, but as she's already worked hard on this one, I've withdrawn.
Last edited by Gary R on March 23rd, 2006, 4:39 pm, edited 3 times in total.
Gary R
Administrator
Posts: 21782
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Post by amateur » March 21st, 2006, 12:31 pm

Hi Steve67474, :)

Welcome to MWR. You have quite a collection in there. :shock:

Please go to Start>Control Panel>Add/Remove Programs and remove the following programs, if there:

VCClient
Surfsidekick
p2p networking


==================

Next, download FixSSK.reg to the Desktop
Do not do anything with it yet.

==================

Download ATF Cleaner by Atribune and save it to your Desktop.

=================

Before proceeding, please disable Ewido Guard as it will interfere with the fix.

1. Open Ewido by double-clicking the yellow 'E' icon in the system tray.
2. In the 'Your security status' section, toggle the Ewido Guard realtime protection 'off' by clicking 'active' which will then change the protection status to 'inactive'.
3. When you reboot, Ewido will prompt you as to whether you would like to "Restart the guard?".
4. Reply 'no' and set it to 'inactive' for the duration of your cleanup.

====================

  • Download Brute Force Uninstaller.
  • Unzip it to a folder of its own (c:\BFU).
  • Read here how to unzip/extract properly:
    http://metallica.geekstogo.com/xpcompressedexplanation.html
  • RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra Remover.
    Save it in the folder you made earlier (c:\BFU).

Open My Computer and navigate to the c:\BFU folder. Start the Brute Force Uninstaller by double-clicking BFU.exe

In the "scriptline to execute" field copy and paste c:\bfu\p2pnetwork.bfu
Press execute and let it do its job.

  • Wait for the complete script execution box to pop up and press OK.

  • Again, double-click the BFU.exe in BFU. Click the "Web-button".
    Where it says: 'Please enter the full URL to the script you want to execute'
    Copy and paste:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok
Then click execute in Brute Force Uninstaller.

Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.

If you have any questions about the use of BFU please read here:
http://metallica.geekstogo.com/BFUinstructions.html

===============================

Download and run CWShredder 2.19
http://www.intermute.com/spysubtract/cw...nload.html
http://www.trendmicro.com/cwshredder/

Launch the executable and then click "Check for Update"
Download and install any updates.
Now, close any open windows except for CWShredder and then click "Fix ->"
It should take about a minute to run, then click "Next ->" You'll see three lines starting with "Restoring" to let you know the scan is finished.

===========================

Now Click Start>Run and Copy&Paste the command below into the Open box, and Click OK! If you get an error message ignore it and go to the next line.

sc delete cmdService

Do the same for:

sc delete Network Monitor

===========================

  • Close all open Explorer windows and browsers
  • Run HijackThis
  • Click on the Scan button and when complete
  • Put a check beside all of the items listed below
  • Click on the "Fix Checked" button
  • When complete and all files removed, close the application.
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard4.exe
O4 - HKLM\..\Run: [mousepad] C:\windows\mousepad4.exe
O4 - HKLM\..\Run: [newname] C:\windows\newname4.exe
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\Run: [wmplayer] p2pnetworking.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [winlog] winlog.exe
O4 - HKCU\..\Run: [CU1] C:\Program Files\Common Files\VCClient\VCClient.exe
O4 - HKCU\..\Run: [CU2] C:\Program Files\Common Files\VCClient\VCMain.exe
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\
O20 - Winlogon Notify: WindowsUpdate - C:\WINDOWS\
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Um9iZXJ0\command.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

===============================

Make sure that you can see hidden files
  • Click Start
  • Open My Computer
  • Select the Tools menu and click Folder Options
  • Select the View Tab
  • Under the Hidden files and folders heading select Show hidden files and folders
  • Uncheck the Hide protected operating system files (recommended) option
  • Click Yes to confirm
  • Click OK

==========================

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.
Look in here for more information.

==========================

Delete the following files and folders, using Windows Explorer, if found:

C:\windows\keyboard4.exe
C:\windows\mousepad4.exe
C:\windows\newname4.exe

C:\WINDOWS\Um9iZXJ0
C:\Program Files\SurfSideKick 3
C:\Program Files\Common Files\VCClient
C:\Program Files\Network Monitor

Search and delete the following files, using Windows XP Search function, if found.

winlog.exe
p2pnetworking.exe
Ssk.dll
Sskknwrd.dll
Ssk.log
SskUpdater.exe

=======================

Double-click on FixSSK.reg (downloaded earlier)
Agree to merge the data.

=======================

Double click ATF-Cleaner.exe to run the program.
Check the boxes to the left of:

Windows Temp
Current User Temp
All Users Temp
Temporary Internet Files
Prefetch
Java Cache

The rest are optional - if you want to remove the lot, check "Select All".

Finally click Empty Selected. When you get the "Done Cleaning" message, click OK.

If you use the Firefox or Opera browsers, you can use this program as a quick way to tidy those up as well.

Firefox :
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Opera :
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

When you have finished, click on the Exit button in the Main menu.

For Technical Support, double-click the e-mail address located at the bottom of each menu

===========================

Reboot your computer in Normal Mode.

===========================

Click here to download Look2Me-Destroyer.exe and save it to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If Look2Me-Destroyer does not reopen automatically, reboot and try again.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX

==============================

Download WebRoot SpySweeper from here (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, Click "Next"
    • Choose "Custom" click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Shields on the left.
  • Click Internet Explorer and uncheck all items.
  • Click Windows System and uncheck all items.
  • Click Startup Programs and uncheck all items.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.
  • After Spysweeper has finished and removed any items found, reboot your computer right away to ensure the infection is fully removed

=========================

Scan with HijackThis and post a new log along with Spysweeper log and L2Me-Destroyer text, please.
amateur
MRU Master
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA
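The indicators behind the "Fix Checked" list above (a search page redirected to an unknown host, a Run or RunServices value that names an executable with no path, a Winlogon Notify entry whose target is a bare directory, a service with an unknown owner and a missing binary) can be applied mechanically to a HijackThis log. The script below is an added example written for this thread, not a tool from MalwareRemoval.com or from the HijackThis project; the allow-list of search hosts and the weak rule for executables sitting directly in the Windows directory are assumptions made for the example.

```python
"""Triage helper for HijackThis v1.99 logs (added example, not a tool from this thread).

It parses the R0/R1/R3, O4, O20 and O23 line formats used in the log above and applies
the indicators the helper's "Fix Checked" list was built from. The search-host
allow-list and the weak rule for executables placed directly in the Windows directory
are this example's own assumptions, not HijackThis behaviour.
"""
import re
from dataclasses import dataclass, field

# Assumed allow-list: an R0/R1 search key pointing anywhere else is flagged.
KNOWN_SEARCH_HOSTS = {"www.microsoft.com", "search.msn.com", "www.google.com"}

R_LINE = re.compile(r"^R[0-3] - (.+?) = (.+)$")
R3_LINE = re.compile(r"^R3 - URLSearchHook: (.+?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O4_LINE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\(Run\w*): \[(.+?)\] (.+)$")
O20_LINE = re.compile(r"^O20 - Winlogon Notify: (.+?) - (.+)$")
O23_LINE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")


@dataclass
class Finding:
    line: str
    reasons: list = field(default_factory=list)


def host_of(url):
    """Host part of an http(s) URL, lower-cased, or None if it is not a URL."""
    m = re.match(r"^https?://([^/\s]+)", url.strip())
    return m.group(1).lower() if m else None


def command_exe(value):
    """Executable part of a Run value: the quoted path, or the first token."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" ", 1)[0]


def triage_line(line):
    """Return a Finding for a suspicious log line, or None if it looks benign."""
    reasons = []
    if m := R3_LINE.match(line):
        if m.group(1) == "(no name)":
            reasons.append("unnamed URLSearchHook (third-party search hook)")
    elif m := R_LINE.match(line):
        host = host_of(m.group(2))
        if host and host not in KNOWN_SEARCH_HOSTS:
            reasons.append(f"search key redirected to {host}")
    elif m := O4_LINE.match(line):
        _hive, key, _name, value = m.groups()
        exe = command_exe(value)
        if "\\" not in exe:
            reasons.append("Run value has no path, so it is resolved via the search path")
        elif re.match(r"^[a-z]:\\windows\\[^\\]+\.exe$", exe, re.I):
            reasons.append("weak: executable placed directly in the Windows directory")
        if key.lower() == "runservices":
            reasons.append("RunServices key (Win9x-only key that XP ignores; a common worm artefact)")
    elif m := O20_LINE.match(line):
        target = m.group(2).strip()
        if target.endswith("\\") or not target.lower().endswith(".dll"):
            reasons.append("Winlogon Notify target is not a DLL path")
    elif m := O23_LINE.match(line):
        _name, owner, binary = m.groups()
        if owner == "Unknown owner" and "(file missing)" in binary:
            reasons.append("service with unknown owner and missing binary")
    return Finding(line, reasons) if reasons else None


def triage(log_text):
    """Run triage_line over every line of a HijackThis log, keeping only hits."""
    return [f for f in map(triage_line, log_text.splitlines()) if f]


def fix_list(log_text):
    """The lines to tick under 'Fix Checked', in log order."""
    return [f.line for f in triage(log_text)]


# Constructed sample: lines copied from the log above, mixed with benign entries.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.microsoft.com/isapi/redir.dll
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O4 - HKLM\..\Run: [winlog] winlog.exe
O4 - HKLM\..\RunServices: [wmplayer] p2pnetworking.exe
O4 - HKLM\..\Run: [keyboard] C:\windows\keyboard4.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Um9iZXJ0\command.exe (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("   ", reason)
```

The output is a starting point for a human reviewer, not a verdict: a benign entry such as the O20 WRNotifier line from the later log passes, while the "weak" reason only marks a line for a closer look.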

Thanks Guys

Post by steve67474 » March 21st, 2006, 12:45 pm

Thanks to both Gary R and Amateur. Great to know we have ppl like yourselves out there. Question.... do I follow both replies here as it sounds like my cousin is in dire straits. BTW I work for IBM and am fairly computer literate but am totally in your hands here. I can follow process to the letter guys.
steve67474
Regular Member
Posts: 30
Joined: December 26th, 2005, 7:42 am

Post by Gary R » March 21st, 2006, 12:48 pm

I have withdrawn from this post (see above)

Follow Amateur's instructions only. Her approach here is slightly different to mine, trying to use both will lead to problems.

Good luck with your clean up.

Gary
Last edited by Gary R on March 23rd, 2006, 4:40 pm, edited 1 time in total.
Gary R
Administrator
Posts: 21782
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Bank Stuff

Post by steve67474 » March 21st, 2006, 12:51 pm

Gary R, saw your response as soon as I asked the question. Will be guided by Amateur. Cheers for the prompt response. Only one thing: should I get my cousin to contact the banks and credit card companies as you first advised?? Any comments, Amateur? I will be guided by yourself. I do know that he does not do any banking or online transactions on the computer.
steve67474
Regular Member
Posts: 30
Joined: December 26th, 2005, 7:42 am

Post by amateur » March 21st, 2006, 12:54 pm

Hi Steve,

This is a supplementary post. I would like to warn you that you have W32/Rbot-AFL, a worm which attempts to spread to remote network shares. It also contains backdoor functionality, allowing unauthorised remote access to the infected computer while running in the background as a service process, plus a possible keylogger. This is the standard warning in such cases:

You are strongly advised to do the following immediately:

1. Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.

2. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

3. From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

and do whatever else seems appropriate.

If you are using this computer to do sensitive work (i.e., online banking, paying credit card bills), I recommend, in all honesty, that you save your datafiles and start afresh with a reformat. The nature of your infection makes it impossible for us to be completely sure that your machine is clean, even if the logs are all clear. Reformatting is the only way to be sure that your computer is completely clean.

If, however, you decide that the computer is not used for any sensitive work, or if you do not wish to reformat at this time, you can follow the instructions given in my first post.
Last edited by amateur on March 21st, 2006, 3:33 pm, edited 2 times in total.
amateur
MRU Master
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

Thanks

Post by steve67474 » March 21st, 2006, 12:59 pm

Thanks Amateur, will recommend he does that and have just printed off your instructions. I will download all the prereq software tools to my computer and cut a CD, then go round and follow your post. It may be a day or two before I get back to you as he is not near. Once again, thanks.
steve67474
Regular Member
Posts: 30
Joined: December 26th, 2005, 7:42 am

Post by amateur » March 21st, 2006, 1:00 pm

OK. Good luck :D
amateur
MRU Master
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

reports

Post by steve67474 » March 23rd, 2006, 4:09 pm

OK Amateur, had a few problems so will list them first then post logs...

1. BFU.exe, when going to http://metallica.geekstogo.com/alcanshorty.bfu, got "cannot find server". I tried on my system at home and got the same message, so the server was down and I couldn't run it. Did run it the next day and it was OK, but out of sequence from the list as this was the last action now.

2. Installed Webroot SpySweeper and configured it as stated and ran the sweep. After about 1.5 hrs it locked up on a system restore file C:\system volume information\_restore{ddeb55e-599c-4763-b3e7-b0d3854aa86c}a0034896.ini
Left it for 1 hr, no progress. Rebooted the system then started again, locked up again on a system restore file. Had to check the "Do not sweep Restore folder"; it then ran through and I was able to clean the infections. Ran HijackThis again and here are the three logs requested.....

Logfile of HijackThis v1.99.1
Scan saved at 18:11:31, on 23/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Ahead\Nero BackItUp\NBJ.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Hyjackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - blank (file missing)
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE97A420-5821-4027-A895-C25E13EDA91C}: NameServer = 80.225.252.178 80.225.252.186
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
Look2Me-Destroyer V1.0.11

Scanning for infected files.....
Scan started at 22/03/2006 09:03:05

Infected! C:\WINDOWS\system32\dnrs0197e.dll
Infected! C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029353.dll
Infected! C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029356.dll
Infected! C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029512.dll
Infected! C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029513.dll
Infected! C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029514.dll
Infected! C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029515.dll
Infected! C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0030083.dll
Infected! C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0042437.dll
Infected! C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0042442.dll
Infected! C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0043234.dll
Infected! C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0043236.dll
Infected! C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0043237.dll
Infected! C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0043297.dll
Infected! C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0043604.dll
Infected! C:\WINDOWS\system32\dnrs0197e.dll
Infected! C:\WINDOWS\system32\ktr6l79s1.dll
Infected! C:\WINDOWS\system32\lvl2093oe.dll
Infected! C:\WINDOWS\system32\mlvidc32.dll
Infected! C:\WINDOWS\system32\rPsdlg.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\dnrs0197e.dll
C:\WINDOWS\system32\dnrs0197e.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029353.dll
C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029353.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029356.dll
C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029356.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029512.dll
C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029512.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029513.dll
C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029513.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029514.dll
C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029514.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029515.dll
C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0029515.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0030083.dll
C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0030083.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0042437.dll
C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0042437.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0042442.dll
C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0042442.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0043234.dll
C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0043234.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0043236.dll
C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0043236.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0043237.dll
C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0043237.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0043297.dll
C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0043297.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0043604.dll
C:\System Volume Information\_restore{DDEB55E3-599C-4763-B3E7-B0D3854AA86C}\RP76\A0043604.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\dnrs0197e.dll
C:\WINDOWS\system32\dnrs0197e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\ktr6l79s1.dll
C:\WINDOWS\system32\ktr6l79s1.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\lvl2093oe.dll
C:\WINDOWS\system32\lvl2093oe.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\mlvidc32.dll
C:\WINDOWS\system32\mlvidc32.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\rPsdlg.dll
C:\WINDOWS\system32\rPsdlg.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Applets

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{454F3E6E-409B-44FF-9493-5325E2AAA450}"
HKCR\Clsid\{454F3E6E-409B-44FF-9493-5325E2AAA450}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{D78DF933-FB5E-45FB-BC37-46E3AB20A43F}"
HKCR\Clsid\{D78DF933-FB5E-45FB-BC37-46E3AB20A43F}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{F6A31C8B-98DE-4572-B097-DA3AC309C118}"
HKCR\Clsid\{F6A31C8B-98DE-4572-B097-DA3AC309C118}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{FE81359C-C5FA-4FF3-A224-CA1B5F30B50E}"
HKCR\Clsid\{FE81359C-C5FA-4FF3-A224-CA1B5F30B50E}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

********
12:26: | Start of Session, 23 March 2006 |
12:26: Spy Sweeper started
12:26: Sweep initiated using definitions version 638
12:26: Found Adware: zquest
12:26: HKCR\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\inprocserver32\ (2 subtraces) (ID = 1209096)
12:26: DH.dll (ID = 1209096)
12:26: Starting Memory Sweep
12:28: Memory Sweep Complete, Elapsed Time: 00:01:39
12:28: Starting Registry Sweep
12:28: Found Adware: command
12:28: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ (7 subtraces) (ID = 892523)
12:28: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || nomodify (ID = 958653)
12:28: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || noremove (ID = 958654)
12:28: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || norepair (ID = 958655)
12:28: HKCR\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\ (4 subtraces) (ID = 1074389)
12:28: HKLM\software\classes\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\ (4 subtraces) (ID = 1074513)
12:28: HKLM\software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}\ (7 subtraces) (ID = 1110756)
12:28: Found Adware: dollarrevenue
12:28: HKLM\software\microsoft\drsmartload2\ (1 subtraces) (ID = 1134137)
12:28: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || uninstallstring (ID = 1134952)
12:28: Found Adware: maxifiles
12:28: HKCR\xbtb04715.ietoolbar.1\ (3 subtraces) (ID = 1156344)
12:28: HKCR\xbtb04715.ietoolbar\ (5 subtraces) (ID = 1156348)
12:28: HKCR\toolband.xbtb04715.1\ (3 subtraces) (ID = 1156354)
12:28: HKCR\toolband.xbtb04715\ (5 subtraces) (ID = 1156358)
12:28: HKCR\xbtb04715.xbtb04715.1\ (3 subtraces) (ID = 1156364)
12:28: HKCR\xbtb04715.xbtb04715\ (5 subtraces) (ID = 1156368)
12:28: HKCR\clsid\{a8b0bded-64a5-495b-97da-42c0301e229b}\ (11 subtraces) (ID = 1156379)
12:28: HKCR\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\ (9 subtraces) (ID = 1156391)
12:28: HKLM\software\classes\toolband.xbtb04715\ (5 subtraces) (ID = 1156475)
12:28: HKLM\software\classes\xbtb04715.xbtb04715.1\ (3 subtraces) (ID = 1156481)
12:28: HKLM\software\classes\xbtb04715.xbtb04715\ (5 subtraces) (ID = 1156485)
12:28: HKLM\software\classes\clsid\{a8b0bded-64a5-495b-97da-42c0301e229b}\ (11 subtraces) (ID = 1156496)
12:28: HKLM\software\classes\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\ (9 subtraces) (ID = 1156508)
12:28: HKLM\software\microsoft\windows\currentversion\uninstall\xbtb04715.xbtb04715toolbar\ (1 subtraces) (ID = 1156519)
12:28: HKLM\software\classes\xbtb04715.ietoolbar.1\ (3 subtraces) (ID = 1156524)
12:28: HKLM\software\classes\xbtb04715.ietoolbar\ (5 subtraces) (ID = 1156528)
12:28: HKLM\software\classes\toolband.xbtb04715.1\ (3 subtraces) (ID = 1156534)
12:28: Found Adware: surfsidekick
12:28: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143397)
12:28: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\surfsidekick3\ (2 subtraces) (ID = 143412)
12:28: Found Adware: findthewebsiteyouneed hijack
12:28: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
12:28: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\windows\currentversion\run\ || cu1 (ID = 1140965)
12:28: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\windows\currentversion\run\ || cu2 (ID = 1140966)
12:28: HKU\S-1-5-21-57989841-1767777339-725345543-1003\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
12:28: HKU\S-1-5-21-57989841-1767777339-725345543-1003\software\director\ || baseurl (ID = 980277)
12:28: HKU\S-1-5-21-57989841-1767777339-725345543-1003\software\xbtb04715\ (69 subtraces) (ID = 1156401)
12:28: Registry Sweep Complete, Elapsed Time:00:00:09
12:28: Starting Cookie Sweep
12:28: Found Spy Cookie: 2o7.net cookie
12:28: robert@microsoftwga.112.2o7[1].txt (ID = 1958)
12:28: Cookie Sweep Complete, Elapsed Time: 00:00:02
12:28: Starting File Sweep
12:28: Found Trojan Horse: trojan downloader matcash
12:28: c:\program files\common files\inetget (ID = -2147477182)
12:28: c:\program files\toolbar888 (8 subtraces) (ID = -2147456311)
12:28: c:\program files\outlook (1 subtraces) (ID = -2147454834)
12:28: Found Adware: webhancer
12:28: c:\program files\whinstall (ID = -2147480064)
12:29: installer[1].exe (ID = 231664)
12:29: cmdinst.exe (ID = 231664)
12:30: ss1001.exe (ID = 216718)
12:31: autoit3.exe (ID = 185254)
12:31: basis.xml (ID = 244764)
12:31: Found Adware: look2me
12:31: installer.exe (ID = 168558)
12:31: atmtd.dll (ID = 166754)
12:32: atmtd.dll._ (ID = 166754)
12:33: sskknwrd.dll (ID = 77733)
12:37: ss1001[1].exe (ID = 216718)
12:37: uninstall_nmon.vbs (ID = 231442)
12:39: dr140306[1].exe (ID = 267188)
12:39: whcc2.exe (ID = 267157)
12:40: freeprodtb.exe (ID = 244762)
12:40: freeprodtb[1].exe (ID = 244762)
12:40: Found Adware: targetsaver
12:40: tsupdate2[1].ini (ID = 193498)
12:41: class-barrel (ID = 78229)
12:41: vocabulary (ID = 78283)
12:41: Warning: Failed to open file "c:\documents and settings\all users\application data\kaspersky anti-virus personal\5.0\reports\rptmngbak.i0000:kavichs". Access is denied
12:41: Warning: Failed to open file "c:\documents and settings\all users\application data\kaspersky anti-virus personal\5.0\reports\rptmngbak.i0001:kavichs". Access is denied
12:41: Warning: Failed to open file "c:\documents and settings\all users\application data\kaspersky anti-virus personal\5.0\reports\rptmngbak.i0100:kavichs". Access is denied
12:41: Warning: Failed to open file "c:\documents and settings\all users\application data\kaspersky anti-virus personal\5.0\reports\rptmngbak.i0101:kavichs". Access is denied
12:41: Warning: Failed to open file "c:\documents and settings\all users\application data\kaspersky anti-virus personal\5.0\reports\rptmngbak.i0200:kavichs". Access is denied
12:41: Warning: Failed to open file "c:\documents and settings\all users\application data\kaspersky anti-virus personal\5.0\reports\rptmngbak.i0201:kavichs". Access is denied
12:41: Warning: Failed to open file "c:\documents and settings\all users\application data\kaspersky anti-virus personal\5.0\reports\rptmngbak.reph:kavichs". Access is denied
12:41: Warning: Failed to open file "c:\documents and settings\all users\application data\kaspersky anti-virus personal\5.0\reports\rptmngbak.repi:kavichs". Access is denied
12:41: Warning: Failed to open file "c:\documents and settings\all users\application data\kaspersky anti-virus personal\5.0\reports\rptmngbak.rept:kavichs". Access is denied
12:43: Found Trojan Horse: sdbot
12:43: adiras.ini (ID = 74768)
14:19: File Sweep Complete, Elapsed Time: 01:50:45
14:19: Full Sweep has completed. Elapsed time 01:52:46
14:19: Traces Found: 254
18:02: Removal process initiated
18:02: Quarantining All Traces: look2me
18:02: Quarantining All Traces: sdbot
18:02: Quarantining All Traces: trojan downloader matcash
18:02: Quarantining All Traces: dollarrevenue
18:02: Quarantining All Traces: maxifiles
18:02: Quarantining All Traces: surfsidekick
18:02: Quarantining All Traces: zquest
18:02: Quarantining All Traces: command
18:02: Quarantining All Traces: findthewebsiteyouneed hijack
18:02: Quarantining All Traces: targetsaver
18:02: Quarantining All Traces: webhancer
18:02: Quarantining All Traces: 2o7.net cookie
18:02: Removal process completed. Elapsed time 00:00:44
********
09:47: | Start of Session, 23 March 2006 |
09:47: Spy Sweeper started
09:47: Sweep initiated using definitions version 638
09:47: Found Adware: zquest
09:47: HKCR\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\inprocserver32\ (2 subtraces) (ID = 1209096)
09:47: DH.dll (ID = 1209096)
09:47: Starting Memory Sweep
09:48: Memory Sweep Complete, Elapsed Time: 00:01:34
09:48: Starting Registry Sweep
09:49: Found Adware: command
09:49: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ (7 subtraces) (ID = 892523)
09:49: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || nomodify (ID = 958653)
09:49: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || noremove (ID = 958654)
09:49: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || norepair (ID = 958655)
09:49: HKCR\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\ (4 subtraces) (ID = 1074389)
09:49: HKLM\software\classes\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\ (4 subtraces) (ID = 1074513)
09:49: HKLM\software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}\ (7 subtraces) (ID = 1110756)
09:49: Found Adware: dollarrevenue
09:49: HKLM\software\microsoft\drsmartload2\ (1 subtraces) (ID = 1134137)
09:49: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || uninstallstring (ID = 1134952)
09:49: Found Adware: maxifiles
09:49: HKCR\xbtb04715.ietoolbar.1\ (3 subtraces) (ID = 1156344)
09:49: HKCR\xbtb04715.ietoolbar\ (5 subtraces) (ID = 1156348)
09:49: HKCR\toolband.xbtb04715.1\ (3 subtraces) (ID = 1156354)
09:49: HKCR\toolband.xbtb04715\ (5 subtraces) (ID = 1156358)
09:49: HKCR\xbtb04715.xbtb04715.1\ (3 subtraces) (ID = 1156364)
09:49: HKCR\xbtb04715.xbtb04715\ (5 subtraces) (ID = 1156368)
09:49: HKCR\clsid\{a8b0bded-64a5-495b-97da-42c0301e229b}\ (11 subtraces) (ID = 1156379)
09:49: HKCR\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\ (9 subtraces) (ID = 1156391)
09:49: HKLM\software\classes\toolband.xbtb04715\ (5 subtraces) (ID = 1156475)
09:49: HKLM\software\classes\xbtb04715.xbtb04715.1\ (3 subtraces) (ID = 1156481)
09:49: HKLM\software\classes\xbtb04715.xbtb04715\ (5 subtraces) (ID = 1156485)
09:49: HKLM\software\classes\clsid\{a8b0bded-64a5-495b-97da-42c0301e229b}\ (11 subtraces) (ID = 1156496)
09:49: HKLM\software\classes\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\ (9 subtraces) (ID = 1156508)
09:49: HKLM\software\microsoft\windows\currentversion\uninstall\xbtb04715.xbtb04715toolbar\ (1 subtraces) (ID = 1156519)
09:49: HKLM\software\classes\xbtb04715.ietoolbar.1\ (3 subtraces) (ID = 1156524)
09:49: HKLM\software\classes\xbtb04715.ietoolbar\ (5 subtraces) (ID = 1156528)
09:49: HKLM\software\classes\toolband.xbtb04715.1\ (3 subtraces) (ID = 1156534)
09:49: Found Adware: surfsidekick
09:49: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143397)
09:49: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\surfsidekick3\ (2 subtraces) (ID = 143412)
09:49: Found Adware: findthewebsiteyouneed hijack
09:49: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
09:49: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\windows\currentversion\run\ || cu1 (ID = 1140965)
09:49: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\windows\currentversion\run\ || cu2 (ID = 1140966)
09:49: HKU\S-1-5-21-57989841-1767777339-725345543-1003\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
09:49: HKU\S-1-5-21-57989841-1767777339-725345543-1003\software\director\ || baseurl (ID = 980277)
09:49: HKU\S-1-5-21-57989841-1767777339-725345543-1003\software\xbtb04715\ (69 subtraces) (ID = 1156401)
09:49: Registry Sweep Complete, Elapsed Time:00:00:09
09:49: Starting Cookie Sweep
09:49: Found Spy Cookie: 2o7.net cookie
09:49: robert@microsoftwga.112.2o7[1].txt (ID = 1958)
09:49: Cookie Sweep Complete, Elapsed Time: 00:00:02
09:49: Starting File Sweep
09:49: Found Trojan Horse: trojan downloader matcash
09:49: c:\program files\outlook (1 subtraces) (ID = -2147454834)
09:49: c:\program files\common files\inetget (ID = -2147477182)
09:49: c:\program files\toolbar888 (8 subtraces) (ID = -2147456311)
09:49: Found Adware: webhancer
09:49: c:\program files\whinstall (ID = -2147480064)
09:49: installer[1].exe (ID = 231664)
09:49: a0042406.vbs (ID = 231442)
09:49: cmdinst.exe (ID = 231664)
09:49: a0029454.exe (ID = 184143)
09:49: a0029511.dll (ID = 144945)
09:49: a0029474.exe (ID = 216718)
09:50: whcc2.exe (ID = 267157)
09:50: a0043233.exe (ID = 267188)
09:51: a0029737.exe (ID = 267157)
09:51: ss1001.exe (ID = 216718)
09:51: a0029442.exe (ID = 246327)
09:52: autoit3.exe (ID = 185254)
09:52: basis.xml (ID = 244764)
09:53: a0029008.dll (ID = 244763)
09:53: Found Adware: look2me
09:53: installer.exe (ID = 168558)
09:53: atmtd.dll (ID = 166754)
09:53: a0029318.exe (ID = 144946)
09:54: atmtd.dll._ (ID = 166754)
09:54: a0029452.exe (ID = 185254)
09:54: a0029080.dll (ID = 144945)
09:55: sskknwrd.dll (ID = 77733)
09:55: a0029645.exe (ID = 244762)
09:55: a0028644.exe (ID = 212828)
09:56: a0029835.exe (ID = 212828)
09:56: a0032170.exe (ID = 184143)
09:58: a0029929.exe (ID = 231443)
09:59: a0029503.exe (ID = 267188)
10:00: a0029510.exe (ID = 144946)
10:00: ss1001[1].exe (ID = 216718)
10:00: a0030049.config (ID = 212361)
10:01: uninstall_nmon.vbs (ID = 231442)
10:03: a0032168.exe (ID = 185254)
10:03: a0028649.exe (ID = 212830)
10:03: a0030790.dll (ID = 244763)
10:04: a0030046.exe (ID = 212831)
10:05: a0029840.exe (ID = 212830)
10:05: a0029473.exe (ID = 168558)
10:05: dr140306[1].exe (ID = 267188)
10:05: a0029349.dll (ID = 144945)
10:07: a0036833.exe (ID = 168558)
10:07: a0039269.dll (ID = 166754)
10:07: a0042827.exe (ID = 212830)
10:08: a0029451.config (ID = 212361)
10:08: a0029450.exe (ID = 212831)
10:09: freeprodtb[1].exe (ID = 244762)
10:09: freeprodtb.exe (ID = 244762)
10:09: Found Adware: targetsaver
10:09: tsupdate2[1].ini (ID = 193498)
10:10: class-barrel (ID = 78229)
10:10: vocabulary (ID = 78283)
10:11: a0029477.dll (ID = 166754)
10:12: a0029059.exe (ID = 144946)
10:14: Warning: Failed to open file "c:\documents and settings\all users\application data\kaspersky anti-virus personal\5.0\sfdb.dat:kavichs". Access is denied
10:16: Found Trojan Horse: sdbot
10:16: adiras.ini (ID = 74768)
10:16: a0029447.bat (ID = 212353)
10:16: a0029449.config (ID = 212358)
10:16: a0030043.bat (ID = 212353)
10:16: a0030045.config (ID = 212358)
10:16: a0034896.ini (ID = 74768)
********
11:45: | Start of Session, 22 March 2006 |
11:45: Spy Sweeper started
11:45: Sweep initiated using definitions version 638
11:45: Found Adware: zquest
11:45: HKCR\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\inprocserver32\ (2 subtraces) (ID = 1209096)
11:45: DH.dll (ID = 1209096)
11:45: Starting Memory Sweep
11:47: Memory Sweep Complete, Elapsed Time: 00:01:39
11:47: Starting Registry Sweep
11:47: Found Adware: command
11:47: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ (7 subtraces) (ID = 892523)
11:47: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || nomodify (ID = 958653)
11:47: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || noremove (ID = 958654)
11:47: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || norepair (ID = 958655)
11:47: HKCR\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\ (4 subtraces) (ID = 1074389)
11:47: HKLM\software\classes\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\ (4 subtraces) (ID = 1074513)
11:47: HKLM\software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}\ (7 subtraces) (ID = 1110756)
11:47: Found Adware: dollarrevenue
11:47: HKLM\software\microsoft\drsmartload2\ (1 subtraces) (ID = 1134137)
11:47: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || uninstallstring (ID = 1134952)
11:47: Found Adware: maxifiles
11:47: HKCR\xbtb04715.ietoolbar.1\ (3 subtraces) (ID = 1156344)
11:47: HKCR\xbtb04715.ietoolbar\ (5 subtraces) (ID = 1156348)
11:47: HKCR\toolband.xbtb04715.1\ (3 subtraces) (ID = 1156354)
11:47: HKCR\toolband.xbtb04715\ (5 subtraces) (ID = 1156358)
11:47: HKCR\xbtb04715.xbtb04715.1\ (3 subtraces) (ID = 1156364)
11:47: HKCR\xbtb04715.xbtb04715\ (5 subtraces) (ID = 1156368)
11:47: HKCR\clsid\{a8b0bded-64a5-495b-97da-42c0301e229b}\ (11 subtraces) (ID = 1156379)
11:47: HKCR\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\ (9 subtraces) (ID = 1156391)
11:47: HKLM\software\classes\toolband.xbtb04715\ (5 subtraces) (ID = 1156475)
11:47: HKLM\software\classes\xbtb04715.xbtb04715.1\ (3 subtraces) (ID = 1156481)
11:47: HKLM\software\classes\xbtb04715.xbtb04715\ (5 subtraces) (ID = 1156485)
11:47: HKLM\software\classes\clsid\{a8b0bded-64a5-495b-97da-42c0301e229b}\ (11 subtraces) (ID = 1156496)
11:47: HKLM\software\classes\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\ (9 subtraces) (ID = 1156508)
11:47: HKLM\software\microsoft\windows\currentversion\uninstall\xbtb04715.xbtb04715toolbar\ (1 subtraces) (ID = 1156519)
11:47: HKLM\software\classes\xbtb04715.ietoolbar.1\ (3 subtraces) (ID = 1156524)
11:47: HKLM\software\classes\xbtb04715.ietoolbar\ (5 subtraces) (ID = 1156528)
11:47: HKLM\software\classes\toolband.xbtb04715.1\ (3 subtraces) (ID = 1156534)
11:47: Found Adware: surfsidekick
11:47: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143397)
11:47: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\surfsidekick3\ (2 subtraces) (ID = 143412)
11:47: Found Adware: findthewebsiteyouneed hijack
11:47: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
11:47: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\windows\currentversion\run\ || cu1 (ID = 1140965)
11:47: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\windows\currentversion\run\ || cu2 (ID = 1140966)
11:47: HKU\S-1-5-21-57989841-1767777339-725345543-1003\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
11:47: HKU\S-1-5-21-57989841-1767777339-725345543-1003\software\director\ || baseurl (ID = 980277)
11:47: HKU\S-1-5-21-57989841-1767777339-725345543-1003\software\xbtb04715\ (69 subtraces) (ID = 1156401)
11:47: Registry Sweep Complete, Elapsed Time:00:00:09
11:47: Starting Cookie Sweep
11:47: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:47: Starting File Sweep
11:47: Found Trojan Horse: trojan downloader matcash
11:47: c:\program files\outlook (1 subtraces) (ID = -2147454834)
11:47: c:\program files\common files\inetget (ID = -2147477182)
11:47: c:\program files\toolbar888 (8 subtraces) (ID = -2147456311)
11:47: Found Adware: webhancer
11:47: c:\program files\whinstall (ID = -2147480064)
11:47: installer[1].exe (ID = 231664)
11:47: a0042406.vbs (ID = 231442)
11:47: cmdinst.exe (ID = 231664)
11:47: a0029454.exe (ID = 184143)
11:47: a0029511.dll (ID = 144945)
11:47: a0029474.exe (ID = 216718)
11:48: whcc2.exe (ID = 267157)
11:48: a0043233.exe (ID = 267188)
11:49: a0029737.exe (ID = 267157)
11:49: ss1001.exe (ID = 216718)
11:49: a0029442.exe (ID = 246327)
11:50: autoit3.exe (ID = 185254)
11:50: basis.xml (ID = 244764)
11:51: a0029008.dll (ID = 244763)
11:51: Found Adware: look2me
11:51: installer.exe (ID = 168558)
11:51: atmtd.dll (ID = 166754)
11:51: a0029318.exe (ID = 144946)
11:52: atmtd.dll._ (ID = 166754)
11:52: a0029452.exe (ID = 185254)
11:52: a0029080.dll (ID = 144945)
11:53: sskknwrd.dll (ID = 77733)
11:53: a0029645.exe (ID = 244762)
11:54: a0028644.exe (ID = 212828)
11:54: a0029835.exe (ID = 212828)
11:54: a0032170.exe (ID = 184143)
11:56: a0029929.exe (ID = 231443)
11:57: a0029503.exe (ID = 267188)
11:58: a0029510.exe (ID = 144946)
11:59: ss1001[1].exe (ID = 216718)
11:59: a0030049.config (ID = 212361)
11:59: uninstall_nmon.vbs (ID = 231442)
12:00: a0032168.exe (ID = 185254)
12:01: a0028649.exe (ID = 212830)
12:01: a0030790.dll (ID = 244763)
12:01: a0030046.exe (ID = 212831)
12:01: a0029840.exe (ID = 212830)
12:01: a0029473.exe (ID = 168558)
12:02: dr140306[1].exe (ID = 267188)
12:02: a0029349.dll (ID = 144945)
12:02: a0036833.exe (ID = 168558)
12:02: a0039269.dll (ID = 166754)
12:03: a0042827.exe (ID = 212830)
12:03: a0029451.config (ID = 212361)
12:03: a0029450.exe (ID = 212831)
12:03: freeprodtb[1].exe (ID = 244762)
12:03: freeprodtb.exe (ID = 244762)
12:04: Found Adware: targetsaver
12:04: tsupdate2[1].ini (ID = 193498)
12:05: class-barrel (ID = 78229)
12:05: vocabulary (ID = 78283)
12:06: a0029477.dll (ID = 166754)
12:06: a0029059.exe (ID = 144946)
12:11: Found Trojan Horse: sdbot
12:11: adiras.ini (ID = 74768)
12:11: a0029447.bat (ID = 212353)
12:11: a0029449.config (ID = 212358)
12:11: a0030043.bat (ID = 212353)
12:11: a0030045.config (ID = 212358)
12:11: a0034896.ini (ID = 74768)
22:12: Sweep Canceled
********
09:15: | Start of Session, 22 March 2006 |
09:15: Spy Sweeper started
09:15: Sweep initiated using definitions version 638
09:15: Found Adware: zquest
09:15: HKCR\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\inprocserver32\ (2 subtraces) (ID = 1209096)
09:15: DH.dll (ID = 1209096)
09:15: Starting Memory Sweep
09:17: Memory Sweep Complete, Elapsed Time: 00:01:41
09:17: Starting Registry Sweep
09:17: Found Adware: command
09:17: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ (7 subtraces) (ID = 892523)
09:17: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || nomodify (ID = 958653)
09:17: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || noremove (ID = 958654)
09:17: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || norepair (ID = 958655)
09:17: HKCR\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\ (4 subtraces) (ID = 1074389)
09:17: HKLM\software\classes\clsid\{6001cdf7-6f45-471b-a203-0225615e35a7}\ (4 subtraces) (ID = 1074513)
09:17: HKLM\software\microsoft\windows\currentversion\uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be}\ (7 subtraces) (ID = 1110756)
09:17: Found Adware: dollarrevenue
09:17: HKLM\software\microsoft\drsmartload2\ (1 subtraces) (ID = 1134137)
09:17: HKLM\software\microsoft\windows\currentversion\uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920}\ || uninstallstring (ID = 1134952)
09:17: Found Adware: maxifiles
09:17: HKCR\xbtb04715.ietoolbar.1\ (3 subtraces) (ID = 1156344)
09:17: HKCR\xbtb04715.ietoolbar\ (5 subtraces) (ID = 1156348)
09:17: HKCR\toolband.xbtb04715.1\ (3 subtraces) (ID = 1156354)
09:17: HKCR\toolband.xbtb04715\ (5 subtraces) (ID = 1156358)
09:17: HKCR\xbtb04715.xbtb04715.1\ (3 subtraces) (ID = 1156364)
09:17: HKCR\xbtb04715.xbtb04715\ (5 subtraces) (ID = 1156368)
09:17: HKCR\clsid\{a8b0bded-64a5-495b-97da-42c0301e229b}\ (11 subtraces) (ID = 1156379)
09:17: HKCR\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\ (9 subtraces) (ID = 1156391)
09:17: HKLM\software\classes\toolband.xbtb04715\ (5 subtraces) (ID = 1156475)
09:17: HKLM\software\classes\xbtb04715.xbtb04715.1\ (3 subtraces) (ID = 1156481)
09:17: HKLM\software\classes\xbtb04715.xbtb04715\ (5 subtraces) (ID = 1156485)
09:17: HKLM\software\classes\clsid\{a8b0bded-64a5-495b-97da-42c0301e229b}\ (11 subtraces) (ID = 1156496)
09:17: HKLM\software\classes\typelib\{75e46ee7-404b-48ec-9326-c654f21f65bf}\ (9 subtraces) (ID = 1156508)
09:17: HKLM\software\microsoft\windows\currentversion\uninstall\xbtb04715.xbtb04715toolbar\ (1 subtraces) (ID = 1156519)
09:17: HKLM\software\classes\xbtb04715.ietoolbar.1\ (3 subtraces) (ID = 1156524)
09:17: HKLM\software\classes\xbtb04715.ietoolbar\ (5 subtraces) (ID = 1156528)
09:17: HKLM\software\classes\toolband.xbtb04715.1\ (3 subtraces) (ID = 1156534)
09:17: Found Adware: surfsidekick
09:17: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143397)
09:17: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\surfsidekick3\ (2 subtraces) (ID = 143412)
09:17: Found Adware: findthewebsiteyouneed hijack
09:17: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
09:17: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\windows\currentversion\run\ || cu1 (ID = 1140965)
09:17: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\microsoft\windows\currentversion\run\ || cu2 (ID = 1140966)
09:17: HKU\S-1-5-21-57989841-1767777339-725345543-1003\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
09:17: HKU\S-1-5-21-57989841-1767777339-725345543-1003\software\director\ || baseurl (ID = 980277)
09:17: HKU\S-1-5-21-57989841-1767777339-725345543-1003\software\xbtb04715\ (69 subtraces) (ID = 1156401)
09:17: Registry Sweep Complete, Elapsed Time:00:00:10
09:17: Starting Cookie Sweep
09:17: Cookie Sweep Complete, Elapsed Time: 00:00:00
09:17: Starting File Sweep
09:17: c:\program files\toolbar888 (8 subtraces) (ID = -2147456311)
09:17: Found Trojan Horse: trojan downloader matcash
09:17: c:\program files\common files\inetget (ID = -2147477182)
09:17: c:\program files\outlook (1 subtraces) (ID = -2147454834)
09:17: Found Adware: webhancer
09:17: c:\program files\whinstall (ID = -2147480064)
09:17: installer[1].exe (ID = 231664)
09:17: a0042406.vbs (ID = 231442)
09:17: cmdinst.exe (ID = 231664)
09:17: a0029454.exe (ID = 184143)
09:17: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030583.exe". The operation completed successfully
09:18: a0029511.dll (ID = 144945)
09:18: a0029474.exe (ID = 216718)
09:18: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030569.exe". The operation completed successfully
09:19: a0029504.exe (ID = 190798)
09:19: whcc2.exe (ID = 267157)
09:19: a0043233.exe (ID = 267188)
09:20: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0042608.exe". The operation completed successfully
09:21: a0029737.exe (ID = 267157)
09:21: ss1001.exe (ID = 216718)
09:21: a0029442.exe (ID = 246327)
09:23: autoit3.exe (ID = 185254)
09:24: basis.xml (ID = 244764)
09:24: a0028919.exe (ID = 268082)
09:25: a0029008.dll (ID = 244763)
09:25: Found Adware: look2me
09:25: installer.exe (ID = 168558)
09:25: atmtd.dll (ID = 166754)
09:25: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030420.exe". The operation completed successfully
09:26: a0029318.exe (ID = 144946)
09:27: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030449.exe". The operation completed successfully
09:28: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030589.exe". The operation completed successfully
09:28: atmtd.dll._ (ID = 166754)
09:28: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030539.exe". The operation completed successfully
09:29: a0029452.exe (ID = 185254)
09:29: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030761.exe". The operation completed successfully
09:30: a0029080.dll (ID = 144945)
09:30: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030473.exe". The operation completed successfully
09:31: a0028659.exe (ID = 190798)
09:31: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030451.exe". The operation completed successfully
09:32: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030659.exe". The operation completed successfully
09:33: sskknwrd.dll (ID = 77733)
09:34: a0029645.exe (ID = 244762)
09:35: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030728.exe". The operation completed successfully
09:35: a0028644.exe (ID = 212828)
09:35: a0028916.exe (ID = 268081)
09:36: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030675.exe". The operation completed successfully
09:36: a0029835.exe (ID = 212828)
09:36: a0032170.exe (ID = 184143)
09:36: a0029436.exe (ID = 185985)
09:37: Warning: Failed to read file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0029505.exe". The operation completed successfully
09:38: a0028920.exe (ID = 268083)
09:38: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030484.exe". The operation completed successfully
09:40: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030545.exe". The operation completed successfully
09:40: a0029173.exe (ID = 268083)
09:41: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030573.exe". The operation completed successfully
09:43: a0029929.exe (ID = 231443)
09:44: a0029503.exe (ID = 267188)
09:44: a0029170.exe (ID = 268081)
09:47: a0029510.exe (ID = 144946)
09:48: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030424.exe". The operation completed successfully
09:48: ss1001[1].exe (ID = 216718)
09:48: a0030049.config (ID = 212361)
09:49: uninstall_nmon.vbs (ID = 231442)
09:50: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030486.exe". The operation completed successfully
09:52: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030393.exe". The operation completed successfully
09:53: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030527.exe". The operation completed successfully
09:53: a0032168.exe (ID = 185254)
09:54: a0028649.exe (ID = 212830)
09:55: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030711.exe". The operation completed successfully
09:56: a0030790.dll (ID = 244763)
09:57: Warning: Failed to read file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0029172.exe". The operation completed successfully
09:57: a0030046.exe (ID = 212831)
09:58: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030694.exe". The operation completed successfully
09:59: a0029840.exe (ID = 212830)
09:59: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030688.exe". The operation completed successfully
10:00: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030751.exe". The operation completed successfully
10:00: a0029473.exe (ID = 168558)
10:01: dr140306[1].exe (ID = 267188)
10:01: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030233.exe". The operation completed successfully
10:01: a0029349.dll (ID = 144945)
10:03: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030302.exe". The operation completed successfully
10:03: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030663.exe". The operation completed successfully
10:04: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030733.exe". The operation completed successfully
10:04: a0036833.exe (ID = 168558)
10:05: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030778.exe". The operation completed successfully
10:06: a0039269.dll (ID = 166754)
10:07: Found Adware: targetsaver
10:07: a0029435.exe (ID = 193995)
10:07: a0042827.exe (ID = 212830)
10:08: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030491.exe". The operation completed successfully
10:09: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030665.exe". The operation completed successfully
10:12: a0029451.config (ID = 212361)
10:12: a0029450.exe (ID = 212831)
10:12: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030575.exe". The operation completed successfully
10:12: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030338.exe". The operation completed successfully
10:13: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030283.exe". The operation completed successfully
10:14: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030713.exe". The operation completed successfully
10:15: freeprodtb[1].exe (ID = 244762)
10:15: freeprodtb.exe (ID = 244762)
10:15: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030754.exe". The operation completed successfully
10:16: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030621.exe". The operation completed successfully
10:16: tsupdate2[1].ini (ID = 193498)
10:17: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030679.exe". The operation completed successfully
10:17: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030623.exe". The operation completed successfully
10:19: Warning: PerformFileOffsetMatch Failed to check file "c:\documents and settings\andre\shared\_\wallace and gromit the curse of the were-rabbit (2005) ntsc dts .avi.exe". The operation completed successfully
10:20: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030340.exe". The operation completed successfully
10:22: Warning: PerformFileOffsetMatch Failed to check file "c:\documents and settings\andre\shared\_\the young punx - dance with someone else (vocal-edit).mp3.exe". The operation completed successfully
10:23: Warning: PerformFileOffsetMatch Failed to check file "c:\documents and settings\andre\shared\_\tiesto - just be.mp3.exe". The operation completed successfully
10:23: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030653.exe". The operation completed successfully
10:24: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030333.exe". The operation completed successfully
10:25: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030780.exe". The operation completed successfully
10:26: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030235.exe". The operation completed successfully
10:27: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030721.exe". The operation completed successfully
10:29: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030649.exe". The operation completed successfully
10:31: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030690.exe". The operation completed successfully
10:31: class-barrel (ID = 78229)
10:31: vocabulary (ID = 78283)
10:32: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030700.exe". The operation completed successfully
10:33: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030566.exe". The operation completed successfully
10:33: a0029477.dll (ID = 166754)
10:33: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030582.exe". The operation completed successfully
10:35: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030371.exe". The operation completed successfully
10:36: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030633.exe". The operation completed successfully
10:38: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030405.exe". The operation completed successfully
10:40: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030316.exe". The operation completed successfully
10:40: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030757.exe". The operation completed successfully
10:41: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030356.exe". The operation completed successfully
10:42: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030768.exe". The operation completed successfully
10:43: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030725.exe". The operation completed successfully
10:43: a0029059.exe (ID = 144946)
10:44: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030407.exe". The operation completed successfully
10:45: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030691.exe". The operation completed successfully
10:45: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030547.exe". The operation completed successfully
10:46: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030384.exe". The operation completed successfully
10:48: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030704.exe". The operation completed successfully
10:49: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030258.exe". The operation completed successfully
10:50: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030746.exe". The operation completed successfully
10:51: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030259.exe". The operation completed successfully
10:51: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030261.exe". The operation completed successfully
10:54: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030435.exe". The operation completed successfully
10:54: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030227.exe". The operation completed successfully
10:55: Warning: Failed to open file "c:\documents and settings\andre\shared\_\queen - princes of the universe.mp3.exe:kavichs". Access is denied
10:55: Warning: Failed to open file "c:\documents and settings\all users\application data\kaspersky anti-virus personal\5.0\policy\policy.dat:kavichs". Access is denied
10:55: Warning: Failed to open file "c:\documents and settings\all users\application data\kaspersky anti-virus personal\5.0\sfdb.dat:kavichs". Access is denied
10:55: Warning: Failed to open file "c:\documents and settings\andre\shared\_\tiger trap - words and smiles.mp3.exe:kavichs". Access is denied
10:57: Warning: Failed to open file "c:\documents and settings\andre\shared\_\hot chip - crap kraft dinner.mp3.exe:kavichs". Access is denied
11:07: Found Trojan Horse: sdbot
11:07: adiras.ini (ID = 74768)
11:07: a0029447.bat (ID = 212353)
11:07: a0029449.config (ID = 212358)
11:07: a0030043.bat (ID = 212353)
11:07: a0030045.config (ID = 212358)
11:07: a0034896.ini (ID = 74768)
11:36: Sweep Canceled
11:43: Updating spyware definitions
11:43: There is a problem reaching the server. The cause may be in your connection, or on the server. Please try again later.
11:45: | End of Session, 22 March 2006 |
********
09:11: | Start of Session, 22 March 2006 |
09:11: Spy Sweeper started
09:12: Updating spyware definitions
09:12: Your spyware definitions have been updated.
09:15: | End of Session, 22 March 2006 |
steve67474
Regular Member
 
Posts: 30
Joined: December 26th, 2005, 7:42 am
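Triage of a Spy Sweeper log like the one posted above, as an added example (it is not code from the thread, from Webroot or from the poster). It groups each detection under the "Found ..." header it follows, counts the warnings raised on files inside the System Restore store (the reason the "Do not sweep Restore folder" option later let the sweep finish), lists files the scanner could not open because the path names an NTFS alternate data stream (the `:kavichs` suffix is a stream name; Kaspersky's iStreams feature keeps its scan state in such streams), and flags double-extension names such as `.mp3.exe` in the shared folder, which are executables disguised as media. The sample lines are a constructed abridgement of the log above, and the regular expressions are my assumptions about its line format.

```python
import re

# Constructed abridgement of the Spy Sweeper log posted above (same line format).
SAMPLE_LOG = r"""
09:17: Found Adware: surfsidekick
09:17: HKU\WRSS_Profile_S-1-5-21-57989841-1767777339-725345543-1004\software\surfsidekick3\ (2 subtraces) (ID = 143412)
09:17: Starting File Sweep
09:17: Found Trojan Horse: trojan downloader matcash
09:17: c:\program files\common files\inetget (ID = -2147477182)
09:17: Warning: PerformFileOffsetMatch Failed to check file "c:\system volume information\_restore{ddeb55e3-599c-4763-b3e7-b0d3854aa86c}\rp76\a0030583.exe". The operation completed successfully
10:19: Warning: PerformFileOffsetMatch Failed to check file "c:\documents and settings\andre\shared\_\wallace and gromit the curse of the were-rabbit (2005) ntsc dts .avi.exe". The operation completed successfully
10:55: Warning: Failed to open file "c:\documents and settings\andre\shared\_\queen - princes of the universe.mp3.exe:kavichs". Access is denied
11:07: Found Trojan Horse: sdbot
11:07: adiras.ini (ID = 74768)
11:36: Sweep Canceled
"""

# Assumed line formats (derived from the log above, not from Webroot documentation).
FOUND_RE = re.compile(r'^\d\d:\d\d: Found (?P<kind>[^:]+): (?P<name>.+)$')
ITEM_RE = re.compile(r'^\d\d:\d\d: (?P<item>.+?) \(ID = -?\d+\)$')
WARN_RE = re.compile(r'^\d\d:\d\d: Warning: [^"]*"(?P<path>[^"]+)"')
RESTORE_PREFIX = r'c:\system volume information\_restore'
# A media or document extension immediately followed by an executable one.
DISGUISED_RE = re.compile(
    r'\.(?:mp3|wma|avi|mpg|mpeg|wmv|jpg|jpeg|gif|doc|pdf|zip|rar)'
    r'\.(?:exe|scr|pif|com|bat|cmd)$', re.IGNORECASE)


def split_stream(path):
    r"""Split 'dir\file.exe:stream' into ('dir\file.exe', 'stream').
    Only the last path component is examined, so the drive-letter colon
    is never mistaken for a stream separator."""
    head, sep, base = path.rpartition('\\')
    if ':' in base:
        name, _, stream = base.partition(':')
        return head + sep + name, stream
    return path, None


def triage(log_text):
    families = {}                 # "Kind: name" -> detections listed under it
    current = None
    restore_point_warnings = 0
    ads_streams = []              # (path, stream) the scanner could not open
    disguised = []                # media-looking names that are executables
    for line in log_text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            current = f"{m['kind']}: {m['name']}"
            families.setdefault(current, [])
            continue
        m = WARN_RE.match(line)
        if m:
            path, stream = split_stream(m['path'].lower())
            if path.startswith(RESTORE_PREFIX):
                restore_point_warnings += 1
            if stream:
                ads_streams.append((path, stream))
            if DISGUISED_RE.search(path):
                disguised.append(path)
            continue
        m = ITEM_RE.match(line)
        if m and current:
            families[current].append(m['item'])
    return {
        'families': families,
        'restore_point_warnings': restore_point_warnings,
        'ads_streams': ads_streams,
        'disguised_executables': disguised,
    }


if __name__ == '__main__':
    result = triage(SAMPLE_LOG)
    for family, items in result['families'].items():
        print(f"{family}: {len(items)} item(s)")
    print('restore-point warnings:', result['restore_point_warnings'])
    print('unreadable alternate data streams:', result['ads_streams'])
    print('disguised executables:', result['disguised_executables'])
```

The restore-point count tells you how much of the noise is old copies in `_restore{...}`, which System Restore will hand back if someone restores to that point; the disguised-executable list is worth acting on regardless of what the signature scanner says about each file.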

Unread postby amateur » March 23rd, 2006, 5:35 pm

Hello steve67474 ,

Thanks for the logs. :) Well done. So far not so good, but excellent. We managed to get a lot of things cleaned out. :D
BFU.exe when going to http://metallica.geekstogo.com/alcanshorty.bfu got "cannot find server". I tried on my system at home and same message, so server was down so couldn't run it. Did run it next day and it was OK but out of sequence from list as this was last action now.

No problem. That was a kind of backup anyway.

Had to check the "Do not sweep Restore folder" it then ran through and I was able to clean the infections.

Good move.

==================================

I cannot see any antivirus or firewall running even though I see a folder belonging to Kaspersky 5.0 in the Spysweeper report. It may have been used once as a stand-alone scanner. Please remove it from Add/Remove Programs, if there, and delete the associated folder, as it seems to contain some infected data. It's probably saved in Program Files.

C:\Program Files\Kaspersky anti-virus personal

I would suggest that you install an antivirus and a firewall immediately. Below are some good and free alternatives. Please make sure that only one antivirus and one firewall are installed, because more doesn't mean better in this case. They would conflict with each other and render the computer vulnerable.

Antivirus:

AVG Free here
AntiVir here
Avast here

Firewall:

ZoneAlarm here
Sygate here
Kerio Personal Firewall here
Outpost here
Important: (Windows XP only) If you install a firewall, be sure to turn off the WinXP-firewall! (ZoneAlarm does that automatically)

=================================

Also, please run Panda's ActiveScan from here and perform a full system scan.
- Once you are on the Panda site click the "Scan your PC" button
- A new window will open...click the big "Check Now" button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It will take a couple minutes)
- Click on "Local Disks" to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
- Post Panda scan results and a fresh HijackThis log in your next reply please.
amateur
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

antivirus

Unread postby steve67474 » March 23rd, 2006, 7:44 pm

OK, will get this done tomorrow evening. There is no firewall other than Windows Firewall but there is Kaspersky antivirus. I installed this a few days ago to try to fix this problem. It is the same as I am running on my home system; however, it did not autostart when the system boots up so I have added it to the startup folder now. Are we saying Kaspersky is corrupt? Would a remove and fresh install be OK, as I do like Kaspersky. I also have ZoneAlarm which I will install. Once again thanks amateur
steve67474
Regular Member
 
Posts: 30
Joined: December 26th, 2005, 7:42 am

Unread postby amateur » March 23rd, 2006, 8:03 pm

I can only see it in the services, not in the running processes. It should be running in the background. You could try uninstalling/reinstalling and we should see it in the HijackThis log.

Edit: Let's see the next HijackThis log. If you've set it to autostart then it may be alright.

Just delete this folder then:

C:\Program Files\kaspersky anti-virus personal\5.0\reports. If it doesn't allow it, then delete the contents of it.
amateur
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA

logs

Unread postby steve67474 » March 25th, 2006, 11:19 am

Hi amateur, first I did not find the Kaspersky reports that you wanted me to delete... C:\Program Files\kaspersky anti-virus personal\5.0\reports. I set the folder options to show all hidden and show system folders but could not see past the \kaspersky anti-virus personal\ folder. There was no 5.0 so saw no reports to delete. OK, having said that I ran the scan and HijackThis again and here are the results.... Oh! Didn't load a firewall as of yet as forgot to take ZoneAlarm with me but will do it next week......

This was the Panda scan log.


Incident Status Location

Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Andre\Application Data\Mozilla\Firefox\Profiles\pc39l01n.default\cookies.txt[]
Spyware:Cookie/WebtrendsLive Not disinfected C:\Documents and Settings\Andre\Application Data\Mozilla\Firefox\Profiles\pc39l01n.default\cookies.txt[dcs2omr9fpifwznrgv67zf9ub_7p8i]
Spyware:Cookie/Xmts Not disinfected C:\Documents and Settings\Andre\Cookies\andre@xmts[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Robert\Application Data\Mozilla\Firefox\Profiles\gozw924h.default\cookies.txt[]
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Robert\Local Settings\Temporary Internet Files\Ssk.log
Virus:Trj/Downloader.HFV Disinfected C:\WINDOWS\system32\OLDF.tmp
Adware:adware/dollarrevenue Not disinfected C:\WINDOWS\teller2.chk


This was the HJT log.

Logfile of HijackThis v1.99.1
Scan saved at 19:30:27, on 24/03/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Ahead\Nero BackItUp\NBJ.exe
C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe
C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\WINDOWS\System32\svchost.exe
C:\Hyjackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - blank (file missing)
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [PowerBar] "C:\Program Files\CyberLink DVD Solution\Multimedia Launcher\PowerBar.exe" /AtBootTime
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - Startup: Shortcut to kav.lnk = C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: DSLMON.lnk = C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan ... asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE97A420-5821-4027-A895-C25E13EDA91C}: NameServer = 80.225.252.178 80.225.252.186
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
steve67474
Regular Member
 
Posts: 30
Joined: December 26th, 2005, 7:42 am
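A first pass over a HijackThis log like the one above, as an added example (not code from the thread, from the poster or from the HijackThis project). It picks out the entries a helper would look at first: anything marked "(file missing)" is an orphaned registry reference, O17 NameServer addresses are checked against the resolvers the ISP is known to hand out (the two addresses in this log are whatever that line shows; the allowlist is yours to supply), O16 ActiveX download URLs are checked against a trusted-host list, and every O20 Winlogon Notify entry is surfaced because such DLLs load into winlogon.exe. The sample is a constructed excerpt of the log above; the entry format regex, the `expected_dns` and `trusted_dpf_hosts` parameters and the rule set are my assumptions, not HijackThis behaviour.

```python
import re
from urllib.parse import urlparse

# Constructed excerpt of the HijackThis log posted above (same line format).
SAMPLE_HJT = r"""
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - blank (file missing)
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EE97A420-5821-4027-A895-C25E13EDA91C}: NameServer = 80.225.252.178 80.225.252.186
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""

# Assumed entry format: "<section code> - <body>".
ENTRY_RE = re.compile(r'^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$')
IPV4_RE = re.compile(r'\b\d{1,3}(?:\.\d{1,3}){3}\b')
URL_RE = re.compile(r'https?://\S+')


def analyze(hjt_text, expected_dns=(), trusted_dpf_hosts=()):
    """Return one finding per entry that deserves a look.

    expected_dns: resolver addresses the ISP is known to assign (assumed input).
    trusted_dpf_hosts: hosts from which O16 ActiveX downloads are acceptable.
    """
    expected_dns = set(expected_dns)
    trusted = {h.lower() for h in trusted_dpf_hosts}
    findings = []
    for raw in hjt_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        code, body = m['code'], m['body']
        reasons = []
        if '(file missing)' in body:
            reasons.append('referenced file is missing: orphaned entry')
        if code == 'O17':
            # A changed resolver is how a DNS hijack redirects every lookup.
            for ip in IPV4_RE.findall(body):
                if ip not in expected_dns:
                    reasons.append(f'NameServer {ip} is not an expected resolver')
        if code == 'O16':
            u = URL_RE.search(body)
            host = urlparse(u.group(0)).hostname if u else None
            if host and host.lower() not in trusted:
                reasons.append(f'ActiveX control fetched from unvetted host {host}')
        if code == 'O20':
            reasons.append('Winlogon Notify DLL is loaded into winlogon.exe; verify it')
        if reasons:
            findings.append({'code': code, 'entry': body, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for f in analyze(SAMPLE_HJT, trusted_dpf_hosts={'spaces.msn.com'}):
        print(f"{f['code']}: {f['entry']}")
        for r in f['reasons']:
            print('   -', r)
```

Run it once with the ISP's resolvers and the hosts you trust, and the only lines left are the ones that need a human decision; the rest of the log is normal software.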

Unread postby amateur » March 25th, 2006, 12:06 pm

Hi steve67474,

Thanks for the logs. We are getting there, but still some work to do:

I set the folder options to show all hidden and show system folders but could not see past the \kaspersky anti-virus personal\ folder . there was no 5.0 so saw no reports to delete

We'll check that out later.

=======================

We'll need to disable Ewidoguard and Spysweeper so that they will not interfere with the fix. If your antivirus or other security tools warn you about a change in the registry during the HJT fix, you'll need to allow it. Once the fix is complete you can re-enable them.

Ewido:

From the system tray:
1. Right-click the system tray icon
2. Uncheck real time protection.
or
From within Ewido:
1. Under 'Your security status',
2. Deactivate it by clicking 'real time protection' until the status says 'inactive'.

SpySweeper:

• Open Spysweeper and click on Options > Program Options.
• Uncheck "load at windows startup".
• On the left click "shields" and then uncheck everything there.
• Uncheck "home page shield".
• Uncheck "automatically restore default without notification".
• Exit the program.

=======================

  • Close all open Explorer windows and browsers
  • Run HijackThis
  • Click on the Scan button and when complete
  • Put a check beside all of the items listed below
  • Click on the "Fix Checked" button

O3 - Toolbar: Toolbar888 - {77FBF9B8-1D37-4FF2-9CED-192D8E3ABA6F} - blank (file missing)

Please go back to the main page in HijackThis and click on the Open Misc Tools section button. Now click on Delete a file on reboot.
Click once on the file below to select it:

Documents and Settings\Robert\Local Settings\Temporary Internet Files\Ssk.log
do the same for this one:
C:\WINDOWS\teller2.chk
and this one:
C:\WINDOWS\system32\OLDF.tmp

Click on the Back button to exit Process Manager
You will be asked if you want to restart. Click Yes.

=======================

Spysweeper has updated again. Please update Spysweeper first and run it again.
The malicious files may have already been deleted but let's make sure. It would be a good idea to use the ATF cleaner prior to scanning to clean the temp files, temp internet files, old prefetch files and the cookies to reduce the scanning time.

=======================

Scan with Panda again.

=======================

Please post a new HijackThis log, SpySweeper log and the Panda results.
amateur
MRU Master
 
Posts: 2545
Joined: September 25th, 2005, 1:13 pm
Location: RI, USA
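The "Delete a file on reboot" step above works by asking Windows to defer the delete until the next boot. The standard mechanism for that is MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which records the request in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and the session manager carries the queued operations out before the files are in use again. The page does not say which API HijackThis calls, so treating its feature as this mechanism is my assumption. As an added example (not HijackThis code), here is a parser for that value, which lets you confirm what is queued before you reboot and, just as usefully, spot entries you did not queue, since anything running with the right privileges can add to the same list. The sample value is constructed; only the two file names come from the post above.

```python
# Constructed sample of the REG_MULTI_SZ value after two delete-on-reboot
# requests and one replace: entries are (source, destination) pairs, an empty
# destination means "delete", a destination starting with '!' means "replace
# the existing file", and paths carry the NT \??\ prefix.
SAMPLE_VALUE = [
    r'\??\C:\WINDOWS\teller2.chk', '',
    r'\??\C:\WINDOWS\system32\OLDF.tmp', '',
    r'\??\C:\WINDOWS\system32\new.dll', r'!\??\C:\WINDOWS\system32\old.dll',
]

NT_PREFIX = '\\??\\'


def strip_nt_prefix(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_operations(multi_sz):
    """Turn the raw string list into (action, source, destination) tuples."""
    items = list(multi_sz)
    if len(items) % 2:
        raise ValueError('value must hold source/destination pairs')
    ops = []
    for src, dst in zip(items[0::2], items[1::2]):
        replace = dst.startswith('!')
        dst_clean = strip_nt_prefix(dst[1:] if replace else dst)
        src_clean = strip_nt_prefix(src)
        if not dst_clean:
            ops.append(('delete', src_clean, None))
        else:
            ops.append(('replace' if replace else 'rename', src_clean, dst_clean))
    return ops


def read_pending_operations():
    """Read the live value on Windows; returns [] when nothing is queued."""
    import winreg  # only available on Windows
    key_path = r'SYSTEM\CurrentControlSet\Control\Session Manager'
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        try:
            value, _ = winreg.QueryValueEx(key, 'PendingFileRenameOperations')
        except FileNotFoundError:
            return []
    return parse_pending_operations(value)


if __name__ == '__main__':
    for action, src, dst in parse_pending_operations(SAMPLE_VALUE):
        print(action, src, '->' if dst else '', dst or '')
```

On the machine being cleaned, call `read_pending_operations()` after queueing the three files and before restarting: the three deletes should be listed, and any rename or replace you did not ask for is worth a look before it is carried out at boot.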