HJT log (wangyou)


Post by mattandi » August 16th, 2006, 7:52 pm

This is a church PC. A traveling missionary installed a Chinese language translator. Now get numerous pop-ups while using IE. Pop-ups are somehow related to wangyou.com. No virus apparent. Have run Spybot and AdAware. Here is the log. Thanks.

Logfile of HijackThis v1.99.1
Scan saved at 7:43:49 PM, on 8/16/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PROMon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\SCANJET\PrecisionScanLT\hppwrsav.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Support\hijackthis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://client.jogo.cn/cdn/browser/sides ... ch-en.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://client.jogo.cn/cdn/browser/custo ... ch-en.html
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\nleee.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: FltSetUp Class - {1D49D58D-5C84-4B50-8359-D9809BEB2B32} - C:\Program Files\Internet Explorer\Connection Wizard\icwuti1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O2 - BHO: ActiveBHO Class - {63C55A7F-6E29-8D4F-5C76-4F850F28D13A} - C:\Progra~1\DoDoorRSSFinder\ActiveBandObject.dll
O2 - BHO: StqZxlei Class - {841B5A25-6B1F-B956-B85F-4EE02D2FD7F2} - C:\WINDOWS\DOWNLO~1\czsxdrm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D424FE4E-CAF9-4fdd-BC5F-E6E6B91D53BF} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Bittorrent] C:\WINDOWS\bittorrent.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKLM\..\Run: [renewup] C:\Program Files\CNNIC\Cdn\cdnrenew.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: Access Internet Keyword - C:\Program Files\CNNIC\Cdn\cnnic.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [CDNCLIENT] Chinese Navigation
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/1706ea21e2f ... xIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3938095187
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O18 - Filter: text/html - {E7009873-0D40-45B1-8D59-5B9AE98C7D38} - C:\Program Files\Internet Explorer\Connection Wizard\icwuti1.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Windows Desktop Multimedia (ntkrnl) - Unknown owner - ntkrnl.exe (file missing)
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Post by bamajim » August 17th, 2006, 8:16 pm

mattandi

Hello and welcome to MRU :)

I am currently looking at your log and will have a reply soon

thanks bamajim

Post by bamajim » August 18th, 2006, 8:41 am

mattandi

First
Please disable your Symantec Script Blocking from within your Norton so it does not interfere with anything during our fixes now or later. You can enable this whenever we have verified that your system is clean.
To disable Norton AntiVirus Script Blocking:
    1. Start Norton AntiVirus.
    If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
    2. Click Options.
    If you see a menu, click Norton AntiVirus.
    3. In the left pane, click Script Blocking.
    4. In the right pane, uncheck Enable Script Blocking (recommended).
    5. Click OK.
Next, re-run HijackThis
    At the Main window select "Open the misc tool section"
    Then select "Open uninstall manager"
    Then "save list" and save it to your desktop


Copy and paste that list as a reply to this thread

thanks bamajim

Post by mattandi » August 21st, 2006, 4:11 pm

Thanks bamajim

Here's the uninstall list

Ad-Aware SE Personal
Adobe Download Manager 1.2 (Remove Only)
Adobe Photoshop Album 2.0 Starter Edition
Adobe Photoshop Elements 2.0
Adobe Reader 6.0.1
ccCommon
Chinese Navigation2.3.0.19
ClickArt® Christian Deluxe
Color Network ScanGear Ver.1.1
Easy CD Creator 5 Basic
Gateway Drivers and Applications Recovery
Gateway IE Customizations
Google Desktop Search
Google Toolbar for Internet Explorer
HijackThis 1.99.1
Hotfix for Windows XP (KB896344)
HP PrecisionScan LT Software
Intel(R) Extreme Graphics Driver
Intel(R) PRO Network Connections Drivers
Intel(R) PROSet II
Internet Worm Protection
iTunes
Java 2 Runtime Environment, SE v1.4.2
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Metafile Companion 1.10
Microsoft Data Access Components KB870669
Microsoft Office XP Professional
Microsoft Publisher 2002
Mozilla Firefox (1.5)
Norton AntiVirus 2005
Norton AntiVirus 2005 (Symantec Corporation)
Norton AntiVirus Help
Norton AntiVirus Parent MSI
Norton AntiVirus SYMLT MSI
Norton WMI Update
Norton WMI Update
QuickTime
RealPlayer
Rhapsody Player Engine
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
SPBBC
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
Symantec
Symantec Script Blocking Installer
SymNet
TntMPD
Tweak UI
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Windows Defender
Windows Defender Signatures
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2



Sorry for the delay. I do not have access to this machine regularly. It might take a day or two, but I will get to it.

Post by mattandi » August 28th, 2006, 3:45 pm

bump

I know you are busy, but I meant I might be able to get to this about every 2-3 days. Thanks

Post by bamajim » August 28th, 2006, 4:45 pm

Mattandi

I apologize for the delay in responding; somehow I didn't see that you had replied. Again, I'm sorry.

edit: Apologies for the delay. We will have a fix for you shortly - agrarianmonk

Post by mattandi » August 28th, 2006, 5:01 pm

No worries :)

Look forward to hearing from you soon.

Post by bamajim » August 28th, 2006, 9:58 pm

Mattandi

You may want to print out these instructions for reference

First, we need to temporarily disable the Real-time Protection in Windows Defender, as it may interfere with the HijackThis fixes we make.
  • Open Windows Defender
  • Click Tools => Options
  • Scroll down and uncheck Use real-time protection (recommended).
  • Click Save
  • Close Windows Defender
After all of the fixes are complete it is very important that you enable Real-time Protection again.

Next, we need to make sure we can see hidden files and folders
    Click Start.
    Click My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab.
    Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Uncheck the Hide file extensions for known file types.
    Click OK.
Next, go here and download Ewido Antimalware 4.0
(30 day free trial version). Save it to your Desktop
Double click Ewido-setup
(It will create its own folder)
Once the program starts you will be at the Status menu
    Under "Your computer's Security"
    Click change status on Resident shield to inactive
    Click Update now (next to last update)
    After the update loads
    Under Automatic updates uncheck download and install updates automatically (recommended)
    (you can always select manual updates the next day)
At the top toolbar click Scanner, then the Settings tab
    Under How to act? set Default action for detected malware to Quarantine
    Under How to scan all boxes should be checked
    Under Possibly unwanted software all boxes should be checked
    Under Reports select Automatically generate report after every scan
    Uncheck Only if threats were found
    Under What to scan, Scan every file should be highlighted
Exit Ewido (Do not run it yet)

Next, go to Add/Remove Programs (Click Start ->> Control Panel ->> Add/Remove Programs)
And uninstall the following program
    Chinese Navigation2.3.0.19
Close Add/Remove Programs

Next, copy and paste the following into Notepad (not WordPad),
making sure there is no space between the top of the window and the first line
    sc stop ntkrnl
    sc del ntkrnl
Click File ->> Save as ->>type in Svc.bat
    Under "Save as file type" Select "all files"
    Save it to your Desktop
    The Svc.bat file should now appear on your Desktop
    Double click that file (It will seem that nothing has happened, but that's O.K.)

Next, re-run HijackThis and place checks beside the following entries
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://client.jogo.cn/cdn/browser/sides ... ch-en.html
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://client.jogo.cn/cdn/browser/custo ... ch-en.html
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\nleee.exe
    O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
    O2 - BHO: ActiveBHO Class - {63C55A7F-6E29-8D4F-5C76-4F850F28D13A} - C:\Progra~1\DoDoorRSSFinder\ActiveBandObject.dll
    O2 - BHO: StqZxlei Class - {841B5A25-6B1F-B956-B85F-4EE02D2FD7F2} - C:\WINDOWS\DOWNLO~1\czsxdrm.dll
    O2 - BHO: (no name) - {D424FE4E-CAF9-4fdd-BC5F-E6E6B91D53BF} - (no file)
    O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
    O4 - HKLM\..\Run: [renewup] C:\Program Files\CNNIC\Cdn\cdnrenew.exe
    O8 - Extra context menu item: Access Internet Keyword - C:\Program Files\CNNIC\Cdn\cnnic.htm
    O11 - Options group: [CDNCLIENT] Chinese Navigation
    O23 - Service: Windows Desktop Multimedia (ntkrnl) - Unknown owner - ntkrnl.exe (file missing)
Close all other open windows except Hijackthis and Select "Fix checked"

Next, using Windows Explorer

    (Right click on "Start," select "Explore," and you will see the "tree' of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents)
Locate and Delete the following Folders
    C:\Program Files\CNNIC
    C:\Progra~1\DoDoorRSSFinder
Locate and Delete the following files (If found)
    C:\WINDOWS\DOWNLO~1\czsxdrm.dll
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\nleee.exe
    C:\WINDOWS\System32\ntkrnl.exe
Reboot your PC into Safe Mode
This can be done by
    Restart your PC, and after it starts, but before you see the Windows Splash screen
    Begin tapping the F8 key twice a second until you reach another menu screen (black background with white menu choices)
    Use your arrow keys and select Safe Mode and then Enter
Run Ewido
    Click scanner
    Select Complete system scan
Once the scan finishes
    Select Apply all actions (The items found will be quarantined)
    Click save report as (Another window will open)
    Save it to your desktop
    (By default It will be saved in the Ewido folder as)
    C:\Program Files\ewido anti-spyware 4.0\Reports
Exit Ewido

Reboot your PC in Normal Mode

    Double click the report-scan.txt you saved to your desktop
    It will open in Notepad
    Copy and paste that report as a reply to this thread
Do not run any other options until instructed to do so

Finally, re-run HijackThis and post a fresh HijackThis log

Your reply should include
    your report_scan.txt from Ewido
    a fresh Hijackthis log

thanks bamajim
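To show how a defender reads a log like mattandi's, here is a small triage script (an added example, not code from the thread, from bamajim, or from HijackThis itself). It parses the R0/R1, F2, O2 and O23 entry types from the log above and flags the same sorts of entries bamajim ticks for "Fix checked": a UserInit value that starts anything besides userinit.exe, BHOs whose DLL is gone or loads from an odd folder, search values pointing at an unexpected host, and services with no publisher or no binary on disk. The trusted-host set and the folder heuristic are constructed assumptions, and the embedded sample is a handful of lines taken from the posted log.

```python
"""Triage helper for HijackThis 1.99-style log lines (added example).

Flags the kinds of entries a helper would tick: rogue UserInit programs,
orphaned or oddly placed BHOs, hijacked search/start pages, and services
with no publisher or no file. Allow-list and folder heuristic are assumed.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample: lines lifted from the log posted in the thread.
SAMPLE_LOG = r"""R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://client.jogo.cn/cdn/browser/sides ... ch-en.html
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\nleee.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: StqZxlei Class - {841B5A25-6B1F-B956-B85F-4EE02D2FD7F2} - C:\WINDOWS\DOWNLO~1\czsxdrm.dll
O2 - BHO: (no name) - {D424FE4E-CAF9-4fdd-BC5F-E6E6B91D53BF} - (no file)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Windows Desktop Multimedia (ntkrnl) - Unknown owner - ntkrnl.exe (file missing)
"""

# Assumed allow-list: the OEM page this Gateway machine shipped with is expected.
TRUSTED_HOSTS = {"www.gatewaybiz.com", "www.microsoft.com", "search.msn.com"}
# Assumed heuristic: folders a legitimate BHO would not normally load from.
SUSPICIOUS_DIRS = ("\\downlo~1\\", "\\downloaded program files\\", "\\temp\\")

ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|O\d+) - (.*)$")


@dataclass
class Finding:
    kind: str    # HijackThis entry prefix, e.g. "O23"
    line: str    # the original log line
    reason: str  # why a defender should look at it


def check_page(body):
    """R0/R1: IE start and search values; flag hosts outside the allow-list."""
    m = re.match(r"HK(?:LM|CU)\\Software\\Microsoft\\Internet Explorer\\\w+,(\w+) = (.*)$", body)
    if not m:
        return None
    name, value = m.groups()
    host = urlparse(value.strip()).netloc.lower()
    return f"{name} redirected to {host}" if host and host not in TRUSTED_HOSTS else None


def check_userinit(body):
    """F2: UserInit should start only userinit.exe; anything extra is a persistence hook."""
    m = re.match(r"REG:system\.ini: UserInit=(.*)$", body)
    if not m:
        return None
    exes = [p.strip() for p in m.group(1).split(",") if p.strip()]
    extra = [e for e in exes if not e.lower().endswith("\\userinit.exe")]
    return "UserInit also starts: " + ", ".join(extra) if extra else None


def check_bho(body):
    """O2: orphaned CLSIDs and DLLs living in unusual folders."""
    m = re.match(r"BHO: (.*?) - \{[0-9A-Fa-f-]{36}\} - (.*)$", body)
    if not m:
        return None
    name, path = m.groups()
    low = path.lower()
    if low == "(no file)" or low.endswith("(file missing)"):
        return f"BHO '{name}' is registered but its DLL is gone"
    if any(d in low for d in SUSPICIOUS_DIRS):
        return f"BHO '{name}' loads from an unusual folder: {path}"
    return None


def check_service(body):
    """O23: services with no publisher and/or no binary on disk."""
    m = re.match(r"Service: (.*?)(?: \((\S+)\))? - (.*?) - (.*)$", body)
    if not m:
        return None
    display, key, owner, path = m.groups()
    problems = []
    if owner.lower() == "unknown owner":
        problems.append("no publisher")
    if "(file missing)" in path.lower():
        problems.append("binary missing")
    return f"service '{display}' ({key or '?'}): " + ", ".join(problems) if problems else None


CHECKS = {"R0": check_page, "R1": check_page, "F2": check_userinit,
          "O2": check_bho, "O23": check_service}


def triage(log_text):
    """Return a Finding for every flagged line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        parsed = ENTRY_RE.match(raw.strip())
        if not parsed:
            continue
        kind, body = parsed.groups()
        check = CHECKS.get(kind)
        reason = check(body) if check else None
        if reason:
            findings.append(Finding(kind, raw.strip(), reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}")
```

Entries the script does not flag (the Adobe BHO, the Norton service, the OEM start page) are the ones bamajim also left alone; the five it does flag are all on his fix list.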

Post by mattandi » August 30th, 2006, 7:50 pm

Hi

Need your advice on how/if to continue.

The first bit of instructions no problem.

Add/Remove programs returned an Uninstaller Error stating the program could not be uninstalled. This reminded me that the guy who installed the thing told me that he didn't think that it had an uninstaller. Sorry I forgot to mention that earlier.

The batch file returned this message:

C:\Documents and Settings\Prophet's Reward\Desktop>sc stop ntkrnl
[SC] ControlService FAILED 1062:

The service has not been started.


C:\Documents and Settings\Prophet's Reward\Desktop>sc del ntkrnl
*** Unrecognized Command ***
DESCRIPTION:
SC is a command line program used for communicating with the
NT Service Controller and services.
USAGE:
sc <server> [command] [service name] <option1> <option2>...

The option <server> has the form "\\ServerName"
Further help on commands can be obtained by typing: "sc [command]"
Commands:
query-----------Queries the status for a service, or
enumerates the status for types of services.
queryex---------Queries the extended status for a service, or
enumerates the status for types of services.
start-----------Starts a service.
pause-----------Sends a PAUSE control request to a service.
interrogate-----Sends an INTERROGATE control request to a service.
continue--------Sends a CONTINUE control request to a service.
stop------------Sends a STOP request to a service.
config----------Changes the configuration of a service (persistant).
description-----Changes the description of a service.
failure---------Changes the actions taken by a service upon failure.
qc--------------Queries the configuration information for a service.
qdescription----Queries the description for a service.
qfailure--------Queries the actions taken by a service upon failure.
delete----------Deletes a service (from the registry).
create----------Creates a service. (adds it to the registry).
control---------Sends a control to a service.
sdshow----------Displays a service's security descriptor.
sdset-----------Sets a service's security descriptor.
GetDisplayName--Gets the DisplayName for a service.
GetKeyName------Gets the ServiceKeyName for a service.
EnumDepend------Enumerates Service Dependencies.

The following commands don't require a service name:
sc <server> <command> <option>
boot------------(ok | bad) Indicates whether the last boot should
be saved as the last-known-good boot configuration
Lock------------Locks the Service Database
QueryLock-------Queries the LockStatus for the SCManager Database
EXAMPLE:
sc start MyService

Would you like to see help for the QUERY and QUERYEX commands? [ y | n ]:

I stopped here. Should I continue with the fix, or would there be something else I should do?

Thanks.

Post by bamajim » August 30th, 2006, 9:27 pm

mattandi

Add/Remove programs returned an Uninstaller Error stating the program could not be uninstalled. This reminded me that the guy who installed the thing told me that he didn't think that it had an uninstaller. Sorry I forgot to mention that earlier.


We will take care of it another way. Please continue with the rest of the fix and report with any other items you had problems with

thanks bamajim

Post by mattandi » September 11th, 2006, 11:19 am

Just to check in. I have not been able to get back to this machine for a while. I'll be able to work on this some more the evening of Wed. Sept. 13. Will post back after.

Post by bamajim » September 11th, 2006, 11:26 pm

mattandi

Looking forward to it :)

bamajim

Post by mattandi » September 20th, 2006, 8:22 pm

Here you go. Sorry for the delay.

Could not delete (reasons)
C:\Program Files\CNNIC (cdnspie.dll in use)
C:\Progra~1\DoDoorRSSFinder (ActiveBandObject.dll access denied)

Did not find
C:\WINDOWS\DOWNLO~1\czsxdrm.dll
C:\WINDOWS\System32\ntkrnl.exe

Here's the logs

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:11:22 PM 9/20/2006

+ Scan result:



C:\Documents and Settings\Prophet's Reward\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\EE81C059-1A58-4253-9D57-E84671\9E4B7089-12FC-45B7-93D7-2C8352 -> Adware.Cdn : Cleaned with backup (quarantined).
C:\Documents and Settings\Prophet's Reward\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\EE81C059-1A58-4253-9D57-E84671\9FAAC527-34E5-4F71-9A41-C77FF4 -> Adware.Cdn : Cleaned with backup (quarantined).
C:\Documents and Settings\Prophet's Reward\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\EE81C059-1A58-4253-9D57-E84671\C7DF1DD8-A608-48F3-9D42-FDF774 -> Adware.Cdn : Cleaned with backup (quarantined).
C:\Documents and Settings\Prophet's Reward\Local Settings\Application Data\Sunbelt Software\CounterSpy\Quarantine\EE81C059-1A58-4253-9D57-E84671\FDB1AABD-B6F2-4B0C-86A7-BB0BA7 -> Adware.Cdn : Cleaned with backup (quarantined).
C:\Support\hijackthis\backups\backup-20060906-195204-398.dll -> Adware.Cdn : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temp\ewoena.exe -> Adware.IEHlpr : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temp\fpxfou.exe -> Adware.IEHlpr : Cleaned with backup (quarantined).
C:\Documents and Settings\Default User\Local Settings\Temp\lengo.exe -> Adware.IEHlpr : Cleaned with backup (quarantined).
C:\Documents and Settings\Prophet's Reward\Local Settings\Temporary Internet Files\Content.IE5\4G7Q934G\View[1].dat -> Adware.IEHlpr : Cleaned with backup (quarantined).
C:\Program Files\ClickArt\iozer.exe -> Adware.IEHlpr : Cleaned with backup (quarantined).
C:\Program Files\DoDoorRSSFinder\ActiveBandObject.dll -> Adware.IEHlpr : Cleaned with backup (quarantined).
C:\Program Files\NetMeeting\conf.dll -> Adware.IEHlpr : Cleaned with backup (quarantined).
C:\Program Files\NetMeeting\nmview.dll -> Adware.IEHlpr : Cleaned with backup (quarantined).
C:\Support\hijackthis\backups\backup-20060906-195204-131.dll -> Adware.IEHlpr : Cleaned with backup (quarantined).
C:\WINDOWS\system32\sctongji04.dll -> Adware.SeeCha : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Local Settings\Temp\mmc3.tmp -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Local Settings\Temp\mmcBD.tmp -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\01MB8XYN\p2yjj[1].htm -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\01MB8XYN\p2yjj[2].htm -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\01MB8XYN\popup[2].htm -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\A1J4D4FA\p2yjj[1].htm -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\A1J4D4FA\popup[1].htm -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\A1J4D4FA\popup[3].htm -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4GZ9HW5\p2yjj[3].htm -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4GZ9HW5\popup[1].htm -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4GZ9HW5\popup[2].htm -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\L4GZ9HW5\popup[3].htm -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\WPEBOLAV\p2yjj[1].htm -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\WPEBOLAV\p2yjj[2].htm -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\WPEBOLAV\popup[2].htm -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\Content.IE5\WPEBOLAV\popup[3].htm -> Downloader.IstBar.ai : Cleaned with backup (quarantined).
C:\Documents and Settings\Martha Knox\Cookies\martha knox@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Pastor Wally.BUTCH\Cookies\pastor wally@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\Prophet's Reward\Cookies\prophet's reward@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.50:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.51:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.52:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.53:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.54:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.85:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined).
:mozilla.86:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined).
:mozilla.76:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.77:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.78:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.79:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.70:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
C:\Documents and Settings\Martha Knox\Cookies\martha knox@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
C:\Documents and Settings\Pastor Wally.BUTCH\Cookies\pastor wally@burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\Pastor Wally.BUTCH\Cookies\pastor wally@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.33:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.34:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.35:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.36:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.38:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned with backup (quarantined).
:mozilla.89:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.74:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Pastor Wally.BUTCH\Cookies\pastor wally@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Prophet's Reward\Cookies\prophet's reward@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
:mozilla.75:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned with backup (quarantined).
C:\Documents and Settings\Martha Knox\Cookies\martha knox@ehg-legacy.hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned with backup (quarantined).
:mozilla.80:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
:mozilla.81:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned with backup (quarantined).
C:\Documents and Settings\Martha Knox\Cookies\martha knox@www.myaffiliateprogram[2].txt -> TrackingCookie.Myaffiliateprogram : Cleaned with backup (quarantined).
:mozilla.71:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.72:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
:mozilla.73:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned with backup (quarantined).
C:\Documents and Settings\Pastor Wally.BUTCH\Cookies\pastor wally@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup (quarantined).
C:\Documents and Settings\Pastor Wally.BUTCH\Cookies\pastor wally@adopt.specificclick[2].txt -> TrackingCookie.Specificclick : Cleaned with backup (quarantined).
:mozilla.57:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
:mozilla.58:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned with backup (quarantined).
C:\Documents and Settings\Martha Knox\Cookies\martha knox@anad.tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Martha Knox\Cookies\martha knox@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
C:\Documents and Settings\Pastor Wally.BUTCH\Cookies\pastor wally@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup (quarantined).
:mozilla.82:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.83:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned with backup (quarantined).
:mozilla.84:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned with backup (quarantined).
:mozilla.27:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.28:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.29:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.30:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).
:mozilla.31:C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned with backup (quarantined).


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 8:14:55 PM, on 9/20/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PROMon.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\SCANJET\PrecisionScanLT\hppwrsav.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Support\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\nleee.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: FltSetUp Class - {1D49D58D-5C84-4B50-8359-D9809BEB2B32} - C:\Program Files\Internet Explorer\Connection Wizard\icwuti1.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D424FE4E-CAF9-4fdd-BC5F-E6E6B91D53BF} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Bittorrent] C:\WINDOWS\bittorrent.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
O4 - HKLM\..\Run: [renewup] C:\Program Files\CNNIC\Cdn\cdnrenew.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [CDNCLIENT] Chinese Navigation
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/1706ea21e2f ... xIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3938095187
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O18 - Filter: text/html - {E7009873-0D40-45B1-8D59-5B9AE98C7D38} - C:\Program Files\Internet Explorer\Connection Wizard\icwuti1.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: Windows Desktop Multimedia (ntkrnl) - Unknown owner - ntkrnl.exe (file missing)
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
mattandi
Regular Member
 
Posts: 36
Joined: October 4th, 2005, 10:56 am

Unread postby bamajim » September 22nd, 2006, 2:03 pm

mattandi

Sorry for the delay in responding

First Delete the batch file we created earlier (Rt Click->>Delete)
We are going to make a new one

Next Copy and paste the following into NotePad (Not Wordpad)
    sc stop ntkrnl
    sc delete ntkrnl
Click File ->>Save as ->>type in cmd.bat
    Under "Save as type" Select "all files" ->>Save it to your Desktop
    Close Notepad
    The cmd.bat file should now appear on your Desktop

    Double Click that file (It will appear that nothing has happened, but that's o.k.)

Next Re-run Hijackthis and place checks beside the following entries
    O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
    O2 - BHO: (no name) - {D424FE4E-CAF9-4fdd-BC5F-E6E6B91D53BF} - (no file)
    O4 - HKLM\..\Run: [CdnCtr] C:\Program Files\CNNIC\Cdn\cdnup.exe
    O4 - HKLM\..\Run: [renewup] C:\Program Files\CNNIC\Cdn\cdnrenew.exe
    O11 - Options group: [CDNCLIENT] Chinese Navigation
    O18 - Filter: text/html - {E7009873-0D40-45B1-8D59-5B9AE98C7D38} - C:\Program Files\Internet Explorer\Connection Wizard\icwuti1.dll
    O23 - Service: Windows Desktop Multimedia (ntkrnl) - Unknown owner - ntkrnl.exe (file missing)
Close all other open windows except Hijackthis and Select "Fix checked"

If prompted to reboot your PC, select No and close Hijackthis

Next Using Windows Explorer
    (Right click on "Start," select "Explore," and you will see the "tree" of file folders in the left side of the window. Click on the "+" next to any folder name to expand its contents)
Locate and delete the following folder
    C:\Program Files\CNNIC
Locate and delete the following file
    C:\Program Files\Internet Explorer\Connection Wizard\icwuti1.dll
Close Windows Explorer

Reboot your PC

Next Run an online virus scan called Kaspersky from HERE.
    1. Click on "Kaspersky Online Scanner"
    2. A new smaller window will pop up. After reading the contents, press on "Accept".
    3. Now Kaspersky will update the anti-virus database. Let it run.
    4. Click on "Next"->>"Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
    5. Then click on "My Computer". And the scan will start.
    6. Once finished, save a log as ".txt" to the desktop.

Copy and post the results of the Kaspersky Online scan

Finally Rerun Hijackthis and post a fresh Hijackthis log

Your reply should include
    the results from Kaspersky online scan
    A fresh Hijackthis log

Thanks bamajim
bamajim
Visiting Staff
 
Posts: 1138
Joined: February 3rd, 2006, 11:09 am
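As an added example (not from the thread, and not part of HijackThis), here is a small Python triage script that applies the same checks bamajim made by hand above, plus one general heuristic the post does not spell out (a UserInit value that launches anything besides userinit.exe), to a few lines copied from the log:

```python
"""Triage helper for HijackThis-style log lines (added example).

It flags the kinds of entries a log reviewer looks at first:
  * entries whose backing file is gone: "(file missing)" or "(no file)"
  * O23 services reported with an "Unknown owner"
  * an F2 UserInit value that starts more than the stock userinit.exe
The sample lines below are copied from the log posted in the thread.
"""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines taken from the log quoted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\nleee.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CdnForIE Class - {5C3853CF-C7E0-4946-B3FA-1ABDB6F48108} - C:\PROGRA~1\CNNIC\Cdn\cdnforie.dll (file missing)
O2 - BHO: (no name) - {D424FE4E-CAF9-4fdd-BC5F-E6E6B91D53BF} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Windows Desktop Multimedia (ntkrnl) - Unknown owner - ntkrnl.exe (file missing)
"""

# Every HijackThis entry starts with a section tag such as O2, O23, F2, R0.
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
MISSING_MARKERS = ("(file missing)", "(no file)")


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse_entries(text):
    """Yield (section, body, full_line) for each entry line; skip headers and process lists."""
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def userinit_programs(body):
    """Return the executables named in an F2 UserInit value (comma separated)."""
    _, _, value = body.partition("UserInit=")
    return [p.strip() for p in value.split(",") if p.strip()]


def triage(text):
    """Return a Finding for every entry that merits manual review, in log order."""
    findings = []
    for section, body, line in parse_entries(text):
        reasons = []
        if any(marker in body for marker in MISSING_MARKERS):
            reasons.append("backing file missing")
        if section == "O23" and "Unknown owner" in body:
            reasons.append("service with unknown owner")
        if section == "F2" and "UserInit=" in body:
            # Windows normally lists only userinit.exe here; anything else is worth a look.
            extra = [p for p in userinit_programs(body)
                     if not p.lower().endswith("\\userinit.exe")]
            if extra:
                reasons.append("UserInit launches extra program(s): " + ", ".join(extra))
        if reasons:
            findings.append(Finding(section, "; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```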

Unread postby mattandi » October 4th, 2006, 9:23 pm

Could not find
O23 - Service: Windows Desktop Multimedia (ntkrnl) - Unknown owner - ntkrnl.exe (file missing)

Could not find
C:\Program Files\CNNIC

Here are the reports

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, October 04, 2006 9:16:20 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 5/10/2006
Kaspersky Anti-Virus database records: 228878
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\

Scan Statistics:
Total number of scanned objects: 108557
Number of viruses found: 18
Number of infected objects: 78 / 0
Number of suspicious objects: 38
Duration of the scan process: 01:19:52

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From jhight@rdmail.rural.usda.gov][Date Fri, 26 Mar 2004 11:41:57 -0500]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From jhight@rdmail.rural.usda.gov][Date Fri, 26 Mar 2004 11:41:57 -0500]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From jhight@rdmail.rural.usda.gov][Date Fri, 26 Mar 2004 11:41:57 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From wjwashington@msn.com][Date Wed, 07 Apr 2004 13:54:36 -0400]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From wjwashington@msn.com][Date Wed, 07 Apr 2004 13:54:36 -0400]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From wjwashington@msn.com][Date Wed, 07 Apr 2004 13:54:36 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From janslowp@hotmail.com][Date Tue, 13 Apr 2004 12:12:20 -0400]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From janslowp@hotmail.com][Date Tue, 13 Apr 2004 12:12:20 -0400]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From janslowp@hotmail.com][Date Tue, 13 Apr 2004 12:12:20 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From wjwashington@msn.com][Date Wed, 07 Apr 2004 13:54:36 -0400]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From wjwashington@msn.com][Date Wed, 07 Apr 2004 13:54:36 -0400]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From wjwashington@msn.com][Date Wed, 07 Apr 2004 13:54:36 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From janslowp@hotmail.com][Date Tue, 13 Apr 2004 12:12:20 -0400]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From janslowp@hotmail.com][Date Tue, 13 Apr 2004 12:12:20 -0400]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From janslowp@hotmail.com][Date Tue, 13 Apr 2004 12:12:20 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From eBay <aw-confirm@eBay.com>][Date Sat, 02 Apr 2005 18:14:44 -0500]/html Infected: Trojan-Spy.HTML.Bayfraud.co skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From lmwenger@hotmail.com][Date Thu, 22 Apr 2004 13:59:26 -0400]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From lmwenger@hotmail.com][Date Thu, 22 Apr 2004 13:59:26 -0400]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From lmwenger@hotmail.com][Date Thu, 22 Apr 2004 13:59:26 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From asteger@ncswim.org][Date Fri, 30 Apr 2004 12:50:00 -0400]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From asteger@ncswim.org][Date Fri, 30 Apr 2004 12:50:00 -0400]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From asteger@ncswim.org][Date Fri, 30 Apr 2004 12:50:00 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From dlogan@clintongroup.com][Date Mon, 03 May 2004 13:08:28 -0400]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From dlogan@clintongroup.com][Date Mon, 03 May 2004 13:08:28 -0400]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From dlogan@clintongroup.com][Date Mon, 03 May 2004 13:08:28 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From eBay Inc <support_refnum_643082@ebay.com>][Date Thu, 17 Nov 2005 07:20:24 +0600]/UNNAMED/html Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From eBay Inc <support_refnum_643082@ebay.com>][Date Thu, 17 Nov 2005 07:20:24 +0600]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.hn skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From Pastorwally <pastorwally@stpaulsokc.com>][Date Tue, 20 Dec 2005 15:26:26 +0100]/UNNAMED/Harrye.zip/S3700026.exe Infected: Email-Worm.Win32.Bagle.fb skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From Pastorwally <pastorwally@stpaulsokc.com>][Date Tue, 20 Dec 2005 15:26:26 +0100]/UNNAMED/Harrye.zip Infected: Email-Worm.Win32.Bagle.fb skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From Pastorwally <pastorwally@stpaulsokc.com>][Date Tue, 20 Dec 2005 15:26:26 +0100]/UNNAMED Infected: Email-Worm.Win32.Bagle.fb skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From Comerica Bank <aw-confirm@comerica.com>][Date Mon, 20 Feb 2006 02:13:29 -0500]/UNNAMED/html Infected: Trojan-Spy.HTML.Bankfraud.ny skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From Comerica Bank <aw-confirm@comerica.com>][Date Mon, 20 Feb 2006 02:13:29 -0500]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ny skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From Comerica Bank <pw-confirm@comerica.com>][Date Mon, 20 Feb 2006 03:14:45 -0500]/UNNAMED/html Infected: Trojan-Spy.HTML.Bankfraud.ny skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx/[From Comerica Bank <pw-confirm@comerica.com>][Date Mon, 20 Feb 2006 03:14:45 -0500]/UNNAMED Infected: Trojan-Spy.HTML.Bankfraud.ny skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{00472A1D-CE6D-48DB-B2C1-340E763F99AD}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: infected - 10, suspicious - 24 skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{6089EFF9-EB0B-4DCB-B1AE-37711F9F1B4E}\Microsoft\Outlook Express\Deleted Items.dbx/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 09:20:36 -0700]/UNNAMED/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{6089EFF9-EB0B-4DCB-B1AE-37711F9F1B4E}\Microsoft\Outlook Express\Deleted Items.dbx/[From aw-confirm@ebay.com][Date Tue, 12 Apr 2005 09:20:36 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{6089EFF9-EB0B-4DCB-B1AE-37711F9F1B4E}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: infected - 2 skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{6089EFF9-EB0B-4DCB-B1AE-37711F9F1B4E}\Microsoft\Outlook Express\ebay.dbx/[From aw-confirm@ebay.com][Date Sun, 10 Apr 2005 14:42:35 -0700]/UNNAMED/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{6089EFF9-EB0B-4DCB-B1AE-37711F9F1B4E}\Microsoft\Outlook Express\ebay.dbx/[From aw-confirm@ebay.com][Date Sun, 10 Apr 2005 14:42:35 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{6089EFF9-EB0B-4DCB-B1AE-37711F9F1B4E}\Microsoft\Outlook Express\ebay.dbx/[From aw-confirm@ebay.com][Date Mon, 11 Apr 2005 08:48:20 -0700]/UNNAMED/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{6089EFF9-EB0B-4DCB-B1AE-37711F9F1B4E}\Microsoft\Outlook Express\ebay.dbx/[From aw-confirm@ebay.com][Date Mon, 11 Apr 2005 08:48:20 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{6089EFF9-EB0B-4DCB-B1AE-37711F9F1B4E}\Microsoft\Outlook Express\ebay.dbx/[From aw-confirm@ebay.com][Date Tue, 05 Apr 2005 05:26:58 -0700]/UNNAMED/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{6089EFF9-EB0B-4DCB-B1AE-37711F9F1B4E}\Microsoft\Outlook Express\ebay.dbx/[From aw-confirm@ebay.com][Date Tue, 05 Apr 2005 05:26:58 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{6089EFF9-EB0B-4DCB-B1AE-37711F9F1B4E}\Microsoft\Outlook Express\ebay.dbx/[From aw-confirm@ebay.com][Date Tue, 05 Apr 2005 07:48:08 -0700]/UNNAMED/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{6089EFF9-EB0B-4DCB-B1AE-37711F9F1B4E}\Microsoft\Outlook Express\ebay.dbx/[From aw-confirm@ebay.com][Date Tue, 05 Apr 2005 07:48:08 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{6089EFF9-EB0B-4DCB-B1AE-37711F9F1B4E}\Microsoft\Outlook Express\ebay.dbx Mail MS Outlook 5: infected - 8 skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{6089EFF9-EB0B-4DCB-B1AE-37711F9F1B4E}\Microsoft\Outlook Express\Inbox.dbx/[From aw-confirm@ebay.com][Date Thu, 14 Apr 2005 13:40:15 -0700]/UNNAMED/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{6089EFF9-EB0B-4DCB-B1AE-37711F9F1B4E}\Microsoft\Outlook Express\Inbox.dbx/[From aw-confirm@ebay.com][Date Thu, 14 Apr 2005 13:40:15 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{6089EFF9-EB0B-4DCB-B1AE-37711F9F1B4E}\Microsoft\Outlook Express\Inbox.dbx/[From aw-confirm@ebay.com][Date Thu, 14 Apr 2005 17:42:14 -0700]/UNNAMED/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{6089EFF9-EB0B-4DCB-B1AE-37711F9F1B4E}\Microsoft\Outlook Express\Inbox.dbx/[From aw-confirm@ebay.com][Date Thu, 14 Apr 2005 17:42:14 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{6089EFF9-EB0B-4DCB-B1AE-37711F9F1B4E}\Microsoft\Outlook Express\Inbox.dbx/[From aw-confirm@ebay.com][Date Fri, 15 Apr 2005 05:27:14 -0700]/UNNAMED/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{6089EFF9-EB0B-4DCB-B1AE-37711F9F1B4E}\Microsoft\Outlook Express\Inbox.dbx/[From aw-confirm@ebay.com][Date Fri, 15 Apr 2005 05:27:14 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{6089EFF9-EB0B-4DCB-B1AE-37711F9F1B4E}\Microsoft\Outlook Express\Inbox.dbx/[From aw-confirm@ebay.com][Date Mon, 25 Apr 2005 08:43:17 -0700]/UNNAMED/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{6089EFF9-EB0B-4DCB-B1AE-37711F9F1B4E}\Microsoft\Outlook Express\Inbox.dbx/[From aw-confirm@ebay.com][Date Mon, 25 Apr 2005 08:43:17 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{6089EFF9-EB0B-4DCB-B1AE-37711F9F1B4E}\Microsoft\Outlook Express\Inbox.dbx/[From aw-confirm@ebay.com][Date Fri, 15 Apr 2005 05:27:14 -0700]/UNNAMED/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{6089EFF9-EB0B-4DCB-B1AE-37711F9F1B4E}\Microsoft\Outlook Express\Inbox.dbx/[From aw-confirm@ebay.com][Date Fri, 15 Apr 2005 05:27:14 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{6089EFF9-EB0B-4DCB-B1AE-37711F9F1B4E}\Microsoft\Outlook Express\Inbox.dbx/[From aw-confirm@ebay.com][Date Mon, 25 Apr 2005 08:43:17 -0700]/UNNAMED/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{6089EFF9-EB0B-4DCB-B1AE-37711F9F1B4E}\Microsoft\Outlook Express\Inbox.dbx/[From aw-confirm@ebay.com][Date Mon, 25 Apr 2005 08:43:17 -0700]/UNNAMED Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{6089EFF9-EB0B-4DCB-B1AE-37711F9F1B4E}\Microsoft\Outlook Express\Inbox.dbx Mail MS Outlook 5: infected - 12 skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C9C2A126-0C86-4BC5-BBBB-5F8AC13766C0}\Microsoft\Outlook Express\Deleted Items.dbx/[From cbradshaw@forsyth.cc.nc.us][Date Thu, 25 Mar 2004 09:00:34 -0500]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C9C2A126-0C86-4BC5-BBBB-5F8AC13766C0}\Microsoft\Outlook Express\Deleted Items.dbx/[From cbradshaw@forsyth.cc.nc.us][Date Thu, 25 Mar 2004 09:00:34 -0500]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C9C2A126-0C86-4BC5-BBBB-5F8AC13766C0}\Microsoft\Outlook Express\Deleted Items.dbx/[From cbradshaw@forsyth.cc.nc.us][Date Thu, 25 Mar 2004 09:00:34 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C9C2A126-0C86-4BC5-BBBB-5F8AC13766C0}\Microsoft\Outlook Express\Deleted Items.dbx/[From jhight@rdmail.rural.usda.gov][Date Fri, 26 Mar 2004 11:41:57 -0500]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C9C2A126-0C86-4BC5-BBBB-5F8AC13766C0}\Microsoft\Outlook Express\Deleted Items.dbx/[From jhight@rdmail.rural.usda.gov][Date Fri, 26 Mar 2004 11:41:57 -0500]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C9C2A126-0C86-4BC5-BBBB-5F8AC13766C0}\Microsoft\Outlook Express\Deleted Items.dbx/[From jhight@rdmail.rural.usda.gov][Date Fri, 26 Mar 2004 11:41:57 -0500]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C9C2A126-0C86-4BC5-BBBB-5F8AC13766C0}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: suspicious - 6 skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C9C2A126-0C86-4BC5-BBBB-5F8AC13766C0}\Microsoft\Outlook Express\Inbox.dbx/[From wjwashington@msn.com][Date Wed, 07 Apr 2004 13:54:36 -0400]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C9C2A126-0C86-4BC5-BBBB-5F8AC13766C0}\Microsoft\Outlook Express\Inbox.dbx/[From wjwashington@msn.com][Date Wed, 07 Apr 2004 13:54:36 -0400]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C9C2A126-0C86-4BC5-BBBB-5F8AC13766C0}\Microsoft\Outlook Express\Inbox.dbx/[From wjwashington@msn.com][Date Wed, 07 Apr 2004 13:54:36 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C9C2A126-0C86-4BC5-BBBB-5F8AC13766C0}\Microsoft\Outlook Express\Inbox.dbx/[From janslowp@hotmail.com][Date Tue, 13 Apr 2004 12:12:20 -0400]/UNNAMED/UNNAMED/html Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C9C2A126-0C86-4BC5-BBBB-5F8AC13766C0}\Microsoft\Outlook Express\Inbox.dbx/[From janslowp@hotmail.com][Date Tue, 13 Apr 2004 12:12:20 -0400]/UNNAMED/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C9C2A126-0C86-4BC5-BBBB-5F8AC13766C0}\Microsoft\Outlook Express\Inbox.dbx/[From janslowp@hotmail.com][Date Tue, 13 Apr 2004 12:12:20 -0400]/UNNAMED Suspicious: Exploit.HTML.Iframe.FileDownload skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Identities\{C9C2A126-0C86-4BC5-BBBB-5F8AC13766C0}\Microsoft\Outlook Express\Inbox.dbx Mail MS Outlook 5: suspicious - 6 skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\B3DJ7TSW\wbk44.tmp Infected: Trojan-Spy.HTML.Citifraud.ae skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\CRRVEOX5\wbk18.tmp Infected: Trojan-Spy.HTML.Citifraud.ae skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D40ZHD85\wbk3F.tmp Infected: Trojan-Spy.HTML.Bayfraud.hl skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WZ5ZY2ZX\wbk3F.tmp Infected: Trojan-Spy.HTML.Bankfraud.ny skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WZ5ZY2ZX\wbk41.tmp Infected: Trojan-Spy.HTML.Bankfraud.ny skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\WZ5ZY2ZX\wbk43.tmp Infected: Trojan-Spy.HTML.Bankfraud.ny skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\WDLog-07282006-110315.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UD3D7QQM\dmplayer[1].zip/dmplayer.dll Infected: not-a-virus:AdWare.Win32.Dm.p skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\UD3D7QQM\dmplayer[1].zip ZIP: infected - 1 skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\cert8.db Object is locked skipped
C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\history.dat Object is locked skipped
C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\key3.db Object is locked skipped
C:\Documents and Settings\Prophet's Reward\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\parent.lock Object is locked skipped
C:\Documents and Settings\Prophet's Reward\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Prophet's Reward\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Prophet's Reward\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Prophet's Reward\Local Settings\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Prophet's Reward\Local Settings\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Prophet's Reward\Local Settings\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Prophet's Reward\Local Settings\Application Data\Mozilla\Firefox\Profiles\0jhj6s3j.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Prophet's Reward\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Prophet's Reward\Local Settings\Temp\176c75.msi/bdprof.cab.AE3C3951_7A91_4185_B6E7_BA9F78BFE365/regspy.sys Infected: not-a-virus:Monitor.Win32.PCAcme.61 skipped
C:\Documents and Settings\Prophet's Reward\Local Settings\Temp\176c75.msi/bdprof.cab.AE3C3951_7A91_4185_B6E7_BA9F78BFE365 Infected: not-a-virus:Monitor.Win32.PCAcme.61 skipped
C:\Documents and Settings\Prophet's Reward\Local Settings\Temp\176c75.msi Embedded: infected - 2 skipped
C:\Documents and Settings\Prophet's Reward\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Prophet's Reward\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Prophet's Reward\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Prophet's Reward\scto.exe/data0002 Infected: not-a-virus:AdWare.Win32.SeeCha.a skipped
C:\Documents and Settings\Prophet's Reward\scto.exe NSIS: infected - 1 skipped
C:\Program Files\Common Files\Softwin\Setup Information\{A4E55645-B82F-44DD-90D8-6B2B9BEA7F85}\bdantispy.msi/bdprof.cab.AE3C3951_7A91_4185_B6E7_BA9F78BFE365/regspy.sys Infected: not-a-virus:Monitor.Win32.PCAcme.61 skipped
C:\Program Files\Common Files\Softwin\Setup Information\{A4E55645-B82F-44DD-90D8-6B2B9BEA7F85}\bdantispy.msi/bdprof.cab.AE3C3951_7A91_4185_B6E7_BA9F78BFE365 Infected: not-a-virus:Monitor.Win32.PCAcme.61 skipped
C:\Program Files\Common Files\Softwin\Setup Information\{A4E55645-B82F-44DD-90D8-6B2B9BEA7F85}\bdantispy.msi Embedded: infected - 2 skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsys.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPStop.log Object is locked skipped
C:\Program Files\Common Files\System\aekheif.dat Infected: not-a-virus:AdWare.Win32.IEHlpr.o skipped
C:\Program Files\DoDoorRSSFinder\BandObjs.dll Infected: not-a-virus:AdWare.Win32.AdMedia.g skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010003.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{FA845A7B-6586-42B0-9312-3813A36F967B}\RP448\A0046539.exe Infected: Worm.Win32.RJump.c skipped
C:\System Volume Information\_restore{FA845A7B-6586-42B0-9312-3813A36F967B}\RP472\A0047782.msi/bdprof.cab.AE3C3951_7A91_4185_B6E7_BA9F78BFE365/regspy.sys Infected: not-a-virus:Monitor.Win32.PCAcme.61 skipped
C:\System Volume Information\_restore{FA845A7B-6586-42B0-9312-3813A36F967B}\RP472\A0047782.msi/bdprof.cab.AE3C3951_7A91_4185_B6E7_BA9F78BFE365 Infected: not-a-virus:Monitor.Win32.PCAcme.61 skipped
C:\System Volume Information\_restore{FA845A7B-6586-42B0-9312-3813A36F967B}\RP472\A0047782.msi Embedded: infected - 2 skipped
C:\System Volume Information\_restore{FA845A7B-6586-42B0-9312-3813A36F967B}\RP472\A0047815.EXE Infected: Worm.Win32.RJump.c skipped
C:\System Volume Information\_restore{FA845A7B-6586-42B0-9312-3813A36F967B}\RP472\A0047816.dll Infected: not-a-virus:AdWare.Win32.Dm.e skipped
C:\System Volume Information\_restore{FA845A7B-6586-42B0-9312-3813A36F967B}\RP474\A0048624.sys Infected: not-a-virus:Monitor.Win32.PCAcme.61 skipped
C:\System Volume Information\_restore{FA845A7B-6586-42B0-9312-3813A36F967B}\RP475\A0048951.exe Infected: not-a-virus:AdWare.Win32.IEHlpr.k skipped
C:\System Volume Information\_restore{FA845A7B-6586-42B0-9312-3813A36F967B}\RP479\A0051311.exe Infected: not-a-virus:AdWare.Win32.IEHlpr.k skipped
C:\System Volume Information\_restore{FA845A7B-6586-42B0-9312-3813A36F967B}\RP483\A0051382.exe Infected: not-a-virus:AdWare.Win32.IEHlpr.n skipped
C:\System Volume Information\_restore{FA845A7B-6586-42B0-9312-3813A36F967B}\RP487\A0051475.exe/bdantispy.msi/bdprof.cab.AE3C3951_7A91_4185_B6E7_BA9F78BFE365/regspy.sys Infected: not-a-virus:Monitor.Win32.PCAcme.61 skipped
C:\System Volume Information\_restore{FA845A7B-6586-42B0-9312-3813A36F967B}\RP487\A0051475.exe/bdantispy.msi/bdprof.cab.AE3C3951_7A91_4185_B6E7_BA9F78BFE365 Infected: not-a-virus:Monitor.Win32.PCAcme.61 skipped
C:\System Volume Information\_restore{FA845A7B-6586-42B0-9312-3813A36F967B}\RP487\A0051475.exe/bdantispy.msi Infected: not-a-virus:Monitor.Win32.PCAcme.61 skipped
C:\System Volume Information\_restore{FA845A7B-6586-42B0-9312-3813A36F967B}\RP487\A0051475.exe CAB: infected - 3 skipped
C:\System Volume Information\_restore{FA845A7B-6586-42B0-9312-3813A36F967B}\RP493\A0051818.exe Infected: not-a-virus:AdWare.Win32.IEHlpr.n skipped
C:\System Volume Information\_restore{FA845A7B-6586-42B0-9312-3813A36F967B}\RP496\A0052080.exe Infected: not-a-virus:AdWare.Win32.IEHlpr.o skipped
C:\System Volume Information\_restore{FA845A7B-6586-42B0-9312-3813A36F967B}\RP497\A0052117.exe Infected: not-a-virus:AdWare.Win32.IEHlpr.o skipped
C:\System Volume Information\_restore{FA845A7B-6586-42B0-9312-3813A36F967B}\RP511\A0052428.exe Infected: not-a-virus:AdWare.Win32.IEHlpr.k skipped
C:\System Volume Information\_restore{FA845A7B-6586-42B0-9312-3813A36F967B}\RP511\A0052429.DLL Infected: not-a-virus:AdWare.Win32.IEHlpr.h skipped
C:\System Volume Information\_restore{FA845A7B-6586-42B0-9312-3813A36F967B}\RP511\A0052430.dll Infected: not-a-virus:AdWare.Win32.IEHlpr.k skipped
C:\System Volume Information\_restore{FA845A7B-6586-42B0-9312-3813A36F967B}\RP511\A0052431.dll Infected: not-a-virus:AdWare.Win32.IEHlpr.k skipped
C:\System Volume Information\_restore{FA845A7B-6586-42B0-9312-3813A36F967B}\RP511\A0052432.DLL Infected: not-a-virus:AdWare.Win32.IEHlpr.h skipped
C:\System Volume Information\_restore{FA845A7B-6586-42B0-9312-3813A36F967B}\RP511\A0052434.DLL Infected: not-a-virus:AdWare.Win32.SeeCha.a skipped
C:\System Volume Information\_restore{FA845A7B-6586-42B0-9312-3813A36F967B}\RP518\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB828028$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\cmdevtgprov.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\evtgprov.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjetol1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB839645$\fldrclnr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB839645$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB839645$\shlwapi.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB839645$\sxs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB839645$\xpsp2res.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\wmp.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\2.2.0.0\dmplayer.dll Infected: not-a-virus:AdWare.Win32.Dm.p skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.


Logfile of HijackThis v1.99.1
Scan saved at 9:17:53 PM, on 10/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PROMon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\SCANJET\PrecisionScanLT\hppwrsav.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\gearsec.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Support\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.gatewaybiz.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gatewaybiz.com
F2 - REG:system.ini: UserInit=C:\WINDOWS\SYSTEM32\Userinit.exe,C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\nleee.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: FltSetUp Class - {1D49D58D-5C84-4B50-8359-D9809BEB2B32} - C:\Program Files\Internet Explorer\Connection Wizard\icwuti1.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D424FE4E-CAF9-4fdd-BC5F-E6E6B91D53BF} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [hppwrsav] C:\SCANJET\PrecisionScanLT\hppwrsav.exe
O4 - HKLM\..\Run: [hplampc] C:\WINDOWS\system32\hplampc.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Advanced Tools Check] C:\PROGRA~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Bittorrent] C:\WINDOWS\bittorrent.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/1706ea21e2f ... xIE601.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 3938095187
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: PrismXL - Lanovation - C:\Program Files\Common Files\Lanovation\PrismXL\PRISMXL.SYS
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
mattandi
Regular Member
 
Posts: 36
Joined: October 4th, 2005, 10:56 am