Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

New Vundo Attack at my PC

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

New Vundo Attack at my PC

Unread postby alcskid » February 16th, 2007, 8:00 am

Hi, I just got Vundo Malware attack since last week. I already try cleaning with new vundofix and virtumondebegone applications. It seem to be cleared, but when I just wait for another 5 minutes idle then all that nasty file come back again with different names. When I take a look at processexplorer, everytime msngr.exe application loaded, then it will hook greeen.exe application that make a rundll error pop up said Error Loading $u(Square box ascii char). Could you help me destroy this nasty new vundo variant? Thanks.

Here is my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 10:50:59 PM, on 16/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Rollback\RollbackTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AdSubtract\adsub.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Rollback\RollbackClnt.exe
C:\WINDOWS\system32\r_server.exe
C:\Program Files\Rollback\shdserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\msngr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=172.16.16.1:8080;http=127.0.0.1:4444;https=172.16.16.1:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Rollback] "C:\Program Files\Rollback\RollbackTray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB002" /M "Stylus C45"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [Multi-Mail Notifier Professional Edition] C:\Program Files\GlobalMedia\Multi-Mail Notifier\MultiMailNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2196325433
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2196421417
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C57FE198-5134-46C6-A103-AD44A4873F7E}: Domain = 1sbs.com.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{C57FE198-5134-46C6-A103-AD44A4873F7E}: NameServer = 172.16.16.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: khfefca - C:\WINDOWS\SYSTEM32\khfefca.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Beyond Remote Server - Data Apples Corporation - C:\PROGRA~1\DATAAP~1\BEYOND~1\BRServer.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RollbackClientService - Unknown owner - C:\Program Files\Rollback\RollbackClnt.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: SHDSERV - Horizon Datasys, Inc. - C:\Program Files\Rollback\shdserv.exe
O23 - Service: Windows Server Management Services (WSMSPSVC) - Unknown owner - C:\WINDOWS\msngr.exe
alcskid
Active Member
 
Posts: 6
Joined: February 16th, 2007, 7:21 am
Advertisement
Register to Remove

Unread postby John B. » February 16th, 2007, 11:26 am

Hi! :hello2: and welcome to the Malware Removal forums.
My name is John Brouwer - if it helps, you can call me John for short. I'll be glad to help you with your computer problems.

HijackThis logs can take some time to research, so please be patient with me. I know that you need
your computer working as quickly as possible, and I will work hard to help see that happens.
I am currently looking over your log. As I am a trainee, everything that I post to you must be checked by an Admin or Moderator. Thus, there may be a tiny bit of a delay between posts, but it shouldn't be too long. I will post back shortly with a potential fix.

Please be patient and I'd be grateful if you would note the following:
  • I will working be on your Malware issues, this may or may not, solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for this issue on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.
  • Finally, please make a uninstall list using HijackThis
    To access the Uninstall Manager you would do the following:

    1. Start HijackThis
    2. Click on the Config button
    3. Click on the Misc Tools button
    4. Click on the Open Uninstall Manager button.

    You will now be presented with a screen similar to the one below:

    Image

    5. Click on the Save list... button and specify where you would like to save this file. When you press Save button a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in a reply.

Greets, John.
User avatar
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Unread postby alcskid » February 16th, 2007, 12:00 pm

Hi John,

While I'm waiting for reply I already did this:
* Run VirtumundoBeGone app again -> It will automatically Reboot (It's successfully stripping and deactivate vundo variant. Here is the log from app:

[02/17/2007, 0:30:08] - VirtumundoBeGone v1.5 ( "C:\VirtumundoBeGone.exe" )
[02/17/2007, 0:30:13] - Detected System Information:
[02/17/2007, 0:30:13] - Windows Version: 5.1.2600, Service Pack 2
[02/17/2007, 0:30:13] - Current Username: Anton (Admin)
[02/17/2007, 0:30:13] - Windows is in NORMAL mode.
[02/17/2007, 0:30:13] - Searching for Browser Helper Objects:
[02/17/2007, 0:30:13] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:13] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} ()
[02/17/2007, 0:30:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:13] - Checking for HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:30:13] - Found: HKLM\...\Winlogon\Notify\khfefca - This is probably Virtumundo.
[02/17/2007, 0:30:13] - Assigning {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} MSEvents Object
[02/17/2007, 0:30:13] - BHO list has been changed! Starting over...
[02/17/2007, 0:30:13] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:13] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} (MSEvents Object)
[02/17/2007, 0:30:13] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:13] - BHO 3: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:13] - BHO 4: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} ()
[02/17/2007, 0:30:13] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:13] - Checking for HKLM\...\Winlogon\Notify\ssqpo
[02/17/2007, 0:30:13] - Found: HKLM\...\Winlogon\Notify\ssqpo - This is probably Virtumundo.
[02/17/2007, 0:30:13] - Assigning {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} MSEvents Object
[02/17/2007, 0:30:13] - BHO list has been changed! Starting over...
[02/17/2007, 0:30:13] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:13] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} (MSEvents Object)
[02/17/2007, 0:30:13] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:13] - BHO 3: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:13] - BHO 4: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} (MSEvents Object)
[02/17/2007, 0:30:13] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:13] - BHO 5: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[02/17/2007, 0:30:13] - Finished Searching Browser Helper Objects
[02/17/2007, 0:30:13] - *** Detected MSEvents Object
[02/17/2007, 0:30:13] - Trying to remove MSEvents Object...
[02/17/2007, 0:30:14] - Terminating Process: IEXPLORE.EXE
[02/17/2007, 0:30:14] - Terminating Process: RUNDLL32.EXE
[02/17/2007, 0:30:14] - Disabling Automatic Shell Restart
[02/17/2007, 0:30:14] - Terminating Process: EXPLORER.EXE
[02/17/2007, 0:30:14] - Suspending the NT Session Manager System Service
[02/17/2007, 0:30:14] - Terminating Windows NT Logon/Logoff Manager
[02/17/2007, 0:30:14] - Re-enabling Automatic Shell Restart
[02/17/2007, 0:30:14] - File to disable: C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:30:14] - Renaming C:\WINDOWS\system32\khfefca.dll -> C:\WINDOWS\system32\khfefca.dll.vir
[02/17/2007, 0:30:14] - ! File rename was unsucessful.
[02/17/2007, 0:30:14] - Attempting to Deny Access to C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:30:15] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[02/17/2007, 0:30:15] - processed file: C:\WINDOWS\system32\khfefca.dll

[02/17/2007, 0:30:15] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[02/17/2007, 0:30:15] - Removing HKLM\...\Browser Helper Objects\{2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:15] - Removing HKCR\CLSID\{2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:15] - Adding Kill Bit for ActiveX for GUID: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:15] - Deleting ATLEvents/MSEvents Registry entries
[02/17/2007, 0:30:15] - Removing HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:30:15] - Searching for Browser Helper Objects:
[02/17/2007, 0:30:15] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:15] - BHO 2: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:15] - BHO 3: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} (MSEvents Object)
[02/17/2007, 0:30:15] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:15] - BHO 4: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[02/17/2007, 0:30:15] - Finished Searching Browser Helper Objects
[02/17/2007, 0:30:15] - *** Detected MSEvents Object
[02/17/2007, 0:30:15] - Trying to remove MSEvents Object...
[02/17/2007, 0:30:16] - Terminating Process: IEXPLORE.EXE
[02/17/2007, 0:30:16] - Terminating Process: RUNDLL32.EXE
[02/17/2007, 0:30:16] - Disabling Automatic Shell Restart
[02/17/2007, 0:30:18] - Terminating Process: EXPLORER.EXE
[02/17/2007, 0:30:18] - Suspending the NT Session Manager System Service
[02/17/2007, 0:30:18] - Terminating Windows NT Logon/Logoff Manager
[02/17/2007, 0:30:18] - Re-enabling Automatic Shell Restart
[02/17/2007, 0:30:18] - File to disable: C:\WINDOWS\system32\ssqpo.dll
[02/17/2007, 0:30:18] - Renaming C:\WINDOWS\system32\ssqpo.dll -> C:\WINDOWS\system32\ssqpo.dll.vir
[02/17/2007, 0:30:18] - ! File rename was unsucessful.
[02/17/2007, 0:30:18] - Attempting to Deny Access to C:\WINDOWS\system32\ssqpo.dll
[02/17/2007, 0:30:19] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[02/17/2007, 0:30:19] - processed file: C:\WINDOWS\system32\ssqpo.dll

[02/17/2007, 0:30:19] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[02/17/2007, 0:30:19] - Removing HKLM\...\Browser Helper Objects\{81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:30:19] - Removing HKCR\CLSID\{81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:30:19] - Adding Kill Bit for ActiveX for GUID: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:30:20] - Deleting ATLEvents/MSEvents Registry entries
[02/17/2007, 0:30:20] - Removing HKLM\...\Winlogon\Notify\ssqpo
[02/17/2007, 0:30:20] - Searching for Browser Helper Objects:
[02/17/2007, 0:30:20] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:20] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} ()
[02/17/2007, 0:30:20] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:20] - Checking for HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:30:20] - Found: HKLM\...\Winlogon\Notify\khfefca - This is probably Virtumundo.
[02/17/2007, 0:30:20] - Assigning {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} MSEvents Object
[02/17/2007, 0:30:21] - BHO list has been changed! Starting over...
[02/17/2007, 0:30:21] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:21] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} (MSEvents Object)
[02/17/2007, 0:30:21] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:21] - BHO 3: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:21] - BHO 4: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} ()
[02/17/2007, 0:30:21] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:21] - Checking for HKLM\...\Winlogon\Notify\ssqpo
[02/17/2007, 0:30:21] - Key not found: HKLM\...\Winlogon\Notify\ssqpo, continuing.
[02/17/2007, 0:30:21] - BHO 5: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[02/17/2007, 0:30:21] - Finished Searching Browser Helper Objects
[02/17/2007, 0:30:21] - *** Detected MSEvents Object
[02/17/2007, 0:30:21] - Trying to remove MSEvents Object...
[02/17/2007, 0:30:22] - Terminating Process: IEXPLORE.EXE
[02/17/2007, 0:30:22] - Terminating Process: RUNDLL32.EXE
[02/17/2007, 0:30:22] - Disabling Automatic Shell Restart
[02/17/2007, 0:30:22] - Terminating Process: EXPLORER.EXE
[02/17/2007, 0:30:22] - Suspending the NT Session Manager System Service
[02/17/2007, 0:30:22] - Terminating Windows NT Logon/Logoff Manager
[02/17/2007, 0:30:22] - Re-enabling Automatic Shell Restart
[02/17/2007, 0:30:22] - File to disable: C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:30:22] - Renaming C:\WINDOWS\system32\khfefca.dll -> C:\WINDOWS\system32\khfefca.dll.vir
[02/17/2007, 0:30:23] - ! File rename was unsucessful.
[02/17/2007, 0:30:23] - Attempting to Deny Access to C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:30:23] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[02/17/2007, 0:30:23] - processed file: C:\WINDOWS\system32\khfefca.dll

[02/17/2007, 0:30:23] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[02/17/2007, 0:30:23] - Removing HKLM\...\Browser Helper Objects\{2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:23] - Removing HKCR\CLSID\{2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:23] - Adding Kill Bit for ActiveX for GUID: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:23] - Deleting ATLEvents/MSEvents Registry entries
[02/17/2007, 0:30:23] - Removing HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:30:23] - Searching for Browser Helper Objects:
[02/17/2007, 0:30:23] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:23] - BHO 2: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:23] - BHO 3: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} ()
[02/17/2007, 0:30:23] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:23] - Checking for HKLM\...\Winlogon\Notify\ssqpo
[02/17/2007, 0:30:23] - Found: HKLM\...\Winlogon\Notify\ssqpo - This is probably Virtumundo.
[02/17/2007, 0:30:23] - Assigning {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} MSEvents Object
[02/17/2007, 0:30:23] - BHO list has been changed! Starting over...
[02/17/2007, 0:30:23] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:23] - BHO 2: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:23] - BHO 3: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} (MSEvents Object)
[02/17/2007, 0:30:24] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:24] - BHO 4: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} (MSEvents Object)
[02/17/2007, 0:30:24] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:24] - BHO 5: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[02/17/2007, 0:30:24] - Finished Searching Browser Helper Objects
[02/17/2007, 0:30:24] - *** Detected MSEvents Object
[02/17/2007, 0:30:24] - Trying to remove MSEvents Object...
[02/17/2007, 0:30:25] - Terminating Process: IEXPLORE.EXE
[02/17/2007, 0:30:25] - Terminating Process: RUNDLL32.EXE
[02/17/2007, 0:30:25] - Disabling Automatic Shell Restart
[02/17/2007, 0:30:26] - Terminating Process: EXPLORER.EXE
[02/17/2007, 0:30:26] - Suspending the NT Session Manager System Service
[02/17/2007, 0:30:26] - Terminating Windows NT Logon/Logoff Manager
[02/17/2007, 0:30:26] - Re-enabling Automatic Shell Restart
[02/17/2007, 0:30:26] - File to disable: C:\WINDOWS\system32\ssqpo.dll
[02/17/2007, 0:30:26] - Renaming C:\WINDOWS\system32\ssqpo.dll -> C:\WINDOWS\system32\ssqpo.dll.vir
[02/17/2007, 0:30:26] - ! File rename was unsucessful.
[02/17/2007, 0:30:26] - Attempting to Deny Access to C:\WINDOWS\system32\ssqpo.dll
[02/17/2007, 0:30:27] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[02/17/2007, 0:30:27] - processed file: C:\WINDOWS\system32\ssqpo.dll

[02/17/2007, 0:30:27] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[02/17/2007, 0:30:27] - Removing HKLM\...\Browser Helper Objects\{81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:30:27] - Removing HKCR\CLSID\{81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:30:27] - Adding Kill Bit for ActiveX for GUID: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:30:27] - Deleting ATLEvents/MSEvents Registry entries
[02/17/2007, 0:30:27] - Removing HKLM\...\Winlogon\Notify\ssqpo
[02/17/2007, 0:30:30] - Searching for Browser Helper Objects:
[02/17/2007, 0:30:30] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:30] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} ()
[02/17/2007, 0:30:30] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:30] - Checking for HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:30:30] - Found: HKLM\...\Winlogon\Notify\khfefca - This is probably Virtumundo.
[02/17/2007, 0:30:30] - Assigning {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} MSEvents Object
[02/17/2007, 0:30:30] - BHO list has been changed! Starting over...
[02/17/2007, 0:30:30] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:30] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} (MSEvents Object)
[02/17/2007, 0:30:31] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:31] - BHO 3: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:31] - BHO 4: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} ()
[02/17/2007, 0:30:31] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:31] - Checking for HKLM\...\Winlogon\Notify\ssqpo
[02/17/2007, 0:30:31] - Found: HKLM\...\Winlogon\Notify\ssqpo - This is probably Virtumundo.
[02/17/2007, 0:30:31] - Assigning {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} MSEvents Object
[02/17/2007, 0:30:31] - BHO list has been changed! Starting over...
[02/17/2007, 0:30:31] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:31] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} (MSEvents Object)
[02/17/2007, 0:30:31] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:31] - BHO 3: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:31] - BHO 4: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} (MSEvents Object)
[02/17/2007, 0:30:31] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:31] - BHO 5: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[02/17/2007, 0:30:31] - Finished Searching Browser Helper Objects
[02/17/2007, 0:30:31] - *** Detected MSEvents Object
[02/17/2007, 0:30:31] - Trying to remove MSEvents Object...
[02/17/2007, 0:30:32] - Terminating Process: IEXPLORE.EXE
[02/17/2007, 0:30:32] - Terminating Process: RUNDLL32.EXE
[02/17/2007, 0:30:32] - Disabling Automatic Shell Restart
[02/17/2007, 0:30:32] - Terminating Process: EXPLORER.EXE
[02/17/2007, 0:30:32] - Suspending the NT Session Manager System Service
[02/17/2007, 0:30:32] - Terminating Windows NT Logon/Logoff Manager
[02/17/2007, 0:30:32] - Re-enabling Automatic Shell Restart
[02/17/2007, 0:30:32] - File to disable: C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:30:32] - Renaming C:\WINDOWS\system32\khfefca.dll -> C:\WINDOWS\system32\khfefca.dll.vir
[02/17/2007, 0:30:32] - ! File rename was unsucessful.
[02/17/2007, 0:30:32] - Attempting to Deny Access to C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:30:32] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[02/17/2007, 0:30:32] - processed file: C:\WINDOWS\system32\khfefca.dll

[02/17/2007, 0:30:32] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[02/17/2007, 0:30:32] - Removing HKLM\...\Browser Helper Objects\{2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:32] - Removing HKCR\CLSID\{2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:32] - Adding Kill Bit for ActiveX for GUID: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:32] - Deleting ATLEvents/MSEvents Registry entries
[02/17/2007, 0:30:32] - Removing HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:30:32] - Searching for Browser Helper Objects:
[02/17/2007, 0:30:32] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:32] - BHO 2: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:32] - BHO 3: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} (MSEvents Object)
[02/17/2007, 0:30:32] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:32] - BHO 4: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[02/17/2007, 0:30:32] - Finished Searching Browser Helper Objects
[02/17/2007, 0:30:32] - *** Detected MSEvents Object
[02/17/2007, 0:30:32] - Trying to remove MSEvents Object...
[02/17/2007, 0:30:33] - Terminating Process: IEXPLORE.EXE
[02/17/2007, 0:30:33] - Terminating Process: RUNDLL32.EXE
[02/17/2007, 0:30:33] - Disabling Automatic Shell Restart
[02/17/2007, 0:30:35] - Terminating Process: EXPLORER.EXE
[02/17/2007, 0:30:35] - Suspending the NT Session Manager System Service
[02/17/2007, 0:30:35] - Terminating Windows NT Logon/Logoff Manager
[02/17/2007, 0:30:35] - Re-enabling Automatic Shell Restart
[02/17/2007, 0:30:36] - File to disable: C:\WINDOWS\system32\ssqpo.dll
[02/17/2007, 0:30:36] - Renaming C:\WINDOWS\system32\ssqpo.dll -> C:\WINDOWS\system32\ssqpo.dll.vir
[02/17/2007, 0:30:36] - ! File rename was unsucessful.
[02/17/2007, 0:30:36] - Attempting to Deny Access to C:\WINDOWS\system32\ssqpo.dll
[02/17/2007, 0:30:36] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[02/17/2007, 0:30:36] - processed file: C:\WINDOWS\system32\ssqpo.dll

[02/17/2007, 0:30:36] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[02/17/2007, 0:30:36] - Removing HKLM\...\Browser Helper Objects\{81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:30:36] - Removing HKCR\CLSID\{81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:30:36] - Adding Kill Bit for ActiveX for GUID: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:30:36] - Deleting ATLEvents/MSEvents Registry entries
[02/17/2007, 0:30:36] - Removing HKLM\...\Winlogon\Notify\ssqpo
[02/17/2007, 0:30:36] - Searching for Browser Helper Objects:
[02/17/2007, 0:30:36] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:36] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} ()
[02/17/2007, 0:30:36] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:36] - Checking for HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:30:36] - Found: HKLM\...\Winlogon\Notify\khfefca - This is probably Virtumundo.
[02/17/2007, 0:30:36] - Assigning {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} MSEvents Object
[02/17/2007, 0:30:38] - BHO list has been changed! Starting over...
[02/17/2007, 0:30:38] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:38] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} (MSEvents Object)
[02/17/2007, 0:30:38] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:38] - BHO 3: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:38] - BHO 4: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[02/17/2007, 0:30:38] - Finished Searching Browser Helper Objects
[02/17/2007, 0:30:38] - *** Detected MSEvents Object
[02/17/2007, 0:30:38] - Trying to remove MSEvents Object...
[02/17/2007, 0:30:39] - Terminating Process: IEXPLORE.EXE
[02/17/2007, 0:30:39] - Terminating Process: RUNDLL32.EXE
[02/17/2007, 0:30:39] - Disabling Automatic Shell Restart
[02/17/2007, 0:30:39] - Terminating Process: EXPLORER.EXE
[02/17/2007, 0:30:39] - Suspending the NT Session Manager System Service
[02/17/2007, 0:30:39] - Terminating Windows NT Logon/Logoff Manager
[02/17/2007, 0:30:39] - Re-enabling Automatic Shell Restart
[02/17/2007, 0:30:39] - File to disable: C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:30:39] - Renaming C:\WINDOWS\system32\khfefca.dll -> C:\WINDOWS\system32\khfefca.dll.vir
[02/17/2007, 0:30:39] - ! File rename was unsucessful.
[02/17/2007, 0:30:39] - Attempting to Deny Access to C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:30:40] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[02/17/2007, 0:30:40] - processed file: C:\WINDOWS\system32\khfefca.dll

[02/17/2007, 0:30:40] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[02/17/2007, 0:30:40] - Removing HKLM\...\Browser Helper Objects\{2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:40] - Removing HKCR\CLSID\{2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:40] - Adding Kill Bit for ActiveX for GUID: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:40] - Deleting ATLEvents/MSEvents Registry entries
[02/17/2007, 0:30:40] - Removing HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:30:40] - Searching for Browser Helper Objects:
[02/17/2007, 0:30:40] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:40] - BHO 2: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:40] - BHO 3: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} ()
[02/17/2007, 0:30:40] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:40] - Checking for HKLM\...\Winlogon\Notify\ssqpo
[02/17/2007, 0:30:40] - Found: HKLM\...\Winlogon\Notify\ssqpo - This is probably Virtumundo.
[02/17/2007, 0:30:40] - Assigning {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} MSEvents Object
[02/17/2007, 0:30:40] - BHO list has been changed! Starting over...
[02/17/2007, 0:30:40] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:40] - BHO 2: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:40] - BHO 3: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} (MSEvents Object)
[02/17/2007, 0:30:42] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:42] - BHO 4: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} (MSEvents Object)
[02/17/2007, 0:30:42] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:42] - BHO 5: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[02/17/2007, 0:30:43] - Finished Searching Browser Helper Objects
[02/17/2007, 0:30:43] - *** Detected MSEvents Object
[02/17/2007, 0:30:43] - Trying to remove MSEvents Object...
[02/17/2007, 0:30:44] - Terminating Process: IEXPLORE.EXE
[02/17/2007, 0:30:44] - Terminating Process: RUNDLL32.EXE
[02/17/2007, 0:30:44] - Disabling Automatic Shell Restart
[02/17/2007, 0:30:45] - Terminating Process: EXPLORER.EXE
[02/17/2007, 0:30:45] - Suspending the NT Session Manager System Service
[02/17/2007, 0:30:45] - Terminating Windows NT Logon/Logoff Manager
[02/17/2007, 0:30:45] - Re-enabling Automatic Shell Restart
[02/17/2007, 0:30:45] - File to disable: C:\WINDOWS\system32\ssqpo.dll
[02/17/2007, 0:30:45] - Renaming C:\WINDOWS\system32\ssqpo.dll -> C:\WINDOWS\system32\ssqpo.dll.vir
[02/17/2007, 0:30:45] - ! File rename was unsucessful.
[02/17/2007, 0:30:45] - Attempting to Deny Access to C:\WINDOWS\system32\ssqpo.dll
[02/17/2007, 0:30:45] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[02/17/2007, 0:30:45] - processed file: C:\WINDOWS\system32\ssqpo.dll

[02/17/2007, 0:30:45] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[02/17/2007, 0:30:45] - Removing HKLM\...\Browser Helper Objects\{81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:30:45] - Removing HKCR\CLSID\{81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:30:45] - Adding Kill Bit for ActiveX for GUID: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:30:45] - Deleting ATLEvents/MSEvents Registry entries
[02/17/2007, 0:30:45] - Removing HKLM\...\Winlogon\Notify\ssqpo
[02/17/2007, 0:30:45] - Searching for Browser Helper Objects:
[02/17/2007, 0:30:45] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:45] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} ()
[02/17/2007, 0:30:45] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:45] - Checking for HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:30:45] - Found: HKLM\...\Winlogon\Notify\khfefca - This is probably Virtumundo.
[02/17/2007, 0:30:45] - Assigning {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} MSEvents Object
[02/17/2007, 0:30:45] - BHO list has been changed! Starting over...
[02/17/2007, 0:30:45] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:45] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} (MSEvents Object)
[02/17/2007, 0:30:45] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:45] - BHO 3: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:46] - BHO 4: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} ()
[02/17/2007, 0:30:46] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:46] - No filename found. Continuing.
[02/17/2007, 0:30:46] - BHO 5: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[02/17/2007, 0:30:46] - Finished Searching Browser Helper Objects
[02/17/2007, 0:30:46] - *** Detected MSEvents Object
[02/17/2007, 0:30:46] - Trying to remove MSEvents Object...
[02/17/2007, 0:30:47] - Terminating Process: IEXPLORE.EXE
[02/17/2007, 0:30:47] - Terminating Process: RUNDLL32.EXE
[02/17/2007, 0:30:47] - Disabling Automatic Shell Restart
[02/17/2007, 0:30:47] - Terminating Process: EXPLORER.EXE
[02/17/2007, 0:30:47] - Suspending the NT Session Manager System Service
[02/17/2007, 0:30:47] - Terminating Windows NT Logon/Logoff Manager
[02/17/2007, 0:30:47] - Re-enabling Automatic Shell Restart
[02/17/2007, 0:30:47] - File to disable: C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:30:47] - Renaming C:\WINDOWS\system32\khfefca.dll -> C:\WINDOWS\system32\khfefca.dll.vir
[02/17/2007, 0:30:48] - ! File rename was unsucessful.
[02/17/2007, 0:30:48] - Attempting to Deny Access to C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:30:49] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[02/17/2007, 0:30:49] - processed file: C:\WINDOWS\system32\khfefca.dll

[02/17/2007, 0:30:49] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[02/17/2007, 0:30:49] - Removing HKLM\...\Browser Helper Objects\{2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:49] - Removing HKCR\CLSID\{2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:49] - Adding Kill Bit for ActiveX for GUID: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:49] - Deleting ATLEvents/MSEvents Registry entries
[02/17/2007, 0:30:49] - Removing HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:30:49] - Searching for Browser Helper Objects:
[02/17/2007, 0:30:49] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:49] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} ()
[02/17/2007, 0:30:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:49] - No filename found. Continuing.
[02/17/2007, 0:30:49] - BHO 3: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:49] - BHO 4: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} ()
[02/17/2007, 0:30:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:49] - Checking for HKLM\...\Winlogon\Notify\ssqpo
[02/17/2007, 0:30:49] - Found: HKLM\...\Winlogon\Notify\ssqpo - This is probably Virtumundo.
[02/17/2007, 0:30:49] - Assigning {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} MSEvents Object
[02/17/2007, 0:30:49] - BHO list has been changed! Starting over...
[02/17/2007, 0:30:49] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:49] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} ()
[02/17/2007, 0:30:49] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:49] - Checking for HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:30:49] - Key not found: HKLM\...\Winlogon\Notify\khfefca, continuing.
[02/17/2007, 0:30:49] - BHO 3: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:49] - BHO 4: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} (MSEvents Object)
[02/17/2007, 0:30:49] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:49] - BHO 5: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[02/17/2007, 0:30:49] - Finished Searching Browser Helper Objects
[02/17/2007, 0:30:49] - *** Detected MSEvents Object
[02/17/2007, 0:30:49] - Trying to remove MSEvents Object...
[02/17/2007, 0:30:50] - Terminating Process: IEXPLORE.EXE
[02/17/2007, 0:30:50] - Terminating Process: RUNDLL32.EXE
[02/17/2007, 0:30:52] - Disabling Automatic Shell Restart
[02/17/2007, 0:30:52] - Terminating Process: EXPLORER.EXE
[02/17/2007, 0:30:52] - Suspending the NT Session Manager System Service
[02/17/2007, 0:30:52] - Terminating Windows NT Logon/Logoff Manager
[02/17/2007, 0:30:52] - Re-enabling Automatic Shell Restart
[02/17/2007, 0:30:53] - File to disable: C:\WINDOWS\system32\ssqpo.dll
[02/17/2007, 0:30:53] - Renaming C:\WINDOWS\system32\ssqpo.dll -> C:\WINDOWS\system32\ssqpo.dll.vir
[02/17/2007, 0:30:53] - ! File rename was unsucessful.
[02/17/2007, 0:30:53] - Attempting to Deny Access to C:\WINDOWS\system32\ssqpo.dll
[02/17/2007, 0:30:53] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[02/17/2007, 0:30:53] - processed file: C:\WINDOWS\system32\ssqpo.dll

[02/17/2007, 0:30:53] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[02/17/2007, 0:30:53] - Removing HKLM\...\Browser Helper Objects\{81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:30:54] - Removing HKCR\CLSID\{81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:30:54] - Adding Kill Bit for ActiveX for GUID: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:30:54] - Deleting ATLEvents/MSEvents Registry entries
[02/17/2007, 0:30:54] - Removing HKLM\...\Winlogon\Notify\ssqpo
[02/17/2007, 0:30:54] - Searching for Browser Helper Objects:
[02/17/2007, 0:30:54] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:54] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} ()
[02/17/2007, 0:30:54] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:54] - Checking for HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:30:54] - Found: HKLM\...\Winlogon\Notify\khfefca - This is probably Virtumundo.
[02/17/2007, 0:30:54] - Assigning {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} MSEvents Object
[02/17/2007, 0:30:54] - BHO list has been changed! Starting over...
[02/17/2007, 0:30:54] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:54] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} (MSEvents Object)
[02/17/2007, 0:30:54] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:54] - BHO 3: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:54] - BHO 4: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[02/17/2007, 0:30:54] - Finished Searching Browser Helper Objects
[02/17/2007, 0:30:54] - *** Detected MSEvents Object
[02/17/2007, 0:30:54] - Trying to remove MSEvents Object...
[02/17/2007, 0:30:55] - Terminating Process: IEXPLORE.EXE
[02/17/2007, 0:30:55] - Terminating Process: RUNDLL32.EXE
[02/17/2007, 0:30:55] - Disabling Automatic Shell Restart
[02/17/2007, 0:30:56] - Terminating Process: EXPLORER.EXE
[02/17/2007, 0:30:56] - Suspending the NT Session Manager System Service
[02/17/2007, 0:30:56] - Terminating Windows NT Logon/Logoff Manager
[02/17/2007, 0:30:57] - Re-enabling Automatic Shell Restart
[02/17/2007, 0:30:57] - File to disable: C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:30:57] - Renaming C:\WINDOWS\system32\khfefca.dll -> C:\WINDOWS\system32\khfefca.dll.vir
[02/17/2007, 0:30:57] - ! File rename was unsucessful.
[02/17/2007, 0:30:57] - Attempting to Deny Access to C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:30:57] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[02/17/2007, 0:30:57] - processed file: C:\WINDOWS\system32\khfefca.dll

[02/17/2007, 0:30:57] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[02/17/2007, 0:30:57] - Removing HKLM\...\Browser Helper Objects\{2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:57] - Removing HKCR\CLSID\{2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:57] - Adding Kill Bit for ActiveX for GUID: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:30:57] - Deleting ATLEvents/MSEvents Registry entries
[02/17/2007, 0:30:57] - Removing HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:30:57] - Searching for Browser Helper Objects:
[02/17/2007, 0:30:57] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:57] - BHO 2: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:57] - BHO 3: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} ()
[02/17/2007, 0:30:57] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:57] - Checking for HKLM\...\Winlogon\Notify\ssqpo
[02/17/2007, 0:30:57] - Found: HKLM\...\Winlogon\Notify\ssqpo - This is probably Virtumundo.
[02/17/2007, 0:30:57] - Assigning {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} MSEvents Object
[02/17/2007, 0:30:57] - BHO list has been changed! Starting over...
[02/17/2007, 0:30:57] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:30:58] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} ()
[02/17/2007, 0:30:58] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:30:58] - Checking for HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:30:58] - Key not found: HKLM\...\Winlogon\Notify\khfefca, continuing.
[02/17/2007, 0:30:58] - BHO 3: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:30:58] - BHO 4: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} (MSEvents Object)
[02/17/2007, 0:30:58] - ALERT: Found MSEvents Object!
[02/17/2007, 0:30:58] - BHO 5: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[02/17/2007, 0:30:58] - Finished Searching Browser Helper Objects
[02/17/2007, 0:30:58] - *** Detected MSEvents Object
[02/17/2007, 0:30:58] - Trying to remove MSEvents Object...
[02/17/2007, 0:30:59] - Terminating Process: IEXPLORE.EXE
[02/17/2007, 0:30:59] - Terminating Process: RUNDLL32.EXE
[02/17/2007, 0:30:59] - Disabling Automatic Shell Restart
[02/17/2007, 0:30:59] - Terminating Process: EXPLORER.EXE
[02/17/2007, 0:30:59] - Suspending the NT Session Manager System Service
[02/17/2007, 0:30:59] - Terminating Windows NT Logon/Logoff Manager
[02/17/2007, 0:30:59] - Re-enabling Automatic Shell Restart
[02/17/2007, 0:30:59] - File to disable: C:\WINDOWS\system32\ssqpo.dll
[02/17/2007, 0:31:00] - Renaming C:\WINDOWS\system32\ssqpo.dll -> C:\WINDOWS\system32\ssqpo.dll.vir
[02/17/2007, 0:31:00] - ! File rename was unsucessful.
[02/17/2007, 0:31:00] - Attempting to Deny Access to C:\WINDOWS\system32\ssqpo.dll
[02/17/2007, 0:31:00] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[02/17/2007, 0:31:00] - processed file: C:\WINDOWS\system32\ssqpo.dll

[02/17/2007, 0:31:00] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[02/17/2007, 0:31:00] - Removing HKLM\...\Browser Helper Objects\{81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:31:00] - Removing HKCR\CLSID\{81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:31:01] - Adding Kill Bit for ActiveX for GUID: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF}
[02/17/2007, 0:31:01] - Deleting ATLEvents/MSEvents Registry entries
[02/17/2007, 0:31:01] - Removing HKLM\...\Winlogon\Notify\ssqpo
[02/17/2007, 0:31:01] - Searching for Browser Helper Objects:
[02/17/2007, 0:31:01] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:31:01] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} ()
[02/17/2007, 0:31:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:31:01] - Checking for HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:31:01] - Found: HKLM\...\Winlogon\Notify\khfefca - This is probably Virtumundo.
[02/17/2007, 0:31:01] - Assigning {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} MSEvents Object
[02/17/2007, 0:31:01] - BHO list has been changed! Starting over...
[02/17/2007, 0:31:01] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[02/17/2007, 0:31:01] - BHO 2: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09} (MSEvents Object)
[02/17/2007, 0:31:01] - ALERT: Found MSEvents Object!
[02/17/2007, 0:31:01] - BHO 3: {72853161-30C5-4D22-B7F9-0BBC1D38A37E} (Groove GFS Browser Helper)
[02/17/2007, 0:31:01] - BHO 4: {81C561CA-EAFE-4E95-9FEA-03C473E31EAF} ()
[02/17/2007, 0:31:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
[02/17/2007, 0:31:01] - Checking for HKLM\...\Winlogon\Notify\ssqpo
[02/17/2007, 0:31:02] - Key not found: HKLM\...\Winlogon\Notify\ssqpo, continuing.
[02/17/2007, 0:31:02] - BHO 5: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[02/17/2007, 0:31:02] - Finished Searching Browser Helper Objects
[02/17/2007, 0:31:02] - *** Detected MSEvents Object
[02/17/2007, 0:31:02] - Trying to remove MSEvents Object...
[02/17/2007, 0:31:03] - Terminating Process: IEXPLORE.EXE
[02/17/2007, 0:31:03] - Terminating Process: RUNDLL32.EXE
[02/17/2007, 0:31:03] - Disabling Automatic Shell Restart
[02/17/2007, 0:31:03] - Terminating Process: EXPLORER.EXE
[02/17/2007, 0:31:03] - Suspending the NT Session Manager System Service
[02/17/2007, 0:31:03] - Terminating Windows NT Logon/Logoff Manager
[02/17/2007, 0:31:08] - Re-enabling Automatic Shell Restart
[02/17/2007, 0:31:08] - File to disable: C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:31:08] - Renaming C:\WINDOWS\system32\khfefca.dll -> C:\WINDOWS\system32\khfefca.dll.vir
[02/17/2007, 0:31:08] - ! File rename was unsucessful.
[02/17/2007, 0:31:08] - Attempting to Deny Access to C:\WINDOWS\system32\khfefca.dll
[02/17/2007, 0:31:08] - *** IMPORTANT: Delete/Rename/Move on reboot (like Killbox) MAY NOT work.
[02/17/2007, 0:31:08] - processed file: C:\WINDOWS\system32\khfefca.dll

[02/17/2007, 0:31:08] - *** IMPORTANT: The file is disabled and will need to be deleted by the user.
[02/17/2007, 0:31:08] - Removing HKLM\...\Browser Helper Objects\{2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:31:08] - Removing HKCR\CLSID\{2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:31:08] - Adding Kill Bit for ActiveX for GUID: {2D81C3CA-5A42-4D14-B119-CCFD483CAE09}
[02/17/2007, 0:31:08] - Deleting ATLEvents/MSEvents Registry entries
[02/17/2007, 0:31:08] - Removing HKLM\...\Winlogon\Notify\khfefca
[02/17/2007, 0:31:08] - Searching for Browser Helper Objects:
[02/17/2007, 0:31:08] - Finished Searching Browser Helper Objects
[02/17/2007, 0:31:08] - Finishing up...
[02/17/2007, 0:31:08] - A restart is needed.
[02/17/2007, 0:31:08] - Automatic Reboot on STOP Error is not set. User will have to manually restart.

* After restart the PC, I go to SAFE MODE and DISABLING the WSMSPSVC Service which I found that this service calling C:\WINDOWS\MSNGR.EXE (This was actually the step that I don't do before, that's why VUNDO variant file come back again).

* I modify my registry for showing superhidden file in the windows explorer.

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"=dword:00000001
"SuperHidden"=dword:00000001
"ShowSuperHidden"=dword:00000001
"HideFileExt"=dword:00000000

* With my explorer plus UnLocker (a Free tool to kill/delete file by analyze first for a hooking process), I successfully delete MSNGR.EXE, and all vundo variant traces that's left behind. khfefce.dll, ssqpo.dll.

* After I restart again my PC into the normal mode, then I realize that after successfully disabling the MSNGR.EXE, the all the random DLL files is not appear again.

* Then using HijackThis tool I delete WSMSPSVC using Uninstall Service NT.

Now this was my latest HijackThis log from my PC:

Logfile of HijackThis v1.99.1
Scan saved at 2:57:04 AM, on 17/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Rollback\RollbackTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AdSubtract\adsub.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Rollback\RollbackClnt.exe
C:\WINDOWS\system32\r_server.exe
C:\Program Files\Rollback\shdserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\mmc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WINDOWS\system32\notepad.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=172.16.16.1:8080;http=127.0.0.1:4444;https=172.16.16.1:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Rollback] "C:\Program Files\Rollback\RollbackTray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB002" /M "Stylus C45"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2196325433
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2196421417
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C57FE198-5134-46C6-A103-AD44A4873F7E}: Domain = 1sbs.com.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{C57FE198-5134-46C6-A103-AD44A4873F7E}: NameServer = 172.16.16.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Beyond Remote Server - Data Apples Corporation - C:\PROGRA~1\DATAAP~1\BEYOND~1\BRServer.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RollbackClientService - Unknown owner - C:\Program Files\Rollback\RollbackClnt.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: SHDSERV - Horizon Datasys, Inc. - C:\Program Files\Rollback\shdserv.exe

* And finally my UnInstall list log:

µTorrent
5star Game Copy
Adobe Acrobat 7.0.8 Professional
Adobe Flash Player 9 ActiveX
AdSubtract PRO
Age Of Pirates - Caribbean Tales 1.41
Apollo DVD Copy 4.6.17
A-Ray Scanner 2.0.2.3
At the Doctor's
Australian City Streets Ver 3
Barbie(R) Pet Rescue
BayGenie eBay Auction Sniper Pro Edition 2.8.0.0
Beyond Remote Console and Host
ConvertXtoDVD 2.1.5.173
CureROM Pro 2.0.3
Disney Pixar 2nd and 3rd Grade
Disney's The Jungle Book Year 3
DynAdvance Notifier
EPSON PhotoQuicker3.5
EPSON Printer Software
FinePrint
Fractions & Decimals
GTR 2 1.0.0.0
Harry Potter II
Heroes of Might and Magic V
HijackThis 1.99.1
Hotfix for Windows Media Format SDK (KB902344)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
Hotfix for Windows XP (KB928388)
Hotfix for Windows XP (KB929120)
In Search of the Lost Words
Jungle Games
K-Lite Mega Codec Pack 1.59
Learn to Play Chess with Fritz and Chesster
Learn to Play Chess with Fritz and Chesster 2
Magic ISO Maker v5.2 (build 0190)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Access MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Ultimate 2007
Microsoft Office Ultimate 2007
Microsoft Office Word MUI (English) 2007
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Virtual PC 2004
Mini Car Racing
Motorola SM56 Speakerphone Modem
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 6.0 Parser (KB927977)
Multi-Mail Notifier Professional Edition
Music MasterWorks v3.82
Neo Max
NEO Power Kit
Nero 7 Premium
NOD32 antivirus system
NOD32 FiX v2.1
NVIDIA Drivers
Opera 9.02
Origami Craft Studio
Paws Explore - Fractions
PicaView
Project64 1.6
Realtek AC'97 Audio
Remote Administrator v2.2
Rollback Rx
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
ShadowFlare
Shrek 2
Sid Meier's Pirates!
Sony Ericsson File Manager
SpongeBob SquarePants - Lights, Camera, Pants!
TerraSip Phoner 1.16
Tom and Jerry in Fists of Furry
Unlocker 1.8.5
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB900930)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920342)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925876)
WildSnake Pinball: Christmas Tree 1.34
Windows Communication Foundation
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Rights Management Client Backwards Compatibility SP2
Windows Rights Management Client with Service Pack 2
Windows Workflow Foundation
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
WWW File Share Pro 5.0
Yahoo!7 Messenger

Sorry if I already trying something to fix my own PC before you ask. Thanks.
alcskid
Active Member
 
Posts: 6
Joined: February 16th, 2007, 7:21 am

Unread postby John B. » February 16th, 2007, 1:51 pm

Hi alcskid,

I'm afraid I have unpleasant news for you. You have a Very Dangerous infection on this machine.
The infection is delivered by a Sdbot
It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to any other data present...
IF this computer has been used for any kind of important data, my best recommendation is to Disconnect from Internet, Re-Format the entire drive and re-install your Operating system and Applications.

We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you re-connect to the Internet.

The Decision Whether to ReFormat or Not should be based on:
  • The use of the computer - this is the primary factor in the decision whether to re-format and re-install, or just disinfect.
  • The variety of malware - this influences the decision on whether to re-format and re-install, or just disinfect. IN THIS CASE we have a Sdbot, the worst kind.
If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
  • Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
  • Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
  • If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
    Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
  • From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
  • DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
  • Take any other steps you think appropriate for an attempted identity theft.

While you are deciding whether to ReFormat and Re-Install, a useful link is here: http://www.dslreports.com/faq/10063
Please let me know what you decide.

John.
User avatar
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Unread postby alcskid » February 16th, 2007, 8:11 pm

Thanks John for your recommendation. I decided to keep my current installation. I already install comodo personal firewall and winpatrol for my security add on. For AV, I'm still trusted with NOD32.

So far I rescan with VirusBuster latest DAT, and found NO Traces at all for Backdoor.Small.GCJ. And I monitoring everytime the network traffic at my PC. So far so good.

Did you see any suspicios item on my last HijackThis log? Currently I don't find any traces again on winlogon notify area. Please help me analyze further and inform me if you find something suspicious. Cheers Mate !
alcskid
Active Member
 
Posts: 6
Joined: February 16th, 2007, 7:21 am

Unread postby John B. » February 18th, 2007, 3:43 am

Hi,

It looks like you did well in removing the Sdbot but still there maybe settings in the registry which Sdfix would restore and you didn't. For now please do my fixes only and please don't go and fix on your own. I know you're pretty good with fixing malware, but something might go wrong if we do something twice.

Please copy this fix to Notepad/Word, or print it, because you won't always have internet access!

Step 1: Download and Install SDFix
Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Step 2: Boot into Safe Mode
Reboot your computer in Safe Mode.
  • If the computer is running, shut down Windows, and then turn off the power.
  • Wait 30 seconds, and then turn the computer on.
  • Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
  • Ensure that the Safe Mode option is selected.
  • Press Enter. The computer then begins to start in Safe mode.
  • Login on your usual account.
Step 3: Run SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Greets, John.
User avatar
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Unread postby alcskid » February 19th, 2007, 5:06 am

Here is the Report.txt:

SDFix: Version 1.66

Run by Anton - Mon 19/02/2007 @ 19:49:00.56

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:

Path:


Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found...




ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"


Remaining Files:
---------------



Checking For Files with Hidden Attributes :

C:\Documents and Settings\Anton\Application Data\Microsoft\Virtual PC\VPCKeyboard.dll
C:\Games\Mini Car Racing\Game\WCSUP.DLL
C:\NEO Power Kit\Language\greek.dll
C:\NEO Power Kit\Language\japanese.dll
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp

Add/Remove Programs List:

A-Ray Scanner 2.0.2.3
Adobe Acrobat 7.0.8 Professional
AdSubtract PRO
Age Of Pirates - Caribbean Tales 1.41
Apollo DVD Copy 4.6.17
At the Doctor's
Barbie(R) Pet Rescue
BayGenie eBay Auction Sniper Pro Edition 2.8.0.0
COMODO Firewall Pro
CureROM Pro 2.0.3
EPSON Printer Software
Fractions & Decimals
FinePrint
Multi-Mail Notifier Professional Edition
HijackThis 1.99.1
Microsoft Internationalized Domain Names Mitigation APIs
Windows Internet Explorer 7
Sid Meier's Pirates!
Rollback Rx
Shrek 2
Jungle Games
Microsoft Base Smart Card Cryptographic Service Provider Package
K-Lite Mega Codec Pack 1.59
Magic ISO Maker v5.2 (build 0190)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Mini Car Racing
Microsoft Compression Client Pack 1.0 for Windows XP
Neo Max
Microsoft National Language Support Downlevel APIs
NOD32 antivirus system
NVIDIA Drivers
Paws Explore - Fractions
PicaView
Origami Craft Studio
Remote Administrator v2.2
ShadowFlare
Adobe Flash Player 9 ActiveX
Motorola SM56 Speakerphone Modem
TerraSip Phoner 1.16
Microsoft Office Ultimate 2007
Unlocker 1.8.5
æTorrent
Windows Imaging Component
WinRAR archiver
Microsoft User-Mode Driver Framework Feature Pack 1.0
XML Paper Specification Shared Components Pack 1.0
Yahoo!7 Messenger
SpongeBob SquarePants - Lights, Camera, Pants!
Microsoft .NET Framework 3.0
Sid Meier's Pirates!
Heroes of Might and Magic V
WinPatrol
Windows Communication Foundation
Sony Ericsson OCS
Tom and Jerry in Fists of Furry
EPSON PhotoQuicker3.5
Rollback Rx
Microsoft .NET Framework 2.0
Shrek 2
PC Suite
Harry Potter II
Windows Workflow Foundation
Learn to Play Chess with Fritz and Chesster 2
Microsoft Software Update for Web Folders (English) 12
Microsoft Office Access MUI (English) 2007
Microsoft Office Excel MUI (English) 2007
Microsoft Office PowerPoint MUI (English) 2007
Microsoft Office Publisher MUI (English) 2007
Microsoft Office Outlook MUI (English) 2007
Microsoft Office Word MUI (English) 2007
Microsoft Office Proof (English) 2007
Microsoft Office Proof (French) 2007
Microsoft Office Proof (Spanish) 2007
Microsoft Office Proofing (English) 2007
Microsoft Office InfoPath MUI (English) 2007
Microsoft Office Shared MUI (English) 2007
Microsoft Office OneNote MUI (English) 2007
Microsoft Office Groove MUI (English) 2007
Microsoft Office Groove Setup Metadata MUI (English) 2007
Microsoft Office Shared Setup Metadata MUI (English) 2007
Microsoft Office Access Setup Metadata MUI (English) 2007
Microsoft Office Ultimate 2007
Project64 1.6
Sony Ericsson Mobile Phone Monitor
NEO Power Kit
Adobe Acrobat 7.0 Professional
Learn to Play Chess with Fritz and Chesster
5star Game Copy
Windows Presentation Foundation
ConvertXtoDVD 2.1.5.173
Windows Rights Management Client with Service Pack 2
Disney Pixar 2nd and 3rd Grade
Sony Ericsson File Manager
Microsoft .NET Framework 1.1
Microsoft Virtual PC 2004
DynAdvance Notifier
GTR 2 1.0.0.0
NOD32 FiX v2.1
Disney's The Jungle Book Year 3
Windows Rights Management Client Backwards Compatibility SP2
Nero 7 Premium
Australian City Streets Ver 3
Opera 9.02
Realtek AC'97 Audio
In Search of the Lost Words

Finished

And HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:01:11 PM, on 19/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Rollback\RollbackClnt.exe
C:\WINDOWS\system32\r_server.exe
C:\Program Files\Rollback\shdserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Rollback\RollbackTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AdSubtract\adsub.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=172.16.16.1:8080;http=127.0.0.1:4444;https=172.16.16.1:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Rollback] "C:\Program Files\Rollback\RollbackTray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB002" /M "Stylus C45"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2196325433
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2196421417
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C57FE198-5134-46C6-A103-AD44A4873F7E}: Domain = 1sbs.com.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{C57FE198-5134-46C6-A103-AD44A4873F7E}: NameServer = 172.16.16.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RollbackClientService - Unknown owner - C:\Program Files\Rollback\RollbackClnt.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: SHDSERV - Horizon Datasys, Inc. - C:\Program Files\Rollback\shdserv.exe
alcskid
Active Member
 
Posts: 6
Joined: February 16th, 2007, 7:21 am

Unread postby John B. » February 19th, 2007, 8:49 am

Hi,

You're running an illegal copy of NOD32. Cracked software is a major source of infection and it may very well be why you got infected.
As we don't help people who run illegal software I suggest you to uninstall NOD32 and NOD32 FiX v2.1!!!

It is important to have an Anti Virus program running so I suggest you install another one.
See this link for a listing of some on line & their stand-alone anti virus programs:
Computer Safety On line - Anti-Virus
I use AVG Anti-Virus (Free Edition)!

P2P Warning!
Please note that as long as you are using any form of Peer-to-Peer networking and downloading files from non-documented sources, you can expect infestations of malware to occur
Once upon a time, P2P file sharing was fairly safe. That is no longer true. You may continue to use P2P sharing at your own risk; however, please keep in mind that this practice may be the source of your current malware infestation
Additional information on the safety of Peer to Peer programs themselves is here :
Clean/Infected P2P Programs
Please decide if you want to keep using P2P so I can put it in my next speech if you don't want to keep it.

Step 1: Download and Run ATF Cleaner
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.

Double-click ATF Cleaner.exe to open it.

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache

*The other boxes are optional*
Then click the Empty Selected button.

Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.

Step 2: Run Kaspersky Online Scan
Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be promted to install an ActiveX component from Kaspersky,
Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended (if available otherwise Standard)
    • Scan Options:
      Scan Archives Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
      Select My Computer
  • This will program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.

Step 3: Post logs
* Kaspersky log
* Fresh HJT log
* Tell me if you're still having problems or questions?

Greets, John.
User avatar
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Unread postby alcskid » February 19th, 2007, 4:02 pm

Kaspersky log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, February 20, 2007 6:33:32 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 19/02/2007
Kaspersky Anti-Virus database records: 269757
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
G:\

Scan Statistics:
Total number of scanned objects: 93670
Number of viruses found: 57
Number of infected objects: 132 / 0
Number of suspicious objects: 0
Duration of the scan process: 05:13:46

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\interMute\AdSubtract\init.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\InboxLOG.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\OutboxLOG.txt Object is locked skipped
C:\Documents and Settings\Anton\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Anton\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Anton\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Anton\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Anton\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Anton\Local Settings\History\History.IE5\MSHist012007022020070221\index.dat Object is locked skipped
C:\Documents and Settings\Anton\Local Settings\Temp\~DF3C28.tmp Object is locked skipped
C:\Documents and Settings\Anton\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Anton\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Anton\My Documents\Warez\Remote Administrator 21\RADMIN21.EXE/AdmDll.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Documents and Settings\Anton\My Documents\Warez\Remote Administrator 21\RADMIN21.EXE/raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.20 skipped
C:\Documents and Settings\Anton\My Documents\Warez\Remote Administrator 21\RADMIN21.EXE/radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\Documents and Settings\Anton\My Documents\Warez\Remote Administrator 21\RADMIN21.EXE/r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.21 skipped
C:\Documents and Settings\Anton\My Documents\Warez\Remote Administrator 21\RADMIN21.EXE Gentee: infected - 4 skipped
C:\Documents and Settings\Anton\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Anton\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Miscellaneous/Admintoolz/admintoolz/pskill.exe;1 Infected: not-a-virus:NetTool.Win32.PsKill skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Miscellaneous/asx-bufferoverrun/Explorer-Win2k-BufferOverrun.Asx;1 Infected: Virus.Script.ASX.Conp skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Miscellaneous/Jolt2-Win2k/jolt2.exe;1 Infected: Exploit.Win32.Jolt skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Miscellaneous/Netcat2/netcat 2.0/srvcmd.exe;1 Infected: not-a-virus:RemoteAdmin.Win32.SrvCmd skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Modul 13 - Web Based Password Cracking Techniques/Brutus/BrutusA2.exe;1 Infected: not-a-virus:PSWTool.Win32.Brutus skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Modul 13 - Web Based Password Cracking Techniques/mungabunga.exe;1/data0001 Infected: Backdoor.Win32.DSSdoor.a skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Modul 13 - Web Based Password Cracking Techniques/mungabunga.exe;1/data0003 Infected: HackTool.Win32.Munga.b skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Modul 13 - Web Based Password Cracking Techniques/mungabunga.exe;1 Infected: HackTool.Win32.Munga.b skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Modul 13 - Web Based Password Cracking Techniques/RevelationV2/SetupRevelationV2.exe;1/WISE0012.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Modul 13 - Web Based Password Cracking Techniques/RevelationV2/SetupRevelationV2.exe;1/WISE0013.BIN Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Modul 13 - Web Based Password Cracking Techniques/RevelationV2/SetupRevelationV2.exe;1 Infected: not-a-virus:PSWTool.Win32.SnadBoy.2011 skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 11 - Hacking Web Servers/A Tool Exploit for WebDav and IIS.tar.gz;1/KaHT_public.tar/KaHT_public/ehttps/ehttps.exe Infected: Exploit.Win32.WebDav.j skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 11 - Hacking Web Servers/A Tool Exploit for WebDav and IIS.tar.gz;1/KaHT_public.tar/KaHT_public/KaHT.exe Infected: Exploit.Win32.WebDav.i skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 11 - Hacking Web Servers/A Tool Exploit for WebDav and IIS.tar.gz;1/KaHT_public.tar Infected: Exploit.Win32.WebDav.i skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 11 - Hacking Web Servers/A Tool Exploit for WebDav and IIS.tar.gz;1 Infected: Exploit.Win32.WebDav.i skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 11 - Hacking Web Servers/DComExpl_UnixWin32/DComExploit.exe;1 Infected: Exploit.Win32.DCom.a skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 11 - Hacking Web Servers/execiis-win32.exe;1 Infected: Exploit.Win32.IISError skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 11 - Hacking Web Servers/hk/hk.exe;1 Infected: Trojan.Win32.HK skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 11 - Hacking Web Servers/IdqOverflow.exe;1 Infected: Exploit.Win32.Snakeover.20 skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 11 - Hacking Web Servers/IIS WebDav Exploit/wb.exe;1 Infected: Exploit.Win32.WebDav.a skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 11 - Hacking Web Servers/IIS5-Koei.exe;1 Infected: Exploit.Win32.PrinterOverflow.d skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 11 - Hacking Web Servers/iis5hack/iis5hack.exe;1 Infected: Exploit.Win32.IndexServerOverflow.a skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 11 - Hacking Web Servers/iis5hack/iis5hack.pl;1 Infected: Exploit.Win32.IndexServerOverflow.a skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 11 - Hacking Web Servers/iiscrack.dll/iiscrack/iiscrack.dll;1 Infected: Exploit.Win32.IISCrack.a skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 11 - Hacking Web Servers/iishack/eEye.retina.vs.iis4/iishack.exe;1 Infected: Trojan.Win32.IIS_Hack skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 11 - Hacking Web Servers/iishack/eEye.retina.vs.iis4/ncx.exe;1 Infected: Backdoor.Win32.Ncx.a skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 11 - Hacking Web Servers/iishack/eEye.retina.vs.iis4/ncx99.exe;1 Infected: Backdoor.Win32.Ncx.b skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 11 - Hacking Web Servers/IISIDQ.exe;1 Infected: Exploit.Win32.Snakeover.20 skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 11 - Hacking Web Servers/iisxploit.exe;1 Infected: Exploit.Win32.Xploit.b skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 11 - Hacking Web Servers/iis_dos.exe;1 Infected: DoS.Win32.Agent.c skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 11 - Hacking Web Servers/ispc/idq.dll;1 Infected: Exploit.Win32.CAN.1999-0412.c skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 11 - Hacking Web Servers/ispc/ispc.exe;1 Infected: Exploit.Win32.CAN.1999-0412.c skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 11 - Hacking Web Servers/jill-32/jill-win32.exe;1 Infected: Exploit.Win32.PrinterOverflow.g skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 11 - Hacking Web Servers/jill-32/nc/NC.EXE;1 Infected: not-a-virus:RemoteAdmin.Win32.NetCat skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 11 - Hacking Web Servers/jill-32/nc/nc11nt.zip;1/nc.exe Infected: not-a-virus:RemoteAdmin.Win32.NetCat skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 11 - Hacking Web Servers/jill-32/nc/nc11nt.zip;1 Infected: not-a-virus:RemoteAdmin.Win32.NetCat skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 12 - Web Application Vulnerabilities/HelpMe2.pl;1 Infected: Exploit.Perl.CAN.2002-0823 skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 12 - Web Application Vulnerabilities/htmlbar.msi;1/_D858A5B5474822BC32A1EA1D711ABE6C/_AE63393C2AE41F1B8135DD8834063CFB Infected: not-a-virus:AdWare.Win32.HotBar.aw skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 12 - Web Application Vulnerabilities/htmlbar.msi;1/_D858A5B5474822BC32A1EA1D711ABE6C Infected: not-a-virus:AdWare.Win32.HotBar.aw skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 12 - Web Application Vulnerabilities/htmlbar.msi;1 Infected: not-a-virus:AdWare.Win32.HotBar.aw skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 12 - Web Application Vulnerabilities/IEEN/ieen_c.exe;1 Infected: not-a-virus:NetTool.Win32.IEEN.030 skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 12 - Web Application Vulnerabilities/IEEN/ieen_s.exe;1 Infected: not-a-virus:NetTool.Win32.IEEN.030 skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 12 - Web Application Vulnerabilities/jill-win32.exe;1 Infected: Exploit.Win32.PrinterOverflow.g skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 12 - Web Application Vulnerabilities/Win32Hlp/s0h_Win32hlp.exe;1 Infected: HackTool.Win32.CntLink skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 12 - Web Application Vulnerabilities/WindowBomb.htm;1 Infected: Trojan.JS.WindowBomb.a skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 14 - SQL Injection/forceSQL/forceSQL.exe;1 Infected: not-a-virus:PSWTool.Win32.ForceSQL.20 skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 14 - SQL Injection/sql2.exe;1 Infected: Exploit.Win32.SQLhuc.a skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 14 - SQL Injection/sqldict.exe;1 Infected: HackTool.Win32.SQLPass.a skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 14 - SQL Injection/sqlexec/SQLExec.exe;1 Infected: Trojan.Win32.SQLExec skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 14 - SQL Injection/thcsql/THCsql.exe;1 Infected: Exploit.Win32.CAN.2002-0649.a skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 16 - Virus/AceVirus.bat.txt;1 Infected: Trojan.BAT.KillAll.c skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 16 - Virus/Anti-Virus Signature Offset Finder/avpoffset.exe;1 Infected: VirTool.Win32.Avpsof skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 16 - Virus/Batch-File-Virus-Creator.exe;1 Infected: Constructor.Win32.Tvirus skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 16 - Virus/casino/CASINO.COM;1 Infected: Virus.DOS.Nuke.1680 skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 16 - Virus/Godmessage_worm0.1/GMW.vbs;1 Infected: Email-Worm.VBS.GMW skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 16 - Virus/ILVOEYOU1.txt;1 Infected: Email-Worm.VBS.LoveLetter skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 16 - Virus/ILVOEYOU2.txt;1 Infected: Email-Worm.VBS.LoveLetter skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 16 - Virus/ILVOEYOU3.txt;1 Infected: Email-Worm.VBS.LoveLetter skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 16 - Virus/Internet Worm Generator/SSIWG.EXE;1 Infected: Constructor.VBS.SSIWG.20 skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 16 - Virus/Klez Virus Live!/face.exe;1 Infected: Email-Worm.Win32.Klez.h skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 16 - Virus/Klez Virus Live!/Living.pif;1 Infected: Email-Worm.Win32.Klez.h skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 16 - Virus/Klez Virus Live!/Lnwtg.exe;1 Infected: Email-Worm.Win32.Klez.h skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 16 - Virus/Klez Virus Live!/snoopy.exe;1 Infected: Email-Worm.Win32.Klez.h skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 16 - Virus/Membrain/MBTEST.EXE;1 Infected: Trojan.DOS.Membrain skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 16 - Virus/Membrain/MEMBRAIN.EXE;1 Infected: Virus.DOS.HLLO.Membrain skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 16 - Virus/Netbus.vir/NETBUS.EXE;1 Infected: Backdoor.Win32.Pipes skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 16 - Virus/Stealth Batch/StealthBatch.exe;1 Infected: Trojan-Dropper.Win32.StealthBat skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 16 - Virus/w0rm10n.tar;1/lib.tar/lib/1i0n.sh Infected: Net-Worm.Linux.Ramen.c skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 16 - Virus/w0rm10n.tar;1/lib.tar/lib/hack.sh Infected: Net-Worm.Linux.Ramen.b skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 16 - Virus/w0rm10n.tar;1/lib.tar/lib/bind Infected: Net-Worm.Linux.Ramen.c skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 16 - Virus/w0rm10n.tar;1/lib.tar/lib/randb Infected: Net-Worm.Linux.Ramen skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 16 - Virus/w0rm10n.tar;1/lib.tar/lib/scan.sh Infected: Net-Worm.Linux.Ramen.c skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 16 - Virus/w0rm10n.tar;1/lib.tar/lib/pscan Infected: Net-Worm.Linux.Ramen.b skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 16 - Virus/w0rm10n.tar;1/lib.tar/lib/star.sh Infected: Net-Worm.Linux.Ramen.b skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 16 - Virus/w0rm10n.tar;1/lib.tar/lib/bindx.sh Infected: Net-Worm.Linux.Ramen.c skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 16 - Virus/w0rm10n.tar;1/lib.tar/lib/getip.sh Infected: Net-Worm.Linux.Ramen skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 16 - Virus/w0rm10n.tar;1/lib.tar Infected: Net-Worm.Linux.Ramen skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 16 - Virus/w0rm10n.tar;1 Infected: Net-Worm.Linux.Ramen skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 17 - Novell Hacking/burglar/BURGLAR.NLM;1 Infected: Trojan.Novell.Burglar skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 17 - Novell Hacking/CONTROL/MASTER.EXE;1 Infected: Backdoor.Win32.IpxCtrl skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 17 - Novell Hacking/CONTROL/MINION.EXE;1 Infected: Backdoor.Win32.IpxCtrl skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 17 - Novell Hacking/getit/GETIT.COM;1 Infected: Trojan.DOS.GetLogin.100 skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 17 - Novell Hacking/getit/GETIT.OBJ;1 Infected: Trojan.DOS.GetLogin.100 skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 17 - Novell Hacking/KEYCOPY/KEYCOPY.COM;1 Infected: Trojan-Spy.DOS.Keycopy skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 17 - Novell Hacking/KEYTRAP/KEYTRAP.COM;1 Infected: Trojan-Spy.DOS.KeyTrap.20 skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 18 - Linux Hacking/fbsd_rootkit_1_2_tar.gz;1/fbsd.rootkit.1.2.tar/fbsdrootkit-1.2/install.sh Infected: Rootkit.FreeBSD.Agent.a skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 18 - Linux Hacking/fbsd_rootkit_1_2_tar.gz;1/fbsd.rootkit.1.2.tar/fbsdrootkit-1.2/dotrip.sh Infected: Rootkit.FreeBSD.Agent.a skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 18 - Linux Hacking/fbsd_rootkit_1_2_tar.gz;1/fbsd.rootkit.1.2.tar Infected: Rootkit.FreeBSD.Agent.a skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 18 - Linux Hacking/fbsd_rootkit_1_2_tar.gz;1 Infected: Rootkit.FreeBSD.Agent.a skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 19 - Evading IDS, Firewalls and Honeypots/ackcmd/AckCmdC.exe;1 Infected: Backdoor.Win32.AckCmd skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 19 - Evading IDS, Firewalls and Honeypots/ackcmd/AckCmdS.exe;1 Infected: Backdoor.Win32.AckCmd skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 21 - Cryptography/distributed.net/dnetc.com;1 Infected: not-a-virus:NetTool.Win32.Calc-DNet.l skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 21 - Cryptography/distributed.net/dnetc.exe;1 Infected: not-a-virus:NetTool.Win32.Calc-DNet.g skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 21 - Cryptography/distributed.net/setup.exe;1/DNETC.EXE Infected: not-a-virus:NetTool.Win32.Calc-DNet.g skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 21 - Cryptography/distributed.net/setup.exe;1/DNETC.COM Infected: not-a-virus:NetTool.Win32.Calc-DNet.l skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 21 - Cryptography/distributed.net/setup.exe;1 Infected: not-a-virus:NetTool.Win32.Calc-DNet.l skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 3 - Scanning/backstealth/backstealth.exe;1 Infected: HackTool.Win32.BackStealth skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 3 - Scanning/firewar/firewar.exe;1 Infected: Exploit.Win32.Firewar skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 3 - Scanning/Lite-SOCKS/Generator.exe;1 Infected: Backdoor.Win32.Aphexdoor.LiteSock skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 3 - Scanning/Lite-SOCKS/Server.exe;1 Infected: Backdoor.Win32.Aphexdoor.LiteSock skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 4 - Enumeration/enum_tar.gz;1/enum/enum.exe Infected: HackTool.Win32.EnumPlus.a skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 4 - Enumeration/enum_tar.gz;1 Infected: HackTool.Win32.EnumPlus.a skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 5 - System Hacking/c2myazz/C2MYAZZ.EXE;1 Infected: Spoofer.Win32.Myazz skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 5 - System Hacking/E-Mail Keylogger.exe;1 Infected: Trojan-Spy.Win32.SCKeyLog.20 skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 5 - System Hacking/Fearless Keylogger/FKS.exe;1 Infected: Trojan-Spy.Win32.Fearless.11.b skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 5 - System Hacking/getadmin/GetAdmin.exe;1 Infected: Exploit.Win32.GetAdmin.a skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 5 - System Hacking/getadmin/hk.exe;1 Infected: Trojan.Win32.HK skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 5 - System Hacking/getadmin/starAPI.dll;1 Infected: Exploit.Win32.GetAdmin.a skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 5 - System Hacking/iks2k20d.exe;1/datview.exe Infected: not-a-virus:Monitor.Win32.IKSlog.20.a skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 5 - System Hacking/iks2k20d.exe;1/iks.sys Infected: not-a-virus:Monitor.Win32.IKSlog.21 skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 5 - System Hacking/iks2k20d.exe;1/iksinstall.exe Infected: not-a-virus:Monitor.Win32.IKSlog.21 skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 5 - System Hacking/iks2k20d.exe;1 Infected: not-a-virus:Monitor.Win32.IKSlog.21 skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso/Module 5 - System Hacking/kerbcrack/kerbcrack.exe;1 Infected: not-a-virus:PSWTool.Win32.KerbCrack.a skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso/Certified Ethical Hacker Lab 3.0/CEH3.01.iso Infected: not-a-virus:PSWTool.Win32.KerbCrack.a skipped
C:\Downloads\Certified Ethical Hacker Lab 3.0.iso ISO image: infected - 114 skipped
C:\Downloads\SAMInside23.7z/SAMInside.exe Infected: not-a-virus:PSWTool.Win32.SAMInside.c skipped
C:\Downloads\SAMInside23.7z 7-Zip: infected - 1 skipped
C:\Downloads\SAMInside23.rar/SAMInside.exe Infected: not-a-virus:PSWTool.Win32.SAMInside.c skipped
C:\Downloads\SAMInside23.rar RAR: infected - 1 skipped
C:\Games\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\Movies\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\Program Files\Radmin\raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\Program Files\Radmin\radmin.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\Program Files\Radmin\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_Motorola SM56 Speakerphone Modem.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\raddrv.dll Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\WINDOWS\system32\r_server.exe Infected: not-a-virus:RemoteAdmin.Win32.RAdmin.22 skipped
C:\WINDOWS\system32\spool\PRINTERS\00002.SPL Object is locked skipped
C:\WINDOWS\system32\spool\PRINTERS\00004.SPL Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped

Scan process completed.

HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 6:54:31 AM, on 20/02/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\sm56hlpr.exe
C:\Program Files\Rollback\RollbackTray.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE
C:\Program Files\DAEMON Tools\daemon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Rollback\RollbackClnt.exe
C:\Program Files\AdSubtract\adsub.exe
C:\WINDOWS\system32\r_server.exe
C:\Program Files\Rollback\shdserv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = ftp=172.16.16.1:8080;http=127.0.0.1:4444;https=172.16.16.1:8080
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SMSERIAL] sm56hlpr.exe
O4 - HKLM\..\Run: [Rollback] "C:\Program Files\Rollback\RollbackTray.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe" /source=HKLM
O4 - HKLM\..\Run: [EPSON Stylus C45 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I3T1.EXE /P23 "EPSON Stylus C45 Series" /O6 "USB002" /M "Stylus C45"
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: AdSubtract.lnk = C:\Program Files\AdSubtract\adsub.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupda ... 2196325433
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 2196421417
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/s ... wflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C57FE198-5134-46C6-A103-AD44A4873F7E}: Domain = 1sbs.com.au
O17 - HKLM\System\CCS\Services\Tcpip\..\{C57FE198-5134-46C6-A103-AD44A4873F7E}: NameServer = 172.16.16.1
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RollbackClientService - Unknown owner - C:\Program Files\Rollback\RollbackClnt.exe
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\system32\r_server.exe" /service (file missing)
O23 - Service: SHDSERV - Horizon Datasys, Inc. - C:\Program Files\Rollback\shdserv.exe

No question, since I fixed it last time, the problem is gone. Thanks anyway.
alcskid
Active Member
 
Posts: 6
Joined: February 16th, 2007, 7:21 am

Unread postby John B. » February 21st, 2007, 12:34 pm

Hi,

I'm sorry for the delay but we had to discuss something.

I really want to tell you that the downloading of cracked software and illegal downloads is very dangerous and you will be reinfected a lot if you keep downloading like this.
Kaspersky found lots of different malware in some of your downloads so I suggest you remove them.
The infections in cracked software and illegal download are really killing our free internet!

Step 1: Delete bad files
Use Explorer to navigate to and delete the following files (if present):

C:\Downloads\Certified Ethical Hacker Lab 3.0.iso
C:\Downloads\SAMInside23.7z
C:\Downloads\SAMInside23.rar

Now just exit Explorer.

This is my normal post for when you are clear - which you now are - or seem to be.
Please advise of any problems you still have. If you think you're clean please give one more reply so that I can archive this topic.

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
  • Disable and Enable System Restore. - If you are using Windows ME or XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
    Turn off System Restore.
    On the Desktop, right-click My Computer
    Click Properties
    Click the System Restore tab
    Check Turn off System Restore
    Click Apply, and then click OK

    Reboot.

    Turn on System Restore.
    On the Desktop, right-click My Computer
    Click Properties
    Click the System Restore tab
    Uncheck Turn off System Restore
    Click Apply, and then click OK
    NOTE: only do this ONCE, NOT on a regular basis!
  • Make your Internet Explorer more secure - This can be done by following these simple instructions:
    • From within Internet Explorer click on the Tools menu and then click on Options.
    • Click once on the Security tab
    • Click once on the Internet icon so it becomes highlighted.
    • Click once on the Custom Level button.
      • Change the Download signed ActiveX controls to Prompt
      • Change the Download unsigned ActiveX controls to Disable
      • Change the Initialise and script ActiveX controls not marked as safe to Disable
      • Change the Installation of desktop items to Prompt
      • Change the Launching programs and files in an IFRAME to Prompt
      • Change the Navigate sub-frames across different domains to Prompt
      • When all these settings have been made, click on the OK button.
      • If it prompts you as to whether or not you want to save the settings, press the Yes button.
    • Next press the Apply button and then the OK to exit the Internet Properties page.
  • Update your Anti Virus Software - It is imperitive that you update your Anti virus software at least once a week (Even more if you wish). If you do not update your anti virus software then it will not be able to catch any of the new variants that may come out.
  • Visit Microsoft's Update Site Frequently - It is important that you visit http://update.microsoft.com/ regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
  • Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
    This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with program on a regular basis just as you would an anti virus software. A tutorial on installing & using this product can be found here:
    Instructions for - Spybot S & D and Ad-aware
  • Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would an anti virus software in conjunction with Spybot. A tutorial on installing & using this product can be found here:
    Instructions for - Spybot S & D and Ad-aware
  • Install SpywareBlaster - SpywareBlaster will added a large list of programs and sites into your Internet Explorer settings that will protect you from running and downloading known malicious programs. A article on anti-malware products with links for this program and others can be found here:
    Computer Safety on line - Anti-Malware
  • Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.

Follow this list and your potential for being infected again will reduce dramatically.

Stand Up and Be Counted!
Please take the time to tell us what you would like to be done about the people who are behind all the problems you have had. We can only get something done about this if the people that we help, like you, are prepared to complain. We have a dedicated forum for collecting these complaints Malware Complaints, you have to be registered to post after registering just find your country room and register your complaint.
The infection you had was Vundo

>> Here << you can see how you can help us.

May your God go with you..

John.
User avatar
John B.
MRU Master Emeritus
 
Posts: 4568
Joined: May 14th, 2006, 5:05 am
Location: The Netherlands

Unread postby alcskid » February 21st, 2007, 6:00 pm

Sorry John,

But you are wrong. Both two files were used for testing purpose only. And my job is on Computer Security specialist. On daily based I was playing with this so many virus, malware and hacking tools. And it's not illegal.

If you go for some like hacking technology seminar or something like that you will get these tools as well for free. So there is nothing wrong with my tools. Don't judge so badly. As long as you know what you are playing with, then that's OK.

You can archive and close this topic. Thanks.
alcskid
Active Member
 
Posts: 6
Joined: February 16th, 2007, 7:21 am

Unread postby 'KotaGuy » February 25th, 2007, 11:54 am

This topic is now closed. If you wish it reopened, please send us an email to 'admin at malwareremoval.com' with a link to your thread.

You can help support this site from this link :
Donations For Malware Removal

Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
User avatar
'KotaGuy
Admin/Teacher Emeritus
 
Posts: 12472
Joined: April 7th, 2005, 7:06 pm
Location: Alberta, Canada
Advertisement
Register to Remove


  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 496 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware