HELP... My Log

Post by DavidJ710 » December 31st, 2005, 12:38 pm

AVG says I have a Klone virus, Zone Alarm says something about a Win32.Sinteri and Win32.Sinteri!Downloader.

Hijack This gave me the following log:

Logfile of HijackThis v1.99.1
Scan saved at 10:22:18 AM, on 12/31/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Trillian\trillian.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Grisoft\AVG Free\avgcc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\David\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wooster.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wooster.edu
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://maxysearch.info/google/redir2.fcgi?
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\User\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [084c0f6g.dll] RUNDLL32.EXE 084c0f6g.dll,b 29579562
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/in ... er_gmn.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Thank you so much for helping a poor newbie.
DavidJ710
Regular Member
 
Posts: 18
Joined: December 31st, 2005, 12:28 pm
Location: Lincoln, NE

Post by Susan528 » January 1st, 2006, 1:14 am

Hello David and Welcome to Malware Removal,

STEP 1.
======
Open HijackThis. Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://maxysearch.info/google/redir2.fcgi?
O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)

Click Fix Checked.

Reboot normally and scan with HijackThis. Post (reply) with a new hijackthis log to this thread.

STEP 2.
======
MWAV Scan
Please download MWAV to a convenient location.
This scan only produces a report, it doesn't clean your system. I will analyze the report and recommend a course of action depending on the results.
This scan might take around 3+ hours to finish when set to scan everything.

Double-click on mwav.exe.
Put a check next to the below items before scanning:
  • Memory
  • Startup Folders
  • Drive - All Local Drives
  • Folder - then click "browse" to change the directory to C: (default is C:\Windows)
  • Registry
  • System Folders
  • Services
  • Include Sub-Directory
  • Scan All Files

Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.

**NOTE** Sometimes MWAV will pause and appear to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window you will see the lower panel where MWAV lists "infected items". Please highlight everything in that lower panel, copy it by holding CTRL + C, then paste it here. The whole log will be extremely BIG, so there is no way to post the log. I just need the infected items list.
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA
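A small triage script for the kind of HijackThis lines fixed in Step 1, added here as an example; it is not code from MalwareRemoval.com or from HijackThis. It flags the three patterns a helper acts on in the log above: an R1 ShellNext value pointing at an external URL, an O20 Winlogon Notify handler whose DLL is missing, and an O4 Run entry that loads a DLL through RUNDLL32 with no path (the 084c0f6g.dll line, which the later MWAV scan tagged as adware). The sample lines are a constructed excerpt modelled on the posted log.

```python
"""Flag the HijackThis log lines a helper asks to fix.

Added example; not code from MalwareRemoval.com or from HijackThis itself.
The heuristics cover the three patterns acted on in this thread: an R1
ShellNext pointing at an external URL, an O20 Winlogon Notify DLL that is
missing, and an O4 Run entry that loads a DLL via RUNDLL32 with no path.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed excerpt modelled on the posted HijackThis v1.99.1 log.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wooster.edu
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://maxysearch.info/google/redir2.fcgi?
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [084c0f6g.dll] RUNDLL32.EXE 084c0f6g.dll,b 29579562
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O20 - Winlogon Notify: ssldr - ssldr32.dll (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Every HijackThis line starts with a section tag such as "R1" or "O20".
LINE_RE = re.compile(r"^(?P<kind>[A-Z]\d{1,2}) - (?P<body>.+)$")
# O4 registry Run entries look like: HKLM\..\Run: [name] command line
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


@dataclass
class Entry:
    kind: str                 # HijackThis section, e.g. "O4"
    body: str                 # text after "O4 - "
    flags: list[str] = field(default_factory=list)


def parse_hjt(text: str) -> list[Entry]:
    """Split a log into (kind, body) entries; lines without a tag are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m["kind"], m["body"]))
    return entries


def check_entry(e: Entry) -> None:
    """Attach a reason for each heuristic the entry trips."""
    if e.kind == "R1" and ",ShellNext = http" in e.body:
        # ShellNext is normally empty; a third-party redirector here is a hijack.
        e.flags.append("ShellNext redirect to external URL")
    if e.kind == "O20" and "Winlogon Notify" in e.body and "(file missing)" in e.body:
        # A Winlogon Notify package whose DLL is gone is leftover persistence.
        e.flags.append("Winlogon Notify handler with missing DLL")
    if e.kind == "O4":
        m = RUN_RE.match(e.body)
        if m:
            parts = m["cmd"].strip().strip('"').split()
            if parts and parts[0].lower() in ("rundll32.exe", "rundll32") and len(parts) > 1:
                dll = parts[1].split(",")[0]
                if "\\" not in dll:
                    # No directory: the DLL is found via the search order, typical of adware loaders.
                    e.flags.append(f"RUNDLL32 loads {dll} with no path")


def triage(text: str) -> list[Entry]:
    """Return only the entries that tripped at least one heuristic, in log order."""
    entries = parse_hjt(text)
    for e in entries:
        check_entry(e)
    return [e for e in entries if e.flags]


if __name__ == "__main__":
    for e in triage(SAMPLE_HJT):
        print(f"{e.kind}: {'; '.join(e.flags)}\n    {e.body}")
```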

Second Hijack This Log

Post by DavidJ710 » January 1st, 2006, 4:59 pm

Thanks for your help Susan. Here is the second Hijack This Log. The infected files log from mwav will be coming soon...

Logfile of HijackThis v1.99.1
Scan saved at 2:57:14 PM, on 1/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\David\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wooster.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wooster.edu
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\User\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [084c0f6g.dll] RUNDLL32.EXE 084c0f6g.dll,b 29579562
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/in ... er_gmn.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
DavidJ710
Regular Member
 
Posts: 18
Joined: December 31st, 2005, 12:28 pm
Location: Lincoln, NE

MWAV Log

Post by DavidJ710 » January 1st, 2006, 6:58 pm

And here are the viruses found by MWAV...

File C:\WINDOWS\system32\084c0f6g.dll tagged as "not-a-virus:AdWare.Win32.Sud.a". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\InterVideo\Common\Bin\IVIPromotion.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe" refers to invalid object "C:\WINDOWS\system32\cmmgr32.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\setup.exe" refers to invalid object "C:\Program Files\ATI Technologies\ATI Control Panel\setup.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\yourapp.Exe" refers to invalid object "C:\WINDOWS\yourapp.Exe". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".bak". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".gba". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".j31". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".pf". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "InstallShield_{00FC6799-866E-44A1-A60C-DCF394CF56FD}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "QuickTime". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "WebNexus". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{09C6BF52-6DBA-4A97-9939-B6C24E4738BF}". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8EC31897-D1E6-4758-80BE-31E873AC2903}" refers to invalid object "C:\Program Files\Grisoft\AVG Free\avgamui.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8EC31898-D1E6-4758-80BE-31E873AC2903}" refers to invalid object "C:\Program Files\Grisoft\AVG Free\avgamui.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{aac8802e-d17a-4ad6-89a7-bd133078b0c6}" refers to invalid object "C:\WINDOWS\system32\gkgfe.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{c0164c20-33c8-4f60-bfd1-557e08a93f58}" refers to invalid object "C:\Program Files\MSN\MSNCoreFiles\OOBE\obemetal.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C5AF2622-8C75-4dfb-9693-23AB7686A456}" refers to invalid object "C:\WINDOWS\DH.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C7976BEB-AB1E-46F7-8CCD-D4C9CD83BF49}" refers to invalid object "C:\PROGRA~1\SPYWAR~1\swdoctor.exe". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D9C027CF-DF75-4D2C-B763-AC1CA31C4AF8}" refers to invalid object "C:\Program Files\Grisoft\AVG Free\avgamiui.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{ec48db94-98df-4c2f-932f-bbc28af0a316}" refers to invalid object "C:\Program Files\MSN\MSNCoreFiles\OOBE\obemetal.dll". Action Taken: No Action Taken.
Entry "HKCR\.acl" refers to invalid object "ACLFile". Action Taken: No Action Taken.
Entry "HKCR\.aw" refers to invalid object "AWFile". Action Taken: No Action Taken.
Entry "HKCR\.col" refers to invalid object "COLFile". Action Taken: No Action Taken.
Entry "HKCR\.elm" refers to invalid object "ELMFile". Action Taken: No Action Taken.
Entry "HKCR\.ffa" refers to invalid object "FFAFile". Action Taken: No Action Taken.
Entry "HKCR\.ffl" refers to invalid object "FFLFile". Action Taken: No Action Taken.
Entry "HKCR\.fft" refers to invalid object "FFTFile". Action Taken: No Action Taken.
Entry "HKCR\.ffx" refers to invalid object "FFXFile". Action Taken: No Action Taken.
Entry "HKCR\.gst" refers to invalid object "MSMap.Datainst.8". Action Taken: No Action Taken.
Entry "HKCR\.lex" refers to invalid object "LEXFile". Action Taken: No Action Taken.
Entry "HKCR\.opc" refers to invalid object "OPCFile". Action Taken: No Action Taken.
Entry "HKCR\.pip" refers to invalid object "PIPFile". Action Taken: No Action Taken.
Entry "HKCR\.stf" refers to invalid object "STFFile". Action Taken: No Action Taken.
Entry "HKCR\.tuw" refers to invalid object "TUWFile". Action Taken: No Action Taken.
Entry "HKCR\.wll" refers to invalid object "Word.Addin.8". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost.2" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\Connection Manager Profile\shell\open\command" refers to invalid object "C:\WINDOWS\system32\CMMGR32.EXE "%1"". Action Taken: No Action Taken.
Entry "HKCR\DSP.DSP" refers to invalid object "{9C123EA9-AEC9-4f75-BBC0-7565FA1398966}". Action Taken: No Action Taken.
Entry "HKCR\DSP.DSPDMOProp_Chorus.1" refers to invalid object "{6F63B172-5543-4593-91CE-EDBA65B9FACDB}". Action Taken: No Action Taken.
Entry "HKCR\msbackupfile\shell\open\command" refers to invalid object "%SystemRoot%\system32\ntbackup.exe". Action Taken: No Action Taken.
Entry "HKCR\SpyDoctor.EBankProblem" refers to invalid object "{AE612304-E8F9-45D9-A444-32409D33E954}". Action Taken: No Action Taken.
Entry "HKCR\SpyDoctor.QuarantinedItemProxy" refers to invalid object "{C2CE6266-0404-4C54-96B4-8829852E3537}". Action Taken: No Action Taken.
Entry "HKCR\SpyDoctor.ScripterProxy" refers to invalid object "{9FEF02F5-B3B8-4D7B-8939-72A1C989D1B9}". Action Taken: No Action Taken.
Entry "HKCR\SymWriter.pdb" refers to invalid object "{520DC67A-752E-11D3-8D56-00C04F680B2B}". Action Taken: No Action Taken.
File C:\WINDOWS\system32\DH9013.exe infected by "Trojan-Clicker.Win32.Small.jf" Virus! Action Taken: No Action Taken.
File C:\DOCUME~1\David\LOCALS~1\Temp\temp.frBB3C tagged as "not-a-virus:AdWare.Win32.Ihbo.gen". Action Taken: No Action Taken.
File C:\Documents and Settings\David\Local Settings\Temp\temp.frBB3C tagged as "not-a-virus:AdWare.Win32.Ihbo.gen". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP12\A0001059.exe infected by "Trojan-Proxy.Win32.Delf.an" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP12\A0001074.exe infected by "Trojan-Proxy.Win32.Delf.an" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP12\A0001115.exe infected by "Trojan-Proxy.Win32.Delf.an" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP12\A0001120.dll tagged as "not-a-virus:AdWare.Win32.Ihbo.gen". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP12\A0001160.exe infected by "Trojan-Proxy.Win32.Delf.an" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP12\A0001183.exe infected by "Trojan-Proxy.Win32.Delf.an" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP14\A0001465.exe infected by "Trojan-Proxy.Win32.Delf.an" Virus! Action Taken: No Action Taken.
DavidJ710
Regular Member
 
Posts: 18
Joined: December 31st, 2005, 12:28 pm
Location: Lincoln, NE

Post by Susan528 » January 1st, 2006, 7:53 pm

Hello David

Let’s get rid of those infected files.

Also it appears that you have two anti-virus applications installed and running?
eTrust AntiVirus and
Grisoft Internet security suite
You should only have one anti-virus application installed and running because more than one can interfere with each other.

Show Hidden Files
Please show all files for your system.
You will need to reverse this process when all steps are done.


Delete Files and Folders
Please delete the following files/folders:
C:\Documents and Settings\David\Local Settings\Temp\temp.frBB3C
C:\WINDOWS\system32\084c0f6g.dll
C:\WINDOWS\system32\DH9013.exe


If you have any problem deleting these items, reboot into Safe Mode (tap F8 during bootup, use arrow keys to select Safe Mode, then hit 'enter') and try again.

Cleanmgr
To clean temporary files:
  1. Go > start > run and type cleanmgr and click OK
  2. Scan your system for files to remove.
  3. Make sure Temporary Files, Temporary Internet Files and Recycle Bin are the only things checked.
  4. Click OK to remove those files.
  5. Click Yes to confirm deletion.

System Restore for Windows XP
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected)

Turn off System Restore.
  1. On the Desktop, right-click My Computer.
  2. Click Properties.
  3. Click the System Restore tab.
  4. Check Turn off System Restore.
  5. Click Apply, and then click OK.
Reboot.

Turn ON System Restore.
  1. On the Desktop, right-click My Computer.
  2. Click Properties.
  3. Click the System Restore tab.
  4. UN-Check *Turn off System Restore*.
  5. Click Apply, and then click OK.


Please repeat the MWAV scan so we can double-check that those files are deleted.
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA
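The MWAV report above sorts into three kinds of line, and the helper's reply acts on them differently: live files are deleted by hand, copies under System Volume Information only go away with the System Restore reset, and the "refers to invalid object" registry entries are left alone. This added script (example code, not MalwareRemoval.com's or MWAV's own) does that sorting and also collapses the verbatim repeats the scanner emits when several scan scopes hit the same file. The sample is a constructed excerpt modelled on the posted report.

```python
"""Sort an MWAV "infected items" list into what a helper acts on.

Added example; not code from MalwareRemoval.com or from MWAV's vendor. It
reads the three line shapes in the posted report (File ... tagged as,
File ... infected by, Entry ... refers to invalid object), drops repeated
hits on the same file, and separates live files on disk from copies under
System Volume Information, which only a System Restore reset clears.
"""
from __future__ import annotations

import re

# Constructed excerpt modelled on the MWAV report posted above.
SAMPLE_MWAV = r"""
File C:\WINDOWS\system32\084c0f6g.dll tagged as "not-a-virus:AdWare.Win32.Sud.a". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\yourapp.Exe" refers to invalid object "C:\WINDOWS\yourapp.Exe". Action Taken: No Action Taken.
Entry "HKCR\Connection Manager Profile\shell\open\command" refers to invalid object "C:\WINDOWS\system32\CMMGR32.EXE "%1"". Action Taken: No Action Taken.
File C:\WINDOWS\system32\DH9013.exe infected by "Trojan-Clicker.Win32.Small.jf" Virus! Action Taken: No Action Taken.
File C:\Documents and Settings\David\Local Settings\Temp\temp.frBB3C tagged as "not-a-virus:AdWare.Win32.Ihbo.gen". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP12\A0001059.exe infected by "Trojan-Proxy.Win32.Delf.an" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP12\A0001120.dll tagged as "not-a-virus:AdWare.Win32.Ihbo.gen". Action Taken: No Action Taken.
File C:\WINDOWS\system32\084c0f6g.dll tagged as "not-a-virus:AdWare.Win32.Sud.a". Action Taken: No Action Taken.
File C:\WINDOWS\system32\DH9013.exe infected by "Trojan-Clicker.Win32.Small.jf" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP12\A0001059.exe infected by "Trojan-Proxy.Win32.Delf.an" Virus! Action Taken: No Action Taken.
"""

# "File <path> tagged as "<name>"" or "File <path> infected by "<name>" Virus!"
FILE_RE = re.compile(r'^File (?P<path>.+?) (?:tagged as|infected by) "(?P<name>[^"]+)"')
# Registry housekeeping lines; the object may itself contain quotes, e.g. "%1".
ENTRY_RE = re.compile(r'^Entry "(?P<key>[^"]+)" refers to invalid object "(?P<obj>.*)"\. Action Taken')
# Restore-point copies live here and are protected from ordinary deletion.
RESTORE_MARK = "\\system volume information\\_restore"


def triage_mwav(text: str) -> dict[str, list]:
    """Bucket report lines into delete / restore_point / registry_stale / unparsed."""
    seen = set()
    out = {"delete": [], "restore_point": [], "registry_stale": [], "unparsed": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FILE_RE.match(line)
        if m:
            path, name = m["path"], m["name"]
            key = path.lower()
            if key in seen:            # same file reported again by another scan scope
                continue
            seen.add(key)
            bucket = "restore_point" if RESTORE_MARK in key else "delete"
            out[bucket].append((path, name))
            continue
        m = ENTRY_RE.match(line)
        if m:
            # Dangling registry references: leftover housekeeping, not an infection.
            out["registry_stale"].append((m["key"], m["obj"]))
            continue
        out["unparsed"].append(line)   # keep anything unexpected visible rather than dropping it
    return out


if __name__ == "__main__":
    report = triage_mwav(SAMPLE_MWAV)
    print("Delete by hand:")
    for path, name in report["delete"]:
        print(f"  {path}  [{name}]")
    print("Cleared by System Restore reset:")
    for path, name in report["restore_point"]:
        print(f"  {path}  [{name}]")
    print(f"Stale registry entries ignored: {len(report['registry_stale'])}")
```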

Post by DavidJ710 » January 1st, 2006, 11:40 pm

Getting better... When I rebooted it gave me a DLL error about one of the files that MWAV fixed, other than that, here is the latest log...

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\InterVideo\Common\Bin\IVIPromotion.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe" refers to invalid object "C:\WINDOWS\system32\cmmgr32.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\setup.exe" refers to invalid object "C:\Program Files\ATI Technologies\ATI Control Panel\setup.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\yourapp.Exe" refers to invalid object "C:\WINDOWS\yourapp.Exe". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".bak". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".frBB3C". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".gba". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".j31". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".pf". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "InstallShield_{00FC6799-866E-44A1-A60C-DCF394CF56FD}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "QuickTime". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "WebNexus". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{09C6BF52-6DBA-4A97-9939-B6C24E4738BF}". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8EC31897-D1E6-4758-80BE-31E873AC2903}" refers to invalid object "C:\Program Files\Grisoft\AVG Free\avgamui.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8EC31898-D1E6-4758-80BE-31E873AC2903}" refers to invalid object "C:\Program Files\Grisoft\AVG Free\avgamui.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{aac8802e-d17a-4ad6-89a7-bd133078b0c6}" refers to invalid object "C:\WINDOWS\system32\gkgfe.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{c0164c20-33c8-4f60-bfd1-557e08a93f58}" refers to invalid object "C:\Program Files\MSN\MSNCoreFiles\OOBE\obemetal.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C5AF2622-8C75-4dfb-9693-23AB7686A456}" refers to invalid object "C:\WINDOWS\DH.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C7976BEB-AB1E-46F7-8CCD-D4C9CD83BF49}" refers to invalid object "C:\PROGRA~1\SPYWAR~1\swdoctor.exe". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D9C027CF-DF75-4D2C-B763-AC1CA31C4AF8}" refers to invalid object "C:\Program Files\Grisoft\AVG Free\avgamiui.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{ec48db94-98df-4c2f-932f-bbc28af0a316}" refers to invalid object "C:\Program Files\MSN\MSNCoreFiles\OOBE\obemetal.dll". Action Taken: No Action Taken.
Entry "HKCR\.acl" refers to invalid object "ACLFile". Action Taken: No Action Taken.
Entry "HKCR\.aw" refers to invalid object "AWFile". Action Taken: No Action Taken.
Entry "HKCR\.col" refers to invalid object "COLFile". Action Taken: No Action Taken.
Entry "HKCR\.elm" refers to invalid object "ELMFile". Action Taken: No Action Taken.
Entry "HKCR\.ffa" refers to invalid object "FFAFile". Action Taken: No Action Taken.
Entry "HKCR\.ffl" refers to invalid object "FFLFile". Action Taken: No Action Taken.
Entry "HKCR\.fft" refers to invalid object "FFTFile". Action Taken: No Action Taken.
Entry "HKCR\.ffx" refers to invalid object "FFXFile". Action Taken: No Action Taken.
Entry "HKCR\.gst" refers to invalid object "MSMap.Datainst.8". Action Taken: No Action Taken.
Entry "HKCR\.lex" refers to invalid object "LEXFile". Action Taken: No Action Taken.
Entry "HKCR\.opc" refers to invalid object "OPCFile". Action Taken: No Action Taken.
Entry "HKCR\.pip" refers to invalid object "PIPFile". Action Taken: No Action Taken.
Entry "HKCR\.stf" refers to invalid object "STFFile". Action Taken: No Action Taken.
Entry "HKCR\.tuw" refers to invalid object "TUWFile". Action Taken: No Action Taken.
Entry "HKCR\.wll" refers to invalid object "Word.Addin.8". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost.2" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\Connection Manager Profile\shell\open\command" refers to invalid object "C:\WINDOWS\system32\CMMGR32.EXE "%1"". Action Taken: No Action Taken.
Entry "HKCR\DSP.DSP" refers to invalid object "{9C123EA9-AEC9-4f75-BBC0-7565FA1398966}". Action Taken: No Action Taken.
Entry "HKCR\DSP.DSPDMOProp_Chorus.1" refers to invalid object "{6F63B172-5543-4593-91CE-EDBA65B9FACDB}". Action Taken: No Action Taken.
Entry "HKCR\msbackupfile\shell\open\command" refers to invalid object "%SystemRoot%\system32\ntbackup.exe". Action Taken: No Action Taken.
Entry "HKCR\SpyDoctor.EBankProblem" refers to invalid object "{AE612304-E8F9-45D9-A444-32409D33E954}". Action Taken: No Action Taken.
Entry "HKCR\SpyDoctor.QuarantinedItemProxy" refers to invalid object "{C2CE6266-0404-4C54-96B4-8829852E3537}". Action Taken: No Action Taken.
Entry "HKCR\SpyDoctor.ScripterProxy" refers to invalid object "{9FEF02F5-B3B8-4D7B-8939-72A1C989D1B9}". Action Taken: No Action Taken.
Entry "HKCR\SymWriter.pdb" refers to invalid object "{520DC67A-752E-11D3-8D56-00C04F680B2B}". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP12\A0001059.exe infected by "Trojan-Proxy.Win32.Delf.an" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP12\A0001074.exe infected by "Trojan-Proxy.Win32.Delf.an" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP12\A0001115.exe infected by "Trojan-Proxy.Win32.Delf.an" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP12\A0001120.dll tagged as "not-a-virus:AdWare.Win32.Ihbo.gen". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP12\A0001160.exe infected by "Trojan-Proxy.Win32.Delf.an" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP12\A0001183.exe infected by "Trojan-Proxy.Win32.Delf.an" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP14\A0001465.exe infected by "Trojan-Proxy.Win32.Delf.an" Virus! Action Taken: No Action Taken.
DavidJ710
Regular Member
 
Posts: 18
Joined: December 31st, 2005, 12:28 pm
Location: Lincoln, NE

Unread postby Susan528 » January 2nd, 2006, 12:09 am

Hello David,

Did you follow the instructions to Reset and Re-enable your System Restore? Those infected "_restore" files still showed in the MWAV scan. You need to reset and re-enable your System restore to get rid of those infected files.

Also what is the dll error you received? Are you still receiving it? MWAV is just a scan. It does not delete anything.
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby DavidJ710 » January 2nd, 2006, 2:52 am

Susan,

I followed the instructions as I understood them. I did check the box, reboot and then re-check it... Should I go through and try it again?

Oh, right. I knew that MWAV was just a scan, I meant one of the files you had me delete. The RUNDLL error read as follows:

Error loading 084c0f6g.dll

The specified module could not be found.

Let me know what to do... Thanks so much for your help.
DavidJ710
Regular Member
 
Posts: 18
Joined: December 31st, 2005, 12:28 pm
Location: Lincoln, NE

Unread postby Susan528 » January 2nd, 2006, 8:20 am

Hello David,

This will correct the DLL error.

Open HijackThis. Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:
O4 - HKLM\..\Run: [084c0f6g.dll] RUNDLL32.EXE 084c0f6g.dll,b 29579562
Click Fix Checked.

Please try this again!
Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)
1. Right-click My Computer, and then click Properties.
2. On the System Restore tab, put a check mark in the 'Turn Off System Restore' check box.
3. Click OK, and then click Yes.

4. Restart the computer.
5. Repeat steps 1 - 2, this time clearing the box beside 'Turn Off System Restore', click 'OK'.

Reboot normally.
Please do the MWAV scan again.
Scan with HijackThis. Post (reply) with a new HijackThis log and the results of the MWAV scan to this thread.
Please let us know of any complications you had and how the computer is behaving.
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA
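As an added example (not code from the thread or from MalwareRemoval.com), a small Python triage script that applies the two checks in the post above to constructed sample lines in the HijackThis and MWAV formats: the O4 Run entry whose rundll32 module no longer exists on disk (the cause of the "Error loading" message), and scanner hits that sit inside System Restore snapshots, which the scanner reports but cannot clean. The `PRESENT_FILES` set stands in for the real file system, and `constructed_sample.dll` is an invented file name.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample input modelled on the thread's HijackThis O4 lines and MWAV
# findings. The 084c0f6g.dll, UIUCU and _restore lines are copied from the thread;
# "constructed_sample.dll" is an invented file name for the live-file case.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [084c0f6g.dll] RUNDLL32.EXE 084c0f6g.dll,b 29579562
O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\User\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

SAMPLE_MWAV = r"""
Entry "HKCR\.acl" refers to invalid object "ACLFile". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP12\A0001059.exe infected by "Trojan-Proxy.Win32.Delf.an" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP14\A0001465.exe infected by "Trojan-Proxy.Win32.Delf.an" Virus! Action Taken: No Action Taken.
File C:\WINDOWS\system32\constructed_sample.dll tagged as "not-a-virus:AdWare.Win32.Ihbo.gen". Action Taken: No Action Taken.
"""

# Stand-in for the file system: lower-case base names of files that still exist.
# 084c0f6g.dll is deliberately absent, as it was on the machine in the thread.
PRESENT_FILES: Set[str] = {"avgcc.exe", "zlclient.exe", "uiucu.exe"}

O4_RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<command>.*)$")
RUNDLL_RE = re.compile(r"^rundll32(?:\.exe)?\s+(?P<module>[^,\s]+)", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
MWAV_FILE_RE = re.compile(r'^File (?P<path>.+?) (?:infected by|tagged as) "(?P<detection>[^"]+)"')
RESTORE_RE = re.compile(r"\\System Volume Information\\_restore\{", re.IGNORECASE)


@dataclass
class RunEntry:
    hive: str
    name: str
    command: str


def parse_run_entries(text: str) -> List[RunEntry]:
    """Parse HijackThis 'O4 - HKxx\\..\\Run:' lines; other O4 forms (Global Startup) are skipped."""
    entries = []
    for line in text.splitlines():
        m = O4_RUN_RE.match(line.strip())
        if m:
            entries.append(RunEntry(m["hive"], m["name"], m["command"]))
    return entries


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage_run_entry(entry: RunEntry, present: Set[str]) -> List[str]:
    """Reasons an O4 Run entry deserves a closer look (empty list = nothing noted)."""
    reasons = []
    m = RUNDLL_RE.match(entry.command.strip())
    if m:
        module = m["module"]
        if "\\" not in module:
            reasons.append(f"rundll32 loads bare module name {module} via the DLL search path")
        if basename(module) not in present:
            # The dll is gone but its Run value remains: RUNDLL32 fails at every logon with
            # "The specified module could not be found", and the fix is removing the value.
            reasons.append(f"rundll32 module {module} is missing: orphaned Run value, "
                           "explains the 'Error loading' message at logon")
    if TEMP_DIR_RE.search(entry.command):
        reasons.append("starts a program from a Temp directory")
    return reasons


def triage_run_entries(text: str, present: Set[str]) -> Dict[str, List[str]]:
    """Map entry name -> reasons, keeping only entries that raised at least one."""
    result: Dict[str, List[str]] = {}
    for e in parse_run_entries(text):
        reasons = triage_run_entry(e, present)
        if reasons:
            result[e.name] = reasons
    return result


@dataclass
class MwavFile:
    path: str
    detection: str
    in_restore_point: bool


def parse_mwav_files(text: str) -> List[MwavFile]:
    """Pull 'File ... infected by/tagged as "..."' lines out of an MWAV log; 'Entry' lines are ignored."""
    out = []
    for line in text.splitlines():
        m = MWAV_FILE_RE.match(line.strip())
        if m:
            out.append(MwavFile(m["path"], m["detection"], bool(RESTORE_RE.search(m["path"]))))
    return out


def split_mwav(text: str) -> Tuple[List[MwavFile], List[MwavFile]]:
    """Return (restore-point hits, live hits).

    MWAV only reports ("No Action Taken"). Files under System Volume Information are
    System Restore snapshots that scanners are not allowed to modify, which is why the
    thread's remedy is to turn System Restore off and back on rather than to rescan.
    """
    files = parse_mwav_files(text)
    return [f for f in files if f.in_restore_point], [f for f in files if not f.in_restore_point]


if __name__ == "__main__":
    for name, reasons in triage_run_entries(SAMPLE_HJT, PRESENT_FILES).items():
        print(f"[O4] {name}: " + "; ".join(reasons))
    restore, live = split_mwav(SAMPLE_MWAV)
    print(f"{len(restore)} hit(s) inside System Restore snapshots, {len(live)} live file hit(s)")
```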

Unread postby DavidJ710 » January 2nd, 2006, 1:06 pm

Thanks Susan, here is the Hijack This log. MWAV will be scanning momentarily, so the scan will be forthcoming.

Logfile of HijackThis v1.99.1
Scan saved at 11:04:20 AM, on 1/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\David\Desktop\HijackThis.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wooster.edu
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.wooster.edu
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [UIUCU] C:\DOCUME~1\User\LOCALS~1\Temp\UIUCU.EXE -CLEAN_UP -S
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=presario&pf=laptop
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn/in ... er_gmn.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/S ... anager.ocx
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
DavidJ710
Regular Member
 
Posts: 18
Joined: December 31st, 2005, 12:28 pm
Location: Lincoln, NE

Unread postby DavidJ710 » January 2nd, 2006, 5:01 pm

and here is the MWAV log results...

Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\InterVideo\Common\Bin\IVIPromotion.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe" refers to invalid object "C:\WINDOWS\system32\cmmgr32.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\setup.exe" refers to invalid object "C:\Program Files\ATI Technologies\ATI Control Panel\setup.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\yourapp.Exe" refers to invalid object "C:\WINDOWS\yourapp.Exe". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".bak". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".frBB3C". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".gba". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".j31". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".pf". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "InstallShield_{00FC6799-866E-44A1-A60C-DCF394CF56FD}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "QuickTime". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "WebNexus". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{09C6BF52-6DBA-4A97-9939-B6C24E4738BF}". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8EC31897-D1E6-4758-80BE-31E873AC2903}" refers to invalid object "C:\Program Files\Grisoft\AVG Free\avgamui.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8EC31898-D1E6-4758-80BE-31E873AC2903}" refers to invalid object "C:\Program Files\Grisoft\AVG Free\avgamui.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{aac8802e-d17a-4ad6-89a7-bd133078b0c6}" refers to invalid object "C:\WINDOWS\system32\gkgfe.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{c0164c20-33c8-4f60-bfd1-557e08a93f58}" refers to invalid object "C:\Program Files\MSN\MSNCoreFiles\OOBE\obemetal.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C5AF2622-8C75-4dfb-9693-23AB7686A456}" refers to invalid object "C:\WINDOWS\DH.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C7976BEB-AB1E-46F7-8CCD-D4C9CD83BF49}" refers to invalid object "C:\PROGRA~1\SPYWAR~1\swdoctor.exe". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D9C027CF-DF75-4D2C-B763-AC1CA31C4AF8}" refers to invalid object "C:\Program Files\Grisoft\AVG Free\avgamiui.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{ec48db94-98df-4c2f-932f-bbc28af0a316}" refers to invalid object "C:\Program Files\MSN\MSNCoreFiles\OOBE\obemetal.dll". Action Taken: No Action Taken.
Entry "HKCR\.acl" refers to invalid object "ACLFile". Action Taken: No Action Taken.
Entry "HKCR\.aw" refers to invalid object "AWFile". Action Taken: No Action Taken.
Entry "HKCR\.col" refers to invalid object "COLFile". Action Taken: No Action Taken.
Entry "HKCR\.elm" refers to invalid object "ELMFile". Action Taken: No Action Taken.
Entry "HKCR\.ffa" refers to invalid object "FFAFile". Action Taken: No Action Taken.
Entry "HKCR\.ffl" refers to invalid object "FFLFile". Action Taken: No Action Taken.
Entry "HKCR\.fft" refers to invalid object "FFTFile". Action Taken: No Action Taken.
Entry "HKCR\.ffx" refers to invalid object "FFXFile". Action Taken: No Action Taken.
Entry "HKCR\.gst" refers to invalid object "MSMap.Datainst.8". Action Taken: No Action Taken.
Entry "HKCR\.lex" refers to invalid object "LEXFile". Action Taken: No Action Taken.
Entry "HKCR\.opc" refers to invalid object "OPCFile". Action Taken: No Action Taken.
Entry "HKCR\.pip" refers to invalid object "PIPFile". Action Taken: No Action Taken.
Entry "HKCR\.stf" refers to invalid object "STFFile". Action Taken: No Action Taken.
Entry "HKCR\.tuw" refers to invalid object "TUWFile". Action Taken: No Action Taken.
Entry "HKCR\.wll" refers to invalid object "Word.Addin.8". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost.2" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\Connection Manager Profile\shell\open\command" refers to invalid object "C:\WINDOWS\system32\CMMGR32.EXE "%1"". Action Taken: No Action Taken.
Entry "HKCR\DSP.DSP" refers to invalid object "{9C123EA9-AEC9-4f75-BBC0-7565FA1398966}". Action Taken: No Action Taken.
Entry "HKCR\DSP.DSPDMOProp_Chorus.1" refers to invalid object "{6F63B172-5543-4593-91CE-EDBA65B9FACDB}". Action Taken: No Action Taken.
Entry "HKCR\msbackupfile\shell\open\command" refers to invalid object "%SystemRoot%\system32\ntbackup.exe". Action Taken: No Action Taken.
Entry "HKCR\SpyDoctor.EBankProblem" refers to invalid object "{AE612304-E8F9-45D9-A444-32409D33E954}". Action Taken: No Action Taken.
Entry "HKCR\SpyDoctor.QuarantinedItemProxy" refers to invalid object "{C2CE6266-0404-4C54-96B4-8829852E3537}". Action Taken: No Action Taken.
Entry "HKCR\SpyDoctor.ScripterProxy" refers to invalid object "{9FEF02F5-B3B8-4D7B-8939-72A1C989D1B9}". Action Taken: No Action Taken.
Entry "HKCR\SymWriter.pdb" refers to invalid object "{520DC67A-752E-11D3-8D56-00C04F680B2B}". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP12\A0001059.exe infected by "Trojan-Proxy.Win32.Delf.an" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP12\A0001074.exe infected by "Trojan-Proxy.Win32.Delf.an" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP12\A0001115.exe infected by "Trojan-Proxy.Win32.Delf.an" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP12\A0001120.dll tagged as "not-a-virus:AdWare.Win32.Ihbo.gen". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP12\A0001160.exe infected by "Trojan-Proxy.Win32.Delf.an" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP12\A0001183.exe infected by "Trojan-Proxy.Win32.Delf.an" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP14\A0001465.exe infected by "Trojan-Proxy.Win32.Delf.an" Virus! Action Taken: No Action Taken.
DavidJ710
Regular Member
 
Posts: 18
Joined: December 31st, 2005, 12:28 pm
Location: Lincoln, NE

Unread postby Susan528 » January 2nd, 2006, 9:48 pm

Hello David,

Since the _restore files are still present in the MWAV, something is not working right. Normally resetting and re-enabling your system restore would clear out those bad files.

You must have Administrator privileges to do this. But with a limited user account, I would have thought you would receive a warning that you do not have these privileges. Were you signed on with administrator privileges when you did this? Did you receive any error messages or warning?

You can try this script.
http://windowsxp.mvps.org/resetsr.htm
After you save it, double-click it to execute it. You may receive a message asking if you want to allow the script to run. Please allow it since it is safe.

Then instead of running MWAV again (just to check for the _restore files) go to:
Start => All Programs => Accessories => System Tools => System Restore
You should only have one restore point and it should have been created after the execution of the script.

Please let me know if this worked.
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby DavidJ710 » January 2nd, 2006, 10:05 pm

Susan,
I do have Admin privileges, so I can't imagine why the manual system restore didn't work, but the script seems to have done the trick as I only have one restore point now.

Sorry to be taking so much of your time. Do these types of things usually take this long?

Either way, I am so grateful for your aid. I could never do this on my own.
DavidJ710
Regular Member
 
Posts: 18
Joined: December 31st, 2005, 12:28 pm
Location: Lincoln, NE

Unread postby Susan528 » January 2nd, 2006, 10:16 pm

Hello David,

Glad the script seemed to work. :D Please repeat the MWAV scan. I believe the _restore files will be gone now. Then I will be able to give you the final instructions.

Some logs take longer than others. What disappoints me is when I put time into studying and planning a response, responding, and then never hearing back from the victim. You have been great at responding, which I appreciate very much. Thank you!

Susan
Susan528
MRU Master
 
Posts: 1594
Joined: April 4th, 2005, 9:20 am
Location: Alabama, USA

Unread postby DavidJ710 » January 3rd, 2006, 1:08 am

Susan,

Hmm... Still more "_restore" files. Very strange.

File C:\Documents and Settings\David\Desktop\ResetSR.VBS infected by "Backdoor.Win32.Delf.akf" Virus! Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\SharedDlls" refers to invalid object "C:\Program Files\InterVideo\Common\Bin\IVIPromotion.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\cmmgr32.exe" refers to invalid object "C:\WINDOWS\system32\cmmgr32.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\setup.exe" refers to invalid object "C:\Program Files\ATI Technologies\ATI Control Panel\setup.exe". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\yourapp.Exe" refers to invalid object "C:\WINDOWS\yourapp.Exe". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".bak". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".frBB3C". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".gba". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".j31". Action Taken: No Action Taken.
Entry "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts" refers to invalid object ".pf". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "InstallShield_{00FC6799-866E-44A1-A60C-DCF394CF56FD}". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "QuickTime". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "WebNexus". Action Taken: No Action Taken.
Entry "HKLM\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache" refers to invalid object "{09C6BF52-6DBA-4A97-9939-B6C24E4738BF}". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8EC31897-D1E6-4758-80BE-31E873AC2903}" refers to invalid object "C:\Program Files\Grisoft\AVG Free\avgamui.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{8EC31898-D1E6-4758-80BE-31E873AC2903}" refers to invalid object "C:\Program Files\Grisoft\AVG Free\avgamui.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{aac8802e-d17a-4ad6-89a7-bd133078b0c6}" refers to invalid object "C:\WINDOWS\system32\gkgfe.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{c0164c20-33c8-4f60-bfd1-557e08a93f58}" refers to invalid object "C:\Program Files\MSN\MSNCoreFiles\OOBE\obemetal.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C5AF2622-8C75-4dfb-9693-23AB7686A456}" refers to invalid object "C:\WINDOWS\DH.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{C7976BEB-AB1E-46F7-8CCD-D4C9CD83BF49}" refers to invalid object "C:\PROGRA~1\SPYWAR~1\swdoctor.exe". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{D9C027CF-DF75-4D2C-B763-AC1CA31C4AF8}" refers to invalid object "C:\Program Files\Grisoft\AVG Free\avgamiui.dll". Action Taken: No Action Taken.
Entry "HKCR\CLSID\{ec48db94-98df-4c2f-932f-bbc28af0a316}" refers to invalid object "C:\Program Files\MSN\MSNCoreFiles\OOBE\obemetal.dll". Action Taken: No Action Taken.
Entry "HKCR\.acl" refers to invalid object "ACLFile". Action Taken: No Action Taken.
Entry "HKCR\.aw" refers to invalid object "AWFile". Action Taken: No Action Taken.
Entry "HKCR\.col" refers to invalid object "COLFile". Action Taken: No Action Taken.
Entry "HKCR\.elm" refers to invalid object "ELMFile". Action Taken: No Action Taken.
Entry "HKCR\.ffa" refers to invalid object "FFAFile". Action Taken: No Action Taken.
Entry "HKCR\.ffl" refers to invalid object "FFLFile". Action Taken: No Action Taken.
Entry "HKCR\.fft" refers to invalid object "FFTFile". Action Taken: No Action Taken.
Entry "HKCR\.ffx" refers to invalid object "FFXFile". Action Taken: No Action Taken.
Entry "HKCR\.gst" refers to invalid object "MSMap.Datainst.8". Action Taken: No Action Taken.
Entry "HKCR\.lex" refers to invalid object "LEXFile". Action Taken: No Action Taken.
Entry "HKCR\.opc" refers to invalid object "OPCFile". Action Taken: No Action Taken.
Entry "HKCR\.pip" refers to invalid object "PIPFile". Action Taken: No Action Taken.
Entry "HKCR\.stf" refers to invalid object "STFFile". Action Taken: No Action Taken.
Entry "HKCR\.tuw" refers to invalid object "TUWFile". Action Taken: No Action Taken.
Entry "HKCR\.wll" refers to invalid object "Word.Addin.8". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\ComPlusMetaData.MsCorHost.2" refers to invalid object "{727CDF4F-3BA0-11D3-8738-00C04F79ED0D}". Action Taken: No Action Taken.
Entry "HKCR\Connection Manager Profile\shell\open\command" refers to invalid object "C:\WINDOWS\system32\CMMGR32.EXE "%1"". Action Taken: No Action Taken.
Entry "HKCR\DSP.DSP" refers to invalid object "{9C123EA9-AEC9-4f75-BBC0-7565FA1398966}". Action Taken: No Action Taken.
Entry "HKCR\DSP.DSPDMOProp_Chorus.1" refers to invalid object "{6F63B172-5543-4593-91CE-EDBA65B9FACDB}". Action Taken: No Action Taken.
Entry "HKCR\msbackupfile\shell\open\command" refers to invalid object "%SystemRoot%\system32\ntbackup.exe". Action Taken: No Action Taken.
Entry "HKCR\SpyDoctor.EBankProblem" refers to invalid object "{AE612304-E8F9-45D9-A444-32409D33E954}". Action Taken: No Action Taken.
Entry "HKCR\SpyDoctor.QuarantinedItemProxy" refers to invalid object "{C2CE6266-0404-4C54-96B4-8829852E3537}". Action Taken: No Action Taken.
Entry "HKCR\SpyDoctor.ScripterProxy" refers to invalid object "{9FEF02F5-B3B8-4D7B-8939-72A1C989D1B9}". Action Taken: No Action Taken.
Entry "HKCR\SymWriter.pdb" refers to invalid object "{520DC67A-752E-11D3-8D56-00C04F680B2B}". Action Taken: No Action Taken.
File C:\Documents and Settings\David\Desktop\ResetSR.VBS infected by "Backdoor.Win32.Delf.akf" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP12\A0001059.exe infected by "Trojan-Proxy.Win32.Delf.an" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP12\A0001074.exe infected by "Trojan-Proxy.Win32.Delf.an" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP12\A0001115.exe infected by "Trojan-Proxy.Win32.Delf.an" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP12\A0001120.dll tagged as "not-a-virus:AdWare.Win32.Ihbo.gen". Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP12\A0001160.exe infected by "Trojan-Proxy.Win32.Delf.an" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP12\A0001183.exe infected by "Trojan-Proxy.Win32.Delf.an" Virus! Action Taken: No Action Taken.
File C:\System Volume Information\_restore{EB635C80-91F6-44CA-A791-6C1B6A6F3650}(2)\RP14\A0001465.exe infected by "Trojan-Proxy.Win32.Delf.an" Virus! Action Taken: No Action Taken.
DavidJ710
Regular Member
 
Posts: 18
Joined: December 31st, 2005, 12:28 pm
Location: Lincoln, NE