Hijackthis log


18 replies to this topic

#1 sdavis (New Member, 10 posts)
Posted 14 June 2006 - 03:17 AM

An item has turned up on my task bar telling me that my computer is infected with a virus; it also changed my home page to an anti-virus site, and it installed two shortcuts on my desktop. Here is my log file:

Logfile of HijackThis v1.99.1
Scan saved at 09:54:57, on 14/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Documents and Settings\Stewart Davis\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.02.ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.o2.ie/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} (ProductView Express) - file://C:\Program Files\ProENGINEER Student Edition\i486_nt\obj\pvx_install.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147559256976
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe



#2 Susan528 (SuperMember, 3,194 posts)
Posted 15 June 2006 - 12:03 AM

Hello sdavis and Welcome to TomCoyote,

Please do the following:


STEP 1.
======
SpySweeper

Double-click My Computer.
Click the Tools menu, and then click Folder Options.
Click the View tab.
Clear "Hide file extensions for known file types."
Under the "Hidden files" folder, select "Show hidden files and folders."
Clear "Hide protected operating system files."
Click Apply, and then click OK.


Please do not delete anything unless you are instructed to.


Download the trial version of Spy Sweeper from Here
  • Install it using the Standard Install option. (You will be asked for your e-mail address, it is safe to give it. If you receive alerts from your firewall, allow all activities for Spy Sweeper) You will be prompted to check for updated definitions, please do so.
    (This may take several minutes)
  • Click on Options > Sweep Options and check Sweep all Folders on Selected drives. Check Local Disc C. Under What to Sweep, check every box.
  • Click on Sweep and allow it to fully scan your system. If you are prompted to restart the computer, do so immediately. This is a necessary step to kill the infection!
  • When the sweep has finished, click Remove. Click Select All and then Next
  • From 'Results', select the Session Log tab. Click Save to File and save the log somewhere convenient.
  • Exit Spy Sweeper.

STEP 2.
======
Ewido Trojan Scanner
Please download, install, and update the NEW free version of Ewido trojan scanner:
  • When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • From the main ewido screen, click on update in the left menu, then click the Start update button.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Click on the Scanner button in the left menu, then click on Complete System Scan. This scan can take quite a while to run.
  • If ewido finds anything, it will pop up a notification. Select "clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
  • When the scan finishes, click on "Save Report". This will create a text file. Make sure you know where to find this file again.
Empty Recycle Bin
Reboot

Please post(reply) with the results from SpySweeper, ewido and a new hijackthis log.

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.

#3 sdavis (New Member, 10 posts)
Posted 15 June 2006 - 03:06 PM

Thanks very much for your help. I think it is sorted; I have put the HijackThis log first and then the Spy Sweeper log. You might be able to tell me if it is all sorted or not.

thanks again

Logfile of HijackThis v1.99.1
Scan saved at 21:56:21, on 15/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Canon\MultiPASS4\MPDBMgr.exe
C:\Documents and Settings\Stewart Davis\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.02.ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.02.ie
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} (ProductView Express) - file://C:\Program Files\ProENGINEER Student Edition\i486_nt\obj\pvx_install.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147559256976
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe





********
11:40: | Start of Session, 15 June 2006 |
11:40: Spy Sweeper started
11:40: Sweep initiated using definitions version 699
11:40: Starting Memory Sweep
11:43: Found Adware: spyware quake fakealert
11:43: Detected running threat: C:\WINDOWS\SYSTEM32\ofcukiz.dll (ID = 411)
11:45: Memory Sweep Complete, Elapsed Time: 00:04:30
11:45: Starting Registry Sweep
11:45: Found Adware: multidial
11:45: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/muldist.ocx\ (2 subtraces) (ID = 135367)
11:45: Found Adware: security2k hijacker
11:45: HKLM\software\microsoft\windows\currentversion\explorer\browser helper objecta\ (2 subtraces) (ID = 735573)
11:45: Found Trojan Horse: trojan-downloader-zlob
11:45: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || kernel32.dll (ID = 796421)
11:45: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/mfc42.dll\ || {e8edb60c-951e-4130-93dc-faf1ad25f8e7} (ID = 956093)
11:45: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/mfc42.dll\ || {fc87a650-207d-4392-a6a1-82adbc56fa64} (ID = 956094)
11:45: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/msvcrt.dll\ || {e8edb60c-951e-4130-93dc-faf1ad25f8e7} (ID = 956095)
11:45: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/msvcrt.dll\ || {fc87a650-207d-4392-a6a1-82adbc56fa64} (ID = 956096)
11:45: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/olepro32.dll\ || {e8edb60c-951e-4130-93dc-faf1ad25f8e7} (ID = 956097)
11:45: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/system32/olepro32.dll\ || {fc87a650-207d-4392-a6a1-82adbc56fa64} (ID = 956098)
11:45: HKLM\software\microsoft\windows\currentversion\policies\explorer\run\ || wininet.dll (ID = 1497178)
11:45: Found Trojan Horse: mitglieder_trojan
11:45: HKU\S-1-5-21-506438728-1626635386-2531684854-1006\software\datetime\ (118 subtraces) (ID = 135123)
11:45: Registry Sweep Complete, Elapsed Time:00:00:24
11:45: Starting Cookie Sweep
11:45: Found Spy Cookie: clickbank cookie
11:45: stewart davis@clickbank[1].txt (ID = 2398)
11:45: Cookie Sweep Complete, Elapsed Time: 00:00:00
11:45: Starting File Sweep
13:00: muldist.inf (ID = 70204)
13:01: Warning: Invalid file - not a PKZip file
13:03: Warning: Invalid file - not a PKZip file
13:03: Warning: Invalid file - not a PKZip file
13:03: Warning: Invalid file - not a PKZip file
13:03: Warning: Invalid file - not a PKZip file
13:03: Warning: Invalid file - not a PKZip file
13:03: Warning: Invalid file - not a PKZip file
13:03: Warning: Invalid Stream
13:03: Warning: Invalid file - not a PKZip file
13:03: Warning: Invalid file - not a PKZip file
13:03: Warning: Invalid file - not a PKZip file
13:03: File Sweep Complete, Elapsed Time: 01:18:10
13:03: Full Sweep has completed. Elapsed time 01:23:12
13:03: Traces Found: 136
13:07: Removal process initiated
13:07: Quarantining All Traces: mitglieder_trojan
13:07: Quarantining All Traces: security2k hijacker
13:07: Quarantining All Traces: spyware quake fakealert
13:07: Quarantining All Traces: trojan-downloader-zlob
13:07: Quarantining All Traces: multidial
13:07: Quarantining All Traces: clickbank cookie
13:07: Warning: Timed out waiting for explorer.exe
13:07: Warning: Timed out waiting for explorer.exe
13:07: Warning: Launched explorer.exe
13:07: Warning: Quarantine process could not restart Explorer.
13:08: Preparing to restart your computer. Please wait...
13:08: Removal process completed. Elapsed time 00:01:26
13:15: Processing Startup Alerts
13:15: Removed Startup entry: TkBellExe
********
11:35: | Start of Session, 15 June 2006 |
11:35: Spy Sweeper started
11:36: Your spyware definitions have been updated.
11:40: | End of Session, 15 June 2006 |
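
The two HijackThis logs posted so far (14 June and 15 June) say more when compared line by line than when read in isolation: the second adds the Spy Sweeper run key and its Winlogon Notify DLL, and in the first the HKCU and HKLM Start Page values differ by a single character (a zero in one, the letter o in the other). The Python script below is an added example, not code from this thread or from HijackThis, that parses 1.99.x logs, diffs two of them and flags the entries a helper would want to look at first. The sample logs are trimmed copies of the two posted above; the Winlogon Notify allowlist and the triage rules are this example's own assumptions.

```python
"""Parse, diff and triage HijackThis 1.99.x logs.

Added example, not code from the thread or from HijackThis. The sample logs are
trimmed copies of the logs posted above; the rules and allowlist are assumptions.
"""
import re
from typing import Dict, List, Tuple

ENTRY_RE = re.compile(r"^(?P<sec>[RFON]\d{1,2}) - (?P<body>.+)$")
START_RE = re.compile(r"^(HKCU|HKLM)\\.*Start Page = (\S+)", re.I)
# Assumption: Webroot Spy Sweeper installs this Winlogon notifier; any other O20 DLL is flagged.
KNOWN_NOTIFY_DLLS = {"wrlogonntf.dll"}


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Return {section: [entry bodies]}; running processes go under 'process', lower-cased."""
    log: Dict[str, List[str]] = {"process": []}
    in_procs = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_procs = False  # the blank line after the process list ends it
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            log["process"].append(line.lower())  # SYSTEM32 vs system32 is not a change
            continue
        m = ENTRY_RE.match(line)
        if m:
            log.setdefault(m["sec"], []).append(m["body"])
    return log


def diff_hjt(before, after) -> Tuple[Dict[str, List[str]], Dict[str, List[str]]]:
    """Entries that appeared (added) or disappeared (removed) between two logs, per section."""
    added: Dict[str, List[str]] = {}
    removed: Dict[str, List[str]] = {}
    for sec in sorted(set(before) | set(after)):
        b, a = set(before.get(sec, [])), set(after.get(sec, []))
        if a - b:
            added[sec] = sorted(a - b)
        if b - a:
            removed[sec] = sorted(b - a)
    return added, removed


def flag_entries(log) -> List[Tuple[str, str]]:
    """Entries a helper would want to look at first (prompts for a manual check, not verdicts)."""
    flags: List[Tuple[str, str]] = []
    start_pages = {}
    for body in log.get("R0", []) + log.get("R1", []):
        m = START_RE.match(body)
        if m:
            start_pages[m[1].upper()] = m[2].rstrip("/").lower()
    if len(set(start_pages.values())) > 1:  # HKCU and HKLM disagree: one of them was changed
        flags.append(("R0", f"Start Page mismatch: {start_pages}"))
    for body in log.get("O4", []):  # Policies\Explorer\Run entries were Zlob traces in the Spy Sweeper log
        if "policies\\explorer\\run" in body.lower():
            flags.append(("O4", body))
    for body in log.get("O20", []):  # Winlogon Notify DLLs load into winlogon.exe as SYSTEM
        if body.rsplit("\\", 1)[-1].lower() not in KNOWN_NOTIFY_DLLS:
            flags.append(("O20", body))
    for body in log.get("O23", []):  # services with no vendor string need a manual look
        if "Unknown owner" in body:
            flags.append(("O23", body))
    for body in log.get("O16", []):  # ActiveX sourced from a local file rather than a site
        if "file://" in body.lower():
            flags.append(("O16", body))
    return flags


# Constructed samples: trimmed from the two logs posted in this thread.
LOG_BEFORE = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.02.ie
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.o2.ie/
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} (ProductView Express) - file://C:\Program Files\ProENGINEER Student Edition\i486_nt\obj\pvx_install.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
"""
LOG_AFTER = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.02.ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.02.ie
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} (ProductView Express) - file://C:\Program Files\ProENGINEER Student Edition\i486_nt\obj\pvx_install.exe
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
"""

if __name__ == "__main__":
    before, after = parse_hjt(LOG_BEFORE), parse_hjt(LOG_AFTER)
    added, removed = diff_hjt(before, after)
    for sec, entries in added.items():
        print(f"+ {sec}: {entries}")
    for sec, entries in removed.items():
        print(f"- {sec}: {entries}")
    for sec, why in flag_entries(after):
        print(f"! {sec}: {why}")
```

To use it on real logs, replace LOG_BEFORE and LOG_AFTER with the contents of two saved HijackThis logs. The diff is the reliable part: anything that appears between two scans was put there by something. The flags are only a reading order; the Ati service with "Unknown owner" and the file:// ActiveX control in these logs are both ordinary for this machine and would be cleared by a quick look at the vendor and path.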

#4 Susan528 (SuperMember, 3,194 posts)
Posted 15 June 2006 - 08:39 PM

Hello sdavis, Were you able to download and run ewido? I was hoping to see a report from the ewido scan also.

#5 sdavis (New Member, 10 posts)
Posted 16 June 2006 - 12:17 PM

Sorry, forgot to include as requested:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 19:10:17, 16/06/2006
+ Report-Checksum: 5B8B33D

+ Scan result:

C:\IRAS\RAS Search.exe -> Heuristic.Win32.Dialer : Cleaned with backup
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP64\A0009878.dll -> Adware.Minibug : Cleaned with backup
C:\WINDOWS\SYSTEM32\1024 -> Trojan.Small : Cleaned with backup
C:\WINDOWS\SYSTEM32\1024\ld11B5.tmp -> Trojan.Small : Cleaned with backup
C:\WINDOWS\SYSTEM32\1024\ld7D44.tmp -> Trojan.Small : Cleaned with backup
C:\WINDOWS\SYSTEM32\1024\ld80D6.tmp -> Trojan.Small : Cleaned with backup
C:\WINDOWS\SYSTEM32\1024\ldBAE3.tmp -> Trojan.Small : Cleaned with backup
C:\WINDOWS\SYSTEM32\1024\ldD9DE.tmp -> Trojan.Small : Cleaned with backup
C:\WINDOWS\SYSTEM32\1024\ldEEC2.tmp -> Trojan.Small : Cleaned with backup
C:\WINDOWS\SYSTEM32\atmclk.exe -> Trojan.Small : Error during cleaning
C:\WINDOWS\SYSTEM32\hp100.tmp -> Downloader.Zlob.so : Cleaned with backup
C:\WINDOWS\SYSTEM32\hp101.tmp -> Downloader.Zlob.so : Cleaned with backup
C:\WINDOWS\SYSTEM32\hp102.tmp -> Downloader.Zlob.so : Cleaned with backup
C:\WINDOWS\SYSTEM32\hp103.tmp -> Downloader.Zlob.so : Cleaned with backup

::Report End

#6 Susan528 (SuperMember, 3,194 posts)
Posted 16 June 2006 - 01:35 PM

Please do the following:

Only for Windows XP and Windows 2000

Download SmitfraudFix (by S!Ri) to your Desktop.
http://siri.urz.free...mitfraudFix.zip
Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.


Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter


This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.


IMPORTANT: Do NOT run any other options until you are asked to do so!

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.

Please post:
C:\rapport.txt

#7 sdavis (New Member, 10 posts)
Posted 19 June 2006 - 03:53 PM

Sorry about the delay

SmitFraudFix v2.61

Scan done at 14:19:43.04, 17/06/2006
Run from C:\Documents and Settings\Stewart Davis\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

C:\WINDOWS\system32\atmclk.exe FOUND !
C:\WINDOWS\system32\dcomcfg.exe FOUND !
C:\WINDOWS\system32\ld????.tmp FOUND !
C:\WINDOWS\system32\ot.ico FOUND !
C:\WINDOWS\system32\regperf.exe FOUND !
C:\WINDOWS\system32\simpole.tlb FOUND !
C:\WINDOWS\system32\stdole3.tlb FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Stewart Davis\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\STEWAR~1\FAVORI~1

C:\DOCUME~1\STEWAR~1\FAVORI~1\Antivirus Test Online.url FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{05a91164-3c96-47d6-aa74-2c855791b2d0}"="incaged"

[HKEY_CLASSES_ROOT\CLSID\{05a91164-3c96-47d6-aa74-2c855791b2d0}\InProcServer32]
@="C:\WINDOWS\system32\ofcukiz.dll"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{05a91164-3c96-47d6-aa74-2c855791b2d0}\InProcServer32]
@="C:\WINDOWS\system32\ofcukiz.dll"


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End




Logfile of HijackThis v1.99.1
Scan saved at 22:51:43, on 19/06/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Stewart Davis\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.02.ie/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.02.ie
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewid...oOnlineScan.cab
O16 - DPF: {1ED48504-8834-11D5-AC75-0008C73FD642} (ProductView Express) - file://C:\Program Files\ProENGINEER Student Edition\i486_nt\obj\pvx_install.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147559256976
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
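
The Sharedtaskscheduler section of the SmitfraudFix report above is the most telling part of this post: the CLSID {05a91164-3c96-47d6-aa74-2c855791b2d0}, labelled "incaged", resolves to C:\WINDOWS\system32\ofcukiz.dll, the same DLL Spy Sweeper had reported as a running threat, and the mapping exists under both HKEY_CLASSES_ROOT and HKEY_CURRENT_USER\Software\Classes. Explorer instantiates every CLSID under SharedTaskScheduler at logon, and in the merged HKCR view the per-user Classes entry takes precedence, so a cleanup that only removes the machine-wide mapping leaves the redirection in place. The script below is an added example, not code from this thread or from SmitfraudFix, that does the same resolution over a `reg export` text for SharedTaskScheduler and ShellServiceObjectDelayLoad and reports which side of the registry the DLL came from. The sample export is constructed to mirror the SmitfraudFix output; the second, benign-looking entry, its CLSID and the allowlist of shell DLLs are assumptions.

```python
"""Resolve SharedTaskScheduler / SSODL CLSIDs from a .reg export to the DLL Explorer loads.

Added example, not code from the thread or from SmitfraudFix. The sample export is
constructed to mirror the SmitfraudFix output above; the benign entry, its CLSID and
the allowlist of shell DLLs are assumptions.
"""
import re
from typing import Dict, List, Optional, Tuple

# Explorer instantiates every CLSID listed under these keys at logon (keys compared lower-cased).
LOADER_KEYS = (
    r"hkey_local_machine\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler",
    r"hkey_local_machine\software\microsoft\windows\currentversion\shellserviceobjectdelayload",
)
# Merged HKCR view: the per-user Classes hive wins over the machine-wide one.
CLSID_ROOTS = (
    r"hkey_current_user\software\classes\clsid",
    r"hkey_classes_root\clsid",
    r"hkey_local_machine\software\classes\clsid",
)
KNOWN_SHELL_DLLS = {"browseui.dll", "shell32.dll", "stobject.dll", "webcheck.dll"}  # assumption
VALUE_RE = re.compile(r'^(@|"(?P<name>[^"]*)")=(?P<data>"(?:[^"\\]|\\.)*")$')


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Parse .reg export text into {key_lower: {value_name: string_data}}; non-string data is skipped."""
    keys: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line) if current else None
        if not m:
            continue  # dword:/hex: values and continuation lines are not needed here
        name = "" if m.group(1) == "@" else m.group("name")
        keys[current][name] = re.sub(r"\\(.)", r"\1", m.group("data")[1:-1])  # undo .reg escaping
    return keys


def resolve_clsid(keys, clsid: str) -> Tuple[Optional[str], Optional[str]]:
    """(root, InProcServer32 path) for a CLSID, in the precedence order Windows uses."""
    for root in CLSID_ROOTS:
        values = keys.get(f"{root}\\{clsid.lower()}\\inprocserver32")
        if values and "" in values:
            return root, values[""]
    return None, None


def audit(reg_text: str) -> List[Tuple[str, str, Optional[str], List[str]]]:
    """(clsid, label, dll_path, reasons) for every loader entry; empty reasons means nothing odd."""
    keys = parse_reg(reg_text)
    findings = []
    for loader in LOADER_KEYS:
        for clsid, label in keys.get(loader, {}).items():
            root, path = resolve_clsid(keys, clsid)
            if path is None:
                findings.append((clsid, label, None, ["no InProcServer32 found"]))
                continue
            reasons = []
            if root.startswith("hkey_current_user"):
                reasons.append("per-user Classes override")  # redirects the CLSID without touching HKLM
            if path.rsplit("\\", 1)[-1].lower() not in KNOWN_SHELL_DLLS:
                reasons.append("dll not in allowlist")
            findings.append((clsid, label, path, reasons))
    return findings


# Constructed sample export: the first entry mirrors the SmitfraudFix output above,
# the second is an invented benign-looking entry with a made-up CLSID.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{05a91164-3c96-47d6-aa74-2c855791b2d0}"="incaged"
"{00000000-0000-0000-0000-000000000001}"="Web Check (constructed)"

[HKEY_CLASSES_ROOT\CLSID\{05a91164-3c96-47d6-aa74-2c855791b2d0}\InProcServer32]
@="C:\\WINDOWS\\system32\\ofcukiz.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{05a91164-3c96-47d6-aa74-2c855791b2d0}\InProcServer32]
@="C:\\WINDOWS\\system32\\ofcukiz.dll"

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000001}\InProcServer32]
@="C:\\WINDOWS\\system32\\webcheck.dll"
"""

if __name__ == "__main__":
    for clsid, label, path, reasons in audit(SAMPLE_REG):
        print(f"{clsid} ({label}) -> {path}: {', '.join(reasons) or 'ok'}")
```

On a live machine the input would be the concatenation of `reg export` output for the two loader keys and for HKCR\CLSID and HKCU\Software\Classes\CLSID; the script only reads text, so the export can be taken on the suspect machine and examined elsewhere. A "per-user Classes override" finding is worth reporting even when the HKLM side has already been cleaned.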

#8 Susan528 (SuperMember, 3,194 posts)
Posted 19 June 2006 - 04:33 PM

Hello sdavis,

Let's run another scan please.

Now run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
  • Scan using the following Anti-Virus database:
  • Standard
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
  • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.

Please paste that information from Kaspersky in your reply.

#9 sdavis (New Member, 10 posts)
Posted 20 June 2006 - 05:38 PM

KASPERSKY ON-LINE SCANNER REPORT
Wednesday, June 21, 2006 12:37:28 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 20/06/2006
Kaspersky Anti-Virus database records: 189518

Scan Settings
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target: My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects: 115886
Number of viruses found: 5
Number of infected objects: 4
Number of suspicious objects: 17
Duration of the scan process: 04:55:38

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy1.zip/msexreg.exe / Suspicious: Password-protected-EXE / skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy1.zip / ZIP: suspicious - 1 / skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy117.zip/msexreg.exe / Suspicious: Password-protected-EXE / skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy117.zip / ZIP: suspicious - 1 / skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy155.zip/msexreg.exe / Suspicious: Password-protected-EXE / skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy155.zip / ZIP: suspicious - 1 / skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy181.zip/msexreg.exe / Suspicious: Password-protected-EXE / skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy181.zip / ZIP: suspicious - 1 / skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy206.zip/msexreg.exe / Suspicious: Password-protected-EXE / skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy206.zip / ZIP: suspicious - 1 / skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy211.zip/trkgif.exe / Suspicious: Password-protected-EXE / skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy211.zip / ZIP: suspicious - 1 / skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy47.zip/msexreg.exe / Suspicious: Password-protected-EXE / skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy47.zip / ZIP: suspicious - 1 / skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy79.zip/msexreg.exe / Suspicious: Password-protected-EXE / skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy79.zip / ZIP: suspicious - 1 / skipped
C:\Program Files\Delodesk\npf.sys / Suspicious: Rootkit.Win32.Agent.ao / skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP82\A0011706.tlb / Infected: Trojan-Downloader.Win32.Zlob.sp / skipped
C:\WINDOWS\SYSTEM32\ipxvbame.exe / Infected: Trojan.Win32.Crypt.t / skipped
C:\WINDOWS\SYSTEM32\ld100.tmp / Infected: Trojan-Downloader.Win32.Zlob.sd / skipped
C:\WINDOWS\SYSTEM32\qosvssvc.exe / Infected: Trojan.Win32.Crypt.t / skipped

Scan process completed.

#10 Susan528

    SuperMember

  • Authentic Member
  • 3,194 posts

Posted 20 June 2006 - 07:49 PM

Blacklight

Download Blacklight Beta from here:
http://www.f-secure....light/try.shtml
  • Hit I accept. It will take you to download page.
  • Download blbeta.exe and save it to the Desktop.
  • Once saved... double click blbeta.exe to install the program.
  • Click accept agreement and Click scan
    This app too may fire off a warning from antivirus. Let the driver load.
    Wait for it to finish.
  • If it displays any items...don't do anything with them yet. Just hit exit (close)
  • It will drop a log on Desktop that starts with fsbl....big number
Please post (reply) with the contents of the log that starts with fsbl....big number.

Proud member of ASAP since 2005

The help you receive here is free. If you wish to show your appreciation, then you may donate to help keep us online.

Want to help others? Come join us in the Class Room and learn how.


#11 sdavis

    New Member

  • Authentic Member
  • 10 posts

Posted 21 June 2006 - 04:32 AM

That scan found nothing and did not create a log. Have we eliminated everything on the computer that should not be there? The start-up time of the laptop has now become quite extended; can I decrease this time again? Thank you once again, Stewart

#12 Susan528

    SuperMember

  • Authentic Member
  • 3,194 posts

Posted 21 June 2006 - 07:40 AM

Hello sdavis,

I am glad Blacklight did not detect any rootkits. I would like you to locate and submit the following file.

STEP 1.
======
Please show all files for your system.
You will need to reverse this process when all steps are done.


Submit File to Jotti
Please click on Jotti
Use the "Browse" button and locate the following file on your computer:
C:\Program Files\Delodesk\npf.sys
Click the "Submit" button.
Please copy and post (reply) with the results

If Jotti's service load is too high, you can use the following scanner instead:
http://www.virustota...l/index_en.html

Please also check the properties of those files (right-click and select Properties from the popup menu). Look whether you can find some company information, etc.
=====================

Also please upload the same file to the following:
http://sandbox.norman.no/live_4.html

Please copy the results from the email you receive and post (reply) so that I can compare the results to Jotti.
#13 sdavis

    New Member

  • Authentic Member
  • 10 posts

Posted 21 June 2006 - 10:06 AM

Service load: 0% 100%
File: npf.sys
Status: INFECTED/MALWARE
MD5: 00e0621912d3b116875d78b4be385288
Packers detected: -

Scanner results
AntiVir: Found Trojan/Rootkit.SMA.A
ArcaVir: Found W32.RootKit.Apropos.A1
Avast: Found Win32:Adloader-AC
AVG Antivirus: Found nothing
BitDefender: Found nothing
ClamAV: Found nothing
Dr.Web: Found nothing
F-Prot Antivirus: Found nothing
Fortinet: Found nothing
Kaspersky Anti-Virus: Found Rootkit.Win32.Agent.ao (probable variant)
NOD32: Found nothing
Norman Virus Control: Found nothing
UNA: Found nothing
VirusBuster: Found nothing
VBA32: Found Rootkit.Agent.4 (probable variant)

Not sure what the story is with this response; I e-mailed the file to them after I received this message.

Norman Scanner Engine 5.90. 7
Sandbox 05.90, dated 21/05-2006
Your message ID (for later reference): 20060621-918

npf.sys : Not detected by sandbox (Signature: NO_VIRUS)

[ General information ]
 * **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
 * File length: 12288 bytes.
 * MD5 hash: 00e0621912d3b116875d78b4be385288.

© 2004-2006 Norman ASA. All Rights Reserved. The material presented is distributed by Norman ASA as an information source only.
Sent by sdavis@iol.ie to sandbox. Received 21.June 2006 at 16.51 - processed 21.June 2006 at 17.24.

#14 Susan528

    SuperMember

  • Authentic Member
  • 3,194 posts

Posted 21 June 2006 - 01:02 PM

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:
http://www.pchell.co.../safemode.shtml

Next, please enable viewing of hidden files as follows:
1) Go to My Computer, and click on the "Tools" menu
2) Click "Folder options"
3) Select the "View" tab
4) Make sure "Show hidden files and folders" is selected
5) Make sure "Hide extensions for known file types" is unchecked
6) Make sure "Hide protected operating system files (recommended)" is unchecked

Delete the following files.
C:\Program Files\Delodesk\npf.sys<==file
C:\WINDOWS\SYSTEM32\ipxvbame.exe<==file
C:\WINDOWS\SYSTEM32\ld100.tmp<==file
C:\WINDOWS\SYSTEM32\qosvssvc.exe<==file

Empty the recycle bin
Reboot

Please run Kaspersky and post (reply) with the results.

#15 sdavis

    New Member

  • Authentic Member
  • 10 posts

Posted 22 June 2006 - 07:16 AM

Thursday, June 22, 2006 2:14:54 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 22/06/2006
Kaspersky Anti-Virus database records: 189905

Scan Settings
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target: My Computer
C:\
D:\

Scan Statistics
Total number of scanned objects: 116520
Number of viruses found: 3
Number of infected objects: 2
Number of suspicious objects: 17
Duration of the scan process: 03:21:20

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy1.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy117.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy117.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy155.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy155.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy181.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy181.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy206.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy206.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy211.zip/trkgif.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy211.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy47.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy47.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy79.zip/msexreg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\eXactAdvertisingBargainsBuddy79.zip ZIP: suspicious - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP84\A0011829.sys Suspicious: Rootkit.Win32.Agent.ao skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP84\A0011830.exe Infected: Trojan.Win32.Crypt.t skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP84\A0011831.exe Infected: Trojan.Win32.Crypt.t skipped

Scan process completed.
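As an added example (not code from this thread or from any of the tools named in it), the script below parses detection lines in the layout of the two Kaspersky reports above and diffs them, separating objects that are still live on disk from copies sitting in System Restore snapshots or in Spybot's Recovery backups. The report excerpts inside it are constructed from the paths this thread discusses, with {GUID} standing in for the real restore-point identifier.

```python
import re

# Constructed excerpts in the layout of the Kaspersky On-line Scanner report
# lines posted in this thread: "<path> <Infected|Suspicious|ZIP>: <name> <action>".
# Paths are the ones the thread discusses; {GUID} stands in for the real
# restore-point identifier.
QUAR = ("C:\\Documents and Settings\\All Users\\Application Data\\"
        "Spybot - Search & Destroy\\Recovery\\")
SVI = "C:\\System Volume Information\\_restore{GUID}\\RP84\\"
BEFORE = (  # 21 June scan, before the files were deleted in Safe Mode
    "C:\\Program Files\\Delodesk\\npf.sys Suspicious: Rootkit.Win32.Agent.ao skipped\n"
    "C:\\WINDOWS\\SYSTEM32\\ipxvbame.exe Infected: Trojan.Win32.Crypt.t skipped\n"
    "C:\\WINDOWS\\SYSTEM32\\ld100.tmp Infected: Trojan-Downloader.Win32.Zlob.sd skipped\n"
    "C:\\WINDOWS\\SYSTEM32\\qosvssvc.exe Infected: Trojan.Win32.Crypt.t skipped\n"
    + QUAR + "eXactAdvertisingBargainsBuddy1.zip ZIP: suspicious - 1 skipped\n"
)
AFTER = (  # 22 June scan, after the deletion
    SVI + "A0011829.sys Suspicious: Rootkit.Win32.Agent.ao skipped\n"
    + SVI + "A0011830.exe Infected: Trojan.Win32.Crypt.t skipped\n"
    + QUAR + "eXactAdvertisingBargainsBuddy1.zip ZIP: suspicious - 1 skipped\n"
)

# One detection line: path, verdict keyword, detection name, last action.
LINE = re.compile(
    r"^(?P<path>.+?) (?P<kind>Infected|Suspicious|ZIP): (?P<name>.+?) (?P<action>\S+)$")


def parse_report(text):
    """Return a dict per detection line; headers and statistics are ignored."""
    return [m.groupdict() for m in map(LINE.match, text.splitlines()) if m]


def classify(path):
    """Where a flagged object lives decides what it means for the cleanup."""
    low = path.lower()
    if "\\system volume information\\_restore" in low:
        return "restore_point"      # System Restore snapshot, not a live file
    if "spybot - search & destroy\\recovery" in low:
        return "quarantine_backup"  # a cleanup tool's own backup archive
    return "active"                 # on-disk object the OS could still load


def compare(before_text, after_text):
    """Diff two reports: what disappeared, and where the remaining hits live."""
    before = {d["path"] for d in parse_report(before_text)}
    after = parse_report(after_text)
    result = {"removed": sorted(before - {d["path"] for d in after}),
              "active": [], "restore_point": [], "quarantine_backup": []}
    for d in after:
        result[classify(d["path"])].append(d["path"])
    return result
```

With the constructed excerpts, `compare(BEFORE, AFTER)` reports all four live files as removed and nothing left in the "active" bucket, which is the check that matters; the surviving hits are snapshot copies that System Restore could bring back, and a quarantine archive that is inert unless restored.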
