ccjcic
Very Troublesome Virus!
OK, where do I start? I have cleaned all of the temp files off the computer, all the cookies, etc. I noticed I couldn't get AVG or Ad-Aware to install because there was a virus or something running that was killing the process of the install file. So I totally pulled the hard drive from the machine and hooked it up to another machine that was clean and had AVG and Ad-Aware etc. on it. I booted up with the clean machine and put the infected hard drive in as the slave. I ran an AVG scan; it found about 200 viruses and got them removed. I have rescanned the hard drive and it found nothing. Then I ran Ad-Aware while I had the hard drive hooked up as slave, and it found some things; it removed those.

Next I decided to rehook the hard drive up to the computer it came out of and boot it up. So I did. Still can't install AVG or Ad-Aware or Spybot. I got a program called CounterSpy to install and ran a scan; it found a few more malware things. I removed those. I was able to install a program called WinPatrol on the machine that shows running processes, startup programs, etc. ZoneAlarm installed, but the process is killed. Spybot, Ad-Aware, AVG, Avast will not install at all! You click the install file and it will not run.

I have noticed this virus likes to rename itself. At one point it was named EXPLORE.exe, trying to make it look like EXPLORER.exe in the task manager. I have run KillBox to try to delete these files, and every time I restart to delete the file it just comes back and is renamed something else. And you cannot kill the process in the task manager. I have also run McAfee Stinger on the machine. If someone can help me figure this one out, big kudos to you! Because I remove spyware and viruses from machines all the time, but I can't figure this out!
This is a log showing what the machine looks like when I do a diagnostic startup from msconfig. The virus, or whatever it is, is still there; I cannot install any anti-virus or anti-spyware tools.
Logfile of HijackThis v1.99.1
Scan saved at 11:03:17 AM, on 05/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
C:\Documents and Settings\Nicki\Desktop\New Folder\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Nicki\Application Data\Mozilla\Profiles\default\d04kirt2.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmg.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [sunasDtServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDtServ.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {1C203F13-95AD-11D0-A84B-00A0247B735B} (Sheridan ActiveTreeView Control) - https://www.ext.ch2m.com/cgi-bin/controls/sstree.cab
O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} - http://www.pacimedia.com/install/pcs_0025.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {35020238-5912-11D1-9A00-00C04FD8DC2E} (DameWare DTP Control Class) - https://www.ext.ch2m.com/cgi-bin/controls/ddtp.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {4855C21B-E452-4661-A702-ED3493CE74DF} - http://sp.ask.com/docs/toolbar/download/askbar-inst.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp...23/cpbrkpie.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
=======================================================
Here is what the machine looks like after I do a normal startup:
Logfile of HijackThis v1.99.1
Scan saved at 11:34:35 AM, on 05/11/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\WINDOWS\System32\ScsiAccess.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\LTMSG.exe
C:\WINDOWS\System32\igfxtray.exe
c:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\interMute\PopSubtract\PopSub.exe
C:\Program Files\Common Files\Real\Update_OB\rnathchk.exe
C:\Documents and Settings\Nicki\Desktop\New Folder\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
N3 - Netscape 7: user_pref("browser.search.defaultengine", "http://www.google.com/"); (C:\Documents and Settings\Nicki\Application Data\Mozilla\Profiles\default\d04kirt2.slt\prefs.js)
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_3_16_0.dll
O3 - Toolbar: AIM Search - {40D41A8B-D79B-43d7-99A7-9EE0F344C385} - C:\Program Files\AIM Toolbar\AIMBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [sunasDtServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasDTServ.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [sunasServ] C:\Program Files\Sunbelt Software\CounterSpy Client\sunasServ.exe
O4 - HKLM\..\Run: [SAClient] "C:\Program Files\Insight\BBClient\Programs\RegCon.exe" /admincheck
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LTMSG] LTMSG.exe 7
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [FlnCPY] "C:\Program Files\Common Files\Java\flncpy.exe"
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Kodak EasyShare software.lnk = C:\Program Files\Kodak\Kodak EasyShare software\bin\EasyShare.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PopSubtract.lnk = C:\Program Files\interMute\PopSubtract\PopSub.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.insightbb.com
O16 - DPF: {1C203F13-95AD-11D0-A84B-00A0247B735B} (Sheridan ActiveTreeView Control) - https://www.ext.ch2m.com/cgi-bin/controls/sstree.cab
O16 - DPF: {2F5B39C5-C6F5-447A-A946-48B382C53985} - http://www.pacimedia.com/install/pcs_0025.exe
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/...nst20040510.cab
O16 - DPF: {35020238-5912-11D1-9A00-00C04FD8DC2E} (DameWare DTP Control Class) - https://www.ext.ch2m.com/cgi-bin/controls/ddtp.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {4855C21B-E452-4661-A702-ED3493CE74DF} - http://sp.ask.com/docs/toolbar/download/askbar-inst.cab
O16 - DPF: {9522B3FB-7A2B-4646-8AF6-36E7F593073C} (cpbrkpie Control) - http://a19.g.akamai.net/7/19/7125/4047/ftp...23/cpbrkpie.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/ac...ta/SymAData.dll
O16 - DPF: {E77C0D62-882A-456F-AD8F-7C6C9569B8C7} (ActiveDataObj Class) - https://www-secure.symantec.com/techsupp/ac.../ActiveData.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\system32\cmdtel.exe (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\system32\ahtun.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
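To work through a pair of logs like the two above more systematically, here is an added Python example (not from the thread, and not part of HijackThis) that parses the HijackThis line format, diffs the diagnostic-boot log against the normal-boot log, and flags two patterns the question already describes: executable names one typo away from a well-known Windows binary (EXPLORE.exe beside EXPLORER.exe, taskmg.exe beside taskmgr.exe) and O23 services listed with "Unknown owner" whose file is "(file missing)". The embedded sample logs are a constructed subset of the logs quoted in the question, plus one constructed EXPLORE.exe process line standing in for the renamed process the asker mentions; the list of well-known binaries and all function names are this example's own assumptions.

```python
import re

# Constructed subset of the asker's diagnostic-startup HijackThis log.
DIAGNOSTIC_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmg.exe
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
"""

# Constructed subset of the normal-startup log. The EXPLORE.exe process line
# is constructed from the asker's description; it is not in the quoted logs.
NORMAL_LOG = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\EXPLORE.exe
C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll
O4 - HKLM\..\Run: [WinPatrol] C:\PROGRA~1\BILLPS~1\WINPAT~1\winpatrol.exe
O4 - HKLM\..\Run: [FlnCPY] "C:\Program Files\Common Files\Java\flncpy.exe"
O23 - Service: Loading Outpost Connections (KDE) - Unknown owner - C:\WINDOWS\system32\cmdtel.exe (file missing)
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Debug oupost relations (LAGOS) - Unknown owner - C:\WINDOWS\system32\ahtun.exe (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Unknown owner - C:\WINDOWS\system32\ZoneLabs\vsmon.exe (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.+)$")
PROCESS_RE = re.compile(r"^[A-Za-z]:\\")
RUN_RE = re.compile(r"\[[^\]]*\]\s*(?P<cmd>.*)$")
# Assumed list of Windows binaries that a renamed process is likely to imitate.
KNOWN_BINARIES = {"explorer.exe", "taskmgr.exe", "svchost.exe", "lsass.exe",
                  "services.exe", "winlogon.exe", "smss.exe", "spoolsv.exe"}


def parse_log(text):
    """Split a HijackThis log into running-process paths and (kind, body) entries."""
    processes, entries = [], []
    for line in (raw.strip() for raw in text.splitlines()):
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m["kind"], m["body"]))
        elif PROCESS_RE.match(line):
            processes.append(line)
    return processes, entries


def basename(command):
    """Lower-cased executable name from a process path or a Run command line."""
    command = command.strip()
    path = command[1:].split('"', 1)[0] if command.startswith('"') else command.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def one_edit_apart(a, b):
    """True when a and b differ by exactly one insertion, deletion or substitution."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i, j = i + 1, j + 1
            continue
        edits += 1
        if edits > 1:
            return False
        # Skip one char on the longer side (insert/delete) or on both (substitute).
        i += len(a) >= len(b)
        j += len(b) >= len(a)
    return edits + (len(a) - i) + (len(b) - j) == 1


def imitation_names(processes, entries):
    """(name, imitated) pairs for process and Run-key executables one typo away
    from a well-known Windows binary; exact matches are not reported."""
    names = [basename(p) for p in processes]
    for kind, body in entries:
        m = RUN_RE.search(body) if kind == "O4" else None
        if m:
            names.append(basename(m["cmd"]))
    return sorted({(n, k) for n in names for k in KNOWN_BINARIES if one_edit_apart(n, k)})


def missing_unowned_services(entries):
    """O23 services with no recorded owner whose binary is missing from disk."""
    return [body for kind, body in entries
            if kind == "O23" and "Unknown owner" in body and "(file missing)" in body]


def triage(diagnostic, normal):
    """Review list, not a verdict: imitation names seen in either boot, unowned
    missing services, and entries that only appear after a normal boot."""
    d_proc, d_ent = parse_log(diagnostic)
    n_proc, n_ent = parse_log(normal)
    baseline = set(d_ent)
    return {
        "imitations": sorted(set(imitation_names(d_proc, d_ent)) | set(imitation_names(n_proc, n_ent))),
        "services": missing_unowned_services(n_ent),
        "new_in_normal": [f"{k} - {b}" for k, b in n_ent if (k, b) not in baseline],
    }


if __name__ == "__main__":
    for rule, hits in triage(DIAGNOSTIC_LOG, NORMAL_LOG).items():
        print(rule, *hits, sep="\n    ")
```

Everything the script returns is a review list to check against the hijackthis.de analysis, not a list of malware: the "Unknown owner / file missing" rule also catches the ZoneAlarm TrueVector (vsmon) service line, which fits the asker's report that the firewall's process keeps getting killed rather than indicating anything about ZoneAlarm itself. The diff against the diagnostic-boot log is the most useful output here, because anything that survives only a normal boot is loaded through a Run key, BHO or service that msconfig's diagnostic mode skips, which narrows down what to delete or lock down before the next reboot.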
OK, do you want to waste time doing the uninstall and virus scans, or do you want your computer up and running?
First, let me state that it was not a wise idea to boot into --> Windows <-- on the "clean" machine, as the act of just booting it can cause it to get a virus from the second HDD.
If there are any files (NON-EXE FILES) you want to keep, copy them off to the other computer. If you move the HDD, put it back into the other computer.
Then go to the HDD maker's website and download the HDD check utility. They should have a boot disk option.
Run the utility and select the "write 0's to drive" option.
After that, put in the Windows XP CD and reinstall.
After that, reinstall all the programs you want.
OR
You can call up McAfee and say you think you have a load of new viruses on your machine, and ask them if you can send them the HDD so they can update their virus scanners. You may or may not get your drive back, but if you have new viruses on your machine they might offer you as much as $1000 for the HDD.
ASKER
This is the second computer I have seen this on! The last computer I saw this on I had to do a reinstall, but I was determined this time not to have to do it. But I don't know what else to do, I guess.
ccjcic:
Tip for the future - rather than post the entire HijackThis log here, please post instead at http://www.hijackthis.de/ and click analyze and then "save this log". That way it's easier to work with and you can just post the link here.
I did that for you in this case, and you can view at:
http://www.hijackthis.de/logfiles/66c9fe61f0c7934ccfc5b4aa9a06e54a.html
Here are some general tips that may help you in such difficult cases:
(1) First, in order to view the files in the System Information Folder, you should make sure that you unselected "Hide protected operating system files" in Explorer -> Folder options.
(2) If you identify a file that keeps re-creating itself, then just right-click on it and change permissions so that no one (not even SYSTEM or Administrator) has any permission to access it. That effectively renders the file harmless after the next reboot. You should do this after clearing any of the bad entries found by HijackThis.
Comment for Diane258:
I agree with your advice in general, but I am curious why you think that attaching the drive as a slave drive to another XP system could be harmful just by booting. The only such possibility I am aware of is you were using Win/2000 and accidentally made the bad drive a master drive rather than slave.
ASKER
Yeah, I've tried those 2 tips. I've tried everything I know! Ha. This has got to be the most pesky virus I have ever seen.
ASKER
Sorry for posting my entire log here.
"Ive Tryed those 2 tips"
If you removed all permissions from a file, then it cannot run the next time, and cannot be recreated under the same name. It can, however, be recreated under a different name.
I assume you are facing the latter situation. That means that you have not identified all the bad files, because you have to either delete all bad files, or remove all permissions from them, and then reboot once in order to render them ineffective.
Did you really remove all the Registry entries identified by HijackThis as bad or questionable?
You also have to terminate all processes that are known to be bad before the reboot. If you're getting an "access denied" error, get Taskman+ from:
http://www.diamondcs.com.au/index.php?page=taskman
Download and run Stinger in Safe Mode:
http://vil.nai.com/vil/stinger/
Also try at least 2 of these online virus scanners:
Panda ActiveScan
http://www.pandasoftware.com/activescan
Bitdefender
http://www.bitdefender.com/scan/Msie/index.php
McAfee FreeScan
http://us.mcafee.com/root/mfs/default.asp
Symantec Security Check
http://security.symantec.com/sscv6/
Pc-Cillin (Trend Micro Housecall)
http://housecall.antivirus.com/housecall/start_pcc.asp
PcPitstop
http://pcpitstop.com/antivirus/default.asp
RAV
http://www.ravantivirus.com/scan/
Zee
After the above:
First of all, download NOW this Winsock fix (FREE):
http://downloads.subratam.org/WinsockFix.zip
If you lose internet access after the cleanup, run this tool.
After that, download the fully functional trial version of Spy Sweeper:
http://www.webroot.com/downloads/?WRSID=595f27d74dd2795a56af83b763c321e1
Install, UPDATE and run.
You may need to reboot and run again to clean all the nasties that cannot be deleted at once ('in use').
Download Ad-Aware (FREE) from here:
http://lavasoft.element5.com/support/download/
Install, UPDATE and run.
You may need to reboot and run again to clean all the nasties that cannot be deleted at once ('in use').
Also excellent is SpyBot Search & Destroy (FREE) available here:
http://www.spychecker.com/download/download_spybot.html
Install, UPDATE and run.
You may need to reboot and run again to clean all the nasties that cannot be deleted at once ('in use').
You should also apply the 'immunize' function, since it blocks roughly 1900 known 'bad' runs/apis/apps.
Even if Ad-Aware and SpyBot S&D are similar, they do clean different things. You should have both of them and use REGULARLY.
You can also install 'preventive' software that will help you control these nasties:
SpywareBlaster (FREE):
http://www.javacoolsoftware.com/spywareblaster.html
Prevents the installation of ActiveX-based spyware, malware, dialers, etc.
Currently protects you against 3500+ nasties.
Advantage: no system resources used!!!
Just download, install and UPDATE.
All of them extremely useful but you must keep them UPDATED.
Suggestion: Make sure you can see all files and folders and run Ad-aware and Spybot S&D in Safe Mode.
Zee
ASKER
Ok, here's an update on what's going on. Here is a new log file.
http://www.hijackthis.de/logfiles/e88d7c26ca0b422637e0989cbdcb719a.html
I ran AVG, Ad-Aware, Spybot, CounterSpy in safe mode.
I have one big problem with that log above.
I have a problem with this running process
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
I didn't even open Internet Explorer. I didn't do anything, I restarted the computer and just ran HijackThis. So my guess is this isn't IE! So I clicked on it in WinPatrol and clicked "delete this file on reboot", then I restarted, and this is the log I got after I deleted iexplore.exe:
http://www.hijackthis.de/logfiles/b36ae7ec01f5dcf4331d23cd754841b8.html
I also cleared up many of the nasties that it was reporting, or any unknowns. Still the same results! Still can't run AVG, Ad-Aware etc...
One thing I did notice is that a random file name, utilaux.exe, showed up in the Windows Task Manager but it did not show up in the HijackThis log or in WinPatrol. After I clicked "kill task" in Windows Task Manager and refreshed WinPatrol and ran another HijackThis log, it showed up! But it had been running the whole time! But I had to kill it, and then it restarted, and then it showed up?? This thing is crazy!
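The observations in the post above (several iexplore.exe instances nobody launched, a reappearing utilaux.exe that is absent from the tool logs, and the EXPLORE.exe/EXPLORER.exe name trick mentioned at the top of the thread) are the kind of thing a process listing can be checked for mechanically. The script below is an added example written for this page; it is not code from the thread or from any of the tools mentioned. It parses a constructed `image,pid,path` listing (modelled on the symptoms described, not a real capture) and flags three things: names one edit away from a well-known system binary, well-known binaries running from a directory other than the expected one, and images missing from a small baseline allowlist. The expected-directory table and the allowlist are assumptions for the example and would be built from a known-clean machine in practice.

```python
"""Flag suspicious entries in a Windows-style process listing.

Added example for this thread, not code from the original page. The
listing format (image,pid,path), the expected-directory table and the
baseline allowlist are constructed assumptions for illustration.
"""

# Constructed baseline: directory each well-known binary is expected to run from.
EXPECTED_PATHS = {
    "explorer.exe": r"c:\windows",
    "iexplore.exe": r"c:\program files\internet explorer",
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
}

# Constructed allowlist of images considered normal on this machine.
BASELINE = set(EXPECTED_PATHS) | {"system", "smss.exe", "csrss.exe", "winpatrol.exe"}

# Constructed sample listing modelled on the thread: a look-alike name,
# three iexplore.exe instances (one from the wrong directory) and an
# unknown image (utilaux.exe) that is not in the baseline.
SAMPLE_LISTING = """\
System,4,
smss.exe,368,C:\\WINDOWS\\system32\\smss.exe
winlogon.exe,444,C:\\WINDOWS\\system32\\winlogon.exe
explorer.exe,1224,C:\\WINDOWS\\explorer.exe
EXPLORE.exe,1500,C:\\WINDOWS\\system32\\EXPLORE.exe
iexplore.exe,1612,C:\\Program Files\\Internet Explorer\\iexplore.exe
iexplore.exe,1640,C:\\Program Files\\Internet Explorer\\iexplore.exe
iexplore.exe,1688,C:\\WINDOWS\\system32\\iexplore.exe
utilaux.exe,1720,C:\\WINDOWS\\system32\\utilaux.exe
winpatrol.exe,1800,C:\\Program Files\\BillP Studios\\WinPatrol\\winpatrol.exe
"""


def edit_distance(a, b):
    """Levenshtein distance between two strings (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def directory_of(path):
    """Directory part of a backslash-separated Windows path ('' if none)."""
    return path.rsplit("\\", 1)[0] if "\\" in path else ""


def parse_listing(text):
    """Turn 'image,pid,path' lines into (name, pid, path) with name/path lower-cased."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, pid, path = line.split(",", 2)
        rows.append((name.strip().lower(), int(pid), path.strip().lower()))
    return rows


def analyse(rows):
    """Return {pid: [reasons]} for every process that trips one of the checks."""
    findings = {}
    for name, pid, path in rows:
        reasons = []
        if name not in BASELINE:
            # Check 1: one edit away from a well-known name (EXPLORE.exe vs explorer.exe).
            for known in EXPECTED_PATHS:
                if edit_distance(name, known) == 1:
                    reasons.append("look-alike of %s" % known)
            # Check 3: nothing like it in the baseline at all (utilaux.exe).
            if not reasons:
                reasons.append("not in baseline")
        elif name in EXPECTED_PATHS and path:
            # Check 2: correct name but running from an unexpected directory.
            actual = directory_of(path)
            if actual != EXPECTED_PATHS[name]:
                reasons.append("unexpected directory %s" % actual)
        if reasons:
            findings[pid] = reasons
    return findings


def report(text):
    """Convenience wrapper: parse a listing and return its findings."""
    return analyse(parse_listing(text))


if __name__ == "__main__":
    for pid, reasons in sorted(report(SAMPLE_LISTING).items()):
        print("PID %d: %s" % (pid, "; ".join(reasons)))
```

On the sample, the look-alike check fires for EXPLORE.exe against both explorer.exe and iexplore.exe, the directory check fires for the iexplore.exe copy in system32, and utilaux.exe is reported as outside the baseline. The two iexplore.exe instances in the correct directory are not flagged by name or path alone; whether they should be running at all is a question only a parent-process or launch-time view can answer, which is why the replies in the thread go on to ask what the file's version information says.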
Something is indeed messing with your system.
Is that iexplore.exe file really deleted? That is the correct location of Internet Explorer, so if you still have the file you can right-click on it and get the Version Info in Properties. Make sure it is from Microsoft. My guess is that it is/was legit but something else launched it.
You might also try RootkitRevealer from sysinternals:
http://www.sysinternals.com/ntw2k/freeware/rootkitreveal.shtml
Ok, ccjcic, format (write 0's to the drive, not format c:)/reinstall or talk to McAfee.
If the virus is as bad as you say it is then they might be willing to pay for it.
Also, certain Windows processes will "read" data from the secondary HDD and "execute" information in others, mostly the partition information, drive volume information, and sometimes a few system files (for NTFS), but some viruses can still hide in there and infect the other drive.
"Also, certain Windows processes will "read" data from the secondary HDD and "execute" information in others, mostly the partition information, drive volume information, and sometimes a few system files (for NTFS), but some viruses can still hide in there and infect the other drive."
Can you provide any more information on this, either a specific example or a link to a web site that describes it. I am just very curious because I never heard this before. Thanks!
ASKER
What is the best way to get into contact with McAfee?
ASKER
iexplore.exe is not deleted, it came back.
"iexplore.exe is not deleted it came back"
What does the Version tab show? Is it the Microsoft file? What version?
ASKER
Ok, it did come back, now it's gone! Internet Explorer is totally gone now! But I'm sure that was not Internet Explorer though. I ran that RootkitRevealer and the funny thing is I had to rename it in order to get it to run! It didn't find anything. I've never seen a virus like this.
ASKER CERTIFIED SOLUTION
http://www.mcafee.com/us/
you should be able to find contact info there.
Be sure to say that you think you have some new viruses.
>>iexplore.exe is not deleted it came back
To sort that:
Place a text file in the Internet Explorer directory.
Rename it to iexplore.exe
attrib iexplore.exe +r +h +s
It won't be able to come back now.
ASKER
Thanks everyone for the help. I ended up just doing a reinstall of Windows. But if I ever see this virus again I will figure out what is going on!
You're welcome.
Just sorry we couldn't help you a little further.
Cheers,
Zee
ASKER
Ok, I rehooked up the drive as a slave drive on the clean computer again and ran an online virus scan from Panda. It found the stuff I have posted below. I went in and deleted all the files. Then I rehooked up the hard drive to the machine and started it up. I was able to get AVG, Spybot, Ad-Aware installed on the computer!
But I started to run an Ad-Aware scan and AVG started picking up things in the C:\System Volume Information folder. I had System Restore disabled, and if you go in and try to browse to the System Volume Information folder it is not even there! But yet AVG is detecting a Trojan there!
Well, so I closed Ad-Aware and decided to run an AVG scan on the computer. So I started an AVG scan and had to leave for about 15 min. I left, and when I came back the computer was in sleep mode. I moved the mouse and it restarted all by itself! Next thing I know the virus is back. AVG etc. is still installed but none of them will run! I have it booted into safe mode right now running an Ad-Aware scan. All the programs will run in safe mode but not in regular mode because that stupid virus keeps popping up!
HERE IS THE LOG FROM THE PANDA SCAN:
Incident Status Location
Adware:Adware/DelFinMedia No disinfected F:\Documents and Settings\All Users\Application Data\wsxs\patchme.exe
Spyware:Spyware/Media-moto
Adware:Adware/PurityScan No disinfected F:\Documents and Settings\Nicki\Desktop\New
Adware:Adware/PurityScan No disinfected F:\Documents and Settings\Nicki\Desktop\New
Adware:Adware/Midaddle No disinfected F:\Documents and Settings\Nicki\Local Settings\Temp\bNX.exe
Adware:Adware/Midaddle No disinfected F:\Documents and Settings\Nicki\Local Settings\Temp\mOJhW.exe
Adware:Adware/Transponder No disinfected F:\Documents and Settings\Nicki\Local Settings\Temporary Internet Files\Content.IE5\6FAN4Z81
Adware:Adware/Transponder No disinfected F:\Documents and Settings\Nicki\Local Settings\Temporary Internet Files\Content.IE5\KXCVA5AN
Adware:Adware/Transponder No disinfected F:\Documents and Settings\Nicki\Local Settings\Temporary Internet Files\Content.IE5\O1Q34N2B
Adware:Adware/Transponder No disinfected F:\Documents and Settings\Nicki\Local Settings\Temporary Internet Files\Content.IE5\O1Q34N2B
Adware:Adware/PurityScan No disinfected F:\Documents and Settings\Owner\Application
Adware:Adware/BroadcastPC No disinfected F:\Program Files\Common Files\Java\bpt.cfg
Adware:Adware/FlashTrack No disinfected F:\Program Files\Common Files\Java\Xcpy1.cfg
Adware:Adware/DelFinMedia No disinfected F:\Program Files\Common Files\Uninstall Information\RemoveDisplayU
Spyware:Spyware/BetterInet
Spyware:Spyware/Media-moto
Virus:Trj/Notifier.AA Disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\1B154E71
Adware:Adware/Sqwire No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\1B29476C
Spyware:Spyware/Media-moto
Adware:Adware/TopSpyware No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\24D46A9F
Virus:Trj/Idly.A Disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\281845F4
Adware:Adware/BroadcastPC No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\2A960050
Adware:Adware/BroadcastPC No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\2A960050
Adware:Adware/BroadcastPC No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\38ED7AB2
Adware:Adware/Twain-Tech No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\3F64A42C
Adware:Adware/FlashTrack No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\42FA539C
Adware:Adware/FlashTrack No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\42FA539C
Virus:Trj/Downloader.CKQ Disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\44EB7497
Adware:Adware/TopSpyware No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\44EB7497
Virus:Trj/Downloader.CKQ Disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\44EB7497
Adware:Adware/KeenValue No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\46DC875A
Spyware:Spyware/MarketScor
Spyware:Spyware/MarketScor
Virus:Trj/Clicker.AD Disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\63D57226
Adware:Adware/Transponder No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\87045C99
Adware:Adware/DelFinMedia No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\89C9A9F5
Adware:Adware/DelFinMedia No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\89C9A9F5
Adware:Adware/KeenValue No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\8B5191DF
Adware:Adware/IEPlugin No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\9121719D
Adware:Adware/IEPlugin No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\9121719D
Spyware:Spyware/Wast No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\9123A2F6
Adware:Adware/Twain-Tech No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\9123A2F6
Adware:Adware/IPInsight No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\9123A2F6
Spyware:Spyware/BargainBud
Spyware:Spyware/BargainBud
Spyware:Spyware/BargainBud
Virus:Trj/Agent.QW Disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\B9E684E5
Adware:Adware/PortalScan No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\CB08D3F6
Adware:Adware/PurityScan No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\D01BE892
Spyware:Spyware/BetterInet
Spyware:Spyware/BetterInet
Adware:Adware/WebHancer No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EB1A51FA
Adware:Adware/WebHancer No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EB1A51FA
Adware:Adware/WebHancer No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EB1A51FA
Adware:Adware/WebHancer No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EB1A51FA
Adware:Adware/WebHancer No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EB1A51FA
Adware:Adware/WebHancer No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EB1A51FA
Adware:Adware/WebHancer No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EB1A51FA
Adware:Adware/WebHancer No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EB1A51FA
Adware:Adware/WebHancer No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EB1A51FA
Adware:Adware/WebHancer No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EB1A51FA
Adware:Adware/WebHancer No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EB1A51FA
Adware:Adware/WebHancer No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EB1A51FA
Adware:Adware/WebHancer No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EB1A51FA
Adware:Adware/WebHancer No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EB1A51FA
Adware:Adware/WebHancer No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\EB1A51FA
Adware:Adware/SAHAgent No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\FEBC66C3
Adware:Adware/SAHAgent No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\FEBC66C3
Adware:Adware/SAHAgent No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\FEBC66C3
Adware:Adware/SAHAgent No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\FEBC66C3
Adware:Adware/SAHAgent No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\FEBC66C3
Adware:Adware/SAHAgent No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\FEBC66C3
Adware:Adware/SAHAgent No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\FEBC66C3
Adware:Adware/SAHAgent No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\FEBC66C3
Adware:Adware/nCase No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\FF80430A
Adware:Adware/nCase No disinfected F:\Program Files\Sunbelt Software\CounterSpy Client\Quarantine\FF80430A
Virus:Trj/Hpt.C Disinfected F:\RECYCLER\S-1-5-21-31132
Adware:Adware/KeenValue No disinfected F:\updaterInstall_108.exe
Spyware:Spyware/Wast No disinfected F:\WINDOWS\ast_4_mm.exe
Virus:Trj/Casicon.A Disinfected F:\WINDOWS\casicon.exe
Adware:Adware/Coupons No disinfected F:\WINDOWS\cpbrkpie.ocx
Spyware:Spyware/Media-moto
Adware:Adware/BHO No disinfected F:\WINDOWS\ei25.exe
Adware:Adware/SAHAgent No disinfected F:\WINDOWS\inf\bi2.inf
Spyware:Spyware/BetterInet
Spyware:Spyware/AdClicker No disinfected F:\WINDOWS\loads.exe
Adware:Adware/nCase No disinfected F:\WINDOWS\msbbhook.dll
Adware:Adware/PortalScan No disinfected F:\WINDOWS\mwsvm.bin
Virus:Trj/Downloader.CA Disinfected F:\WINDOWS\nhiqirsgt.exe
Adware:Adware/SAHAgent No disinfected F:\WINDOWS\sahagent-mediam
Adware:Adware/SAHAgent No disinfected F:\WINDOWS\sahagent-mediam
Adware:Adware/SAHAgent No disinfected F:\WINDOWS\sahagent-mediam
Adware:Adware/SAHAgent No disinfected F:\WINDOWS\SAHUninstall.ex
Adware:Adware/Twain-Tech No disinfected F:\WINDOWS\SET5A.tmp
Adware:Adware/MyDailyHoros
Adware:Adware/MyDailyHoros
Adware:Adware/Transponder No disinfected F:\WINDOWS\system32\bvvggv
Possible Virus. No disinfected F:\WINDOWS\system32\c14b2s
Adware:Adware/BrowserAid No disinfected F:\WINDOWS\system32\D0CE0C
Adware:Adware/PurityScan No disinfected F:\WINDOWS\system32\devabu
Adware:Adware/CWS.Flsmngr No disinfected F:\WINDOWS\system32\flsmng
Virus:Trj/Lowzones.CL Disinfected F:\WINDOWS\system32\glopjc
Adware:Adware/Twain-Tech No disinfected F:\WINDOWS\system32\hueeqq
Virus:Trj/Casicon.A Disinfected F:\WINDOWS\system32\icon\i
Virus:W32/Bagz.M.worm Disinfected F:\WINDOWS\system32\mbvfha
Adware:Adware/nCase No disinfected F:\WINDOWS\system32\msbb32
Adware:Adware/DelFinMedia No disinfected F:\WINDOWS\system32\nsvsvc
Possible Virus. No disinfected F:\WINDOWS\system32\qmgrmm
Adware:Adware/SAHAgent No disinfected F:\WINDOWS\system32\sahage
Virus:Trj/Prutec.L Disinfected F:\WINDOWS\system32\winsmx
Adware:Adware/SAHAgent No disinfected F:\WINDOWS\system32\xmlpar
Adware:Adware/SAHAgent No disinfected F:\WINDOWS\system32\xmltok
Adware:Adware/PurityScan No disinfected F:\WINDOWS\system32\XPLORE
Spyware:Spyware/Media-moto
Virus:Trj/Downloader.CA Disinfected F:\WINDOWS\ypopoqzbk.exe