Author Topic: Big Problem!!!!! (Read 42864 times)

Ivy · « **on:** October 13, 2007, 10:24:49 AM »

Hi,
I recently checked for windows updates and downloaded all the updates, when the download was complete i got the prompt to restart my computer , so i restarted my computer but the computer would not load windows , since my means of communication with CH is through my computer i was not able to ask for help here , so i called up my comp manufacturers and told him that i had downloaded windows updates and he told me that my OS or windows is not orignal so the updates have messed up my windows, he said i will have to reformat , so i had to take my CPU to his office to get it reformatted ( my seventh reformat in 2 months ), so i had to pay him again !!!!!
Then after the reformat i was trying to install sify broadband , it gave me the message that my antivirus is not compatible with sify , so i had to uninstall AVG and install Trend micro from sify , but from that very day i have been getting these two warnings:
PAK_Generic001
PE_CORELINKC-O
It says unable to quarantine .
I ran spybot but it shows no immediate threats, i run ccleaners everyday, nothing is working .
I ran ewido scan it showed tracking cookies which kept coming back after every scan.
I was thinking about removing trend micro but then sify will say i need a antivirus and it wont allow anyother anti virus .
I know this is a very big problem , hopefully someone will be able to help .
Thanks in advance.

Im using windows xp pro .
Trend micro antivirus plus firewall.

Ivy · « **Reply #1 on:** October 13, 2007, 10:44:10 AM »

Broni · « **Reply #2 on:** October 13, 2007, 10:47:14 AM »

I'll take a look...

Broni · « **Reply #3 on:** October 13, 2007, 10:51:39 AM »

Before I check your HJT log, I did some search, and
- PAK_Generic 001 - is listed at Trend as a trojan
- PE_CORELINKC-O - no info whatsoever, the only thing I found is this web site: pe_corelinkc-o[/b]/]http://www.lenoza.com/seo-test/pe_corelinkc-o/, but it's in Chinese, so I had "some" problems, reading it.

Ivy · « **Reply #4 on:** October 13, 2007, 10:59:05 AM »

Quote from: Broni on October 13, 2007, 10:51:39 AM

Before I check your HJT log, I did some search, and
- PAK_Generic 001 - is listed at Trend as a trojan
- PE_CORELINKC-O - no info whatsoever

I Checked them myself through trend micro , it says malware/virus , threat low.
And im sorry i checked the name again for the secong entry , I had overlooked the dot , its not PE_CORELINKC-O, its PE_CORELINK.C-O
Im unable to delete or remove them , after every 2 minutes i get this warning !!
Thankyou .

Broni · « **Reply #5 on:** October 13, 2007, 11:08:22 AM »

I see...
- PE_CORELINK.C-O, then is listed as a trojan, too...

Now, as for your HJT log, it's mostly clean, except for this questionable entry:

O17 - HKLM\System\CCS\Services\Tcpip\..\{7FE5BF47-CF53-4A96-BDE5-A8E1A087AF8B}: NameServer = 202.144.13.50,202.144.66.6

This particular IPs (202.144.13.50,202.144.66.6) are listed as "Asia Pacific Network Information Centre". If this is NOT your ISP provider, nor it doesn't ring a bell, it has to be fixed...

Here we go:

1. Print this post out, since you won't have an access to it at some point.

2. Download, and install Spybot (if you don't have it) from here: http://www.safer-networking.org/en/download/index.html

3. Close all windows, except for HJT.

4. Put a checkmark next to following HJT entries:

O17 - HKLM\System\CCS\Services\Tcpip\..\{7FE5BF47-CF53-4A96-BDE5-A8E1A087AF8B}: NameServer = 202.144.13.50,202.144.66.6

5. Click on "Fix It" button.

6. Restart your computer in Safe Mode (F8)

7. Run Spybot (click on updates, first), and fix whatever it asks you to fix.

8. Turn off System Restore.

9. Restart in Normal Mode.

10. Turn System Restore on.

11. Run HJT again, and post back its log back here.

Ivy · « **Reply #6 on:** October 13, 2007, 11:16:38 AM »

Quote from: Broni on October 13, 2007, 11:08:22 AM

It is part of my IP settings.
Do i still need to go for the further steps?

Broni · « **Reply #7 on:** October 13, 2007, 11:33:22 AM »

In that case, no.

Quote

after every 2 minutes i get this warning

Are you getting these warnings pop-ups from Trend?

Ivy · « **Reply #8 on:** October 13, 2007, 11:35:41 AM »

Quote from: Broni on October 13, 2007, 11:33:22 AM

Quote
after every 2 minutes i get this warning
Are you getting these warnings pop-ups from Trend?

Yes.

Broni · « **Reply #9 on:** October 13, 2007, 11:47:38 AM »

As I said, your HJT log is clean, so I suspect, it may be false-positive from Trend.
I don't know anything about Trend AV, but it may be some setting, which will allow you to turn those particular warnings off.

Ivy · « **Reply #10 on:** October 13, 2007, 11:51:16 AM »

It is in my console log files.
It also shows tracking cookies on Ewido scan , shall i post the results here of Ewido here?

Broni · « **Reply #11 on:** October 13, 2007, 11:59:12 AM »

Quote

It is in my console log files

But you said something about every 2 minutes pop-ups.

Quote

shall i post the results here of Ewido here?

No need, just get rid of them.

Ivy · « **Reply #12 on:** October 13, 2007, 12:06:34 PM »

Quote from: Broni on October 13, 2007, 11:59:12 AM

Quote
It is in my console log files
But you said something about every 2 minutes pop-ups.

By every 2 minutes i mean , a window (Office scan notification message) appears again and again and When i check the antivirus console , it shows them in the logs.

Quote from: Broni on October 13, 2007, 11:59:12 AM

Quote
shall i post the results here of Ewido here?
No need, just get rid of them.

I said before that i try to delete them in ewido but they keep coming back in the next scan(when i scan again)

Quote from: Ivy on October 13, 2007, 10:24:49 AM

I ran ewido scan it showed tracking cookies which kept coming back after every scan.

Thanks.

Ivy · « **Reply #13 on:** October 13, 2007, 12:26:27 PM »

My Trend Micro Office Scan is running and it shows 37 files infected already , the files are increasing everytime i get the Office scan notification message, im running Ewido and it shows trojan etc , im waiting for the scan to finish.

Broni · « **Reply #14 on:** October 13, 2007, 12:36:27 PM »

I'd like you to go to Kaspersky free online scan, just to see, if same things will show up:
http://www.kaspersky.com/virusscanner

As for tracking cookies, they DO show up, and it's never ending chase.
You may try some extra free tools like "Spyware Terminator", or "Advanced WindowsCare". When installed, they'll monitor your computer in real time against malwares (tracking cookies included), but even with those tools kept up to date, there will always new tracking cookies, which are not in database, yet.
You have to also realize, that tracking cookies are NOT any life threatening things. Just very little bad guys. They don't have any impact on your computer performance.

Ivy · « **Reply #15 on:** October 13, 2007, 12:37:05 PM »

Here is the Ewido Report .
_______________________________________ ___________
ewido anti-spyware online scanner
http://www.ewido.net
_______________________________________ ___________

Name: Downloader.Small.eta
Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8E74LJ2F\x[1].exe
Risk: High

Name: Trojan.Small
Path: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\9GB6P2LM\read[1].exe
Risk: High

Name: Downloader.Small.eta
Path: C:\WINDOWS\~Temp1011.tmp
Risk: High

Name: Downloader.Small.eta
Path: C:\WINDOWS\~Temp4706.tmp
Risk: High

Name: Downloader.Small.eta
Path: C:\WINDOWS\~Temp4982.tmp
Risk: High

Name: Downloader.Small.eta
Path: C:\WINDOWS\~Temp6587.tmp
Risk: High

Name: Downloader.Small.eta
Path: C:\WINDOWS\~Temp7768.tmp
Risk: High

Ivy · « **Reply #16 on:** October 13, 2007, 12:43:36 PM »

Last time it was just the lil bad guys , now its the real bad guys , Trojans.
I removed them again the same Office scan notification message shows up, now my infected files count is gone up to 55 .
Broni what shall i do?

Broni · « **Reply #17 on:** October 13, 2007, 01:02:54 PM »

First of all, forget about Ewido!!!
All cookies they reported, are either temp files, or located in temp directories. Maybe, Ewido wants you to buy something from them.
Read my previous post about tracking cookies.
Install those extra tools, and use Spybot + Ad-aware combo. Forget about Ewido!

As for your next post, I asked you to go to Kaspersky for double check.
NEVER, I say never, trust just one tool. I assure you, you'll feel better.

Ivy · « **Reply #18 on:** October 13, 2007, 01:07:55 PM »

Thanks Broni ,
Could you post some links to "Spyware Terminator", or "Advanced WindowsCare" and Spybot + Ad-aware combo.
Thankyou.

Broni · « **Reply #19 on:** October 13, 2007, 01:17:42 PM »

http://www.spywareterminator.com/
http://www.download.com/Advanced-WindowsCare/3000-2086-10407614.html (with free version, you have to update its database manually - I' recommend, daily)
http://www.safer-networking.org/ (Spybot)
http://www.lavasoftusa.com/ (Ad-aware)

Ivy · « **Reply #20 on:** October 13, 2007, 01:22:34 PM »

I shall download them now .
My windows is not orignal , are you sure its ok to still download them? im a lil scared after the windows update download thing.

Broni · « **Reply #21 on:** October 13, 2007, 01:36:30 PM »

Quote

My windows is not orignal

I didn't see it

Just get those programs...

Ivy · « **Reply #22 on:** October 13, 2007, 02:19:28 PM »

Broni,
I Downloaded spywareterminator.
Do i need to check the boxes which say:
Make Crawler.com my default search engine.
Make Crawler. com my home page.

Ivy · « **Reply #23 on:** October 13, 2007, 02:39:32 PM »

I checked Make Crawler.com my default search engine.
Hope its ok.

Broni · « **Reply #24 on:** October 13, 2007, 02:43:52 PM »

Quote

Make Crawler. com my home page.

No, unless you fell in love with it...LOL

Quote

I checked Make Crawler.com my default search engine.

If you don't like Google, then it's your free choice.

Make sure, you check the option, STerminator starts with Windows started. Maybe, it's default, but double check under Options.
Also, right click on its taskbar icon, and click "Check for updates".

Ivy · « **Reply #25 on:** October 13, 2007, 02:51:21 PM »

Right now its installing additional files, i clicked next on ever option unless i was asked to make a choice like above in the home page n search engine.

Thanks for all the help till now Broni.
Ivy

Ivy · « **Reply #26 on:** October 13, 2007, 02:58:29 PM »

Spyware Terminator installed.
Now i have 3 options to choose from.
Scan for spyware.
Protect against spyware.
Protect against spyware and viruses.
What do i choose?

Broni · « **Reply #27 on:** October 13, 2007, 03:26:16 PM »

Since you have Trend AV installed, I'd go for:

Quote

Protect against spyware.

We don't need any conflict between Trend, and ST.

Ivy · « **Reply #28 on:** October 13, 2007, 03:40:14 PM »

Thankyou Broni.
I have run Spyware Terminator, it gave a clean report(no threats)
On the other hand im continously getting officescan notificatin messages, and my infected files are 160.
I will have to go now, but i really want to fix this.
thanks again for help till now.
Ivy

Broni · « **Reply #29 on:** October 13, 2007, 04:12:56 PM »

Ring in when you come back, and go to Kaspersky...

Ivy · « **Reply #30 on:** October 13, 2007, 10:16:40 PM »

Hi ,
Im back .
Ready for Kaspersky Scan.

Ivy · « **Reply #31 on:** October 13, 2007, 10:27:34 PM »

Broni,
Do i have to remove my antivirus to install Kaspersky ?

(Remember my windows is not orignal)

Broni · « **Reply #32 on:** October 13, 2007, 10:32:11 PM »

No. Go ahead, and do your scan.
Write down any findings.

Ivy · « **Reply #33 on:** October 13, 2007, 10:34:56 PM »

Right now its downloading the Latest Kaspersky Anti-Virus Database.
I will post the results after this finishes.

Broni · « **Reply #34 on:** October 13, 2007, 10:36:23 PM »

Cool!

Ivy · « **Reply #35 on:** October 13, 2007, 11:37:00 PM »

It says i need to disable my antivirus.
How do i disable trend micro?
Shall i simply go to msconfg and disable it from there?

Ivy · « **Reply #36 on:** October 13, 2007, 11:39:04 PM »

If i disable it from mconfg i will have to restart ,but then the installation will be stopped!!

Broni · « **Reply #37 on:** October 13, 2007, 11:46:44 PM »

Quote

Shall i simply go to msconfg and disable it from there?

No. If you have Trend icon in your taskbar (you should), right click on it, and click Exit.
If you don't, bring up Task Manager (CTRL+ALT+DEL), and look under Processes tab.

Ivy · « **Reply #38 on:** October 13, 2007, 11:51:06 PM »

There is no 'exit' option on right clicking.
I looked up in task manager processes ,its not there.

Ivy · « **Reply #39 on:** October 13, 2007, 11:52:57 PM »

There is the option of unload officescan , shall i try that?

Broni · « **Reply #40 on:** October 13, 2007, 11:53:43 PM »

Quote

There is no 'exit' option on right clicking.

Maybe, it's Quit, or Disable. It has to be SOMETHING.
What options do you have there?

Broni · « **Reply #41 on:** October 13, 2007, 11:54:59 PM »

Quote

There is the option of unload officescan , shall i try that?

Most likely...If you'll get some warning about quitting your AV - that's it.

Ivy · « **Reply #42 on:** October 14, 2007, 12:28:47 AM »

Here is the report, i cant believe i have a trojan downloader on my PC.
KASPERSKY ONLINE SCANNER REPORT
Saturday, October 13, 2007 11:25:32 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2, v.2096 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/10/2007
Kaspersky Anti-Virus database records: 435699

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 18488
Number of viruses found 1
Number of infected objects 5
Number of suspicious objects 0
Duration of the scan process 00:24:52

Infected Object Name Virus Name Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012007101320071014\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temp\~DF9CC0.tmp Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\System Volume Information\_restore{88F0CDD3-F86F-465E-A138-4DE6072B8AAA}\RP6\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\~Temp3510.tmp Infected: Trojan-Downloader.Win32.Small.eta skipped

C:\WINDOWS\~Temp5988.tmp Infected: Trojan-Downloader.Win32.Small.eta skipped

C:\WINDOWS\~Temp6143.tmp Infected: Trojan-Downloader.Win32.Small.eta skipped

C:\WINDOWS\~Temp6330.tmp Infected: Trojan-Downloader.Win32.Small.eta skipped

C:\WINDOWS\~Temp9910.tmp Infected: Trojan-Downloader.Win32.Small.eta skipped

Scan process completed.

Broni · « **Reply #43 on:** October 14, 2007, 12:39:17 AM »

I'm here...let me take a closer look

Ivy · « **Reply #44 on:** October 14, 2007, 12:54:03 AM »

Here is the critical area report.
KASPERSKY ONLINE SCANNER REPORT
Saturday, October 13, 2007 11:52:06 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2, v.2096 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/10/2007
Kaspersky Anti-Virus database records: 435717

Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target Critical Areas
C:\WINDOWS
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\

Scan Statistics
Total number of scanned objects 10653
Number of viruses found 1
Number of infected objects 5
Number of suspicious objects 0
Duration of the scan process 00:07:14

Infected Object Name Virus Name Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped

C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\~Temp3510.tmp Infected: Trojan-Downloader.Win32.Small.eta skipped

C:\WINDOWS\~Temp5988.tmp Infected: Trojan-Downloader.Win32.Small.eta skipped

C:\WINDOWS\~Temp6143.tmp Infected: Trojan-Downloader.Win32.Small.eta skipped

C:\WINDOWS\~Temp6330.tmp Infected: Trojan-Downloader.Win32.Small.eta skipped

C:\WINDOWS\~Temp9910.tmp Infected: Trojan-Downloader.Win32.Small.eta skipped

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF9CC0.tmp Object is locked skipped

Scan process completed.

Broni · « **Reply #45 on:** October 14, 2007, 12:54:25 AM »

I checked couple of sites, and I can see this particular trojan was first detected by AVG.
There is not much info about it. Google has 10 hits, 9 of them in Chinese. I tried automatic translation, but not much help there.
One thing, you can try (I'm gonna go to bed pretty soon)
Download avast!Free Virus Cleaner:
http://www.avast.com/eng/avast-virus-cleaner.html
and see what it can do.

See ya tomorrow.

Ivy · « **Reply #46 on:** October 14, 2007, 12:56:36 AM »

Thanks for help Broni,
Goodnight.

Broni · « **Reply #47 on:** October 14, 2007, 12:59:23 AM »

You can also try free a-squared:
http://www.emsisoft.com/en/software/free/
This a good tool. I have it installed on my rig, running in a real time.
Regards.

Ivy · « **Reply #48 on:** October 14, 2007, 01:02:45 AM »

Thanks i will try downloading them.
Night

Ivy · « **Reply #49 on:** October 14, 2007, 09:23:05 PM »

Broni will http://www.emsisoft.com/en/software/free/ detect or remove the Trojan?
If not we could think of somthing else.

Broni · « **Reply #50 on:** October 14, 2007, 09:32:42 PM »

From their site:

Quote

Remove infections of Trojans, Spyware, Adware, Worms, Keyloggers, Rootkits, Dialers and other malicious programs.

You may also try "Trojan Remover":
http://www.simplysup.com/tremover/download.html
It's fully functional for 30 days.

Ivy · « **Reply #51 on:** October 14, 2007, 09:33:52 PM »

Yes Boss

Broni · « **Reply #52 on:** October 14, 2007, 09:36:38 PM »

LOOOOOOOOOOL

Ivy · « **Reply #53 on:** October 15, 2007, 01:25:57 AM »

Here is my homework Broni.
a-squared Anti-Malware - Version 3.0
Last update: 10/14/2007 10:21:58 PM

Scan settings:

Objects: Memory, Traces, Cookies, C:\, D:\
Scan archives: On
Heuristics: On
ADS Scan: On

Scan start:   10/14/2007 10:22:51 PM

C:\Documents and Settings\Administrator\Cookies\administrator@computerhope[2].txt    detected: Trace.TrackingCookie
C:\WINDOWS\AppPatch\AcLue.dll    detected: Trojan-Spy.Win32.FtpSend.a
C:\WINDOWS\~Temp3510.tmp    detected: Trojan-Downloader.Win32.Small.eta
C:\WINDOWS\~Temp5988.tmp    detected: Trojan-Downloader.Win32.Small.eta
C:\WINDOWS\~Temp6143.tmp    detected: Trojan-Downloader.Win32.Small.eta
C:\WINDOWS\~Temp6330.tmp    detected: Trojan-Downloader.Win32.Small.eta
C:\WINDOWS\~Temp9198.tmp    detected: Trojan-Downloader.Win32.Small.eta
C:\WINDOWS\~Temp9910.tmp    detected: Trojan-Downloader.Win32.Small.eta

Scanned

Files:    32127
Traces:    338752
Cookies:    29
Processes:    32

Found

Files:    7
Traces:    0
Cookies:    1
Processes:    0
Registry keys:    0

Scan end:   10/14/2007 10:40:52 PM
Scan time:   12:18:01 AM

Now after this result and after removing the above detected things , i restarted my comp, and scanned again and the trojan reappeared, what to do now , i have a few ideas but i need your advice first.
Thanks Broni

Ivy · « **Reply #54 on:** October 15, 2007, 03:26:28 AM »

OK , here is my latest scan report with location
a-squared Anti-Malware - Version 3.0
Last update: 10/14/2007 10:21:58 PM

Scan settings:

Objects: Memory, Traces, Cookies, C:\, D:\
Scan archives: On
Heuristics: On
ADS Scan: On

Scan start:   10/15/2007 1:22:54 AM

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\PQ0A2U4N\x[1].exe    detected: Trojan-Downloader.Win32.Small.eta
C:\System Volume Information\_restore{88F0CDD3-F86F-465E-A138-4DE6072B8AAA}\RP6\A0019378.dll    detected: Trojan-Spy.Win32.FtpSend.a
C:\WINDOWS\~Temp5288.tmp    detected: Trojan-Downloader.Win32.Small.eta

Scanned

Files:    32514
Traces:    338752
Cookies:    27
Processes:    34

Found

Files:    3
Traces:    0
Cookies:    0
Processes:    0
Registry keys:    0

Scan end:   10/15/2007 1:45:45 AM
Scan time:   12:22:51 AM
Since this Trojan Downloader is in Temp files , i tried to delete the Temp files in my C:\ files , but it says i cant delete them as they are used by another program.

Broni ,
The a-squared Anti malware seems to be working , it gave a message that Trojan downloader is tryng to connect to internet , it asked me to allow or deny it, i clicked on Always deny it, since then im not getting any warnings.

I clicked on the description of Trojan Downloader in a-squared Anti malware console (there was the option to click on the trojan name and find info on it , i also did some search in google), It said that a Trojan downloader is a program which downloads programs into your computer, This Trojan downloads files from the Internet without the knowledge or consent of the user. The Trojan itself is a Windows PE EXE file 3072 bytes in size. It is not packed in any way.

When launched, the Trojan checks whether the victim machine is connected to the Internet. If a connection is detected, the Trojan will download the following files from u***ti.lycos.it/vx9:

Trojan Downloader comes with a download which appers to do nothing , like a game download etc. It sends the information of your Hard Drive to the internet.
So i was thinking that i will scan my comp again and even if my comp is protected now , what about the already infected files......

I also tried to go to http://www.simplysup.com/tremover/download.html, but i get a warning that this site is dangerous .
Waaaaa what should i do Broni!!!!!!!

Broni · « **Reply #55 on:** October 15, 2007, 09:04:40 AM »

Well, we are making little progress.
I'm not clear on one thing, though. What was a-squared final say. It couldn't remove all of that trojan, or what?

Quote

I also tried to go to http://www.simplysup.com/tremover/download.html, but i get a warning that this site is dangerous

You got that warning from where?
That download is recommended by Softpedia, so it shouldn't be dangerous. I went there, and I'm still alive...LOL

Ivy · « **Reply #56 on:** October 15, 2007, 09:14:53 AM »

Quote from: Broni on October 15, 2007, 09:04:40 AM

Well, we are making little progress.
I'm not clear on one thing, though. What was a-squared final say. It couldn't remove all of that trojan, or what?

It removed everything that it detected but it keeps giving me those notifications that Trojan-Downloader.Win32.Small.eta is trying to execute somthing allow or deny , so i select deny, In the latest scan it showed no infection , i wonder why it gives the message then!!

Quote from: Broni on October 15, 2007, 09:04:40 AM

You got that warning from where?

It was a Web Security Guard Warning.

Quote from: Broni on October 15, 2007, 09:04:40 AM

That download is recommended by Softpedia, so it shouldn't be dangerous. I went there, and I'm still alive...LOL

Im glad you are doing fine and I pray that you continue to do well

Broni · « **Reply #57 on:** October 15, 2007, 09:46:17 AM »

LOL....Just get that thing...

Ivy · « **Reply #58 on:** October 15, 2007, 10:23:25 AM »

It downloaded the whole thing but then it says the files are corrupted .......it asks me to download again .
Im downloading again......reminds me of the problem that person had in the other thread , you told him to download TCP somthing $:-\$
Shall i ?

Ivy · « **Reply #59 on:** October 15, 2007, 10:42:43 AM »

The download is complete , im updating right now......

Broni · « **Reply #60 on:** October 15, 2007, 10:49:14 AM »

TCP Optimizer

Ivy · « **Reply #61 on:** October 15, 2007, 10:54:04 AM »

Here is the Log for Trojan Remover.
***** NORMAL SCAN FOR ACTIVE MALWARE *****
Trojan Remover Ver 6.6.2.2492. For information, email [email protected]
[Unregistered version]
Scan started at: 10/15/2007 10:17:17 PM
Using Database v6875
Operating System: Windows XP Professional Service Pack 2, v.2096 (Build 2600)
Data directory: C:\Documents and Settings\Administrator\Application Data\Simply Super Software\Trojan Remover\
Logfile directory: C:\Documents and Settings\Administrator\My Documents\Simply Super Software\Trojan Remover Logfiles\
Program directory: C:\Program Files\Trojan Remover\
Running with Administrator privileges

Ivy · « **Reply #62 on:** October 15, 2007, 10:54:50 AM »

**************************************************
Checking Registry exefile command for modifications
Checking Registry comfile command for modifications
Checking Registry piffile command for modifications
Checking Registry batfile command for modifications
Checking Registry regfile command for modifications
Checking Registry cmdfile command for modifications
Checking Registry scrfile command for modifications

**************************************************
10:17:17 PM: Scanning ----------WIN.INI-----------
WIN.INI found in C:\WINDOWS

**************************************************
10:17:17 PM: Scanning --------SYSTEM.INI---------
SYSTEM.INI found in C:\WINDOWS

**************************************************
10:17:17 PM: ----- SCANNING FOR ROOTKIT SERVICES -----
No hidden Services were detected.
**************************************************
10:17:17 PM: Scanning -----WINDOWS REGISTRY-----
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon
This key's "Shell" value calls the following program(s):
Explorer.exe - this entry has been left in place
----------
This key's "Userinit" value calls the following program(s):
C:\WINDOWS\system32\userinit.exe - this entry has been left in place
----------
This key's "System" value appears to be blank
----------
This key's "UIHost" value calls the following program:
logonui.exe - this entry has been left in place
----------

Ivy · « **Reply #63 on:** October 15, 2007, 10:55:24 AM »

--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
--------------------
Checking HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
Value Name = load
The Data Value for this entry appears to be blank
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
This Registry Key attempts to run the following program(s):
Value Name = IgfxTray
Value Data = C:\WINDOWS\system32\igfxtray.exe - this command has been left in place
--------------------
Value Name = HotKeysCmds
Value Data = C:\WINDOWS\system32\hkcmd.exe - this command has been left in place
--------------------
Value Name = Cmaudio
Value Data = RunDll32 cmicnfg.cpl,CMICtrlWnd - this command has been left in place [file not found to scan]
--------------------
Value Name = WinampAgent
Value Data = C:\Program Files\Winamp\winampa.exe - this command has been left in place
--------------------
Value Name = OfficeScanNT Monitor
Value Data = C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe" -HideWindow - this command has been left in place
--------------------
Value Name = SpywareTerminator
Value Data = C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe - this command has been left in place
--------------------
Value Name = a-squared
Value Data = C:\Program Files\a-squared Anti-Malware\a2guard.exe - this command has been left in place
--------------------
Value Name = TrojanScanner
Value Data = C:\Program Files\Trojan Remover\Trjscan.exe - this program is Trojan Remover's own scan file
--------------------
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
This Registry Key appears to be empty
--------------------
Checking HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx
This Registry Key appears to be empty
--------------------
Checking HKCU\Software\Microsoft\Windows\CurrentVersion\Run
This Registry Key attempts to run the following program(s):
Value Name = SifyBB
Value Data = C:\Program Files\Sify Broadband\BBImpSec.exe - this command has been left in place
--------------------
Value Name = MSMSGS
Value Data = C:\Program Files\Messenger\msmsgs.exe" /background - this command has been left in place
--------------------
Value Name = SpybotSD TeaTimer
Value Data = C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe - this command has been left in place
--------------------

**************************************************
10:17:18 PM: Scanning -----SHELLEXECUTEHOOKS-----
ValueName: {AEB6717E-7E19-11d0-97EE-00C04FD91972}
File: shell32.dll - this file is expected and has been left in place
----------

**************************************************
10:17:18 PM: Scanning -----HIDDEN REGISTRY ENTRIES-----
Taskdir check completed
----------
No Hidden File-loading Registry Entries found
----------

**************************************************
10:17:19 PM: Scanning -----ACTIVE SCREENSAVER-----
ScreenSaver=C:\WINDOWS\System32\logon.scr - this command has been left in place
--------------------

**************************************************
10:17:19 PM: Scanning ----- REGISTRY ACTIVE SETUP KEYS -----
Checking the StubPath calls in the Active Setup\Installed Components registry keys:
Key=>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}
StubPath=C:\WINDOWS\inf\unregmp2.exe - this reference has been left in place
----------
Key=>{26923b43-4d38-484f-9b9e-de460746276c}
StubPath=C:\WINDOWS\system32\shmgrate.exe - this reference has been left in place
----------
Key=>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}
StubPath=C:\WINDOWS\system32\shmgrate.exe - this reference has been left in place
----------
Key={2C7339CF-2B09-4501-B3F3-F3508C9228ED}
StubPath=C:\WINDOWS\system32\regsvr32.exe - this reference has been left in place
----------
Key={44BBA840-CC51-11CF-AAFA-00AA00B6015C}
StubPath=C:\Program Files\Outlook Express\setup50.exe - this reference has been left in place
----------
Key={7790769C-0471-11d2-AF11-00C04FA35D02}
StubPath=C:\Program Files\Outlook Express\setup50.exe - this reference has been left in place
----------
Key={89820200-ECBD-11cf-8B85-00AA005B4340}
StubPath=regsvr32.exe - this reference has been left in place
----------
Key={89820200-ECBD-11cf-8B85-00AA005B4383}
StubPath=C:\WINDOWS\system32\ie4uinit.exe - this reference has been left in place
----------

**************************************************
10:17:20 PM: Scanning ----- SERVICEDLL REGISTRY KEYS -----
Checking DLL files called from the CurrentControlSet\Services Keys:
--------------------
Key=Alerter
ServiceDLL=%SystemRoot%\system32\alrsvc.dll - this reference has been left in place
--------------------
Key=AppMgmt
ServiceDLL=%SystemRoot%\System32\appmgmts.dll - this reference has been left in place
--------------------
Key=AudioSrv
ServiceDLL=%SystemRoot%\System32\audiosrv.dll - this reference has been left in place
--------------------
Key=BITS
ServiceDLL=C:\WINDOWS\system32\qmgr.dll - this reference has been left in place
--------------------
Key=Browser
ServiceDLL=%SystemRoot%\System32\browser.dll - this reference has been left in place
--------------------
Key=CryptSvc
ServiceDLL=%SystemRoot%\System32\cryptsvc.dll - this reference has been left in place
--------------------
Key=DcomLaunch
ServiceDLL=%SystemRoot%\system32\rpcss.dll - this reference has been left in place
--------------------
Key=Dhcp
ServiceDLL=%SystemRoot%\System32\dhcpcsvc.dll - this reference has been left in place
--------------------
Key=dmserver
ServiceDLL=%SystemRoot%\System32\dmserver.dll - this reference has been left in place
--------------------
Key=Dnscache
ServiceDLL=%SystemRoot%\System32\dnsrslvr.dll - this reference has been left in place
--------------------
Key=ERSvc
ServiceDLL=%SystemRoot%\System32\ersvc.dll - this reference has been left in place
--------------------
Key=EventSystem
ServiceDLL=C:\WINDOWS\system32\es.dll - this reference has been left in place
--------------------
Key=FastUserSwitchingCompatibility
ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place
--------------------
Key=helpsvc
ServiceDLL=%WINDIR%\PCHealth\HelpCtr\Binaries\pchsvc.dll - this reference has been left in place
--------------------
Key=HidServ
ServiceDLL=%SystemRoot%\System32\hidserv.dll - this file is globally excluded (file cannot be found)
--------------------
Key=HTTPFilter
ServiceDLL=%SystemRoot%\System32\w3ssl.dll - this reference has been left in place
--------------------
Key=lanmanserver
ServiceDLL=%SystemRoot%\System32\srvsvc.dll - this reference has been left in place
--------------------
Key=lanmanworkstation
ServiceDLL=%SystemRoot%\System32\wkssvc.dll - this reference has been left in place
--------------------
Key=LmHosts
ServiceDLL=%SystemRoot%\System32\lmhsvc.dll - this reference has been left in place
--------------------
Key=Messenger
ServiceDLL=%SystemRoot%\System32\msgsvc.dll - this reference has been left in place
--------------------
Key=Netman
ServiceDLL=%SystemRoot%\System32\netman.dll - this reference has been left in place
--------------------
Key=Nla
ServiceDLL=%SystemRoot%\System32\mswsock.dll - this reference has been left in place
--------------------
Key=NtmsSvc
ServiceDLL=%SystemRoot%\system32\ntmssvc.dll - this reference has been left in place
--------------------
Key=RasAuto
ServiceDLL=%SystemRoot%\System32\rasauto.dll - this reference has been left in place
--------------------
Key=RasMan
ServiceDLL=%SystemRoot%\System32\rasmans.dll - this reference has been left in place
--------------------
Key=RemoteAccess
ServiceDLL=%SystemRoot%\System32\mprdim.dll - this reference has been left in place
--------------------
Key=RemoteRegistry
ServiceDLL=%SystemRoot%\system32\regsvc.dll - this reference has been left in place
--------------------
Key=RpcSs
ServiceDLL=%SystemRoot%\system32\rpcss.dll - this reference has been left in place
--------------------
Key=Schedule
ServiceDLL=%SystemRoot%\system32\schedsvc.dll - this reference has been left in place
--------------------
Key=seclogon
ServiceDLL=%SystemRoot%\System32\seclogon.dll - this reference has been left in place
--------------------
Key=SENS
ServiceDLL=%SystemRoot%\system32\sens.dll - this reference has been left in place
--------------------
Key=SharedAccess
ServiceDLL=%SystemRoot%\System32\ipnathlp.dll - this reference has been left in place
--------------------
Key=ShellHWDetection
ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place
--------------------
Key=srservice
ServiceDLL=C:\WINDOWS\system32\srsvc.dll - this reference has been left in place
--------------------

Ivy · « **Reply #64 on:** October 15, 2007, 11:03:04 AM »

--------------------
Key=SSDPSRV
ServiceDLL=%SystemRoot%\System32\ssdpsrv.dll - this reference has been left in place
--------------------
Key=stisvc
ServiceDLL=%SystemRoot%\system32\wiaservc.dll - this reference has been left in place
--------------------
Key=TapiSrv
ServiceDLL=%SystemRoot%\System32\tapisrv.dll - this reference has been left in place
--------------------
Key=TermService
ServiceDLL=%SystemRoot%\System32\termsrv.dll - this reference has been left in place
--------------------
Key=Themes
ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place
--------------------
Key=TrkWks
ServiceDLL=%SystemRoot%\system32\trkwks.dll - this reference has been left in place
--------------------
Key=upnphost
ServiceDLL=%SystemRoot%\System32\upnphost.dll - this reference has been left in place
--------------------
Key=W32Time
ServiceDLL=C:\WINDOWS\system32\w32time.dll - this reference has been left in place
--------------------
Key=WebClient
ServiceDLL=%SystemRoot%\System32\webclnt.dll - this reference has been left in place
--------------------
Key=winmgmt
ServiceDLL=%SystemRoot%\system32\wbem\WMIsvc.dll - this reference has been left in place
--------------------
Key=WmdmPmSN
ServiceDLL=C:\WINDOWS\system32\mspmsnsv.dll - this reference has been left in place
--------------------
Key=Wmi
ServiceDLL=%SystemRoot%\System32\advapi32.dll - this reference has been left in place
--------------------
Key=wscsvc
ServiceDLL=%SYSTEMROOT%\system32\wscsvc.dll - this reference has been left in place
--------------------
Key=wuauserv
ServiceDLL=C:\WINDOWS\system32\wuauserv.dll - this reference has been left in place
--------------------
Key=WZCSVC
ServiceDLL=%SystemRoot%\System32\wzcsvc.dll - this reference has been left in place
--------------------
Key=xmlprov
ServiceDLL=%SystemRoot%\System32\xmlprov.dll - this reference has been left in place

**************************************************
10:17:24 PM: Scanning ----- SERVICES REGISTRY KEYS -----
Checking files called from the CurrentControlSet\Services Keys:
Key=a2AntiMalware
ImagePath="C:\Program Files\a-squared Anti-Malware\a2service.exe" - this reference has been left in place
----------
Key=ACPI
ImagePath=system32\DRIVERS\ACPI.sys - this reference has been left in place
----------
Key=aec
ImagePath=system32\drivers\aec.sys - this reference has been left in place
----------
Key=AFD
ImagePath=\SystemRoot\System32\drivers\afd.sys - this reference has been left in place
----------
Key=ALG
ImagePath=%SystemRoot%\System32\alg.exe - this reference has been left in place
----------
Key=arp8023
ImagePath=\SystemRoot\system32\drivers\arp8023.sys - this reference has been removed [file not found to scan]
----------
Key=AsyncMac
ImagePath=system32\DRIVERS\asyncmac.sys - this reference has been left in place
----------
Key=atapi
ImagePath=system32\DRIVERS\atapi.sys - this reference has been left in place
----------
Key=Atmarpc
ImagePath=system32\DRIVERS\atmarpc.sys - this reference has been left in place
----------
Key=audstub
ImagePath=system32\DRIVERS\audstub.sys - this reference has been left in place
----------
Key=Cdrom
ImagePath=system32\DRIVERS\cdrom.sys - this reference has been left in place
----------
Key=CiSvc
ImagePath=%SystemRoot%\system32\cisvc.exe - this reference has been left in place
----------
Key=ClipSrv
ImagePath=%SystemRoot%\system32\clipsrv.exe - this reference has been left in place
----------
Key=cmuda
ImagePath=system32\drivers\cmuda.sys - this reference has been left in place
----------
Key=COMSysApp
ImagePath=C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} - this reference has been left in place
----------
Key=Disk
ImagePath=system32\DRIVERS\disk.sys - this reference has been left in place
----------
Key=dmadmin
ImagePath=%SystemRoot%\System32\dmadmin.exe /com - this reference has been left in place
----------
Key=dmboot
ImagePath=System32\drivers\dmboot.sys - this reference has been left in place
----------
Key=dmio
ImagePath=System32\drivers\dmio.sys - this reference has been left in place
----------
Key=dmload
ImagePath=System32\drivers\dmload.sys - this reference has been left in place
----------
Key=DMusic
ImagePath=system32\drivers\DMusic.sys - this reference has been left in place
----------
Key=drmkaud
ImagePath=system32\drivers\drmkaud.sys - this reference has been left in place
----------
Key=Eventlog
ImagePath=%SystemRoot%\system32\services.exe - this reference has been left in place
----------
Key=Fdc
ImagePath=system32\DRIVERS\fdc.sys - this reference has been left in place
----------
Key=Flpydisk
ImagePath=system32\DRIVERS\flpydisk.sys - this reference has been left in place
----------
Key=FltMgr
ImagePath=system32\DRIVERS\fltMgr.sys - this reference has been left in place
----------
Key=Ftdisk
ImagePath=system32\DRIVERS\ftdisk.sys - this reference has been left in place
----------
Key=Gpc
ImagePath=system32\DRIVERS\msgpc.sys - this reference has been left in place
----------
Key=HSFHWBS2
ImagePath=system32\DRIVERS\HSFBS2S2.sys - this reference has been left in place
----------
Key=HSF_DP
ImagePath=system32\DRIVERS\HSFDPSP2.sys - this reference has been left in place
----------
Key=HTTP
ImagePath=System32\Drivers\HTTP.sys - this reference has been left in place
----------
Key=i8042prt
ImagePath=system32\DRIVERS\i8042prt.sys - this reference has been left in place
----------
Key=ialm
ImagePath=system32\DRIVERS\ialmnt5.sys - this reference has been left in place
----------
Key=Imapi
ImagePath=system32\DRIVERS\imapi.sys - this reference has been left in place
----------
Key=ImapiService
ImagePath=C:\WINDOWS\system32\imapi.exe - this reference has been left in place
----------
Key=IntelIde
ImagePath=system32\DRIVERS\intelide.sys - this reference has been left in place
----------

Broni · « **Reply #65 on:** October 15, 2007, 11:05:50 AM »

Nothing found, I assume?

Ivy · « **Reply #66 on:** October 15, 2007, 11:07:19 AM »

--------------------
Key=SSDPSRV
ServiceDLL=%SystemRoot%\System32\ssdpsrv.dll - this reference has been left in place
--------------------
Key=stisvc
ServiceDLL=%SystemRoot%\system32\wiaservc.dll - this reference has been left in place
--------------------
Key=TapiSrv
ServiceDLL=%SystemRoot%\System32\tapisrv.dll - this reference has been left in place
--------------------
Key=TermService
ServiceDLL=%SystemRoot%\System32\termsrv.dll - this reference has been left in place
--------------------
Key=Themes
ServiceDLL=%SystemRoot%\System32\shsvcs.dll - this reference has been left in place
--------------------
Key=TrkWks
ServiceDLL=%SystemRoot%\system32\trkwks.dll - this reference has been left in place
--------------------
Key=upnphost
ServiceDLL=%SystemRoot%\System32\upnphost.dll - this reference has been left in place
--------------------
Key=W32Time
ServiceDLL=C:\WINDOWS\system32\w32time.dll - this reference has been left in place
--------------------
Key=WebClient
ServiceDLL=%SystemRoot%\System32\webclnt.dll - this reference has been left in place
--------------------
Key=winmgmt
ServiceDLL=%SystemRoot%\system32\wbem\WMIsvc.dll - this reference has been left in place
--------------------
Key=WmdmPmSN
ServiceDLL=C:\WINDOWS\system32\mspmsnsv.dll - this reference has been left in place
--------------------
Key=Wmi
ServiceDLL=%SystemRoot%\System32\advapi32.dll - this reference has been left in place
--------------------
Key=wscsvc
ServiceDLL=%SYSTEMROOT%\system32\wscsvc.dll - this reference has been left in place
--------------------
Key=wuauserv
ServiceDLL=C:\WINDOWS\system32\wuauserv.dll - this reference has been left in place
--------------------
Key=WZCSVC
ServiceDLL=%SystemRoot%\System32\wzcsvc.dll - this reference has been left in place
--------------------
Key=xmlprov
ServiceDLL=%SystemRoot%\System32\xmlprov.dll - this reference has been left in place

**************************************************
10:17:24 PM: Scanning ----- SERVICES REGISTRY KEYS -----
Checking files called from the CurrentControlSet\Services Keys:
Key=a2AntiMalware
ImagePath="C:\Program Files\a-squared Anti-Malware\a2service.exe" - this reference has been left in place
----------
Key=ACPI
ImagePath=system32\DRIVERS\ACPI.sys - this reference has been left in place
----------
Key=aec
ImagePath=system32\drivers\aec.sys - this reference has been left in place
----------
Key=AFD
ImagePath=\SystemRoot\System32\drivers\afd.sys - this reference has been left in place
----------
Key=ALG
ImagePath=%SystemRoot%\System32\alg.exe - this reference has been left in place
----------
Key=arp8023
ImagePath=\SystemRoot\system32\drivers\arp8023.sys - this reference has been removed [file not found to scan]
----------
Key=AsyncMac
ImagePath=system32\DRIVERS\asyncmac.sys - this reference has been left in place
----------
Key=atapi
ImagePath=system32\DRIVERS\atapi.sys - this reference has been left in place
----------
Key=Atmarpc
ImagePath=system32\DRIVERS\atmarpc.sys - this reference has been left in place
----------
Key=audstub
ImagePath=system32\DRIVERS\audstub.sys - this reference has been left in place
----------
Key=Cdrom
ImagePath=system32\DRIVERS\cdrom.sys - this reference has been left in place
----------
Key=CiSvc
ImagePath=%SystemRoot%\system32\cisvc.exe - this reference has been left in place
----------
Key=ClipSrv
ImagePath=%SystemRoot%\system32\clipsrv.exe - this reference has been left in place
----------
Key=cmuda
ImagePath=system32\drivers\cmuda.sys - this reference has been left in place
----------
Key=COMSysApp
ImagePath=C:\WINDOWS\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235} - this reference has been left in place
----------
Key=Disk
ImagePath=system32\DRIVERS\disk.sys - this reference has been left in place
----------
Key=dmadmin
ImagePath=%SystemRoot%\System32\dmadmin.exe /com - this reference has been left in place
----------
Key=dmboot
ImagePath=System32\drivers\dmboot.sys - this reference has been left in place
----------
Key=dmio
ImagePath=System32\drivers\dmio.sys - this reference has been left in place
----------
Key=dmload
ImagePath=System32\drivers\dmload.sys - this reference has been left in place
----------
Key=DMusic
ImagePath=system32\drivers\DMusic.sys - this reference has been left in place
----------
Key=drmkaud
ImagePath=system32\drivers\drmkaud.sys - this reference has been left in place
----------
Key=Eventlog
ImagePath=%SystemRoot%\system32\services.exe - this reference has been left in place
----------
Key=Fdc
ImagePath=system32\DRIVERS\fdc.sys - this reference has been left in place
----------
Key=Flpydisk
ImagePath=system32\DRIVERS\flpydisk.sys - this reference has been left in place
----------
Key=FltMgr
ImagePath=system32\DRIVERS\fltMgr.sys - this reference has been left in place
----------
Key=Ftdisk
ImagePath=system32\DRIVERS\ftdisk.sys - this reference has been left in place
----------
Key=Gpc
ImagePath=system32\DRIVERS\msgpc.sys - this reference has been left in place
----------
Key=HSFHWBS2
ImagePath=system32\DRIVERS\HSFBS2S2.sys - this reference has been left in place
----------
Key=HSF_DP
ImagePath=system32\DRIVERS\HSFDPSP2.sys - this reference has been left in place
----------
Key=HTTP
ImagePath=System32\Drivers\HTTP.sys - this reference has been left in place
----------
Key=i8042prt
ImagePath=system32\DRIVERS\i8042prt.sys - this reference has been left in place
----------
Key=ialm
ImagePath=system32\DRIVERS\ialmnt5.sys - this reference has been left in place
----------
Key=Imapi
ImagePath=system32\DRIVERS\imapi.sys - this reference has been left in place
----------
Key=ImapiService
ImagePath=C:\WINDOWS\system32\imapi.exe - this reference has been left in place
----------
Key=IntelIde
ImagePath=system32\DRIVERS\intelide.sys - this reference has been left in place
----------
Key=Ip6Fw
ImagePath=system32\DRIVERS\Ip6Fw.sys - this reference has been left in place
----------
Key=IpFilterDriver
ImagePath=system32\DRIVERS\ipfltdrv.sys - this reference has been left in place
----------
Key=IpInIp
ImagePath=system32\DRIVERS\ipinip.sys - this reference has been left in place
----------
Key=IpNat
ImagePath=system32\DRIVERS\ipnat.sys - this reference has been left in place
----------
Key=IPSec
ImagePath=system32\DRIVERS\ipsec.sys - this reference has been left in place
----------
Key=IRENUM
ImagePath=system32\DRIVERS\irenum.sys - this reference has been left in place
----------
Key=isapnp
ImagePath=system32\DRIVERS\isapnp.sys - this reference has been left in place
----------
Key=Kbdclass
ImagePath=system32\DRIVERS\kbdclass.sys - this reference has been left in place
----------
Key=kmixer
ImagePath=system32\drivers\kmixer.sys - this reference has been left in place
----------
Key=MDM
ImagePath="C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE" - this reference has been left in place
----------
Key=mdmxsdk
ImagePath=system32\DRIVERS\mdmxsdk.sys - this reference has been left in place
----------
Key=mnmsrvc
ImagePath=C:\WINDOWS\system32\mnmsrvc.exe - this reference has been left in place
----------
Key=Mouclass
ImagePath=system32\DRIVERS\mouclass.sys - this reference has been left in place
----------
Key=MRxDAV
ImagePath=system32\DRIVERS\mrxdav.sys - this reference has been left in place
----------
Key=MRxSmb
ImagePath=system32\DRIVERS\mrxsmb.sys - this reference has been left in place
----------
Key=MSDTC
ImagePath=C:\WINDOWS\system32\msdtc.exe - this reference has been left in place
----------
Key=MSIServer
ImagePath=C:\WINDOWS\system32\msiexec.exe /V - this reference has been left in place
----------
Key=MSKSSRV
ImagePath=system32\drivers\MSKSSRV.sys - this reference has been left in place
----------
Key=MSPCLOCK
ImagePath=system32\drivers\MSPCLOCK.sys - this reference has been left in place
----------
Key=MSPQM
ImagePath=system32\drivers\MSPQM.sys - this reference has been left in place
----------
Key=mssmbios
ImagePath=system32\DRIVERS\mssmbios.sys - this reference has been left in place
----------
Key=NdisTapi
ImagePath=system32\DRIVERS\ndistapi.sys - this reference has been left in place
----------
Key=Ndisuio
ImagePath=system32\DRIVERS\ndisuio.sys - this reference has been left in place
----------
Key=NdisWan
ImagePath=system32\DRIVERS\ndiswan.sys - this reference has been left in place
----------
Key=NetBIOS
ImagePath=system32\DRIVERS\netbios.sys - this reference has been left in place
----------
Key=NetBT
ImagePath=system32\DRIVERS\netbt.sys - this reference has been left in place
----------
Key=NetDDE
ImagePath=%SystemRoot%\system32\netdde.exe - this reference has been left in place
----------
Key=NetDDEdsdm
ImagePath=%SystemRoot%\system32\netdde.exe - this reference has been left in place
----------
Key=Netlogon
ImagePath=%SystemRoot%\system32\lsass.exe - this reference has been left in place
----------
Key=NtLmSsp
ImagePath=%SystemRoot%\system32\lsass.exe - this reference has been left in place
----------
Key=ntrtscan
ImagePath="C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe" - this reference has been left in place

Ivy · « **Reply #67 on:** October 15, 2007, 11:08:09 AM »

----------
Key=nvmini
ImagePath=system32\DRIVERS\nvmini.sys - this reference has been removed [file not found to scan]
----------
Key=NwlnkFlt
ImagePath=system32\DRIVERS\nwlnkflt.sys - this reference has been left in place
----------
Key=NwlnkFwd
ImagePath=system32\DRIVERS\nwlnkfwd.sys - this reference has been left in place
----------
Key=ose
ImagePath="C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE" - this reference has been left in place
----------
Key=Parport
ImagePath=system32\DRIVERS\parport.sys - this reference has been left in place
----------
Key=PCI
ImagePath=system32\DRIVERS\pci.sys - this reference has been left in place
----------
Key=PCIIde
ImagePath=system32\DRIVERS\pciide.sys - this reference has been left in place
----------
Key=PlugPlay
ImagePath=%SystemRoot%\system32\services.exe - this reference has been left in place
----------
Key=PolicyAgent
ImagePath=%SystemRoot%\system32\lsass.exe - this reference has been left in place
----------
Key=PptpMiniport
ImagePath=system32\DRIVERS\raspptp.sys - this reference has been left in place
----------
Key=Processor
ImagePath=system32\DRIVERS\processr.sys - this reference has been left in place
----------
Key=ProtectedStorage
ImagePath=%SystemRoot%\system32\lsass.exe - this reference has been left in place
----------
Key=PSched
ImagePath=system32\DRIVERS\psched.sys - this reference has been left in place
----------
Key=Ptilink
ImagePath=system32\DRIVERS\ptilink.sys - this reference has been left in place
----------
Key=PxHelp20
ImagePath=system32\DRIVERS\PxHelp20.sys - this reference has been left in place
----------
Key=RasAcd
ImagePath=system32\DRIVERS\rasacd.sys - this reference has been left in place
----------
Key=Rasl2tp
ImagePath=system32\DRIVERS\rasl2tp.sys - this reference has been left in place
----------
Key=RasPppoe
ImagePath=system32\DRIVERS\raspppoe.sys - this reference has been left in place
----------
Key=Raspti
ImagePath=system32\DRIVERS\raspti.sys - this reference has been left in place
----------
Key=Rdbss
ImagePath=system32\DRIVERS\rdbss.sys - this reference has been left in place
----------
Key=RDPCDD
ImagePath=System32\DRIVERS\RDPCDD.sys - this reference has been left in place
----------
Key=rdpdr
ImagePath=system32\DRIVERS\rdpdr.sys - this reference has been left in place
----------
Key=RDSessMgr
ImagePath=C:\WINDOWS\system32\sessmgr.exe - this reference has been left in place
----------
Key=redbook
ImagePath=system32\DRIVERS\redbook.sys - this reference has been left in place
----------
Key=RpcLocator
ImagePath=%SystemRoot%\system32\locator.exe - this reference has been left in place
----------
Key=RSVP
ImagePath=%SystemRoot%\system32\rsvp.exe - this reference has been left in place
----------
Key=rtl8139
ImagePath=system32\DRIVERS\RTL8139.SYS - this reference has been left in place
----------
Key=SamSs
ImagePath=%SystemRoot%\system32\lsass.exe - this reference has been left in place
----------
Key=SCardDrv
ImagePath=%SystemRoot%\System32\SCardSvr.exe - this reference has been left in place
----------
Key=SCardSvr
ImagePath=%SystemRoot%\System32\SCardSvr.exe - this reference has been left in place
----------
Key=Secdrv
ImagePath=system32\DRIVERS\secdrv.sys - this reference has been left in place
----------
Key=serenum
ImagePath=system32\DRIVERS\serenum.sys - this reference has been left in place
----------
Key=Serial
ImagePath=system32\DRIVERS\serial.sys - this reference has been left in place
----------
Key=splitter
ImagePath=system32\drivers\splitter.sys - this reference has been left in place
----------
Key=Spooler
ImagePath=%SystemRoot%\system32\spoolsv.exe - this reference has been left in place
----------
Key=sp_rsdrv2
ImagePath=\??\C:\WINDOWS\system32\drivers\sp_rsdrv2.sys - this reference has been left in place
----------
Key=sp_rssrv
ImagePath=C:\PROGRA~1\SPYWAR~1\sp_rsser.exe - this reference has been left in place
----------
Key=sr
ImagePath=system32\DRIVERS\sr.sys - this reference has been left in place
----------
Key=Srv
ImagePath=system32\DRIVERS\srv.sys - this reference has been left in place
----------
Key=swenum
ImagePath=system32\DRIVERS\swenum.sys - this reference has been left in place
----------
Key=swmidi
ImagePath=system32\drivers\swmidi.sys - this reference has been left in place
----------
Key=SwPrv
ImagePath=C:\WINDOWS\system32\dllhost.exe /Processid:{4E25DA22-5178-4094-9642-FFDEECAAE98E} - this reference has been left in place
----------
Key=sysaudio
ImagePath=system32\drivers\sysaudio.sys - this reference has been left in place
----------
Key=SysmonLog
ImagePath=%SystemRoot%\system32\smlogsvc.exe - this reference has been left in place
----------
Key=Tcpip
ImagePath=system32\DRIVERS\tcpip.sys - this reference has been left in place
----------
Key=TermDD
ImagePath=system32\DRIVERS\termdd.sys - this reference has been left in place
----------
Key=TlntSvr
ImagePath=C:\WINDOWS\system32\tlntsvr.exe - this reference has been left in place
----------
Key=tmcomm
ImagePath=\??\C:\WINDOWS\system32\drivers\tmcomm.sys - this reference has been left in place
----------
Key=TmFilter
ImagePath=\??\C:\Program Files\Trend Micro\OfficeScan Client\TmXPFlt.sys - this reference has been left in place
----------
Key=tmlisten
ImagePath="C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe" - this reference has been left in place
----------
Key=TmPreFilter
ImagePath=\??\C:\Program Files\Trend Micro\OfficeScan Client\TmPreFlt.sys - this reference has been left in place
----------
Key=Update
ImagePath=system32\DRIVERS\update.sys - this reference has been left in place
----------
Key=UPS
ImagePath=%SystemRoot%\System32\ups.exe - this reference has been left in place
----------
Key=usbehci
ImagePath=system32\DRIVERS\usbehci.sys - this reference has been left in place
----------
Key=usbhub
ImagePath=system32\DRIVERS\usbhub.sys - this reference has been left in place
----------
Key=USBSTOR
ImagePath=system32\DRIVERS\USBSTOR.SYS - this reference has been left in place
----------
Key=usbuhci
ImagePath=system32\DRIVERS\usbuhci.sys - this reference has been left in place
----------
Key=VgaSave
ImagePath=\SystemRoot\System32\drivers\vga.sys - this reference has been left in place
----------
Key=VSApiNt
ImagePath=\??\C:\Program Files\Trend Micro\OfficeScan Client\VSApiNt.sys - this reference has been left in place
----------
Key=VSS
ImagePath=%SystemRoot%\System32\vssvc.exe - this reference has been left in place
----------
Key=Wanarp
ImagePath=system32\DRIVERS\wanarp.sys - this reference has been left in place
----------
Key=wdmaud
ImagePath=system32\drivers\wdmaud.sys - this reference has been left in place
----------
Key=winachsf
ImagePath=system32\DRIVERS\HSFCXTS2.sys - this reference has been left in place
----------
Key=WmiApSrv
ImagePath=C:\WINDOWS\system32\wbem\wmiapsrv.exe - this reference has been left in place
----------
Key={6080A529-897E-4629-A488-ABA0C29B635E}
ImagePath=system32\drivers\ialmsbw.sys - this reference has been left in place
----------
Key={D31A0762-0CEB-444e-ACFF-B049A1F6FE91}
ImagePath=system32\drivers\ialmkchw.sys - this reference has been left in place
----------

**************************************************
10:18:20 PM: Scanning -----VXD ENTRIES-----
Checking VMM32 VxD files being loaded

Ivy · « **Reply #68 on:** October 15, 2007, 11:09:37 AM »

10:18:20 PM: Scanning ----- WINLOGON\NOTIFY DLLS -----
Checking DLLs called from the Winlogon\Notify key:
Key=crypt32chain
DLLName=crypt32.dll - this reference has been left in place
----------
Key=cryptnet
DLLName=cryptnet.dll - this reference has been left in place
----------
Key=cscdll
DLLName=cscdll.dll - this reference has been left in place
----------
Key=igfxcui
DLLName=igfxsrvc.dll - this reference has been left in place
----------
Key=ScCertProp
DLLName=wlnotify.dll - this reference has been left in place
----------
Key=Schedule
DLLName=wlnotify.dll - this reference has been left in place
----------
Key=sclgntfy
DLLName=sclgntfy.dll - this reference has been left in place
----------
Key=SensLogn
DLLName=WlNotify.dll - this reference has been left in place
----------
Key=termsrv
DLLName=wlnotify.dll - this reference has been left in place
----------
Key=wlballoon
DLLName=wlnotify.dll - this reference has been left in place
----------

**************************************************
10:18:21 PM: Scanning ----- CONTEXTMENUHANDLERS -----
Key = Offline Files
CLSID = {750fdf0e-2a26-11d1-a3ea-080036587f03}
%SystemRoot%\System32\cscui.dll - this ContextMenuHandler has been left in place
----------
Key = Open With
CLSID = {09799AFB-AD67-11d1-ABCD-00C04FC30936}
%SystemRoot%\system32\SHELL32.dll - this ContextMenuHandler has been left in place
----------
Key = Open With EncryptionMenu
CLSID = {A470F8CF-A1E8-4f65-8335-227475AA5C46}
%SystemRoot%\system32\SHELL32.dll - this ContextMenuHandler has been left in place
----------
Key = SPTContMenu
CLSID = {BD88A479-9623-4897-8546-BC62B9628F44}
C:\Program Files\Spyware Terminator\sptcontmenu.dll - this ContextMenuHandler has been left in place
----------
Key = Trojan Remover
CLSID = {52B87208-9CCF-42C9-B88E-069281105805}
C:\PROGRA~1\TROJAN~1\Trshlex.dll - this ContextMenuHandler has been left in place
----------
Key = {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
%SystemRoot%\system32\SHELL32.dll - this ContextMenuHandler has been left in place
----------

Ivy · « **Reply #69 on:** October 15, 2007, 11:11:24 AM »

Key = Trojan Remover
CLSID = {52B87208-9CCF-42C9-B88E-069281105805}
C:\PROGRA~1\TROJAN~1\Trshlex.dll - this ContextMenuHandler has been left in place
----------
Key = {a2a9545d-a0c2-42b4-9708-a0b2badd77c8}
%SystemRoot%\system32\SHELL32.dll - this ContextMenuHandler has been left in place
----------

**************************************************
10:18:21 PM: Scanning ----- FOLDER\COLUMNHANDLERS -----
Key = {0D2E74C4-3C34-11d2-A27E-00C04FC30871}
%SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place
----------
Key = {24F14F01-7B1C-11d1-838f-0000F80461CF}
%SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place
----------
Key = {24F14F02-7B1C-11d1-838f-0000F80461CF}
%SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place
----------
Key = {66742402-F9B9-11D1-A202-0000F81FEDEE}
%SystemRoot%\system32\SHELL32.dll - this Folder\ColumnHandler has been left in place
----------

**************************************************
10:18:21 PM: Scanning ----- BROWSER HELPER OBJECTS -----
Key = {02478D38-C3F9-4EFB-9B51-7695ECA05670}
C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll - this Browser Helper Object has been left in place
----------
Key = {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx - this Browser Helper Object has been left in place
----------
Key = {1CB20BF0-BBAE-40A7-93F4-6435FF3D0411}
C:\PROGRA~1\Crawler\Toolbar\ctbr.dll - this Browser Helper Object has been left in place
----------
Key = {53707962-6F74-2D53-2644-206D7942484F}
C:\PROGRA~1\SPYBOT~1\SDHelper.dll - this Browser Helper Object has been left in place
----------

**************************************************
10:18:22 PM: Scanning ----- SHELLSERVICEOBJECTS -----
Key = PostBootReminder
CLSID = {7849596a-48ea-486e-8937-a2a3009f31a9}
%SystemRoot%\system32\SHELL32.dll - this ShellServiceObject has been left in place
----------
Key = CDBurn
CLSID = {fbeb8a05-beee-4442-804e-409d6c4515e9}
%SystemRoot%\system32\SHELL32.dll - this ShellServiceObject has been left in place
----------
Key = WebCheck
CLSID = {E6FB5E20-DE35-11CF-9C87-00AA005127ED}
%SystemRoot%\system32\webcheck.dll - this ShellServiceObject has been left in place
----------
Key = SysTray
CLSID = {35CEC8A3-2BE6-11D2-8773-92E220524153}
C:\WINDOWS\system32\stobject.dll - this ShellServiceObject has been left in place
----------

**************************************************
10:18:22 PM: Scanning ----- SHAREDTASKSCHEDULER ENTRIES -----
Value = {438755C2-A8BA-11D1-B96B-00A0C90312E1}
Comment = Browseui preloader
File: %SystemRoot%\system32\browseui.dll - this SharedTaskScheduler entry has been left in place
----------
Value = {8C7461EF-2B13-11d2-BE35-3078302C2030}
Comment = Component Categories cache daemon
File: %SystemRoot%\system32\browseui.dll - this SharedTaskScheduler entry has been left in place
----------

Ivy · « **Reply #70 on:** October 15, 2007, 11:12:27 AM »

**************************************************
10:18:22 PM: Scanning ----- IMAGEFILE DEBUGGERS -----
No "Debugger" entries found.

**************************************************
10:18:22 PM: Scanning ----- APPINIT_DLLS -----
The AppInit_DLLs value is blank

**************************************************
10:18:22 PM: Scanning ----- SECURITY PROVIDER DLLS -----
msapsspc.dll - this entry has been left in place
----------
schannel.dll - this entry has been left in place
----------
digest.dll - this entry has been left in place
----------
msnsspc.dll - this entry has been left in place
----------

**************************************************
10:18:23 PM: Scanning ------ USER STARTUP GROUPS ------
Checking Startup Group for All Users
[C:\WINDOWS\Profiles\All Users\Start Menu\Programs\StartUp]
No Startup files for All Users were located to check

**************************************************
10:18:23 PM: Scanning ------ COMMON STARTUP GROUP ------
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
The Common Startup Group attempts to load the following file(s) at boot time:
desktop.ini - this file has been left in place
--------------------

**************************************************
10:18:23 PM: Scanning ------ USER STARTUP GROUPS ------
--------------------
Checking Startup Group for Administrator
[C:\Documents and Settings\Administrator\START MENU\PROGRAMS\STARTUP]
The Startup Group for Administrator attempts to load the following file(s):
desktop.ini - this file has been left in place

**************************************************
10:18:23 PM: Scanning ----- SCHEDULED TASKS -----
No Scheduled Tasks found to scan

**************************************************
10:18:23 PM: ----- ADDITIONAL CHECKS -----
PE386 rootkit checks completed
----------
Winlogon registry rootkit checks completed
----------
Heuristic checks for hidden files/drivers completed
----------

**************************************************
10:18:23 PM: Scanning ------ DOWNLOADED PROGRAM FILES ------
The following files are located in the DOWNLOADED PROGRAM FILES directory:
C:\WINDOWS\Downloaded Program Files\desktop.ini - this file has been left in place
C:\WINDOWS\Downloaded Program Files\ewidoOnlineScan.dll - this file has been left in place
C:\WINDOWS\Downloaded Program Files\kavwebscan.inf - this file has been left in place

**************************************************
10:18:24 PM: Scanning ----- RUNNING PROCESSES -----
[Only loaded modules not scanned already
during this scan will be scanned here]

C:\WINDOWS\System32\smss.exe
[1 loaded module]
--------------------
C:\WINDOWS\system32\csrss.exe
[10 loaded modules in total]
--------------------
C:\WINDOWS\system32\winlogon.exe
[67 loaded modules in total]
--------------------
C:\WINDOWS\system32\services.exe
[22 loaded modules in total]
--------------------
C:\WINDOWS\system32\lsass.exe
[60 loaded modules in total]
--------------------
C:\WINDOWS\system32\svchost.exe
[41 loaded modules in total]
--------------------
C:\WINDOWS\system32\svchost.exe
[42 loaded modules in total]
--------------------
C:\WINDOWS\System32\svchost.exe
[122 loaded modules in total]
--------------------
C:\WINDOWS\system32\svchost.exe
[33 loaded modules in total]
--------------------
C:\WINDOWS\system32\svchost.exe
[48 loaded modules in total]
--------------------
C:\WINDOWS\Explorer.EXE
[110 loaded modules in total]
--------------------
C:\WINDOWS\system32\spoolsv.exe
[42 loaded modules in total]
--------------------
C:\WINDOWS\system32\igfxtray.exe
[25 loaded modules in total]
--------------------
C:\WINDOWS\system32\hkcmd.exe
[25 loaded modules in total]
--------------------
C:\WINDOWS\system32\RunDll32.exe
[34 loaded modules in total]
--------------------
C:\Program Files\Winamp\winampa.exe
[16 loaded modules in total]
--------------------
C:\Program Files\Trend Micro\OfficeScan Client\pccntmon.exe
[34 loaded modules in total]
--------------------
C:\PROGRA~1\SPYWAR~1\SpywareTerminatorShield.exe
[27 loaded modules in total]
--------------------
C:\Program Files\a-squared Anti-Malware\a2guard.exe
[33 loaded modules in total]
--------------------
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[27 loaded modules in total]
--------------------
C:\Program Files\a-squared Anti-Malware\a2service.exe
[27 loaded modules in total]
--------------------
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
[18 loaded modules in total]
--------------------
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
[33 loaded modules in total]
--------------------
C:\PROGRA~1\SPYWAR~1\sp_rsser.exe
[22 loaded modules in total]
--------------------
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
[83 loaded modules in total]
--------------------
C:\WINDOWS\system32\wuauclt.exe
[43 loaded modules in total]
--------------------
C:\WINDOWS\TEMP\MW761.EXE
[16 loaded modules in total]
--------------------
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
[23 loaded modules in total]
--------------------
C:\Program Files\Sify Broadband\BBClient.exe
[67 loaded modules in total]
--------------------
C:\Program Files\Internet Explorer\iexplore.exe
[147 loaded modules in total]
--------------------
C:\Program Files\Sify Broadband\BBImpSec.exe
[50 loaded modules in total]
--------------------
C:\PROGRA~1\Crawler\Toolbar\CToolbar.exe
[50 loaded modules in total]
--------------------
C:\WINDOWS\system32\ctfmon.exe
[13 loaded modules in total]
--------------------
C:\WINDOWS\system32\svchost.exe
[28 loaded modules in total]
--------------------
C:\Documents and Settings\Administrator\Application Data\Simply Super Software\Trojan Remover\uchA.exe
FileSize: 2,363,968
[This is a Trojan Remover component]
[22 loaded modules in total]
--------------------

**************************************************
10:18:53 PM: Checking AUTOEXEC.BAT file
AUTOEXEC.BAT found in C:\
No malicious entries were found in the AUTOEXEC.BAT file

**************************************************
10:18:53 PM: Checking AUTOEXEC.NT file
AUTOEXEC.NT found in C:\WINDOWS\system32
No malicious entries were found in the AUTOEXEC.NT file

**************************************************
10:18:53 PM: Checking HOSTS file
No malicious entries were found in the HOSTS file

Ivy · « **Reply #71 on:** October 15, 2007, 11:15:35 AM »

**************************************************
------ INTERNET EXPLORER HOME/START/SEARCH SETTINGS ------
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Local Page":
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Search Page":
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Default_Page_URL":
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\"Default_Search_URL":
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\"CustomizeSearch":
http://dnl.crawler.com/support/sa_customize.aspx?TbId=60327
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\"SearchAssistant":
http://www.crawler.com/search/ie.aspx?tb_id=60327
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Start Page":
http://www.sify.com/
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Local Page":
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\"Search Page":
http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch

**************************************************
=== CHANGES WERE MADE TO THE WINDOWS REGISTRY ===
Scan completed at: 10/15/2007 10:18:53 PM
**********************************************************

This log was soooooooooooooooo big, im extremely tired now, if the above log is not important , let me know Broni , i will delete it if necessary , im really tired , it says i have to restart my computer , some changes have been made (some programs were deleted)
Hopefully this works.

Broni · « **Reply #72 on:** October 15, 2007, 11:29:06 AM »

I can see, you are tired...LOL
Go ahead, restart, and see what it's gonna say after restart...

Ivy · « **Reply #73 on:** October 15, 2007, 12:06:52 PM »

Broni , When i ran that trojan remover thing , it asked me to remove some programs , after the restart , i tried to login , but Internet Explorer wouldnt open , it was gone!!!!!!!
I tried to install it through the motherboard , didnt work!
Then i started my comp in safe mode and i selected The last good configuration that worked option.
Then i got back my internet .
You have no idea how tired im now.
Thanks so much for your help Broni , I have got no trojan warning from Trend Micro since i downloaded a-square , though it says that Trojan downloader is trying to execute somthing , i deny it.
Trojan remover shows my computer is clean now.
What next .

One more thing , now when i start my computer , will it automatically start normally? , i think it will.

Broni · « **Reply #74 on:** October 15, 2007, 12:19:27 PM »

Quote

You have no idea how tired im now.

You think, I'm NOT tired?.....LOL....just kidding.

Quote

though it says that Trojan downloader is trying to execute somthing , i deny it.

Open a-squared, look under Quarantine, and see, if there are any entries there. If so, get rid of them.

Quote

Trojan remover shows my computer is clean now.

I hope, it'll stay that way.

Quote

What next .

Not much. Just keep using your computer, and see if it works OK. Make sure, you have "a-squared" in your startup.

Quote

One more thing , now when i start my computer , will it automatically start normally?

It should.

Good luck

Ivy · « **Reply #75 on:** October 15, 2007, 12:35:30 PM »

Quote from: Broni on October 15, 2007, 12:19:27 PM

Quote
You have no idea how tired im now.
You think, I'm NOT tired?.....LOL....just kidding.

No you are not kidding , im sure you must be tired.

Quote from: Broni on October 15, 2007, 12:19:27 PM

Quote
though it says that Trojan downloader is trying to execute somthing , i deny it.
Open a-squared, look under Quarantine, and see, if there are any entries there. If so, get rid of them.

I did that , no files there.

Quote from: Broni on October 15, 2007, 12:19:27 PM

Quote
Trojan remover shows my computer is clean now.
I hope, it'll stay that way.

Me too., since i havent recieved any trojans since i downloaded a-square , i think my comp is ok for now.

Quote from: Broni on October 15, 2007, 12:19:27 PM

Good luck

Thanks a lot for your help , first time ever my Virus problem has been almost solved, thanks a lot really , Im amazed you never gave up on my biiiiiig problem , thanks soooooooooooooooooooooo much.

Broni · « **Reply #76 on:** October 15, 2007, 12:45:05 PM »

Hey, you are welcome

My pleasure

Computer Hope Forum

News:

Author Topic: Big Problem!!!!! (Read 42864 times)

Ivy

Ivy

Broni

Broni

Ivy

Broni

Ivy

Broni

Ivy

Broni

Ivy

Broni

Ivy

Ivy

Broni

Ivy

Ivy

Broni

Ivy

Broni

Ivy

Broni

Ivy

Ivy

Broni

Ivy

Ivy

Broni

Ivy

Broni

Ivy

Ivy

Broni

Ivy

Broni

Ivy

Ivy

Broni

Ivy

Ivy

Broni

Broni

Ivy

Broni

Ivy

Broni

Ivy

Broni

Ivy

Ivy

Broni

Ivy

Broni

Ivy

Ivy

Broni

Ivy

Broni

Ivy

Ivy

Broni

Ivy

Ivy

Ivy

Ivy

Broni

Ivy

Ivy

Ivy

Ivy

Ivy

Ivy

Broni

Ivy