# bunch of problems, weird processes, 'msdrv.exe', 'kavss.exe'



## tallywack (Mar 2, 2007)

Whenever I'm not connected to the Internet my CPU uses 100% resources, but if I'm connected to the Internet it's running a bit slow but tolerable. There are also weird processes working in the background such as 'msdrv.exe' and 'kavss.exe', and there is also 'iexplore.exe' but the username it's using is "System". I believe my computer is also infected with a trojan named 'InfoStealer'. Please help me. I don't want to lose my files.

This is a copy of my hijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:16:41 AM, on 3/3/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\$NtUninstallKB0468735$\kavss.exe
C:\WINDOWS\System32\taskmgr.exe
C:\WINDOWS\msdrv.exe
C:\WINDOWS\msdrv.exe
C:\Program Files\Yahoo!\Messenger\YPager.exe
C:\Program Files\Hijackthis\HijackThis.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL (file missing)
O2 - BHO: (no name) - {2A866989-3A32-94B1-37FD-00BF8C9398D0} - C:\WINDOWS\System32\guludzm.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: MSNM System - {A646CE7E-951E-44d1-B93C-F7136DA41E58} - C:\WINDOWS\ielocales.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{307CF~1\Bar888.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{307CF~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/bridge-c18.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) - 
O20 - Winlogon Notify: rpcc - C:\WINDOWS\System32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: DCOM Server 37389 - {2C1CD3D7-86AC-4068-93BC-A02304B37389} - C:\WINDOWS\System32\gppm.dll
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - C:\WINDOWS\System32\wfpxlqa.dll
O21 - SSODL: MkpodtBtg - {907CFB1E-3AD6-51B4-3210-3A9C91D48061} - C:\WINDOWS\System32\tv.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000271 (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


----------
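HijackThis lists every hook it knows about and leaves the judgement to the reader, and the log above is a good illustration of what a helper scans for first. The following Python script is an added example written for this page; it is not part of the thread and not a HijackThis or SDFix component. It parses the O-lines and the running-process list and flags entries by a small set of heuristics that are the reviewer's own assumptions, not HijackThis logic: an orphaned "(file missing)" or "(no file)" reference, a loader in a Temp, $NtUninstall or All Users\Documents folder, an extra UserInit value, a Winlogon Notify DLL outside System32, any SSODL object, a service with "Unknown owner", and an executable running from the Windows root that is not on a tiny assumed allowlist. The sample log is assembled from lines of the log posted above.

```python
"""Triage helper for HijackThis v1.99 logs.

Added example for this thread; not part of the original posts and not a
HijackThis or SDFix component.  The rules are the reviewer's heuristics
(an assumption, not HijackThis's own logic).
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
WINDOWS_ROOT_EXE = re.compile(r"^c:\\windows\\([^\\]+\.exe)$")

# Folders a startup component or process should not normally load from (lower-case substrings).
SUSPECT_DIRS = ("\\temp\\", "\\$ntuninstall", "\\all users\\documents\\")
# Programs that legitimately live in the Windows root (assumption: a minimal allowlist).
ROOT_ALLOWLIST = {"explorer.exe", "notepad.exe", "regedit.exe"}


@dataclass
class Entry:
    section: str
    name: str
    clsid: Optional[str]
    path: str
    raw: str


def parse_line(line: str) -> Optional[Entry]:
    """Split 'O2 - BHO: name - {CLSID} - path' into fields; None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    parts = [p.strip() for p in body.split(" - ")]
    path = parts[-1] if len(parts) > 1 else ""  # the path is the last field
    clsid = CLSID_RE.search(body)
    return Entry(section, parts[0], clsid.group(0) if clsid else None, path, line.strip())


def flags_for(entry: Entry) -> List[str]:
    """Reasons (possibly none) why a helper would look at this entry first."""
    reasons = []
    raw_low, path_low = entry.raw.lower(), entry.path.lower()
    if "(file missing)" in raw_low or "(no file)" in raw_low:
        reasons.append("orphaned entry: the referenced file no longer exists")
    if any(d in raw_low for d in SUSPECT_DIRS):
        reasons.append("loads from a temp, uninstall or shared-documents folder")
    if entry.section == "F2" and "userinit=" in raw_low:
        values = [v for v in entry.raw.split("UserInit=", 1)[1].split(",") if v.strip()]
        extras = [v for v in values if not v.lower().endswith("\\userinit.exe")]
        if extras:
            reasons.append("extra UserInit loader: " + ", ".join(extras))
    if entry.section == "O16" and "(" not in entry.raw:
        reasons.append("ActiveX download with no registered control name")
    if entry.section == "O20" and "\\system32\\" not in path_low:
        reasons.append("Winlogon Notify DLL outside System32: verify the vendor")
    if entry.section == "O21":
        reasons.append("shell service object (SSODL): rarely legitimate, verify")
    if entry.section == "O23" and "unknown owner" in raw_low:
        reasons.append("service with no identified vendor")
    return reasons


def process_flags(path: str) -> List[str]:
    """Flags for one line of the 'Running processes:' section."""
    reasons = []
    low = path.lower()
    m = WINDOWS_ROOT_EXE.match(low)
    if m and m.group(1) not in ROOT_ALLOWLIST:
        reasons.append("executable running from the Windows root folder")
    if any(d in low for d in SUSPECT_DIRS):
        reasons.append("process running from a temp, uninstall or shared-documents folder")
    return reasons


def triage(log_text: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every flagged process or entry, in log order."""
    findings = []
    in_processes = False
    for line in log_text.splitlines():
        line = line.strip()
        if line.lower().startswith("running processes:"):
            in_processes = True
            continue
        if not line:
            in_processes = False  # the blank line ends the process list
            continue
        if in_processes:
            reasons = process_flags(line)
        else:
            entry = parse_line(line)
            reasons = flags_for(entry) if entry else []
        if reasons:
            findings.append((line, reasons))
    return findings


# Sample built from lines of the HijackThis log posted in the thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\$NtUninstallKB0468735$\kavss.exe
C:\WINDOWS\msdrv.exe

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\System32\ntos.exe,
O2 - BHO: (no name) - {1D7E3B41-23CE-469B-BE1B-A64B877923E1} - C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/bridge-c18.cab
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
O21 - SSODL: DCOM Server 37389 - {2C1CD3D7-86AC-4068-93BC-A02304B37389} - C:\WINDOWS\System32\gppm.dll
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\System32\svchosts.exe" -e te-110-12-0000271 (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for flagged_line, why in triage(SAMPLE_LOG):
        print(flagged_line)
        for r in why:
            print("    ->", r)
```

A flag is a prompt to verify an entry, not a verdict: SUPERAntiSpyware's own Winlogon Notify DLL under Program Files would trip the O20 rule as well, and the allowlist of Windows-root programs is deliberately tiny so that anything unexpected there is surfaced for a look.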



## MFDnNC (Sep 7, 2004)

Download http://downloads.andymanchesta.com/RemovalTools/SDFix.exe and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
- Restart your computer.
- After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
- Instead of Windows loading as normal, the Advanced Options Menu should appear.
- Select the first option, to run Windows in Safe Mode, then press Enter.
- Choose your usual account.
- Open the extracted SDFix folder and double click RunThis.bat to start the script.
- Type Y to begin the cleanup process.
- It will remove any Trojan Services and Registry Entries that it finds, then prompt you to press any key to Reboot.
- Press any key and it will restart the PC.
- When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
- Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to the Clipboard ready for posting back on the forum).
- Finally, paste the contents of the Report.txt back on the forum with a new HijackThis log.

==============
Download Superantispyware (SAS)

http://www.superantispyware.com/superantispywarefreevspro.html

Install it and double-click the icon on your desktop to run it.
- It will ask if you want to update the program definitions, click Yes.
- Under Configuration and Preferences, click the Preferences button.
- Click the Scanning Control tab.
- Under Scanner Options make sure the following are checked:
  - Close browsers before scanning
  - Scan for tracking cookies
  - Terminate memory threats before quarantining.
  - Please leave the others unchecked.
  - Click the Close button to leave the control center screen.
- On the main screen, under Scan for Harmful Software click Scan your computer.
- On the left check C:\Fixed Drive.
- On the right, under Complete Scan, choose Perform Complete Scan.
- Click Next to start the scan. Please be patient while it scans your computer.
- After the scan is complete a summary box will appear. Click OK.
- Make sure everything in the white box has a check next to it, then click Next.
- It will quarantine what it found and if it asks if you want to reboot, click Yes.
- To retrieve the removal information for me please do the following:
  - After reboot, double-click the SUPERAntiSpyware icon on your desktop.
  - Click Preferences. Click the Statistics/Logs tab.
  - Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  - It will open in your default text editor (such as Notepad/Wordpad).
  - Please highlight everything in the notepad, then right-click and choose copy.
- Click close and close again to exit the program.
- Please paste that information here for me *with a new HijackThis log*.


----------



## tallywack (Mar 2, 2007)

Hi MFDnNC,

Unfortunately I wasn't able to do the first instruction. Is there another way to get around the first step? It's just that my computer doesn't allow me to do anything if I'm not connected to the Internet. All I can do in safe mode is go to Task Manager by hitting Ctrl+Alt+Del. Anyway, I just proceeded to the next instruction, which is to scan my computer using SuperAntiSpyware.

Here's the log of SuperAntiSpyware:

SUPERAntiSpyware Scan Log
Generated 03/04/2007 at 05:00 AM

Application Version : 3.5.1016

Core Rules Database Version : 3193
Trace Rules Database Version: 1203

Scan type : Complete Scan
Total Scan Time : 00:51:49

Memory items scanned : 266
Memory threats detected : 1
Registry items scanned : 6088
Registry threats detected : 39
File items scanned : 53739
File threats detected : 21

Trojan.Downloader-WS2F
C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\SETTINGS\WINSYS2F.DLL
C:\DOCUMENTS AND SETTINGS\ALL USERS\DOCUMENTS\SETTINGS\WINSYS2F.DLL
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\winsys2freg
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\winsys2freg
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\winsys2freg#DllName
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\winsys2freg#Startup
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\winsys2freg#Impersonate
HKLM\Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\winsys2freg#Asynchronous

Trojan.Search Variant
HKLM\Software\Classes\CLSID\{1D7E3B41-23CE-469B-BE1B-A64B877923E1}
HKCR\CLSID\{1D7E3B41-23CE-469B-BE1B-A64B877923E1}
HKCR\CLSID\{1D7E3B41-23CE-469B-BE1B-A64B877923E1}
HKCR\CLSID\{1D7E3B41-23CE-469B-BE1B-A64B877923E1}\InprocServer32
HKCR\CLSID\{1D7E3B41-23CE-469B-BE1B-A64B877923E1}\InprocServer32#ThreadingModel
HKCR\CLSID\{1D7E3B41-23CE-469B-BE1B-A64B877923E1}\ProgID
HKCR\CLSID\{1D7E3B41-23CE-469B-BE1B-A64B877923E1}\Programmable
HKCR\CLSID\{1D7E3B41-23CE-469B-BE1B-A64B877923E1}\TypeLib
HKCR\CLSID\{1D7E3B41-23CE-469B-BE1B-A64B877923E1}\VersionIndependentProgID
C:\PROGRA~1\SEARCH~1\SEARCH~1.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Brians\Cookies\[email protected][1].txt
C:\Documents and Settings\Brians\Cookies\[email protected][1].txt
C:\Documents and Settings\Brians\Cookies\[email protected][3].txt
C:\Documents and Settings\Brians\Cookies\[email protected][1].txt
C:\Documents and Settings\Brians\Cookies\[email protected][2].txt
C:\Documents and Settings\Brians\Cookies\[email protected][1].txt
C:\Documents and Settings\Brians\Cookies\[email protected][1].txt
C:\Documents and Settings\Brians\Cookies\[email protected][2].txt
C:\Documents and Settings\Brians\Cookies\[email protected][1].txt
C:\Documents and Settings\Brians\Cookies\[email protected][2].txt
C:\Documents and Settings\Brians\Cookies\[email protected][2].txt
C:\Documents and Settings\Brians\Cookies\[email protected][1].txt

Trojan.DCOM Server
HKCR\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B37389}
HKCR\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B37389}\InProcServer32
HKCR\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B37389}\InProcServer32#ThreadingModel

Adware.Toolbar888
HKCR\CLSID\{C1B4DEC2-2623-438E-9CA2-C9043AB28508}
HKCR\CLSID\{C1B4DEC2-2623-438E-9CA2-C9043AB28508}\InprocServer32
HKCR\CLSID\{C1B4DEC2-2623-438E-9CA2-C9043AB28508}\InprocServer32#ThreadingModel
HKCR\CLSID\{C1B4DEC2-2623-438E-9CA2-C9043AB28508}\ProgID
HKCR\CLSID\{C1B4DEC2-2623-438E-9CA2-C9043AB28508}\Programmable
HKCR\CLSID\{C1B4DEC2-2623-438E-9CA2-C9043AB28508}\TypeLib
HKCR\CLSID\{C1B4DEC2-2623-438E-9CA2-C9043AB28508}\VersionIndependentProgID
HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}
HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}\1.0
HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}\1.0\0
HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}\1.0\0\win32
HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}\1.0\FLAGS
HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}\1.0\HELPDIR
HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}
HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}\ProxyStubClsid
HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}\ProxyStubClsid32
HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}\TypeLib
HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}\TypeLib#Version

Unclassified.Unknown Origin
HKCR\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B60787}
HKCR\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B60787}\InProcServer32
HKCR\CLSID\{2C1CD3D7-86AC-4068-93BC-A02304B60787}\InProcServer32#ThreadingModel

Trojan.Rustock/LZX32
C:\WINDOWS\system32:lzx32.sys

Trojan.Downloader-H91
C:\DOCUMENTS AND SETTINGS\BRIANS\LOCAL SETTINGS\TEMP\H91746.EXE
C:\DOCUMENTS AND SETTINGS\CUTIE_MARF\LOCAL SETTINGS\TEMP\H91746.EXE
C:\DOCUMENTS AND SETTINGS\GUEST\LOCAL SETTINGS\TEMP\H91746.EXE

Trojan.Downloader-Gen/A
C:\DOCUMENTS AND SETTINGS\CUTIE_MARF\LOCAL SETTINGS\TEMP\A.EXE

Trojan.Downloader-Gen/Installer
C:\DOCUMENTS AND SETTINGS\CUTIE_MARF\LOCAL SETTINGS\TEMP\B122.EXE

Trojan.Freeprod
C:\DOCUMENTS AND SETTINGS\CUTIE_MARF\LOCAL SETTINGS\TEMP\V4X6.GAM5E

-------------------------------------------------------------------------------------------------------

And here is a copy of the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:08:08 AM, on 3/4/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\71578.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/ClickYesToContinue/ie/bridge-c18.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) - 
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O21 - SSODL: DCOM Server 37389 - {2C1CD3D7-86AC-4068-93BC-A02304B37389} - (no file)
O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - (no file)
O21 - SSODL: MkpodtBtg - {907CFB1E-3AD6-51B4-3210-3A9C91D48061} - C:\WINDOWS\System32\tv.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


----------



## MFDnNC (Sep 7, 2004)

Fix these with HijackThis: mark them, close IE, click Fix checked

O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/Cl...bridge-c18.cab

O21 - SSODL: DCOM Server 37389 - {2C1CD3D7-86AC-4068-93BC-A02304B37389} - (no file)

O21 - SSODL: DCOM Server 60787 - {2C1CD3D7-86AC-4068-93BC-A02304B60787} - (no file)

O21 - SSODL: MkpodtBtg - {907CFB1E-3AD6-51B4-3210-3A9C91D48061} - C:\WINDOWS\System32\tv.dll (file missing)

START  RUN  type in %temp% - OK - Edit  Select all  File  Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot and post a new hijack log from normal NOT safe mode

*Please give feedback on what worked/didn't work and the current status of your system*


----------



## tallywack (Mar 2, 2007)

Hi MFDnNC,

After scanning the system with SuperAntiSpyware I was able to complete Step #1.

Here is a copy of the log created by SDFix:

SDFix: Version 1.69

Run by Brians - Sun 03/04/2007 @ 5:54:39.76

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix\SDFix

Safe Mode:
Checking Services:

Name:
Client IP-IPX
EXAMPLE
EXAMPLE

Path:
\??\C:\WINDOWS\System32\main.sys

EXAMPLE Deleted

Restoring Windows Registry Entries
Restoring Default Hosts File

Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\system32\wsnpoem\audio.dll - Deleted
C:\WINDOWS\system32\wsnpoem\video.dll - Deleted
C:\Documents and Settings\cutie_marf\Local Settings\Temp\2.dllb - Deleted
C:\Documents and Settings\cutie_marf\Local Settings\Temp\5.dllb - Deleted
C:\Documents and Settings\cutie_marf\Local Settings\Temp\6.dllb - Deleted
C:\Documents and Settings\cutie_marf\Local Settings\Temp\7.dllb - Deleted
C:\Documents and Settings\cutie_marf\Local Settings\Temp\2.dllb - Deleted
C:\Documents and Settings\cutie_marf\Local Settings\Temp\5.dllb - Deleted
C:\Documents and Settings\cutie_marf\Local Settings\Temp\6.dllb - Deleted
C:\Documents and Settings\cutie_marf\Local Settings\Temp\7.dllb - Deleted
C:\as.txt - Deleted
C:\WINDOWS\Pacuks - Deleted
C:\WINDOWS\search_res.txt - Deleted
C:\WINDOWS\system32\main.sys - Deleted
C:\WINDOWS\Temp\win*.tmp - Deleted
C:\DOCUME~1\Brians\LOCALS~1\Temp\tmp*.tmp - Deleted

Could Not Remove C:\WINDOWS\system32\wsys.dll

Folder C:\DOCUME~1\Brians\LOCALS~1\Temp\ICD1.tmp - Removed
Folder C:\WINDOWS\system32\wsnpoem - Removed

ADS Check:

C:\WINDOWS\system32
No streams found.

Final Check:

Remaining Services:
------------------

*Rootkit PE386 maybe active, Use a Rootkit scanner!*

Remaining Files:
---------------
C:\WINDOWS\system32\wsys.dll Found

Backups Folder: - C:\SDFix\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes :

C:\Documents and Settings\Brians\Local Settings\Temp\Avalanche.exe
C:\Documents and Settings\Brians\Local Settings\Temp\Batman's PW Changer.exe
C:\Documents and Settings\Brians\Local Settings\Temp\Cam Bomb.exe
C:\Documents and Settings\Brians\Local Settings\Temp\ID Checker2.exe
C:\Documents and Settings\Brians\Local Settings\Temp\TCracker.exe
C:\Documents and Settings\Brians\Local Settings\Temp\Terminal Scan.exe
C:\Documents and Settings\Brians\Local Settings\Temp\$b17a2e8.tmp
C:\Documents and Settings\cutie_marf\Local Settings\Temp\$b17a2e8.tmp
C:\WINDOWS\LastGood.Tmp\INF\oem7.inf
C:\WINDOWS\LastGood.Tmp\INF\oem7.PNF
C:\WINDOWS\system32\msdrives\BIT200.tmp
C:\WINDOWS\Temp\winAB00.tmp

Add/Remove Programs List:

Adobe Photoshop 7.0
Adobe Shockwave Player
Advanced Tools
ASUS Probe V2.21.03
AVG Anti-Spyware 7.5
HijackThis 1.99.1
Hijackthis 1.99.1
Canon Camera Support Core Library
Java Web Start
Advanced Networking Pack for Windows XP
Microsoft Data Access Components KB870669
LimeWire 4.10.9
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
mIRC
Mozilla Firefox (1.0.4)
Nero OEM
Nero Suite
Nimo Codecs Pack v5.0 (Remove Only)
NVIDIA Display Driver
Outlook Express Q823353
Panda ActiveScan
QuickTime
Ran Online 2.12.0.0
Sacred
Adobe Flash Player 9 ActiveX
SiS 900 PCI Fast Ethernet Adapter Driver
SmartMovie Converter (Series 60)
Spybot - Search & Destroy 1.2
Sun Java System Application Server Platform Edition
Norton AntiVirus 2004 Professional (Symantec Corporation)
TaceRanEp3 Auto Patch
Microsoft Web Publishing Wizard 1.53
Windows Genuine Advantage Validation Tool
Winamp (remove only)
Windows XP Service Pack 1
WinRAR archiver
WinZip
Yahoo! Messenger
Macromedia Dreamweaver MX 2004
Norton WMI Update
AutoUpdate
Google Toolbar for Internet Explorer
Macromedia Flash MX 2004
J2SE Runtime Environment 5.0 Update 6
Java 2 SDK, SE v1.4.2_11
Nero 7 Ultra Edition
Platform4 Player ActiveX Control
PowerDVD
Java 2 Runtime Environment, SE v1.4.2_11
DivX
DivX Player
Microsoft Office XP Professional with FrontPage
Camera Support Core Library
Macromedia Extension Manager
Adobe Reader 6.0
PENTAX USB DISK Device
Norton AntiVirus 2004 Professional
Symantec Network Drivers Update
Microsoft .NET Framework 1.1
SUPERAntiSpyware Free Edition
Norton AntiVirus SYMLT MSI
Symantec Script Blocking Installer
CC_ccStart
ccCommon
SymNet
Macromedia Fireworks MX 2004
Norton AntiVirus Parent MSI
Microsoft Plus! for Windows XP
SoundMAX
MSRedist
HighMAT Extension to Microsoft Windows XP CD Writing Wizard

Finished
----------------------------------------------------------------------------------------------------

Will proceed to the next step you advised. Thanks for the replies.


----------



## MFDnNC (Sep 7, 2004)

Please download: http://www.uploads.ejvindh.net/rustbfix.exe and save it to your desktop.

Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically. After the reboot 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). Post the content of those logs along with a new HijackThis log from normal mode.


----------



## tallywack (Mar 2, 2007)

Hi,

I deleted everything inside C:\WINDOWS\Temp and the folder that came up after typing %root% in Run.
-------------------------------------------------------------------------------------------------------
Here's a copy of pelog.txt:

************************* Rustock.b-fix -- By ejvindh *************************
Sun 03/04/2007 6:41:12.76

******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
No streams found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32

******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32

******************************* End of Logfile ********************************
--------------------------------------------------------------------------------------------------------
Here's a copy of avenger.txt:

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\gcdyvxjg

*******************

Script file located at: \??\C:\hjyhfbki.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.
--------------------------------------------------------------------------------------------------------

Here's a copy of HijackThis's log:

Logfile of HijackThis v1.99.1
Scan saved at 6:49:47 AM, on 3/4/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) - 
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

-------------------------------------------------------------------------------------------------------

Additional notes: I deleted everything from the temp directories before running rustbfix.exe, but after the system rebooted twice I checked these folders again. Inside C:\WINDOWS\Temp is a file named with numbers and another with the name 'wuaclt.exe'. I tried deleting it, but it says it was in use, so I killed the process in Task Manager. Now I don't have anything in those folders. I'm also running two user accounts, one for me and another for my sister. Should I also log on to her account and empty the Temp directories? The way I see it, the file creates itself every time I restart the computer. I also get a prompt from AVG Anti-Spyware that it found malicious software with the name Downloader.small.ego; its location is C:\WINDOWS\Temp\svchost.exe.


----------



## MFDnNC (Sep 7, 2004)

Go to the link below and download the trial version of SpySweeper:

SpySweeper http://www.webroot.com/consumer/products/spysweeper/?acode=af1&rc=855

(It's a 2 week trial.)

* Click the Try Spy Sweeper for Free / Download the trial link. (Download Antivirus if required)
* Install it. During the install it will prompt for updates; these can be gotten now or later.
* Once the program is installed, it will open.
* It will prompt you to update to the latest definitions. If you have not already done so, before proceeding check to ensure that you are up to date (click Home > the bottom middle of the page will tell you).
* Once the definitions are installed, click Options on the left side.
* Click the Options tab on the left hand side.
* Choose Custom Sweep (radio button)
* Choose Change Settings (link)
* Where to Sweep
> Select My Computer
* What to Sweep
> Select all options available (enable Virus scan if available)
* Skip File Types
> Do not skip any file types
* Advanced Options
> Select all options available

* Click Sweep on the left side.
* Click the black arrow next to Start Full Sweep
* Select Start Custom Sweep
* When it's done scanning, copy Items Found into Notepad
* Make sure everything has a check next to it, then click the Next button.
* It will remove all of the items found.
* Click the Summary tab and click Finish.
* Compare the contents of the Notepad to the report
* Place the contents of the Notepad into your next reply, identifying any items not removed.

If Spy Sweeper suggests rebooting and scanning again, repeat the process and copy that information into your next reply as well.

Also post a new Hijack This log.


----------



## tallywack (Mar 2, 2007)

Part 1:

Hi, as requested, here is what Spy Sweeper found (referred to as 'notepad'):

Adware found: searchrelevancy
Adware found: winad
System Monitor found: trojan-busky
Trojan Horse found: trojan-backdoor-adagoe
Trojan Horse found: trojan-ace-x
Trojan Horse found: trojan-backdoor-progdav
System Monitor found: actual spy
Adware found: antivirus pro
Adware found: maxifiles
Adware found: ultimate cleaner
Trojan Horse found: trojan-backdoor-cyn

Here's a list of what happened to them:

Quarantined: System Monitor found: actual spy
Quarantined: Adware found: antivirus pro
Quarantined: Adware found: maxifiles
Quarantined: Adware found: searchrelevancy
Quarantined: Trojan Horse found: trojan-ace-x
Quarantined: Trojan Horse found: trojan-backdoor-adagoe
Quarantined: Trojan Horse found: trojan-backdoor-cyn
Quarantined: Trojan Horse found: trojan-backdoor-progdav
Quarantined: System Monitor found: trojan-busky
Quarantined: Adware found: ultimate cleaner
Quarantined: Adware found: winad

This is a copy of Spy Sweeper's Session Log:

8:56 AM: Removal process completed. Elapsed time 00:00:32
8:55 AM: Quarantining All Traces: antivirus pro
8:55 AM: Quarantining All Traces: searchrelevancy
8:55 AM: Quarantining All Traces: ultimate cleaner
8:55 AM: Quarantining All Traces: maxifiles
8:55 AM: Quarantining All Traces: trojan-ace-x
8:55 AM: Quarantining All Traces: winad
8:55 AM: Quarantining All Traces: trojan-backdoor-cyn
8:55 AM: Quarantining All Traces: actual spy
8:55 AM: Quarantining All Traces: trojan-backdoor-progdav
8:55 AM: Quarantining All Traces: trojan-backdoor-adagoe
8:55 AM: Quarantining All Traces: trojan-busky
8:55 AM: Removal process initiated
8:53 AM: Traces Found: 46
8:53 AM: Custom Sweep has completed. Elapsed time 01:04:01
8:53 AM: C:\WINDOWS\system32\msdrives (2 subtraces) (ID = 2147544846)
8:53 AM: File Sweep Complete, Elapsed Time: 01:01:42
8:53 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\hitbox2.zip]
8:53 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\bfast.zip]
8:53 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\hitbox5.zip]
8:53 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\hitbox4.zip]
8:53 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\hitbox9.zip]
8:53 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\hitbox.zip]
8:53 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\gator.zip]
8:52 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\valueclick3.zip]
8:52 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\hitbox10.zip]
8:51 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\fastclick6.zip]
8:51 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\basementjaxxheadat.zip]
8:51 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\chemicalbrotherscontrol.zip]
8:51 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\chemicalbrothersforever.zip]
8:51 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\chemicalbrothersheyboyheygirl.zip]
8:51 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\chemicalbrothersstarguitar.zip]
8:51 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\christina milian - dip it low.zip]
8:51 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\darkness.zip]
8:51 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\alig.zip]
8:50 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\windows\cache\adobe reader 6.0\enubig\data1.cab]
8:50 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\j-kwon - tipsy.zip]
8:50 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\usher - yeah.zip]
8:50 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\bennybenassisatisfaction.zip]
8:49 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\black eyed peas - let's get it started.zip]
8:49 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\3doors_down_when_im_gone.zip]
8:49 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\50cent.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\50cent21questions.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\50centificant.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\50centpimp.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\aaliyah.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\aaliyah - 4 page letter.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\all_saints_black_coffee.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\anastacia - im outta love.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\anastacia - left outside alone video.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\anastacia - not that kind.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\ashanti_alwaysontime.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\avril lavigne - complicated.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\avril lavigne - sk8er boi.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\avril_lavigne_fuel.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\avril_lavigne_losing_grip.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\avrillavigneimwithyou.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\b2kbumpbumpbump.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\beastieboys_ffyrtp.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\beyoncebabyboy.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\blackeyedpeas.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\bob marley-stir it up.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\boogiepimps.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\britney spears - everytime - new video.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\britney spears - overprotected.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\britney spears - stronger.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\britney_spears_-_oops_i_did_it_again(mj).zip]
8:48 AM:  Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\britneyslave.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\cassidy feat. r. kelly - hotel.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\chingyholidaein.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\chingyonecallaway.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\chingyrightthurr.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\crazyinlove.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\hilaryduff_soyesterday.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\ice_cube_youcandoit.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\kelis - milkshake.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\kelis - trickme.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\usher - burn.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\usher - my way.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\linkinparkpapercut.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\usher - you don't have to call.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\toxic.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\usher - you make me wanna.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\doubleclick6.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\avenueainc9.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\advertisingcom14.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\advertisingcom.zip]
8:48 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\advertisingcom13.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\valueclick2.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\targetnet1.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\hitbox8.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\doubleclick7.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\hitbox7.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\hitbox6.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\fastclick4.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\doubleclick4.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\doubleclick3.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\avenueainc6.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\avenueainc5.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\advertisingcom10.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\advertisingcom9.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\avenueainc10.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\targetnet.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\advertisingcom1.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\advertisingcom2.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\alexarelated.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\avenueainc.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\doubleclick.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\fastclick.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\hitbox1.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\mediaplex.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\valueclick.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\valueclick4.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\sextracker3.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\sextracker2.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\mediaplex3.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\hitslink.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\hitbox14.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\hitbox13.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\hitbox12.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\hitbox11.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\fastclick2.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\doubleclick1.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\avenueainc3.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\advertisingcom6.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\advertisingcom5.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\advertisingcom7.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\advertisingcom8.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\avenueainc4.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\doubleclick2.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\fastclick3.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\sextracker.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\sextracker1.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\valueclick1.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\webtrendslive.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\mediaplex2.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\fastclick8.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\avenueainc1.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\advertisingcom15.zip]
8:47 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\fastclick5.zip]
8:46 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\advertisingcom3.zip]
8:46 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\advertisingcom4.zip]
8:46 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\avenueainc2.zip]
8:46 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\fastclick1.zip]
8:46 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\hitbox3.zip]
8:46 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\mediaplex1.zip]
8:46 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\doubleclick5.zip]
8:46 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\commissionjunction.zip]
8:46 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\avenueainc7.zip]
8:46 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\advertisingcom12.zip]
8:46 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\advertisingcom11.zip]
8:46 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\avenueainc8.zip]
8:46 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\all users\application data\spybot - search destroy\recovery\fastclick7.zip]
8:46 AM: Warning: SweepDirectories: Cannot find directory "d:". This directory was not added to the list of paths to be scanned.
8:45 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\brians\application data\superantispyware.com\superantispyware\quarantine\quarantine - 03-04-2007 - 05-35-57.sbu]
8:41 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Corrupted] on [c:\documents and settings\cutie_marf\local settings\temporary internet files\content.ie5\fevqnza4\install_messenger[1].exe]
8:34 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Corrupted] on [c:\documents and settings\cutie_marf\local settings\temporary internet files\content.ie5\fevqnza4\friendster[2]]
8:25 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\brians\desktop\blank_paki_ingles_po.xls]
8:16 AM: C:\Documents and Settings\Guest\Local Settings\Temp\17742\acexe.exe (ID = 479725)
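
Reading a session log like the one above by hand is tedious: most of it is "File Encrypted" warnings about zip archives the engine could not open, which are scanning blind spots rather than detections. The Python below is an added example (not Spy Sweeper's code and not from the thread) that parses lines in this log's format, separates trace detections from unscanned-file warnings, groups detections by trace ID so a repeatedly dropped file shows up as one threat, and applies its own simple location heuristics (Temp directories, files directly under C:\WINDOWS). The sample lines are copied from the log in this post.

```python
"""Triage a Spy Sweeper session log in the format pasted above (added example, not
Spy Sweeper's code): split real trace detections from the scanner's noise."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: representative lines copied from the session log in this thread.
SAMPLE_LOG = r"""8:53 AM: C:\WINDOWS\system32\msdrives (2 subtraces) (ID = 2147544846)
8:53 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\brian\phonestuff\musicvids\darkness.zip]
8:46 AM: Warning: SweepDirectories: Cannot find directory "d:". This directory was not added to the list of paths to be scanned.
8:41 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Corrupted] on [c:\documents and settings\cutie_marf\local settings\temporary internet files\content.ie5\fevqnza4\install_messenger[1].exe]
8:16 AM: C:\Documents and Settings\Guest\Local Settings\Temp\17742\acexe.exe (ID = 479725)
8:14 AM: C:\Documents and Settings\Guest\Local Settings\Temp\mssrv.EXE (ID = 479722)
8:03 AM: C:\WINDOWS\Temp\winAB00.tmp (ID = 514)
8:03 AM: Found Trojan Horse: trojan-backdoor-cyn
8:00 AM: C:\Documents and Settings\Guest\Local Settings\Temp\22044\acexe.exe (ID = 479725)
7:53 AM: C:\WINDOWS\msdrvctrl.exe (ID = 483108)
7:51 AM: HKU\S-1-5-21-2025429265-2049760794-725345543-1003\software\microsoft\windows\currentversion\explorer\ || {f710fa10-2031-3106-8872-93a2b5c5c620} (ID = 1858203)
"""

LINE_RE = re.compile(r"^(\d{1,2}:\d{2} [AP]M):\s+(.*)$")
TRACE_RE = re.compile(r"^(?P<path>.+?)(?: \((?P<sub>\d+) subtraces\))? \(ID = (?P<id>\d+)\)$")
FOUND_RE = re.compile(r"^Found (?P<kind>.+?): (?P<name>.+)$")
AV_RE = re.compile(r"^Warning: AntiVirus engine for IdentifyFileObject\.ProcessAVResult returned \[(?P<result>[^\]]+)\] on \[(?P<path>.+)\]$")


def flag_path(path: str) -> list:
    """Location heuristics of this example (not Spy Sweeper's): Temp drops and files
    sitting directly under the OS directory deserve a second look."""
    low = path.lower()
    flags = []
    if "\\temp\\" in low or "\\temporary internet files\\" in low:
        flags.append("temp-dir")
    if low.rsplit("\\", 1)[0] in (r"c:\windows", r"c:\winnt"):
        flags.append("windows-root")
    return flags


@dataclass
class Trace:
    path: str
    trace_id: int
    subtraces: int = 0

    @property
    def is_registry(self) -> bool:
        return self.path.upper().startswith(("HKU\\", "HKLM\\", "HKCU\\", "HKCR\\"))


@dataclass
class Triage:
    traces: list = field(default_factory=list)   # Trace objects, one per detection line
    found: list = field(default_factory=list)    # (kind, name) of named threats
    unscanned: dict = field(default_factory=lambda: defaultdict(list))  # AV result -> paths
    other_warnings: list = field(default_factory=list)

    def by_id(self) -> dict:
        """Same trace ID at several paths means one threat was dropped repeatedly."""
        groups = defaultdict(list)
        for tr in self.traces:
            groups[tr.trace_id].append(tr)
        return dict(groups)


def parse_session_log(text: str) -> Triage:
    """Classify every timestamped line; anything else (blank, pasted prose) is skipped."""
    t = Triage()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        _when, msg = m.groups()
        if msg.startswith("Warning: "):
            av = AV_RE.match(msg)
            if av:   # a file the engine could not open: a blind spot, not a detection
                t.unscanned[av["result"]].append(av["path"])
            else:
                t.other_warnings.append(msg[len("Warning: "):])
        elif tr := TRACE_RE.match(msg):
            t.traces.append(Trace(tr["path"], int(tr["id"]), int(tr["sub"] or 0)))
        elif fd := FOUND_RE.match(msg):
            t.found.append((fd["kind"], fd["name"]))
    return t


def report(t: Triage) -> str:
    """One-screen summary: detections grouped by ID, then what the engine skipped."""
    lines = [f"{len(t.traces)} trace lines, {len(t.by_id())} distinct trace IDs"]
    for tid, traces in sorted(t.by_id().items()):
        lines.append(f"ID {tid}:")
        for tr in traces:
            tag = "registry" if tr.is_registry else (", ".join(flag_path(tr.path)) or "file")
            lines.append(f"  [{tag}] {tr.path}")
    for kind, name in t.found:
        lines.append(f"Named threat: {kind} / {name}")
    for result, paths in sorted(t.unscanned.items()):
        lines.append(f"Not scanned ({result}): {len(paths)} file(s)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_session_log(SAMPLE_LOG)))
```

Paste a full session log into SAMPLE_LOG (or read it from a file) and the same trace ID reappearing in fresh numbered Temp subfolders is exactly the "recreates itself on every restart" pattern described earlier in the thread.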


----------



## tallywack (Mar 2, 2007)

Part 2:

8:15 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [Access Denied] on [c:\pagefile.sys]
8:15 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\brians\application data\superantispyware.com\superantispyware\quarantine\quarantine - 03-04-2007 - 05-02-37.sbu]
8:14 AM: C:\Documents and Settings\Guest\Local Settings\Temp\mssrv.EXE (ID = 479722)
8:13 AM: C:\Documents and Settings\Guest\Local Settings\Temp\ielocales.dll (ID = 479724)
8:04 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\brians\application data\adobe\acrobat\6.0\messages\enu\read0600win_enuyhoo0014r.pdf]
8:04 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\documents and settings\brians\application data\adobe\acrobat\6.0\messages\enu\read0600win_enuadbe0062r.pdf]
8:03 AM: C:\WINDOWS\Temp\winAB00.tmp (ID = 514)
8:03 AM: Found Trojan Horse: trojan-backdoor-cyn
8:00 AM: C:\Documents and Settings\Guest\Local Settings\Temp\22044\acexe.exe (ID = 479725)
7:59 AM: Warning: AntiVirus engine for IdentifyFileObject.ProcessAVResult returned [File Encrypted] on [c:\program files\adobe\acrobat 6.0\reader\messages\enu\rdrmsgenu.pdf]
7:59 AM: C:\Documents and Settings\Guest\Local Settings\Temp\mslocales.exe (ID = 479723)
7:57 AM: C:\Documents and Settings\Guest\Local Settings\Temp\di.exe (ID = 479178)
7:56 AM: C:\WINDOWS\iedrives.dll (ID = 481680)
7:55 AM: C:\Documents and Settings\Guest\Local Settings\Temp\driverpp.sys (ID = 479182)
7:53 AM: C:\WINDOWS\msdrvctrl.exe (ID = 483108)
7:53 AM: C:\WINDOWS\system32\msdrives\msdrvctrl.exe (ID = 483108)
7:51 AM: Starting File Sweep
7:51 AM: Warning: SweepDirectories: Cannot find directory "a:". This directory was not added to the list of paths to be scanned.
7:51 AM: Cookie Sweep Complete, Elapsed Time: 00:00:00
7:51 AM: Starting Cookie Sweep
7:51 AM: Registry Sweep Complete, Elapsed Time:00:00:39
7:51 AM: HKU\S-1-5-21-2025429265-2049760794-725345543-1003\software\microsoft\windows\currentversion\explorer\ || {f710fa10-2031-3106-8872-93a2b5c5c620} (ID = 1858203)
7:51 AM: HKU\S-1-5-21-2025429265-2049760794-725345543-1003\software\microsoft\windows\currentversion\explorer\ || {6780a29e-6a18-0c70-1dff-1610dde00108} (ID = 1858202)
7:51 AM: HKU\WRSS_Profile_S-1-5-21-2025429265-2049760794-725345543-1008\software\videoextension\ (ID = 2013019)
7:51 AM: HKU\WRSS_Profile_S-1-5-21-2025429265-2049760794-725345543-1008\ieplugin.bitbeamerctrl\ (ID = 1911819)
7:51 AM: HKU\WRSS_Profile_S-1-5-21-2025429265-2049760794-725345543-1008\anadsc.aureatead\ (ID = 1911805)
7:51 AM: Found Adware: ultimate cleaner
7:51 AM: HKU\WRSS_Profile_S-1-5-21-2025429265-2049760794-725345543-1008\software\microsoft\windows\currentversion\explorer\ || {f710fa10-2031-3106-8872-93a2b5c5c620} (ID = 1858203)
7:51 AM: HKU\WRSS_Profile_S-1-5-21-2025429265-2049760794-725345543-1008\software\microsoft\windows\currentversion\explorer\ || {6780a29e-6a18-0c70-1dff-1610dde00108} (ID = 1858202)
7:51 AM: HKU\WRSS_Profile_S-1-5-21-2025429265-2049760794-725345543-1008\software\adwaredisablekey4\ (ID = 1857752)
7:51 AM: HKU\WRSS_Profile_S-1-5-21-2025429265-2049760794-725345543-1008\software\ipwins\ (ID = 1516546)
7:51 AM: Found Adware: maxifiles
7:51 AM: HKU\WRSS_Profile_S-1-5-21-2025429265-2049760794-725345543-1008\software\anti-virus-pro\ (ID = 1336312)
7:51 AM: Found Adware: antivirus pro
7:51 AM: HKU\WRSS_Profile_S-1-5-21-2025429265-2049760794-725345543-1008\software\asmonitor\ (ID = 102607)
7:51 AM: Found System Monitor: actual spy
7:51 AM: HKU\WRSS_Profile_S-1-5-21-2025429265-2049760794-725345543-500\software\microsoft\windows\currentversion\explorer\ || {f710fa10-2031-3106-8872-93a2b5c5c620} (ID = 1858203)
7:51 AM: HKU\WRSS_Profile_S-1-5-21-2025429265-2049760794-725345543-500\software\microsoft\windows\currentversion\explorer\ || {6780a29e-6a18-0c70-1dff-1610dde00108} (ID = 1858202)
7:51 AM: Found Trojan Horse: trojan-backdoor-progdav
7:51 AM: HKU\WRSS_Profile_S-1-5-21-2025429265-2049760794-725345543-501\software\videoextension\ (ID = 2013019)
7:51 AM: HKLM\system\currentcontrolset\services\driverpp\ (ID = 2058916)
7:51 AM: HKLM\system\controlset001\services\driverpp\ || type (ID = 2058886)
7:51 AM: HKLM\system\controlset001\services\driverpp\ (ID = 2058885)
7:51 AM: HKLM\system\controlset001\enum\root\legacy_driverpp\ (ID = 2058873)
7:51 AM: Found Trojan Horse: trojan-ace-x
7:51 AM: HKLM\system\currentcontrolset\services\example\ (ID = 1944174)
7:51 AM: HKLM\system\controlset001\services\example\ (ID = 1944151)
7:51 AM: HKLM\system\controlset001\enum\root\legacy_example\ (ID = 1944139)
7:51 AM: Found Trojan Horse: trojan-backdoor-adagoe
7:51 AM: HKLM\software\adwaredisablekey4\ (ID = 1857760)
7:51 AM: Found System Monitor: trojan-busky
7:51 AM: HKCR\winadservx.installer\ (ID = 147246)
7:51 AM: HKLM\software\microsoft\windows\currentversion\shareddlls\ || c:\windows\downloaded program files\winadservx.dll (ID = 147224)
7:51 AM: HKLM\software\microsoft\windows\currentversion\moduleusage\c:/windows/downloaded program files/winadservx.dll\ (ID = 147195)
7:51 AM: HKLM\software\classes\winadservx.installer\ (ID = 147178)
7:51 AM: Found Adware: winad
7:51 AM: HKCR\updater.bho\ (ID = 141303)
7:51 AM: HKCR\typelib\{65a6bb6d-78d0-4e0a-824d-2de1e0d154af}\ (ID = 141302)
7:51 AM: HKLM\software\classes\updater.bho\ (ID = 141297)
7:51 AM: HKLM\software\classes\typelib\{65a6bb6d-78d0-4e0a-824d-2de1e0d154af}\ (ID = 141295)
7:51 AM: HKLM\software\classes\interface\{300fa067-9b94-45cf-a30b-cb5221eeb0c3}\ (ID = 141293)
7:51 AM: HKCR\interface\{300fa067-9b94-45cf-a30b-cb5221eeb0c3}\ (ID = 141290)
7:51 AM: Found Adware: searchrelevancy
7:51 AM: Starting Registry Sweep
7:51 AM: Memory Sweep Complete, Elapsed Time: 00:01:19
7:49 AM: Starting Memory Sweep
7:49 AM: Start Custom Sweep
7:49 AM: Sweep initiated using definitions version 871
7:47 AM: Your definitions are up to date.
7:46 AM: Your virus definitions have been updated.
7:46 AM: Informational: Loaded AntiVirus Engine: 2.41.0; SDK Version: 4.13; Virus Definitions: 3/3/2007 12:25:22 AM (GMT)
Keylogger: Off
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites: Off
Hosts File Shield: On
Internet Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: Off
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
7:45 AM: Shield States
7:45 AM: Spyware Definitions: 871
7:45 AM: Informational: Loaded AntiVirus Engine: 2.41.0; SDK Version: 4.13; Virus Definitions: 3/3/2007 12:25:22 AM (GMT)
7:44 AM: Spy Sweeper 5.3.1.2346 started
7:44 AM: Spy Sweeper 5.3.1.2346 started
7:44 AM: | Start of Session, Sunday, March 04, 2007 |
***************


----------



## tallywack (Mar 2, 2007)

Here's a copy of HijackThis's Log:

Logfile of HijackThis v1.99.1
Scan saved at 9:03:54 AM, on 3/4/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\70796.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) - 
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


----------



## MFDnNC (Sep 7, 2004)

How are things now?

Turn off restore points, boot, turn them back on. Here's how:

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam


----------



## tallywack (Mar 2, 2007)

Hi, I turned off System Restore and restarted the computer. I didn't go Online first to check if wuauclt.exe will still eat up the resources of my CPU. Unfortunately it's still eating up resources on my computer.

Here's a HiJackThis log during the time that I was not online:

Logfile of HijackThis v1.99.1
Scan saved at 9:36:23 AM, on 3/4/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) - 
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

I noticed that there are two processes with the name of 'wuauclt.exe' one located in Temp and the other located in System32. The process that's eating up the resources is the file located in the Temp directory.

I restarted the computer and this time I logged on the Internet upon booting. There are some changes in HiJackThis's log. Here's a copy of that log file:

Logfile of HijackThis v1.99.1
Scan saved at 9:41:58 AM, on 3/4/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\69343.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) - 
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

The difference that I was able to notice is that there is just one process with the name of 'wuauclt.exe' now, but a new process showed up which is 69343.exe. Note: CPU usage is now back to normal.

What do you think?

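The two observations above (a second wuauclt.exe running from C:\WINDOWS\TEMP alongside the real one in System32, and a numerically named .exe appearing in the same Temp folder) are exactly the kind of thing that can be pulled out of a HijackThis "Running processes" list automatically. The following Python is an added example, not code from this thread or from HijackThis; the table of system binary names and their expected directories is an assumption for the example, and the sample log is a constructed excerpt of the log posted above.

```python
"""Flag suspicious entries in the 'Running processes' section of a HijackThis log.

Added example (not from the thread or from HijackThis). Three checks, all drawn
from what the poster noticed by eye:
  1. an executable running out of a Temp/Tmp directory;
  2. a file whose name matches a Windows system binary but whose directory is
     not the one that binary normally lives in;
  3. the same file name running from more than one directory.
"""
from pathlib import PureWindowsPath

# Assumed table for this example: Windows XP binaries malware commonly mimics,
# mapped to the directory they are legitimately started from (lower-cased).
EXPECTED_DIR = {
    "smss.exe": r"c:\windows\system32",
    "csrss.exe": r"c:\windows\system32",
    "winlogon.exe": r"c:\windows\system32",
    "services.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "svchost.exe": r"c:\windows\system32",
    "spoolsv.exe": r"c:\windows\system32",
    "wuauclt.exe": r"c:\windows\system32",
    "ctfmon.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}

# Constructed excerpt of the 9:36 AM log posted in this thread.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Scan saved at 9:36:23 AM, on 3/4/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\wuauclt.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
"""


def parse_running_processes(log_text):
    """Return the paths listed under 'Running processes:'; a blank line ends the section."""
    paths = []
    in_section = False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped.lower() == "running processes:":
            in_section = True
            continue
        if in_section:
            if not stripped:
                break
            paths.append(stripped)
    return paths


def is_temp_path(path):
    """True if any directory component of the path is a Temp/Tmp folder."""
    parts = {p.lower() for p in PureWindowsPath(path).parts}
    return bool(parts & {"temp", "tmp"})


def analyse_processes(paths):
    """Return a list of (subject, reason) findings for the process list."""
    findings = []
    dirs_by_name = {}
    for path in paths:
        p = PureWindowsPath(path)
        name = p.name.lower()
        parent = str(p.parent).lower()
        if is_temp_path(path):
            findings.append((path, "executable running from a Temp directory"))
        expected = EXPECTED_DIR.get(name)
        if expected is not None and parent != expected:
            findings.append((path, f"{name} normally runs from {expected}"))
        dirs_by_name.setdefault(name, set()).add(parent)
    # Same name in two places: the duplicate-wuauclt.exe pattern from the thread.
    for name, dirs in dirs_by_name.items():
        if len(dirs) > 1:
            findings.append((name, f"running from {len(dirs)} different directories: {sorted(dirs)}"))
    return findings


def scan_log(log_text):
    """Convenience wrapper: parse the log and analyse its process list."""
    return analyse_processes(parse_running_processes(log_text))


if __name__ == "__main__":
    for subject, reason in scan_log(SAMPLE_LOG):
        print(f"{subject}: {reason}")
```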

----------



## MFDnNC (Sep 7, 2004)

http://www.pandasoftware.com/products/activescan.htm

When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report.

Post a new HiJackThis log along with the results from ActiveScan.


----------



## tallywack (Mar 2, 2007)

As instructed here's a copy of Panda's Activescan:

Incident Status Location

Adware:adware/wupd Not disinfected c:\windows\system32\ide21201.vxd 
Potentially unwanted tool:application/starr.a Not disinfected c:\windows\system32\wsys.dll 
Adware:adware/ist.istbar Not disinfected Windows Registry 
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Brians\Desktop\SDFix.exe[SDFix\apps\Process.exe] 
Spyware:Cookie/GoStats Not disinfected C:\Documents and Settings\cutie_marf\Application Data\Mozilla\Firefox\Profiles\bmm7c9of.default\cookies.txt[.c2.gostats.com/] 
Adware:Adware/VideoExtension Not disinfected C:\Documents and Settings\Guest\Local Settings\Temp\install.bat 
Adware:Adware/VideoExtension Not disinfected C:\Documents and Settings\Guest\Local Settings\Temp\install2.bat 
Adware:Adware/VideoExtension Not disinfected C:\Documents and Settings\Guest\Local Settings\Temp\start-soft.bat 
Spyware:Cookie/DriveCleaner Not disinfected C:\RECYCLER\NPROTECT\00890887.TXT 
Spyware:Cookie/Searchportal Not disinfected C:\RECYCLER\NPROTECT\00890893.TXT 
Virus:Trj/Rootkit.T Disinfected C:\RECYCLER\NPROTECT\00891187.sys 
Adware:Adware/Secure32 Not disinfected C:\RECYCLER\NPROTECT\00891218 
Spyware:Cookie/Valueclick Not disinfected C:\RECYCLER\NPROTECT\00891222 
Adware:Adware/Adsmart Not disinfected C:\RECYCLER\NPROTECT\00891225 
Adware:Adware/Maxifiles Not disinfected C:\RECYCLER\NPROTECT\00891226 
Spyware:Cookie/Doubleclick Not disinfected C:\RECYCLER\NPROTECT\00891229 
Virus:Trj/Rootkit.T Disinfected C:\RECYCLER\NPROTECT\00891233.sys 
Virus:Trj/Rootkit.T Disinfected C:\RECYCLER\NPROTECT\00891255.sys 
Virus:Trj/Rootkit.T Disinfected C:\RECYCLER\NPROTECT\00891261.sys 
Adware:Adware/WebAttaker Not disinfected C:\RECYCLER\NPROTECT\00891272.DLL 
Virus:Trj/Rootkit.T Disinfected C:\RECYCLER\NPROTECT\00891331.sys 
Virus:Trj/Rootkit.T Disinfected C:\RECYCLER\NPROTECT\00891358.sys 
Virus:Trj/Rootkit.T Disinfected C:\RECYCLER\NPROTECT\00891362.sys 
Virus:Trj/Rootkit.T Disinfected C:\RECYCLER\NPROTECT\00891431.sys 
Adware:Adware/VideoExtension Not disinfected C:\RECYCLER\NPROTECT\00892336.dll 
Virus:Trj/Rootkit.T Disinfected C:\RECYCLER\NPROTECT\00892376.sys 
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\SDFix\apps\Process.exe 
Adware:Adware/WebAttaker Not disinfected C:\SDFix\SDFix\backups\backups.zip[backups/5.dllb]


----------



## tallywack (Mar 2, 2007)

I forgot to post a copy of HijackThis's log; anyway, here's the report:

Logfile of HijackThis v1.99.1
Scan saved at 12:14:07 PM, on 3/4/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\TEMP\69343.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Symantec\LiveUpdate\LUALL.EXE
C:\Program Files\Hijackthis\HijackThis.exe

O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {CAFEEFAC-0014-0000-0000-ABCDEFFEDCBA} (Java Runtime Environment 1.4.0) - 
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton AntiVirus\AdvTools\NPROTECT.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe


----------



## tallywack (Mar 2, 2007)

I just ran across a thread in this forum w/ regard to wuauclt.exe, I believe we have the same problem. The thread starter mentioned something about deleting 'wsys.dll' using killbox and that helped him fix the problem. I also have the file named 'wsys.dll' inside my System32 folder, but when I try to delete it I just get a message that Windows was unable to delete it. I guess I also need killbox to remove it from the system.

Here's where I found the thread: http://forums.techguy.org/security/547325-wuauclt-exe-running-99-cpu.html


----------



## MFDnNC (Sep 7, 2004)

Download http://www.downloads.subratam.org/KillBox.zip or
http://www.thespykiller.co.uk/files/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by DELETE ON REBOOT. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

c:\windows\system32\ide21201.vxd 
c:\windows\system32\wsys.dll
C:\Documents and Settings\Guest\Local Settings\Temp\install.bat 
C:\Documents and Settings\Guest\Local Settings\Temp\install2.bat 
C:\Documents and Settings\Guest\Local Settings\Temp\start-soft.bat

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

START  RUN  type in %temp% - OK - Edit  Select all  File  Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal

*Empty the recycle bin* and the Norton protected recycle bin

Boot and post a new hijack log from normal NOT safe mode

*Please give feedback on what worked/didn't work and the current status of your system*


----------

