# Solved: Bo: heap virus: Read previous thread but need help identifying files to fix



## Nicole1j (Mar 9, 2007)

Hello, I found a thread with a similar problem and followed all the steps, but I can't identify the files that need to be removed etc. Please help... Underneath is all the information required, I hope.

Here is the information shown in the McAfee alert message box.

Pathname: c:\program files\internet explorer\iexplore.exe::ReadFile
Detected As: bo:heap
State: Blocked by Buffer Overflow Protection

Logfile of HijackThis v1.99.1
Scan saved at 02:01:52 PM, on 09/03/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\utorrent\utorrent.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
c:\progra~1\intern~1\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BagsFaceSpamBold] C:\Documents and Settings\All Users\Application Data\Meet Flaw Bags Face\Scr Gpl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\utorrent\utorrent.exe"
O4 - HKCU\..\Run: [extradeaf] C:\DOCUME~1\DMatrix\APPLIC~1\OPEN4~1\SendDumbSixth.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Findlop Info:

[TRACE] Enumerating jobs and queues
[TRACE] Activating job 'AC22D5E193AD4DDD.job'
[TRACE] Printing all job properties

ApplicationName: 'c:\docume~1\dmatrix\applic~1\open4~1\Readme locks plus.exe'
Parameters: ''
WorkingDirectory: ''
Comment: ''
Creator: 'DMatrix'
Priority: NORMAL
MaxRunTime: 259200000 (3d 0:00:00)
IdleWait: 10
IdleDeadline: 60
MostRecentRun: 03/09/2007 14:00:00
NextRun: 03/09/2007 15:00:00
StartError: S_OK
ExitCode: 0
Status: SCHED_S_TASK_READY
ScheduledWorkItem Flags:
DeleteWhenDone = 0
Suspend = 0
StartOnlyIfIdle = 0
KillOnIdleEnd = 0
RestartOnIdleResume = 0
DontStartIfOnBatteries = 0
KillIfGoingOnBatteries = 0
RunOnlyIfLoggedOn = 1
SystemRequired = 0
Hidden = 1
TaskFlags: 0

1 Trigger

Trigger 0:
Type: Daily
DaysInterval: 1
StartDate: 10/12/1998
EndDate: 00/00/0000
StartTime: 00:00
MinutesDuration: 1440
MinutesInterval: 60
Flags:
HasEndDate = 0
KillAtDuration = 0
Disabled = 0

Directory Info:

Volume in drive C has no label.
Volume Serial Number is 60D5-6FA5

Directory of C:\Documents and Settings\DMatrix\Application Data

28/02/2007 01:41 AM Creative
28/02/2007 12:27 AM IDENTI~1 Identities
04/03/2007 01:43 PM IMAGEZ~1 Image Zone Express
28/02/2007 01:02 AM INTERT~1 InterTrust
01/03/2007 10:48 PM MACROM~1 Macromedia
02/03/2007 10:44 PM MEDIAP~1 Media Player Classic
03/03/2007 08:22 PM OPEN4~1 Open 4
09/03/2007 02:13 PM uTorrent
03/03/2007 08:06 PM WinRAR
0 File(s) 0 bytes
9 Dir(s) 8,321,929,216 bytes free
Volume in drive C has no label.
Volume Serial Number is 60D5-6FA5

Directory of C:\Documents and Settings\All Users\Application Data

28/02/2007 12:41 AM BF8051~1 BF8051E7-626F-4a11-AF7A-625A7B555862
28/02/2007 01:08 AM Creative
28/02/2007 01:27 AM HP
04/03/2007 10:15 AM 1,473 HPZINS~1.LOG hpzinstall.log
03/03/2007 08:22 PM MEETFL~1 Meet Flaw Bags Face
28/02/2007 01:15 AM NETWOR~1 Network Associates
02/03/2007 10:29 PM NVIEW_~1 nView_Profiles
1 File(s) 1,473 bytes
 6 Dir(s) 8,321,929,216 bytes free
Volume in drive C has no label.
Volume Serial Number is 60D5-6FA5

Directory of C:\Program Files

09/03/2007 02:01 PM .
09/03/2007 02:01 PM ..
28/02/2007 01:02 AM Adobe
02/03/2007 10:33 PM Ahead
02/03/2007 10:32 PM COMMON~1 Common Files
28/02/2007 12:17 AM COMPLU~1 ComPlus Applications
28/02/2007 01:51 AM Creative
28/02/2007 01:22 AM HEWLET~1 Hewlett-Packard
09/03/2007 02:01 PM HIJACK~1 Hijackthis
04/03/2007 10:12 AM HP
28/02/2007 01:20 AM INTERN~1 Internet Explorer
02/03/2007 10:42 PM K-LITE~1 K-Lite Codec Pack
28/02/2007 12:50 AM MESSEN~1 Messenger
28/02/2007 01:12 AM MICROS~4 Microsoft ActiveSync
28/02/2007 12:20 AM MICROS~1 microsoft frontpage
28/02/2007 01:12 AM MICROS~2 Microsoft Office
28/02/2007 01:12 AM MICROS~3 Microsoft Visual Studio
28/02/2007 12:47 AM MOVIEM~1 Movie Maker
28/02/2007 12:17 AM MSN
28/02/2007 12:16 AM MSNGAM~1 MSN Gaming Zone
07/03/2007 09:25 PM MSNMES~1 MSN Messenger
28/02/2007 12:45 AM NETMEE~1 NetMeeting
28/02/2007 01:15 AM NETWOR~1 Network Associates
28/02/2007 12:18 AM ONLINE~1 Online Services
28/02/2007 12:45 AM OUTLOO~1 Outlook Express
01/03/2007 11:04 PM utorrent
28/02/2007 12:55 AM VIA
28/02/2007 12:48 AM WINDOW~3 Windows Media Player
28/02/2007 12:45 AM WINDOW~1 Windows NT
03/03/2007 08:06 PM WinRAR
28/02/2007 12:20 AM xerox
0 File(s) 0 bytes
31 Dir(s) 8,321,929,216 bytes free

I have saved remlop.bat on my desktop, double-clicked it and downloaded Killbox, but I haven't run it as I don't know which files to select to fix.

I would greatly appreciate any help that can be provided. Thank you in advance.


----------
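Added example, not from the thread: the question in the post above is which of the logged items are the ones to remove. The script below scores the HijackThis O4 Run entries and the Findlop scheduled-task dump with the three traits the infection shows in this log: the binary lives under a profile's Application Data folder, the path is written with 8.3 short names, and the folder or Run-key name is a string of random English words. The sample lines are copied from the log above; the weights, threshold and field names are the editor's assumptions, and the heuristics only say what to look at, not that a file is malicious.

```python
"""Triage of the artifacts posted above: HijackThis O2/O4 lines and the
Findlop scheduled-task property dump.  Standard library only; runs offline."""
import re

# Constructed sample: benign O4 lines plus the two Run keys and the orphaned
# BHO taken from the HijackThis log in the first post.
HJT_SAMPLE = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [BagsFaceSpamBold] C:\Documents and Settings\All Users\Application Data\Meet Flaw Bags Face\Scr Gpl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [extradeaf] C:\DOCUME~1\DMatrix\APPLIC~1\OPEN4~1\SendDumbSixth.exe
"""

# Constructed sample: the relevant lines of the Findlop task dump in the first post.
TASK_SAMPLE = r"""
ApplicationName: 'c:\docume~1\dmatrix\applic~1\open4~1\Readme locks plus.exe'
Parameters: ''
Creator: 'DMatrix'
Status: SCHED_S_TASK_READY
RunOnlyIfLoggedOn = 1
Hidden = 1
"""

# Location signals (assumed weights): a profile Application Data/Temp location
# is enough on its own; an 8.3 short-name path component is supporting evidence.
SIGNALS = [
    (re.compile(r"application data|applic~1|local settings|locals~1|\\temp\\", re.I), 2,
     "runs from a profile Application Data/Temp folder"),
    (re.compile(r"~\d+\\"), 1,
     "8.3 short name hides the real folder name"),
]
# Three or more capitalised English words: "Meet Flaw Bags Face", "BagsFaceSpamBold".
# Vendor names such as NvCplDaemon also match, so this is deliberately weak.
WORD_SALAD_RE = re.compile(r"^(?:[A-Z][a-z]+ ?){3,}$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")
ORPHAN_RE = re.compile(r"^O[23] - .*\(no file\)\s*$")
THRESHOLD = 2


def score_run_entry(name, cmd):
    """Score one O4 Run entry; returns (score, reasons)."""
    path = cmd.lstrip('"').split('"')[0]                 # a quoted path ends at the next quote
    folder = path.split("\\")[-2] if "\\" in path else ""
    hits = [(w, why) for rx, w, why in SIGNALS if rx.search(cmd)]
    if WORD_SALAD_RE.match(name) or WORD_SALAD_RE.match(folder):
        hits.append((1, "random-word name (weak signal on its own)"))
    return sum(w for w, _ in hits), [why for _, why in hits]


def triage_hjt(text):
    """Return the lines worth acting on: Run entries at or above THRESHOLD and
    O2/O3 hooks whose file is gone (harmless, but left-over clutter to remove)."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            score, reasons = score_run_entry(m["name"], m["cmd"])
            if score >= THRESHOLD:
                findings.append({"kind": "run", "name": m["name"], "score": score,
                                 "reasons": reasons, "line": line})
        elif ORPHAN_RE.match(line):
            findings.append({"kind": "orphan", "name": line.split(" - ")[1], "score": 0,
                             "reasons": ["hook points at a file that no longer exists"],
                             "line": line})
    return findings


def parse_task_dump(text):
    """Turn 'Key: value' and 'Flag = n' lines into a dict, dropping the quotes."""
    props = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(\w+)\s*[:=]\s*(.*?)\s*$", line)
        if m:
            props[m.group(1)] = m.group(2).strip("'")
    return props


def triage_task(props):
    """A hidden task that launches a binary out of Application Data is a hit;
    a hidden task alone is not (legitimate software hides tasks too)."""
    app = props.get("ApplicationName", "")
    reasons = [why for rx, _, why in SIGNALS if rx.search(app)]
    hidden = props.get("Hidden") == "1"
    if hidden:
        reasons.append("task is hidden from the Scheduled Tasks folder")
    return hidden and len(reasons) > 1, reasons


if __name__ == "__main__":
    for f in triage_hjt(HJT_SAMPLE):
        print(f"{f['kind']:6} {f['name']:<22} score={f['score']} {'; '.join(f['reasons'])}")
    flagged, why = triage_task(parse_task_dump(TASK_SAMPLE))
    print("task:", "FLAG" if flagged else "ok", "|", "; ".join(why))
```

On the log above this flags exactly the two Run keys MFDnNC names in the reply, the task that NoLop later removes, and the orphaned BHO that is fixed last; NvCplDaemon trips the word-salad rule but stays below the threshold because it runs from system32.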



## MFDnNC (Sep 7, 2004)

Please Download NoLop to your desktop from

http://www.thespykiller.co.uk/forum/index.php?action=tpmod;dl=item16

First close any other programs you have running as this will require a reboot
·	Double click NoLop.exe to run it
·	Now click the button labelled "Search and Destroy"
<<your computer will now be scanned for infected files>>
·	When scanning is finished you will be prompted to reboot only if infected, Click OK
·	Now click the "REBOOT" Button.
·	A message should pop up from NoLop. If not, double-click the program again and it will finish. Please post the contents of C:\NoLop.log along with a fresh HijackThis log.
--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder, then rerun the program.

=================
You may want to print this or save it to notepad as we will go to safe mode.

Fix these with HijackThis: mark them, close IE, click Fix checked.

O4 - HKLM\..\Run: [BagsFaceSpamBold] C:\Documents and Settings\All Users\Application Data\Meet Flaw Bags Face\Scr Gpl.exe

O4 - HKCU\..\Run: [extradeaf] C:\DOCUME~1\DMatrix\APPLIC~1\OPEN4~1\SendDumbSixth.exe

DownLoad http://www.downloads.subratam.org/KillBox.zip or
http://www.thespykiller.co.uk/files/killbox.exe

Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

C:\Documents and Settings\All Users\Application Data\Meet Flaw Bags Face
C:\DOCUME~1\DMatrix\APPLIC~1\OPEN4~1

Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

Start > Run > type in %temp% > OK > Edit > Select All > File > Delete

Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

Not all temp files will delete and that is normal
Empty the recycle bin
Boot

Download Superantispyware (SAS)

http://www.superantispyware.com/superantispywarefreevspro.html

Install it and double-click the icon on your desktop to run it.
·	It will ask if you want to update the program definitions, click Yes.
·	Under Configuration and Preferences, click the Preferences button.
·	Click the Scanning Control tab.
·	Under Scanner Options make sure the following are checked:
o	Close browsers before scanning
o	Scan for tracking cookies
o	Terminate memory threats before quarantining.
o	Please leave the others unchecked.
o	Click the Close button to leave the control center screen.
·	On the main screen, under Scan for Harmful Software click Scan your computer.
·	On the left check C:\Fixed Drive.
·	On the right, under Complete Scan, choose Perform Complete Scan.
·	Click Next to start the scan. Please be patient while it scans your computer.
·	After the scan is complete a summary box will appear. Click OK.
·	Make sure everything in the white box has a check next to it, then click Next.
·	It will quarantine what it found and if it asks if you want to reboot, click Yes.
·	To retrieve the removal information for me please do the following:
o	After reboot, double-click the SUPERAntispyware icon on your desktop.
o	Click Preferences. Click the Statistics/Logs tab.
o	Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
o	It will open in your default text editor (such as Notepad/Wordpad).
o	Please highlight everything in the notepad, then right-click and choose copy.
·	Click close and close again to exit the program.
·	Please paste that information here for me *with a new HijackThis log*.

*Please give feedback on what worked/didn't work and the current status of your system*


----------



## Nicole1j (Mar 9, 2007)

Lop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\DMatrix\Desktop
[09/03/2007]
[03:11:16 PM]

---Infection Files Found/Removed---
C:\WINDOWS\tasks\AC22D5E193AD4DDD.job

Beginning Removal...
Rebooting...
Removing Lop's Leftover Files/Folders...
Editing Registry...
**Fix Complete!**

---Listing AppData sub directories---

C:\Documents and Settings\All Users\Application Data\Bf8051e7-626f-4a11-af7a-625a7b555862
C:\Documents and Settings\All Users\Application Data\Creative
C:\Documents and Settings\All Users\Application Data\Hp
C:\Documents and Settings\All Users\Application Data\Meet Flaw Bags Face
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Network Associates
C:\Documents and Settings\All Users\Application Data\Nview_profiles -- EMPTY Directory
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Dmatrix\Application Data\Creative
C:\Documents and Settings\Dmatrix\Application Data\Help -- EMPTY Directory
C:\Documents and Settings\Dmatrix\Application Data\Hp
C:\Documents and Settings\Dmatrix\Application Data\Identities
C:\Documents and Settings\Dmatrix\Application Data\Image Zone Express
C:\Documents and Settings\Dmatrix\Application Data\Intertrust
C:\Documents and Settings\Dmatrix\Application Data\Macromedia
C:\Documents and Settings\Dmatrix\Application Data\Media Player Classic
C:\Documents and Settings\Dmatrix\Application Data\Microsoft
C:\Documents and Settings\Dmatrix\Application Data\Open 4
C:\Documents and Settings\Dmatrix\Application Data\Utorrent
C:\Documents and Settings\Dmatrix\Application Data\Winrar -- EMPTY Directory
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft

Logfile of HijackThis v1.99.1
Scan saved at 04:23:11 PM, on 09/03/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\utorrent\utorrent.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

No error was seen after this step.

I ran Killbox.exe in safe mode and removed the files without any problems and deleted the temp folder and the recycle bin.

So far on reboot the virus message has not reappeared and I am presently running the Superantispyware program.

Thank you for replying so quickly and I will submit the rest of information as soon as the scan is completed.

Thanks again.


----------
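Added example, not from the thread: each reply above ends with a request for a fresh HijackThis log, and the check the helper then does by eye is a diff of the two logs. The script below does that diff on constructed excerpts of the first and second logs in this thread, separating the process list from the Rx/Oxx entries, and checks that a list of strings that must be gone (the Run-key names and folder names from the fix) no longer appears anywhere. The function names and the report layout are the editor's choice; it also reports any `(no file)` hooks that survived the fix, which is what the final reply picks up.

```python
"""Compare the HijackThis log posted before the fix with the one posted after it,
to confirm that what was meant to go is gone and to see what is new.
Standard library only; runs offline."""
import re

# Constructed excerpts of the two logs in this thread (headers and most benign
# lines omitted; the lines kept are copied as posted).
BEFORE = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\utorrent\utorrent.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [BagsFaceSpamBold] C:\Documents and Settings\All Users\Application Data\Meet Flaw Bags Face\Scr Gpl.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [extradeaf] C:\DOCUME~1\DMatrix\APPLIC~1\OPEN4~1\SendDumbSixth.exe
"""

AFTER = r"""
Running processes:
C:\WINDOWS\Explorer.EXE
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Internet Explorer\iexplore.exe

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

ENTRY_RE = re.compile(r"^(?:R\d|O\d+) - ")


def split_log(text):
    """Return (processes, entries) as sets.  Process lines follow the
    'Running processes:' header up to the first blank line; every line with an
    Rx/Oxx prefix is a scan entry."""
    procs, entries, in_procs = set(), set(), False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_procs = True
        elif not line:
            in_procs = False
        elif in_procs:
            procs.add(line.lower())          # NTFS paths are case-insensitive
        elif ENTRY_RE.match(line):
            entries.add(line)
    return procs, entries


def verify_cleanup(before, after, must_be_gone):
    """Diff the two logs and check that every string in must_be_gone (a Run-key
    name, a folder name, a path fragment) is absent from the post-fix log."""
    p0, e0 = split_log(before)
    p1, e1 = split_log(after)
    leftovers = sorted(s for s in must_be_gone
                       if any(s.lower() in line.lower() for line in e1 | p1))
    return {
        "entries_removed": sorted(e0 - e1),
        "entries_added": sorted(e1 - e0),
        "processes_gone": sorted(p0 - p1),
        "processes_new": sorted(p1 - p0),
        "orphans_still_present": sorted(l for l in e1 if "(no file)" in l),
        "leftovers": leftovers,
    }


if __name__ == "__main__":
    report = verify_cleanup(BEFORE, AFTER,
                            ["BagsFaceSpamBold", "extradeaf", "Meet Flaw Bags Face", "OPEN4~1"])
    for key, lines in report.items():
        print(key)
        for l in lines:
            print("   ", l)
```

The process comparison is by exact lower-cased path, so the same binary logged once as `c:\progra~1\intern~1\iexplore.exe` and once as `C:\Program Files\Internet Explorer\iexplore.exe` shows up as one gone and one new; expand 8.3 names first if that matters for the case at hand.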



## Nicole1j (Mar 9, 2007)

SUPERAntiSpyware Scan Log
Generated 03/09/2007 at 04:42 PM

Application Version : 3.6.1000

Core Rules Database Version : 3196
Trace Rules Database Version: 1206

Scan type : Complete Scan
Total Scan Time : 00:50:23

Memory items scanned : 451
Memory threats detected : 0
Registry items scanned : 5291
Registry threats detected : 0
File items scanned : 48569
File threats detected : 57

Adware.Tracking Cookie
[49 cookie files under C:\Documents and Settings\DMatrix\Cookies\ (the user@domain file names were not preserved)]

Adware.Lop-Gen
C:\!KILLBOX\MEET FLAW BAGS FACE\SCR GPL.EXE
C:\!KILLBOX\OPEN4~1\JTAQZRHH.EXE
C:\!KILLBOX\OPEN4~1\README LOCKS PLUS.EXE
C:\!KILLBOX\OPEN4~1\SENDDUMBSIXTH.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{64A9BCA3-836A-45D9-AAA2-15F3B6EDD0ED}\RP45\A0013749.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{64A9BCA3-836A-45D9-AAA2-15F3B6EDD0ED}\RP45\A0013750.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{64A9BCA3-836A-45D9-AAA2-15F3B6EDD0ED}\RP45\A0013751.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{64A9BCA3-836A-45D9-AAA2-15F3B6EDD0ED}\RP45\A0013752.EXE

Logfile of HijackThis v1.99.1
Scan saved at 04:52:39 PM, on 09/03/2007
Platform: Windows XP SP2, v.2096 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2096)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [RaidTool] C:\Program Files\VIA\RAID\raid_tool.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\utorrent\utorrent.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

So far the system seems to be running a lot better and even the internet is faster.

Thanks for looking at my problem and if you detect anything else please let me know.


----------



## MFDnNC (Sep 7, 2004)

Fix this with HijackThis: mark it, close IE, click Fix checked.

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

Clean

If you feel it is fixed, mark it solved via Thread Tools above.

Turn off restore points, boot, turn them back on. Here's how:

http://service1.symantec.com/SUPPOR...2001111912274039?OpenDocument&src=sec_doc_nam


----------



## Nicole1j (Mar 9, 2007)

Thanks a ton for all your assistance. I have marked the thread as solved.


----------

