RetouchPRO



Hardware Computers, displays, tablets, scanners, cameras, printers, etc.

  #1  
Old 02-06-2007, 01:48 AM
Syd Syd is offline
Senior Member
 
Join Date: Mar 2006
Posts: 272
Gary - I need your help please!

Gary, do you know what this screen means? It's not the first time I have had this come up and I went and downloaded Fixblast and have now run it twice but both times came up with nothing.

My computer has been acting really slowly lately. This is probably, in part, due to the fact that my hard drive is less than one Gb away from being chock-a-block! I am trying to hang in there for a while until I can afford to buy a whole new system - I have had this one for almost five years now. Perhaps I should also tell you that my Norton Antivirus expired two months ago before I went on holiday and I still haven't got a new one. Whoops - don't scold me for that one! Also our apartment block is on a communal Internet connection. I have no idea how it works...all I know is that sometimes it is fast and sometimes it is slow. Am I in big trouble now and should I start backing up furiously?

Usually when the computer starts crawling at a snail's pace then this screen comes up but then if I hit Refresh it will redirect me again. The last two days, however, it has been more offline than online. I am starting to get worried. Any advice? Thanks Gary or, in fact, anyone who might be able to explain to me what is going on.

Sincerely
Syd
Attached Images
File Type: jpg Blaster-Warning.jpg (98.9 KB, 60 views)
  #2  
Old 02-06-2007, 02:26 AM
CJ Swartz's Avatar
Senior Member
 
Join Date: Sep 2001
Location: Metro Phoenix area, Arizona
Posts: 2,818
Blog Entries: 14
Re: Gary - I need your help please!

Syd,

While waiting for Gary or one of the other knowledgeable folks to come by, take a look at this thread --

http://www.retouchpro.com/forums/har...lp-please.html

If you can backup really important files, do it -- not just because there's a problem, but because we always should do it.

There are free programs to scan for spyware and viruses -- while you're waiting, take a look at those and run one. Read what Gary says about the Hijack log -- wait for him if you have any questions about how to do anything, but start thinking about whether you've added any software lately, hardware, downloaded any funny email or programs from the internet, etc. -- something that might help Gary figure out what might be going on.
  #3  
Old 02-06-2007, 02:39 AM
Senior Member
 
Join Date: Feb 2006
Posts: 191
Re: Gary - I need your help please!

Hi Syd,

Your screen shot shows a url for my.yahoo.com. That's suspicious to begin with. Who would know how much bandwidth you are using and why would they warn you about it if it were a virus/worm?

Looks like a pop-up ad that hit its target.

Always good advice to keep your system free of viruses and use a firewall.

Last edited by BillFrey; 02-06-2007 at 02:55 AM. Reason: typed wrong name
  #4  
Old 02-06-2007, 02:45 AM
CJ Swartz's Avatar
Senior Member
 
Join Date: Sep 2001
Location: Metro Phoenix area, Arizona
Posts: 2,818
Blog Entries: 14
Re: Gary - I need your help please!

Bill -- just to clarify -- it is Syd who has the problem.

Good advice about the firewall etc., but it may be too late for that right now.
  #5  
Old 02-06-2007, 02:54 AM
Senior Member
 
Join Date: Feb 2006
Posts: 191
Re: Gary - I need your help please!

oops, sorry, CJ. When I scrolled to see the op's name I didn't realize the posts were in reverse order.

I'll fix my reply. Apologies!
  #6  
Old 02-06-2007, 03:18 AM
chrishoggy's Avatar
Senior Member
 
Join Date: Dec 2004
Location: Yorkshire
Posts: 573
Blog Entries: 1
Re: Gary - I need your help please!

First of all you need to get your system protected and scanned. Below is a free anti-virus and a free firewall. Both work very well and have never failed me.

Firewall
http://www.zonelabs.com/store/conten...eeDownload.jsp

Anti-Virus
http://free.grisoft.com/doc/5390/lng...nti-virus-free

Then the next thing I would do is get shut of the Yahoo toolbar you have installed in IE6. Toolbars are never a good thing IMHO. Run Windows Updates, and make sure you are fully up to date with those. If you can, update to IE7, as it is a bit more secure than IE6.
If you can backup your files to CD/DVD and delete them from your system, this will help speed up your system. If you do that, defrag your hard drive after, to clean up the file placement on the drive.
  #7  
Old 02-06-2007, 08:21 AM
Syd Syd is offline
Senior Member
 
Join Date: Mar 2006
Posts: 272
Re: Gary - I need your help please!

CJ, Chris and Bill thanks so much for your advice. You guys are great. CJ, I am following Gary's advice in that thread right now and hopefully will have something to post for him soon. Chris, I do have Zonealarm and I will look into that Antivirus programme. My colleague at work mentioned AVG. It is free and, according to him, very good too. I had no idea that the toolbar might cause problems. I wouldn't even know how to remove it. Bill, I would never have thought to look at the URL. It looked so official to me and I just kept on wondering who or what Bandwidth Manager was!

Thanks guys.
Sincerely Syd
  #8  
Old 02-06-2007, 08:22 AM
Cameraken's Avatar
Senior Member
 
Join Date: Feb 2005
Location: Lancashire (UK)
Posts: 1,113
Re: Gary - I need your help please!

Hi Syd

Sorry to hear you are having problems. I am sure that Gary will need to see your HJT log. You could upload it whilst waiting for Gary if you want to save a little time.

Here are the instructions to post your log.



Click here to download HJTsetup.exe, and save it to your desktop.
  • Double click on the HJTsetup.exe icon on your desktop.
  • By default it will install to C:\Program Files\Hijack This.
  • Continue to click Next in the setup dialogue boxes until you get to the "Select Addition Tasks" dialogue.
  • Put a check by Create a desktop icon then click Next again.
  • Continue to follow the rest of the prompts from there.
  • At the final dialogue box click Finish and it will launch Hijack This.
  • Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
  • Copy and paste the log here
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.


Ken.
  #9  
Old 02-06-2007, 08:36 AM
Syd Syd is offline
Senior Member
 
Join Date: Mar 2006
Posts: 272
Re: Gary - I need your help please!

Thanks so much Ken. Ok I have done everything as you have instructed and here are the results:

Logfile of HijackThis v1.99.1
Scan saved at 下午 10:29:04, on 2007/2/6
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Wintab32.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Norton AntiVirus\navapsvc.exe
D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE
D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\Common Files\Symantec Shared\ccApp.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\conime.exe
D:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - D:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Dr.eye WebPage Translation - {92B255FE-94E2-4BCA-958D-3926CE38913F} - D:\PROGRA~1\Inventec\Dreye\DreyeMT\DREYEI~1.DLL
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] D:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3500 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE /P26 "EPSON Stylus CX3500 Series" /O6 "USB001" /M "Stylus CX3500"
O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [ccApp] "D:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O8 - Extra context menu item: 使用影音傳送帶下載 - D:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: 使用影音傳送帶下載全部連結 - D:\Program Files\Xi\NetTransport 2\NTAddList.html
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=Http://www.synnex.com.tw/
O15 - Trusted Zone: http://office.microsoft.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{B02DC897-A387-4AE6-AD76-E98EA833946F}: NameServer = 168.95.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - D:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - D:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - D:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - D:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - D:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: Wintab32 - Unknown owner - D:\WINDOWS\system32\Wintab32.exe

I haven't fixed anything just like you advised me to. Thanks so much for your help.
Sincerely Syd
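Reading an HJT log by hand, as Gary does above, means picking out the entry types that need confirming with the machine's owner rather than trusting a verdict. The helper below is an added example (not part of HijackThis and not Gary's tooling) that flags those entry types: the O14 IERESET.INF start page, an unnamed O2 BHO, an O18 handler whose file is missing, an O17 DNS server, an O15 trusted-zone site and an O23 service with no vendor. It ignores the drive letter, so a D:\ install parses the same as C:\; the sample lines are taken from Syd's log.

```python
"""Triage helper for HijackThis-style logs (added example, not HJT's own code)."""
import re
from dataclasses import dataclass

# An HJT entry line looks like "O23 - Service: name - Vendor - path".
# Header lines and the "Running processes" path list carry no section tag,
# so they are skipped by the regex.
ENTRY = re.compile(r"^(O\d+)\s+-\s+(.*)$")


@dataclass
class Finding:
    section: str   # e.g. "O14"
    reason: str    # why a reviewer should look at this line
    line: str      # the original log line


def parse_entries(log_text):
    """Return (section, body, line) for every O-numbered entry in the log."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2), line))
    return entries


def triage(log_text):
    """Flag the entry types the thread treats as 'confirm with the owner'.

    Nothing here is a verdict; the output is a review list. Drive letters
    are irrelevant because only the section tag and body text are inspected.
    """
    findings = []
    for section, body, line in parse_entries(log_text):
        # A registered component whose file is gone is either stale or hidden.
        if "(file missing)" in body:
            findings.append(Finding(section, "points at a file that is not on disk", line))
        if section == "O2" and body.startswith("BHO: (no name)"):
            findings.append(Finding(section, "BHO without a name; identify it by CLSID and DLL path", line))
        elif section == "O14":
            findings.append(Finding(section, "IERESET.INF start page; OEM/retailer preset or hijack, confirm with owner", line))
        elif section == "O15":
            findings.append(Finding(section, "site in Trusted Zone runs with relaxed IE security", line))
        elif section == "O17":
            findings.append(Finding(section, "custom DNS server; confirm it belongs to the ISP", line))
        elif section == "O23" and "Unknown owner" in body:
            findings.append(Finding(section, "service with no vendor string; verify the binary", line))
    return findings


# Sample lines copied from the log posted in this thread (not constructed).
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
D:\WINDOWS\system32\conime.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - D:\Program Files\Norton AntiVirus\NavShExt.dll
O14 - IERESET.INF: START_PAGE_URL=Http://www.synnex.com.tw/
O15 - Trusted Zone: http://office.microsoft.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{B02DC897-A387-4AE6-AD76-E98EA833946F}: NameServer = 168.95.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - D:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: Wintab32 - Unknown owner - D:\WINDOWS\system32\Wintab32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

In Syd's log the O14 entry turned out to be the retailer's preset and the O23 Wintab32 service is a tablet driver; the list only says where to look.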
  #10  
Old 02-06-2007, 08:54 AM
Syd Syd is offline
Senior Member
 
Join Date: Mar 2006
Posts: 272
Re: Gary - I need your help please!

Right click My Computer, then click Manage.
This will bring up the Computer Management window.
Expand System Tools then click Event Viewer.
Double click System in the Right Hand pane.

Look for any Error indications (white cross on red background).
If found, double click the entry and an Event Property window will open.

We need details from that window, particularly the Event ID.


_________________

Ok, I did this too and I have only one error: ID 4321

Syd
  #11  
Old 02-06-2007, 09:12 AM
Cameraken's Avatar
Senior Member
 
Join Date: Feb 2005
Location: Lancashire (UK)
Posts: 1,113
Re: Gary - I need your help please!

Hi Syd

You do have some nasties in there.
I am still in training at the Malware University and not yet allowed to help you, but I would suggest you do nothing more until Gary replies or he will need a fresh HJT log.

I shall watch with interest as Gary fixes this.

Ken.
  #12  
Old 02-06-2007, 09:26 AM
Syd Syd is offline
Senior Member
 
Join Date: Mar 2006
Posts: 272
Re: Gary - I need your help please!

Thanks Ken. I won't touch anything. I am too scared to! What I am doing right now is downloading the AVG Antivirus programme but I am not going to install it or uninstall Norton or anything like that. I am going to wait for Gary first. It is 11:15 at night over here so I will probably be going to bed in the next 45 mins or so and, therefore, might not receive any advice you or anyone else might give until tomorrow morning.

Sincerely Syd
  #13  
Old 02-07-2007, 09:20 AM
Gary Richardson's Avatar
Moderator
 
Join Date: Mar 2004
Location: Yorkshire, England
Posts: 2,718
Re: Gary - I need your help please!

Hi Syd,

Sorry I'm a bit late getting to this, had a few problems lately that needed dealing with, so just got on line.

Before we get started I've a couple of questions.

1. Is Hinet, Chungwa Telecom Co. Ltd. Taipei, Taiwan anything to do with your ISP (Internet Service Provider)?

2. How is Synnex concerned with your PC?

I see some Oriental translation programmes running on your computer, so I'm guessing the first is legit, but I'll await your answers.

You're using your D:\ drive as your default drive, so my auto systems weren't able to be used and I had to research your log manually, so that added a little time.

OK, had a look through your log, and it's mostly clean, however there's an item showing that I'm interested in.

I'd like you to check a file(s) for Viruses.
Quote:
D:\WINDOWS\system32\conime.exe
  • Click on the Browse button at the top of the screen.
  • Browse to the file.
  • Click OK.
  • Click Send, and the file will upload to VirusTotal / Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Note details of any viruses found.
  • Post me the details please.

It's quite possible you have Rootkitted processes running on your computer, so I'd like you to run some scans for me.

Download GMER and unzip it to your Desktop. (It will create a folder GMER)

Alternate Download Site
  • Disconnect from the Internet, and close all running programmes.
  • There is a small chance this programme may crash your computer, so save any work you have open.
  • Open the GMER folder, and double click gmer.exe
  • Let the gmer.sys driver load if asked.
  • If it gives you a warning at programme start about rootkit activity and asks if you want to run a scan ..... click OK.
  • If no warning:
    • Click Rootkit tab.
    • Ensure that All the boxes to the right of the program are checked except Show All.
    • Click Scan.
  • Once scan is finished click Copy.
    • Click Start > Run then type Notepad.exe then click OK.
    • This will open a Notepad file.
    • Hit Ctrl+V to paste log into it.
    • Save the log to your Desktop.
  • Reconnect to internet and post the log please.

Please do an online scan with Kaspersky Online Scanner

Note: You must be using Internet Explorer as your browser as it will be necessary to install an Active X component to your computer.

Important If you have previously used Kaspersky Online Scanner (before 8th Aug 2006), you will have to uninstall the old version using Add/Remove Programs in Control Panel before you can use the new version.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK.
  • Now under select a target to scan select My Computer.
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post please, along with the GMER log, and the details from Jotti/Virus Total.

Post each log separately, so we don't exceed the post size limiter here.

Note: The Kaspersky online scanner is not yet fully compatible with IE7. You may get returned to a window without the Accept/Decline buttons after allowing the ActiveX control. The buttons are there - you just can't see them! Click on the zoom button (bottom, right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.

Last edited by Gary Richardson; 02-07-2007 at 09:26 AM.
  #14  
Old 02-07-2007, 10:13 AM
Syd Syd is offline
Senior Member
 
Join Date: Mar 2006
Posts: 272
Re: Gary - I need your help please!

Gary, firstly thank you so much for responding in such a detailed way. You're a star!

Quote:
Before we get started I've a couple of questions.

1. Is Hinet, Chungwa Telecom Co. Ltd. Taipei, Taiwan anything to do with your ISP (Internet Service Provider)?

2. How is Synnex concerned with your PC?


In response to 1 - Yes, Hinet is our ISP and Chungwa is the local Telecom company.

Gary I am not sure what Synnex is. It sounds like something to do with Norton...or is that Symantec?

Ok, the rest I will get onto right away. I am not sure how much I will be able to finish tonight (it is already after 12) but hopefully I should have everything posted by tomorrow afternoon.

Thanks again for your willingness to help Gary.
Sincerely Syd
  #15  
Old 02-07-2007, 10:32 AM
Gary Richardson's Avatar
Moderator
 
Join Date: Mar 2004
Location: Yorkshire, England
Posts: 2,718
Re: Gary - I need your help please!

Synnex is the website that this entry on your computer connects to.

O14 - IERESET.INF: START_PAGE_URL=Http://www.synnex.com.tw/

It is what IE uses when it resets to default conditions, usually it is set by the computer manufacturer or machine administrator, but it can be used by an attacker for malicious purposes.

In this case Synnex appears to be the retailer for your computer, (didn't find this info 1st time round), so the entry is likely to be legit. Just like to confirm things like this with the owner of the log I'm looking at.

Always happy to help where I can, I'm monitoring this thread, so I'll be notified when you next post.
  #16  
Old 02-07-2007, 10:35 AM
Syd Syd is offline
Senior Member
 
Join Date: Mar 2006
Posts: 272
Re: Gary - I need your help please!

Ok Gary here is the first of your requests. Sorry I didn't know how to post the log except by hitting Print Screen and taking it into Photoshop.

I have already downloaded gmer (sounds a bit like Khmer Rouge - lol) and will set about scanning immediately. If it takes a long time I will likely only post the results in the morning.

Thanks Gary
Syd
Attached Images
File Type: jpg Virus-Total.jpg (95.8 KB, 18 views)
  #17  
Old 02-07-2007, 03:27 PM
Gary Richardson's Avatar
Moderator
 
Join Date: Mar 2004
Location: Yorkshire, England
Posts: 2,718
Re: Gary - I need your help please!

GMER is a rootkit scanner; its name comes from its creator, a Polish programmer, Przemyslaw Gmerek. It's one of the best.

Screen print of the Virus Total page is fine.

OK, looks like the conime.exe file is the legit windows file, had to check as there is a Remote access programme BFGhost which uses a file of the same name, as far as I know in the same location (information I found wasn't too specific on this point).
  #18  
Old 02-07-2007, 04:03 PM
Senior Member
 
Join Date: Feb 2006
Posts: 191
Re: Gary - I need your help please!

I was curious and googled and found this info that might apply.

Quote:
I would also like to add that not every version of conime.exe is a trojan! conime.exe is also installed along with windows xp in the C:\WINDOWS\system32 folder, I also have this file and it turns out it's the ''Microsoft Console IME (Input Method Editor)''. It executes whenever a command prompt is opened, so it seems that it's used for Asian language input support in the command prompt.
  #19  
Old 02-07-2007, 04:32 PM
Gary Richardson's Avatar
Moderator
 
Join Date: Mar 2004
Location: Yorkshire, England
Posts: 2,718
Re: Gary - I need your help please!

Thanks Bill, I was aware of the legit Windows file, but where there is any doubt that it may have been replaced with a malicious file I always like to check by having the file scanned as Syd did.
  #20  
Old 02-07-2007, 10:28 PM
Syd Syd is offline
Senior Member
 
Join Date: Mar 2006
Posts: 272
Re: Gary - I need your help please!

Ok Gary here is the GMER report:

GMER 1.0.12.12027 - http://www.gmer.net
Rootkit scan 2007-02-08 01:08:52
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT 8119FC20 ZwConnectPort
SSDT \??\D:\WINDOWS\system32\vsdatant.sys ZwOpenProcess
SSDT FFA458C0 ZwOpenThread

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [EFA06E90] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [EFA06E90] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [EFA06E90] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [EFA06E90] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [EFA06E90] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [EFA06E90] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [EFA06E90] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [EFA06E90] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [EFA06E90] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [EFA06E90] vsdatant.sys
Device \Driver\AFD \Device\Afd IRP_MJ_CREATE [EFA00B50] vsdatant.sys
Device \Driver\AFD \Device\Afd IRP_MJ_CLOSE [EFA00B50] vsdatant.sys
Device \Driver\AFD \Device\Afd IRP_MJ_DEVICE_CONTROL [EFA00B50] vsdatant.sys
Device \Driver\AFD \Device\Afd FastIoDeviceControl [EFA00510] vsdatant.sys

---- EOF - GMER 1.0.12 ----

Thanks for your help Gary. I am doing the Kaspersky scan right now but it looks like it is going to take ages and it has slowed my computer down to a snail's pace. I will post the results later. Thanks Syd
  #21  
Old 02-08-2007, 01:50 AM
Gary Richardson's Avatar
Moderator
 
Join Date: Mar 2004
Location: Yorkshire, England
Posts: 2,718
Re: Gary - I need your help please!

OK, that's clean as well, vsdatant is the driver for Zone Alarm (didn't need to look that one up as I have ZA on my box).

Yes a Kaspersky scan is definitely an exercise in patience and can sometimes take hours, however it is very thorough and gives a very good log, also it doesn't "clean" anything so we don't have to worry about it doing any damage by removing something we'd later wish it hadn't.
  #22  
Old 02-08-2007, 07:30 AM
Syd Syd is offline
Senior Member
 
Join Date: Mar 2006
Posts: 272
Re: Gary - I need your help please!

Ok Gary here it is. It took a while and it seems that my computer is indeed infected. What do you think I should do? I went and downloaded the AVG Free Antivirus Programme off the Net on Tuesday but as of yet haven't installed it. My Norton is still operational even though it can't be updated because it has expired. I know I will have to uninstall Norton before I install the new one. Anyway I won't do anything until I have heard from you. As always thanks so much for your time and patience Gary.

Sincerely Syd

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, February 08, 2007 9:11:49 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 8/02/2007
Kaspersky Anti-Virus database records: 265913
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 119526
Number of viruses found: 13
Number of infected objects: 29 / 0
Number of suspicious objects: 5
Duration of the scan process: 04:19:53

Infected Object Name / Virus Name / Last Action
C:\Program Files\Norton AntiVirus\Quarantine\021540D6.class Infected: Trojan.Java.ClassLoader.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\02186AD3.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\000C2914.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\2F0D2860.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\26C147E1.class Infected: Trojan.Java.ClassLoader.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\2F774C4B.htm Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\2F911C2E.htm Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\30DE56C0.htm Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\30F252AA.htm Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\3137445E.htm Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\373A53AA.class Infected: Trojan.Java.ClassLoader.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\73203422.class Infected: Trojan.Java.ClassLoader.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\3BA412CE.class Infected: Trojan.Java.ClassLoader.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\43AB3F35.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\4EA754D3.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\34B64E0B.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\06145256.class Infected: Trojan.Java.ClassLoader.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\06177C52.class Infected: Trojan.Java.ClassLoader.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\048E4A54.htm Infected: Trojan-Downloader.JS.IstBar.k skipped
C:\goldcodec.997.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.baz skipped
C:\goldcodec.997.exe/stream Infected: Trojan-Downloader.Win32.Zlob.baz skipped
C:\goldcodec.997.exe NSIS: infected - 2 skipped
C:\goldcodec.997.exe UPX: infected - 2 skipped
C:\goldcodec.997.exe PE_Patch.UPX: infected - 2 skipped
D:\WINDOWS\system32\config\system.LOG Object is locked skipped
D:\WINDOWS\system32\config\software.LOG Object is locked skipped
D:\WINDOWS\system32\config\default.LOG Object is locked skipped
D:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
D:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
D:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SECURITY Object is locked skipped
D:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
D:\WINDOWS\system32\config\SYSTEM Object is locked skipped
D:\WINDOWS\system32\config\DEFAULT Object is locked skipped
D:\WINDOWS\system32\config\SAM Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
D:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
D:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
D:\WINDOWS\system32\h323log.txt Object is locked skipped
D:\WINDOWS\Temp\ZLT0657f.TMP Object is locked skipped
D:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
D:\WINDOWS\Sti_Trace.log Object is locked skipped
D:\WINDOWS\wiaservc.log Object is locked skipped
D:\WINDOWS\wiadebug.log Object is locked skipped
D:\WINDOWS\SchedLgU.Txt Object is locked skipped
D:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
D:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
D:\WINDOWS\Internet Logs\DESKTOP.ldb Object is locked skipped
D:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
D:\WINDOWS\NDNuninstall6_98.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\user\NTUSER.DAT.LOG Object is locked skipped
D:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\user\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SPStart.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SPPolicy.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SPStop.log Object is locked skipped
D:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
D:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
D:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
D:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
D:\Program Files\Norton AntiVirus\Quarantine\2924786E.htm Infected: Trojan-Clicker.HTML.IFrame.b skipped
D:\Program Files\Norton AntiVirus\Quarantine\2927226A.jar/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
D:\Program Files\Norton AntiVirus\Quarantine\2927226A.jar/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
D:\Program Files\Norton AntiVirus\Quarantine\2927226A.jar/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
D:\Program Files\Norton AntiVirus\Quarantine\2927226A.jar ZIP: infected - 3 skipped
D:\Program Files\Norton AntiVirus\Quarantine\2927226A.jar CryptFF: infected - 3 skipped
D:\Program Files\Norton AntiVirus\Quarantine\292E7663.htm Infected: Trojan-Clicker.HTML.IFrame.b skipped
D:\Program Files\Norton AntiVirus\Quarantine\18825CC9.exe Infected: Trojan-Downloader.Win32.Agent.aey skipped
D:\Program Files\Yahoo!\YPSR\Quarantine\ppqFB.tmp\ACM.dll Infected: not-a-virus:AdTool.Win32.WhenU.g skipped

Scan process completed.
  #23  
Old 02-08-2007, 10:56 AM
Gary Richardson's Avatar
Moderator
 
Join Date: Mar 2004
Location: Yorkshire, England
Posts: 2,718
Re: Gary - I need your help please!

Hi Syd,

Kaspersky logs are always scary at first view, but actually your system is not so bad as the log looks. Many of the flagged items are locked because the parent process is still active, and thus they cannot be scanned. Can't see any malicious processes among them; for the most part they are logs and .dat files for legitimate processes.

There are also a number of quarantined items in Norton; these are encrypted and as such are no threat to your computer. But as you're wanting to remove Norton we'll delete them anyway.

There are however a couple of things that need looking at.

Download Pocket Killbox and install it to your Desktop. Do not run it yet.
  • First copy the filepaths in the box below to your clipboard, by highlighting them and pressing Ctrl+C.
Quote:
C:\goldcodec.997.exe
D:\WINDOWS\NDNuninstall6_98.exe
D:\Program Files\Yahoo!\YPSR\Quarantine\ppqFB.tmp\ACM.dll
  • Open Killbox and check a mark in the "RadioBox" which says Delete On Reboot
  • Click File > Paste from Clipboard.
  • Click All Files button.
  • Click on the Red button with a Cross, and answer Yes when prompted to Backup and Delete the pasted files.
  • Answer Yes when prompted to Reboot now.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, download and run missingfilesetup.exe. Then try Killbox again.

Now delete the contents of this folder (in bold).

C:\Program Files\Norton AntiVirus\Quarantine <- Do not delete the folder itself.

Download CCleaner to clean temp files from your computer.
  • Double click on the file to start the installation of the program.
  • Select your language and click OK, then next.
  • Read the license agreement and click I Agree.
  • Click Next to accept the default location.
  • Uncheck Add CCleaner Yahoo Toolbar and use CCleaner from within IE
  • Click Install then Finish to complete installation.
  • Double click the CCleaner shortcut on the desktop to start the program.
    • On the Windows tab, under Internet Explorer uncheck Cookies if you do not want them deleted.
    • If you use either Firefox or Mozilla, the box to uncheck for Cookies is on the Applications tab, under Firefox/Mozilla.
  • Click the Options icon at the left side of the window, then click on Advanced.
    • Uncheck Only delete files in Windows Temp folders older than 48 hours.
  • Click the Cleaner icon on the left side of the window, then click Run Cleaner to run the program.
  • Caution: It is not recommended that you ever use the Issues feature unless you are very familiar with the registry as it has been known to find legitimate items.
  • After CCleaner has completed its process, click Exit.

As you say your definitions for Norton are no longer current, the programme is no use at all, and you should remove it from your computer. Uninstalling Norton is known to give problems, so to best avoid these:

Go HERE and download the Removal Tool to your computer (the one that comes with your copy of Norton is usually not very good).

Disconnect from the internet before Uninstalling Norton.

Double click on the tool to remove Norton from your computer.

Once uninstalled, reboot your computer before installing the AVG Anti-Virus you have already downloaded.

Now run a new HJT scan on your computer and post the log back here (there will probably STILL be components for Norton that need removing from your computer).

I could also do with an Uninstall list from you.

Creating an Uninstall List
  • Open HJT, and click on Config, followed by Misc Tools.
  • Click on Open Uninstall Manager, and then click on Save List.
  • This will create a file uninstall_list.txt and prompt you to save it to your HJT folder.
  • Save it please, and copy it to your next post.

We'll probably need to do another Kaspersky scan to make sure we've removed those items successfully, but I'd wait until we've got rid of Norton properly from your Computer before we do that.

Last edited by Gary Richardson; 02-08-2007 at 11:08 AM.
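A triage pass over the Kaspersky Online Scanner report format, added here as an example and not code from Gary, Kaspersky or anyone in this thread. It sorts report lines the way the post above does (locked files that could not be scanned, items already sitting in Norton's quarantine, "not-a-virus" adware, and live infected files) and reproduces the report's own "infected / suspicious objects" tallies. The sample lines are excerpted from the report posted earlier in the thread; the assumption that only Norton's quarantine store holds inert, encrypted copies (so that the Yahoo YPSR quarantine item is treated as a live file, as Gary did) is mine and is marked in the code.

```python
"""Triage a Kaspersky Online Scanner report into what needs removing.

Each affected *file* (not each archive member) ends up in one category:
  locked       - could not be scanned (in-use registry, log and .dat files)
  quarantined  - held in an AV quarantine store that encrypts its contents,
                 so inert; emptying the store is enough
  riskware     - Kaspersky "not-a-virus:" adware / adtool detection
  malware      - a live infected file that has to be removed
"""
import re

# One report line is "<path> <verdict> <action>".  Paths may contain spaces,
# and members of an archive are written as "<file>/<member>".
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:(?P<verdict>Infected|Suspicious): (?P<threat>\S+)"
    r"|(?P<container>[\w.]+): infected - (?P<count>\d+)"
    r"|(?P<locked>Object is locked)) "
    r"(?P<action>\S+)$"
)

# ASSUMPTION: only these quarantine folders are treated as encrypted stores.
# Any other "Quarantine" directory is treated as a plain file on disk.
ENCRYPTED_QUARANTINE_DIRS = ("\\norton antivirus\\quarantine\\",)

# Ordered from least to most serious; a file keeps its worst classification.
SEVERITY = ("locked", "quarantined", "riskware", "malware")

# Constructed sample: lines excerpted from the report quoted in this thread.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Program Files\Norton AntiVirus\Quarantine\021540D6.class Infected: Trojan.Java.ClassLoader.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\2F774C4B.htm Suspicious: Exploit.HTML.Mht skipped
C:\goldcodec.997.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.baz skipped
C:\goldcodec.997.exe/stream Infected: Trojan-Downloader.Win32.Zlob.baz skipped
C:\goldcodec.997.exe NSIS: infected - 2 skipped
C:\goldcodec.997.exe UPX: infected - 2 skipped
C:\goldcodec.997.exe PE_Patch.UPX: infected - 2 skipped
D:\WINDOWS\system32\config\SAM Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
D:\WINDOWS\NDNuninstall6_98.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped
D:\Program Files\Norton AntiVirus\Quarantine\2927226A.jar/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
D:\Program Files\Norton AntiVirus\Quarantine\2927226A.jar ZIP: infected - 3 skipped
D:\Program Files\Yahoo!\YPSR\Quarantine\ppqFB.tmp\ACM.dll Infected: not-a-virus:AdTool.Win32.WhenU.g skipped
"""


def parse_line(line):
    """Return a dict for one detection line, or None for headers/blank lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path = m.group("path")
    return {
        "path": path,
        "file": path.split("/", 1)[0],        # drop the archive-member suffix
        "locked": m.group("locked") is not None,
        "container": m.group("container"),    # e.g. NSIS, UPX, ZIP summary line
        "verdict": m.group("verdict") or ("Infected" if m.group("container") else None),
        "threat": m.group("threat"),
        "action": m.group("action"),
    }


def classify(entry):
    """Category for one parsed line, following the reasoning in the post above."""
    if entry["locked"]:
        return "locked"
    if any(q in entry["file"].lower() for q in ENCRYPTED_QUARANTINE_DIRS):
        return "quarantined"
    if entry["threat"] and entry["threat"].startswith("not-a-virus:"):
        return "riskware"
    return "malware"


def triage(report_text):
    """Map each affected file to its worst category, in order of first sighting."""
    files = {}
    for line in report_text.splitlines():
        entry = parse_line(line)
        # Container summary lines (NSIS/UPX/ZIP ...) only restate their members.
        if entry is None or entry["container"]:
            continue
        cat = classify(entry)
        prev = files.get(entry["file"])
        if prev is None or SEVERITY.index(cat) > SEVERITY.index(prev):
            files[entry["file"]] = cat
    return files


def files_to_remove(files):
    """The files a deletion tool would be handed: live malware plus riskware."""
    return [f for f, cat in files.items() if cat in ("malware", "riskware")]


def count_detections(report_text):
    """Reproduce the report's own 'infected objects' and 'suspicious objects' totals."""
    infected = suspicious = 0
    for line in report_text.splitlines():
        e = parse_line(line)
        if e is None or e["locked"]:
            continue
        if e["verdict"] == "Suspicious":
            suspicious += 1
        else:
            infected += 1
    return infected, suspicious


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for path, category in result.items():
        print(f"{category:12s} {path}")
    print("remove:", files_to_remove(result))
    print("infected/suspicious objects:", count_detections(SAMPLE_REPORT))
```

On the sample the removal list comes out as exactly the three paths Gary handed to Killbox, while the Norton quarantine entries and the locked registry hives are left alone.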
  #24  
Old 02-08-2007, 10:31 PM
Syd Syd is offline
Senior Member
 
Join Date: Mar 2006
Posts: 272
Re: Gary - I need your help please!

Ok Gary...whew! that was another marathon at the computer. I downloaded Killbox and deleted those three files. I then downloaded CCleaner and did exactly as you said except I couldn't find this:

Uncheck Only delete files in Windows Temp folders older than 48 hours.

So I ran the scan anyway and it deleted 168 MB. Wow! I have always just deleted my temporary files by right clicking on my C: drive and then clicking the clean button. And when I finished I checked back on your notes and found that the above button was under the Advanced tab so I went and unchecked it. I ran the scan again but it said there was nothing to be deleted. Do you think it will make a big difference?

Ok, then I downloaded the Removal Tool and that all went smoothly. (An aside here Gary: thank you for your very detailed, meticulously set out, exceptionally clear instructions - oh boy! does Microsoft need someone like you.) The only thing it didn't remove was the desktop icon. I suppose I could just drag that into the recycle bin.

Next I installed AVG. I did as I was prompted. (If I sound very obedient here it is not, necessarily, that I always do as I am told. It is just that, in the matter of computers, I make no pretences about my ignorance). It asked me if I wanted to scan right there and then which I did but it was taking ages (you get to choose between a fast scan which uses more memory and a slow scan which uses less and, seeing that from now on I will be doing a daily scan - you have reformed me - I chose the slower one) and so I stopped the scan. Moreover I wanted to get you the next HJT log before I have to go out.

And here it is. Next I will do the Uninstall log as you said and then perhaps while I am out this afternoon I will let AVG do a scan but, don't worry, I won't let it fix anything. I will wait until I hear from you later.

Regards Syd


Logfile of HijackThis v1.99.1
Scan saved at 上午 11:54:41, on 2007/2/9
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Wintab32.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\svchost.exe
D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE
D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
D:\Program Files\QuickTime\qttask.exe
D:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\Program Files\Grisoft\AVG Free\avgcc.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - D:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Dr.eye WebPage Translation - {92B255FE-94E2-4BCA-958D-3926CE38913F} - D:\PROGRA~1\Inventec\Dreye\DreyeMT\DREYEI~1.DLL
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3500 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE /P26 "EPSON Stylus CX3500 Series" /O6 "USB001" /M "Stylus CX3500"
O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download all by Net Transport - D:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - D:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=Http://www.synnex.com.tw/
O15 - Trusted Zone: http://office.microsoft.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{B02DC897-A387-4AE6-AD76-E98EA833946F}: NameServer = 168.95.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AdobeVersionCue - Adobe Sytems - C:\Program Files\Adobe\Adobe Version Cue\service\VersionCue.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - D:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: Wintab32 - Unknown owner - D:\WINDOWS\system32\Wintab32.exe
  #25  
Old 02-09-2007, 12:13 AM
Syd Syd is offline
Senior Member
 
Join Date: Mar 2006
Posts: 272
Re: Gary - I need your help please!

Gary

Here is the Uninstall list as requested. Nope, it looks like Symantec is good and truly gone. Even I can tell that. Thanks to you I have become quite an expert on these things of late! LOL Don't worry I won't be giving out any advice!

Here is the log and I am running AVG at the moment. I shall wait for your instructions and perhaps run Kaspersky again tonight before I go to bed.

Sincerely Syd

ACDSee 5.0 PowerPack
Adobe Acrobat 5.0
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Help Center 1.0
Adobe Illustrator CS
Adobe Photoshop 7.0
Adobe Photoshop CS
Adobe Photoshop CS2
Adobe Stock Photos 1.0
Adobe SVG Viewer 3.0
ArcSoft PhotoImpression
AVG Free Edition
CCleaner (remove only)
Curves 2 Demo
Dr.eye 譯典通 6.0 (專業版)
Dr.eye 譯典通 6.0 (專業版) 辭典和辭書
eDonkey2000
EPSON CardMonitor
EPSON Copy Utility
EPSON Copy Utility 3
EPSON Photo Print
EPSON PhotoQuicker3.5
EPSON PhotoStarter3.1
EPSON PRINT Image Framer Tool2.1
EPSON Printer Software
EPSON Scan
EPSON Smart Panel
EPSON TWAIN 5
EPSON Web-To-Page
ESCX3500 Reference Guide
ESCX3500 Software Guide
GML Matting 0.1
HijackThis 1.99.1
iTunes
Kaspersky Online Scanner
KnockOut 2
Macromedia Shockwave Player
Microsoft Office Word 2003 Step by Step
Microsoft Office XP Professional with FrontPage
Microsoft Office XP Web Components
MSN Messenger 7.5
Neat Image v5.0 Pro+
Nero 6 Ultra Edition
Net Transport 1.93.276 with FTP Transport 0.91
Pando
Photo Resize Magic 1.0
PIF DESIGNER2.1
PowerDVD
QuickGamma 2.0.0.3
QuickTime
Random Word Generator
Realtek AC'97 Audio
ScanToWeb
SiS 650GX
Spybot - Search & Destroy 1.4
TuneUp Utilities 2006
USB Tablet Driver
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10 安全性更新 (KB911565)
Windows Media Player 10 安全性更新 (KB917734)
Windows Media Player 6.4 安全性更新 (KB925398)
Windows Media Player 安全性更新 (KB911564)
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB886677
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
Windows XP 安全性更新 (KB890046)
Windows XP 安全性更新 (KB893066)
Windows XP 安全性更新 (KB893756)
Windows XP 安全性更新 (KB896358)
Windows XP 安全性更新 (KB896422)
Windows XP 安全性更新 (KB896423)
Windows XP 安全性更新 (KB896424)
Windows XP 安全性更新 (KB896428)
Windows XP 安全性更新 (KB896688)
Windows XP 安全性更新 (KB899587)
Windows XP 安全性更新 (KB899588)
Windows XP 安全性更新 (KB899591)
Windows XP 安全性更新 (KB900725)
Windows XP 安全性更新 (KB901017)
Windows XP 安全性更新 (KB901190)
Windows XP 安全性更新 (KB901214)
Windows XP 安全性更新 (KB902400)
Windows XP 安全性更新 (KB904706)
Windows XP 安全性更新 (KB905414)
Windows XP 安全性更新 (KB905749)
Windows XP 安全性更新 (KB905915)
Windows XP 安全性更新 (KB908519)
Windows XP 安全性更新 (KB908531)
Windows XP 安全性更新 (KB911280)
Windows XP 安全性更新 (KB911562)
Windows XP 安全性更新 (KB911567)
Windows XP 安全性更新 (KB911927)
Windows XP 安全性更新 (KB912812)
Windows XP 安全性更新 (KB912919)
Windows XP 安全性更新 (KB913446)
Windows XP 安全性更新 (KB913580)
Windows XP 安全性更新 (KB914388)
Windows XP 安全性更新 (KB914389)
Windows XP 安全性更新 (KB916281)
Windows XP 安全性更新 (KB917159)
Windows XP 安全性更新 (KB917344)
Windows XP 安全性更新 (KB917422)
Windows XP 安全性更新 (KB917953)
Windows XP 安全性更新 (KB918439)
Windows XP 安全性更新 (KB918899)
Windows XP 安全性更新 (KB919007)
Windows XP 安全性更新 (KB920213)
Windows XP 安全性更新 (KB920214)
Windows XP 安全性更新 (KB920670)
Windows XP 安全性更新 (KB920683)
Windows XP 安全性更新 (KB920685)
Windows XP 安全性更新 (KB921398)
Windows XP 安全性更新 (KB921883)
Windows XP 安全性更新 (KB922616)
Windows XP 安全性更新 (KB922760)
Windows XP 安全性更新 (KB922819)
Windows XP 安全性更新 (KB923191)
Windows XP 安全性更新 (KB923414)
Windows XP 安全性更新 (KB923689)
Windows XP 安全性更新 (KB923694)
Windows XP 安全性更新 (KB923980)
Windows XP 安全性更新 (KB924191)
Windows XP 安全性更新 (KB924270)
Windows XP 安全性更新 (KB924496)
Windows XP 安全性更新 (KB925454)
Windows XP 安全性更新 (KB925486)
Windows XP 安全性更新 (KB926255)
Windows XP 安全性更新 (KB929969)
Windows XP 更新 (KB894391)
Windows XP 更新 (KB896727)
Windows XP 更新 (KB898461)
Windows XP 更新 (KB900485)
Windows XP 更新 (KB910437)
Windows XP 更新 (KB916595)
Windows XP 更新 (KB920872)
Windows XP 更新 (KB922582)
World Machine 1.25 Basic Edition (remove only)
Yahoo! Anti-Spy
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger
Yahoo!奇摩捷徑列
ZoneAlarm
綜合所得稅結算電子申報繳稅系統
  #26  
Old 02-09-2007, 02:18 AM
Gary Richardson's Avatar
Moderator
 
Join Date: Mar 2004
Location: Yorkshire, England
Posts: 2,718
Re: Gary - I need your help please!

Post 1 of 2



Hi Syd,

Well as expected Norton didn't come out entirely cleanly, so we've got a service that needs removing.

First we'll need to disable Spybot's Tea-Timer facility, as it will interfere with what we're trying to do.

To disable Spybot S&D TeaTimer
  • Run Spybot-S&D
  • Go to the Mode menu, and make sure Advanced Mode is selected.
  • On the left hand side, choose Tools -> Resident
  • Uncheck Resident TeaTimer and OK any prompts.
  • Restart your computer.

OK, now to get down to removing the service.
  • Click Start > Run now type sc stop "Symantec Core LC" click OK.
  • Click Start > Run now type sc delete "Symantec Core LC" click OK.
Note: There is a space between sc and stop/delete, and a space between stop/delete and "Symantec Core LC"

Also note the "" and the spaces in the service name, they are important.


Now run a scan with HJT, when it is finished check the following item.

O23 - Service: Symantec Core LC - Symantec Corporation - D:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe


Now close all open Windows and click Fix Checked to remove it.

Now find and delete the following folders (in bold).

D:\Program Files\Common Files\Symantec Shared
D:\Program Files\Symantec
(Note: Second folder may be named differently, but will be readily identifiable as a Norton/Symantec folder.)

Re-enable Spybot Tea-Timer.

To enable Spybot S&D TeaTimer
  • Run Spybot-S&D
  • Go to the Mode menu, and make sure Advanced Mode is selected.
  • On the left hand side, choose Tools -> Resident
  • Check Resident TeaTimer and OK any prompts.

Now can you run another Kaspersky scan please, and send me the log for that and a new HJT log please.



Looking through your Uninstall list at the moment, if I find anything of concern I'll post further instructions.

Last edited by Gary Richardson; 02-09-2007 at 02:41 AM.
  #27  
Old 02-09-2007, 02:40 AM
Gary Richardson's Avatar
Moderator
 
Join Date: Mar 2004
Location: Yorkshire, England
Posts: 2,718
Re: Gary - I need your help please!

Post 2 of 2



Hi Syd,

OK looked through your Uninstall list.

I see you've got eDonkey2000 installed on your machine. P2P programmes in general are not a good idea from a security point of view, many of them come "packaged" with other undesirable programs (eDonkey is one of these), and even the "clean" packages are unsafe.

You are downloading programs from uncertified "servers" that you have no way to check, and a large amount of malware is spread this way.

My advice is to Uninstall eDonkey2000 using Add/Remove Programs in Control Panel.

If you really feel you just have to have a P2P program, check this page for details of unpackaged "clean" applications. http://p2p.malwareremoval.com/

The last entry in your Uninstall list is just a series of ??????????; this is probably because it is using Oriental characters (Windows defaults to ? when it can't read the character). Any idea what it might be? (Probably OK, but best to check as malware sometimes uses this method as a means to avoid detection.)
  #28  
Old 02-09-2007, 08:54 AM
Syd Syd is offline
Senior Member
 
Join Date: Mar 2006
Posts: 272
Re: Gary - I need your help please!

Gary you're a star for spending so much time on this. I really appreciate it. Thank you so much.

I opened the Advanced mode in Spybot and went to Tools>Resident but found that the Tea Timer was unchecked already! Don't know how that happened as it definitely isn't anything I would have fiddled with before. Anyway, as there was no need to restart my computer I went straight to Run and executed the two commands you told me to. Then I did an HJT log but I couldn't find the entry you told me to look for. Just in case I am being a real idiot and it is staring me right in the face and I can't see it, I have included the HJT log for you to look at.

Will take your advice and remove eDonkey.

The last entry in the Uninstall log is a programme for submitting Income Tax online. It is in Chinese so you wouldn't have been able to read the characters. In fact there is quite a lot of Chinese in the Uninstall Log. My browser and Windows are all in Chinese so all those updates and service packs are too.

Here is the HJT log for you to check. I have no idea where that entry is.

I will start the Kaspersky scan now. Oh, and I ran AVG this afternoon and it found two viruses. It found and deleted two viruses. I didn't ask it to delete: it just did that on its own. Unfortunately you can't seem to save it as a log but I will type the details for you here. I think the one is just the entry for the virus that Killbox deleted. So that is pretty good isn't it. It even deletes the reference to the virus! It makes me feel quite confident.

Object Name: goldcodec.997.exe
Object Path: D:\!KillBox\
Discovery: Trojan Horse Downloader.Zlob.DX
File size: 50.57 KB (51779 bytes)

Object Name: A0048698.exe
Object Path: C:\System Volume Information\_restore{D341 39E 4-9BE4-4AEC
Discovery: Virus identified worm/Generic.VF
File size: 46.5 KB (47616 bytes)



Sincerely, Syd

Logfile of HijackThis v1.99.1
Scan saved at 下午 10:12:29, on 2007/2/9
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Wintab32.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\Explorer.EXE
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\ZONELABS\vsmon.exe
D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
D:\Program Files\QuickTime\qttask.exe
D:\WINDOWS\system32\ctfmon.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
D:\Program Files\Grisoft\AVG Free\avgcc.exe
D:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\WINDOWS\system32\conime.exe
D:\HJT\HijackThis.exe

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: NTIECatcher Class - {C56CB6B0-0D96-11D6-8C65-B2868B609932} - D:\Program Files\Xi\NetTransport 2\NTIEHelper.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Dr.eye WebPage Translation - {92B255FE-94E2-4BCA-958D-3926CE38913F} - D:\PROGRA~1\Inventec\Dreye\DreyeMT\DREYEI~1.DLL
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - D:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PHIME2002ASync] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] D:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SiSUSBRG] D:\WINDOWS\sisUSBrg.exe
O4 - HKLM\..\Run: [EPSON Stylus CX3500 Series] D:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9BP.EXE /P26 "EPSON Stylus CX3500 Series" /O6 "USB001" /M "Stylus CX3500"
O4 - HKLM\..\Run: [Zone Labs Client] D:\PROGRA~1\ZONELA~1\ZONEAL~1\zlclient.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [IMJPMIG8.1] "D:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AVG7_CC] D:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [UNINST1] rundll32 D:\DOCUME~1\user\LOCALS~1\Temp\UninstManager.dll,UninstallFinalizeFromNonMsiCaller {AC76BA86-0000-0000-0000-000000000000}
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Yahoo! Search - file:///D:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download all by Net Transport - D:\Program Files\Xi\NetTransport 2\NTAddList.html
O8 - Extra context menu item: Download by Net Transport - D:\Program Files\Xi\NetTransport 2\NTAddLink.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///D:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///D:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///D:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=Http://www.synnex.com.tw/
O15 - Trusted Zone: http://office.microsoft.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O17 - HKLM\System\CCS\Services\Tcpip\..\{B02DC897-A387-4AE6-AD76-E98EA833946F}: NameServer = 168.95.1.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "D:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - D:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - D:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - D:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs Inc. - D:\WINDOWS\system32\ZONELABS\vsmon.exe
O23 - Service: Wintab32 - Unknown owner - D:\WINDOWS\system32\Wintab32.exe
  #29  
Old 02-09-2007, 09:57 AM
Gary Richardson's Avatar
Moderator
 
Join Date: Mar 2004
Location: Yorkshire, England
Posts: 2,718
Re: Gary - I need your help please!

OK,

Seems the registry entry was removed when we removed the service (HJT is not always 100% reliable in this regard), so no problem there.

The viruses found were as follows.

1. This was the backup file created by Killbox when you removed it. It is encrypted, so no risk to you; the fact that AVG removed it is no problem, as we're highly unlikely to want to restore it.

2. The other shows an infected restore point. Some infections contaminate your System Restore points. I usually wait till I'm sure your computer is clean before cleaning out your restore points; they can't infect you unless you perform a System Restore. Best to leave them till the end, just on the highly unlikely case that we screw something up: better an infected RP than no RP. No problem that AVG disinfected that entry.

Latest HJT log looks clean.

Can you run a new Kaspersky scan for me please, just so I can make sure everything's come off cleanly.
  #30  
Old 02-09-2007, 09:13 PM
Syd Syd is offline
Senior Member
 
Join Date: Mar 2006
Posts: 272
Re: Gary - I need your help please!

OK Gary, I ran Kaspersky last night and this is what it came up with. It still found a whole lot but they all seem to be quarantined or locked, so I suppose they are no threat?

I have also had the guy from the ADSL company around this morning (because my computer has just been going offline at will and I thought it might be related to some virus) but it seems my wireless connection box (the receiver thingy) might not be stable. Anyway he didn't have a spare with him (and of course when he was here it acted fine) but said if it continued I should phone him again and he will bring a replacement.

I will do another HJT scan and post the results immediately.

Sincerely Syd

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, February 10, 2007 8:22:55 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 9/02/2007
Kaspersky Anti-Virus database records: 266463
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 105423
Number of viruses found: 9
Number of infected objects: 16 / 0
Number of suspicious objects: 5
Duration of the scan process: 03:22:36

Infected Object Name / Virus Name / Last Action
C:\Program Files\Norton AntiVirus\Quarantine\021540D6.class Infected: Trojan.Java.ClassLoader.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\02186AD3.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\000C2914.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\2F0D2860.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\26C147E1.class Infected: Trojan.Java.ClassLoader.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\2F774C4B.htm Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\2F911C2E.htm Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\30DE56C0.htm Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\30F252AA.htm Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\3137445E.htm Suspicious: Exploit.HTML.Mht skipped
C:\Program Files\Norton AntiVirus\Quarantine\373A53AA.class Infected: Trojan.Java.ClassLoader.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\73203422.class Infected: Trojan.Java.ClassLoader.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\3BA412CE.class Infected: Trojan.Java.ClassLoader.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\43AB3F35.class Infected: Exploit.Java.ByteVerify skipped
C:\Program Files\Norton AntiVirus\Quarantine\4EA754D3.class Infected: Trojan.Java.ClassLoader.Dummy.a skipped
C:\Program Files\Norton AntiVirus\Quarantine\34B64E0B.class Infected: Trojan-Downloader.Java.OpenConnection.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\06145256.class Infected: Trojan.Java.ClassLoader.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\06177C52.class Infected: Trojan.Java.ClassLoader.v skipped
C:\Program Files\Norton AntiVirus\Quarantine\048E4A54.htm Infected: Trojan-Downloader.JS.IstBar.k skipped
D:\WINDOWS\system32\config\system.LOG Object is locked skipped
D:\WINDOWS\system32\config\software.LOG Object is locked skipped
D:\WINDOWS\system32\config\default.LOG Object is locked skipped
D:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
D:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
D:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SECURITY Object is locked skipped
D:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
D:\WINDOWS\system32\config\SYSTEM Object is locked skipped
D:\WINDOWS\system32\config\DEFAULT Object is locked skipped
D:\WINDOWS\system32\config\SAM Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
D:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
D:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
D:\WINDOWS\system32\h323log.txt Object is locked skipped
D:\WINDOWS\Temp\ZLT06d1e.TMP Object is locked skipped
D:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
D:\WINDOWS\Sti_Trace.log Object is locked skipped
D:\WINDOWS\wiaservc.log Object is locked skipped
D:\WINDOWS\wiadebug.log Object is locked skipped
D:\WINDOWS\SchedLgU.Txt Object is locked skipped
D:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
D:\WINDOWS\SoftwareDistribution\EventCache\{A7735457-24AE-46A2-A21F-CEF090824478}.bin Object is locked skipped
D:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
D:\WINDOWS\Internet Logs\DESKTOP.ldb Object is locked skipped
D:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\user\NTUSER.DAT.LOG Object is locked skipped
D:\Documents and Settings\user\Local Settings\History\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\user\Local Settings\History\History.IE5\MSHist012007021020070211\index.dat Object is locked skipped
D:\Documents and Settings\user\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\user\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\user\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\user\NTUSER.DAT Object is locked skipped
D:\!KillBox\ACM.dll Infected: not-a-virus:AdTool.Win32.WhenU.g skipped
D:\!KillBox\NDNuninstall6_98.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped

Scan process completed.
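Syd's question (are hits that are quarantined or locked still a threat?) and Gary's notes on the Killbox backup and the infected restore point amount to a simple triage rule for a scan report. As an added example, not part of this thread, here is a small Python parser for Kaspersky Online Scanner 5 report lines that buckets each hit by where the file lives; the report text is constructed, and the names example_dropper.exe, Worm.Generic.Example and the GUID placeholder are hypothetical.

```python
import re
from collections import defaultdict

# The two line shapes in a Kaspersky Online Scanner 5 report:
#   <path> Infected: <name> <action>   /   <path> Suspicious: <name> <action>
#   <path> Object is locked <action>
DETECTION = re.compile(r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<name>\S+) (?P<action>\S+)$")
LOCKED = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\S+)$")

# Constructed sample report (hypothetical file names, GUID is a placeholder).
SAMPLE_REPORT = r"""
C:\Program Files\Norton AntiVirus\Quarantine\021540D6.class Infected: Trojan.Java.ClassLoader.c skipped
C:\Program Files\Norton AntiVirus\Quarantine\2F774C4B.htm Suspicious: Exploit.HTML.Mht skipped
D:\WINDOWS\system32\config\SAM Object is locked skipped
D:\!KillBox\ACM.dll Infected: not-a-virus:AdTool.Win32.WhenU.g skipped
C:\System Volume Information\_restore{GUID-PLACEHOLDER}\RP12\A0000001.exe Infected: Worm.Generic.Example skipped
D:\WINDOWS\system32\example_dropper.exe Infected: Trojan-Downloader.Win32.Example skipped
"""

def classify(path):
    """Bucket a detection by location, following the reasoning in the thread."""
    p = path.lower()
    if "\\quarantine\\" in p:
        return "quarantined"      # already isolated by another scanner; not active
    if "\\!killbox\\" in p:
        return "killbox_backup"   # encrypted backup of a file already removed
    if "\\system volume information\\_restore" in p:
        return "restore_point"    # only a risk if a System Restore is performed
    return "live"                 # anything else needs real attention

def triage(report_text):
    """Return {category: [(path, detection_name), ...]} for every report line."""
    buckets = defaultdict(list)
    for line in report_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = DETECTION.match(line)
        if m:
            buckets[classify(m["path"])].append((m["path"], m["name"]))
            continue
        m = LOCKED.match(line)
        if m:  # locked files were not scanned at all: not a detection
            buckets["locked"].append((m["path"], None))
    return dict(buckets)

def needs_action(report_text):
    """Paths the user should actually deal with: live hits outside quarantine, backup or RP."""
    return [path for path, _ in triage(report_text).get("live", [])]

if __name__ == "__main__":
    for category, items in triage(SAMPLE_REPORT).items():
        print(f"{category}: {len(items)}")
    print("needs action:", needs_action(SAMPLE_REPORT))
```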