WinAntiVirus does not have a good track record in the "trustworthy" department.
At the very least, they obviously try to fool the unobservant user into thinking that they're looking at Norton/Symantec error messages, subscription notices, etc., when in fact these are bogus ads and other popups from WinAntiVirus.
Additionally, they have even registered the domain "www.symantic.com", so that when users trying to go "www.symant ec.com" mis-spell the URL, they are directed to WinAntiVirus' product page instead of Norton's.
Judging from the user reports I've read, I would highly suggest that you uninstall the program and demand a refund. You may have to bark at them a bit to get it, but other users who requested refunds say that they did get them.
Aside from the above, the following two entries in your log are indicative of trojan infections:
O4 - HKLM\..\Run: [WinTaskMan] C:\WINDOWS\System32\winstarter.exe
O4 - HKCU\..\Run: [window.exe] C:\WINDOWS\System32\window.exe
Run a few additional online virus scans and see if they can do a bit more than Panda was able to do for you:
http://housecall.trendmicro.com/
http://www.kaspersky.com/scanforvirus.html
http://us.mcafee.com/root/mfs/default.asp?cid=9435
http://www.ravantivirus.com/scan/
http://www.bitdefender.com/scan/licence.php
Let us know the results of the scans and post a fresh log. As I said earlier, I would suggest that you uninstall WinAntiVirus before we proceed.
HJT log and question about WinAntiVirus2005 pro
Hi I have a IBM Thinkpad T20 with a pentium III running XP professional.
A program highjacked my desktop about two days ago. It turned my desktop black with a big WARNING sign about spyware with a place to click into for a solution. I think that this is an advertisement for some anti-virus company or something so I dont click into it. When a triangular :!: symbol appeared in my task bar I thought that this is my outdated norton antivirus telling me there is a problem. I click into the balloon and it takes me to what looks like a msn search page with a list of places to get anti-spyware. I had had a problem with spyware before on another computer and was able to fix it with help from a forum such as this one. I consider doing the same thing but I didn't have a lot of time so, after remembering how much time it took me the last time, I say to myself "I guess i need updated virus protection software anyway let me just buy this new package that updates daily for one year and get back to work". I buy winantivirus 2005 pro with the anitspyware and anti popup ad firewall package and proceed to install it. it tells me that I have to uninstall all other anti virus anti spyware stuff off of my computer for it to work. This dosent sound right to me and then i start to notice that it seems that the thing that had highjack my desktop was just and advertisment for the company i just bought my anti highjack package. I feel like i just paid protection money to the mob. :mad: did I get taken? any way I still have spyware on my computer. Panda has detected the same thing twice after I ran the WinAntiVirus. Below you can find the HJT log, an activescan report and the one from WAV2005pro. THank you in advance for any help with this problem. Peace G
Activescan:
Incident Status Location
Adware:Adware/SearchAid No disinfected C:\Documents and Settings\Personal\Favorites\Search the web.url
Adware:Adware/CWS.Searchmeup No disinfected C:\WINDOWS\System32\spoolsrv32.exe
Adware:Adware/CWS.Searchmeup No disinfected C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\A0138686.exeggbwkfnq
Virus:Trj/Downloader.ASF Disinfected C:\WINDOWS\system32\spoolsrv32.exe
High Jack This:
Logfile of HijackThis v1.99.1
Scan saved at 1:42:30 PM, on 3/11/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Palm\HOTSYNC.EXE
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinAntiVirus 2005 Pro\AVSvc.exe
C:\Program Files\WinAntiVirus 2005 Pro\AVSchSvc.exe
C:\Program Files\WinAntiVirus 2005 Pro\pgeng.exe
C:\Program Files\WinAntiVirus 2005 Pro\cs_srv.exe
C:\Program Files\WinAntiVirus 2005 Pro\Quar.exe
C:\Program Files\Common Files\WinSoftware\VapFM.exe
C:\WINDOWS\explorer.exe
C:\Program Files\WinAntiVirus 2005 Pro\AVTray.exe
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\WinAntiVirus 2005 Pro\WinAV.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.sunrise.ch/en/hom/default.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CIEIntegrator Object - {2178F3FB-2560-458f-BDEE-631E2FE0DFE4} - C:\Program Files\WinAntiVirus 2005 Pro\winpgi.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PostCopy] C:\WINDOWS\System32\Belkin\F5U109\PostCopy.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [WinTaskMan] C:\WINDOWS\System32\winstarter.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB003" /M "Stylus Photo R200"
O4 - HKLM\..\Run: [AVTray] "C:\Program Files\WinAntiVirus 2005 Pro\AVTray.exe"
O4 - HKCU\..\Run: [window.exe] C:\WINDOWS\System32\window.exe
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {E30A569E-CDDE-4696-AF05-DB58F1F422C6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E30A569E-CDDE-4696-AF05-DB58F1F422C6} - (no file) (HKCU)
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O10 - Unknown file in Winsock LSP: c:\program files\winantivirus 2005 pro\mailscan.dll
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://go.sunrise.ch/en/hom/default.asp
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110553832768
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FF2AAB0-80DB-42E9-8845-6B2CE2906C5A}: NameServer = 80.58.61.250,80.58.61.254
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: AVScheduler - Unknown owner - C:\Program Files\WinAntiVirus 2005 Pro\AVSchSvc.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
O23 - Service: WinAntivirus - Unknown owner - C:\Program Files\WinAntiVirus 2005 Pro\AVSvc.exe
WinAntiVirus would n't let me copy paste thier report here is what I found int he report:
4 files infected with: Win32.bagle.3.gen@mm
1 file infected with: Trojan.dropper.small.oy
1 file infected with: Application.adware.powerreg.3.0
also a file named: hotmail-inbox.dbx (infected but the program says that I should use the mail client to eliminate it.
Hi DMR,
I eliminated the files you pointed out to me as indications of trojan infection and uninstalled the WAV2005. I am currently with out protection. Could you suggest a antivirus/antispyware that I can trust? here are the reports that I came up with. It seems that WIN2005 has left stuff on the hard drive along with Norton. Should these files still be there? Thank you again for you help. Peace.
HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 10:22:09 AM, on 3/12/2005
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE
C:\Palm\HOTSYNC.EXE
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\OdHost.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter\WPC54Cfg.exe
C:\Program Files\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijack This\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://start.earthlink.net/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotmail.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.sunrise.ch/en/hom/default.asp
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PostCopy] C:\WINDOWS\System32\Belkin\F5U109\PostCopy.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [EPSON Stylus Photo R200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2H1.EXE /P30 "EPSON Stylus Photo R200 Series" /O6 "USB003" /M "Stylus Photo R200"
O4 - Startup: HotSync Manager.lnk = C:\Palm\HOTSYNC.EXE
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Wireless-G Notebook Adapter Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter\Startup.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {E30A569E-CDDE-4696-AF05-DB58F1F422C6} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {E30A569E-CDDE-4696-AF05-DB58F1F422C6} - (no file) (HKCU)
O12 - Plugin for .pdf: C:\Program Files\Internet Explorer\PLUGINS\nppdf32.dll
O14 - IERESET.INF: START_PAGE_URL=http://go.sunrise.ch/en/hom/default.asp
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by20fd.bay20.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1110553832768
O16 - DPF: {80DD2229-B8E4-4C77-B72F-F22972D723EA} (AvxScanOnline Control) - http://www.bitdefender.com/scan/Msie/bitdefender.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O16 - DPF: {A3009861-330C-4E10-822B-39D16EC8829D} (CRAVOnline Object) - http://www.ravantivirus.com/scan/ravonline.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/vso/en-us/tools/mcfscan/2,0,0,4443/mcfscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1FF2AAB0-80DB-42E9-8845-6B2CE2906C5A}: NameServer = 80.58.61.250,80.58.61.254
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: NICSer_WPC54G - Unknown owner - C:\Program Files\Linksys\Wireless-G Notebook Adapter\NICServ.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton Utilities\NPROTECT.EXE
Mcafee report:
File Name Virus Name
C:\...\A0138686.exeggbwkfnq Downloader-VV
C:\...\A0138686.exeggbwkfnq Downloader-VV
C:\...\iup1ldapspcs.exezvsrtkjp Proxy-Mitglieder
C:\...\mp3codec543.exeduxwfnfo Proxy-Mitglieder
C:\...\mp3codec543.exefircvscx Proxy-Mitglieder
C:\...\window.exerepggxrp Proxy-Mitglieder
C:\WINDOWS\iup1ldadbehv.exe BackDoor-CHN.gen
C:\WINDOWS\iup1ldaikrrx.exe BackDoor-CHN.gen
C:\WINDOWS\iup1ldartjwb.exe BackDoor-CHN.gen
C:\WINDOWS\system64.exe BackDoor-CHN.gen
RAV Scan:
Scan started at 3/12/2005 12:44:11 AM
Scanning memory...
Scanning boot sectors...
Scanning files...
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\Hotmail - Inbox.dbxphqghume->Message.249: ("Bert summers" [RE: India Press Tour])->(part0002:)->(part0000:)->(SCRIPT0000) - VBS/ActiveXExploit* -> Infected
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\iup1ldapspcs.exezvsrtkjp->(FSGPE) - Win32/Bagle.gen! -> Suspicious
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\mp3codec543.exeduxwfnfo->(FSGPE) - TrojanProxy:Win32/Mitglieder.BK -> Suspicious
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\mp3codec543.exefircvscx->(FSGPE) - TrojanProxy:Win32/Mitglieder.BK -> Suspicious
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\window.exerepggxrp->(FSGPE) - Win32/Bagle.gen! -> Suspicious
Scanned
============================
Objects: 40952
Directories: 3131
Archives: 5479
Size(Kb): 257869
Infected files: 1
Found
============================
Viruses found: 1
Suspicious files: 4
Disinfected files: 0
Mail files: 3399
Statistics
Scanned files: 40952
Scanned directories: 3131
Scanned archives: 5479
Size of the scanned files: 264058130
Packed files: 877
Known viruses found: 1
Virus bodies: 1
Suspicious files: 4
Disinfected files: 0
Deleted files: 0
Renamed files: 0
Copied files: 0
I/O errors: 0
Warnings: 0
Corrupted files: 0
New files: 203619
Mail files: 3399
Found viruses
File: C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\Hotmail - Inbox.dbxphqghume->Message.249: ("Bert summers" [RE: India Press Tour])->(part0002:)->(part0000:)->(SCRIPT0000)
Virus: VBS/ActiveXExploit* Status: Infected
File: C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\iup1ldapspcs.exezvsrtkjp->(FSGPE)
Virus: Win32/Bagle.gen! Status: Suspicious
File: C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\mp3codec543.exeduxwfnfo->(FSGPE)
Virus: TrojanProxy:Win32/Mitglieder.BK Status: Suspicious
File: C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\mp3codec543.exefircvscx->(FSGPE)
Virus: TrojanProxy:Win32/Mitglieder.BK Status: Suspicious
File: C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\window.exerepggxrp->(FSGPE)
Virus: Win32/Bagle.gen! Status: Suspicious
Bit Defender:
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip=>related.htm: password protected
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\AlexaRelated.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit1.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit1.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit2.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit2.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit3.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit3.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit4.zip=>sbRecovery.reg: password protected
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\DSOExploit4.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\IGetNet.zip=>winstarter.exe: password protected
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\IGetNet.zip=>sbRecovery.ini: password protected
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\A0138686.exeggbwkfnq: infected with Trojan.Dropper.Small.OY
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\A0138686.exeggbwkfnq: disinfection failed
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\Hotmail - Inbox.dbxphqghume=>(message 38)=>(VBSCRIPT 1): infected with VBS.Redlof.A.dr
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\Hotmail - Inbox.dbxphqghume=>(message 38)=>(VBSCRIPT 1): deleted
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\Hotmail - Inbox.dbxphqghume=>(message 38): updated
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\Hotmail - Inbox.dbxphqghume: update failed
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\iup1ldapspcs.exezvsrtkjp: infected with Win32.Bagle.9.Gen@mm
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\iup1ldapspcs.exezvsrtkjp: disinfection failed
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\mp3codec543.exeduxwfnfo: infected with Win32.Bagle.3.Gen@mm
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\mp3codec543.exeduxwfnfo: disinfection failed
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\mp3codec543.exefircvscx: infected with Win32.Bagle.3.Gen@mm
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\mp3codec543.exefircvscx: disinfection failed
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\PowerReg Scheduler V3.exeaylnlfdx: infected with Application.Adware.PowerReg.3.0
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\PowerReg Scheduler V3.exeaylnlfdx: disinfection failed
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\window.exerepggxrp: infected with Win32.Bagle.9.Gen@mm
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware\WinAntiVirus 2005 Pro\Quarantine\window.exerepggxrp: disinfection failed
1. Now that you've uninstalled WAV2005, you can safely delete the entire C:\Documents and Settings\All Users.WINDOWS\Application Data\WinSoftware folder (and any other WAV2005 folders that might exist). That will obviously get rid of most of the quarantined infected files the other AV scanners detected. If you still have Norton folders hanging around, you delete them as well.
Once you've done the above, run the online scans again (try the Kaspersky and Trend Micro scans this time too) and have them clean up the leftovers.
2. For a free anti-virus solution, give AVG a try. For more options, a list of free AV, firewall, etc. programs can be found here .
3. Your HijackThis log is clean now. :)
Thanks DMR,
I did all that you told me and ran AVG onmy machine and it said that I am free of malware and spyware. The thing that is wierd is that my machine is running very slow, abnormaly slow. Is there a file that I might have deleted that could have this effect? Besides that I am very happy. thank you again.
The slowdown could be the result of something that got deleted, although the removal of the files/folders I specifically asked you to delete wouldn't cause the behaviour (and it certainly isn't being caused by AVG).
Is the slowdown "global" in the sense that it doesn't matter what programs you have running or what you're doing with/on the computer, or does it only occur under certain circumstances such as when you're online?
The slow down actually miracaluosly stopped yesterday. It was happening when I was running Word. it took forever (like 40 min forever) to open one document. once that was done it began to work normally. I think that it's ok. maybe a bit slower than it was before but normal the only thing that is a bit wierd is that when it was working to open that document it sounded like the Hard Drive was squealing. I mean a real high pitched eeeeeeeeeeeeeeeee. It stopped with the return of normal function but should I be worried? I'm considering reinstalling the Operating system but I dont want to do it if the computer is going to go soon. peace g
Might be time for a disk scan and a defrag; you could have some corrupted or heavily fragmented data on your disk.
Thanks. your right I haven't thought about all the stuff I just deleted. I will give it a try. Take care and thanks for your help.
