I have an AIM virus and I don't know what to do.

Newbie Poster

13 posts since Feb 2006

Reputation Points: 10

Solved Threads: 0

Hi,
Download CCleaner and install it. Do not run it now!

Download KillBox , extract it to your desktop.

Download and install Ewido Security Suite v3.5 . After download, double click on the file to launch the install process. During installation, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu". Launch ewido by double-clicking the "e" icon on your desktop. The program will prompt you to update - click the "OK" button. On the left side of the main screen, click on "Update" and then click "Start Update". The update will start and a progress bar will show the updates being installed. After the updates are installed, you will see "Update Successful" in the lower left corner.
If you are having problems with the updater, use this link to manually update.
Exit Ewido when done - DO NOT perform a scan yet.

Make Windows to show all files:-
Go to Start > My Computer. Go to Tools menu, click Folder Options. Uncheck Hide protected operating system files. Then, click to select the option Show hidden files and folders. Click Apply and then click OK to exit.

Reboot in Safe Mode:-
Restart (or switch ON) the PC. Then, keep tapping the F8 Key. From the menu that will be displayed, out of which choose Safe Mode and press Enter.

Go to Start > Run and type services.msc and press ENTER. Here, navigate to the service named Intranet Service and right-click on it. Then click "Properties". Here, in the "Status" dialog box, select "Stop". Then, under "Startup type" dialog box, select "Disabled". Click "Apply" and then "OK".
Do the same process (of stopping and disabling) for these Services too:-
Network Monitor

Run HijackThis and click Do only a System scan.
Then put a check mark infront of below listed entries:-

O4 - HKLM\..\Run: [ SystemCheck] C:\WINDOWS\Config\system\services.exe
O4 - HKCU\..\Run: [_SystemCheck] C:\WINDOWS\Config\system\services.exe
O4 - HKCU\..\Run: [pro] C:\DOCUME~1\HOGWAR~1\LOCALS~1\Temp\14C.tmp
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O20 - Winlogon Notify: Dynamic Directory - C:\WINDOWS\system32\lvn6095se.dll (file missing)
O20 - Winlogon Notify: ShellServiceObjectDelayLoad - C:\WINDOWS\system32\mtwmdm.dll
O23 - Service: Intranet Service (IntranetService) - Unknown owner - intranet.exe (file missing)
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)

Close all other open programs except Hijackthis and click the button Fix Checked in HijackThis.

Exit from HijackThis. Delete this folders:-
C:\Program Files\Network Monitor

Go to Start > Search. Here click "All files and folders" in the left pane. Next, click on "More advanced options". Here select the options "Search system folders", "Search hidden files and folders" and "Search subfolders". Next, type/copy the below mentioned filename and search for it, if you find it, right-click on it and click delete:-
intranet.exe

Run CCleaner, click "Options" button and here go to "Advanced" tab and uncheck the option "Only delete files in Windows Temp folder older than 48 hours". Click OK to exit from the Options. Finally click "Run Cleaner" and click "OK" to continue cleaning.

Run Ewido, click on the "Scanner" button in the left menu, then click on the "Settings", here select the option "Scan every file" and click "OK". Next, click "Complete System Scan" button to start scan. If ewido finds anything, it will pop up a notification. You can select "Clean" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.

Open Killbox.exe. Check the following box:-
Delete on Reboot
Highlight all the entries in the quote box below and then Copy them.
C:\WINDOWS\Config\system\services.exe
C:\WINDOWS\system32\lvn6095se.dll
C:\WINDOWS\system32\mtwmdm.dll
Then in Killbox click File > Paste from Clipboard. At this point the "All Files" button should be enabled so you can click it. Click the "All Files" button.

Then click theRed X button and for the confirmation message that will appear, you will need to click "Yes". A second message will ask to Reboot now? you will need to click "Yes" to allow the reboot.

Note: Killbox will let you know if a file does not exist.

[If you have any issues with this method you can copy and paste the lines one at a time into the killbox top box. Then click the "Single File" button. Then click the Red X and for the confirmation message that will appear, you will need to click Yes. A second message will ask to Reboot now? you will need to click No until the last one at which time you click yes to allow the reboot.]

Reboot to Normal Mode. Perform an online virus scan at Kaspersky Online Scanner . Save the log it gives after the scan.

Run HijackThis again, click Do a System scan and save log, and post the fresh log along with the Kaspersky log.

Practically a Master Poster

645 posts since Jul 2005

Reputation Points: 25

Solved Threads: 51

-------------------------------------------------------------------------------
KASPERSKY ON-LINE SCANNER REPORT
Sunday, February 05, 2006 20:07:46
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky On-line Scanner version: 5.0.67.0
Kaspersky Anti-Virus database last update: 6/02/2006
Kaspersky Anti-Virus database records: 164373
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 60992
Number of viruses found: 32
Number of infected objects: 213
Number of suspicious objects: 1
Duration of the scan process: 5507 sec

Infected Object Name - Virus Name
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00A80000.VBN Infected: Trojan.Win32.StartPage.ahg
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00A80004.VBN Infected: Trojan.Win32.StartPage.ahg
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00C40008.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00C40008.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00EC0000.VBN Infected: Trojan-Clicker.Win32.VB.kc
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00EC0001.VBN Infected: Trojan-Spy.Win32.VB.eh
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\00EC0002.VBN Infected: Trojan-Spy.Win32.VB.eh
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\010C0007.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\010C0007.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02A40007.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02A40007.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E80006.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E80006.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E80007.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E80007.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E80009.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E80009.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E8000B.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E8000B.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E8000C.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.f
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E8000C.VBN Infected: Trojan-Downloader.Win32.Wintool.f
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E80010.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E80010.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E80011.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E80011.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E8001A.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\04E8001A.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05500000.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05540000.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05540001.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05A40000.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05A40001.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05B00000.VBN Infected: Backdoor.Win32.VBbot.b
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05B00001.VBN Infected: Trojan-Dropper.Win32.VB.fs
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05B00002.VBN Infected: Backdoor.Win32.SdBot.gen
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05F00000.VBN Infected: Backdoor.Win32.Agent.jn
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05F00010.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05F00010.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05F00011.VBN Infected: IM-Worm.Win32.Harwig.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\05F00012.VBN Infected: IM-Worm.Win32.Harwig.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06840007.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06840007.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\068C0000.VBN Infected: Trojan-Downloader.Win32.Adload.j
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\068C0001.VBN Infected: Trojan.Win32.Small.ga
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\068C0002.VBN Infected: Trojan.Win32.StartPage.ahg
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\068C0003.VBN Infected: Trojan-Downloader.Win32.Adload.j
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\068C0004.VBN Infected: Trojan-Downloader.Win32.Adload.j
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\068C0005.VBN Infected: Trojan-Downloader.Win32.Adload.j
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\068C0006.VBN Infected: Trojan-Clicker.Win32.VB.kc
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06B00000.VBN Infected: IM-Worm.Win32.Harwig.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06E00000.VBN Infected: Trojan.Win32.StartPage.ahg
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06EC0000.VBN Infected: not-virus:Hoax.Win32.Renos.av
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06F80001.VBN Infected: Trojan-Dropper.Win32.Agent.hk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06F80009.VBN Infected: Trojan-Dropper.Win32.Agent.hk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06F8000A.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06F8000A.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06F8000B.VBN Infected: Trojan.Win32.EliteBar.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06F8000C.VBN Infected: Trojan.Win32.EliteBar.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06F8000D.VBN Infected: Trojan.Win32.EliteBar.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06F8000F.VBN Infected: Trojan.Win32.EliteBar.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06F80010.VBN Infected: Trojan.Win32.EliteBar.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06F80011.VBN Infected: Trojan.Win32.EliteBar.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06F80012.VBN Infected: Trojan.Win32.EliteBar.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\06F80013.VBN Infected: Trojan.Win32.VB.vv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07040000.VBN Infected: Exploit.HTML.Mht
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07040001.VBN Infected: Exploit.HTML.Mht
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\073C0000.VBN Infected: not-virus:Hoax.Win32.SpyWare.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\076C0007.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\076C0007.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07E40007.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\07E40007.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A640000.VBN Infected: Trojan.Win32.Small.ga
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A640001.VBN Infected: Trojan-Downloader.Win32.Adload.j
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A640002.VBN Infected: Trojan-Downloader.Win32.Adload.l
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A640003.VBN Infected: Trojan-Clicker.Win32.VB.kc
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A64000B.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A64000B.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A64000C.VBN Infected: Trojan-Downloader.Win32.Adload.j
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A64000D.VBN Infected: Trojan-Downloader.Win32.Adload.l
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A64000E.VBN Infected: Trojan-Spy.Win32.VB.eh
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A64000F.VBN Infected: Trojan-Downloader.Win32.Agent.td
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A640010.VBN Infected: Trojan-Spy.Win32.VB.eh
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B300000.VBN Infected: Trojan.Win32.EliteBar.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B300001.VBN Infected: Trojan-Downloader.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BAC0000.VBN Infected: Trojan-Dropper.Win32.Small.aeq
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BAC0001.VBN Infected: Trojan-Dropper.Win32.Agent.tv
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BAC0002.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BAC0003.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BAC000B.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0BAC000B.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C240007.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C240007.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C240008.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C240008.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C24000A.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C24000A.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C24000C.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C24000C.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C24000D.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.f
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C24000D.VBN Infected: Trojan-Downloader.Win32.Wintool.f
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C240011.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C240011.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C240012.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C240012.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C24001B.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C24001B.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C680007.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C680007.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D340007.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D340007.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D34000A.VBN Infected: Trojan-Dropper.Win32.Small.aeq
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D34000B.VBN Infected: Trojan-Dropper.Win32.Small.aeq
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D34000C.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D34000D.VBN Infected: Trojan-Dropper.Win32.Small.aeq
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D34000E.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D34000F.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D340010.VBN Infected: Trojan-Dropper.Win32.Small.aeq
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D340011.VBN Infected: Trojan-Dropper.Win32.Small.aeq
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D340012.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D340013.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D340014.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D340015.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D340016.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D340017.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D340018.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D340019.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D34001A.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D34001B.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D34001C.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D34001D.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D34001E.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D34001F.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D340020.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D340021.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D340022.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D340023.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D340024.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D340025.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D340026.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D340027.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D340028.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D340029.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D34002A.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D34002B.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D34002C.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D34002D.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D34002E.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D34002F.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D340030.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D340031.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D340032.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D340033.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D340034.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D340035.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D340036.VBN Infected: Trojan.Win32.StartPage.nk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D840008.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D840008.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D840009.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D840009.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D84000A.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.f
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D84000A.VBN Infected: Trojan-Downloader.Win32.Wintool.f
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D84000C.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D84000C.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D84000D.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D84000D.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D840010.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D840010.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D840011.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D840011.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D84001A.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D84001A.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F4C0009.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F4C0009.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F4C000A.VBN Infected: Backdoor.Win32.VBbot.b
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F4C000B.VBN Infected: Backdoor.Win32.VBbot.b
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F4C000C.VBN Infected: Backdoor.Win32.VBbot.b
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F4C000D.VBN Infected: Backdoor.Win32.VBbot.b
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F4C000E.VBN Infected: Backdoor.Win32.VBbot.b
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F580000.VBN/GetAccess.class Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F580000.VBN/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F580000.VBN Infected: Trojan-Downloader.Java.OpenConnection.aj
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F580001.VBN/NudeBox.class Infected: Trojan.Java.ClassLoader.u
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F580001.VBN/Worker.class Infected: Trojan.Java.ClassLoader.u
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F580001.VBN/VerifierBug.class Infected: Trojan.Java.ClassLoader.u
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F580001.VBN/javautil.zip Infected: Trojan-Downloader.Win32.Small.btj
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F580001.VBN/javautil.zip/bot.exe Infected: Trojan-Downloader.Win32.Small.bmk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F580001.VBN Infected: Trojan-Downloader.Win32.Small.bmk
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F580009.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F580009.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F940007.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F940007.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FCC0007.VBN/WToolsS.exe Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0FCC0007.VBN Infected: Trojan-Downloader.Win32.Wintool.a
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ENIDAH4R\mt[1].htm Infected: Trojan-Clicker.JS.Linker.j
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\ENIDAH4R\mt[2].htm Infected: Trojan-Clicker.JS.Linker.j
C:\Documents and Settings\Missy\Local Settings\Temporary Internet Files\Content.IE5\9SX5RDTN\mashka[1].php Suspicious: Exploit.HTML.Mht
C:\Documents and Settings\Missy\Local Settings\Temporary Internet Files\Content.IE5\YHWNM581\7ap[1]/index.exe Infected: Trojan-Dropper.Win32.Delf.ev
C:\Documents and Settings\Missy\Local Settings\Temporary Internet Files\Content.IE5\YHWNM581\7ap[1]/index.htm Infected: Trojan-Downloader.VBS.Psyme.a
C:\Documents and Settings\Missy\Local Settings\Temporary Internet Files\Content.IE5\YHWNM581\7ap[1] Infected: Trojan-Downloader.VBS.Psyme.a
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0002727.EXE:chpmex:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0002727.EXE:eefpzo:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0002727.EXE:njaxak:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0002727.EXE:nulqod:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0002727.EXE:vlgadg:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0002806.EXE:chpmex:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0002806.EXE:eefpzo:$DATA Infected: Trojan.Win32.Agent.bi
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0002806.EXE:gejlzb:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0002806.EXE:njaxak:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP8\A0002806.EXE:nulqod:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\_MSRSTRT.EXE:eefpzo:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\_MSRSTRT.EXE:gejlzb:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\_MSRSTRT.EXE:njaxak:$DATA Infected: Trojan-Downloader.Win32.Agent.td
C:\WINDOWS\_MSRSTRT.EXE:vlgadg:$DATA Infected: Trojan.Win32.Agent.bi
C:\WINDOWS\_MSRSTRT.EXE:xfyuby:$DATA Infected: Trojan-Downloader.Win32.Agent.td

Scan process completed.

and here is the Hijack This scan results
Logfile of HijackThis v1.99.1
Scan saved at 8:10:44 PM, on 2/5/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\Real\RealPlayer\realplay.exe
C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Hogwarts HW_class HW\Desktop\HijackThis.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.cnn.com/"); (C:\Documents and Settings\Hogwarts HW_class HW\Application Data\Mozilla\Profiles\default\zn7p22je.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Hogwarts HW_class HW\Application Data\Mozilla\Profiles\default\zn7p22je.slt\prefs.js)
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE" -turbo
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136572769414
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Newbie Poster

13 posts since Feb 2006

Reputation Points: 10

Solved Threads: 0

Hi,
Run Webroot SpySweeper and update its definitions. Please download ATF Cleaner by Atribune.

Please boot the PC in Safe Mode.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Run Webroot SpySweeper. Click on "Options" > "Sweep Options" and check "Sweep all Folders on Selected drives". Check "Local Disc C" and under "What to Sweep", check every box. Click on "Sweep" and allow it to fully scan your system. When the sweep has finished, click "Remove" to remove any items found. Exit SpySweeper and reboot your computer.

Reboot to Normal Mode, and can you scan the below mentioned file at www.virustotal.com :-
C:\WINDOWS\_MSRSTRT.EXE
Please post the result of this scan.

Practically a Master Poster

645 posts since Jul 2005

Reputation Points: 25

Solved Threads: 51

Also, please post back whether you getting any popups or not..

Practically a Master Poster

645 posts since Jul 2005

Reputation Points: 25

Solved Threads: 51

I haven't really gotten any popups. A few but not many. Thanks!

This is a report processed by VirusTotal on 02/06/2006 at 18:28:50 (CET) after scanning the file "_MSRSTRT.EXE" file.

Antivirus Version Update Result
AntiVir 6.33.0.81 02.06.2006 no virus found
Avast 4.6.695.0 02.06.2006 no virus found
AVG 718 02.06.2006 no virus found
Avira 6.33.0.81 02.06.2006 no virus found
BitDefender 7.2 02.06.2006 no virus found
CAT-QuickHeal 8.00 02.06.2006 Tool.Win32.Reboot (Not a Virus)
ClamAV devel-20060126 02.06.2006 no virus found
DrWeb 4.33 02.06.2006 no virus found
eTrust-InoculateIT 23.71.69 02.05.2006 no virus found
eTrust-Vet 12.4.2066 02.06.2006 no virus found
Ewido 3.5 02.06.2006 no virus found
Fortinet 2.54.0.0 02.06.2006 no virus found
F-Prot 3.16c 02.04.2006 no virus found
Ikarus 0.2.59.0 02.06.2006 no virus found
Kaspersky 4.0.2.24 02.06.2006 no virus found
McAfee 4689 02.03.2006 no virus found
NOD32v2 1.1395 02.06.2006 no virus found
Norman 5.70.10 02.06.2006 no virus found
Panda 9.0.0.4 02.06.2006 no virus found
Sophos 4.02.0 02.06.2006 no virus found
Symantec 8.0 02.06.2006 no virus found
TheHacker 5.9.3.091 02.06.2006 no virus found
UNA 1.83 02.03.2006 no virus found
VBA32 3.10.5 02.06.2006 no virus found

Newbie Poster

13 posts since Feb 2006

Reputation Points: 10

Solved Threads: 0

Hi,
Can you post a new HijackThis log? Just to make sure that everything's all right!

Practically a Master Poster

645 posts since Jul 2005

Reputation Points: 25

Solved Threads: 51

Logfile of HijackThis v1.99.1
Scan saved at 3:11:25 PM, on 2/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\System32\keyhook.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft AntiSpyware\gcasServ.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\PROGRA~1\AIM\aim.exe
C:\WINDOWS\SYSTEM32\sistray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Hogwarts HW_class HW\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neopets.com/
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.cnn.com/"); (C:\Documents and Settings\Hogwarts HW_class HW\Application Data\Mozilla\Profiles\default\zn7p22je.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\Hogwarts HW_class HW\Application Data\Mozilla\Profiles\default\zn7p22je.slt\prefs.js)
O3 - Toolbar: Neopets - {CD292324-974F-4224-D074-CACA427AA030} - C:\PROGRA~1\Neopets\Toolbar\Toolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SiS Windows KeyHook] C:\WINDOWS\System32\keyhook.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [AdwareAlert] C:\Program Files\AdwareAlert\AdwareAlert.Exe -boot
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\PROGRA~1\NETSCAPE\NETSCAPE\NETSCP.EXE" -turbo
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM\aim.exe -cnetwait.odl
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\SYSTEM32\sistray.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\PROGRA~1\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/downloads/kws/kavwebscan_unicode.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by101fd.bay101.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1136572769414
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab30149.cab
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

Newbie Poster

13 posts since Feb 2006

Reputation Points: 10

Solved Threads: 0

Hi,
Log looks clean :) To prevent such infections in future, you can visit this page . Shall i mark this thread as "Solved"?

Practically a Master Poster

645 posts since Jul 2005

Reputation Points: 25

Solved Threads: 51

yes. Thanks so much for your help!

Newbie Poster

13 posts since Feb 2006

Reputation Points: 10

Solved Threads: 0

Hi Swatkat. I have the same exact virus. I was taking the necessary steps to resolve this technical issue before I came across the fact that I do not have the "Intranet Service" and "Network Monitor" services, therefore I cannot stop and disable them. Please reply at your earliest convenience. I will not go on until I hear from you. Thank you!

Also, where can I download HijackThis? I will need it, as stated in your process of resolving this issue. I don't have Webroot SpySweeper either. And as far as the browser goes, I am not using Firefox or Opera. Just Internet Explorer.

Swapnil30

Newbie Poster

21 posts since Feb 2006

Reputation Points: 10

Solved Threads: 1