Hi. A virus appeared on my computer a few days ago and I've not been able to get rid of it, yet. In fact, I think it's expanded and let in a lot of other viruses, dyfuca and elite toolbar among them.

AVG, Adware and Spybot Search and Destroy all seem to clean things up until I reboot, at which point they all come back. I got the ETremover by SimplyTech, which claims to do the right thing where others will not...but it failed the reboot test, too.

I am worried that they will eat away at my machine and cause real damage if I keep rebooting and letting them return, inviting more malware along the way.

Since all the tools (Adware, Spybot, AVG and ETremover) seem to at least be able to give me a clean session so long as I don't reboot, I've decided not to reboot my machine until everything's solved.

Problem is, I can't seem to get on-line anymore, which I'm guessing is a side-effect of one of the malwares' unhappiness with being removed.

After running those free anti-virus apps, I looked at windows\system32 files that had dates up to when the virus activated (3/30). Some files are definitely bad (like bling.exe which none of the anti-virus stuff removed for some reason) but I am not sure of the others. I'm guessing the names that seem jumbo-ed up (like 2p2nqrd4.dat) are auto-generated and are probably bad stuff? I've moved them all to a flash drive so they're off my system but I am worried I won't be able to reboot since a couple of the files may not be viral - they just have date stamps that are suspiciously from a couple of days ago. Could they have been infected? The files are: msvcp71.dll and winbd32.exe. Should I leave them? That is, will I have a problem if I remove them?

Also, I did a hijack but cannot easily decipher the log. I'm guessing the O4 qhywaaf.exe is bad...? Are the O10's and O20's all bad? Can anyone help?

I am on a Windows XP Tablet op sys, my laptop being a Fujitsu T3010 tablet computer.

I just launched my little startup company a few days ago and have a lot of things to tend to so the timing for this is really bad! :cry:

Thanks so much for any help!!!

============================
Logfile of HijackThis v1.99.1
Scan saved at 1:18:50 AM, on 4/2/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Fujitsu\Utils\fjevents.exe
C:\Program Files\Common Files\microsoft shared\ink\TPA.exe
C:\Program Files\Fujitsu\Utils\FjDspMon.exe
C:\WINDOWS\System32\igfxext.exe
C:\Program Files\Fujitsu\Utils\FjMnuIco.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\Linksys\Bluetooth Utility\bin\btwdins.exe
C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
C:\WINDOWS\System32\digtizer.exe
C:\Program Files\QuickTime\qttask.exe
C:\mysql\bin\mysqld.exe
C:\Program Files\Media Access\MediaAccK.exe
C:\Program Files\Media Access\MediaAccess.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\Tablet.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\qhywaaf.exe
C:\PROGRA~1\Zinio\ZDLM.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Linksys\Bluetooth Utility\BTTray.exe
C:\Program Files\AXMA\Fax-Internet\faxtray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Metrowerks\CodeWarrior Wireless Studio\bin\IDE.exe
C:\WINDOWS\System32\winlog.exe
C:\WINDOWS\system32\javaw.exe
C:\PROGRA~1\COMMON~1\Nokia\Services\SERVIC~1.EXE
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\JGsoft\EditPadPro5\EditPadPro.exe
C:\hjk\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/stuff/web/BoxOfCrap/index.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://channels.aimtoday.com/search/aimtoolbar.jsp
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.fujitsupc.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O1 - Hosts: 17.250.248.77 idisk0.mac.com idisk1.mac.com idisk2.mac.com idisk3.mac.com idisk4.mac.com idisk5.mac.com idisk6.mac.com idisk7.mac.com idisk8.mac.com idisk9.mac.com idisk10.mac.com idisk11.mac.com idisk12.mac.com idisk13.mac.com idisk14.mac.com idisk15.mac.com idisk16.mac.com idisk17.mac.com idisk18.mac.com idisk19.mac.com idisk20.mac.com idisk21.mac.com idisk22.mac.com idisk23.mac.com idisk24.mac.com idisk25.mac.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [FjEvents] c:\Program Files\Fujitsu\Utils\fjevents.exe
O4 - HKLM\..\Run: [FjDspMon] c:\Program Files\Fujitsu\Utils\FjDspMon.exe
O4 - HKLM\..\Run: [Fujitsu Menu] c:\Program Files\Fujitsu\Utils\FjMnuIco.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\G001-1.0.24.0\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Shell Logon] C:\winlogon.exe
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [Windows MSConfig Startup Logger] winlog.exe
O4 - HKLM\..\Run: [AdTools Service] C:\Program Files\AdTools Service\AdTools.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [Microsoft Registry Startup SCan] qhywaaf.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Isass.exe
O4 - HKLM\..\RunServices: [Microsoft Registry Startup SCan] qhywaaf.exe
O4 - HKLM\..\RunServices: [Windows MSConfig Startup Logger] winlog.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Zinio DLM] C:\PROGRA~1\Zinio\ZDLM.exe /hide
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.EXE 1
O4 - HKCU\..\Run: [Windows MSConfig Startup Logger] winlog.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Microsoft Registry Startup SCan] qhywaaf.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\Linksys\Bluetooth Utility\BTTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: systray for fax applications.lnk = C:\Program Files\AXMA\Fax-Internet\faxtray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Linksys\Bluetooth Utility\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Linksys\Bluetooth Utility\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Linksys\Bluetooth Utility\btsendto_ie.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\PROGRA~1\AWS\WEATHE~1\Weather.exe (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {10000000-1000-0000-1000-000000000000} - ms-its:mhtml:file://C:\foo.mht!http://www.free32.com/POP.CHM::/sp.exe
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windupdates.com/cab/6247971CanadaInc/ie/bridge-c6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: loginkey - C:\WINDOWS\SYSTEM32\LoginKey.dll
O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Linksys\Bluetooth Utility\bin\btwdins.exe
O23 - Service: Digitizer Service (Digitizer) - WACOM - C:\WINDOWS\System32\digtizer.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


Hi and welcome to Daniweb, cybohemia.

First of all we have to remove Newdotnet, either from add/remove programs, or by going here and scrolling down to the uninstall tool.

Also remove AdTools Service if in add/remove.

Please go here and have these files scanned.

C:\WINDOWS\System32\digtizer.exe
C:\WINDOWS\System32\winlog.exe

I have a feeling they will come up bad. If they do, then delete them manually after stopping them in task manager.

Go here to TrendMicro for an on-line scan & set it to autoclean for you. When it completes, post back the full filename of any files that cannot be cleaned or deleted.

Try this scan at Panda as well.

The scan here does not require an ActiveX install, but uses Java instead.
http://fr.trendmicro-europe.com/consumer/products/housecall_launch.php

Post a new log after the reboot please.

Hi, Crunchie. Thanks for the note and welcome!

I followed your instructions as much as I could:

1. Removed Newdotnet (using add/remove programs)

2. Removed AdTools Service (using add/remove programs)

3. Scanned digitizer.exe and winlog.exe:

digitizer.exe: I think this file is from my digitizing tablet (Wacom). I don't know if it's been infected but its existence would not catch my attention. The scan was not conclusive: MIGHT BE INFECTED/MALWARE (Sandbox emulation took a long time and/or runtime packers were found, this is suspicious. Normally programs aren't packed and don't force the sandbox into lengthy emulation. Do realize no scanner issued any warning, the file can very well be harmless. Caution is advised, however.)

winlog.exe: INFECTED with Worm/RBot.168448, Backdoor.Win32.Rbot.gen and Unknown.Win32Virus (probable variant).

4. I am unable to do on-line scans as my machine is no longer able to get on-line.

I am a bit concerned about rebooting because it seems like every time I've done that in the past few days, things have just gotten worse on it.

If that is the only way, I'll give it a go. Before I do, though, I'd just like your thoughts on whether removing the following files from c:\windows\system32 is a good idea (based upon nothing except my newbie guesswork):

70tovmto.ini
2p2nqrd4.dat
2p9h4qmo.ini
baru5s9q.dat
bling.exe
fl2bj0sh.html
FNTCACHE.DAT
msvcp71.dll
o
q19pvbrv.dat
q17i9a4j.ini
ritsacnk.dat
winbd32.exe

bling.exe is a known virus and o is a text file with a reference to some ad site so I think it's okay to remove it. The .ini files vary but point to other jumbo-ed files, like ap9h4qmo.exe. This looks highly suspicious so I moved them to my flash drive. I'm concerned about msvcp71.dll and winbd32.exe, however. The only reason they're on the list is because they have timestamps from the past few days, which seems strange. Is it?

Thanks for your advice!

Hi again. msvcp71.dll is a valid Windows file. winbd32.exe is a nasty. The dat files can be safely deleted. The others you would have to check out the contents/properties and determine for yourself.

Please note the spelling here; digtizer.exe not digitizer.exe. You may have to locate the file and click on properties and get the manufacturer/version etc.

You may be able to get online now that Newdotnet has been removed. If not, run this tool:

Download LSPfix from here
Start it once installed. Then click Finish. That's all :).
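
The spelling point in the reply above (digtizer.exe, not digitizer.exe) applies to other entries in the posted log as well. The following is an added example, not part of the original thread or any poster's code: a Python sketch that reads HijackThis O4 and O23 lines and flags autoruns given as bare file names, system binaries outside system32, and names that are a look-alike of an expected name. The reference list, the C:\WINDOWS location and the function names are assumptions of the example; the sample lines are copied from the first log in this thread.

```python
import ntpath
import re

# Assumptions of this example: Windows lives in C:\WINDOWS, and this short
# reference list stands in for a real inventory of expected binaries.
SYSTEM32 = r"c:\windows\system32"
SYSTEM32_ONLY = {"lsass.exe", "winlogon.exe", "services.exe", "svchost.exe", "smss.exe"}
REFERENCE_NAMES = SYSTEM32_ONLY | {"digitizer.exe"}

# Characters that read alike in many fonts: capital I / digit 1 for l, 0 for o.
CONFUSABLE = str.maketrans({"I": "l", "1": "l", "0": "o"})

O4_RE = re.compile(r"^O4 - (HK(?:LM|CU)\\\.\.\\\w+): \[(.*?)\] (.+)$")
O23_RE = re.compile(r"^O23 - Service: (.+?) - (.+?) - (.+)$")
EXE_RE = re.compile(r'^(.*?\.(?:exe|com|bat|scr))(?=[\s"]|$)', re.IGNORECASE)

# Sample input: lines taken from the first HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Shell Logon] C:\winlogon.exe
O4 - HKLM\..\Run: [Windows MSConfig Startup Logger] winlog.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [Microsoft Update] Isass.exe
O23 - Service: Digitizer Service (Digitizer) - WACOM - C:\WINDOWS\System32\digtizer.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
"""


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_of(command):
    """Pull the program path out of an autorun or service command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:].split('"', 1)[0]
    m = EXE_RE.match(command)  # unquoted paths may contain spaces
    return m.group(1) if m else command.split()[0]


def review(exe):
    """Return the list of reasons this executable deserves a manual check."""
    name = ntpath.basename(exe)
    folder = ntpath.dirname(exe).rstrip("\\").lower()
    lower = name.lower()
    reasons = []
    if not folder:
        # No directory: Windows resolves the name through its search path.
        reasons.append("bare file name")
    elif lower in SYSTEM32_ONLY and folder != SYSTEM32:
        reasons.append("system binary outside system32")
    if lower not in REFERENCE_NAMES:
        skeleton = name.translate(CONFUSABLE).lower()
        for ref in sorted(REFERENCE_NAMES):
            if skeleton == ref or edit_distance(lower, ref) == 1:
                reasons.append("lookalike of " + ref)
    return reasons


def scan_log(text):
    """Yield (entry label, executable, reasons) for every flagged O4/O23 line."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            label, command = m.group(2), m.group(3)
        else:
            m = O23_RE.match(line)
            if not m:
                continue
            label, command = m.group(1), m.group(3)
        exe = executable_of(command)
        reasons = review(exe)
        if reasons:
            findings.append((label, exe, reasons))
    return findings


if __name__ == "__main__":
    for label, exe, reasons in scan_log(SAMPLE_LOG):
        print(f"{label}: {exe} -> {', '.join(reasons)}")
```

A flag is a prompt to check the file's properties or have it scanned, as the reply suggests, not a verdict: SOUNDMAN.EXE is flagged only because its entry gives no path.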

Hi - thanks for the advice. I was able to get on-line after removing NewDotNet. I then did the following:

1. Removed both windb32.exe and digtizer.exe as well as all the files I listed except for msvcp71.dll.

2. Scanned Trend Micro, which found 9 things that it was able to remove successfully.

3. Scanned using the Panda site, which found over 40 objects - removed what I could; some I couldn't find (see below, after HJT Log)

4. Removed some of the obvious bad things from HJT, including Media Access and NewDotNet.

5. Rebooted

6. Spybot immediately asks me if I would allow c:\wnlogon.exe, media access, & adtool's values to be deleted from System Startup global entry; I say yes

7. I run HJT, the log file is below

8. I run Spybot; it finds DSOExploit and advertising.com, which it fixes. (But it re-finds something every time I go through this cycle.)

9. Panda ActiveScan still finds the same virus as the earlier scan (see below, after HJT). I was unable to delete some of the files/folders in part because it appears that they're somehow read-only: I change the properties panel to turn off the read-only but it seems to have no effect. Also, the recycle bin has disappeared and I am unable to delete the folder under C:\RECYCLER.

I can't seem to get rid of all the malware but at least the popups are not happening anymore and I'm on the internet so thanks so much!

Is there something else I can/should do? Thanks!


===================== HJT log
Logfile of HijackThis v1.99.1
Scan saved at 12:54:31 AM, on 4/3/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\SYSTEM32\WISPTIS.EXE
C:\WINDOWS\System32\tabbtnu.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Fujitsu\Utils\fjevents.exe
C:\Program Files\Fujitsu\Utils\FjDspMon.exe
C:\Program Files\Fujitsu\Utils\FjMnuIco.exe
C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\igfxext.exe
C:\PROGRA~1\Zinio\ZDLM.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\microsoft shared\ink\TPA.exe
C:\Program Files\Linksys\Bluetooth Utility\BTTray.exe
C:\Program Files\AXMA\Fax-Internet\faxtray.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Apache Group\Apache\Apache.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Linksys\Bluetooth Utility\bin\btwdins.exe
C:\mysql\bin\mysqld.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\Tablet.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/stuff/web/BoxOfCrap/index.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.fujitsupc.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [TabletTip] "C:\Program Files\Common Files\microsoft shared\ink\tabtip.exe" /resume
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [FjEvents] c:\Program Files\Fujitsu\Utils\fjevents.exe
O4 - HKLM\..\Run: [FjDspMon] c:\Program Files\Fujitsu\Utils\FjDspMon.exe
O4 - HKLM\..\Run: [Fujitsu Menu] c:\Program Files\Fujitsu\Utils\FjMnuIco.exe
O4 - HKLM\..\Run: [LoadBtnHnd] C:\Program Files\Fujitsu\BtnHnd\BtnHnd.exe
O4 - HKLM\..\Run: [IndicatorUtility] C:\Program Files\Fujitsu\Fujitsu Hotkey Utility\IndicatorUty.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\RunServices: [Microsoft Update] Isass.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Zinio DLM] C:\PROGRA~1\Zinio\ZDLM.exe /hide
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: BTTray.lnk = C:\Program Files\Linksys\Bluetooth Utility\BTTray.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: systray for fax applications.lnk = C:\Program Files\AXMA\Fax-Internet\faxtray.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\Linksys\Bluetooth Utility\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Linksys\Bluetooth Utility\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\Linksys\Bluetooth Utility\btsendto_ie.htm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: {10000000-1000-0000-1000-000000000000} -
O16 - DPF: {15AD6789-CDB4-47E1-A9DA-992EE8E6BAD6} -
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoftware.com/activescan/as5/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: loginkey - C:\WINDOWS\SYSTEM32\LoginKey.dll
O20 - Winlogon Notify: TabBtnWL - C:\WINDOWS\SYSTEM32\TabBtnWL.dll
O20 - Winlogon Notify: tpgwlnotify - C:\WINDOWS\SYSTEM32\tpgwlnot.dll
O23 - Service: Apache - Unknown owner - C:\Program Files\Apache Group\Apache\Apache.exe" --ntservice (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Bluetooth Service (btwdins) - WIDCOMM, Inc. - C:\Program Files\Linksys\Bluetooth Utility\bin\btwdins.exe
O23 - Service: Digitizer Service (Digitizer) - Unknown owner - C:\WINDOWS\System32\digtizer.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: MySQL - Unknown owner - C:\mysql\bin\mysqld.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\System32\Tablet.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

================= Panda Activescan Log
(Lines beginning with * I removed, ? I couldn't find, the rest I wasn't able to get to)

Incident Status Location
* Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall*.exe

* Adware:Adware/nCase No disinfected C:\Temp\salm_*.dat

Adware:Adware/DownloadWare No disinfected Windows Registry

* Adware:Adware/SAHAgent No disinfected C:\WINDOWS\System32\q17i9a4j.exe

Adware:Adware/WUpd No disinfected Windows Registry

?Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Administrator\Favorites\Finances & Business

Adware:Adware/TopConvert No disinfected Windows Registry

?Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Ssk.log

Adware:Adware/Minibug No disinfected C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll

Adware:Adware/EliteBar No disinfected C:\RECYCLER\S-1-5-21-233559411-1967630633-991910116-500\Dc4239\S-1-5-21-233559411-1967630633-991910116-500\Dc4007.tmp\v3cab.inf

Adware:Adware/EliteBar No disinfected C:\RECYCLER\S-1-5-21-233559411-1967630633-991910116-500\Dc4239\S-1-5-21-233559411-1967630633-991910116-500\Dc4008.tmp\v3cab.inf

Adware:Adware/NavHelper No disinfected C:\RECYCLER\S-1-5-21-233559411-1967630633-991910116-500\Dc4239\S-1-5-21-233559411-1967630633-991910116-500\Dc4035.fr1D8B\NavHelper\v2.0.4c\NHelper.dll

Adware:Adware/NavHelper No disinfected C:\RECYCLER\S-1-5-21-233559411-1967630633-991910116-500\Dc4239\S-1-5-21-233559411-1967630633-991910116-500\Dc4035.fr1D8B\NavHelper\v2.0.4c\NHUninstaller.exe

Adware:Adware/NavHelper No disinfected C:\RECYCLER\S-1-5-21-233559411-1967630633-991910116-500\Dc4239\S-1-5-21-233559411-1967630633-991910116-500\Dc4035.fr1D8B\NavHelper\v2.0.4c\NHUpdater.exe

Adware:Adware/NavHelper No disinfected C:\RECYCLER\S-1-5-21-233559411-1967630633-991910116-500\Dc4239\S-1-5-21-233559411-1967630633-991910116-500\Dc4035.fr1D8B\NavHelper\v2.0.4c\v2.0.4c.cab

Adware:Adware/NavHelper No disinfected C:\RECYCLER\S-1-5-21-233559411-1967630633-991910116-500\Dc4239\S-1-5-21-233559411-1967630633-991910116-500\Dc4035.fr1D8B\NavHelper\v2.0.4c\v2.0.4c.cab[NHelper.dll]

Adware:Adware/NavHelper No disinfected C:\RECYCLER\S-1-5-21-233559411-1967630633-991910116-500\Dc4239\S-1-5-21-233559411-1967630633-991910116-500\Dc4035.fr1D8B\NavHelper\v2.0.4c\v2.0.4c.cab[NHUninstaller.exe]

Adware:Adware/NavHelper No disinfected C:\RECYCLER\S-1-5-21-233559411-1967630633-991910116-500\Dc4239\S-1-5-21-233559411-1967630633-991910116-500\Dc4035.fr1D8B\NavHelper\v2.0.4c\v2.0.4c.cab[NHUpdater.exe]

Adware:Adware/EliteBar No disinfected C:\RECYCLER\S-1-5-21-233559411-1967630633-991910116-500\Dc4239\S-1-5-21-233559411-1967630633-991910116-500\Dc4038.fr2047\EliteToolBar version 60.dll

Adware:Adware/WUpd No disinfected C:\RECYCLER\S-1-5-21-233559411-1967630633-991910116-500\Dc4239\S-1-5-21-233559411-1967630633-991910116-500\Dc4179\op[1].htm

Adware:Adware/WinAD No disinfected C:\RECYCLER\S-1-5-21-233559411-1967630633-991910116-500\Dc4239\S-1-5-21-233559411-1967630633-991910116-500\Dc4181\d56[1].exe

Adware:Adware/Medload No disinfected C:\RECYCLER\S-1-5-21-233559411-1967630633-991910116-500\Dc4239\S-1-5-21-233559411-1967630633-991910116-500\Dc4212\v1\ML.exe

Adware:Adware/Ucmore No disinfected C:\RECYCLER\S-1-5-21-233559411-1967630633-991910116-500\Dc4239\S-1-5-21-233559411-1967630633-991910116-500\Dc4213\IUCmore.dll

Adware:Adware/Ucmore No disinfected C:\RECYCLER\S-1-5-21-233559411-1967630633-991910116-500\Dc4239\S-1-5-21-233559411-1967630633-991910116-500\Dc4213\UCMTSAIE.dll

Adware:Adware/WinAD No disinfected C:\RECYCLER\S-1-5-21-233559411-1967630633-991910116-500\Dc4239\S-1-5-21-233559411-1967630633-991910116-500\Dc4218.exe

Adware:Adware/WinAD No disinfected C:\RECYCLER\S-1-5-21-233559411-1967630633-991910116-500\Dc4239\S-1-5-21-233559411-1967630633-991910116-500\Dc4219.exe

Adware:Adware/WinAD No disinfected C:\RECYCLER\S-1-5-21-233559411-1967630633-991910116-500\Dc4239\S-1-5-21-233559411-1967630633-991910116-500\Dc4220.exe

Spyware:Spyware/ISTbar No disinfected C:\RECYCLER\S-1-5-21-233559411-1967630633-991910116-500\Dc4239\S-1-5-21-233559411-1967630633-991910116-500\Dc4221.zip[InstallerApplet.class]

Adware:Adware/WUpd No disinfected C:\RECYCLER\S-1-5-21-233559411-1967630633-991910116-500\Dc4239\S-1-5-21-233559411-1967630633-991910116-500\Dc4222.exe

Adware:Adware/WUpd No disinfected C:\RECYCLER\S-1-5-21-233559411-1967630633-991910116-500\Dc4239\S-1-5-21-233559411-1967630633-991910116-500\Dc4223.dll

Adware:Adware/Minibug No disinfected C:\RECYCLER\S-1-5-21-233559411-1967630633-991910116-500\Dc4239\S-1-5-21-233559411-1967630633-991910116-500\Dc4224.EXE

Adware:Adware/BrilliantDigital No disinfected C:\RECYCLER\S-1-5-21-233559411-1967630633-991910116-500\Dc4239\S-1-5-21-233559411-1967630633-991910116-500\Dc4225.dll

* Adware:Adware/SAHAgent No disinfected C:\WINDOWS\70tovmto.exe

?Spyware:Spyware/New.net No disinfected C:\WINDOWS\NDNuninstall6_38.exe

* Adware:Adware/WUpd No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ELXOG3KV\AdTools[1].exe

* Adware:Adware/WinAD No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\ELXOG3KV\d56[1].exe

* Adware:Adware/WUpd No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\PMSFYZ5B\AdToolsComm[1].dll

* Adware:Adware/WUpd No disinfected C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\VBJKWDOO\AdToolsKeep[1].exe

?Adware:Adware/SAHAgent No disinfected C:\WINDOWS\system32\q17i9a4j.exe
* Adware:Adware/Ucmore No disinfected C:\WINDOWS\ucmoreiex.exe

I have to go out for a while, but have you tried deleting the files manually that Panda could not disinfect?
Will catch up in a couple of hours or less :).

Go to http://www.daniweb.com/techtalkforums/thread12946.html for the DSO exploit fix. Make certain to have all your MS critical updates too.

Hi. I did try to manually delete all the files Panda brought up. In the listing from my previous posting, I put an asterisk * in front of the ones I deleted successfully and a ? in front of the ones I could not find. The rest of the files, I was unable to delete. I just ran Panda again. This time I used the command console to delete everything in the Recycle bin - I'm not sure if that's the right way of doing things. Even though all that was left was the stuff in the Windows Registry and the stuff I couldn't find (4 files) another running of Panda ActiveScan is turning up a lot of stuff.

Two output logs follow. The first is the first Panda scan. I deleted the "Finance & Business" directory since there didn't seem to be any files there and the listing didn't indicate anything other than the directory. I was able to see the Ssk.log for SurfSideKick but it wouldn't delete. All the rest of the list I thought I was able to delete because they were in the RECYCLED bin but my attempt to erase everything from the command prompt didn't seem to have an effect, as seen in the second Panda Activescan listing, for which I just expected the top three items to stay around. (I don't have the recycler on my desktop anymore - it might be something a virus did.)

The second log shows the latest Panda scan: I was expecting maybe three things - the two Windows Registry items and SurfSideKick. But I still got a lot.

Am flying to Seattle in a few hours - guess I'll have to use my half-clean system. Unless I find a connection there to do some more cleaning.

Any ideas would be greatly appreciated! Thanks again.

====== Panda Active Scans follow (two of them) =======

Incident Status Location

Adware:Adware/DownloadWare No disinfected Windows Registry
? Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Administrator\Favorites\Finances & Business
Adware:Adware/TopConvert No disinfected Windows Registry
? Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Ssk.log


== deleted all the ones below using command console:


====== Second of Two Panda Active Scans - the latest one =======

Incident Status Location

Adware:Adware/DownloadWare No disinfected Windows Registry
Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Administrator\Favorites\Health & Insurance
Adware:Adware/TopConvert No disinfected Windows Registry
Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Ssk.log

These can be fixed:

Adware:Adware/DownloadWare No disinfected Windows Registry
? Adware:Adware/EliteBar No disinfected C:\Documents and Settings\Administrator\Favorites\Finances & Business
Adware:Adware/TopConvert No disinfected Windows Registry
? Spyware:Spyware/SurfSideKick No disinfected C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Ssk.log

Clear out your Temporary internet files and other temp files.
Go to Start > Settings > Control Panel > Internet Options.

Under the General tab click the Delete temporary internet files,
delete all Offline content as well. Clear out Cookies.

Also, go to Start > Find/search > Files or folders > in the named box, type: *.tmp and choose Edit > select all -> File > delete.

Empty/delete the entire contents of the C:\Windows\temp folder and C:\temp folder, if you have one. (Contents but not the folder itself.)

C:\Documents and Settings\username\Local Settings\Temp\

In order to view these files you may have to select 'show hidden files/folders.' Instructions on how to here.

Empty the Recycle Bin if there :). It may recreate itself on reboot.

My computer appears to be virus free now. Thanks so much for all your help!!!

You might want to post one (hopefully final) HijackThis log for us to review just to be on the safe side.

I have just run pest patrol on my Win ME Pent 3 machine and it states I have a Panda download that it lists as a Trojan Downloader!! I thought that Panda was a trusted site and did download it when I ran several scans on my machine to check for viruses found by Kaspersky. K listed them as "Trojan Clicker.Win32.VB.dn" which I can't seem to get off my machine. Is K reading the Panda download as a Trojan? K lists them as being in C:\_RESTORE\TEMP\A0026614 (and) A0026608.CPY/data0003. Kaspersky does not seem to be able to do anything to the two viri, just keeps popping up saying they are there. Neither Panda nor Trend Micro says there is a virus, and Symantec and McAfee have no data on that trojan, period!! I just found this site and am still looking for a solution or at least a way to stop the false positive popup if it is ONLY Panda and that is OK. My tech ran virus checker on it and couldn't find it either!! Help Please?

Hi lori2246,

First of all- welcome to TechTalk!

We ask that members not tag their questions on to a thread previously started by another member (regardless of how similar your problem might seem). Not only does it divert the focus of the thread away from the original poster's problem, but it also makes it less likely that you yourself will get the individual attention that you need.

You need to start your own thread in this forum and post your question there.

For a full description of our posting guidelines and general rules of conduct, please see this page:

http://www.daniweb.com/techtalkforums/faq.php?faq=daniweb_faq#faq_rules

Thanks for understanding.


* By the way- for an answer to the problem of anti-virus programs not being able to fix infections found in your C:\_RESTORE folder, go here.
