
Infested Relic: clearing out a laptop


Elhrrah
08-02-2009, 06:58 PM
In a town that has a population smaller than most city blocks, getting PC help can be a problem. Most of the time, I'm the one that fixes the problem. Not this time.

The computer I'm trying to fix is an old Dell laptop from 2001, running service pack one, and an antivirus from 2004. Starting from the top, the old [Norton] antivirus won't uninstall, the required Microsoft updater updates won't install, there are so many viruses that I'm clearing 'em out of my flashdrive with each transfer, Microsoft Money 2002 has decided to try and install itself every time an action is done in Windows Explorer, and apparently, Windows cannot find 'regv.exe'.

I've had the laptop in my possession for four hours so far, managed to stop lsass from rebooting it, installed ThreatFire, and got a wonderful HijackThis log prepared for your ingestion.

Something that I must note is that the laptop was given to its owner after she got out of the hospital back in 2001, after she had a brain aneurysm. I have no recovery disks, installation disks, or any idea how long these things have been going on. There are no system restore points, backups, or hardcopies.

Here's the log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:40:52 PM, on 8/2/2009
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\msmsgs.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
C:\WINDOWS\REGEDIT.EXE
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\MsiExec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeart1cile.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe %windir%\system32\drivers\Regv.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Java VM v6.91] C:\WINDOWS\System32\jdk-1_5_0_19-windows-i391-pp\jav.bat
O4 - HKLM\..\Run: [Microsoft Msn Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Java VM v6.91] C:\WINDOWS\System32\jdk-1_5_0_19-windows-i391-pp\jav.bat
O4 - HKCU\..\Run: [Microsoft Msn Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update] msconfg.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Java VM v6.91] C:\WINDOWS\System32\jdk-1_5_0_19-windows-i391-pp\jav.bat (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Msn Messenger] C:\WINDOWS\System32\msmsgs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Java VM v6.91] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update] msconfg.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Java VM v6.91] (User 'Default user')
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249237824388
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1249237774507
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: sdktemp - Unknown owner - C:\WINDOWS\sdktemp.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: windows drivers32 - Unknown owner - C:\WINDOWS\windrvrs32.exe (file missing)

--
End of file - 8429 bytes
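
The log above already contains the entries a responder would pull out first: a system.ini Shell= line that starts a second program beside Explorer.exe, Run entries named after Windows utilities but pointing at look-alike or misplaced binaries (msconfg.exe, msmsgs.exe under System32, a .bat under a fake JDK folder), a start page on an unfamiliar host, and two services whose owner is unknown and whose binary is gone. The script below is an added example, not part of this thread and not HijackThis code; it parses the R0, F2, O4 and O23 lines of a HijackThis v2 log and applies exactly those checks. The sample lines are copied from the log above with the forum's link wrappers and word-break spaces removed; the start-page allowlist, the look-alike table and the expected-directory table are my own assumptions for this machine.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis lines posted in this thread,
# with the forum's [url] wrappers and inserted word-break spaces removed.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeart1cile.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe %windir%\system32\drivers\Regv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Java VM v6.91] C:\WINDOWS\System32\jdk-1_5_0_19-windows-i391-pp\jav.bat
O4 - HKLM\..\Run: [Microsoft Msn Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update] msconfg.exe (User 'SYSTEM')
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: sdktemp - Unknown owner - C:\WINDOWS\sdktemp.exe (file missing)
O23 - Service: windows drivers32 - Unknown owner - C:\WINDOWS\windrvrs32.exe (file missing)
"""

# Assumption: the start-page hosts treated as this machine's legitimate
# defaults (the OEM and Yahoo URLs that appear in the thread's own log).
EXPECTED_START_HOSTS = {"www.dellnet.com", "my.yahoo.com", "red.clientapps.yahoo.com"}
# Assumption: autostart names one character away from a real Windows utility.
LOOKALIKES = {"msconfg.exe": "msconfig.exe"}
# Assumption: binaries XP ships in one fixed directory; the same file name
# anywhere else is a name collision worth checking.
EXPECTED_DIRS = {"msmsgs.exe": "program files\\messenger"}

O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\]\s*"
                   r"(?P<cmd>.*?)(?:\s+\(User '[^']*'\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
F2_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<shell>.*)$")
R0_RE = re.compile(r"^R0 - (?P<key>.*?),Start Page = (?P<url>\S+)$")


@dataclass
class Finding:
    section: str
    severity: str   # "high" or "info"
    reason: str
    entry: str


def executable_of(cmd: str) -> str:
    """First token of a Run value, honouring a quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""


def check_o4(line: str, m: re.Match) -> list[Finding]:
    """Autostart checks: look-alike names, bare names, misplaced or .bat binaries."""
    exe = executable_of(m["cmd"])
    low = exe.lower()
    base = low.rsplit("\\", 1)[-1]
    out = []
    if base in LOOKALIKES:
        out.append(Finding("O4", "high", f"{base} mimics {LOOKALIKES[base]}", line))
    elif exe and "\\" not in exe:
        out.append(Finding("O4", "info", f"{base} has no path; resolved via the search path", line))
    if base in EXPECTED_DIRS and EXPECTED_DIRS[base] not in low:
        out.append(Finding("O4", "high", f"{base} outside its normal directory", line))
    if base.endswith(".bat") and "\\system32\\" in low:
        out.append(Finding("O4", "high", "batch file autostarting from System32", line))
    return out


def triage(log_text: str) -> list[Finding]:
    """Walk a HijackThis log and return the entries worth a responder's attention."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if m := F2_RE.match(line):
            tokens = [t.lower() for t in m["shell"].split()]
            if tokens != ["explorer.exe"]:   # anything beyond the stock shell
                findings.append(Finding("F2", "high", "Shell= is not plain Explorer.exe: " + " ".join(tokens), line))
        elif m := R0_RE.match(line):
            host = m["url"].split("//", 1)[-1].split("/")[0].lower()
            if host not in EXPECTED_START_HOSTS:
                findings.append(Finding("R0", "high", f"start page points at unexpected host {host}", line))
        elif m := O4_RE.match(line):
            findings.extend(check_o4(line, m))
        elif m := O23_RE.match(line):
            problems = []
            if m["owner"] == "Unknown owner":
                problems.append("unknown owner")
            if m["path"].endswith("(file missing)"):
                problems.append("binary missing on disk")
            if problems:
                findings.append(Finding("O23", "high", "service with " + ", ".join(problems), line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.entry}")
```

Run against the sample it reports eight high-severity entries and one informational one (the pathless pctspk.exe, which is legitimate here but is the kind of entry to confirm rather than assume). The allowlist approach for R0 is deliberate: a start page is only a hijack relative to what the machine is supposed to have, so the table has to be filled in per machine rather than shipped as a global blacklist.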

classicsoftware
08-02-2009, 07:29 PM
First:

How to run a scan with Malwarebytes' Anti-Malware

Download Malwarebytes' Anti-Malware from Here (http://www.besttechie.net/tools/mbam-setup.exe) or Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html)

Double Click mbam-setup.exe to install the application.
Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts.
Click OK to either and let MBAM proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

Second:

Now run Combofix...follow the instructions, exactly.

Please do the following:


Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop (it needs to be run from the Desktop). Double click combofix.exe & follow the prompts.
When finished, it will produce a log for you.


Note:

Do not mouseclick Combofix's window while it is running. That may cause the program to stall...

Third:

IN THE ORDER LISTED BELOW

Re-boot the system
Post the Combofix Log
Post the MBAM log
Post a new HJT log
Tell us how the system is running.

Elhrrah
08-02-2009, 08:51 PM
I've run Malwarebytes' Anti-Malware, but something is preventing me from running ComboFix. Keeps saying that:

"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access the item."


Do you want me to give you the logs from Malwarebytes and HJT anyway?

Update: Now when I try and run ComboFix it says:

"Some files could not be created.
Please close all applications, reboot Windows and restart this installation"

classicsoftware
08-02-2009, 09:31 PM
Yes, give me the MBAM and HJT logs.....

Elhrrah
08-02-2009, 09:36 PM
HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:40:52 PM, on 8/2/2009
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\msmsgs.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
C:\WINDOWS\REGEDIT.EXE
C:\WINDOWS\Explorer.exe
C:\WINDOWS\System32\msiexec.exe
C:\WINDOWS\System32\MsiExec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.freeart1cile.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe %windir%\system32\drivers\Regv.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Java VM v6.91] C:\WINDOWS\System32\jdk-1_5_0_19-windows-i391-pp\jav.bat
O4 - HKLM\..\Run: [Microsoft Msn Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Update] msconfg.exe
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Java VM v6.91] C:\WINDOWS\System32\jdk-1_5_0_19-windows-i391-pp\jav.bat
O4 - HKCU\..\Run: [Microsoft Msn Messenger] C:\WINDOWS\System32\msmsgs.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update] msconfg.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Java VM v6.91] C:\WINDOWS\System32\jdk-1_5_0_19-windows-i391-pp\jav.bat (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Msn Messenger] C:\WINDOWS\System32\msmsgs.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Java VM v6.91] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update] msconfg.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Java VM v6.91] (User 'Default user')
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249237824388
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1249237774507
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: sdktemp - Unknown owner - C:\WINDOWS\sdktemp.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: windows drivers32 - Unknown owner - C:\WINDOWS\windrvrs32.exe (file missing)

--
End of file - 8429 bytes

next log in next post.

Elhrrah
08-02-2009, 09:37 PM
Malwarebytes' log:

Malwarebytes' Anti-Malware 1.39
Database version: 2547
Windows 5.1.2600

8/2/2009 7:32:55 PM
mbam-log-2009-08-02 (19-32-55).txt

Scan type: Quick Scan
Objects scanned: 97949
Time elapsed: 11 minute(s), 43 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 12
Registry Data Items Infected: 4
Folders Infected: 1
Files Infected: 10

Memory Processes Infected:
C:\WINDOWS\SYSTEM32\msmsgs.exe (Backdoor.Bot) -> Unloaded process successfully.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{28abc5c0-4fcb-11cf-aax5-81cx1c635612} (Generic.Bot.H) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Update (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft msn messenger (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft msn messenger (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\microsoft msn messenger (Backdoor.Bot) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java VM v6.91 (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Java VM v6.91 (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Java VM v6.91 (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Java VM v6.91 (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\intime (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\reup (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\WaitToKillServiceT (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\unwise_.exe (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page (Hijack.Homepage) -> Bad: (http://www.freeart1cile.com) Good: (http://www.Google.com/) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\FirewallDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\RESTORE\k-1-3542-4232123213-7676767-8888886 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
c:\documents and settings\localservice\local settings\temporary internet files\Content.IE5\0GWUPHCA\c1234[1].jpg (Trojan.Buzus) -> Quarantined and deleted successfully.
c:\documents and settings\localservice\local settings\temporary internet files\Content.IE5\0L2F450H\c1234[1].jpg (Trojan.Buzus) -> Quarantined and deleted successfully.
c:\RESTORE\k-1-3542-4232123213-7676767-8888886\Desktop.ini (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\msmsgs.exe (Backdoor.Bot) -> Quarantined and deleted successfully.
C:\WINDOWS\Downloaded Program Files\eghtmldialer.inf (Adware.EGDAccess) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\DrsCh.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\DRIVERS\Regview.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\SYSTEM32\jdk-1_5_0_19-windows-i391-pp\jav.bat (Trojan.Downloader) -> Quarantined and deleted successfully.
c:\documents and settings\gina barger\b9i4b7c5d5x6.exe (Worm.Autorun) -> Quarantined and deleted successfully.
c:\documents and settings\gina barger\l9w9v3t2f8y8.exe (Worm.Autorun) -> Quarantined and deleted successfully.

Thanks for helping; I'm sure that problems like these must chafe quickly.

classicsoftware
08-02-2009, 09:43 PM
I need a fresh hijackthis log. The two logs are identical.....



First log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:40:52 PM, on 8/2/2009
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Second Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:40:52 PM, on 8/2/2009
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Elhrrah
08-02-2009, 10:07 PM
I'm getting sloppy.

While I wait for the scan to run again, I've got a few questions.

Because the computer comes with no recovery disks, has no set recovery points and an indeterminate original ownership, is there any chance of me being able to restore the system such that I would be able to install service pack 2, and be left with a [somewhat] stable system?

Here's the log:

Malwarebytes' Anti-Malware 1.39
Database version: 2547
Windows 5.1.2600

8/2/2009 9:05:57 PM
mbam-log-2009-08-02 (21-05-57).txt

Scan type: Quick Scan
Objects scanned: 97896
Time elapsed: 11 minute(s), 28 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

classicsoftware
08-03-2009, 09:19 AM
Please run Hijackthis and post a fresh log.

DO NOT install SP2 until the system is clean or you will regret it.

Elhrrah
08-03-2009, 10:31 AM
I really am making a fool of myself; should have slept more last night.

So far I've managed to fix the issue of Microsoft Money trying to install itself, found that somehow the rundll32.exe was missing, replaced the rundll.exe, found that "Windows Cannot Access The Specified Device Path Or File Exe," started a checkdisk, and have been staring at the screen for the last while, waiting for the checkdisk to finish.

Once that finishes, I'll run HJT again - can't believe I ran the wrong program last night - and post the log.

Perhaps I should tell the owner to buy a Mac...

Elhrrah
08-03-2009, 10:51 AM
Third try had better be the charm:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:47:41 AM, on 8/3/2009
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\REGEDIT.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\WINDOWS\System32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com
F2 - REG:system.ini: Shell=Explorer.exe %windir%\system32\drivers\Regv.exe
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update] msconfg.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Java VM v6.91] C:\WINDOWS\System32\jdk-1_5_0_19-windows-i391-pp\jav.bat (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Java VM v6.91] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update] msconfg.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Java VM v6.91] (User 'Default user')
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249237824388
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1249237774507
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: sdktemp - Unknown owner - C:\WINDOWS\sdktemp.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: windows drivers32 - Unknown owner - C:\WINDOWS\windrvrs32.exe (file missing)

--
End of file - 7755 bytes

classicsoftware
08-03-2009, 10:58 AM
Open Hijackthis and place a check next to:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://red.clientapps.yahoo.com/customize/ie/defaults/stp/ymsgr*http://my.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr/*http://www.yahoo.com

F2 - REG:system.ini: Shell=Explorer.exe %windir%\system32\drivers\Regv.exe

O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update] msconfg.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update] msconfg.exe (User 'Default user')

O23 - Service: sdktemp - Unknown owner - C:\WINDOWS\sdktemp.exe (file missing)
O23 - Service: windows drivers32 - Unknown owner - C:\WINDOWS\windrvrs32.exe (file missing)

Close all open programs and browser windows except for HijackThis and click Fix checked.
Re-boot and post a fresh log.
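The selection above follows a few mechanical rules, and here they are as a small triage script. This is an added example, not HijackThis's own code or the helper's; it assumes the log line formats shown in this thread, the constructed sample embedded in it, and a typo check against well-known process names that is an added heuristic rather than something the thread states.

```python
"""Triage heuristics for HijackThis log lines (added example, not HJT's own code)."""
import re
from collections import namedtuple

# Constructed sample: a subset of the entries quoted in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
F2 - REG:system.ini: Shell=Explorer.exe %windir%\system32\drivers\Regv.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKUS\S-1-5-18\..\Run: [Microsoft Update] msconfg.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Update] msconfg.exe (User 'Default user')
O4 - HKUS\S-1-5-18\..\RunOnce: [Java VM v6.91] (User 'SYSTEM')
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
O23 - Service: sdktemp - Unknown owner - C:\WINDOWS\sdktemp.exe (file missing)
O23 - Service: windows drivers32 - Unknown owner - C:\WINDOWS\windrvrs32.exe (file missing)
"""

# Well-known Windows process names (assumed list): a Run entry one typo away
# from one of these (msconfg vs msconfig) is trying to pass as legitimate.
KNOWN_SYSTEM = ("msconfig", "svchost", "lsass", "csrss", "explorer", "winlogon", "services")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\Run(?:Once)?: "
                   r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
USER_SUFFIX = re.compile(r" ?\(User '[^']*'\)$")

# severity "high": tick it before Fix checked; "review": look at it first
Finding = namedtuple("Finding", "line severity reason")


def within_one_edit(a, b):
    """True when a and b differ by at most one substitution, insertion or deletion."""
    if len(a) > len(b):
        a, b = b, a
    if len(b) - len(a) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) <= 1
    return any(b[:i] + b[i + 1:] == a for i in range(len(b)))


def first_token(cmd):
    """Executable part of a Run command, honouring a quoted path."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    parts = cmd.split()
    return parts[0] if parts else ""


def check_browser_default(line):
    # R0/R1: a start page or search URL that chains a second URL behind '*'
    m = re.match(r"^R[01] - .+ = (?P<value>\S+)$", line)
    if m and ("*http" in m["value"] or m["value"].count("http") > 1):
        return Finding(line, "high", "browser default is routed through a redirector URL")
    return None


def check_shell(line):
    # F2: the system.ini Shell= value should launch Explorer.exe and nothing else
    m = re.match(r"^F2 - REG:system\.ini: Shell=(?P<value>.*)$", line)
    if not m or [t.lower() for t in m["value"].split()] == ["explorer.exe"]:
        return None
    return Finding(line, "high", "Shell= is not exactly Explorer.exe: " + m["value"])


def check_run(line):
    # O4: a bare executable name is resolved by search path, so a planted copy
    # earlier on that path wins; worse when it runs from the SYSTEM/.DEFAULT hives
    m = O4_RE.match(line)
    if not m:
        return None
    exe = first_token(USER_SUFFIX.sub("", m["cmd"]).strip())
    if not exe or "\\" in exe:
        return None
    stem = exe.lower().rsplit(".", 1)[0]
    near = [k for k in KNOWN_SYSTEM if k != stem and within_one_edit(stem, k)]
    severity, reason = "review", f"Run entry [{m['name']}] names bare executable {exe}"
    if near:
        severity, reason = "high", reason + f"; one edit away from {near[0]}"
    if m["hive"].startswith("HKUS"):
        severity, reason = "high", reason + f"; runs from the {m['hive']} hive"
    return Finding(line, severity, reason)


def check_service(line):
    # O23: a service with no identified owner and/or no binary on disk
    if not line.startswith("O23 - Service:"):
        return None
    issues = [msg for needle, msg in (("Unknown owner", "no identified owner"),
                                      ("(file missing)", "binary missing on disk")) if needle in line]
    return Finding(line, "high", "service with " + " and ".join(issues)) if issues else None


def triage(log_text):
    findings = []
    for line in filter(None, (raw.strip() for raw in log_text.splitlines())):
        for check in (check_browser_default, check_shell, check_run, check_service):
            found = check(line)
            if found:
                findings.append(found)
                break
    return findings


def fix_list(findings):
    """Lines to tick in HijackThis before clicking Fix checked."""
    return [f.line for f in findings if f.severity == "high"]
```

Run against the sample, `fix_list` returns exactly the six entry kinds the helper picked, while the bare `pctspk.exe` entry comes back as "review" rather than an automatic fix.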

Elhrrah
08-03-2009, 11:10 AM
Something I must note is that the system won't shut down or reboot on its own; I am forced to do so manually.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:07:57 AM, on 8/3/2009
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
C:\WINDOWS\REGEDIT.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [ccApp] C:\Program Files\Common Files\Symantec Shared\ccApp.exe
O4 - HKLM\..\Run: [ccRegVfy] C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Java VM v6.91] C:\WINDOWS\System32\jdk-1_5_0_19-windows-i391-pp\jav.bat (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Java VM v6.91] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Java VM v6.91] (User 'Default user')
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249237824388
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1249237774507
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 6870 bytes

classicsoftware
08-03-2009, 02:09 PM
You have Norton and Threat Fire running. Pick one and uninstall the other. Re-boot and post a fresh log.

Elhrrah
08-03-2009, 02:35 PM
The original owner told me that Norton was removed; looks like it has been hiding from me.

Add/Remove is inaccessible; nothing in the control panel is. Downloaded the Norton Removal Tool. The tool has done its work (the computer actually restarted by itself, too) and here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:30:58 PM, on 8/3/2009
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\System32\pctspk.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MICAC0~1\System\urlmap.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5_1_5_0.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [Microsoft Update] msconfg.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\DELL\AccessDirect\dadapp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\Money Express.exe"
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Java VM v6.91] C:\WINDOWS\System32\jdk-1_5_0_19-windows-i391-pp\jav.bat (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [Java VM v6.91] (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [Java VM v6.91] (User 'Default user')
O4 - Global Startup: Camio Viewer 2000.lnk = C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: Yahoo! Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0411.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1249237824388
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1249237774507
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yse/ymmapi_416.dll
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 5325 bytes

classicsoftware
08-03-2009, 03:10 PM
Now go online and run Windows Update and get this thing up to date. Do not pass go and do not collect $200.00. Do it now and when you are done post a new HJT log.

Elhrrah
08-03-2009, 03:37 PM
Prior to receiving your reply I had started a scan using a portable antivirus, ClamWin. It hasn't stopped finding viruses, and I am starting to wonder if the scan is running properly. Should I let it run and post the report, or connect the laptop to the internet and allow it to update?

Also, when I originally tried updating Windows, it failed to download most of the updates for the updater; if it does so again, should I try downloading Service Pack 2 manually and installing it that way? I found a place where it can be downloaded (listed below) but I feel hesitant to accept it as kosher.

http://www.softwarepatch.com/windows/xpsp2.html

Elhrrah
08-03-2009, 04:27 PM
Here's the log from ClamWin (part one); not sure what the best course of action is.

C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT: Permission denied

C:\WINDOWS\SYSTEM32\CONFIG\SAM: Permission denied

C:\WINDOWS\SYSTEM32\CONFIG\SECURITY: Permission denied

C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE: Permission denied

C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM: Permission denied

C:\WINDOWS\SYSTEM32\rundll32.exe: Permission denied



-17 FOUND

C:\Program Files\MSN\MSNCoreFiles\msn6.exe: W32.Virut-17 FOUND

C:\Program Files\MSN\MSNCoreFiles\Setup\msnunin.exe: W32.Virut-17 FOUND

C:\Program Files\MSN\MSNCoreFiles\update.exe: W32.Virut-17 FOUND

C:\Program Files\MSN Gaming Zone\Windows\BCKGZM.EXE: W32.Virut-17 FOUND

C:\Program Files\MSN Gaming Zone\Windows\CHKRZM.EXE: W32.Virut-17 FOUND

C:\Program Files\MSN Gaming Zone\Windows\HRTZZM.EXE: W32.Virut-17 FOUND

C:\Program Files\MSN Gaming Zone\Windows\Rvsezm.exe: W32.Virut-17 FOUND

C:\Program Files\MSN Gaming Zone\Windows\SHVLZM.EXE: W32.Virut-17 FOUND

C:\Program Files\MSN Gaming Zone\Windows\zClientm.exe: W32.Virut-17 FOUND

C:\Program Files\MusicMatch\MusicMatch Jukebox\HWUpdateMove.exe: W32.Virut-17 FOUND

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmdiag.exe: W32.Virut-17 FOUND

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmjb.exe: W32.Virut-17 FOUND

C:\Program Files\MusicMatch\MusicMatch Jukebox\mmjbrun.exe: W32.Virut-17 FOUND

C:\Program Files\MusicMatch\MusicMatch Jukebox\MmjbUpdt.exe: W32.Virut-17 FOUND

C:\Program Files\MusicMatch\MusicMatch Jukebox\MMPurchase.exe: W32.Virut-17 FOUND

C:\Program Files\MusicMatch\MusicMatch Jukebox\mm_tray.exe: W32.Virut-17 FOUND

C:\Program Files\MusicMatch\MusicMatch Jukebox\ti.exe: W32.Virut-17 FOUND

C:\Program Files\MusicMatch\MusicMatch Jukebox\UpdtStub.exe: W32.Virut-17 FOUND

C:\Program Files\NetMeeting\CB32.EXE: W32.Virut-17 FOUND

C:\Program Files\NetMeeting\CONF.EXE: W32.Virut-17 FOUND

C:\Program Files\NetMeeting\WB32.EXE: W32.Virut-17 FOUND

C:\Program Files\Outlook Express\MSIMN.EXE: W32.Virut-17 FOUND

C:\Program Files\Outlook Express\OEMIG50.EXE: W32.Virut-17 FOUND

C:\Program Files\Outlook Express\SETUP50.EXE: W32.Virut-17 FOUND

C:\Program Files\Outlook Express\WAB.EXE: W32.Virut-17 FOUND

C:\Program Files\Outlook Express\WABMIG.EXE: W32.Virut-17 FOUND

C:\Program Files\Real\RealPlayer\realplay.exe: W32.Virut-17 FOUND

C:\Program Files\Real\RealPlayer\Setup\.g2cln.exe: W32.Virut-17 FOUND

C:\Program Files\Real\RealPlayer\Setup\setup.exe: W32.Virut-17 FOUND

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Directcd.exe: W32.Virut-17 FOUND

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\Scandisc.exe: W32.Virut-17 FOUND

C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\udfrchk.exe: W32.Virut-17 FOUND

C:\Program Files\Roxio\Easy CD Creator 5\Easy CD Creator\CDCopier.exe: W32.Virut-17 FOUND

C:\Program Files\Roxio\Easy CD Creator 5\Easy CD Creator\Creatr50.exe: W32.Virut-17 FOUND

C:\Program Files\Sierra Imaging\Image Expert 2000\ImageX.exe: W32.Virut-17 FOUND

C:\Program Files\Sierra Imaging\Image Expert 2000\IXApplet.exe: W32.Virut-17 FOUND

C:\Program Files\Sierra Imaging\Image Expert 2000\launch.exe: W32.Virut-17 FOUND

C:\Program Files\Sierra Imaging\Image Expert 2000\MovieProjector.exe: W32.Virut-17 FOUND

C:\Program Files\Sierra Imaging\Image Expert 2000\Player.exe: W32.Virut-17 FOUND

C:\Program Files\Sierra Imaging\Image Expert 2000\QuickTours\quicktour.exe: W32.Virut-17 FOUND

C:\Program Files\Sierra Imaging\Image Expert 2000\scandrv.exe: W32.Virut-17 FOUND

C:\Program Files\Sierra Imaging\Image Expert 2000\Weblayout\utils\SplitHTML.exe: W32.Virut-17 FOUND

C:\Program Files\Sierra Imaging\Image Expert 2000\WebPublish.exe: W32.Virut-17 FOUND

C:\Program Files\Synaptics\SynTP\InstNT.exe: W32.Virut-17 FOUND

C:\Program Files\Synaptics\SynTP\SynMood.exe: W32.Virut-17 FOUND

C:\Program Files\Synaptics\SynTP\SynTPCpl.exe: W32.Virut-17 FOUND

C:\Program Files\Synaptics\SynTP\SynTPEnh.exe: W32.Virut-17 FOUND

C:\Program Files\Synaptics\SynTP\SynTPLpr.exe: W32.Virut-17 FOUND

C:\Program Files\Synaptics\SynTP\SynZMetr.exe: W32.Virut-17 FOUND

C:\Program Files\Synaptics\SynTP\Tutorial.exe: W32.Virut-17 FOUND

C:\Program Files\Trend Micro\HijackThis\HijackThis.exe: W32.Virut-17 FOUND

C:\Program Files\ValuSoft\Ultimate Mahjongg 10\Mahjongg10.exe: W32.Virut-17 FOUND

C:\Program Files\ValuSoft\Ultimate Mahjongg 10\UNWISE.EXE: W32.Virut-17 FOUND

C:\Program Files\Windows Installer Clean Up\msicuu.exe: W32.Virut-17 FOUND

C:\Program Files\Windows Installer Clean Up\MsiZap.exe: W32.Virut-17 FOUND

C:\Program Files\Windows Media Player\DLIMPORT.EXE: W32.Virut-17 FOUND

C:\Program Files\Windows Media Player\MPLAYER2.EXE: W32.Virut-17 FOUND

C:\Program Files\Windows Media Player\SETUP_WM.EXE: W32.Virut-17 FOUND

C:\Program Files\Windows Media Player\WMPLAYER.EXE: W32.Virut-17 FOUND

C:\Program Files\Windows NT\Accessories\WORDPAD.EXE: W32.Virut-17 FOUND

C:\Program Files\Windows NT\DIALER.EXE: W32.Virut-17 FOUND

C:\Program Files\Windows NT\HYPERTRM.EXE: W32.Virut-17 FOUND

C:\Program Files\Windows NT\Pinball\PINBALL.EXE: W32.Virut-17 FOUND

C:\Program Files\Yahoo!\Messenger\blank.html: HTML.Mefir FOUND

C:\Program Files\Yahoo!\Messenger\defaults\blank.html: HTML.Mefir FOUND

C:\Program Files\Yahoo!\Messenger\UNWISE.EXE: W32.Virut-17 FOUND

C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe: W32.Virut-17 FOUND

C:\Program Files\Yahoo!\Messenger\YPager.exe: W32.Virut-17 FOUND

C:\Program Files\Yahoo!\Messenger\YServer.exe: W32.Virut-17 FOUND

C:\r6u9k2l4e6a4.exe: W32.Virut-17 FOUND

C:\WINDOWS\EXPLORER.EXE: W32.Virut-17 FOUND

C:\WINDOWS\Fonts\unwise_.exe: W32.Virut-17 FOUND

C:\WINDOWS\Help\SBSI\Training\orun32.exe: W32.Virut-17 FOUND

C:\WINDOWS\Help\SBSI\Training\ounins32_s.exe: W32.Virut-17 FOUND

C:\WINDOWS\HH.EXE: W32.Virut-17 FOUND

C:\WINDOWS\INF\UNREGMP2.EXE: W32.Virut-17 FOUND

C:\WINDOWS\Installer\00010409-78E1-11D2-B60F-006097C998E7\accicons.exe: W32.Virut-17 FOUND

C:\WINDOWS\Installer\00010409-78E1-11D2-B60F-006097C998E7\bindico.exe: W32.Virut-17 FOUND

C:\WINDOWS\Installer\00010409-78E1-11D2-B60F-006097C998E7\fpicon.exe: W32.Virut-17 FOUND

C:\WINDOWS\Installer\00010409-78E1-11D2-B60F-006097C998E7\misc.exe: W32.Virut-17 FOUND

C:\WINDOWS\Installer\00010409-78E1-11D2-B60F-006097C998E7\outicon.exe: W32.Virut-17 FOUND

C:\WINDOWS\Installer\00010409-78E1-11D2-B60F-006097C998E7\PEicons.exe: W32.Virut-17 FOUND

C:\WINDOWS\Installer\00010409-78E1-11D2-B60F-006097C998E7\pptico.exe: W32.Virut-17 FOUND

C:\WINDOWS\Installer\00010409-78E1-11D2-B60F-006097C998E7\wordicon.exe: W32.Virut-17 FOUND

C:\WINDOWS\Installer\00010409-78E1-11D2-B60F-006097C998E7\xlicons.exe: W32.Virut-17 FOUND

C:\WINDOWS\Installer\01001202-823E-46CD-A70E-BEE818F97169\ENCSCICO.EXE: W32.Virut-17 FOUND

C:\WINDOWS\Installer\12BDDF23-B1DB-49C8-92D3-3E6841CCED61\misc.exe.D0DF3458_A845_11D3_8D0A_0050046416B9.exe: W32.Virut-17 FOUND

C:\WINDOWS\Installer\12BDDF23-B1DB-49C8-92D3-3E6841CCED61\_BAC710951182_4DAF_A41A_E8B47B62ECED.exe: W32.Virut-17 FOUND

C:\WINDOWS\Installer\350C97B0-3D7C-4EE8-BAA9-00BCB3D54227\PLACES.EXE: W32.Virut-17 FOUND

C:\WINDOWS\Installer\609F7AC8-C510-11D4-A788-009027ABA5D0\_1F120C28B6D0_4C9E_836B_10108B9F751F.exe: W32.Virut-17 FOUND

C:\WINDOWS\Installer\911B0409-6000-11D3-8CFE-0050048383C9\CAGICON.EXE: W32.Virut-17 FOUND

C:\WINDOWS\Installer\911B0409-6000-11D3-8CFE-0050048383C9\MISC.EXE: W32.Virut-17 FOUND

C:\WINDOWS\Installer\911B0409-6000-11D3-8CFE-0050048383C9\MSPICONS.EXE: W32.Virut-17 FOUND

C:\WINDOWS\Installer\911B0409-6000-11D3-8CFE-0050048383C9\OPWICON.EXE: W32.Virut-17 FOUND

C:\WINDOWS\Installer\911B0409-6000-11D3-8CFE-0050048383C9\PEicons.exe: W32.Virut-17 FOUND

C:\WINDOWS\Installer\911B0409-6000-11D3-8CFE-0050048383C9\UNBNDICO.EXE: W32.Virut-17 FOUND

C:\WINDOWS\Installer\911B0409-6000-11D3-8CFE-0050048383C9\WORDICON.EXE: W32.Virut-17 FOUND

C:\WINDOWS\Installer\A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704\cagicon.76D90421_D2BE_11D2_99FF_0060B0EC3D2E.exe: W32.Virut-17 FOUND

C:\WINDOWS\Installer\A1B7B9B3-E1D2-41CA-9B4A-F18DC2710704\_41BECA2.EXE: W32.Virut-17 FOUND

C:\WINDOWS\Installer\C769A271-7E1C-48F9-B331-474600DD4C06\cagicon.76D90421_D2BE_11D2_99FF_0060B0EC3D2E.exe: W32.Virut-17 FOUND

C:\WINDOWS\Installer\C769A271-7E1C-48F9-B331-474600DD4C06\PIP.EXE: W32.Virut-17 FOUND

C:\WINDOWS\Installer\C769A271-7E1C-48F9-B331-474600DD4C06\_360AB8CCB8D3_477E_A460_2151F35A3517.exe: W32.Virut-17 FOUND

C:\WINDOWS\Installer\E9ED0801-253D-4FE9-AB20-F63DEFE72547\ARPPRODUCTICON.exe: W32.Virut-17 FOUND

C:\WINDOWS\IsUninst.exe: W32.Virut-17 FOUND

C:\WINDOWS\LastGood\System32\logagent.exe: W32.Virut-17 FOUND

C:\WINDOWS\LastGood\System32\pctspk.exe: W32.Virut-17 FOUND

C:\WINDOWS\MSAGENT\AGENTSVR.EXE: W32.Virut-17 FOUND

C:\WINDOWS\NOTEPAD.EXE: W32.Virut-17 FOUND

C:\WINDOWS\PATCH.EXE: W32.Virut-17 FOUND

C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpCtr.exe: W32.Virut-17 FOUND

C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpHost.exe: W32.Virut-17 FOUND
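A quick way to read a report like this one, as an added example that is neither ClamWin's code nor the poster's: tally detections by signature and by location, and treat one signature on many pre-existing executables under the Windows directory as the footprint of a file infector rather than a single dropped payload. The sample lines are copied from the report above; the threshold of five and the "rebuild" wording are assumptions of this example.

```python
"""Summarise a ClamWin/clamscan report to judge the shape of an infection
(added example, not ClamWin's own code)."""
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the report in this thread.
SAMPLE_REPORT = r"""
C:\WINDOWS\SYSTEM32\CONFIG\SAM: Permission denied
C:\Program Files\Outlook Express\MSIMN.EXE: W32.Virut-17 FOUND
C:\Program Files\Yahoo!\Messenger\blank.html: HTML.Mefir FOUND
C:\r6u9k2l4e6a4.exe: W32.Virut-17 FOUND
C:\WINDOWS\EXPLORER.EXE: W32.Virut-17 FOUND
C:\WINDOWS\NOTEPAD.EXE: W32.Virut-17 FOUND
C:\WINDOWS\REGEDIT.EXE: W32.Virut-17 FOUND
C:\WINDOWS\SYSTEM32\CMD.EXE: W32.Virut-17 FOUND
C:\WINDOWS\SYSTEM32\ATTRIB.EXE: W32.Virut-17 FOUND
C:\WINDOWS\SYSTEM32\DLLCACHE\winlogon.exe: W32.Virut-17 FOUND
C:\WINDOWS\SYSTEM32\asr_lifhb: Trojan.Downloader.Bat.Ftp.gen-1 FOUND
C:\WINDOWS\SYSTEM32\DRIVERS\Regv.exe: W32.Virut-17 FOUND
C:\WINDOWS\SYSTEM32\LOGON.SCR: W32.Virut-17 FOUND
"""

# "<path>: <signature> FOUND" or "<path>: Permission denied"
LINE_RE = re.compile(r"^(?P<path>.+?): (?:(?P<sig>\S+) FOUND|(?P<err>.+ denied))$")
WINDIR = "C:\\WINDOWS\\"
EXECUTABLE = (".exe", ".scr", ".dll", ".sys", ".com")


def parse(report):
    """Return (hits, skipped): hits are (path, signature) pairs; skipped are
    paths the scanner could not open and which still need checking elsewhere."""
    hits, skipped = [], []
    for line in report.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m["sig"]:
            hits.append((m["path"], m["sig"]))
        else:
            skipped.append(m["path"])
    return hits, skipped


def infector_signatures(hits, threshold=5):
    """Signatures seen on at least `threshold` executables inside the Windows
    directory. One family on many pre-existing OS binaries is a file-infector
    footprint, not a single dropped payload (threshold is an assumed value)."""
    per_sig = Counter(sig for path, sig in hits
                      if path.upper().startswith(WINDIR) and path.lower().endswith(EXECUTABLE))
    return sorted(sig for sig, n in per_sig.items() if n >= threshold)


def assess(report):
    """Counts per signature plus a recommended course of action."""
    hits, skipped = parse(report)
    infectors = infector_signatures(hits)
    if infectors:
        action = ("file infector has patched core OS binaries (%s): disinfecting in place "
                  "leaves their integrity uncertain, so plan a rebuild from trusted media "
                  "and keep only data" % ", ".join(infectors))
    elif hits:
        action = "isolated detections: quarantine the listed files and rescan"
    else:
        action = "no detections"
    return {"hits": len(hits), "by_signature": dict(Counter(sig for _, sig in hits)),
            "skipped": skipped, "infectors": infectors, "action": action}
```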

Elhrrah
08-03-2009, 04:28 PM
part two

C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\HelpSvc.exe: W32.Virut-17 FOUND

C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\MSCONFIG.EXE: W32.Virut-17 FOUND

C:\WINDOWS\PCHEALTH\HELPCTR\Binaries\NOTIFLAG.EXE: W32.Virut-17 FOUND

C:\WINDOWS\PCHEALTH\UploadLB\Binaries\UploadM.exe: W32.Virut-17 FOUND

C:\WINDOWS\REGEDIT.EXE: W32.Virut-17 FOUND

C:\WINDOWS\runtsckl.exe: W32.Virut-17 FOUND

C:\WINDOWS\SETDEBUG.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SETPWRCG.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SoftwareDistribution\Download\e9b0377463edd4b6480f6148a1f88bac\sp1qfe\bitsinst.exe: W32.Virut-17 FOUND

C:\WINDOWS\SoftwareDistribution\Download\e9b0377463edd4b6480f6148a1f88bac\spuninst.exe: W32.Virut-17 FOUND

C:\WINDOWS\SoftwareDistribution\Download\e9b0377463edd4b6480f6148a1f88bac\update\update.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\ACCWIZ.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\ACTMOVIE.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\AHUI.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\ALG.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\ARP.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\asr_lifhb: Trojan.Downloader.Bat.Ftp.gen-1 FOUND

C:\WINDOWS\SYSTEM32\AT.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\ATMADM.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\ATTRIB.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\BOOTOK.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\BOOTVRFY.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\CACLS.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\CALC.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\CHARMAP.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\CHKDSK.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\CHKNTFS.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\CIDAEMON.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\CISVC.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\CKCNV.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\CLEANMGR.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\CLICONFG.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\CLIPBRD.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\CLIPSRV.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\CLSPACK.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\CMD.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\CMDL32.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\CMMON32.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\CMSTP.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\Com\COMREPL.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\Com\COMREREG.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\COMP.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\COMPACT.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temp\SetAppPath.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temp\~WKS99TEMP\LAUNCHER.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\Local Settings\Temp\~WKS99TEMP\UNREGWTR.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\CONIME.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\CONTROL.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\CONVERT.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\CSCRIPT.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\CTFMON.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\DCOMCNFG.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\DDESHARE.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\DEFRAG.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\DFRGFAT.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\DFRGNTFS.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\DIANTZ.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\DISKPART.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\DISKPERF.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\DLLCACHE\iexplore.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\DLLCACHE\pctspk.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\DLLCACHE\winlogon.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\DLLHOST.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\DLLHST3G.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\DMADMIN.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\DMREMOTE.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\DOSKEY.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\DPLAYSVR.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\DPNSVR.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\DPVSETUP.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\DRIVERS\DllSrv.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\DRIVERS\dllview.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\DRIVERS\RegSrv.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\DRIVERS\Regv.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\DRWTSN32.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\DUMPREP.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\DVDPLAY.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\DVDUPGRD.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\DXDIAG.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\ESENTUTL.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\EUDCEDIT.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\EVENTVWR.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\EXPAND.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\EXTRAC32.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\FC.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\FIND.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\FINDSTR.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\FINGER.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\FIXMAPI.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\FONTVIEW.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\FORCEDOS.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\FREECELL.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\FSUTIL.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\FTP.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\HELP.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\hkcmd.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\HOSTNAME.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\hpfinsta.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\i: Trojan.Downloader.Bat.Ftp.gen-1 FOUND

C:\WINDOWS\SYSTEM32\IE4UINIT.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\IEXPRESS.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\igfxcfg.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\igfxdiag.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\igfxtray.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\ImageX 2000.scr: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\IMAPI.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\IPCONFIG.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\IPSEC6.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\IPV6.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\IPXROUTE.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\JDBGMGR.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\jdk-1_5_0_19-windows-i391-pp\js.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\JVIEW.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\LABEL.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\LIGHTS.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\LNKSTUB.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\LOCATOR.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\LODCTR.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\LOGAGENT.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\LOGOFF.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\LOGON.SCR: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\LOGONUI.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\LPQ.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\LPR.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\Macromed\Flash\UninstFl.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\Macromed\Shockwave 8\QuitRemote.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\Macromed\Shockwave 8\SwInit.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\Macromed\Shockwave 8\UNWISE.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\MAGNIFY.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\MAKECAB.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\MAPISRVR.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\MIGPWD.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\MMC.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\MNMSRVC.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\MOBSYNC.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\MOUNTVOL.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\MPLAY32.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\MPNOTIFY.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\MRINFO.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\MSDTC.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\MSG.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\MSHEARTS.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\MSHTA.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\MSIEXEC.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\MSPAINT.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\MSSWCHX.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\mstinit.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\MSTSC.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\NARRATOR.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\NBTSTAT.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\NDDEAPIR.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\NET.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\NET1.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\NETDDE.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\netsetup.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\NETSH.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\NETSTAT.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\NOTEPAD.EXE: W32.Virut-17 FOUND

Elhrrah
08-03-2009, 04:30 PM
part three

C:\WINDOWS\SYSTEM32\NPP\NPPAGENT.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\NSLOOKUP.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\NTSD.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\NTVDM.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\ODBCAD32.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\ODBCCONF.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\OOBE\MSOOBE.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\OOBE\OOBEBALN.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\OSK.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\OSUNINST.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\PACKAGER.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\PATHPING.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\pctspk.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\PENTNT.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\PERFMON.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\PING.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\PING6.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\PRINT.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\PROGMAN.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\PROQUOTA.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\ptuninst.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\QAPPSRV.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\QPROCESS.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\QWINSTA.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\RASAUTOU.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\RASDIAL.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\RASPHONE.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\RCIMLBY.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\RCP.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\RDPCLIP.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\RDSADDIN.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\RDSHOST.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\RECOVER.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\REG.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\REGEDT32.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\REGINI.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\REGSVR32.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\REGWIZ.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\hkcmd.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\igfxcfg.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\igfxdiag.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\ReinstallBackups\0002\DriverFiles\igfxtray.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\REPLACE.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\RESET.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\Restore\RSTRUI.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\Restore\SRDIAG.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\REXEC.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\ROUTE.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\ROUTEMON.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\RSH.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\RSM.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\RSMSINK.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\RSMUI.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\RSVP.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\RTCSHARE.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\RUNAS.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\RWINSTA.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SAVEDUMP.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SC.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SCARDSVR.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SCRNSAVE.SCR: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SDBINST.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SESSMGR.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SETHC.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SETUP.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SFC.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SHADOW.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SHMGRATE.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SHRPUBW.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SHUTDOWN.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SIGVERIF.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SKEYS.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SMLOGSVC.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SNDREC32.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SNDVOL32.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SOL.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SORT.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SPIDER.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpzcfg04.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpzcfg09.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpzeng04.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpzeng09.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpzpre04.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpzpre09.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpzstc04.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpzstc09.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpzstw09.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpztbu04.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpztbu09.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpztbx04.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpztbx09.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpztsb04.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\hpztsb09.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\hewlett_packarddeskj9200000\hpzcfg04.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\hewlett_packarddeskj9200000\hpzeng04.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\hewlett_packarddeskj9200000\hpzpre04.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\hewlett_packarddeskj9200000\hpzstc04.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\hewlett_packarddeskj9200000\hpztbu04.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\hewlett_packarddeskj9200000\hpztbx04.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\hpfinsta.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\hpphotosmart_7900_se779c\hpzcfg09.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\hpphotosmart_7900_se779c\hpzeng09.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\hpphotosmart_7900_se779c\hpzpre09.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\hpphotosmart_7900_se779c\hpzstc09.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\hpphotosmart_7900_se779c\hpzstw09.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\hpphotosmart_7900_se779c\hpztbu09.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\hpphotosmart_7900_se779c\hpztbx09.exe: W32.Virut-17 FOUND

Elhrrah
08-03-2009, 04:32 PM
and finally, part four.

C:\WINDOWS\SYSTEM32\SPOOLSV.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SS3DFO.SCR: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SSBEZIER.SCR: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SSFLWBOX.SCR: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SSMARQUE.SCR: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SSMYPICS.SCR: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SSMYST.SCR: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SSPIPES.SCR: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SSSTARS.SCR: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SSTEXT3D.SCR: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\STIMON.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SUBST.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SYNCAPP.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SYSKEY.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SYSOCMGR.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\SYSTRAY.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\TASKMAN.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\TASKMGR.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\TCMSETUP.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\TCPSVCS.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\TELNET.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\TFTP.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\tourstart.exe: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\TRACERT.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\TRACERT6.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\TSCON.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\TSCUPGRD.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\TSDISCON.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\TSKILL.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\TSSHUTDN.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\UNLODCTR.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\UPNPCONT.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\UPS.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\USERINIT.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\USMT\MIGLOAD.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\USMT\MIGWIZ.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\USMT\MIGWIZ_A.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\USRMLNKA.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\USRPRBDA.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\USRSHUTA.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\UTILMAN.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\VERIFIER.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\VSSADMIN.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\VSSVC.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\W32TM.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\WBEM\MOFCOMP.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\WBEM\SCRCONS.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\WBEM\UNSECAPP.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\WBEM\WBEMTEST.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\WBEM\WINMGMT.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\WBEM\WMIADAP.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\WBEM\WMIAPSRV.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\WBEM\WMIPRVSE.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\WEXTRACT.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\WIAACMGR.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\WINHLP32.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\WINMINE.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\WINMSD.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\WINVER.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\WJVIEW.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\WMPSTUB.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\wmsoft16288.exe: W32.Virut.di FOUND

C:\WINDOWS\SYSTEM32\WPABALN.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\WPNPINST.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\WRITE.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\WSCRIPT.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\WUPDMGR.EXE: W32.Virut-17 FOUND

C:\WINDOWS\SYSTEM32\XCOPY.EXE: W32.Virut-17 FOUND

C:\WINDOWS\TASKMAN.EXE: W32.Virut-17 FOUND

C:\WINDOWS\Temp\15024.exe: W32.Virut-17 FOUND

C:\WINDOWS\Temp\68662.exe: W32.Virut-17 FOUND

C:\WINDOWS\Temp\71717.exe: W32.Virut-17 FOUND

C:\WINDOWS\tsc.exe: W32.Virut-17 FOUND

C:\WINDOWS\TWUNK_32.EXE: W32.Virut-17 FOUND

C:\WINDOWS\uneng.exe: W32.Virut-17 FOUND

C:\WINDOWS\WINHLP32.EXE: W32.Virut-17 FOUND

C:\x9r5w5s2y2x.exe: W32.Virut-17 FOUND

C:\x9r5w5s2y2x6.exe: W32.Virut-17 FOUND

C:\x9y9d3e.exe: W32.Virut-17 FOUND

----------- SCAN SUMMARY -----------

Known viruses: 550192

Engine version: 0.95.1

Scanned directories: 1718

Scanned files: 28984

Infected files: 923



Data scanned: 4822.36 MB

Data read: 4244.89 MB (ratio 1.14:1)

Time: 5332.688 sec (88 m 52 s)

--------------------------------------

Completed

--------------------------------------

Elhrrah
08-03-2009, 06:26 PM
Attempted to connect to the internet in order to download updates; Internet Explorer locked up on the first try and I was forced to shut down the computer manually. On my second try, it said that the LSA shell [Export Version] has encountered a problem and needs to close, after which it locks up completely.

classicsoftware
08-03-2009, 09:04 PM
I don't know where to guide you from here. I don't know what possessed you to do something other than what I suggested. At this point, if you can get online, download SP2 from Microsoft's site (http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=049c9dbe-3b8e-4f30-8245-9e368d3cdb5a).

Elhrrah
08-03-2009, 09:49 PM
I was acting under the guidance of another individual who had done computer repair in the past. I have had positive results working with him before; just not this time. Moreover, I temporarily lost my ability to connect to the internet in any capacity, and had no ability to verify his suggestions with you. I now regret that.

Following his directions, I had ClamWin quarantine the files it had detected. Now, it is stuck in a login/logoff loop when I try in both normal and safe mode, using both the normal user login and the administrator login.

classicsoftware
08-03-2009, 09:54 PM
When you are cleaning a system, you should only work with one person at a time. Otherwise, this is what happens. I believe ClamWin quarantined necessary Windows files and Windows will not load. Unless you can boot ClamWin from a thumb drive or boot into safe mode and get those files out of quarantine, I believe this system is toast w/o a wipe and reinstall. Alternately, you might try Last Known Good Configuration.
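The failure described in this reply (quarantining every hit, including the logon binaries, and ending up in a logon/logoff loop) is avoidable if the scan log is triaged before anything is moved. The script below is an added example, not ClamWin's code and not something anyone in the thread ran: it parses output in the "path: signature FOUND" form shown above, buckets each detection by what removing it would cost, and gives a verdict on whether blind quarantine is safe. The sample log, the boot-critical file list and the bucket names are assumptions constructed for the example; the handful of paths are taken from the thread's own log.

```python
"""Triage a ClamAV/ClamWin scan log before quarantining anything.

Added example (not from the thread or from ClamWin). Groups detections by
where they live and flags boot-critical Windows binaries, so the decision
"quarantine, clean offline, or rebuild" is made before files are moved.
"""
import re
from collections import Counter

# Constructed sample in ClamAV's report format: a small subset of the thread's log.
SAMPLE_LOG = """\
C:\\WINDOWS\\SYSTEM32\\winlogon.exe: W32.Virut-17 FOUND
C:\\WINDOWS\\SYSTEM32\\USERINIT.EXE: W32.Virut-17 FOUND
C:\\WINDOWS\\SYSTEM32\\NOTEPAD.EXE: W32.Virut-17 FOUND
C:\\WINDOWS\\SYSTEM32\\DLLCACHE\\winlogon.exe: W32.Virut-17 FOUND
C:\\WINDOWS\\SYSTEM32\\i: Trojan.Downloader.Bat.Ftp.gen-1 FOUND
C:\\WINDOWS\\Temp\\15024.exe: W32.Virut-17 FOUND
C:\\x9y9d3e.exe: W32.Virut-17 FOUND
----------- SCAN SUMMARY -----------
Infected files: 7
"""

# Binaries Windows XP needs to get from boot to a usable desktop. Quarantining
# any of them produces the logon/logoff loop seen in the thread.
# (Assumed list for this example; adjust it for the Windows version at hand.)
BOOT_CRITICAL = {
    "ntoskrnl.exe", "smss.exe", "csrss.exe", "winlogon.exe", "services.exe",
    "lsass.exe", "userinit.exe", "explorer.exe", "svchost.exe",
}

# ClamAV prints one detection per line as "<path>: <signature> FOUND".
LINE_RE = re.compile(r"^(?P<path>.+?): (?P<sig>\S+) FOUND$")


def parse_detections(log_text):
    """Return (path, signature) pairs; summary and blank lines are skipped."""
    found = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            found.append((m.group("path"), m.group("sig")))
    return found


def classify(path):
    """Bucket a detection by what quarantining that file would cost."""
    parts = path.replace("/", "\\").split("\\")
    lowered = [p.lower() for p in parts]
    name = lowered[-1]
    if "dllcache" in lowered:
        return "wfp-backup"          # the repair source Windows File Protection uses
    if name in BOOT_CRITICAL and "windows" in lowered:
        return "boot-critical"       # removing it breaks boot or logon
    if "temp" in lowered or len(parts) == 2:
        return "temp-or-root"        # droppers in Temp or loose in the drive root
    if "windows" in lowered:
        return "windows-binary"      # OS tool, restorable from install media
    return "other"


def triage(log_text):
    """Summarise detections and say whether blind quarantine is safe."""
    detections = parse_detections(log_text)
    buckets = Counter(classify(p) for p, _ in detections)
    sigs = Counter(s for _, s in detections)
    critical = [p for p, _ in detections if classify(p) == "boot-critical"]
    # Virut is a file infector: every infected count understates the spread.
    file_infector = any(s.lower().startswith("w32.virut") for s in sigs)
    if critical:
        verdict = "unsafe"   # quarantine would strip logon binaries; clean offline or rebuild
    elif file_infector:
        verdict = "unsafe"   # infector may have reached files the scan missed; rebuild
    else:
        verdict = "review"   # boot unlikely to break, but verify each path first
    return {
        "total": len(detections),
        "buckets": dict(buckets),
        "signatures": dict(sigs),
        "boot_critical": critical,
        "file_infector": file_infector,
        "verdict": verdict,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run it against the real log instead of SAMPLE_LOG to see how many of the 923 hits sit in the boot-critical and wfp-backup buckets; a non-empty boot-critical list with a file infector is the signal to stop and reach for install media rather than the quarantine button.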

Elhrrah
08-03-2009, 09:58 PM
ClamWin does run off a flash drive (the person brought it with him), but I cannot get past the login screen in order to do anything - even in safe mode.

Update: Tried the last known good configuration; didn't work.

classicsoftware
08-04-2009, 12:02 AM
Does safe mode work?

Elhrrah
08-04-2009, 12:05 AM
No, safe mode does not work.

I've heard mention of a Ctrl-F11 command used for Dell laptops which resets everything to factory defaults; is there any truth in this?

classicsoftware
08-04-2009, 10:10 AM
You can give it a try. Reformat & reinstall is your only option at this point.

Elhrrah
08-05-2009, 09:59 AM
I have - thank all that is holy - found an installation disk. Hopefully, I should return with good news in an hour or two.

I must thank you for all your help - you've given quite a lot - and the learning experience you've given me. Hopefully, we'll never meet again.

classicsoftware
08-05-2009, 10:18 AM
I have - thank all that is holy - found an installation disk. Hopefully, I should return with good news in an hour or two.

I must thank you for all your help - you've given quite a lot - and the learning experience you've given me. Hopefully, we'll never meet again.

Hopefully we'll meet again under better circumstances....