Frozen Internet Connection!!!
Gladiator Security Forum > Malware Help Forum > HELP! Think you are Infected?
MinhDo
Hi everyone,

The computer I'm using, which has WinNT, was recently infected by a whole bunch of viruses and I don't know what to do. The problem is now more complicated since the virus seems to have changed something in the registry so that I can't get an internet connection (this is the BIGGEST problem that I want to solve first), and therefore it's much harder for me to search for helpful information. After scanning with Norton Antivirus, this is what I get:

Date: 12/23/2005, Time: 1:18:16,
The file
C:\WINNT\system32\encodex.exe
is infected with the Download.Trojan virus.
Unable to repair this file.


Date: 12/23/2005, Time: 1:18:16,
The file
C:\WINNT\system32\encodex.exe
is infected with the Download.Trojan virus.
Access to the file was denied.


Date: 12/23/2005, Time: 1:18:18,
The file
C:\WINNT\system32\howiper.exe
is infected with the Trojan Horse virus.
Unable to repair this file.


Date: 12/23/2005, Time: 1:18:18,
The file
C:\WINNT\system32\howiper.exe
is infected with the Trojan Horse virus.
Access to the file was denied.


Date: 12/23/2005, Time: 1:18:24,
The file
C:\WINNT\system32\favset.exe
is infected with the Trojan.Favadd virus.
Unable to repair this file.


Date: 12/23/2005, Time: 1:18:24,
The file
C:\WINNT\system32\favset.exe
is infected with the Trojan.Favadd virus.
Access to the file was denied.


Date: 12/23/2005, Time: 1:18:26,
The file
C:\WINNT\system32\idemlog.exe
is infected with the Trojan.Adclicker virus.
Unable to repair this file.


Date: 12/23/2005, Time: 1:18:26,
The file
C:\WINNT\system32\idemlog.exe
is infected with the Trojan.Adclicker virus.
Access to the file was denied.


Date: 12/23/2005, Time: 1:18:38,
The file
C:\WINNT\system32\dgprpsetup.exe
is infected with the Trojan.Stwoyle virus.
Unable to repair this file.


Date: 12/23/2005, Time: 1:18:38,
The file
C:\WINNT\system32\dgprpsetup.exe
is infected with the Trojan.Stwoyle virus.
Access to the file was denied.

I know that the program HijackThis can be very helpful for anyone who wants to help me with the problems, but I'm no expert and not sure if it will display any private information to others. Please understand this because it's not my computer and the owner is very strict about putting any unknown programs on his machine. Please, anyone out there, give me some advice. Thanks so much in advance.
Bobbi Flekman
Download HijackThis.
http://www.bleepingcomputer.com/files/hijackthis.php
http://209.133.47.12/~merijn/files/HijackThis.exe
http://www.downloads.subratam.org/hijackthis.zip

If you are on Windows XP, extract the file. Do not just double-click on it! That opens HijackThis in a temporary folder, which would interfere with its ability to make back-ups.

Unzip to a folder other than your Desktop or the Temp folder. Then double-click HijackThis.exe and click "Scan".

When the scan is finished, the "Scan" button will change into a "Save Log" button.
Press that and copy and paste its contents in this thread.

Most of what it lists will be harmless or even essential, don't fix anything yet. Someone will be along to tell you what steps to take after you post the contents of the scan results.
MinhDo
Okay, this is the log, but I'm afraid I double-clicked the hijackthis.zip file, so I'm not sure if that would cause any problems. Anyway, I'll try again.

Logfile of HijackThis v1.99.1
Scan saved at 02:10:39, on 7/01/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\system32\cisvc.exe
C:\WINNT\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Utilities\Norton AV\navapsvc.exe
C:\Utilities\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Utilities\Speed Disk\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\UTILIT~1\NORTON~1\navapw32.exe
C:\UTILIT~1\POP-UP~1\dpps2.exe
C:\Program Files\Telstra\Toolbar\bpumTray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Utilities\Spybot\TeaTimer.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Utilities\AdFree\AdFree.exe
C:\WINNT\webshots.scr
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\UTILIT~1\WINZIP\winzip32.exe
C:\Minh\Solution\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Utilities\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Utilities\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: WinZip IBS - {99A10100-66BB-11D4-A02A-00600818E7D8} - C:\UTILIT~1\WINZIP\wziebs.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Utilities\Norton AV\NavShExt.dll
O2 - BHO: CWebDirObj Object - {C003C49F-53E4-4A72-B7D6-0B2B9997392F} - (no file)
O2 - BHO: Fire-Trust SiteHound - {C86AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Utilities\SiteHound\SiteHound.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Utilities\Norton AV\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: SiteHound - {73F7F495-A325-4C52-BE48-5F97FA511E89} - C:\Utilities\SiteHound\SiteHound.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NAV Agent] C:\UTILIT~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\UTILIT~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\UTILIT~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [ImInstaller_IncrediMail] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ImInstaller\IncrediMail\imloader.exe -startup -product IncrediMail -skip_dialog language
O4 - HKLM\..\Run: [Zone Labs Client] C:\Utilities\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [dmbxj.exe] C:\WINNT\system32\dmbxj.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Utilities\Spybot\TeaTimer.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Startup: AdFree.exe.lnk = C:\Utilities\AdFree\AdFree.exe
O4 - Startup: Webshots.lnk = C:\Utilities\Webshots\Launcher.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - C:\Utilities\SiteHound\SiteHound.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com.au/
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.google.com.au/
O15 - Trusted Zone: *.usyd.edu.au
O15 - Trusted Zone: http://www.usyd.edu.au
O15 - Trusted Zone: http://www.usyd.edu.au ; *.usyd.edu.au
O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156/scanner/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotion...ctor/WebSWK.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.fujicolor.com.au/en/feeders/XUpload.ocx
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup...er/imloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C84A3998-06A3-4E4D-B319-63F93A0BA68E}: NameServer = 85.255.114.90,85.255.112.15
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Utilities\Norton AV\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Utilities\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Utilities\Speed Disk\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe

Thanks
Bobbi Flekman
Hi MinhDo,

Check your computer with the following free anti-virus/anti-trojan products.

Housecall Anti Virus, Panda Anti Virus, Trojan Scan, Bit Defender

Post all the logs that you can create with these services.

You might want to save this page on your favorites, so you can find it again when you return. You can also click on your name and click on "Find All Posts" to find your thread.

Run HijackThis, click on "Scan" and check the boxes next to all these items.

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm

F2 - REG:system.ini: UserInit=userinit.exe

O2 - BHO: CWebDirObj Object - {C003C49F-53E4-4A72-B7D6-0B2B9997392F} - (no file)

O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)

O4 - HKLM\..\Run: [ImInstaller_IncrediMail] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ImInstaller\IncrediMail\imloader.exe -startup -product IncrediMail -skip_dialog language
O4 - HKLM\..\Run: [dmbxj.exe] C:\WINNT\system32\dmbxj.exe

There are restrictions set on Control Panel. If you or your system administrator has not put this restriction on Control Panel, also check this item.

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


Then close all windows, and browsers, except HijackThis. Tell HijackThis to "Fix checked".

Restart your computer in Safe Mode. How do I Safe Boot my computer?

Show hidden files. How do I show hidden files?
At the end if the fix you can return the files to hidden status if you want.

Delete the following files in red (it could be that they are deleted already):

C:\WINNT\system32\dmbxj.exe

Restart your computer and post a new log in this thread.
MinhDo
Thanks very much for replying, Bobbi. I have done the things you told me to with HijackThis. It seems to have fixed the Internet Explorer toolbar which had disappeared before, but that is not my main concern. The big problem is I still don't have an internet connection. By the way, the file you mentioned appeared to be C:\WINNT\system32\dmbxg.exe instead of C:\WINNT\system32\dmbxj.exe as you said, but I went ahead anyway. Here is the new log after I scanned with HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 13:56:38, on 9/01/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\system32\cisvc.exe
C:\WINNT\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Utilities\Norton AV\navapsvc.exe
C:\Utilities\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Utilities\Speed Disk\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\UTILIT~1\NORTON~1\navapw32.exe
C:\UTILIT~1\POP-UP~1\dpps2.exe
C:\Program Files\Telstra\Toolbar\bpumTray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Utilities\ZoneAlarm\zlclient.exe
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Utilities\Spybot\TeaTimer.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Utilities\AdFree\AdFree.exe
C:\WINNT\webshots.scr
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\UTILIT~1\WINZIP\winzip32.exe
C:\WINNT\system32\notepad.exe
C:\Minh\Solution\Hijack\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Utilities\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Utilities\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: WinZip IBS - {99A10100-66BB-11D4-A02A-00600818E7D8} - C:\UTILIT~1\WINZIP\wziebs.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Utilities\Norton AV\NavShExt.dll
O2 - BHO: Fire-Trust SiteHound - {C86AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\Utilities\SiteHound\SiteHound.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Utilities\Norton AV\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: SiteHound - {73F7F495-A325-4C52-BE48-5F97FA511E89} - C:\Utilities\SiteHound\SiteHound.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NAV Agent] C:\UTILIT~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\UTILIT~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\UTILIT~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Utilities\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Utilities\Spybot\TeaTimer.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - Startup: AdFree.exe.lnk = C:\Utilities\AdFree\AdFree.exe
O4 - Startup: Webshots.lnk = C:\Utilities\Webshots\Launcher.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {11316B13-33F0-4C9F-BD55-09994CCFA8EB} - C:\Utilities\SiteHound\SiteHound.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com.au/
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.google.com.au/
O15 - Trusted Zone: *.usyd.edu.au
O15 - Trusted Zone: http://www.usyd.edu.au
O15 - Trusted Zone: http://www.usyd.edu.au ; *.usyd.edu.au
O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156/scanner/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotion...ctor/WebSWK.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.fujicolor.com.au/en/feeders/XUpload.ocx
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup...er/imloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C84A3998-06A3-4E4D-B319-63F93A0BA68E}: NameServer = 85.255.114.90,85.255.112.15
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Utilities\Norton AV\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Utilities\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Utilities\Speed Disk\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe


Please help!!!
Bobbi Flekman
Hi MinhDo,

Ok.... The log is clean. Now to the connection...

Since when don't you have a connection? Can you tell me more about it? The more you can tell, the easier it might be for me to help you.
MinhDo
Thanks, I'm glad that the log is clean now. I lost the internet connection not long after I got the virus. I can't remember if I lost it immediately or after I ran a scan with Ad-aware and deleted a few things. I'll try looking at it again. Could it be because I ran Norton Antivirus and quarantined some items??
Bobbi Flekman
QUOTE (MinhDo @ Jan 10 2006, 06:52 AM)
Thanks, I'm glad that the log is clean now. I lost the internet connection not long after I got the virus. I can't remember if I lost it immediately or after I ran a scan with Ad-aware and deleted a few things. I'll try looking at it again. Could it be because I ran Norton Antivirus and quarantined some items??
That could very well be... Can you check what Norton quarantined?

Can you get onto the net to retrieve email? Or MSN? Anything other than the web? That would tell me if the problem is just with the Internet, or with the way Windows is configured.
MinhDo
Thanks. The problem I have is with everything concerning the Internet, because I cannot log into the network at all. No e-mail can be received and MSN can't be used. The quarantined items from Norton anti-virus are:
-dgprpsetup.exe
-encodex.exe
-favset.exe
-howiper.exe
-idemlog.exe
Bobbi Flekman
In that I read that you cannot access anything on the network. That would mean that the protocols are shot in Windows.

Can you reinstall the network protocols? Can you get onto the network then?
MinhDo
Hi Bobbi, I've reinstalled the login program but that doesn't fix anything. The modem is showing internet activity, the IP address is correct and I could get files from the network using a cmd window, but none of the other programs relating to the internet work; there's just no connection.
Bobbi Flekman
Click "Start", "Run...", type "cmd.exe" and click on "OK". In the new Window type ping www.gladiator-antivirus.com and press Enter. Please copy and paste the results in a next post.
MinhDo
All I got is the message "Unknown host www.gladiator-antivirus.com".
I tried to ping other sites but the same thing happens. What should I do?
Bobbi Flekman
That sounds more like the configuration to your ISP has been changed, or become corrupt. Can you check with them to see if DNS servers and other IP addresses are correct?
MinhDo
Thanks for the help, Bobbi. When you say "them", do you mean the network that I have my internet connection with? How do I check if the ISP configuration is corrupted or has been changed, and how do I know whether the DNS servers and other IPs are correct??
Bobbi Flekman
QUOTE (MinhDo @ Jan 16 2006, 05:20 AM)
Thanks for the help, Bobbi. When you say "them", do you mean the network that I have my internet connection with? How do I check if the ISP configuration is corrupted or has been changed, and how do I know whether the DNS servers and other IPs are correct??
"Them" is the Internet Service Provider you have a subscription to. It almost sounds like a conspiracy. The best thing would be to call their helpdesk (or something) and go through your configuration with them. They will know what to do and help you find the answers on your system.

You can always come back afterwards but then at least we know that all the IP addresses and other stuff is correct.
MinhDo
Yep, all is fixed now.

Apparently one of the viruses changed my network connection configuration. So basically, I had to go to Control Panel, Network Connections and change the properties to "Obtain DNS server address automatically", and it works. Thanks so much Bobbi, I've learned so much.
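The root cause MinhDo found (a hard-coded DNS server setting) was visible the whole time as the O17 NameServer line in both posted logs, alongside the items Bobbi did tell him to fix: IE "Local Page" entries pointing at C:\WINDOWS on a machine whose system root is C:\WINNT, "(no file)" extension registrations, an autorun launched from a Temp directory, an autorun named after its own executable, and an O6 policy restriction. The script below is an added example, not code from this thread or from HijackThis, that turns those checks into a small log triage tool. The sample lines are copied from the logs posted above; the system-root comparison, the "key name equals filename" heuristic and the assumption that DNS should be DHCP-assigned are my own choices, so treat its findings as a review list, not a verdict.

```python
import re

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\System32\blank.htm
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: CWebDirObj Object - {C003C49F-53E4-4A72-B7D6-0B2B9997392F} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Utilities\Norton AV\NavShExt.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\..\Run: [NAV Agent] C:\UTILIT~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\UTILIT~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [ImInstaller_IncrediMail] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ImInstaller\IncrediMail\imloader.exe -startup -product IncrediMail
O4 - HKLM\..\Run: [dmbxj.exe] C:\WINNT\system32\dmbxj.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O17 - HKLM\System\CCS\Services\Tcpip\..\{C84A3998-06A3-4E4D-B319-63F93A0BA68E}: NameServer = 85.255.114.90,85.255.112.15
"""

LINE_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,]+)")


def parse_line(line):
    """Split a HijackThis line into its section tag (R0, O2, O17, ...) and payload."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None, line.strip()
    return m.group(1), m.group(2)


def exe_name(cmd):
    """Basename (lowercased) of the program an O4 command launches, quotes stripped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        path = cmd[1:].split('"', 1)[0]
    else:
        path = cmd.split(" ", 1)[0]
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text, system_root="C:\\WINNT"):
    """Return (tag, reason, line) findings for the checks used in this thread.

    system_root is an assumption: the posted logs show a WinNT 5.0 box whose
    Windows directory is C:\\WINNT, so an IE setting under C:\\WINDOWS is odd.
    """
    findings = []
    for raw in log_text.splitlines():
        tag, body = parse_line(raw)
        if tag is None:
            continue
        line = raw.strip()
        if tag in ("R0", "R1") and "=" in body:
            value = body.split("=", 1)[1].strip().lower()
            if value.startswith("c:\\") and not value.startswith(system_root.lower() + "\\"):
                findings.append((tag, "IE page setting points outside the system root", line))
        elif tag in ("O2", "O3") and body.endswith("(no file)"):
            findings.append((tag, "orphaned browser extension registration (no file on disk)", line))
        elif tag == "O4":
            m = O4_RE.match(line)
            if m:
                name, cmd = m.group("name"), m.group("cmd")
                if "\\temp\\" in cmd.lower():
                    findings.append((tag, "autorun launched from a Temp directory", line))
                elif name.lower() == exe_name(cmd):
                    # Heuristic (my assumption): a Run value named after its own .exe,
                    # like [dmbxj.exe], is unusual for legitimately installed software.
                    findings.append((tag, "autorun whose key name is just its own filename", line))
        elif tag == "O6":
            findings.append((tag, "policy restriction on Internet Explorer / Control Panel present", line))
        elif tag == "O17":
            m = O17_RE.match(line)
            if m:
                servers = m.group("servers").split(",")
                # Assumption: this host should get DNS from DHCP, so any static
                # NameServer value is worth comparing against what the ISP hands out.
                findings.append((tag, "hard-coded DNS servers %s (expected DHCP-assigned)" % ", ".join(servers), line))
    return findings


if __name__ == "__main__":
    for tag, reason, line in triage(SAMPLE_LOG):
        print("%-4s %s\n     %s" % (tag, reason, line))
```

Run it against a saved HijackThis log (replace SAMPLE_LOG with the file's contents) and read the O17 finding first: a static NameServer value that the owner never configured is exactly the symptom this thread ended with, "Unknown host" on every ping while the IP address and modem looked fine.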
Bobbi Flekman
Hi MinhDo,

You're welcome.

This is a good time to set up protection against further attacks. Read the article behind this link, "How did I get infected". If you don't already have them, you need an antivirus that is kept updated, a good firewall (for example Sygate Personal Firewall, Kerio Personal Firewall or ZoneLabs Zone Alarm), a spyware blocker like SpywareBlaster and also IE-Spyads, and spyware detection (Ad-aware SE and SpyBot S+D). All of these have good free versions available. Be very cautious about any security software that advertises in popups or other intrusive ways; they are not only usually useless, but also often have malware in them....

Instead of Internet Explorer, use a different browser like Opera, Mozilla or Firefox.

Last, but not least, you need to keep Windows and Internet Explorer up to date by getting all the latest security patches that protect your computer.

This can be accessed by going to http://windowsupdate.microsoft.com/ and following the prompts. If you are running Windows XP get updated to SP-2

Please post back if you are still having any problems....
MinhDo
Hi, I'm back, with new problems. It's infected with several trojans, Norton Antivirus seems abnormal (can't run LiveUpdate, etc.) and the system seems to be very slow, often saying "your virtual memory is slow". Please guide me on how to solve this. Here is the log that I just scanned using hijackthis.exe:

Logfile of HijackThis v1.99.1
Scan saved at 13:55:40, on 1/02/2006
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\drivers\CDAC11BA.EXE
C:\WINNT\system32\cisvc.exe
C:\WINNT\system32\CTsvcCDA.EXE
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\hidserv.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Utilities\Norton AV\navapsvc.exe
C:\Utilities\Norton Utilities\NPROTECT.EXE
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Utilities\Speed Disk\nopdb.exe
C:\WINNT\system32\stisvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Ahead\InCD\InCD.exe
C:\UTILIT~1\NORTON~1\navapw32.exe
C:\UTILIT~1\POP-UP~1\dpps2.exe
C:\Program Files\Telstra\Toolbar\bpumTray.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Utilities\ZoneAlarm\zlclient.exe
C:\WINNT\system32\RunDll32.exe
C:\Utilities\Spybot\TeaTimer.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\Utilities\AdFree\AdFree.exe
C:\WINNT\webshots.scr
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINNT\system32\ZoneLabs\vsmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Telstra\Cable Login\bpcable.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Minh\Solution\Hijack\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Utilities\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: WinZip IBS - {99A10100-66BB-11D4-A02A-00600818E7D8} - C:\UTILIT~1\WINZIP\wziebs.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Utilities\Norton AV\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Utilities\Norton AV\NavShExt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [NAV Agent] C:\UTILIT~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Advanced Tools Check] C:\UTILIT~1\NORTON~1\AdvTools\ADVCHK.EXE
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\UTILIT~1\POP-UP~1\dpps2.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [BigPond Toolbar] "C:\Program Files\Telstra\Toolbar\bpumTray.exe"
O4 - HKLM\..\Run: [POINTER] C:\Program Files\Microsoft Hardware\Mouse\point32.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Utilities\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [BigPondCable] "C:\Program Files\Telstra\Cable Login\bpcable.exe" /r
O4 - HKLM\..\Run: [CmUsbSound] RunDll32 cmcnfgu.cpl,CMICtrlWnd
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Utilities\Spybot\TeaTimer.exe
O4 - HKCU\..\Run: [Creative Detector] "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe" /R
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - Startup: AdFree.exe.lnk = C:\Utilities\AdFree\AdFree.exe
O4 - Startup: Webshots.lnk = C:\Utilities\Webshots\Launcher.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINNT\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download All by FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.google.com.au/
O14 - IERESET.INF: MS_START_PAGE_URL=http://www.google.com.au/
O15 - Trusted Zone: *.usyd.edu.au
O15 - Trusted Zone: http://www.usyd.edu.au
O15 - Trusted Zone: http://www.usyd.edu.au ; *.usyd.edu.au
O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/games/clients/y/ct2_x.cab
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://69.44.122.156/scanner/axscanner.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://appldnld.m7z.net/content.info.apple...iTunesSetup.exe
O16 - DPF: {5D9E4B6D-CD17-4D85-99D4-6A52B394EC3B} - http://www.webshots.com/samplers/WSDownloader.ocx
O16 - DPF: {99B6E512-3893-4155-9964-8EB8E06099CB} (WebSpyWareKiller Class) - http://download.zonelabs.com/bin/promotion...ctor/WebSWK.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.fujicolor.com.au/en/feeders/XUpload.ocx
O16 - DPF: {F00F4763-7355-4725-82F7-0DA94A256D46} (IncrediMail) - http://www5.incredimail.com/contents/setup...er/imloader.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15016/CTPID.cab
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINNT\system32\drivers\CDAC11BA.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINNT\system32\CTsvcCDA.EXE
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Utilities\Norton AV\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Utilities\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\Utilities\Speed Disk\nopdb.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
MinhDo
I also forgot to mention that my computer was infected by these:


C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q2GK4HB7\mm[1].htm
is infected with the Download.Trojan virus.
Unable to repair this file.


C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q2GK4HB7\mm[1].htm
is infected with the Download.Trojan virus.
Access to the file was denied.


C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q2GK4HB7\login[1].htm
is infected with the Trojan.Phel virus.
Unable to repair this file.


C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Q2GK4HB7\login[1].htm
is infected with the Trojan.Phel virus.
Access to the file was denied.



C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JUZ5Y62F\bbs005111[1].gif
is infected with the Trojan.Phel virus.
Unable to repair this file.



C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JUZ5Y62F\bbs005111[1].gif
is infected with the Trojan.Phel virus.
Access to the file was denied.


C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JUZ5Y62F\bbs005111[1].gif
is infected with the Trojan.Phel virus.
Unable to repair this file.


C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JUZ5Y62F\bbs005111[1].gif
is infected with the Trojan.Phel virus.
Access to the file was denied.


C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JUZ5Y62F\exploit[1].wmf
is infected with the Trojan.Ducky.B virus.
Unable to repair this file.


C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JUZ5Y62F\exploit[1].wmf
is infected with the Trojan.Ducky.B virus.
Access to the file was denied.


C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JUZ5Y62F\exploit[1].wmf
is infected with the Trojan.Ducky.B virus.
Unable to repair this file.



C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JUZ5Y62F\exploit[1].wmf
is infected with the Trojan.Ducky.B virus.
Access to the file was denied.



C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JUZ5Y62F\exploit[1].wmf
is infected with the Trojan.Ducky.B virus.
Unable to repair this file.



C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JUZ5Y62F\exploit[1].wmf
is infected with the Trojan.Ducky.B virus.
Access to the file was denied.



C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\13DZ5YNX\bbs005111[1].css
is infected with the Trojan.Desktophijack.C virus.
Unable to repair this file.



C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\13DZ5YNX\bbs005111[1].css
is infected with the Trojan.Desktophijack.C virus.
Access to the file was denied.

I don't know which box to tick and "fix check" after scanning with hijackthis.exe. Can somebody please help?
Bobbi Flekman
Hi MinhDo,

Your log looks clean. The files you've shown are in the cache from Internet Explorer. Go to "Start" -> "Run" and type in the box: "cleanmgr". Let it scan your system for files to remove. Make sure these 3 are checked and then press "Ok" to remove:
  • Temporary Files
  • Temporary Internet Files
  • Recycle Bin

Defragment your hard disc, and tell me if the problems are still there.
MinhDo
Hey, thanks so much Bobbi. I've done all that and hopefully it'll be alright. By the way, how do you know my log is clean? That bunch, to me, is just like a totally different language. Can you show me how to differentiate, please?
Bobbi Flekman
Hi MinhDo,

QUOTE
By the way, how do you know my log is clean? That bunch, to me, is just like a totally different language. Can you show me how to differentiate
You can get trained in dealing with these logs. I suggest you go to SpywareInfo and post a message in this thread to enter Boot Camp. ;) That way you can get trained in dealing with HijackThis and other logs and infections.
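For readers who want to see what "reading" one of these logs means in practice, here is an added example that is not part of this thread, of HijackThis, or of the Boot Camp material. It is a small Python script that parses HijackThis O-lines into section, CLSID, file path and URL, then applies the generic rules a reviewer uses to decide which items to look up first: does an ActiveX download (O16) come from a bare IP address rather than a named site, does a service (O23) report no publisher, is a Trusted Zone (O15) entry one the user actually added, is a BHO (O2) unnamed, and does a persistent item load from a cache or temp directory. The sample input is a handful of lines copied from the log above and embedded as a constructed string; the regexes and the WRITABLE_DIRS list are this example's own assumptions. A flag means "identify this item before deciding", not "tick and Fix checked": the Spybot SDHelper line is flagged only because it carries no name, and it is legitimate.

```python
"""Parse HijackThis O-lines and flag the entries a reviewer should look up first.

Added example for this thread; not part of HijackThis or of any forum post.
A flag is a prompt to identify the item (by CLSID, path, vendor), never a verdict.
"""
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Utilities\Spybot\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [Pop-Up Stopper] "C:\UTILIT~1\POP-UP~1\dpps2.exe"
O15 - Trusted Zone: *.usyd.edu.au
O16 - DPF: ppctlcab - http://69.44.122.156/scanner/ppctlcab.cab
O16 - DPF: {2359626E-7524-4F87-B04E-22CD38A0C88C} (ICSScannerLight Class) - http://download.zonelabs.com/bin/free/cm/ICSCM.cab
O23 - Service: BigPond Broadband Cable Login (bpcService) - Unknown owner - C:\Program Files\Telstra\Cable Login\bpcService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINNT\system32\ZoneLabs\vsmon.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# First drive-letter path ending in a loadable extension (non-greedy, so args after it are dropped).
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|ocx|cpl|scr|sys)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")
BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Assumed list of locations a persistent item should not normally run from.
WRITABLE_DIRS = ("\\temp\\", "\\temporary internet files\\",
                 "\\documents and settings\\", "\\local settings\\")


def parse_line(line):
    """Split one log line into section, CLSID, file path and URL; None if not an O-line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.groups()
    clsid = CLSID_RE.search(rest)
    path = PATH_RE.search(rest)
    url = URL_RE.search(rest)
    return {
        "section": section,
        "raw": line.strip(),
        "rest": rest,
        "clsid": clsid.group(0).upper() if clsid else None,
        "path": path.group(0) if path else None,
        "url": url.group(0) if url else None,
    }


def reasons_for(entry):
    """Return the reasons this entry deserves a lookup (empty list if none)."""
    reasons = []
    sec, rest, path, url = entry["section"], entry["rest"], entry["path"], entry["url"]
    if sec == "O16" and url:
        host = urlparse(url).hostname or ""
        if BARE_IP_RE.match(host):
            reasons.append("ActiveX (DPF) download from a bare IP address, not a named site")
    if sec == "O23" and "Unknown owner" in rest:
        reasons.append("service reports no publisher; check the file's vendor and signature")
    if sec == "O15":
        reasons.append("Trusted Zone entry lowers IE security for that site; confirm you added it")
    if sec == "O2" and "(no name)" in rest:
        reasons.append("unnamed BHO; identify it by CLSID before deciding")
    if path and any(d in path.lower() for d in WRITABLE_DIRS):
        reasons.append("persistent item loads from a user-writable or cache location")
    return reasons


def triage(log_text):
    """Parse every O-line in the log and return the flagged entries with their reasons."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = reasons_for(entry)
        if reasons:
            flagged.append({"entry": entry, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["entry"]["raw"])
        for reason in hit["reasons"]:
            print("    ->", reason)
```

Run against the sample, four of the eight lines are flagged (the unnamed BHO, the Trusted Zone wildcard, the DPF entry served from 69.44.122.156, and the service with no owner string), while the Java helper, the Pop-Up Stopper entry, the Zone Labs DPF entry and the vsmon service pass. The next step for each flagged line is the same one Bobbi's training suggests: look the CLSID, file name or vendor up before touching the checkbox.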