[Not curable - Virut!] Please help to check hijackthis log !!

#1
14-10-2009, 12:55 AM
supreme (Junior Member, joined May 2008, 27 posts)

Please help me to check the hijack log file below....
I feel something is wrong with my server & the error message below always pops up... !!

Thanks !!



===============================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:49:37 AM, on 10/14/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\bin\tomcat.exe
C:\Program Files\Trend Micro\ISVW\Web\FTP\isftpd.exe
C:\Program Files\Trend Micro\ISVW\Mail\ISNTSmtp\ISNTSysMonitor.exe
C:\Program Files\Trend Micro\ISVW\Mail\ISNTSmtp\IsntSmtp.exe
C:\Program Files\Trend Micro\ISVW\Web\HTTP\IWSSHTTPMain.exe
C:\Program Files\Trend Micro\ISVW\Mail\ISNTSmtp\scheduler.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\system32\wmiprvse.exe
C:\WINDOWS\System32\snmp.exe
C:\hp\hpsmh\bin\smhstart.exe
C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
C:\WINDOWS\system32\CpqRcmc.exe
C:\WINDOWS\system32\CPQMgmt\CqMgServ\cqmgserv.exe
C:\WINDOWS\system32\CPQMgmt\CqMgStor\cqmgstor.exe
C:\WINDOWS\system32\sysdown.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\WINDOWS\system32\CPQMgmt\CqMgHost\cqmghost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe
C:\Program Files\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cpqteam.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\OfficeScan Client\Apache2\bin\ApacheMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\logon.scr
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cpqteam.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dumprep.exe
C:\Program Files\Trend Micro\OfficeScan Client\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = *.*.*.*
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Trend Micro\OfficeScan Client\Apache2\bin\ApacheMonitor.exe
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1229579345093
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
O18 - Protocol: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files\Compaq\Cpqacuxe\Bin\hpapp.dll
O23 - Service: Apache2 - Unknown owner - c:\Program Files\Trend Micro\OfficeScan Client\Apache2\bin\Apache.exe (file missing)
O23 - Service: HP Insight NIC Agent (CpqNicMgmt) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqRcmc.exe
O23 - Service: HP Version Control Agent (cpqvcagent) - Hewlett-Packard Company - C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
O23 - Service: HP Insight Foundation Agents (CqMgHost) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQMgmt\CqMgHost\cqmghost.exe
O23 - Service: HP Insight Server Agents (CqMgServ) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQMgmt\CqMgServ\cqmgserv.exe
O23 - Service: HP Insight Storage Agents (CqMgStor) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQMgmt\CqMgStor\cqmgstor.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterScan VirusWall Management Console - Alexandria Software Consulting - C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\bin\tomcat.exe
O23 - Service: InterScan VirusWall for FTP (ISFTPD) - Trend Micro, Inc. - C:\Program Files\Trend Micro\ISVW\Web\FTP\isftpd.exe
O23 - Service: InterScan VirusWall System Monitor (ISNTSysMonitor) - Trend Micro Inc. - C:\Program Files\Trend Micro\ISVW\Mail\ISNTSmtp\ISNTSysMonitor.exe
O23 - Service: InterScan VirusWall for HTTP (ISVWHTTP) - Trend Micro Inc. - C:\Program Files\Trend Micro\ISVW\Web\HTTP\IWSSHTTPMain.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: Protected Storage Manager (rspp) - Unknown owner - cmd /c start C:\WINDOWS\system32\wmiprvse.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINDOWS\system32\sysdown.exe
O23 - Service: HP System Management Homepage (SysMgmtHP) - Hewlett-Packard Company - C:\hp\hpsmh/bin/smhstart.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\..\BM\TMBMSRV.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe

--
End of file - 9075 bytes
Attached image: error-msg.jpg (27.2 KB)
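The O23 (service) entries in a log like the one above are where a practitioner looks first, because a service runs as SYSTEM at every boot. As an added example that is not part of the forum thread, the Python script below parses O23 lines and scores each service with a few heuristics of this editor's own: an ImagePath that starts with an interpreter such as `cmd`, a `(file missing)` image, no vendor string, a binary under a user-writable directory, and a display name that mimics a built-in Windows service but is registered under a different short name. The four sample lines are copied from the log above; the weights and the small table of built-in service names are assumptions for illustration, not HijackThis or Trend Micro logic. On this input the `rspp` entry, whose ImagePath is `cmd /c start ...`, scores highest.

```python
"""Score the O23 (service) lines of a HijackThis log for triage.

Added example, not part of the forum thread. The four sample lines are
copied from the HijackThis log above; the rules, weights and the small
table of built-in service names are this editor's own heuristics, not
HijackThis or Trend Micro behaviour.
"""
import re

# O23 - Service: <display name> (<short name>) - <vendor> - <command line>
O23_NAMED = re.compile(
    r"^O23 - Service: (?P<display>.+?) \((?P<name>[^()]+)\) - (?P<vendor>.+?) - (?P<cmd>.+)$"
)
# The same line without a short name, e.g. "Apache2 - Unknown owner - ..."
O23_BARE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<vendor>.+?) - (?P<cmd>.+)$")

# Built-in Windows service display names -> their real short names (assumed
# reference values), used to spot look-alikes registered under another name.
BUILTIN_SERVICES = {"protected storage": "ProtectedStorage", "smart card": "SCardSvr"}

# A service whose ImagePath starts with one of these is launched through an
# interpreter, which legitimate services almost never do.
INTERPRETERS = {"cmd", "cmd.exe", "rundll32", "rundll32.exe",
                "wscript", "wscript.exe", "cscript", "cscript.exe"}

# Constructed sample: four O23 lines copied from the log in post #1.
SAMPLE_LOG = r"""
O23 - Service: Apache2 - Unknown owner - c:\Program Files\Trend Micro\OfficeScan Client\Apache2\bin\Apache.exe (file missing)
O23 - Service: HP Insight NIC Agent (CpqNicMgmt) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
O23 - Service: Protected Storage Manager (rspp) - Unknown owner - cmd /c start C:\WINDOWS\system32\wmiprvse.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
"""


def parse_o23(line):
    """Return a dict with display/name/vendor/cmd for one O23 line, or None."""
    m = O23_NAMED.match(line) or O23_BARE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry.setdefault("name", entry["display"])   # bare lines have no short name
    return entry


def score_service(entry):
    """Return (score, reasons) for one parsed O23 entry; higher is more suspicious."""
    cmd = entry["cmd"].lower()
    exe = cmd.split()[0].rsplit("\\", 1)[-1] if cmd.split() else ""
    reasons = []
    if exe in INTERPRETERS:
        reasons.append(("launched via interpreter", 4))
    if "(file missing)" in cmd:
        reasons.append(("image file missing", 1))
    if entry["vendor"].lower() == "unknown owner":
        reasons.append(("no vendor", 1))
    if "\\documents and settings\\" in cmd or "\\temp\\" in cmd:
        reasons.append(("user-writable path", 3))
    for prefix, real in BUILTIN_SERVICES.items():
        if entry["display"].lower().startswith(prefix) and entry["name"].lower() != real.lower():
            reasons.append((f"mimics built-in {real}", 3))
    return sum(w for _, w in reasons), [r for r, _ in reasons]


def triage(log_text):
    """Parse every O23 line and return [(short name, score, reasons)], highest score first."""
    results = []
    for line in log_text.splitlines():
        entry = parse_o23(line.strip())
        if entry:
            score, reasons = score_service(entry)
            results.append((entry["name"], score, reasons))
    results.sort(key=lambda r: -r[1])
    return results


if __name__ == "__main__":
    for name, score, reasons in triage(SAMPLE_LOG):
        print(f"{score:2d}  {name:12s} {', '.join(reasons) or '-'}")
```

The score is only an ordering for a human to follow up on, not a verdict: `(file missing)` with no vendor also describes a leftover from an uninstalled product, so the next step on the box is to read the service's ImagePath from HKLM\SYSTEM\CurrentControlSet\Services and check who created the key, not to delete on the strength of the number.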
#2
14-10-2009, 06:08 PM
broni (Senior Member, joined Nov 2004, 2,272 posts)
re: [Not curable - Virut!] Please help to check hijackthis log !!

Print these instructions out.

NOTE. If any of the programs listed below refuse to run, try renaming the executable file to something else; for instance, rename hijackthis.exe to scanner.exe

***VERY IMPORTANT! Make sure you update SUPERAntiSpyware and Malwarebytes before running the scans.***

STEP 1. Download SUPERAntiSpyware Free for Home Users:
SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

* Double-click SUPERAntiSpyware.exe and use the default settings for installation.
* An icon will be created on your desktop. Double-click that icon to launch the program.
* If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here: SUPERAntiSpyware.com - Database Definition Information.)
* Close SUPERAntiSpyware.

PHYSICALLY DISCONNECT FROM THE INTERNET

Restart computer in Safe Mode.
To enter Safe Mode, restart computer, and keep tapping F8 key, until menu appears; select Safe Mode; you'll see "Safe Mode" in all four corners of your screen

* Open SUPERAntiSpyware.
* Click Scan your Computer... button.
* Click Scanning Preferences/Control Center... button.
* Under General and Startup tab, make sure, Start SUPERAntiSpyware when Windows starts option is UN-checked.
* Click the Scanning Control tab.
* Under Scanner Options make sure the following are checked (leave all others unchecked):
- Close browsers before scanning.
- Terminate memory threats before quarantining.

* Click the Close button to leave the control center screen.
* On the left, make sure you check C:\Fixed Drive.
* On the right, choose Perform Complete Scan.
* Click Next to start the scan. Please be patient while it scans your computer.
* After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click OK.
* Make sure everything has a checkmark next to it and click Next.
* A notification will appear that Quarantine and Removal is Complete. Click OK and then click the Finish button to return to the main menu.
* If asked if you want to reboot, click Yes.
* To retrieve the removal information after reboot, launch SUPERAntispyware again.
- Click Preferences, then click the Statistics/Logs tab.
- Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
- If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
- Please copy and paste the Scan Log results in your next reply.

* Click Close to exit the program.
Post SUPERAntiSpyware log.

RECONNECT TO THE INTERNET

RESTART COMPUTER!

STEP 2. Download Malwarebytes' Anti-Malware: Malwarebytes.org to your desktop.
(Malwarebytes is free to use as a manual scanner. Payment is only required if you wish to have it run and update automatically which is not necessary for our purposes)

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

RESTART COMPUTER!

STEP 3. Download GMER: GMER - Rootkit Detector and Remover, by clicking on Download EXE button.
Alternative downloads:
- |MG| GMER 1.0.15.15125 Download
- http://www.softpedia.com/get/Interne...ers/GMER.shtml
Double click on downloaded .exe file, select Rootkit tab and click the Scan button.
When scan is completed, click Save button, and save the results as gmer.log
Warning ! Please, do not select the "Show all" checkbox during the scan.
Post the log to your next reply.

RESTART COMPUTER

STEP 4.
Post fresh HijackThis log.
NOTE. If you're using Vista, right click on HijackThis, and click Run as Administrator
Do NOT attempt to "fix" anything!


DO NOT make any other changes to your computer (like installing programs, using other cleaning tools, etc.), until it's officially declared clean!!!
#3
15-10-2009, 06:15 AM
supreme (Junior Member, joined May 2008, 27 posts)
re: [Not curable - Virut!] Please help to check hijackthis log !!

SUPERAntiSpyware Scan Log

======================================================

SUPERAntiSpyware Scan Log
SUPERAntiSpyware.com | Remove Malware | Remove Spyware - AntiMalware, AntiSpyware, AntiAdware!

Generated 10/15/2009 at 08:28 AM

Application Version : 4.29.1004

Core Rules Database Version : 4166
Trace Rules Database Version: 2088

Scan type : Complete Scan
Total Scan Time : 00:36:42

Memory items scanned : 584
Memory threats detected : 0
Registry items scanned : 3863
Registry threats detected : 33
File items scanned : 18559
File threats detected : 23

Trojan.Smitfraud Variant-Gen/IEDef
HKLM\Software\Classes\CLSID\{889D2FEB-5411-4565-8998-1DD2C5261283}
HKCR\CLSID\{889D2FEB-5411-4565-8998-1DD2C5261283}
HKCR\CLSID\{889D2FEB-5411-4565-8998-1DD2C5261283}
HKCR\CLSID\{889D2FEB-5411-4565-8998-1DD2C5261283}\Control
HKCR\CLSID\{889D2FEB-5411-4565-8998-1DD2C5261283}\InprocServer32
HKCR\CLSID\{889D2FEB-5411-4565-8998-1DD2C5261283}\ProgID
HKCR\CLSID\{889D2FEB-5411-4565-8998-1DD2C5261283}\Programmable
HKCR\CLSID\{889D2FEB-5411-4565-8998-1DD2C5261283}\TypeLib
HKCR\CLSID\{889D2FEB-5411-4565-8998-1DD2C5261283}\Version
HKCR\CLSID\{889D2FEB-5411-4565-8998-1DD2C5261283}\VersionIndependentProgID
HKCR\XunLeiBHO.ThunderIEHelper.1
HKCR\XunLeiBHO.ThunderIEHelper.1\CLSID
HKCR\XunLeiBHO.ThunderIEHelper
HKCR\XunLeiBHO.ThunderIEHelper\CLSID
HKCR\XunLeiBHO.ThunderIEHelper\CurVer
HKCR\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}
HKCR\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0
HKCR\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\0
HKCR\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\0\win32
HKCR\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\FLAGS
HKCR\TypeLib\{87CA3845-37FE-414C-81CF-E08A7D0F6779}\1.0\HELPDIR
D:\APPSINST\TRENDMICRO\ISVW-SMB-PATCH\2-ISVWSMB-NT50-PATCH-B1166\TEMP\EXPLORER\PD\JDOWNLOADER\DOWNLOADS\UID 283916_BY_HDZONE_070905\UID 283916_BY_HDZONE(070905)\THUNDER V5.9.3.951\COMDLLS\XUNLEIBHO_NOW.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{889D2FEB-5411-4565-8998-1DD2C5261283}
HKU\S-1-5-21-1563544717-3592955746-4026306627-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{889D2FEB-5411-4565-8998-1DD2C5261283}
HKCR\Interface\{988934A4-064B-11D3-BB80-00104B35E7F9}
HKCR\Interface\{988934A4-064B-11D3-BB80-00104B35E7F9}\ProxyStubClsid
HKCR\Interface\{988934A4-064B-11D3-BB80-00104B35E7F9}\ProxyStubClsid32
HKCR\Interface\{988934A4-064B-11D3-BB80-00104B35E7F9}\TypeLib
HKCR\Interface\{988934A4-064B-11D3-BB80-00104B35E7F9}\TypeLib#Version
HKCR\Interface\{A1DD29ED-2598-48E9-9793-64A9CD08AC94}
HKCR\Interface\{A1DD29ED-2598-48E9-9793-64A9CD08AC94}\ProxyStubClsid
HKCR\Interface\{A1DD29ED-2598-48E9-9793-64A9CD08AC94}\ProxyStubClsid32
HKCR\Interface\{A1DD29ED-2598-48E9-9793-64A9CD08AC94}\TypeLib
HKCR\Interface\{A1DD29ED-2598-48E9-9793-64A9CD08AC94}\TypeLib#Version

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@atdmt[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adsrevenue[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@adbrite[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@revsci[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@gamestats[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@tribalfusion[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@bs.serving-sys[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@content.yieldmanager[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.gamestats[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@serving-sys[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.mediafire[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad1.clickhype[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@content.yieldmanager[3].txt
C:\Documents and Settings\Administrator\Cookies\administrator@mediafire[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.admaxasia[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.us.e-planning[1].txt
C:\Documents and Settings\Administrator\Cookies\administrator@ads.ad4game[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@doubleclick[2].txt

Scvhost Worm
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\MICROSOFT\EXPLORER\BC\SCVHOST.EXE

Trojan.Dropper/Gen
C:\DOCUMENTS AND SETTINGS\ADMINISTRATOR\LOCAL SETTINGS\APPLICATION DATA\MICROSOFT\WINDOWS\MICROSOFT\EXPLORER\TH\SCVHOST.EXE


======================================================

mbam-log-2009-10-15

======================================================

Malwarebytes' Anti-Malware 1.41
Database version: 2964
Windows 5.2.3790 Service Pack 2

10/15/2009 1:00:17 PM
mbam-log-2009-10-15 (13-00-17).txt

Scan type: Quick Scan
Objects scanned: 1021730
Time elapsed: 36 minute(s), 40 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 2
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01443aec-0fd1-40fd-9c87-e93d1494c233} (Trojan.BHO.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{01443aec-0fd1-40fd-9c87-e93d1494c233} (Trojan.BHO.H) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
D:\Appsinst\TrendMICRO\ISVW-SMB-patch\2-isvwsmb-nt50-patch-b1166\temp\explorer\pd\JDownloader\downloads\UID 283916_by_HDzone_070905\UID 283916_by_HDzone(070905)\Thunder v5.9.3.951\ComDlls\TDAtOnce_Now.dll (Trojan.BHO.H) -> Quarantined and deleted successfully.


======================================================

gmer-log

======================================================

GMER 1.0.15.15125 - GMER - Rootkit Detector and Remover
Rootkit scan 2009-10-15 13:12:23
Windows 5.2.3790 Service Pack 2
Running: ecyg5wqx.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\1\uwlcrpoc.sys


---- System - GMER 1.0.15 ----

SSDT 89644F80 ZwCreateKey
SSDT 89644480 ZwCreateProcess
SSDT 89644740 ZwCreateProcessEx
SSDT 89645C40 ZwCreateSection
SSDT 89646120 ZwCreateThread
SSDT 89645500 ZwDeleteKey
SSDT 896457C0 ZwDeleteValueKey
SSDT 896462C0 ZwLoadDriver
SSDT 89644A00 ZwOpenProcess
SSDT 89645DE0 ZwOpenSection
SSDT 89645240 ZwSetValueKey
SSDT 89644CC0 ZwTerminateProcess
SSDT 89645F80 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!KeQuerySystemTime + D8 8083E674 4 Bytes [80, 4F, 64, 89] {OR BYTE [EDI+0x64], 0x89}
.text ntoskrnl.exe!KeQuerySystemTime + F0 8083E68C 8 Bytes [80, 44, 64, 89, 40, 47, 64, ...]
.text ntoskrnl.exe!KeQuerySystemTime + FC 8083E698 4 Bytes [40, 5C, 64, 89]
.text ntoskrnl.exe!KeQuerySystemTime + 108 8083E6A4 4 Bytes [20, 61, 64, 89]
.text ntoskrnl.exe!KeQuerySystemTime + 134 8083E6D0 4 Bytes [00, 55, 64, 89]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[3692] C:\WINDOWS\Explorer.EXE section is writeable [0x01001000, 0x44FAD, 0xE0000060]
.reloc C:\WINDOWS\Explorer.EXE[3692] C:\WINDOWS\Explorer.EXE section is executable [0x01100000, 0x38E5, 0xE2000060]
.text C:\WINDOWS\Explorer.EXE[3740] C:\WINDOWS\Explorer.EXE section is writeable [0x01001000, 0x44FAD, 0xE0000060]
.reloc C:\WINDOWS\Explorer.EXE[3740] C:\WINDOWS\Explorer.EXE section is executable [0x01100000, 0x38E5, 0xE2000060]

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)

Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device rdpdr.sys (Microsoft RDP Device redirector/Microsoft Corporation)

AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----


======================================================


hijackthis.log


======================================================


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:13:25 PM, on 10/15/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\bin\tomcat.exe
C:\Program Files\Trend Micro\ISVW\Web\FTP\isftpd.exe
C:\Program Files\Trend Micro\ISVW\Mail\ISNTSmtp\ISNTSysMonitor.exe
C:\Program Files\Trend Micro\ISVW\Mail\ISNTSmtp\IsntSmtp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\system32\wmiprvse.exe
C:\Program Files\Trend Micro\ISVW\Mail\ISNTSmtp\scheduler.exe
C:\WINDOWS\System32\snmp.exe
C:\hp\hpsmh\bin\smhstart.exe
C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
C:\WINDOWS\system32\CpqRcmc.exe
C:\WINDOWS\system32\CPQMgmt\CqMgServ\cqmgserv.exe
C:\WINDOWS\system32\CPQMgmt\CqMgStor\cqmgstor.exe
C:\WINDOWS\system32\sysdown.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\WINDOWS\system32\CPQMgmt\CqMgHost\cqmghost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe
C:\Program Files\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cpqteam.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\OfficeScan Client\Apache2\bin\ApacheMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dwwin.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cpqteam.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\dumprep.exe
C:\Program Files\Trend Micro\OfficeScan Client\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = *.*.*.*
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Trend Micro\OfficeScan Client\Apache2\bin\ApacheMonitor.exe
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1229579345093
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
O18 - Protocol: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files\Compaq\Cpqacuxe\Bin\hpapp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apache2 - Unknown owner - c:\Program Files\Trend Micro\OfficeScan Client\Apache2\bin\Apache.exe (file missing)
O23 - Service: HP Insight NIC Agent (CpqNicMgmt) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqRcmc.exe
O23 - Service: HP Version Control Agent (cpqvcagent) - Hewlett-Packard Company - C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
O23 - Service: HP Insight Foundation Agents (CqMgHost) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQMgmt\CqMgHost\cqmghost.exe
O23 - Service: HP Insight Server Agents (CqMgServ) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQMgmt\CqMgServ\cqmgserv.exe
O23 - Service: HP Insight Storage Agents (CqMgStor) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQMgmt\CqMgStor\cqmgstor.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterScan VirusWall Management Console - Alexandria Software Consulting - C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\bin\tomcat.exe
O23 - Service: InterScan VirusWall for FTP (ISFTPD) - Trend Micro, Inc. - C:\Program Files\Trend Micro\ISVW\Web\FTP\isftpd.exe
O23 - Service: InterScan VirusWall System Monitor (ISNTSysMonitor) - Trend Micro Inc. - C:\Program Files\Trend Micro\ISVW\Mail\ISNTSmtp\ISNTSysMonitor.exe
O23 - Service: InterScan VirusWall for HTTP (ISVWHTTP) - Trend Micro Inc. - C:\Program Files\Trend Micro\ISVW\Web\HTTP\IWSSHTTPMain.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: Protected Storage Manager (rspp) - Unknown owner - cmd /c start C:\WINDOWS\system32\wmiprvse.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINDOWS\system32\sysdown.exe
O23 - Service: HP System Management Homepage (SysMgmtHP) - Hewlett-Packard Company - C:\hp\hpsmh/bin/smhstart.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\..\BM\TMBMSRV.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe

--
End of file - 9198 bytes


======================================================
  #4 (permalink)  
Old 15-10-2009, 06:24 AM
broni
Senior Member
Join Date: Nov 2004
Posts: 2,272
re: [Not curable - Virut!] Please help to checkhijackthis log !!

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
  • Double-click the drweb-cureit.exe file and click Scan to run an express scan. Click OK in the pop-up window to allow the scan.
  • This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, select Complete scan.
  • Click the green arrow at the right, and the scan will start.
  • Click Yes to all if it asks if you want to cure/move the file.
  • When the scan has finished, in the menu, click File and choose Save report list.
  • Save the report to your desktop. The report will be called DrWeb.csv.
  • Close Dr.Web CureIt.
  • Important! Reboot your computer because it could be possible that files in use will be moved/deleted during reboot.
  • Copy and paste that log in the next reply. You can use Notepad to open the DrWeb.csv report.


NOTE. During the scan, a pop-up window will open asking for a full version purchase. Simply close the window by clicking on the X in the upper right corner.


Post fresh HijackThis log as well.
  #5 (permalink)  
Old 16-10-2009, 12:26 AM
supreme
Junior Member
New Recruit
Join Date: May 2008
Posts: 27
re: [Not curable - Virut!] Please help to checkhijackthis log !!

DrWeb.CSV

===================================================

cqniccmd.VIR;C:\WINDOWS\system32;Win32.Virut.5;Incurable.Moved.;
dns.VIR;C:\WINDOWS\system32;Win32.Virut.5;Incurable.Moved.;
evntwin.VIR;C:\WINDOWS\system32;Win32.Virut.5;Incurable.Moved.;
expand.VIR;C:\WINDOWS\system32;Win32.Virut.5;Incurable.Moved.;
flattemp.VIR;C:\WINDOWS\system32;Win32.Virut.5;Incurable.Moved.;
label.VIR;C:\WINDOWS\system32;Win32.Virut.5;Incurable.Moved.;
rdshost.VIR;C:\WINDOWS\system32;Win32.Virut.5;Incurable.Moved.;
relog.VIR;C:\WINDOWS\system32;Win32.Virut.5;Incurable.Moved.;
savedump.VIR;C:\WINDOWS\system32;Win32.Virut.5;Incurable.Moved.;
vdsldr.VIR;C:\WINDOWS\system32;Win32.Virut.5;Incurable.Moved.;
winmsd.VIR;C:\WINDOWS\system32;Win32.Virut.5;Incurable.Moved.;
wlbs.VIR;C:\WINDOWS\system32;Win32.Virut.5;Incurable.Moved.;
wpabaln.VIR;C:\WINDOWS\system32;Win32.Virut.5;Incurable.Moved.;
Welcome.html;C:\Program Files\Trend Micro\ISVW\UI\j2re1.4.2;Trojan.Starman.100;Cured.;
ftsbody.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
ftsdhtml.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
ftsform.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
H-admin-lic-active_text0.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
H-ftp-config_text0.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
H-ftp-config_text1.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
H-http-config_text0.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
H-http-config_text1.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
H-pop3-config_text0.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
H-pop3-config_text1.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
H-pop3-config_text2.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
H-pop3-config_text3.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
H-pop3-content-targ_text0.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
H-pop3-content-targ_text1.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
H-pop3-spam-targ_text0.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
H-server-config-alerts_text0.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
H-smtp-config-incoming_text0.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
H-smtp-config-relay_text0.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
H-smtp-config-server_text0.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
H-smtp-config-server_text1.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
H-smtp-config-server_text2.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
H-smtp-config-server_text3.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
H-smtp-config-server_text4.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
H-smtp-content-incoming-targ_text0.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
H-smtp-content-incoming-targ_text1.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
H-smtp-content-incoming-targ_text2.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
H-smtp-content-outgoing-targ_text0.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
H-smtp-content-outgoing-targ_text1.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
H-smtp-content-outgoing-targ_text2.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
H-smtp-quarantine-search_text0.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
H-smtp-spam-targ_text0.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
H-update-proxy_text0.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
H-update-proxy_text1.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
H-update-proxy_text2.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
How_Viruses_Spread_text0.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
idxbody.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
idxdhtml.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
idxform.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
idxlist.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
ISVW.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
ISVW_csh.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
Methods_of_Virus_Detection_text0.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
Methods_of_Virus_Detection_text1.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
Methods_of_Virus_Detection_text2.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
Methods_of_Virus_Detection_text3.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
Methods_of_Virus_Detection_text4.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
Methods_of_Virus_Detection_text5.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
navframe.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
navpane1.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
navpane2.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
tabframe.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
tocdhtml.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
toclist.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
Types_of_Antivirus_Programs_text0.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
Types_of_Antivirus_Programs_text1.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
Types_of_Viruses_text0.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
Types_of_Viruses_text1.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
_blank.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\ROOT\L10N\en\help;Trojan.Starman.100;Cured.;
interruptMsg.htm;C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\webapps\user\html;Trojan.Starman.100;Cured.;
CasPol.exe;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
dfscmd.exe;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
DotNetInstaller.exe;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
evcreate.exe;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
eventcreate.exe;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
eventtriggers.exe;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
evtrig.exe;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
hscupd.exe;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
hscupd.VIR;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
IEExec.exe;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
imjpdadm.exe;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
InstallUtil.exe;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
jsc.exe;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
ldifde.exe;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
ldifde.VIR;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
MigPol.exe;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
migpol.VI0;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
migpol.VIR;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
MigPolWin.exe;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
migpolwin.VI0;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
migpolwin.VIR;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
mnmsrvc.exe;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
mofcomp.exe;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
mofcomp.VIR;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
msdtc.exe;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
msg.exe;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
RegAsm.exe;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
RegSvcs.exe;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
regsvcs.VI0;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
regsvcs.VIR;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
rsdiag.exe;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
sc.exe;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
sfmpsexe.exe;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
tapicfg.exe;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
tasklist.exe;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
tsecimp.exe;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
tsprof.exe;C:\sysclean\backup;Win32.Virut.5;Incurable.Moved.;
dns.VIR;C:\WINDOWS\$NtServicePackUninstall$;Win32.Virut.5;Incurable.Moved.;
find.VIR;C:\WINDOWS\$NtServicePackUninstall$;Win32.Virut.5;Incurable.Moved.;
ftp.VIR;C:\WINDOWS\$NtServicePackUninstall$;Win32.Virut.5;Incurable.Moved.;
fxssend.VIR;C:\WINDOWS\$NtServicePackUninstall$;Win32.Virut.5;Incurable.Moved.;
gprslt.VIR;C:\WINDOWS\$NtServicePackUninstall$;Win32.Virut.5;Incurable.Moved.;
osk.exe;C:\WINDOWS\$NtServicePackUninstall$;Win32.Virut.5;Cured.;
sc.VIR;C:\WINDOWS\$NtServicePackUninstall$;Win32.Virut.5;Incurable.Moved.;
utilman.VIR;C:\WINDOWS\$NtServicePackUninstall$;Win32.Virut.5;Incurable.Moved.;
ciadmin.htm;C:\WINDOWS\Help;Trojan.Starman.100;Cured.;
SmartNav.htm;C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\ASP.NETClientFiles;Trojan.Starman.100;Cured.;
AboutCompat.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\CompatCtr;Trojan.Starman.100;Cured.;
CompatOffline.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\CompatCtr;Trojan.Starman.100;Cured.;
LearnCompat.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\CompatCtr;Trojan.Starman.100;Cured.;
privacy.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS;Trojan.Starman.100;Cured.;
uplddrvinfo.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS;Trojan.Starman.100;Cured.;
xmldialog.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\DFS;Trojan.Starman.100;Cured.;
dvdupgrd.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\DVDUpgrd;Trojan.Starman.100;Cured.;
ErrorMessagesOffline.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\ErrMsg;Trojan.Starman.100;Cured.;
dglogshelp.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\NetDiag;Trojan.Starman.100;Cured.;
blank.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\panels;Trojan.Starman.100;Cured.;
rcRequest.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\rc;Trojan.Starman.100;Cured.;
helpeeaccept.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance;Trojan.Starman.100;Cured.;
RAStartPage.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance;Trojan.Starman.100;Cured.;
ConnIssue.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Common;Trojan.Starman.100;Cured.;
LearnInternet.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Common;Trojan.Starman.100;Cured.;
RCMoreInfo.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Common;Trojan.Starman.100;Cured.;
DividerBar.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Client;Trojan.Starman.100;Cured.;
RAChatClient.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Client;Trojan.Starman.100;Cured.;
RAClient.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Client;Trojan.Starman.100;Cured.;
RAStatusBar.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Client;Trojan.Starman.100;Cured.;
rcscreen6_head.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Client;Trojan.Starman.100;Cured.;
setting.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Client;Trojan.Starman.100;Cured.;
ErrorMsgs.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Common;Trojan.Starman.100;Cured.;
RCFileXfer.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Common;Trojan.Starman.100;Cured.;
voicefirewallmsg.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Common;Trojan.Starman.100;Cured.;
VOIPMsgs.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Common;Trojan.Starman.100;Cured.;
DividerBar1.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Server;Trojan.Starman.100;Cured.;
RAChatServer.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Server;Trojan.Starman.100;Cured.;
SettingServer.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Server;Trojan.Starman.100;Cured.;
TakeControlMsgs.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\Remote Assistance\Interaction\Server;Trojan.Starman.100;Cured.;
msinfo.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo;Trojan.Starman.100;Cured.;
sysComponentInfo.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo;Trojan.Starman.100;Cured.;
sysEvtLogInfo.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo;Trojan.Starman.100;Cured.;
sysHealthInfo.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo;Trojan.Starman.100;Cured.;
sysinfosum.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo;Trojan.Starman.100;Cured.;
sysRemoteInfo.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo;Trojan.Starman.100;Cured.;
sysServicesInfo.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo;Trojan.Starman.100;Cured.;
sysSoftwareInfo.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\sysinfo;Trojan.Starman.100;Cured.;
AboutWU.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\UpdateCtr;Trojan.Starman.100;Cured.;
Learn.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\UpdateCtr;Trojan.Starman.100;Cured.;
LearnInternet.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\UpdateCtr;Trojan.Starman.100;Cured.;
learnWU.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\UpdateCtr;Trojan.Starman.100;Cured.;
updatecenter.htm;C:\WINDOWS\PCHEALTH\HELPCTR\System\UpdateCtr;Trojan.Starman.100;Cured.;
Connection.htm;C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US;Trojan.Starman.100;Cured.;
OfflineDC.htm;C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US;Trojan.Starman.100;Cured.;
OfflineOptions.htm;C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US;Trojan.Starman.100;Cured.;
rcstatus.htm;C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance;Trojan.Starman.100;Cured.;
ConnIssue-pro.htm;C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common;Trojan.Starman.100;Cured.;
ConnIssue.htm;C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common;Trojan.Starman.100;Cured.;
LearnInternet.htm;C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common;Trojan.Starman.100;Cured.;
RCMoreInfo.htm;C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Common;Trojan.Starman.100;Cured.;
rcscreen1.htm;C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common;Trojan.Starman.100;Cured.;
rcscreen2.htm;C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common;Trojan.Starman.100;Cured.;
rcscreen3.htm;C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Common;Trojan.Starman.100;Cured.;
escalationhelp-pro.htm;C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email;Trojan.Starman.100;Cured.;
escalationhelp.htm;C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email;Trojan.Starman.100;Cured.;
rcscreen5.htm;C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email;Trojan.Starman.100;Cured.;
rcscreen6.htm;C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email;Trojan.Starman.100;Cured.;
rcscreen6_head.htm;C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email;Trojan.Starman.100;Cured.;
rcscreen8.htm;C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email;Trojan.Starman.100;Cured.;
rcscreen9.htm;C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email;Trojan.Starman.100;Cured.;
reminder.htm;C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Microsoft Corporation,L=Redmond,S=Washington,C=US\Remote Assistance\Escalation\Email;Trojan.Starman.100;Cured.;
fpagloss.htm;C:\WINDOWS\ServicePackFiles\i386;Trojan.Starman.100;Cured.;
netmeet.htm;C:\WINDOWS\ServicePackFiles\i386;Trojan.Starman.100;Cured.;
tsweb1.htm;C:\WINDOWS\ServicePackFiles\i386;Trojan.Starman.100;Cured.;
wsgcgens.htm;C:\WINDOWS\ServicePackFiles\i386;Trojan.Starman.100;Cured.;
wsggloss.htm;C:\WINDOWS\ServicePackFiles\i386;Trojan.Starman.100;Cured.;
wsgindex.htm;C:\WINDOWS\ServicePackFiles\i386;Trojan.Starman.100;Cured.;
wsgpauth.htm;C:\WINDOWS\ServicePackFiles\i386;Trojan.Starman.100;Cured.;
wsgpcnfg.htm;C:\WINDOWS\ServicePackFiles\i386;Trojan.Starman.100;Cured.;
wsgpperf.htm;C:\WINDOWS\ServicePackFiles\i386;Trojan.Starman.100;Cured.;
wsgpscrp.htm;C:\WINDOWS\ServicePackFiles\i386;Trojan.Starman.100;Cured.;
wsgpsec.htm;C:\WINDOWS\ServicePackFiles\i386;Trojan.Starman.100;Cured.;
wsgpset.htm;C:\WINDOWS\ServicePackFiles\i386;Trojan.Starman.100;Cured.;
wsgpsmtp.htm;C:\WINDOWS\ServicePackFiles\i386;Trojan.Starman.100;Cured.;
default.htm;C:\WINDOWS\SoftwareDistribution\Download\7c205249e4e58548a01567c8dc12d1b5;Trojan.Starman.100;Cured.;
empty.htm;C:\WINDOWS\SoftwareDistribution\Download\7c205249e4e58548a01567c8dc12d1b5;Trojan.Starman.100;Cured.;
fpagloss.htm;C:\WINDOWS\SoftwareDistribution\Download\7c205249e4e58548a01567c8dc12d1b5;Trojan.Starman.100;Cured.;
navtree.htm;C:\WINDOWS\SoftwareDistribution\Download\7c205249e4e58548a01567c8dc12d1b5;Trojan.Starman.100;Cured.;
netmeet.htm;C:\WINDOWS\SoftwareDistribution\Download\7c205249e4e58548a01567c8dc12d1b5;Trojan.Starman.100;Cured.;
tree.htm;C:\WINDOWS\SoftwareDistribution\Download\7c205249e4e58548a01567c8dc12d1b5;Trojan.Starman.100;Cured.;
tsweb1.htm;C:\WINDOWS\SoftwareDistribution\Download\7c205249e4e58548a01567c8dc12d1b5;Trojan.Starman.100;Cured.;
wsgcgens.htm;C:\WINDOWS\SoftwareDistribution\Download\7c205249e4e58548a01567c8dc12d1b5;Trojan.Starman.100;Cured.;
wsggloss.htm;C:\WINDOWS\SoftwareDistribution\Download\7c205249e4e58548a01567c8dc12d1b5;Trojan.Starman.100;Cured.;
wsgindex.htm;C:\WINDOWS\SoftwareDistribution\Download\7c205249e4e58548a01567c8dc12d1b5;Trojan.Starman.100;Cured.;
wsgpauth.htm;C:\WINDOWS\SoftwareDistribution\Download\7c205249e4e58548a01567c8dc12d1b5;Trojan.Starman.100;Cured.;
wsgpcnfg.htm;C:\WINDOWS\SoftwareDistribution\Download\7c205249e4e58548a01567c8dc12d1b5;Trojan.Starman.100;Cured.;
wsgpperf.htm;C:\WINDOWS\SoftwareDistribution\Download\7c205249e4e58548a01567c8dc12d1b5;Trojan.Starman.100;Cured.;
wsgpscrp.htm;C:\WINDOWS\SoftwareDistribution\Download\7c205249e4e58548a01567c8dc12d1b5;Trojan.Starman.100;Cured.;
wsgpsec.htm;C:\WINDOWS\SoftwareDistribution\Download\7c205249e4e58548a01567c8dc12d1b5;Trojan.Starman.100;Cured.;
wsgpset.htm;C:\WINDOWS\SoftwareDistribution\Download\7c205249e4e58548a01567c8dc12d1b5;Trojan.Starman.100;Cured.;
wsgpsmtp.htm;C:\WINDOWS\SoftwareDistribution\Download\7c205249e4e58548a01567c8dc12d1b5;Trojan.Starman.100;Cured.;
eraseme_51737.exe;C:\WINNT\system32;BackDoor.IRC.Sdbot.4974;Deleted.;
xsys.dll;C:\WINNT\system32;Tool.Moo;;

===================================================

hijackthis.log

===================================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:25:33 AM, on 10/16/2009
Platform: Windows 2003 SP2 (WinNT 5.02.3790)
MSIE: Internet Explorer v8.00 (8.00.6001.18702)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
C:\WINDOWS\System32\dns.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\bin\tomcat.exe
C:\Program Files\Trend Micro\ISVW\Web\FTP\isftpd.exe
C:\Program Files\Trend Micro\ISVW\Mail\ISNTSmtp\ISNTSysMonitor.exe
C:\Program Files\Trend Micro\ISVW\Mail\ISNTSmtp\IsntSmtp.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
C:\WINDOWS\system32\wmiprvse.exe
C:\Program Files\Trend Micro\ISVW\Mail\ISNTSmtp\scheduler.exe
C:\WINDOWS\System32\snmp.exe
C:\hp\hpsmh\bin\smhstart.exe
C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
C:\WINDOWS\system32\CpqRcmc.exe
C:\WINDOWS\system32\CPQMgmt\CqMgServ\cqmgserv.exe
C:\WINDOWS\system32\CPQMgmt\CqMgStor\cqmgstor.exe
C:\WINDOWS\system32\sysdown.exe
C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
C:\WINDOWS\system32\CPQMgmt\CqMgHost\cqmghost.exe
C:\WINDOWS\System32\dmadmin.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe
C:\Program Files\Trend Micro\Client Server Security Agent\CNTAoSMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cpqteam.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\OfficeScan Client\Apache2\bin\ApacheMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Trend Micro\ISVW\Web\HTTP\IWSSHTTPMain.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\rdpclip.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cpqteam.exe
C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\dumprep.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Trend Micro\OfficeScan Client\Apache2\bin\ApacheMonitor.exe
C:\WINDOWS\system32\dwwin.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = res://shdoclc.dll/softAdmin.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = res://shdoclc.dll/softAdmin.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = Bing
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = Bing
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = Hotmail, News, Sport, Music, Movies, Money, Cars, Shopping, Windows Live from MSN UK
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = *.*.*.*
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [CPQTEAM] cpqteam.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\Client Server Security Agent\pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Trend Micro\OfficeScan Client\Apache2\bin\ApacheMonitor.exe
O15 - ESC Trusted Zone: http://runonce.msn.com
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...oUploader5.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/ho...vex/hcImpl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1229579345093
O16 - DPF: {8100D56A-5661-482C-BEE8-AFECE305D968} (Facebook Photo Uploader 5 Control) - http://upload.facebook.com/controls/...Uploader55.cab
O18 - Protocol: hpapp - {24F45006-5BD9-41B7-9BD9-5F8921C8EBD1} - C:\Program Files\Compaq\Cpqacuxe\Bin\hpapp.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Apache2 - Unknown owner - c:\Program Files\Trend Micro\OfficeScan Client\Apache2\bin\Apache.exe (file missing)
O23 - Service: HP Insight NIC Agent (CpqNicMgmt) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQNiMgt\cpqnimgt.exe
O23 - Service: HP ProLiant Remote Monitor Service (CpqRcmc) - Hewlett-Packard Company - C:\WINDOWS\system32\CpqRcmc.exe
O23 - Service: HP Version Control Agent (cpqvcagent) - Hewlett-Packard Company - C:\hp\hpsmh\data\cgi-bin\vcagent\vcagent.exe
O23 - Service: HP Insight Foundation Agents (CqMgHost) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQMgmt\CqMgHost\cqmghost.exe
O23 - Service: HP Insight Server Agents (CqMgServ) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQMgmt\CqMgServ\cqmgserv.exe
O23 - Service: HP Insight Storage Agents (CqMgStor) - Hewlett-Packard Company - C:\WINDOWS\system32\CPQMgmt\CqMgStor\cqmgstor.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InterScan VirusWall Management Console - Alexandria Software Consulting - C:\Program Files\Trend Micro\ISVW\UI\Tomcat 4.1\bin\tomcat.exe
O23 - Service: InterScan VirusWall for FTP (ISFTPD) - Trend Micro, Inc. - C:\Program Files\Trend Micro\ISVW\Web\FTP\isftpd.exe
O23 - Service: InterScan VirusWall System Monitor (ISNTSysMonitor) - Trend Micro Inc. - C:\Program Files\Trend Micro\ISVW\Mail\ISNTSmtp\ISNTSysMonitor.exe
O23 - Service: InterScan VirusWall for HTTP (ISVWHTTP) - Trend Micro Inc. - C:\Program Files\Trend Micro\ISVW\Web\HTTP\IWSSHTTPMain.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: Trend Micro Client/Server Security Agent RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\ntrtscan.exe
O23 - Service: Protected Storage Manager (rspp) - Unknown owner - cmd /c start C:\WINDOWS\system32\wmiprvse.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: HP ProLiant System Shutdown Service (sysdown) - Compaq Computer Corporation - C:\WINDOWS\system32\sysdown.exe
O23 - Service: HP System Management Homepage (SysMgmtHP) - Hewlett-Packard Company - C:\hp\hpsmh/bin/smhstart.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\..\BM\TMBMSRV.exe
O23 - Service: Trend Micro Client/Server Security Agent Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\tmlisten.exe
O23 - Service: Trend Micro Client/Server Security Agent Personal Firewall (TmPfw) - Trend Micro Inc. - C:\Program Files\Trend Micro\Client Server Security Agent\TmPfw.exe

--
End of file - 9381 bytes


===============================================
  #6 (permalink)  
Old 16-10-2009, 01:36 AM
Senior Member
 
Join Date: Nov 2004
Posts: 2,272
Re: [Not curable - Virut!] Please help to checkhijackthis log !!

Really bad news


You are infected with a polymorphic file infector. This infection can and will infect all the machine's executable files: .exe, .scr, .rar, .zip, .htm, .html. Because there are a number of bugs in its code, it may create executable files that are corrupted beyond repair, resulting in an inoperative machine.

Malware experts say that a complete reformat and reinstall is the only way to clean the infection. This includes all drives that contain the following files:
*.exe
*.scr
*.htm
*.html
*.xml
*.zip
*.rar
*.doc
*.jpg
*.pdf

Back up all your documents and important items only.
DO NOT back up any files mentioned above.

I suggest you do the following immediately:

* Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.
* From a clean computer, change *all* your online passwords -- for email, for banks, financial accounts, PayPal, eBay, online companies, any online forums or groups you belong to.
* DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

For more information on Virut, and why you need to reformat, have a read of miekiemoes' blog here.

To find out how to carry out an XP Reformat and Reinstall, please see this page. If you are using Vista, then check this page instead.

Once you have reformatted and reinstalled Windows, have a look at this page for some useful tips on staying clean, along with links to some freeware to help.

To find out more information about how you may have got infected in the first place, you can read this article.

I am sorry I cannot give any better news.
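As an added example (not from the thread and not broni's own tooling), here is a small Python helper that applies the exclusion list from the reply above when staging a backup from an infected machine. It also refuses any file whose first bytes are the PE "MZ" header, whatever its name; that check is an assumption beyond the post's advice, added to catch an executable that was renamed to look like a document.

```python
"""Added example (not from the thread): split a backup source into files that are
safe to copy and files excluded by the reply's extension list. As an extra check
beyond the post, it also excludes anything starting with a PE 'MZ' header."""
import os
import tempfile
from pathlib import Path

# Extension list exactly as given in the reply above (matched case-insensitively).
EXCLUDED_EXTENSIONS = {".exe", ".scr", ".htm", ".html", ".xml",
                       ".zip", ".rar", ".doc", ".jpg", ".pdf"}
PE_MAGIC = b"MZ"  # first two bytes of every Windows PE executable image


def starts_with_pe_header(path: Path) -> bool:
    """True if the file begins with the MZ stub, whatever its name says."""
    with path.open("rb") as fh:
        return fh.read(2) == PE_MAGIC


def triage(source: Path) -> dict:
    """Return {'safe': [rel paths], 'excluded': [(rel path, reason)]}."""
    result = {"safe": [], "excluded": []}
    for root, _dirs, files in os.walk(source):
        for name in files:
            full = Path(root) / name
            rel = full.relative_to(source).as_posix()
            ext = full.suffix.lower()
            if ext in EXCLUDED_EXTENSIONS:
                result["excluded"].append((rel, f"extension {ext} is on the infector list"))
            elif starts_with_pe_header(full):
                result["excluded"].append((rel, "PE header despite non-executable name"))
            else:
                result["safe"].append(rel)
    result["safe"].sort()
    result["excluded"].sort()
    return result


def demo() -> dict:
    """Triage a constructed sample tree (all contents are made-up stubs)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp)
        (src / "notes.txt").write_text("plain text notes")
        (src / "setup.EXE").write_bytes(b"MZ\x90\x00constructed-stub")
        (src / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0")
        (src / "invoice.txt").write_bytes(b"MZ\x90\x00renamed-executable")
        (src / "sub").mkdir()
        (src / "sub" / "index.html").write_text("<html></html>")
        return triage(src)
```

Run `triage()` against the real backup source and copy only the `safe` list; the `excluded` entries are the ones the reply says must not be carried over to the rebuilt server.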
  #7 (permalink)  
Old 16-10-2009, 01:58 AM
Junior Member
New Recruit
 
Join Date: May 2008
Posts: 27
Re: [Not curable - Virut!] Please help to checkhijackthis log !!

Really bad news....
Anyway, still thanks for your advice.
I will reformat my server again...

thanks !!
  #8 (permalink)  
Old 16-10-2009, 02:07 AM
Senior Member
 
Join Date: Nov 2004
Posts: 2,272
Re: [Not curable - Virut!] Please help to checkhijackthis log !!

I'm sorry