Virtumondo + various dialers / downloader / etc
Virtumondo won't go away and other things keep popping up. I have tried Norton AV, OneCare, AVG, AVG Anti-Spyware, Sunbelt CounterSpy, VundoFix, Spybot S&D and the online scanners recommended on this site. Virtumondo is still there and the others just keep coming back. One enabled my CMOS password and had me calling the ThinkPad vendor, and others keep disabling my Windows Firewall.
Here is the HJT log:
Logfile of HijackThis v1.99.1
Scan saved at 4:54:06 PM, on 7/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HijackThis\scanner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {185DFFCD-DF15-4C78-A238-9782EE5638E7} - C:\WINDOWS\system32\vtspp.dll (file missing)
O2 - BHO: (no name) - {1FB63E52-4D6E-48C1-A08F-F630FE50F337} - C:\WINDOWS\system32\jkkjhfd.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\System32\lssas.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Office Suite 3.0.lnk = C:\Program Files\Office Suite3.0\program\quickstart.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: jkkjhfd - C:\WINDOWS\SYSTEM32\jkkjhfd.dll
O20 - Winlogon Notify: winghd32 - C:\WINDOWS\SYSTEM32\winghd32.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MySQL - Unknown owner - C:\Documents and Settings\Los Angeles\mysql-noinstall-5.0.45-win32\mysql-5.0.45-win32\bin\mysqld-nt.exe" MySQL (file missing)
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
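Added example (not part of this thread, and not how HijackThis or the helpers here work): a small Python script that applies to the log above a few of the checks a helper does by eye. It flags O4 Run entries whose executable name is a near-miss of a core Windows process name (the log has `lssas.exe` in an O4 entry while the genuine `lsass.exe` appears in the process list), O4 entries given as a bare filename rather than a full path (resolved through PATH at logon, so worth a look; the ComboFix log later in the thread resolves `AGRSMMSG.exe` to `C:\WINDOWS\AGRSMMSG.exe` with a 2003 timestamp, which is why that check is a review item rather than a verdict), BHOs with no product name, Winlogon Notify DLLs, and entries whose target file is already missing. The sample input is a subset of this thread's first log; the severity labels, the core-process list and the edit-distance threshold of 2 are choices made for this example.

```python
import re
from typing import Dict, List

# Sample input: a subset of the HijackThis log posted above (taken from the
# thread, not constructed), limited to the sections this triage looks at.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {185DFFCD-DF15-4C78-A238-9782EE5638E7} - C:\WINDOWS\system32\vtspp.dll (file missing)
O2 - BHO: (no name) - {1FB63E52-4D6E-48C1-A08F-F630FE50F337} - C:\WINDOWS\system32\jkkjhfd.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\System32\lssas.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [smgr] mgrs.exe
O20 - Winlogon Notify: jkkjhfd - C:\WINDOWS\SYSTEM32\jkkjhfd.dll
O20 - Winlogon Notify: winghd32 - C:\WINDOWS\SYSTEM32\winghd32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
"""

# Core Windows processes whose names malware imitates with near-miss spellings.
# This list and the threshold are choices for the example, not HijackThis logic.
CORE_PROCESS_NAMES = ("lsass.exe", "csrss.exe", "smss.exe", "svchost.exe",
                      "winlogon.exe", "services.exe", "explorer.exe")
LOOKALIKE_MAX_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance; inputs are short file names, so a full table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def executable_of(command: str) -> str:
    """Program part of an O4 command line, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    # Unquoted: cut at the first ".exe" so paths with spaces stay whole.
    m = re.match(r"(?i)(.*?\.exe)", command)
    return m.group(1) if m else command.split()[0]


def basename(path: str) -> str:
    # Drop the directory and anything after a stray quote (HijackThis prints
    # service command lines like 'httpd.exe" -k runservice').
    return path.rsplit("\\", 1)[-1].split('"')[0]


def triage(log_text: str) -> List[Dict[str, str]]:
    """One finding per suspicious trait; a single line can produce several."""
    findings: List[Dict[str, str]] = []

    def add(severity: str, item: str, reason: str) -> None:
        findings.append({"severity": severity, "item": item.lower(), "reason": reason})

    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^(O\d+) - (.*)$", line)
        if not m:
            continue
        section, body = m.groups()
        # The last " - " separated field is the file the entry points at.
        target = body.split(" - ")[-1].replace(" (file missing)", "")

        if section == "O4":
            m4 = re.match(r"^[^:]*:\s+\[(.+?)\]\s+(.*)$", body)
            if not m4:
                continue  # Startup-folder .lnk entries use a different layout
            exe = executable_of(m4.group(2))
            name = basename(exe)
            for core in CORE_PROCESS_NAMES:
                if name.lower() != core and levenshtein(name.lower(), core) <= LOOKALIKE_MAX_DISTANCE:
                    add("high", name, f"executable name imitates core process {core}")
            if "\\" not in exe:
                add("review", name, "bare filename, resolved through PATH at logon")
        elif section == "O2" and "(no name)" in body:
            add("review", basename(target), "BHO without a product name")
        elif section == "O20":
            add("review", basename(target), "Winlogon Notify DLL, loaded into winlogon.exe")

        if line.endswith("(file missing)"):
            add("stale", basename(target), "registry still points at a file that no longer exists")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f['severity']:<6} {f['item']:<14} {f['reason']}")
```

Run on the sample it reports lssas.exe as high, the two bare-filename entries, both unnamed BHOs, both Winlogon Notify DLLs, and vtspp.dll as stale; the Synaptics, Google Desktop and ATI entries produce nothing. The review items are prompts to look the file up, not verdicts.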
Hi iMammal
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
1. Download combofix from one of these links:
Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Post:
- a fresh HijackThis log
- combofix report
- vundofix report
DRRRRRR!!!!! My logs are too long to post - over 20k. I'll post VundoFix.log and HijackThis.log now and post ComboFix.log separately...
The jkkj* file in C:\windows\system32\ is gone!!
That's one thing that I couldn't delete manually before.
Hope I'm disinfected...
VundoFix.log
VundoFix V6.5.6
Checking Java version...
Sun Java not detected
Scan started at 4:01:35 PM 7/19/2007
Listing files found while scanning....
C:\windows\system32\cbmjkavo.dll
C:\windows\system32\hxvsnssr.dll
C:\WINDOWS\system32\kmnnn.bak2
C:\WINDOWS\system32\kmnnn.ini
C:\WINDOWS\system32\kmnnn.ini2
C:\WINDOWS\system32\kmnnn.tmp
C:\WINDOWS\system32\lomigjdx.dll
C:\windows\system32\mwqvpntx.exe
C:\WINDOWS\system32\nnnmk.dll
C:\windows\system32\priakhaw.dll
C:\windows\system32\qbhcndjt.ini
C:\WINDOWS\System32\qoppq.dll
C:\windows\system32\rjbtuvuj.dll
C:\windows\system32\rssnsvxh.ini
C:\WINDOWS\system32\saqybdjm.dll
C:\windows\system32\sdmjdwgb.exe
C:\windows\system32\tjdnchbq.dll
C:\windows\system32\tnhegysf.dll
C:\windows\system32\wahkairp.ini
C:\windows\system32\wdhxaoqe.dll
C:\windows\system32\xdjgimol.ini
Beginning removal...
Attempting to delete C:\windows\system32\cbmjkavo.dll
C:\windows\system32\cbmjkavo.dll Has been deleted!
Attempting to delete C:\windows\system32\hxvsnssr.dll
C:\windows\system32\hxvsnssr.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\kmnnn.bak2
C:\WINDOWS\system32\kmnnn.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\kmnnn.ini
C:\WINDOWS\system32\kmnnn.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\kmnnn.ini2
C:\WINDOWS\system32\kmnnn.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\kmnnn.tmp
C:\WINDOWS\system32\kmnnn.tmp Has been deleted!
Attempting to delete C:\WINDOWS\system32\lomigjdx.dll
C:\WINDOWS\system32\lomigjdx.dll Could not be deleted.
Attempting to delete C:\windows\system32\mwqvpntx.exe
C:\windows\system32\mwqvpntx.exe Could not be deleted.
Attempting to delete C:\WINDOWS\system32\nnnmk.dll
C:\WINDOWS\system32\nnnmk.dll Has been deleted!
Attempting to delete C:\windows\system32\priakhaw.dll
C:\windows\system32\priakhaw.dll Has been deleted!
Attempting to delete C:\windows\system32\qbhcndjt.ini
C:\windows\system32\qbhcndjt.ini Has been deleted!
Attempting to delete C:\windows\system32\rjbtuvuj.dll
C:\windows\system32\rjbtuvuj.dll Has been deleted!
Attempting to delete C:\windows\system32\rssnsvxh.ini
C:\windows\system32\rssnsvxh.ini Has been deleted!
Attempting to delete C:\windows\system32\sdmjdwgb.exe
C:\windows\system32\sdmjdwgb.exe Could not be deleted.
Attempting to delete C:\windows\system32\tjdnchbq.dll
C:\windows\system32\tjdnchbq.dll Has been deleted!
Attempting to delete C:\windows\system32\tnhegysf.dll
C:\windows\system32\tnhegysf.dll Has been deleted!
Attempting to delete C:\windows\system32\wahkairp.ini
C:\windows\system32\wahkairp.ini Has been deleted!
Attempting to delete C:\windows\system32\wdhxaoqe.dll
C:\windows\system32\wdhxaoqe.dll Has been deleted!
Attempting to delete C:\windows\system32\xdjgimol.ini
C:\windows\system32\xdjgimol.ini Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.6
Checking Java version...
Sun Java not detected
Scan started at 11:51:02 PM 7/20/2007
Listing files found while scanning....
C:\windows\system32\lomigjdx.dll
C:\windows\system32\mwqvpntx.exe
C:\WINDOWS\System32\qoppq.dll
C:\WINDOWS\System32\qppoq.bak1
C:\WINDOWS\System32\qppoq.bak2
C:\WINDOWS\System32\qppoq.ini
C:\windows\system32\sdmjdwgb.exe
Beginning removal...
Attempting to delete C:\windows\system32\lomigjdx.dll
C:\windows\system32\lomigjdx.dll Has been deleted!
Attempting to delete C:\windows\system32\mwqvpntx.exe
C:\windows\system32\mwqvpntx.exe Has been deleted!
Attempting to delete C:\WINDOWS\System32\qppoq.bak1
C:\WINDOWS\System32\qppoq.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\System32\qppoq.bak2
C:\WINDOWS\System32\qppoq.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\System32\qppoq.ini
C:\WINDOWS\System32\qppoq.ini Has been deleted!
Attempting to delete C:\windows\system32\sdmjdwgb.exe
C:\windows\system32\sdmjdwgb.exe Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.6
Checking Java version...
Sun Java not detected
Scan started at 8:55:32 AM 7/21/2007
Listing files found while scanning....
C:\WINDOWS\System32\qoppq.dll
Beginning removal...
Performing Repairs to the registry.
Done!
VundoFix V6.5.6
Checking Java version...
Sun Java not detected
Scan started at 9:18:10 AM 7/21/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.5.6
Checking Java version...
Sun Java not detected
Scan started at 11:25:30 AM 7/21/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.5.6
Checking Java version...
Sun Java not detected
Scan started at 7:17:35 PM 7/21/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.5.6
Checking Java version...
Sun Java not detected
Scan started at 11:05:18 PM 7/21/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.5.6
Checking Java version...
Sun Java not detected
Scan started at 2:00:16 AM 7/22/2007
Listing files found while scanning....
C:\WINDOWS\system32\ppstv.bak1
C:\WINDOWS\system32\ppstv.ini
C:\WINDOWS\system32\vtspp.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ppstv.bak1
C:\WINDOWS\system32\ppstv.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\ppstv.ini
C:\WINDOWS\system32\ppstv.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\vtspp.dll
C:\WINDOWS\system32\vtspp.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.6
Checking Java version...
Sun Java not detected
Scan started at 2:49:52 AM 7/22/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.5.6
Checking Java version...
Sun Java not detected
Scan started at 3:12:00 PM 7/23/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
HijackThis.log
Logfile of HijackThis v1.99.1
Scan saved at 3:17:29 PM, on 7/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Program Files\Office Suite3.0\program\soffice.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\cmd.exe
C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Documents and Settings\Los Angeles\putty\PUTTY.EXE
C:\Program Files\HijackThis\scanner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {185DFFCD-DF15-4C78-A238-9782EE5638E7} - C:\WINDOWS\system32\vtspp.dll (file missing)
O2 - BHO: (no name) - {1FB63E52-4D6E-48C1-A08F-F630FE50F337} - C:\WINDOWS\system32\jkkjhfd.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\System32\lssas.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Office Suite 3.0.lnk = C:\Program Files\Office Suite3.0\program\quickstart.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: jkkjhfd - C:\WINDOWS\SYSTEM32\jkkjhfd.dll
O20 - Winlogon Notify: winghd32 - C:\WINDOWS\SYSTEM32\winghd32.dll
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MySQL - Unknown owner - C:\Documents and Settings\Los Angeles\mysql-noinstall-5.0.45-win32\mysql-5.0.45-win32\bin\mysqld-nt.exe" MySQL (file missing)
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
ComboFix.log
"Los Angeles" - 2007-07-23 15:19:38 - ComboFix 07-07-23.6 - Service Pack 2 NTFS
(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\awtqpom.dll
C:\WINDOWS\system32\cbxxuvu.dll
C:\WINDOWS\system32\gebbxwu.dll
C:\WINDOWS\system32\ljjhhed.dll
C:\WINDOWS\system32\tuvtusq.dll
C:\WINDOWS\system32\urqqron.dll
C:\WINDOWS\system32\awtqpom.dll
C:\WINDOWS\system32\cbxxuvu.dll
C:\WINDOWS\system32\gebbxwu.dll
C:\WINDOWS\system32\ljjhhed.dll
C:\WINDOWS\system32\tuvtusq.dll
C:\WINDOWS\system32\urqqron.dll
C:\WINDOWS\system32\winghd32.dll
C:\WINDOWS\system32\jkkjhfd.dll
C:\WINDOWS\system32\jkkjhfd.dll
* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\mit.bat
C:\WINDOWS\system32\racle~1
((((((((((((((((((((((((( Files Created from 2007-06-23 to 2007-07-23 )))))))))))))))))))))))))))))))
2007-07-23 15:18 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-23 14:32 266,336 --a------ C:\WINDOWS\system32\byvss.dll
2007-07-23 08:31 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-07-22 21:57 <DIR> d-------- C:\button
2007-07-22 13:21 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-22 13:21 208,248 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-22 11:15 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-07-22 09:37 <DIR> d-------- C:\DOCUME~1\LOSANG~1\.housecall6.6
2007-07-22 02:34 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-07-21 23:15 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\devphp
2007-07-21 22:59 <DIR> d--hs---- C:\WINDOWS\CSC
2007-07-21 22:44 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DoctorWeb
2007-07-21 18:55 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-07-21 08:54 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-19 16:01 <DIR> d-------- C:\VundoFix Backups
2007-07-19 12:09 81,024 --a------ C:\WINDOWS\system32\drivers\msfwdrv.sys
2007-07-19 12:09 105,856 --a------ C:\WINDOWS\system32\drivers\msfwhlpr.sys
2007-07-19 11:44 67,784 --a------ C:\WINDOWS\system32\drivers\MpFilter.sys
2007-07-19 11:44 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2007-07-19 11:40 <DIR> d-------- C:\DOCUME~1\LOSANG~1\fp-def
2007-07-19 11:38 <DIR> d-------- C:\DOCUME~1\LOSANG~1\f-prot
2007-07-19 11:17 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-07-19 07:31 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-07-19 01:12 <DIR> d-------- C:\Program Files\DVDFab Decrypter 3
2007-07-19 00:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD Shrink
2007-07-19 00:57 <DIR> d-------- C:\Program Files\DVD Shrink
2007-07-18 23:48 266,262 --a------ C:\WINDOWS\system32\cbxwt.dll
2007-07-18 22:02 <DIR> d-------- C:\Program Files\Symantec
2007-07-18 22:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-07-18 22:00 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-07-18 17:44 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-07-18 16:52 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-07-18 16:52 0 --a------ C:\WINDOWS\system32\SBFC.dat
2007-07-18 16:45 <DIR> d-------- C:\DOCUME~1\LOSANG~1\APPLIC~1\Sunbelt Software
2007-07-18 16:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sunbelt Software
2007-07-18 16:18 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-07-18 15:50 786,432 --a------ C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-07-17 20:58 <DIR> d-------- C:\Program Files\FileZilla
2007-07-17 19:49 <DIR> d-------- C:\DOCUME~1\LOSANG~1\APPLIC~1\TrojanHunter
2007-07-17 19:28 <DIR> d-------- C:\Program Files\Dev-PHP2
2007-07-17 19:28 <DIR> d-------- C:\DOCUME~1\LOSANG~1\APPLIC~1\DevPHP
2007-07-17 15:02 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-07-17 15:01 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-07-17 14:59 <DIR> d-------- C:\Program Files\TrojanHunter 4.7
2007-07-14 18:09 <DIR> d-------- C:\WINDOWS\provisioning
2007-07-14 18:09 <DIR> d-------- C:\WINDOWS\peernet
2007-07-14 17:58 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-07-14 17:33 <DIR> d-------- C:\wamp
2007-07-14 17:30 <DIR> d-------- C:\WINDOWS\EHome
2007-07-14 17:06 4,569 --a------ C:\WINDOWS\system32\secupd.dat
2007-07-14 17:06 11,776 --a------ C:\WINDOWS\system32\spnpinst.exe
2007-07-14 16:33 <DIR> d-------- C:\Program Files\Zend
2007-07-14 16:31 <DIR> d-------- C:\Program Files\Apache Group
2007-07-14 16:15 <DIR> d-------- C:\home
2007-07-14 15:22 <DIR> d-------- C:\DOCUME~1\LOSANG~1\APPLIC~1\WinRAR
2007-07-14 02:38 <DIR> d-------- C:\DOCUME~1\LOSANG~1\race
2007-07-14 02:38 <DIR> d-------- C:\DOCUME~1\LOSANG~1\HOWTO_transcode_divx_to_dvd_files
2007-07-14 02:38 <DIR> d-------- C:\DOCUME~1\LOSANG~1\fla
2007-07-14 02:38 <DIR> d-------- C:\DOCUME~1\LOSANG~1\Documents
2007-07-14 02:38 <DIR> d-------- C:\DOCUME~1\LOSANG~1\all2dvd_wiki_files
2007-07-14 02:38 <DIR> d-------- C:\DOCUME~1\LOSANG~1\280607655_files
2007-07-14 02:38 <DIR> d-------- C:\DOCUME~1\LOSANG~1\.fontconfig
2007-07-14 02:38 <DIR> d-------- C:\DOCUME~1\LOSANG~1\.BitTornado
2007-07-14 02:37 <DIR> d-------- C:\DOCUME~1\LOSANG~1\www.spoj.pl
2007-07-14 02:37 <DIR> d-------- C:\DOCUME~1\LOSANG~1\www.nsa.gov
2007-07-14 02:37 <DIR> d-------- C:\DOCUME~1\LOSANG~1\www.math.tau.ac.il
2007-07-14 02:37 <DIR> d-------- C:\DOCUME~1\LOSANG~1\www.intel.com
2007-07-14 02:37 <DIR> d-------- C:\DOCUME~1\LOSANG~1\www.cs.purdue.edu
2007-07-14 02:37 <DIR> d-------- C:\DOCUME~1\LOSANG~1\www.cis.njit.edu
2007-07-14 02:37 <DIR> d-------- C:\DOCUME~1\LOSANG~1\www.bio.ifi.lmu.de
2007-07-14 02:37 <DIR> d-------- C:\DOCUME~1\LOSANG~1\webreprints.djreprints.com
2007-07-14 02:37 <DIR> d-------- C:\DOCUME~1\LOSANG~1\siamdl.aip.org
2007-07-14 02:37 <DIR> d-------- C:\DOCUME~1\LOSANG~1\Mac.OS.X.Tiger.CD.Kit
2007-07-14 02:37 <DIR> d-------- C:\DOCUME~1\LOSANG~1\forums.topcoder.com
2007-07-14 02:37 <DIR> d-------- C:\DOCUME~1\LOSANG~1\csf.topcoder.com
2007-07-14 02:37 <DIR> d-------- C:\DOCUME~1\LOSANG~1\acmicpc-live-archive.uva.es
2007-07-14 02:37 <DIR> d-------- C:\DOCUME~1\LOSANG~1\acm.uva.es
2007-07-14 02:37 <DIR> d-------- C:\DOCUME~1\LOSANG~1\acm.sgu.ru
2007-07-14 02:37 <DIR> d-------- C:\DOCUME~1\LOSANG~1\acm.pku.edu.cn
2007-07-14 02:35 <DIR> d-------- C:\DOCUME~1\LOSANG~1\rt73-cvs-2007032105
2007-07-14 02:35 <DIR> d-------- C:\DOCUME~1\LOSANG~1\rt2x00-2.0.0-b3
2007-07-14 02:35 <DIR> d-------- C:\DOCUME~1\LOSANG~1\HARDWARE_rt2x00_files
2007-07-14 02:35 <DIR> d-------- C:\DOCUME~1\LOSANG~1\divxtuff
2007-07-14 02:35 <DIR> d-------- C:\DOCUME~1\LOSANG~1\.ssh
2007-07-14 02:35 <DIR> d-------- C:\DOCUME~1\LOSANG~1\.ncftp
2007-07-14 02:35 <DIR> d-------- C:\DOCUME~1\LOSANG~1\.mplayer
2007-07-14 02:35 <DIR> d-------- C:\DOCUME~1\LOSANG~1\.config
2007-07-14 02:34 <DIR> d-------- C:\DOCUME~1\LOSANG~1\morris
2007-07-14 02:34 <DIR> d-------- C:\DOCUME~1\LOSANG~1\.icons
2007-07-14 02:34 <DIR> d-------- C:\DOCUME~1\LOSANG~1\.gnome2_private
2007-07-14 02:34 <DIR> d-------- C:\DOCUME~1\LOSANG~1\.gnome2
2007-07-14 02:34 <DIR> d-------- C:\DOCUME~1\LOSANG~1\.gconfd
2007-07-14 02:34 <DIR> d-------- C:\DOCUME~1\LOSANG~1\.gconf
2007-07-14 02:34 <DIR> d-------- C:\DOCUME~1\LOSANG~1\.elinks
2007-07-14 02:34 <DIR> d-------- C:\DOCUME~1\LOSANG~1\.e16
2007-07-14 02:34 <DIR> d-------- C:\DOCUME~1\LOSANG~1\.BitchX
2007-07-14 02:07 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2007-07-14 02:07 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2007-07-14 02:07 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2007-07-14 00:16 52,736 --a------ C:\WINDOWS\system32\drivers\i8042prt.sys
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-06-15 21:37:00 27,376 ----a-w C:\WINDOWS\system32\SBBD.exe
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{185DFFCD-DF15-4C78-A238-9782EE5638E7}]
C:\WINDOWS\system32\vtspp.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe" [2004-10-14 09:11]
"SoundMAX"="C:\Program Files\Analog Devices\SoundMAX\Smax4.exe" [2004-09-23 12:41]
"AGRSMMSG"="AGRSMMSG.exe" [2003-06-27 08:53 C:\WINDOWS\AGRSMMSG.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2006-11-16 21:00]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-06-24 14:34]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-06-24 14:33]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" []
"SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-06-15 15:17]
"OneCareUI"="C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe" [2007-06-11 12:40]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"@"="" []
C:\Documents and Settings\Los Angeles\Start Menu\Programs\Startup\
Office Suite 3.0.lnk - C:\Program Files\Office Suite3.0\program\quickstart.exe [2002-07-04 06:00:00]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Monitor Apache Servers.lnk - C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe [2007-01-09 23:20:44]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Notification Packages scecli ACGina
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\OneCareMP]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SBCSSvc]
R1 ANC;ANC;C:\WINDOWS\system32\drivers\ANC.SYS
R1 IBMTPCHK;IBMTPCHK;\??\C:\WINDOWS\System32\Drivers\IBMBLDID.sys
R1 MSFWHLPR;MSFWHLPR;C:\WINDOWS\system32\DRIVERS\msfwhlpr.sys
R1 PQNTDrv;PQNTDrv;C:\WINDOWS\system32\drivers\PQNTDrv.sys
R2 MSFWDrv;MSFWDrv;C:\WINDOWS\system32\DRIVERS\msfwdrv.sys
R2 msfwsvc;OneCare Firewall;"C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe"
R2 OneCareMP;OneCare AntiSpyware and AntiVirus;"C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe"
R2 SoundMAX Agent Service (default);SoundMAX Agent Service;C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
R3 E100B;Intel(R) PRO Adapter Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 IBMPMDRV;IBMPMDRV;C:\WINDOWS\system32\DRIVERS\ibmpmdrv.sys
R3 MpFilter;Microsoft Malware Protection Driver;C:\WINDOWS\system32\DRIVERS\MpFilter.sys
R3 NSCIRDA;NSC Infrared Device Driver;C:\WINDOWS\system32\DRIVERS\nscirda.sys
R3 SynTP;Synaptics TouchPad Driver;C:\WINDOWS\system32\DRIVERS\SynTP.sys
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbehci.sys
R3 w70n51;Intel(R) PRO/Wireless 7100 Adapter Driver for Windows XP;C:\WINDOWS\system32\DRIVERS\w70n51.sys
S3 aec;Microsoft Kernel Acoustic Echo Canceller;C:\WINDOWS\system32\drivers\aec.sys
S3 SysmonLog;Performance Logs and Alerts;C:\WINDOWS\system32\smlogsvc.exe
S3 wampapache;wampapache;"c:\wamp\apache2\bin\httpd.exe" -k runservice
S3 wampmysqld;wampmysqld;c:\wamp\mysql\bin\mysqld-nt.exe --defaults-file=c:\wamp\mysql\my.ini wampmysqld
S3 WmiApSrv;WMI Performance Adapter;C:\WINDOWS\System32\wbem\wmiapsrv.exe
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-23 15:41:59
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden registry entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\wampmysqld]
"ImagePath"="c:\wamp\mysql\bin\mysqld-nt.exe --defaults-file=c:\wamp\mysql\my.ini wampmysqld"
Completion time: 2007-07-23 15:49:06 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-23 15:48
--- E O F ---
................................................................................
ComboFix - Quarantined File Log ...........................................
........................................................................................
2007-07-12 21:27 19968 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\winghd32.dll.vir
2007-07-16 09:55 31254 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\cbxxuvu.dll.vir
2007-07-18 13:01 31254 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\jkkjhfd.dll.vir
2007-07-18 16:46 31254 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ljjhhed.dll.vir
2007-07-21 11:34 31254 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\awtqpom.dll.vir
2007-07-21 19:56 31254 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tuvtusq.dll.vir
2007-07-21 23:33 31254 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\gebbxwu.dll.vir
2007-07-21 23:34 101 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\mit.bat.vir
2007-07-22 14:51 31254 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\urqqron.dll.vir
2007-07-23 15:32 106 --a------ C:\Qoobox\Quarantine\catchme.log
Folder PATH listing
Volume serial number is 44CD-2819
C:\QOOBOX
\---Quarantine
| catchme.log
|
+---C
| \---WINDOWS
| \---system32
| awtqpom.dll.vir
| cbxxuvu.dll.vir
| gebbxwu.dll.vir
| jkkjhfd.dll.vir
| ljjhhed.dll.vir
| mit.bat.vir
| tuvtusq.dll.vir
| urqqron.dll.vir
| winghd32.dll.vir
|
\---Registry_backups
Hi
The HijackThis log was taken before ComboFix.
Please post a fresh HijackThis log :)
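What a helper reads a fresh HijackThis log for at this point can be automated. The block below is an added example written for this page, not a tool from the thread or from HijackThis: it parses the v1.99.1 line formats posted above and flags the entry types that matter in this case. An O2 BHO marked "(file missing)" is an orphaned CLSID whose DLL is already gone and is safe to fix; an unnamed O2 BHO whose DLL is seven lowercase letters in system32 matches the naming of every Vundo DLL in the ComboFix quarantine listing (jkkjhfd, cbxxuvu, awtqpom and so on), which is a heuristic and can hit legitimate DLLs; an O23 service marked "(file missing)" whose image path is quoted and carries arguments, while the same binary appears in the running-process list (as httpd.exe does in the logs here), is a HijackThis parsing artifact rather than a dead service; an O23 "(file missing)" without those signs is a real stale registration; and an O10 unknown LSP is reported for vendor confirmation. The sample log is a constructed excerpt modelled on the posted logs.

```python
import re
from typing import List, Tuple

# Constructed excerpt modelled on the HijackThis v1.99.1 logs posted in this
# thread (trimmed to the line types the checks below look at).
SAMPLE_HJT_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Explorer.EXE
O2 - BHO: (no name) - {185DFFCD-DF15-4C78-A238-9782EE5638E7} - C:\WINDOWS\system32\vtspp.dll (file missing)
O2 - BHO: (no name) - {1FB63E52-4D6E-48C1-A08F-F630FE50F337} - C:\WINDOWS\system32\jkkjhfd.dll
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe (file missing)
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
"""

ENTRY = re.compile(r"^([RFO]\d+) - (.*)$")
BHO = re.compile(r"^BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.*?)( \(file missing\))?$")
# Heuristic: every Vundo DLL in this thread's quarantine list is seven lowercase
# letters in system32 (jkkjhfd, cbxxuvu, ...). Legitimate DLLs can match too.
RANDOM_DLL = re.compile(r"\\system32\\[a-z]{7}\.dll$", re.IGNORECASE)
MISSING = " (file missing)"

Finding = Tuple[str, str, str]  # (code, subject, explanation)


def parse_hjt(text: str) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Split a log into the running-process list and the (section, body) entries."""
    processes, entries = [], []
    for line in (l.strip() for l in text.splitlines()):
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(2)))
        elif "\\" in line:  # header lines carry no path separators
            processes.append(line)
    return processes, entries


def triage(text: str) -> List[Finding]:
    processes, entries = parse_hjt(text)
    running = {p.rsplit("\\", 1)[-1].lower() for p in processes}
    findings: List[Finding] = []
    for section, body in entries:
        if section == "O2":
            m = BHO.match(body)
            if not m:
                continue
            name, clsid, path, missing = m.groups()
            if missing:
                findings.append(("orphaned-bho", clsid,
                                 "CLSID still registered but the DLL is gone; remove the registration"))
            elif name == "(no name)" and RANDOM_DLL.search(path):
                findings.append(("random-name-bho", path,
                                 "unnamed BHO with a seven-letter DLL name in system32 (Vundo pattern)"))
            elif name == "(no name)":
                findings.append(("unnamed-bho", path, "unnamed BHO; verify the DLL before trusting it"))
        elif section == "O23" and body.endswith(MISSING):
            # Body layout: Service: <display> - <owner> - <image path>[" <args>] (file missing)
            image = body[: -len(MISSING)].rsplit(" - ", 1)[-1]
            exe = re.search(r"([^\\\s]+\.exe)", image, re.IGNORECASE)
            exe_name = exe.group(1).lower() if exe else ""
            if '"' in image and exe_name in running:
                findings.append(("false-missing-service", exe_name,
                                 "quoted image path with arguments; HijackThis misreads it and the binary is running"))
            else:
                findings.append(("dead-service", image,
                                 "service registration points at a binary that is not on disk"))
        elif section == "O10":
            findings.append(("unknown-lsp", body.split(": ", 1)[-1],
                             "Winsock LSP not on the HijackThis whitelist; confirm the vendor"))
    return findings


if __name__ == "__main__":
    for code, subject, why in triage(SAMPLE_HJT_LOG):
        print(f"{code:22} {subject}\n{'':22} {why}")
```

On the sample above this reports the vtspp.dll CLSID as orphaned, jkkjhfd.dll as a Vundo-pattern BHO, the Apache2 "(file missing)" as a parsing artifact because httpd.exe is in the process list, and IBMPMSVC as a genuinely dead service; the O4 and the intact SBCSSvc service produce nothing.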
Logfile of HijackThis v1.99.1
Scan saved at 5:13:51 PM, on 7/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Microsoft Windows OneCare Live\WinSSUI.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Program Files\Office Suite3.0\program\soffice.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\cmd.exe
C:\PROGRA~1\HijackThis\scanner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {185DFFCD-DF15-4C78-A238-9782EE5638E7} - C:\WINDOWS\system32\vtspp.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Office Suite 3.0.lnk = C:\Program Files\Office Suite3.0\program\quickstart.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MySQL - Unknown owner - C:\Documents and Settings\Los Angeles\mysql-noinstall-5.0.45-win32\mysql-5.0.45-win32\bin\mysqld-nt.exe" MySQL (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
Hi
Open HijackThis, click "Do a system scan only" and checkmark this entry:
O2 - BHO: (no name) - {185DFFCD-DF15-4C78-A238-9782EE5638E7} - C:\WINDOWS\system32\vtspp.dll (file missing)
Close all windows, including the browser, and press "Fix checked".
Reboot.
Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions are downloaded, click Next.
Now click on Scan Settings.
In the scan settings, make sure that the following are selected:
- Scan using the following Anti-Virus database:
  - Extended (if available, otherwise Standard)
- Scan Options:
  - Scan Archives
  - Scan Mail Bases
Click OK.
Now, under "Select a target to scan", select My Computer.
The scan will take a while, so be patient and let it run. Once the scan is complete, it will display whether your system has been infected.
Now click on the "Save as Text" button.
Save the file to your desktop.
Copy and paste that information in your next post.
Note for Internet Explorer 7 users: if at any time you have trouble with the Accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the licence is accepted, reset it to 100%.
Post:
- a fresh HijackThis log
- the Kaspersky report
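When the Kaspersky report comes back it lists every scanned object with a verdict, and on a machine that has already been through several cleaners most of the hits sit in scanner quarantines, tool backup folders and System Restore points rather than in live locations. The block below is an added example, not part of the thread and not code from the Kaspersky scanner: it parses report lines in the "path, verdict, action" layout the scanner produces, drops the "Object is locked" noise (open registry hives, event logs and indexes), and sorts the remaining hits into contained (quarantine, backups, restore points), browser cache (downloaded, not necessarily executed) and live. The sample lines are a constructed excerpt whose paths are modelled on this thread's tools and folders, except the last line, which is hypothetical and present only so the live branch is exercised. The list of containment folders is an assumption matched to the tools used here (HouseCall, ComboFix, HijackThis, VundoFix, Spybot).

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed excerpt in the line format of a Kaspersky Online Scanner 5 report.
# Paths are modelled on this thread's tools and folders; the final line is
# hypothetical and only exercises the "live" branch.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DF17HD8N\antzom[1].exe Infected: Trojan.Win32.Dialer.qn skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JZVPH71P\anti4[1].exe Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip/Yazzle1162OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Los Angeles\.housecall6.6\Quarantine\monpower.exe.bac_a03956 Infected: Trojan-Clicker.Win32.Small.mv skipped
C:\Documents and Settings\Los Angeles\.housecall6.6\Quarantine\win20.tmp.exe.bac_a03956 NSIS: infected - 1 skipped
C:\Program Files\HijackThis\backups\backup-20070721-192712-481.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jkkjhfd.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP163\A0020495.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\VundoFix Backups\cbmjkavo.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\hypothetical.dll Infected: Hypothetical.Verdict skipped
"""

# One report line: <path> <verdict> <action>. Paths contain spaces, so the verdict
# alternatives anchor the split; \s+ accepts the scanner's tabs and a pasted copy's spaces.
LINE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<verdict>Infected: \S+|Suspicious: \S+|Object is locked|"
    r"\S+: (?:infected|suspicious) - \d+)"
    r"\s+(?P<action>\S+)$"
)

# Assumed containment locations for the tools used in this thread: scanner
# quarantines, HijackThis/VundoFix/Spybot backups and System Restore.
CONTAINED = (
    "\\quarantine\\", "\\qoobox\\", "\\hijackthis\\backups\\", "\\vundofix backups\\",
    "\\system volume information\\_restore", "\\spybot - search & destroy\\recovery\\",
)
CACHE = ("\\temporary internet files\\",)

Hit = Tuple[str, str]  # (path, verdict)


def classify(path: str) -> str:
    p = path.lower()
    if any(marker in p for marker in CONTAINED):
        return "contained"  # already neutralised; gone once quarantines and restore points are purged
    if any(marker in p for marker in CACHE):
        return "cache"      # landed in the browser cache; evidence of a download, not of execution
    return "live"           # anything else still needs action


def triage_report(text: str) -> Tuple[Dict[str, int], List[Hit], List[Hit]]:
    summary: Counter = Counter()
    live: List[Hit] = []
    cache: List[Hit] = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = LINE.match(line)
        if not m:
            summary["unparsed"] += 1
            continue
        path, verdict = m.group("path"), m.group("verdict")
        if verdict == "Object is locked":
            summary["locked"] += 1  # open hives, event logs, indexes: noise, not findings
            continue
        where = classify(path)
        summary[where] += 1
        if where == "live":
            live.append((path, verdict))
        elif where == "cache":
            cache.append((path, verdict))
    return summary, live, cache


if __name__ == "__main__":
    summary, live, cache = triage_report(SAMPLE_REPORT)
    print(dict(summary))
    for label, hits in (("LIVE", live), ("CACHE", cache)):
        for path, verdict in hits:
            print(f"{label:6} {verdict:48} {path}")
```

The live list is the part that still needs work; contained hits disappear when the quarantines are emptied and System Restore is flushed after the machine is confirmed clean, and cache hits go with the Temporary Internet Files.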
KASPERSKY ONLINE SCANNER REPORT
Thursday, July 26, 2007 9:13:39 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 27/07/2007
Kaspersky Anti-Virus database records: 368293
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 121262
Number of viruses found 8
Number of infected objects 39
Number of suspicious objects 8
Duration of the scan process 02:46:58
Infected Object Name Virus Name Last Action
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DF17HD8N\antzom[1].exe Infected: Trojan.Win32.Dialer.qn skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JZVPH71P\anti4[1].exe Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\OneCare Protection\Support\MPLog-07192007-114721.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Protection Service\edb.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Protection Service\MPSSVCPolicyIdLog.etl Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip/Yazzle1162OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku1.zip/Yazzle1162OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku2.zip/Yazzle1162OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku3.zip/Yazzle1162OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\YazzleSudoku3.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-07-26_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Los Angeles\.housecall6.6\Quarantine\monpower.exe.bac_a03956 Infected: Trojan-Clicker.Win32.Small.mv skipped
C:\Documents and Settings\Los Angeles\.housecall6.6\Quarantine\synmon.exe.bac_a03956 Infected: Trojan-Clicker.Win32.Small.mv skipped
C:\Documents and Settings\Los Angeles\.housecall6.6\Quarantine\syswin.exe.bac_a03956 Infected: Trojan-Clicker.Win32.Small.mv skipped
C:\Documents and Settings\Los Angeles\.housecall6.6\Quarantine\win20.tmp.exe.bac_a03956/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\Los Angeles\.housecall6.6\Quarantine\win20.tmp.exe.bac_a03956 NSIS: infected - 1 skipped
C:\Documents and Settings\Los Angeles\.housecall6.6\Quarantine\win20.tmp.exe.bac_a03956 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Los Angeles\.housecall6.6\Quarantine\winserver.exe.bac_a03956 Infected: Trojan-Clicker.Win32.Small.mv skipped
C:\Documents and Settings\Los Angeles\.housecall6.6\Quarantine\xc42[1].exe.bac_a03956/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\Los Angeles\.housecall6.6\Quarantine\xc42[1].exe.bac_a03956 NSIS: infected - 1 skipped
C:\Documents and Settings\Los Angeles\.housecall6.6\Quarantine\xc42[1].exe.bac_a03956 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Los Angeles\Application Data\Mozilla\Firefox\Profiles\h8g76ty6.default\cert8.db Object is locked skipped
C:\Documents and Settings\Los Angeles\Application Data\Mozilla\Firefox\Profiles\h8g76ty6.default\GoogleToolbarData\googlesafebrowsing.db Object is locked skipped
C:\Documents and Settings\Los Angeles\Application Data\Mozilla\Firefox\Profiles\h8g76ty6.default\history.dat Object is locked skipped
C:\Documents and Settings\Los Angeles\Application Data\Mozilla\Firefox\Profiles\h8g76ty6.default\key3.db Object is locked skipped
C:\Documents and Settings\Los Angeles\Application Data\Mozilla\Firefox\Profiles\h8g76ty6.default\parent.lock Object is locked skipped
C:\Documents and Settings\Los Angeles\Application Data\Mozilla\Firefox\Profiles\h8g76ty6.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Los Angeles\Application Data\Mozilla\Firefox\Profiles\h8g76ty6.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Los Angeles\Application Data\user60.rdb Object is locked skipped
C:\Documents and Settings\Los Angeles\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Los Angeles\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Los Angeles\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Los Angeles\Local Settings\Application Data\Mozilla\Firefox\Profiles\h8g76ty6.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Los Angeles\Local Settings\Application Data\Mozilla\Firefox\Profiles\h8g76ty6.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Los Angeles\Local Settings\Application Data\Mozilla\Firefox\Profiles\h8g76ty6.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Los Angeles\Local Settings\Application Data\Mozilla\Firefox\Profiles\h8g76ty6.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Los Angeles\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Los Angeles\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Los Angeles\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Los Angeles\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Los Angeles\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Apache Software Foundation\Apache2.2\logs\access.log Object is locked skipped
C:\Program Files\Apache Software Foundation\Apache2.2\logs\error.log Object is locked skipped
C:\Program Files\HijackThis\backups\backup-20070721-192712-481.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Ent.dat Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\prov.xml Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\service.xml Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\service.xml.bak Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\user.xml Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\user.xml.bak Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\Database\edb.log Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\Database\tmp.edb Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\Database\WinSS_st.edb Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\onecaremp_log.bin Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\WinSSSvc_log.bin Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\awtqpom.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\cbxxuvu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gebbxwu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jkkjhfd.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ljjhhed.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tuvtusq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\urqqron.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\winghd32.dll.vir Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP139\A0014192.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP142\A0015317.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP145\A0016111.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP146\A0016122.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP154\A0018363.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP160\A0019440.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP160\A0019440.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP160\A0019441.exe Infected: Trojan-Clicker.Win32.Small.mv skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP163\A0020489.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP163\A0020490.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP163\A0020491.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP163\A0020492.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP163\A0020493.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP163\A0020494.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP163\A0020495.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP163\A0020497.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP168\change.log Object is locked skipped
C:\VundoFix Backups\cbmjkavo.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\VundoFix Backups\wdhxaoqe.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Prefetch\layout.ini Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\MSFWSVC.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\Windows_OneCare_Evt.evt Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.
///////////////////////////////////////////////////////////////////////////////
////////////////////////////HiJackThis.log ////////////////////////////////////
///////////////////////////////////////////////////////////////////////////////
Logfile of HijackThis v1.99.1
Scan saved at 5:29:52 PM, on 7/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Office Suite3.0\program\soffice.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Microsoft Windows OneCare Live\WinSSUI.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Adobe\Adobe Dreamweaver CS3\Dreamweaver.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\PROGRA~1\HijackThis\scanner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {185DFFCD-DF15-4C78-A238-9782EE5638E7} - C:\WINDOWS\system32\vtspp.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Office Suite 3.0.lnk = C:\Program Files\Office Suite3.0\program\quickstart.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MySQL - Unknown owner - C:\Documents and Settings\Los Angeles\mysql-noinstall-5.0.45-win32\mysql-5.0.45-win32\bin\mysqld-nt.exe" MySQL (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
Hi
Did you have trouble removing this entry?
O2 - BHO: (no name) - {185DFFCD-DF15-4C78-A238-9782EE5638E7} - C:\WINDOWS\system32\vtspp.dll (file missing)
Empty these folders:
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery
C:\Documents and Settings\Los Angeles\.housecall6.6\Quarantine
C:\QooBox\Quarantine\
C:\VundoFix Backups
Empty Recycle Bin
Please download ATF Cleaner by Atribune (http://www.atribune.org/ccount/click.php?id=1) and save it to the desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browser
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit to close ATF-Cleaner.
Re-scan with Kaspersky
Post:
- a fresh HijackThis log
- Kaspersky report
I don't remember any unpleasant dialogues with HJT about removing or fixing anything and there are no BHOs in any recent HJT scans. I'll post the log after this Kaspersky scan in a few hours.
//////////////////////Kaspersky log//////////////
////////////////////////////////////////////////////
KASPERSKY ONLINE SCANNER REPORT
Friday, July 27, 2007 4:46:57 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 27/07/2007
Kaspersky Anti-Virus database records: 368293
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 121219
Number of viruses found 7
Number of infected objects 19
Number of suspicious objects 0
Duration of the scan process 02:53:51
Infected Object Name Virus Name Last Action
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DF17HD8N\antzom[1].exe Infected: Trojan.Win32.Dialer.qn skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JZVPH71P\anti4[1].exe Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Program Files\HijackThis\backups\backup-20070721-192712-481.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP139\A0014192.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP142\A0015317.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP145\A0016111.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP146\A0016122.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP154\A0018363.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP160\A0019440.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP160\A0019440.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP160\A0019441.exe Infected: Trojan-Clicker.Win32.Small.mv skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP163\A0020489.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP163\A0020490.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP163\A0020491.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP163\A0020492.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP163\A0020493.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP163\A0020494.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP163\A0020495.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP163\A0020497.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
Scan process completed.
/////////////////////////////////////////////////////////////
//////////////////////// HJT Log //////////////////////////
////////////////////////////////////////////////////////////
Logfile of HijackThis v1.99.1
Scan saved at 4:51:45 PM, on 7/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Program Files\Office Suite3.0\program\soffice.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Los Angeles\putty\PUTTY.EXE
C:\PROGRA~1\Adobe\ADOBEF~2\Flash.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\HijackThis\scanner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Office Suite 3.0.lnk = C:\Program Files\Office Suite3.0\program\quickstart.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MySQL - Unknown owner - C:\Documents and Settings\Los Angeles\mysql-noinstall-5.0.45-win32\mysql-5.0.45-win32\bin\mysqld-nt.exe" MySQL (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
Hi
Please download the Killbox (http://download.bleepingcomputer.com/spyware/KillBox.exe).
Save it to the desktop.
Please run Killbox.
Select "Delete on Reboot" and "All files"
Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\DF17HD8N\antzom[1].exe
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\JZVPH71P\anti4[1].exe
Go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.
If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here (http://www.eudaemonia.me.uk/downloads/Files/missingfilesetup.exe) to download and run missingfilesetup.exe. Then try TheKillbox again.
If your computer does not restart automatically, please restart it manually.
Empty this folder:
C:\!KillBox
Empty Recycle Bin
Re-scan with Kaspersky
Post:
- a fresh HijackThis log
- Kaspersky report
Logfile of HijackThis v1.99.1
Scan saved at 5:54:50 PM, on 7/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\Program Files\ThinkPad\ConnectUtilities\SvcGuiHlpr.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
C:\Program Files\Office Suite3.0\program\soffice.exe
C:\WINDOWS\system32\cmd.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\HijackThis\scanner.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Office Suite 3.0.lnk = C:\Program Files\Office Suite3.0\program\quickstart.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Software Foundation\Apache2.2\bin\ApacheMonitor.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase8300.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ac Profile Manager Service (AcPrfMgrSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcPrfMgrSvc.exe
O23 - Service: Access Connections Main Service (AcSvc) - Lenovo - C:\Program Files\ThinkPad\ConnectUtilities\AcSvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Software Foundation\Apache2.2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe" /h ccCommon (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\System32\ibmpmsvc.exe (file missing)
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MySQL - Unknown owner - C:\Documents and Settings\Los Angeles\mysql-noinstall-5.0.45-win32\mysql-5.0.45-win32\bin\mysqld-nt.exe" MySQL (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: wampapache - Unknown owner - c:\wamp\apache2\bin\httpd.exe" -k runservice (file missing)
O23 - Service: wampmysqld - Unknown owner - c:\wamp\mysql\bin\mysqld-nt.exe
KASPERSKY ONLINE SCANNER REPORT
Saturday, July 28, 2007 5:51:58 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 29/07/2007
Kaspersky Anti-Virus database records: 369030
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 121366
Number of viruses found 7
Number of infected objects 19
Number of suspicious objects 0
Duration of the scan process 02:40:55
Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\OneCare Protection\Support\MPLog-07192007-114721.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Protection Service\edb.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Protection Service\MPSSVCPolicyIdLog.etl Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-07-28_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Los Angeles\Application Data\Mozilla\Firefox\Profiles\h8g76ty6.default\cert8.db Object is locked skipped
C:\Documents and Settings\Los Angeles\Application Data\Mozilla\Firefox\Profiles\h8g76ty6.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Los Angeles\Application Data\Mozilla\Firefox\Profiles\h8g76ty6.default\GoogleToolbarData\googlesafebrowsing.db Object is locked skipped
C:\Documents and Settings\Los Angeles\Application Data\Mozilla\Firefox\Profiles\h8g76ty6.default\history.dat Object is locked skipped
C:\Documents and Settings\Los Angeles\Application Data\Mozilla\Firefox\Profiles\h8g76ty6.default\key3.db Object is locked skipped
C:\Documents and Settings\Los Angeles\Application Data\Mozilla\Firefox\Profiles\h8g76ty6.default\parent.lock Object is locked skipped
C:\Documents and Settings\Los Angeles\Application Data\Mozilla\Firefox\Profiles\h8g76ty6.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Los Angeles\Application Data\Mozilla\Firefox\Profiles\h8g76ty6.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Los Angeles\Application Data\user60.rdb Object is locked skipped
C:\Documents and Settings\Los Angeles\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Los Angeles\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Los Angeles\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Los Angeles\Local Settings\Application Data\Mozilla\Firefox\Profiles\h8g76ty6.default\Cache\9D34EEBAd01 Object is locked skipped
C:\Documents and Settings\Los Angeles\Local Settings\Application Data\Mozilla\Firefox\Profiles\h8g76ty6.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Los Angeles\Local Settings\Application Data\Mozilla\Firefox\Profiles\h8g76ty6.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Los Angeles\Local Settings\Application Data\Mozilla\Firefox\Profiles\h8g76ty6.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Los Angeles\Local Settings\Application Data\Mozilla\Firefox\Profiles\h8g76ty6.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Los Angeles\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Los Angeles\Local Settings\Temp\~DFB3CC.tmp Object is locked skipped
C:\Documents and Settings\Los Angeles\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Los Angeles\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Los Angeles\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Los Angeles\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Apache Software Foundation\Apache2.2\logs\access.log Object is locked skipped
C:\Program Files\Apache Software Foundation\Apache2.2\logs\error.log Object is locked skipped
C:\Program Files\HijackThis\backups\backup-20070721-192712-481.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Ent.dat Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\prov.xml Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\service.xml Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\service.xml.bak Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\user.xml Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\ClientSD\Prov\user.xml.bak Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\Database\edb.log Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\Database\tmp.edb Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\Database\WinSS_st.edb Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\onecaremp_log.bin Object is locked skipped
C:\Program Files\Microsoft Windows OneCare Live\WinSSSvc_log.bin Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP139\A0014192.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP142\A0015317.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP145\A0016111.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP146\A0016122.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP154\A0018363.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP160\A0019440.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP160\A0019440.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP160\A0019441.exe Infected: Trojan-Clicker.Win32.Small.mv skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP163\A0020489.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP163\A0020490.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP163\A0020491.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP163\A0020492.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP163\A0020493.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP163\A0020494.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP163\A0020495.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP163\A0020497.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP169\A0023611.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP169\A0023612.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}\RP169\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Prefetch\layout.ini Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{F421C4E9-8262-4A22-A93F-0D224C56845B}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\MSFWSVC.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\Windows_OneCare_Evt.evt Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.
Hi
Logs look good.
All viruses are in system restore and inactive.
I'll give you instructions later on how to empty it.
Other than that, any problems left?
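The verdict above rests on where each detection sits: everything Kaspersky flagged is under a System Restore point or in HijackThis's own backup folder, so nothing is executing. This added script (not from the thread) applies that triage to report lines in the format posted; the sample lines are constructed to mirror the report, and the "EXAMPLE-live.dll" entry is a made-up path showing what a live finding would look like.

```python
"""Triage a Kaspersky Online Scanner report: separate detections that are live
on the system from those parked in System Restore points or tool backups."""
import re

RESTORE_MARK = "\\system volume information\\_restore"
TOOL_BACKUP_MARKS = ("\\hijackthis\\backups\\",)

# Report layout is "<path> <verdict> <action>"; paths may contain spaces, so the
# path group is non-greedy and the verdict keyword anchors the split.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) (?P<action>\S+)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked (?P<action>\S+)$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) NSIS: infected - \d+ (?P<action>\S+)$")

# Constructed sample lines; the last "Infected" line is a made-up live hit.
LIVE_LINE = ("C:\\WINDOWS\\system32\\EXAMPLE-live.dll "
             "Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped")
SAMPLE_REPORT = "\n".join([
    "C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped",
    "C:\\Program Files\\HijackThis\\backups\\backup-20070721-192712-481.dll "
    "Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped",
    "C:\\System Volume Information\\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}"
    "\\RP163\\A0020495.dll Infected: Trojan.Win32.Dialer.qn skipped",
    "C:\\System Volume Information\\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}"
    "\\RP160\\A0019440.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped",
    "C:\\System Volume Information\\_restore{87B5B58C-D29B-4D56-9092-447F66A3447F}"
    "\\RP160\\A0019440.exe NSIS: infected - 1 skipped",
    LIVE_LINE,
    "Scan process completed.",
])


def classify_path(path):
    """Where the object lives decides whether a detection is a live threat."""
    p = path.lower().split("/", 1)[0]  # drop archive-member suffix such as .exe/data0002
    if RESTORE_MARK in p:
        return "restore_point"
    if any(mark in p for mark in TOOL_BACKUP_MARKS):
        return "tool_backup"
    return "live"


def triage(report_text):
    """Bucket every report line; 'live' holds detections outside restore/backup areas."""
    result = {"live": [], "restore_point": [], "tool_backup": [], "locked": 0, "containers": 0}
    for line in report_text.splitlines():
        line = line.strip()
        m = INFECTED_RE.match(line)
        if m:
            result[classify_path(m["path"])].append((m["path"], m["verdict"], m["action"]))
        elif LOCKED_RE.match(line):
            result["locked"] += 1      # in-use system files; not a finding
        elif CONTAINER_RE.match(line):
            result["containers"] += 1  # archive summary; its members are listed separately
    return result


def is_clean(report_text):
    """True when every detection sits in a restore point or a tool's backup folder."""
    return not triage(report_text)["live"]
```

Clearing the restore points (the step the helper promises next) removes the "restore_point" bucket; the "tool_backup" entries go when HijackThis's backups are deleted.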
Seems to be clean. Boots a little bit slower than I remember it did when I first got it... but that may be the 3 different anti-virus/spyware programs and some of the other services I had installed since. Thanks!
Hi
Then you're clean!
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:
Disable and Enable System Restore. - If you are using Windows XP then you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
You can find instructions on how to disable and re-enable system restore here:
Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)
Re-enable system restore with instructions from the tutorial above.
Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
Use an AntiVirus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
See this link for a listing of some online & their stand-alone antivirus programs:
Virus, Spyware, and Malware Protection and Removal Resources (http://www.bleepingcomputer.com/forums/topic405.html)
Update your AntiVirus Software - It is imperative that you update your Antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch any of the new variants that may come out.
Use a Firewall - I cannot stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a Firewall in its default configuration can lower your risk greatly.
For a tutorial on Firewalls and a listing of some available ones see the link below:
Understanding and Using Firewalls (http://www.bleepingcomputer.com/tutorials/tutorial60.html)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Install Ad-Aware - Install and download Ad-Aware. You should also scan your computer with the program on a regular basis just as you would with antivirus software, in conjunction with Spybot.
A tutorial on installing & using this product can be found here:
Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Install Spybot - Search and Destroy - Install and download Spybot - Search and Destroy with its TeaTimer option.
This will provide real-time spyware & hijacker protection on your computer alongside your virus protection. You should also scan your computer with the program on a regular basis just as you would with antivirus software. A tutorial on installing & using this product can be found here:
Instructions for - Spybot S & D and Ad-aware (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.
A tutorial on installing & using this product can be found here:
Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.
Here are some additional utilities that will enhance your safety
IE/Spyad (http://www.spywarewarrior.com/uiuc/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (Cookies etc) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar (http://toolbar.google.com/) <= Get the free Google Toolbar to help stop pop-up windows.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.
Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)
Happy surfing and stay clean!
Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
Everyone else please begin a New Topic.
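The six Custom Level settings listed under "Make your Internet Explorer more secure" are stored as DWORD values under the Internet zone's registry key (zone 3), using Microsoft's documented URL-action value names (Enable = 0, Prompt = 1, Disable = 3). This added script, not from the thread, audits a snapshot of those values against the recommended ones and renders a .reg fragment for any that fall short; the current-value snapshot is constructed, and on a Windows host it would be read with winreg from the key named in HKCU_ZONE3_KEY.

```python
"""Audit IE's Internet zone (zone 3) against the hardening settings recommended in
the thread and emit a .reg fragment for the values that are more permissive."""

HKCU_ZONE3_KEY = (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion"
                  r"\Internet Settings\Zones\3")
ENABLE, PROMPT, DISABLE = 0, 1, 3  # IE action values; lower means more permissive

# Registry value name -> (Custom Level label, recommended action), as in the post.
RECOMMENDED = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# Constructed snapshot of a machine whose zone 3 still allows two of the actions.
CONSTRUCTED_CURRENT = {"1001": ENABLE, "1004": DISABLE, "1201": DISABLE,
                       "1800": PROMPT, "1804": PROMPT, "1607": ENABLE}


def audit(current):
    """Return (value_name, label, current, recommended) for each weaker-than-recommended
    setting. A missing value is reported too: IE then falls back to the zone template,
    so the auditor cannot vouch for it."""
    findings = []
    for name, (label, want) in RECOMMENDED.items():
        have = current.get(name)
        if have is None or have < want:
            findings.append((name, label, have, want))
    return findings


def to_reg(findings):
    """Render a Registry Editor 5.00 file that sets the recommended values."""
    out = ["Windows Registry Editor Version 5.00", "", f"[{HKCU_ZONE3_KEY}]"]
    for name, label, _have, want in findings:
        out.append(f"; {label}")
        out.append(f'"{name}"=dword:{want:08x}')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(to_reg(audit(CONSTRUCTED_CURRENT)))
```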