
Help! SpoonUninstall.exe Trojan? (HJT & Combofix Log included)



johnreese
2007-07-29, 03:57
Hi

To my shock today when I booted up my computer I received this message:

http://img512.imageshack.us/img512/2640/trojanhorse28julywx9.gif

A quick Google led me to this excellent forum. I have followed the common instructions on a few threads, did a ComboFix and an SAS scan along with HijackThis. Here are the logs, I'd appreciate it if someone could help me remove this trojan.

Hijack This Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:08:00, on 29/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$PROVIDUSSTD\Binn\sqlservr.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Desktop Notepad\Desktop Notepad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TorCP\torcp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Privoxy\privoxy.exe
C:\Program Files\Tor\tor.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://freemail.asiamail.com/scripts/common/index.main?signin=1&lang=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=82.2.236.201:12678
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DNP] C:\Program Files\Desktop Notepad\Desktop Notepad.exe
O4 - HKLM\..\Run: [ACT_APL] "C:\Program Files\ACT\ACT for Windows\ACT_APL.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TorCP] C:\Program Files\TorCP\torcp.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O4 - Global Startup: Logo Calibration Loader.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe
O4 - Global Startup: ProfileReminder.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center 11\DMDownload.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5376B9CB-F9F8-408F-B7F8-314AB50F497C}: NameServer = 195.74.113.58,195.74.113.62
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DirectX Service (DirectNubn) - Unknown owner - C:\WINDOWS\system32\directx.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

--
End of file - 9765 bytes

=========> Continued next post... too long to fit all in one.

johnreese
2007-07-29, 03:58
Combofix Log:

"john" - 2007-07-28 22:16:33 [GMT 1:00] - ComboFix 07-07-24 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-28 )))))))))))))))))))))))))))))))


2007-07-28 22:15 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-28 22:11 <DIR> d-------- C:\Program Files\Trend Micro


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-28 21:00:03 -------- d-----w C:\DOCUME~1\john\APPLIC~1\Tor
2007-07-28 20:24:07 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-07-28 20:23:10 -------- d-----w C:\DOCUME~1\john\APPLIC~1\Skype
2007-07-27 22:07:47 -------- d-----w C:\Program Files\eMule
2007-07-27 00:50:03 -------- d-----w C:\DOCUME~1\john\APPLIC~1\uTorrent
2007-07-21 18:06:16 -------- d-----w C:\DOCUME~1\john\APPLIC~1\MySQL
2007-07-20 23:50:04 -------- d-----w C:\Program Files\digiXMAS
2007-06-27 17:51:15 -------- d-----w C:\Program Files\wamp
2007-06-16 14:41:30 -------- d-----w C:\Program Files\Web Scraper Plus+
2007-06-16 14:40:25 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-16 14:27:00 -------- d-----w C:\Program Files\Microsoft SQL Server
2007-06-15 23:36:43 -------- d-----w C:\Program Files\screen-scraper basic edition
2007-06-06 23:26:19 -------- d-----w C:\Program Files\Colorimeter_HCFR
2007-06-05 22:34:27 1,793 ----a-w C:\DOCUME~1\john\APPLIC~1\SAS7_000.DAT
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2006-02-17 01:12:07 54,311 ----a-w C:\Program Files\tor-bundle-uninstall.exe
2006-02-11 00:41:03 26,657 ----a-w C:\Program Files\BUNDLE_LICENSE
2007-04-20 21:22:01 56 --sh--r C:\WINDOWS\system32\76810C1E7C.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 17:48]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 23:20 C:\WINDOWS\STSYSTRA.EXE]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-04-14 21:05]
"IntelMeM"="C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe" [2003-09-03 20:12]
"AnyDVD"="C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" [2006-05-20 17:34]
"SnoopFreeUI"="SnoopFreeUI.exe" [2005-12-16 01:54 C:\WINDOWS\SnoopFreeUI.exe]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-19 22:36]
"Comodo Firewall"="C:\Program Files\Comodo\Firewall\CPF.exe" [2006-09-16 02:20]
"@"="" []
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 17:15]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-03-04 06:40]
"DNP"="C:\Program Files\Desktop Notepad\Desktop Notepad.exe" [2007-03-25 10:31]
"ACT_APL"="C:\Program Files\ACT\ACT for Windows\ACT_APL.exe" [2005-09-14 20:02]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"TorCP"="C:\Program Files\TorCP\torcp.exe" [2005-12-11 20:51]

C:\Documents and Settings\john\Start Menu\Programs\Startup\
Privoxy.lnk - C:\Program Files\Privoxy\privoxy.exe [2004-01-31 12:18:30]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logo Calibration Loader.lnk - C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe [2007-02-09 01:25:22]
ProfileReminder.lnk - C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe [2007-02-09 01:25:23]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^john^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\john\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
"C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Samsung PanelMgr]
C:\WINDOWS\Samsung\PanelMgr\ssmmgr.exe /autorun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSBkgdUpdate]
C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UVS10 Preload]
C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet

R0 Inspect;Comodo Network Engine;C:\WINDOWS\system32\DRIVERS\inspect.sys
R1 avgio;avgio;\??\C:\Program Files\AntiVir PersonalEdition Classic\avgio.sys
R1 avipbb;avipbb;C:\WINDOWS\system32\DRIVERS\avipbb.sys
R1 Cinemsup;Cinemsup;C:\WINDOWS\system32\drivers\Cinemsup.sys
R1 CmdMon;Comodo Application Engine;C:\WINDOWS\system32\DRIVERS\cmdmon.sys
R1 sscdbhk5;sscdbhk5;C:\WINDOWS\system32\drivers\sscdbhk5.sys
R1 ssrtln;ssrtln;C:\WINDOWS\system32\drivers\ssrtln.sys
R2 ASCTRM;ASCTRM;C:\WINDOWS\system32\drivers\ASCTRM.sys
R2 drvnddm;drvnddm;C:\WINDOWS\system32\drivers\drvnddm.sys
R2 ElbyCDIO;ElbyCDIO Driver;C:\WINDOWS\system32\Drivers\ElbyCDIO.sys
R2 MSSQL$ACT7;MSSQL$ACT7;C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe -sACT7
R2 MSSQL$PROVIDUSSTD;MSSQL$PROVIDUSSTD;C:\Program Files\Microsoft SQL Server\MSSQL$PROVIDUSSTD\Binn\sqlservr.exe -sPROVIDUSSTD
R2 NetFxUpdate_v1.1.4322;Microsoft .NET Framework v1.1.4322 Update;C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
R2 PDIHWCTL;PDIHWCTL;\??\C:\WINDOWS\system32\drivers\pdihwctl.sys
R2 tfsnboio;tfsnboio;C:\WINDOWS\system32\dla\tfsnboio.sys
R2 tfsncofs;tfsncofs;C:\WINDOWS\system32\dla\tfsncofs.sys
R2 tfsndrct;tfsndrct;C:\WINDOWS\system32\dla\tfsndrct.sys
R2 tfsndres;tfsndres;C:\WINDOWS\system32\dla\tfsndres.sys
R2 tfsnifs;tfsnifs;C:\WINDOWS\system32\dla\tfsnifs.sys
R2 tfsnopio;tfsnopio;C:\WINDOWS\system32\dla\tfsnopio.sys
R2 tfsnpool;tfsnpool;C:\WINDOWS\system32\dla\tfsnpool.sys
R2 tfsnudf;tfsnudf;C:\WINDOWS\system32\dla\tfsnudf.sys
R2 tfsnudfa;tfsnudfa;C:\WINDOWS\system32\dla\tfsnudfa.sys
R3 AnyDVD;AnyDVD;C:\WINDOWS\system32\Drivers\AnyDVD.sys
R3 avgntflt;avgntflt;\??\C:\Program Files\AntiVir PersonalEdition Classic\avgntflt.sys
R3 E100B;Intel(R) PRO Network Connection Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 IntelC51;IntelC51;C:\WINDOWS\system32\DRIVERS\IntelC51.sys
R3 IntelC52;IntelC52;C:\WINDOWS\system32\DRIVERS\IntelC52.sys
R3 IntelC53;IntelC53;C:\WINDOWS\system32\DRIVERS\IntelC53.sys
R3 mohfilt;mohfilt;C:\WINDOWS\system32\DRIVERS\mohfilt.sys
R3 STHDA;High Definition Audio Driver (WDM) - SigmaTel CODEC;C:\WINDOWS\system32\drivers\sthda.sys
S2 DgiVecp;Team MFP Comm Driver;C:\WINDOWS\system32\Drivers\DgiVecp.sys
S2 DirectNubn;DirectX Service;C:\WINDOWS\system32\directx.exe
S2 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe
S3 61883;61883 Unit Device;C:\WINDOWS\system32\DRIVERS\61883.sys
S3 Avc;AVC Device;C:\WINDOWS\system32\DRIVERS\avc.sys
S3 AVCSTRM;AVC Streaming Filter Driver;C:\WINDOWS\system32\DRIVERS\avcstrm.sys
S3 Bridge;MAC Bridge;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 BridgeMP;MAC Bridge Miniport;C:\WINDOWS\system32\DRIVERS\bridge.sys
S3 eyeonedp;eye-one display;C:\WINDOWS\system32\DRIVERS\eyeonedp.sys
S3 MSDV;Microsoft DV Camera and VCR;C:\WINDOWS\system32\DRIVERS\msdv.sys
S3 MSSQL$SONY_MEDIAMGR;MSSQL$SONY_MEDIAMGR;C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlservr.exe -sSONY_MEDIAMGR
S3 MSTAPE;Microsoft AV/C Tape Subunit Device;C:\WINDOWS\system32\DRIVERS\mstape.sys
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\NSNDIS5.SYS
S3 PRISM_A02;Belkin 54Mbps Wireless USB Network Adapter;C:\WINDOWS\system32\DRIVERS\PRISMAXP.sys
S3 RIOUNIV;Rio universal USB driver;C:\WINDOWS\system32\Drivers\RIOUNIV.sys
S3 SKYNETU;TechniSat DVB-PC TV Star USB;C:\WINDOWS\system32\DRIVERS\SkyNETU.SYS
S3 SM_SUGE1_FUService;SUGE1 Status Monitor Service;"C:\Program Files\Samsung\Samsung SCX-4200 Series\SPanel\ssmsrvc /Service
S3 SQLAgent$ACT7;SQLAgent$ACT7;C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlagent.EXE -i ACT7
S3 SQLAgent$PROVIDUSSTD;SQLAgent$PROVIDUSSTD;C:\Program Files\Microsoft SQL Server\MSSQL$PROVIDUSSTD\Binn\sqlagent.EXE -i PROVIDUSSTD
S3 SQLAgent$SONY_MEDIAMGR;SQLAgent$SONY_MEDIAMGR;C:\Program Files\Sony\Shared Plug-Ins\Media Manager\MSSQL$SONY_MEDIAMGR\Binn\sqlagent.EXE -i SONY_MEDIAMGR
S3 ssmdrv;ssmdrv;C:\WINDOWS\system32\DRIVERS\ssmdrv.sys
S3 wampapache;wampapache;"C:\Program Files\wamp\apache2\bin\httpd.exe" -k runservice
S3 wampmysqld;wampmysqld;"C:\Program Files\wamp\mysql\bin\mysqld-nt.exe" "--defaults-file=C:\Program Files\wamp\mysql\my.ini" wampmysqld
S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S3 X-Rite;X-Rite USB Service;C:\WINDOWS\system32\DRIVERS\XrUsb.sys
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-28 22:22:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\wampmysqld]
"ImagePath"="\"C:\Program Files\wamp\mysql\bin\mysqld-nt.exe\" \"--defaults-file=C:\Program Files\wamp\mysql\my.ini\" wampmysqld"

Completion time: 2007-07-28 22:22:56

--- E O F ---

Many thanks in advance for your help... I'm tearing my hair out.

Blade81
2007-07-29, 20:57
Hi

Delete c:\windows\system32\SpoonUninstall.exe if you haven't already done that.


Start hjt, click do a system scan only, check:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

Close all browsers and other windows. Click fix checked.



Download ATF (Atribune Temp File) Cleaner© by Atribune (http://www.atribune.org/ccount/click.php?id=1) to your desktop.

Double-click ATF Cleaner.exe to open it

Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.

If you use Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

If you use Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.

Click Exit on the Main menu to close the program.



Please do an online scan with
Kaspersky
WebScanner (http://www.kaspersky.com/virusscanner)

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky.
Click Yes.
The program will launch and then begin downloading the latest definition files.
Once the files have been downloaded click on NEXT

Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available, otherwise Standard)

Scan Options:
Scan Archives
Scan Mail Bases

Click OK
Now under Select a target to scan: Select My Computer

The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post with a fresh hjt log.




Note for Internet Explorer 7 users: If at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

If you are having a problem doing the above:

Make sure that your Internet security settings are set to default values.

To set default security settings for Internet Explorer:

* Open Internet Explorer.
* Go to the Tools menu, then choose Internet Options.
* Click on the Security tab.
* Make sure that all four items (Internet, Local intranet, Trusted sites, and Restricted sites) are set to their default settings.
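
The helper above picked the entries to fix by reading the HijackThis log by eye. As an added example (not part of Blade81's post and not HijackThis's own code), the script below parses the `Rx`/`Ox` entry lines of such a log into records and marks the ones a defender would check first: entries whose target file is missing, a browser proxy (R1 ProxyServer), custom DNS servers (O17), autoruns given by bare filename, and services with no publisher. The rules are my own triage heuristics, and the sample log is a handful of lines copied from the HJT log posted earlier in this thread.

```python
"""Triage helper for HijackThis (HJT) scan logs.

Added example, not code from the thread or from HijackThis. It turns the
"Oxx - ..." entry lines into records and attaches review flags. The flag
rules are my own defender heuristics, not HijackThis's classification.
"""
import re
from dataclasses import dataclass, field

# "R1 - <body>", "O23 - <body>" and so on; everything else in the log is ignored.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
# O4 autorun entries look like "HKLM\..\Run: [Name] <command line>".
RUN_RE = re.compile(r"Run: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$")


@dataclass
class HjtEntry:
    code: str                                   # section code, e.g. R1, O4, O23
    body: str                                   # text after "Oxx - "
    flags: list[str] = field(default_factory=list)

    @property
    def needs_review(self) -> bool:
        return bool(self.flags)


def parse_hjt(text: str) -> list[HjtEntry]:
    """Extract the entry lines of an HJT log, in log order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(HjtEntry(m["code"], m["body"]))
    return entries


def _run_command_is_bare(body: str) -> bool:
    """True for an O4 entry whose command has no directory, e.g. 'stsystra.exe'.

    Such an entry is resolved by a path search at logon, so the log alone
    does not tell you which file actually runs.
    """
    m = RUN_RE.search(body)
    if not m:
        return False
    cmd = m["cmd"].strip().strip('"')
    if not cmd:
        return False
    return "\\" not in cmd.split()[0]


def triage(entries: list[HjtEntry]) -> list[HjtEntry]:
    """Attach review flags (my heuristics) and return only the flagged entries."""
    for e in entries:
        if "(file missing)" in e.body:
            e.flags.append("points at a file that is no longer on disk")
        if e.code == "R1" and "ProxyServer" in e.body:
            e.flags.append("browser proxy set; confirm you configured it")
        if e.code == "O17" and "NameServer" in e.body:
            e.flags.append("custom DNS servers; confirm they belong to your ISP")
        if e.code == "O4" and _run_command_is_bare(e.body):
            e.flags.append("autorun by bare filename; verify which file actually runs")
        if e.code == "O23" and "Unknown owner" in e.body:
            e.flags.append("service with no publisher")
    return [e for e in entries if e.needs_review]


# Constructed sample: lines copied from the HJT log posted earlier in the thread.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=82.2.236.201:12678
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O17 - HKLM\System\CCS\Services\Tcpip\..\{5376B9CB-F9F8-408F-B7F8-314AB50F497C}: NameServer = 195.74.113.58,195.74.113.62
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DirectX Service (DirectNubn) - Unknown owner - C:\WINDOWS\system32\directx.exe (file missing)
"""


def report(text: str) -> list[str]:
    """One line per flagged entry: '<code> | <body> | <reason; reason>'."""
    return [f"{e.code} | {e.body} | {'; '.join(e.flags)}"
            for e in triage(parse_hjt(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

On the sample, four of the seven entries come back flagged: the R1 proxy (on this machine it is plausibly Privoxy/Tor, which is exactly why the rule says "confirm you configured it" rather than "remove"), the `stsystra.exe` autorun by bare filename, the O17 name servers, and the `DirectNubn` service whose file is missing. The R0 `about:blank` entry the helper asked to fix is a judgement call that these rules deliberately do not encode; the script is a reading aid, not a replacement for the helper's review.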

johnreese
2007-07-31, 13:06
Many thanks for your prompt reply. I've followed the steps you outlined... man is my computer infected or what. Here's the online Kaspersky scan log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, July 31, 2007 10:48:05 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 31/07/2007
Kaspersky Anti-Virus database records: 369942
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
M:\
N:\
P:\

Scan Statistics:
Total number of scanned objects: 123512
Number of viruses found: 18
Number of infected objects: 90 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:04:48

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\InboxLOG.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\ActivityLog\OutboxLOG.txt Object is locked skipped
C:\Documents and Settings\All Users\Documents\ACT\ACT for Windows 8\Databases\ACT8Demo.ADF Object is locked skipped
C:\Documents and Settings\All Users\Documents\ACT\ACT for Windows 8\Databases\ACT8Demo.ALF Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\rqone31b.default\cert8.db Object is locked skipped
C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\rqone31b.default\history.dat Object is locked skipped
C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\rqone31b.default\key3.db Object is locked skipped
C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\rqone31b.default\parent.lock Object is locked skipped
C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\rqone31b.default\search.sqlite Object is locked skipped
C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\rqone31b.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\john\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Mozilla\Firefox\Profiles\rqone31b.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Mozilla\Firefox\Profiles\rqone31b.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Mozilla\Firefox\Profiles\rqone31b.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Mozilla\Firefox\Profiles\rqone31b.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\john\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\john\Local Settings\History\History.IE5\MSHist012007073120070801\index.dat Object is locked skipped
C:\Documents and Settings\john\Local Settings\Temp\~DFF59A.tmp Object is locked skipped
C:\Documents and Settings\john\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\john\My Documents\HTPC\Codec\NVIDIA.PureVideo.Decoder.1.02.145\NVIDIA.PureVideo.Decoder.v1.02.233.rar/NVIDIA.PureVideo.Decoder.v1.02.233/decode.exe Infected: not-a-virus:AdWare.Win32.180Solutions.as skipped
C:\Documents and Settings\john\My Documents\HTPC\Codec\NVIDIA.PureVideo.Decoder.1.02.145\NVIDIA.PureVideo.Decoder.v1.02.233.rar RAR: infected - 1 skipped

============>continued next post... too long to fit in one.

johnreese
2007-07-31, 13:09
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1169754928.H726935P11849.ksh005.hosting.com/[From Haines Simon <otikl@googlemail.com>][Date Thu, 25 Jan 2007 14:57:04 -0500]/UNNAMED/UNNAMED/[From Haines Simon <otikl@googlemail.com>][Date Thu, 25 Jan 2007 14:57:04 -0500]/Greeting Infected: Email-Worm.Win32.Zhelatin.d skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1169754928.H726935P11849.ksh005.hosting.com/[From Haines Simon <otikl@googlemail.com>][Date Thu, 25 Jan 2007 14:57:04 -0500]/UNNAMED/UNNAMED Infected: Email-Worm.Win32.Zhelatin.d skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1169754928.H726935P11849.ksh005.hosting.com/[From Haines Simon <otikl@googlemail.com>][Date Thu, 25 Jan 2007 14:57:04 -0500]/UNNAMED Infected: Email-Worm.Win32.Zhelatin.d skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1169754928.H726935P11849.ksh005.hosting.com Infected: Email-Worm.Win32.Zhelatin.d skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1173366331.H81529P18997.ksh005.hosting.com/[From "BB&T" <service_567807947647252ib@bbt.com>]/html Infected: Trojan-Spy.HTML.Bankfraud.ra skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1173366331.H81529P18997.ksh005.hosting.com/[From "BB&T" <service_567807947647252ib@bbt.com>]/barometer.gif Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1173366331.H81529P18997.ksh005.hosting.com Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1169756249.H854086P20201.ksh005.hosting.com/[From Hahn <lvyzl@googlemail.com>][Date Thu, 25 Jan 2007 13:26:25 -0700]/UNNAMED/flash Infected: Email-Worm.Win32.Zhelatin.d skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1169756249.H854086P20201.ksh005.hosting.com/[From Hahn <lvyzl@googlemail.com>][Date Thu, 25 Jan 2007 13:26:25 -0700]/UNNAMED Infected: Email-Worm.Win32.Zhelatin.d skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1169756249.H854086P20201.ksh005.hosting.com Infected: Email-Worm.Win32.Zhelatin.d skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170015767.H930637P32676.ksh005.hosting.com/[From pool-72-78-215-40.phlapa.fios.verizon.net [72.78.215.40]][Date Sun, 28 Jan 2007 21:22:39 +0100]/UNNAMED/[From Ramirez Robin <utwi@googlemail.com>][Date Sun, 28 Jan 2007 15:22:22 -0500]/flash Infected: Email-Worm.Win32.Zhelatin.h skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170015767.H930637P32676.ksh005.hosting.com/[From pool-72-78-215-40.phlapa.fios.verizon.net [72.78.215.40]][Date Sun, 28 Jan 2007 21:22:39 +0100]/UNNAMED Infected: Email-Worm.Win32.Zhelatin.h skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170015767.H930637P32676.ksh005.hosting.com Infected: Email-Worm.Win32.Zhelatin.h skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170232995.H91166P9257.ksh005.hosting.com/[From MAILER-DAEMON@mailgw2.ipc.ynu.ac.jp (Mail Delivery System)][Date Wed, 31 Jan 2007 17:42:44 +0900 (JST)]/Flash Infected: Email-Worm.Win32.Zhelatin.k skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170232995.H91166P9257.ksh005.hosting.com Infected: Email-Worm.Win32.Zhelatin.k skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170154577.H642439P30694.ksh005.hosting.com/[From Alice Duffy <uudjtm@googlemail.com>][Date Tue, 30 Jan 2007 12:55:27 +0200]/UNNAMED/Postcard.exe Infected: Email-Worm.Win32.Zhelatin.h skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170154577.H642439P30694.ksh005.hosting.com/[From Alice Duffy <uudjtm@googlemail.com>][Date Tue, 30 Jan 2007 12:55:27 +0200]/UNNAMED Infected: Email-Worm.Win32.Zhelatin.h skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170154577.H642439P30694.ksh005.hosting.com Infected: Email-Worm.Win32.Zhelatin.h skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1169811721.H37007P14975.ksh005.hosting.com/[From MAILER-DAEMON@womantalk.ru (Mail Delivery System)][Date Fri, 26 Jan 2007 14:42:12 +0300 (MSK)]/Read Infected: Email-Worm.Win32.Zhelatin.a skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1169811721.H37007P14975.ksh005.hosting.com Infected: Email-Worm.Win32.Zhelatin.a skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1175859719.H807327P8120.ksh005.hosting.com/[From "Branch Banking and Trust" <referencenumber7402840643ib@bbt.com>]/html Infected: Trojan-Spy.HTML.Bankfraud.rw skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1175859719.H807327P8120.ksh005.hosting.com Infected: Trojan-Spy.HTML.Bankfraud.rw skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170134083.H261042P27821.ksh005.hosting.com/[From check-in <uzleu@googlemail.com>][Date Tue, 30 Jan 2007 14:14:17 +0900]/UNNAMED/Postcard.exe Infected: Email-Worm.Win32.Zhelatin.h skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170134083.H261042P27821.ksh005.hosting.com/[From check-in <uzleu@googlemail.com>][Date Tue, 30 Jan 2007 14:14:17 +0900]/UNNAMED Infected: Email-Worm.Win32.Zhelatin.h skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170134083.H261042P27821.ksh005.hosting.com Infected: Email-Worm.Win32.Zhelatin.h skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1175859706.H647606P8074.ksh005.hosting.com/[From "Branch Banking and Trust" <referencenumber7402840643ib@bbt.com>]/html Infected: Trojan-Spy.HTML.Bankfraud.rw skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1175859706.H647606P8074.ksh005.hosting.com Infected: Trojan-Spy.HTML.Bankfraud.rw skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1175924750.H787527P6401.ksh005.hosting.com/[From "Branch Banking and Trust" <support_829946062197876ib@bbt.com>]/html Infected: Trojan-Spy.HTML.Bankfraud.rw skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1175924750.H787527P6401.ksh005.hosting.com/[From "Branch Banking and Trust" <support_829946062197876ib@bbt.com>]/content.gif Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1175924750.H787527P6401.ksh005.hosting.com Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1169871482.H99401P4299.ksh005.hosting.com/[From Jessie <qxxoe@googlemail.com>][Date Sat, 20 Jan 2007 00:25:07 -0300]/UNNAMED/Full Infected: Email-Worm.Win32.Zhelatin.a skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1169871482.H99401P4299.ksh005.hosting.com/[From Jessie <qxxoe@googlemail.com>][Date Sat, 20 Jan 2007 00:25:07 -0300]/UNNAMED Infected: Email-Worm.Win32.Zhelatin.a skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1169871482.H99401P4299.ksh005.hosting.com Infected: Email-Worm.Win32.Zhelatin.a skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170024359.H687927P30034.ksh005.hosting.com/[From Vivien <ombv@googlemail.com>][Date Sun, 28 Jan 2007 14:45:51 -0800]/UNNAMED/Greeting Infected: Email-Worm.Win32.Zhelatin.h skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170024359.H687927P30034.ksh005.hosting.com/[From Vivien <ombv@googlemail.com>][Date Sun, 28 Jan 2007 14:45:51 -0800]/UNNAMED Infected: Email-Worm.Win32.Zhelatin.h skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170024359.H687927P30034.ksh005.hosting.com Infected: Email-Worm.Win32.Zhelatin.h skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1173725551.H798451P833.ksh005.hosting.com/[From "BB&T" <operator-id133493581698ib@bbt.com>]/html Infected: Trojan-Spy.HTML.Bankfraud.rw skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1173725551.H798451P833.ksh005.hosting.com/[From "BB&T" <operator-id133493581698ib@bbt.com>]/angola.gif Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1173725551.H798451P833.ksh005.hosting.com Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170237499.H475537P30304.ksh005.hosting.com/[From Madison <neppba@googlemail.com>][Date Wed, 31 Jan 2007 15:26:13 +0530]/UNNAMED/postcard.exe Infected: Email-Worm.Win32.Zhelatin.k skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170237499.H475537P30304.ksh005.hosting.com/[From Madison <neppba@googlemail.com>][Date Wed, 31 Jan 2007 15:26:13 +0530]/UNNAMED Infected: Email-Worm.Win32.Zhelatin.k skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170237499.H475537P30304.ksh005.hosting.com Infected: Email-Worm.Win32.Zhelatin.k skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170589538.H307670P32499.ksh005.hosting.com/[From Gertrude <ebxs@googlemail.com>][Date Sun, 4 Feb 2007 13:45:11 +0200]/UNNAMED/Greeting Infected: Email-Worm.Win32.Zhelatin.o skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170589538.H307670P32499.ksh005.hosting.com/[From Gertrude <ebxs@googlemail.com>][Date Sun, 4 Feb 2007 13:45:11 +0200]/UNNAMED Infected: Email-Worm.Win32.Zhelatin.o skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170589538.H307670P32499.ksh005.hosting.com Infected: Email-Worm.Win32.Zhelatin.o skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170153489.H274603P22178.ksh005.hosting.com/[From Robert Amos <guhsq@googlemail.com>][Date Tue, 30 Jan 2007 19:44:27 +0900]/UNNAMED/Postcard.exe Infected: Email-Worm.Win32.Zhelatin.h skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170153489.H274603P22178.ksh005.hosting.com/[From Robert Amos <guhsq@googlemail.com>][Date Tue, 30 Jan 2007 19:44:27 +0900]/UNNAMED Infected: Email-Worm.Win32.Zhelatin.h skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170153489.H274603P22178.ksh005.hosting.com Infected: Email-Worm.Win32.Zhelatin.h skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170129836.H12054P16411.ksh005.hosting.com/[From c-68-48-242-196.hsd1.va.comcast.net [68.48.242.196]][Date Mon, 29 Jan 2007 20:03:23 -0800]/UNNAMED/[From "Penelope M. Lambert" <gknsin@googlemail.com>][Date Mon, 29 Jan 2007 23:03:35 -0500]/Postcard.exe Infected: Email-Worm.Win32.Zhelatin.h skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170129836.H12054P16411.ksh005.hosting.com/[From c-68-48-242-196.hsd1.va.comcast.net [68.48.242.196]][Date Mon, 29 Jan 2007 20:03:23 -0800]/UNNAMED Infected: Email-Worm.Win32.Zhelatin.h skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170129836.H12054P16411.ksh005.hosting.com Infected: Email-Worm.Win32.Zhelatin.h skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1169943894.H159538P28340.ksh005.hosting.com/[From MAILER-DAEMON@postino7.prima.com.ar][Date 28 Jan 2007 00:25:23 -0000]/UNNAMED/[From Nathaniel Orr <uaqiu@googlemail.com>][Date Fri, 26 Jan 2007 19:24:13 -0500]/greeting Infected: Email-Worm.Win32.Banwarum.l skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1169943894.H159538P28340.ksh005.hosting.com/[From MAILER-DAEMON@postino7.prima.com.ar][Date 28 Jan 2007 00:25:23 -0000]/UNNAMED Infected: Email-Worm.Win32.Banwarum.l skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1169943894.H159538P28340.ksh005.hosting.com Infected: Email-Worm.Win32.Banwarum.l skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1169756151.H381078P18753.ksh005.hosting.com/[From Hahn <lvyzl@googlemail.com>][Date Thu, 25 Jan 2007 16:15:41 -0400]/UNNAMED/flash Infected: Email-Worm.Win32.Zhelatin.d skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1169756151.H381078P18753.ksh005.hosting.com/[From Hahn <lvyzl@googlemail.com>][Date Thu, 25 Jan 2007 16:15:41 -0400]/UNNAMED Infected: Email-Worm.Win32.Zhelatin.d skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1169756151.H381078P18753.ksh005.hosting.com Infected: Email-Worm.Win32.Zhelatin.d skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1171399499.H484589P12956.ksh005.hosting.com/[From Nance Nieves <gin@googlemail.com>][Date Tue, 13 Feb 2007 14:45:34 -0800]/UNNAMED/Postcard.exe Infected: Email-Worm.Win32.Zhelatin.ab skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1171399499.H484589P12956.ksh005.hosting.com/[From Nance Nieves <gin@googlemail.com>][Date Tue, 13 Feb 2007 14:45:34 -0800]/UNNAMED Infected: Email-Worm.Win32.Zhelatin.ab skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1171399499.H484589P12956.ksh005.hosting.com Infected: Email-Worm.Win32.Zhelatin.ab skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1173554666.H363542P12831.ksh005.hosting.com/[From "Branch Banking and Trust" <reference-159084561459976ib@bbt.com>]/html Infected: Trojan-Spy.HTML.Bankfraud.rw skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1173554666.H363542P12831.ksh005.hosting.com/[From "Branch Banking and Trust" <reference-159084561459976ib@bbt.com>]/cacophonist.gif Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1173554666.H363542P12831.ksh005.hosting.com Infected: Trojan-Spy.HTML.Bankfraud.ri skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1171414421.H811773P28702.ksh005.hosting.com/[From mforward.dtag.de [194.25.242.123]][Date Wed, 14 Feb 2007 01:21:10 +0100]/UNNAMED/[From Tuttle <fhpucv@googlemail.com>][Date Tue, 13 Feb 2007 18:51:21 -0600]/postcard.exe Infected: Email-Worm.Win32.Zhelatin.ab skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1171414421.H811773P28702.ksh005.hosting.com/[From mforward.dtag.de [194.25.242.123]][Date Wed, 14 Feb 2007 01:21:10 +0100]/UNNAMED Infected: Email-Worm.Win32.Zhelatin.ab skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1171414421.H811773P28702.ksh005.hosting.com Infected: Email-Worm.Win32.Zhelatin.ab skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170699762.H8126P27559.ksh005.hosting.com/[From [220.122.132.47]][Date Tue, 6 Feb 2007 03:22:32 +0900]/UNNAMED/[From GMAT <tke@googlemail.com>][Date Tue, 6 Feb 2007 03:22:34 +0900]/postcard.exe Infected: Trojan-Downloader.Win32.Tibs.kj skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170699762.H8126P27559.ksh005.hosting.com/[From [220.122.132.47]][Date Tue, 6 Feb 2007 03:22:32 +0900]/UNNAMED Infected: Trojan-Downloader.Win32.Tibs.kj skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170699762.H8126P27559.ksh005.hosting.com Infected: Trojan-Downloader.Win32.Tibs.kj skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170017782.H646253P5901.ksh005.hosting.com/[From Shields P. Archie <sbl@googlemail.com>][Date Sun, 28 Jan 2007 15:56:07 -0500]/UNNAMED/Greeting Infected: Email-Worm.Win32.Zhelatin.h skipped

============>continued next post... too long to fit in one.

johnreese
2007-07-31, 13:10
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170017782.H646253P5901.ksh005.hosting.com/[From Shields P. Archie <sbl@googlemail.com>][Date Sun, 28 Jan 2007 15:56:07 -0500]/UNNAMED Infected: Email-Worm.Win32.Zhelatin.h skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/new/1170017782.H646253P5901.ksh005.hosting.com Infected: Email-Worm.Win32.Zhelatin.h skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/cur/1169575908.H877827P24086.ksh005.hosting.com:2,/[From ray01.scl.genome.ad.jp [133.103.96.22]][Date Wed, 24 Jan 2007 03:11:10 +0900 (JST)]/UNNAMED/[From "Julian I. Hurley" <ddnxnb@googlemail.com>][Date Mon, 22 Jan 2007 17:57:18 -0500]/Greeting Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/cur/1169575908.H877827P24086.ksh005.hosting.com:2,/[From ray01.scl.genome.ad.jp [133.103.96.22]][Date Wed, 24 Jan 2007 03:11:10 +0900 (JST)]/UNNAMED Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/cur/1169575908.H877827P24086.ksh005.hosting.com:2, Infected: Trojan-Proxy.Win32.Lager.dp skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/cur/1169652163.H802474P13116.ksh005.hosting.com:2,/[From Schmidt Valentine <xqo@googlemail.com>][Date Wed, 24 Jan 2007 13:25:46 -0300]/UNNAMED/Greeting Infected: Trojan-Downloader.Win32.Small.ciw skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/cur/1169652163.H802474P13116.ksh005.hosting.com:2,/[From Schmidt Valentine <xqo@googlemail.com>][Date Wed, 24 Jan 2007 13:25:46 -0300]/UNNAMED Infected: Trojan-Downloader.Win32.Small.ciw skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/cur/1169652163.H802474P13116.ksh005.hosting.com:2, Infected: Trojan-Downloader.Win32.Small.ciw skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/cur/1169665773.H502293P12870.ksh005.hosting.com:2,/[From MAILER-DAEMON@arrino.hst.terra.com.br (Mail Delivery System)][Date Wed, 24 Jan 2007 17:09:25 -0200 (BRST)]/Greeting Infected: Email-Worm.Win32.Poca.b skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed/./mail/cur/1169665773.H502293P12870.ksh005.hosting.com:2, Infected: Email-Worm.Win32.Poca.b skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz/packed Infected: Email-Worm.Win32.Poca.b skipped
C:\Documents and Settings\john\My Documents\Backup\backup-domain.com-7-29-2007.tar.gz GZIP: infected - 81 skipped
C:\Documents and Settings\john\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\john\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2007-07-31.03-57-32.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsys.dll Object is locked skipped
C:\Program Files\eMule\Incoming\Programme1.2.3.7.Incl.patch\Programme1.exe Infected: Trojan.Win32.Agent.acw skipped
C:\Program Files\eMule\Incoming\Programme1.2.3.7.Incl.patch.zip/Programme1.exe Infected: Trojan.Win32.Agent.acw skipped
C:\Program Files\eMule\Incoming\Programme1.2.3.7.Incl.patch.zip ZIP: infected - 1 skipped
C:\Program Files\eMule\Incoming\programme2 2.1.1 crack(1).zip/programme2 2.1.1 crack.exe Infected: Trojan-Downloader.Win32.Bagle.ak skipped
C:\Program Files\eMule\Incoming\programme2 2.1.1 crack(1).zip ZIP: infected - 1 skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$PROVIDUSSTD\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$PROVIDUSSTD\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$PROVIDUSSTD\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$PROVIDUSSTD\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$PROVIDUSSTD\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$PROVIDUSSTD\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$PROVIDUSSTD\LOG\ERRORLOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\inf\explorer.exe Infected: Backdoor.Win32.Rukap.gen skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{F9012F78-3EE0-456D-9EE4-F5A1CEB68F50}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\SnopFree.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_174.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_d8.dat Object is locked skipped
C:\WINDOWS\Temp\T30DebugLogFile.txt Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:00:58, on 31/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$PROVIDUSSTD\Binn\sqlservr.exe
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\stsystra.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TorCP\torcp.exe
C:\Program Files\Tor\tor.exe
C:\Program Files\Privoxy\privoxy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://freemail.asiamail.com/scripts/common/index.main?signin=1&lang=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=82.2.236.201:12678
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DNP] C:\Program Files\Desktop Notepad\Desktop Notepad.exe
O4 - HKLM\..\Run: [ACT_APL] "C:\Program Files\ACT\ACT for Windows\ACT_APL.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TorCP] C:\Program Files\TorCP\torcp.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O4 - Global Startup: Logo Calibration Loader.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe
O4 - Global Startup: ProfileReminder.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center 11\DMDownload.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5376B9CB-F9F8-408F-B7F8-314AB50F497C}: NameServer = 195.74.113.58,195.74.113.62
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DirectX Service (DirectNubn) - Unknown owner - C:\WINDOWS\system32\directx.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

--
End of file - 9564 bytes


My initial hunch was to delete the infected files, but thought that it's best to await further instructions from you before doing so. Many thanks in advance again.

Blade81
2007-07-31, 17:28
Hi

Yes, delete those and post back when you're ready :)

johnreese
2007-07-31, 20:22
Hi Blade81

Just wondering... can I delete C:\WINDOWS\inf\explorer.exe which is infected?

Thanks.

Blade81
2007-07-31, 21:33
Yeah. Actually it looks like that whole C:\WINDOWS\inf folder might be worth deleting. Are there any other files in that folder?

johnreese
2007-07-31, 23:41
Hi again

I ran the Kaspersky scan again before your last post... took 2 hours so at that point I didn't manage to delete the infected explorer.exe file. Here's the log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, July 31, 2007 9:11:57 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 31/07/2007
Kaspersky Anti-Virus database records: 370193
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\
L:\
M:\
N:\
P:\

Scan Statistics:
Total number of scanned objects: 125077
Number of viruses found: 1
Number of infected objects: 1 / 0
Number of suspicious objects: 0
Duration of the scan process: 02:07:08

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Documents\ACT\ACT for Windows\Email\ActEmailMessageStore.mdf Object is locked skipped
C:\Documents and Settings\All Users\Documents\ACT\ACT for Windows\Email\ActEmailMessageStoreLog.LDF Object is locked skipped
C:\Documents and Settings\All Users\Documents\ACT\ACT for Windows 8\Databases\ACT8Demo.ADF Object is locked skipped
C:\Documents and Settings\All Users\Documents\ACT\ACT for Windows 8\Databases\ACT8Demo.ALF Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\john\Application Data\Adobe\Acrobat\7.0\Server.err Object is locked skipped
C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\rqone31b.default\cert8.db Object is locked skipped
C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\rqone31b.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\rqone31b.default\history.dat Object is locked skipped
C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\rqone31b.default\key3.db Object is locked skipped
C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\rqone31b.default\parent.lock Object is locked skipped
C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\rqone31b.default\search.sqlite Object is locked skipped
C:\Documents and Settings\john\Application Data\Mozilla\Firefox\Profiles\rqone31b.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\john\Application Data\Skype\john\call256.dbb Object is locked skipped
C:\Documents and Settings\john\Application Data\Skype\john\callmember256.dbb Object is locked skipped
C:\Documents and Settings\john\Application Data\Skype\john\chat256.dbb Object is locked skipped
C:\Documents and Settings\john\Application Data\Skype\john\chat512.dbb Object is locked skipped
C:\Documents and Settings\john\Application Data\Skype\john\chatmsg1024.dbb Object is locked skipped
C:\Documents and Settings\john\Application Data\Skype\john\chatmsg16384.dbb Object is locked skipped
C:\Documents and Settings\john\Application Data\Skype\john\chatmsg2048.dbb Object is locked skipped
C:\Documents and Settings\john\Application Data\Skype\john\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\john\Application Data\Skype\john\chatmsg4096.dbb Object is locked skipped
C:\Documents and Settings\john\Application Data\Skype\john\chatmsg512.dbb Object is locked skipped
C:\Documents and Settings\john\Application Data\Skype\john\chatmsg8192.dbb Object is locked skipped
C:\Documents and Settings\john\Application Data\Skype\john\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\john\Application Data\Skype\john\index2.dat Object is locked skipped
C:\Documents and Settings\john\Application Data\Skype\john\profile256.dbb Object is locked skipped
C:\Documents and Settings\john\Application Data\Skype\john\transfer256.dbb Object is locked skipped
C:\Documents and Settings\john\Application Data\Skype\john\transfer512.dbb Object is locked skipped
C:\Documents and Settings\john\Application Data\Skype\john\user1024.dbb Object is locked skipped
C:\Documents and Settings\john\Application Data\Skype\john\user16384.dbb Object is locked skipped
C:\Documents and Settings\john\Application Data\Skype\john\user256.dbb Object is locked skipped
C:\Documents and Settings\john\Application Data\Skype\john\user4096.dbb Object is locked skipped
C:\Documents and Settings\john\Application Data\Skype\john\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\john\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Mozilla\Firefox\Profiles\rqone31b.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Mozilla\Firefox\Profiles\rqone31b.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Mozilla\Firefox\Profiles\rqone31b.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\john\Local Settings\Application Data\Mozilla\Firefox\Profiles\rqone31b.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\john\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\john\Local Settings\History\History.IE5\MSHist012007073120070801\index.dat Object is locked skipped
C:\Documents and Settings\john\Local Settings\Temp\Acr9DFE.tmp Object is locked skipped
C:\Documents and Settings\john\Local Settings\Temp\Adobelm_Cleanup.0001.dir.0000\~efe2.tmp Object is locked skipped
C:\Documents and Settings\john\Local Settings\Temp\Adobelm_Cleanup.0001.dir.0001\~efe2.tmp Object is locked skipped
C:\Documents and Settings\john\Local Settings\Temp\~DF193C.tmp Object is locked skipped
C:\Documents and Settings\john\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\john\My Documents\ACT\ACT for Windows 8\Databases\hdtvtest.ADF Object is locked skipped
C:\Documents and Settings\john\My Documents\ACT\ACT for Windows 8\Databases\hdtvtest.ALF Object is locked skipped
C:\Documents and Settings\john\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\john\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\logs\starwind.2007-07-31.14-52-21.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsys.dll Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$PROVIDUSSTD\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$PROVIDUSSTD\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$PROVIDUSSTD\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$PROVIDUSSTD\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$PROVIDUSSTD\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$PROVIDUSSTD\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL$PROVIDUSSTD\LOG\ERRORLOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\inf\explorer.exe Infected: Backdoor.Win32.Rukap.gen skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\SnopFree.sys Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_218.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_304.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

=============>continued next post, too long to fit in one.

johnreese
2007-07-31, 23:46
New HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:34:09, on 31/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\WINDOWS\SnoopFreeUI.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Desktop Notepad\Desktop Notepad.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\TorCP\torcp.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Microsoft SQL Server\MSSQL$ACT7\Binn\sqlservr.exe
C:\Program Files\Microsoft SQL Server\MSSQL$PROVIDUSSTD\Binn\sqlservr.exe
C:\Program Files\Tor\tor.exe
C:\Program Files\Privoxy\privoxy.exe
C:\WINDOWS\System32\SnoopFreeSvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 7.0\Acrobat\Acrobat.exe
C:\DOCUME~1\john\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
C:\DOCUME~1\john\LOCALS~1\Temp\Adobelm_Cleanup.0001
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Macromedia\Dreamweaver 8\Dreamweaver.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://freemail.asiamail.com/scripts/common/index.main?signin=1&lang=us
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.co.uk/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=82.2.236.201:12678
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Act.UI.InternetExplorer.Plugins.AttachFile.CAttachFile - {D5233FCD-D258-4903-89B8-FB1568E7413D} - mscoree.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
O4 - HKLM\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKLM\..\Run: [SnoopFreeUI] SnoopFreeUI.exe
O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DNP] C:\Program Files\Desktop Notepad\Desktop Notepad.exe
O4 - HKLM\..\Run: [ACT_APL] "C:\Program Files\ACT\ACT for Windows\ACT_APL.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TorCP] C:\Program Files\TorCP\torcp.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: Privoxy.lnk = C:\Program Files\Privoxy\privoxy.exe
O4 - Global Startup: Logo Calibration Loader.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\CalibrationLoader\CalibrationLoader.exe
O4 - Global Startup: ProfileReminder.lnk = C:\Program Files\GretagMacbeth\i1\Eye-One Match 3\ProfileReminder.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\J River\Media Center 11\DMDownload.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Attach Web page to ACT! contact - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra 'Tools' menuitem: Attach Web page to ACT! contact... - {6F431AC3-364A-478b-BBDB-89C7CE1B18F6} - mscoree.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3451DEDE-631F-421C-8127-FD793AFC6CC8} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {44990200-3C9D-426D-81DF-AAB636FA4345} (Symantec SmartIssue) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsi.cab
O16 - DPF: {44990301-3C9D-426D-81DF-AAB636FA4345} (Symantec Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{5376B9CB-F9F8-408F-B7F8-314AB50F497C}: NameServer = 195.74.113.58,195.74.113.62
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DirectX Service (DirectNubn) - Unknown owner - C:\WINDOWS\system32\directx.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

--
End of file - 9864 bytes


Should I go ahead and delete the whole INF folder? A bit worried coz there are so many files in there, for example:

http://img505.imageshack.us/img505/6480/windowsinfvq5.gif

Many thanks again in advance.
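
The HijackThis log above is what the helper is reading by eye. As an added example (not code from the thread, from HijackThis or from Safer Networking), the script below runs the usual review questions over lines in that format: does an R1 ProxyServer point outside loopback/private space, is an O23 service registered with no publisher or a missing binary, does an O4 Run entry launch from a temp directory, and which O17 DNS servers are configured. The sample lines are constructed in the log's format (the `[example_entry]` Run line is a placeholder, not from the thread); every hit is a "review" or "info" item for a human, not a verdict.

```python
"""Triage HijackThis-style log lines: flag entries an analyst should verify.

Added example, not part of the thread or of HijackThis. Findings are prompts
for review; they are not malware verdicts.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample in HijackThis log format (raw string keeps the backslashes).
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = socks=82.2.236.201:12678
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [example_entry] C:\DOCUME~1\john\LOCALS~1\Temp\example.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{5376B9CB-F9F8-408F-B7F8-314AB50F497C}: NameServer = 195.74.113.58,195.74.113.62
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: DirectX Service (DirectNubn) - Unknown owner - C:\WINDOWS\system32\directx.exe (file missing)
"""


@dataclass(frozen=True)
class Finding:
    severity: str  # "review" (needs a human decision) or "info" (context only)
    section: str   # HijackThis section id, e.g. "O23"
    reason: str
    line: str


LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
PROXY_RE = re.compile(r"ProxyServer = (?P<value>.+)$")
RUN_RE = re.compile(r"Run: \[(?P<key>[^\]]*)\] (?P<cmd>.+)$")
NAMESERVER_RE = re.compile(r"NameServer = (?P<servers>[0-9.,]+)")
SERVICE_RE = re.compile(r"Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)


def _is_local(host: str) -> bool:
    """Loopback/private IPs and bare (dotless) LAN hostnames count as local."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "." not in host
    return ip.is_loopback or ip.is_private


def check_proxy(body: str) -> list[str]:
    """R1 ProxyServer: flag proxies outside loopback/private address space."""
    m = PROXY_RE.search(body)
    if not m:
        return []
    reasons = []
    # Value is either "host:port" or ";"-separated "scheme=host:port" pairs.
    for part in m.group("value").split(";"):
        scheme, _, target = part.strip().rpartition("=")
        host = target.rsplit(":", 1)[0]
        if not _is_local(host):
            label = scheme or "all-protocol"
            reasons.append(f"{label} proxy {host} is outside loopback/private ranges")
    return reasons


def check_run(body: str) -> list[str]:
    """O4 autostart entries: flag programs launched from a temp directory."""
    m = RUN_RE.search(body)
    if m and TEMP_DIR_RE.search(m.group("cmd")):
        return [f"autostart '{m.group('key')}' launches from a temp directory"]
    return []


def check_nameserver(body: str) -> list[str]:
    """O17: list the configured DNS servers so they can be checked against the ISP's."""
    m = NAMESERVER_RE.search(body)
    if not m:
        return []
    servers = [s for s in m.group("servers").split(",") if s]
    return [f"DNS servers {', '.join(servers)}: confirm they belong to the ISP"]


def check_service(body: str) -> list[str]:
    """O23 services: flag a missing publisher or a missing binary."""
    m = SERVICE_RE.search(body)
    if not m:
        return []
    reasons = []
    if m.group("owner") == "Unknown owner":
        reasons.append("service binary carries no publisher information")
    if m.group("path").endswith("(file missing)"):
        reasons.append("service is registered but its binary is missing")
    return reasons


CHECKS = {
    "R1": ("review", check_proxy),
    "O4": ("review", check_run),
    "O17": ("info", check_nameserver),
    "O23": ("review", check_service),
}


def triage(log_text: str) -> list[Finding]:
    """Run the per-section checks over every line; other sections are ignored."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m or m.group("section") not in CHECKS:
            continue
        severity, check = CHECKS[m.group("section")]
        for reason in check(m.group("body")):
            findings.append(Finding(severity, m.group("section"), reason, line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
```

Run as-is it reports the socks proxy, the temp-directory Run entry, the DNS servers and both problems with the unknown-owner service; a Comodo service with a publisher and an existing binary produces nothing. Whether a flagged proxy is legitimate (a local Tor/Privoxy chain, for instance) is still a question for the machine's owner, which is why the output is framed as review items.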

Blade81
2007-08-01, 13:30
Hi

Great thing you posted that screenshot. :) After seeing it, it's confirmed that you need only delete that explorer.exe which Kaspersky found. Post me back if and when you've successfully deleted the file. I'll then give you some instructions to keep clean in future :)

johnreese
2007-08-01, 20:23
Hi Blade81

I've gone ahead and deleted explore.exe, did a Kaspersky scan and everything seems fine. Thanks a lot for all your help, much appreciated. Would be grateful for some prevention tips too.

Blade81
2007-08-01, 20:57
Well congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.


THESE STEPS ARE VERY IMPORTANT

Let's reset system restore
Reset and Re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: You will lose all previous restore points which are likely to be infected. Please note you need Administrator Access to clean the restore points.

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis


Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...

Updating Java:

Download the latest version of Java Runtime Environment (JRE) 6u2 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says
The J2SE Runtime Environment (JRE) allows end-users to run Java applications.

Click the Download button to the right.
Check the box that says:
Accept License Agreement.

The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u2-windows-i586-p.exe to install the newest version.



UPDATING WINDOWS AND INTERNET EXPLORER

IMPORTANT: You Need to Update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the windows update site (http://windowsupdate.microsoft.com/) to get the critical updates.

If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site (free) and make sure you have at least all the critical updates installed.


Make your Internet Explorer more secure

This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
Change the allow paste operations via script to Disable
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.



The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.

Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Download Adaware
Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=48)
The program is available for download here (http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10319876.html?tag=lst-0-1)
Download SpywareBlaster
Spyware blaster is a program that stops known malicious activex controls from installing on your computer. It works by changing settings in your registry. It makes kill bits in the registry, so that certain activex controls can't install.
If you don't know what activex controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster here (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
SpywareBlaster tutorial (http://www.bleepingcomputer.com/forums/tutorial49.html)

Download iespyad
It puts many bad webpages on your restricted zones list. This means that you can still view the bad webpages, but the webpages cannot do certain things (such as use javascripts and cookies).
If you need help understanding how it works, there is a tutorial here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
Download it here (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe)

hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button (at the lower left hand corner of your screen).
Click Run.
In the dialog box, type services.msc and hit Enter, then locate DNS Client.
Highlight it, then double-click it.
On the dropdown box, change the setting from Automatic to Manual.
Click OK.




Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run Spybot and Adaware regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.



Once again, please post and tell me how things are going with your system... problems etc.

Have a great day,
Blade :cool:
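
A blocking hosts file of the kind recommended above works only because every entry maps a name to a blackhole address (0.0.0.0 or 127.0.0.1); an entry that maps a name anywhere else is a redirection, which is exactly the trick a hijacked hosts file uses. As an added example (not code from the thread or from the MVPS project), the parser below reads a file in that layout, counts the names it blackholes, and flags redirections, duplicates and malformed entries before the file is installed. The sample file and its example.* names are constructed placeholders, not lines from the real MVPS file.

```python
"""Audit a blocking hosts file (MVPS-style layout) before installing it.

Added example, not from the thread or from the MVPS project.
"""
import ipaddress

# Addresses that discard traffic; anything else in a blocking file is a redirect.
BLACKHOLE = {"0.0.0.0", "127.0.0.1", "::1"}

# Constructed sample: comments, the localhost lines every hosts file carries,
# blackholed names, one redirect, one duplicate and one malformed name.
SAMPLE_HOSTS = """\
# Constructed blocking hosts file (placeholder names)
127.0.0.1  localhost
::1        localhost
0.0.0.0  ads.example.net                       # blackholed name
0.0.0.0  tracker.example.org  Tracker.Example.org
192.0.2.10  update.example-av.test            # redirect, not a blackhole
0.0.0.0  ads.example.net                       # duplicate
0.0.0.0  bad_name!.example                     # malformed hostname
"""


def parse_hosts(text):
    """Yield (lineno, address, hostname) for every mapping; skip comments and blanks."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        for name in fields[1:]:
            yield lineno, fields[0], name.lower()


def _valid_hostname(name):
    """Letters, digits and hyphens in every label; no empty labels."""
    return all(label and label.replace("-", "").isalnum() for label in name.split("."))


def audit(text, local_names=("localhost",)):
    """Return (blocked_count, findings); findings are (lineno, name, problem) tuples."""
    findings = []
    seen = set()
    blocked = 0
    for lineno, addr, name in parse_hosts(text):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            findings.append((lineno, name, f"'{addr}' is not an IP address"))
            continue
        if not _valid_hostname(name):
            findings.append((lineno, name, "not a valid hostname"))
            continue
        if name in local_names:
            continue  # the standard localhost lines are expected
        if addr not in BLACKHOLE:
            findings.append((lineno, name, f"maps to {addr}, not a blackhole address: redirect"))
        elif name in seen:
            findings.append((lineno, name, "duplicate entry"))
        else:
            seen.add(name)
            blocked += 1
    return blocked, findings


if __name__ == "__main__":
    count, problems = audit(SAMPLE_HOSTS)
    print(f"{count} names blackholed")
    for lineno, name, problem in problems:
        print(f"line {lineno}: {name}: {problem}")
```

Run on the sample it reports two blackholed names and four problems; run on a freshly downloaded file it should report a large count and no redirects. The line count is also a useful reminder of why the post suggests setting the DNS Client service to Manual: a file with tens of thousands of entries is what slows lookups on some machines.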

johnreese
2007-08-04, 05:57
Thanks for the advice Blade81, and for all your help again. Have a good weekend. :)

Blade81
2007-08-04, 11:54
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.