Need Malware Help Please



C-Dunham
2007-08-08, 21:17
I am having some trouble getting rid of a few different malware files.

Here is my HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:49:38 PM, on 8/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\cdunham\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lakeviewspartans.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.bc-lakeview.k12.mi.us:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;*.bc-lakeview.k12.mi.us;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,winwork.exe
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\klokpbsx.dll",forkonce
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_09\bin\npjpi142_09.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_09\bin\npjpi142_09.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.mistreamnet.com
O15 - Trusted Zone: http://www.mistreamnet.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186539998140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186539988406
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bc-lakeview.k12.mi.us
O17 - HKLM\Software\..\Telephony: DomainName = bc-lakeview.k12.mi.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bc-lakeview.k12.mi.us
O20 - AppInit_DLLs: c:\windows\system32\vtsqqqq.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - C:\Program Files\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - Unknown owner - C:\Program Files\Symantec AntiVirus\SavRoam.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\rtemegod.html

--
End of file - 5021 bytes


The online internet scan will not allow me to scan; it says the FTP server is invalid when it tries to update the signatures.

If there is something I missed in the "please read" post, please let me know so I can get you that information. Thank you in advance.

katana
2007-08-09, 21:07
Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please note that I am training, this means that any reply I give to you has to be checked first by an expert.
I apologize for any delay this might cause.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D

I am looking at your log and will get back to you ASAP :)

katana
2007-08-09, 23:56
Hi C-Dunham,

A couple of questions for you,
Your log looks quite short. Have you disabled anything or done any other fixes?
Your antivirus does not appear to be running. Have you intentionally disabled it?

C:\Program Files\Messenger\rtemegod.html -- Did you set this as a desktop component?

Do you use the World of Warcraft (http://www.worldofwarcraft.com) site at all?

Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system.

Please follow these steps to remove older version Java components and update.

Updating Java:
Download the latest version of Java Runtime Environment (JRE) 6u2
http://java.sun.com/javase/downloads/index.jsp
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement".
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
Check for any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove or Change/Remove button.
Repeat as many times as necessary to remove each Java version.

Reboot your computer once all Java components are removed.
Then from your desktop double-click on the download to install the newest version.


VundoFix
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.


Move HJT

Your copy of HijackThis needs to be in a folder of its own. When HJT fixes anything, it makes backups of the original files in the folder it is in. For this reason it cannot be run from a Zip file or from Temporary folders, because the backups will be deleted. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

1. On your desktop, right-click and select 'New > Folder' then name the folder 'HJT'.

2. Drag and Drop HijackThis.exe to the new folder.

Installed Programs
Please could you give me a list of the programs that are installed. This will help me create a fix for you.
Start HijackThis
Click on the Config button
Click on the Misc Tools button
Click on the Open Uninstall Manager button.

You will see a list with the programs installed in your computer.
Click on save list button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad into your next post.


Rename HJT
Please open your Hijack This folder
Right click on Hijackthis.exe
Select Rename
Rename Hijack This to showme.exe
Double click showme
Click on the Do a system scan and save a log file button.


Logs/Information to Post in Reply
Please post the following logs/Information in your reply

the answers to my couple of questions
VundoFix log
Installed Programs list
A fresh HJT (showme) log

C-Dunham
2007-08-11, 05:52
Thank you for your reply. Sorry I took so long to try this; I am actually away from home and will be back home tomorrow and will try these things.

As for the questions: yes, I have run Ad-Aware 2007 a few times and Spybot S&D a couple of times, hoping they would just get rid of it before I came here.

And no, I do not use the World of Warcraft site.

My antivirus was not disabled by me, but it is having problems.

C-Dunham
2007-08-13, 01:04
VundoFix Log


VundoFix V6.5.7

Checking Java version...

Scan started at 6:45:54 PM 8/12/2007

Listing files found while scanning....

C:\windows\system32\eucjawnp.dll
C:\WINDOWS\system32\hhhkj.bak1
C:\WINDOWS\system32\hhhkj.bak2
C:\WINDOWS\system32\hhhkj.ini
C:\WINDOWS\system32\igfate.dll
C:\windows\system32\ikvjtbpm.dll
C:\WINDOWS\system32\jkhhh.dll
C:\WINDOWS\system32\khfcbyy.dll
C:\windows\system32\klokpbsx.dll
C:\WINDOWS\system32\mpcevypn.dll
C:\windows\system32\nfxsxilx.dll
C:\windows\system32\pnwajcue.ini
C:\WINDOWS\system32\tmp15.tmp.dll
C:\windows\system32\vtsqqqq.dll
C:\windows\system32\xsbpkolk.ini
ertw1.dll

Beginning removal...

Attempting to delete C:\windows\system32\eucjawnp.dll
C:\windows\system32\eucjawnp.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\hhhkj.bak1
C:\WINDOWS\system32\hhhkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hhhkj.bak2
C:\WINDOWS\system32\hhhkj.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hhhkj.ini
C:\WINDOWS\system32\hhhkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\igfate.dll
C:\WINDOWS\system32\igfate.dll Has been deleted!

Attempting to delete C:\windows\system32\ikvjtbpm.dll
C:\windows\system32\ikvjtbpm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkhhh.dll
C:\WINDOWS\system32\jkhhh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khfcbyy.dll
C:\WINDOWS\system32\khfcbyy.dll Has been deleted!

Attempting to delete C:\windows\system32\klokpbsx.dll
C:\windows\system32\klokpbsx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mpcevypn.dll
C:\WINDOWS\system32\mpcevypn.dll Has been deleted!

Attempting to delete C:\windows\system32\nfxsxilx.dll
C:\windows\system32\nfxsxilx.dll Has been deleted!

Attempting to delete C:\windows\system32\pnwajcue.ini
C:\windows\system32\pnwajcue.ini Has been deleted!

Attempting to delete C:\windows\system32\vtsqqqq.dll
C:\windows\system32\vtsqqqq.dll Could not be deleted.

Attempting to delete C:\windows\system32\xsbpkolk.ini
C:\windows\system32\xsbpkolk.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\eucjawnp.dll
C:\windows\system32\eucjawnp.dll Has been deleted!

Attempting to delete C:\windows\system32\vtsqqqq.dll
C:\windows\system32\vtsqqqq.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...


Program List

ac3
Ad-Aware 2007
Adobe Flash Player 9 ActiveX
Adobe Reader 7.0.5
Agere Systems AC'97 Modem
AT&T Labs' Natural Voices - Desktop 1.4
Audacity 1.2.6
Basic Math Skills 2003 TRL
Broadcom NetXtreme Ethernet Controller
Graphing Calculator Viewer
GroupWise
GroupWise Internet Browser Mail Integration
GroupWise Tip of the Day C3PO
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Inspiration 7.6
Intel(R) Graphics Media Accelerator Driver for Mobile
InterVideo DVD Check
InterVideo WinDVD
iTunes
Java(TM) 6 Update 2
Java(TM) SE Development Kit 6 Update 2
Life Skills Math 2003 TRL
Logger Pro 3.3
Lords of the Realm III
Macromedia Shockwave Player
MathGV 3.1
MathType 5
MetaFrame Presentation Server Client
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Text-to-Speech Engine 4.0 (English)
Mozilla Firefox (2.0.0.6)
MSXML 4.0 SP2 (KB927978)
PDF Magic 3
Physical Science 2004 TRL
QuickTime
RealPlayer
SAPI 5.1 Text-to-Speech
Scan and Read Pro
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Sid Meier's Civilization 4
Sonic DLA
Sonic RecordNow!
Sonic Update Manager
SoundMAX
Spybot - Search & Destroy 1.4
Symantec AntiVirus
Synaptics Pointing Device Driver
Talking Calculator
Talking Word Processor
TEC
Texas Instruments PCIxx21/x515 drivers.
Text-To-Audio
Ultimate Talking Dictionary
Universal Reader
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB936357)
WG_TRL
Windows Genuine Advantage v1.3.0254.0
Windows Internet Explorer 7
Windows NT Messaging
WinZip
Wrestling Scoreboard 1.0.0



HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:02:05 PM, on 8/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\cdunham\Desktop\HJT\showme.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.lakeviewspartans.org/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.bc-lakeview.k12.mi.us:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 10.*;*.bc-lakeview.k12.mi.us;<local>
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,winwork.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {135BFE49-CD18-4E80-2AA7-05E6C3809207} - C:\Program Files\Messenger\qudaruk698.dll
O2 - BHO: (no name) - {2FE1C57A-08FC-4056-A2EC-EF762ACF6FDC} - C:\Program Files\Windows Media Player\merox4444.dll
O2 - BHO: H - {30EDD4CB-8BC1-4f9f-99A6-A6938E9AACE0} - C:\WINDOWS\system32\down.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {9A1436B1-9D6E-420B-B23C-82D5F2DE717B} - C:\WINDOWS\system32\jkhhh.dll (file missing)
O2 - BHO: H - {D0367266-A0E9-4644-A039-0A0CF65FD09A} - ertw1.dll (file missing)
O2 - BHO: (no name) - {e1b3c6d6-ea87-44c2-8723-d6b4d5e451af} - C:\WINDOWS\system32\igfate.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - F:\AIM\aim.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.mistreamnet.com
O15 - Trusted Zone: http://www.mistreamnet.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1186539998140
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1186539988406
O16 - DPF: {88D969C0-F192-11D4-A65F-0040963251E5} (XML DOM Document 4.0) - file://C:\WINDOWS\msxml4.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = bc-lakeview.k12.mi.us
O17 - HKLM\Software\..\Telephony: DomainName = bc-lakeview.k12.mi.us
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = bc-lakeview.k12.mi.us
O20 - AppInit_DLLs: c:\windows\system32\vtsqqqq.dll
O20 - Winlogon Notify: SensLogon - C:\WINDOWS\SYSTEM32\ertw1.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Unknown owner - C:\Program Files\Symantec AntiVirus\DefWatch.exe (file missing)
O23 - Service: SAVRoam (SavRoam) - Unknown owner - C:\Program Files\Symantec AntiVirus\SavRoam.exe (file missing)
O23 - Service: Smart Card (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Print Spooler (Spooler) - Unknown owner - C:\WINDOWS\system32\spoolsv.exe (file missing)
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\rtemegod.html

--
End of file - 6068 bytes
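An added triage helper, not from the thread or from HijackThis/VundoFix, that parses HijackThis entry lines and flags the hook points katana acted on: extra UserInit entries, a populated AppInit_DLLs value, rundll32 autoruns loading a DLL from system32, BHOs with an empty or one-character name, missing antivirus service binaries, desktop components pointing at a local HTML file, and any DLL registered at more than one hook point. The sample lines are copied from the logs posted above; the section codes and rules are assumptions based on those logs, not a complete HijackThis specification.

```python
import re
from collections import defaultdict

# Sample entries copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,,winwork.exe
O2 - BHO: 0 - {135BFE49-CD18-4E80-2AA7-05E6C3809207} - C:\Program Files\Messenger\qudaruk698.dll
O2 - BHO: H - {D0367266-A0E9-4644-A039-0A0CF65FD09A} - ertw1.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\klokpbsx.dll",forkonce
O20 - AppInit_DLLs: c:\windows\system32\vtsqqqq.dll
O20 - Winlogon Notify: SensLogon - C:\WINDOWS\SYSTEM32\ertw1.dll
O23 - Service: Symantec AntiVirus - Unknown owner - C:\Program Files\Symantec AntiVirus\Rtvscan.exe (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Messenger\rtemegod.html
"""

# Every HJT entry line starts with a section code such as F2, O2, O20, O23.
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Bare DLL file names, used to correlate one DLL across several hook points.
DLL_RE = re.compile(r"([\w\-]+\.dll)", re.IGNORECASE)


def parse(log_text):
    """Return a list of (section, body) tuples for every HJT entry line."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def triage(entries):
    """Return a list of (section, message) findings worth a human look."""
    findings = []
    seen_dlls = defaultdict(set)  # dll name (lower case) -> sections it appears in
    for sec, body in entries:
        for dll in DLL_RE.findall(body):
            seen_dlls[dll.lower()].add(sec)

        if sec == "F2" and "UserInit=" in body:
            # Anything after userinit.exe is launched at every logon.
            value = body.split("UserInit=", 1)[1]
            parts = [p for p in value.split(",") if p.strip()]
            if len(parts) > 1:
                findings.append(("F2", "extra UserInit entries: " + ", ".join(parts[1:])))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            # A non-empty AppInit_DLLs value is injected into every user32 process.
            value = body.split(":", 1)[1].strip()
            if value:
                findings.append(("O20", "AppInit_DLLs loads " + value))
        elif sec == "O4" and "rundll32" in body.lower() and "system32" in body.lower():
            findings.append(("O4", "rundll32 autorun from system32: " + body))
        elif sec == "O2" and re.search(r"BHO: (\S|\(no name\)) - ", body):
            # Legitimate BHOs normally carry a descriptive class name.
            findings.append(("O2", "BHO with empty or one-character name: " + body))
        elif sec == "O23" and "(file missing)" in body and "antivirus" in body.lower():
            findings.append(("O23", "antivirus service binary missing: " + body))
        elif sec == "O24" and body.lower().endswith(".html"):
            findings.append(("O24", "desktop component pointing at local HTML: " + body))

    # One DLL registered at several hook points (here a BHO and Winlogon Notify).
    for dll, secs in sorted(seen_dlls.items()):
        if len(secs) > 1:
            findings.append(("XREF", f"{dll} appears in sections {sorted(secs)}"))
    return findings


if __name__ == "__main__":
    for sec, msg in triage(parse(SAMPLE_LOG)):
        print(f"[{sec}] {msg}")
```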

katana
2007-08-13, 21:59
Hi C-Dunham,

I'm afraid I have unpleasant news for you. You have evidence of a Very Dangerous infection on this machine.
It is a Backdoor Trojan ----- See HERE (http://www.symantec.com/enterprise/security_response/writeup.jsp?docid=2007-052710-0541-99&tabid=1) for more details on this particular one

It allows outsiders COMPLETE access to every keystroke, account, and password you use while on this machine, and complete access to any other data present...
IF this computer has been used for any kind of important data, my best recommendation is to Disconnect from Internet, Re-Format the entire drive and re-install your Operating system and Applications.

We can likely clean the infected files off the computer, and if you wish we will attempt to do so, but we cannot be sure that the infection didn't do something to your system to reduce the system security. In that instance, even after removal of the infection, you could be subject to another attack or takeover as soon as you re-connect to the Internet.

The Decision Whether to ReFormat or Not should be based on:
The use of the computer - this is the primary factor in the decision whether to re-format and re-install, or just disinfect.
The variety of malware - this influences the decision on whether to re-format and re-install, or just disinfect. IN THIS CASE we have a Backdoor Trojan, the worst kind.

If the Computer has been used for any important data, you are strongly advised to do the following, immediately:
Disconnect the infected computer from the internet and from any networked computers until the computer can be cleaned.
Back up all important data on the machine. Do not back up any Applications (programs). Those should be re-installed from the original source CDs or websites.
If you have ever used this computer for shopping, banking, or any transactions relating to your financial well being:
Call all of your banks, credit card companies, and financial institutions, informing them that you may be a victim of identity theft, and to put a watch on your accounts or change all your account numbers.
From a clean computer, change ALL your online passwords -- for ISP login, email, banks, financial accounts, PayPal, eBay, online companies, and any online forums or groups you belong to.
DO NOT change passwords or do any transactions while using the infected computer because the attacker will get the new password and transaction information.
Take any other steps you think appropriate for an attempted identity theft.

While you are deciding whether to ReFormat and Re-Install, a useful link is here: http://www.dslreports.com/faq/10063
Please let me know what you decide.


I am sorry to be the bearer of bad news, but it is best that you know the full impact of this infection :sad:

katana
2007-08-16, 18:57
Do you still need help?

tashi
2007-08-28, 16:12
This topic has been moved to archives.

If you need the thread re-opened, please send me a private message (pm) and provide a link.

Applies only to the original poster, anyone else with similar problems please start your own topic.

Thank you katana. :)