PDA

View Full Version : Please help



CplAvers
2007-08-19, 02:55
Help! I have a problem that i can't get off my computer. I keep running S&D and sometimes it says it fixes it but it doesn't. I have turned off sys restore and tried that to no avail. here are the kaspersky log and hjt log. thank you.

C:\WINDOWS\83122.0xe/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\WINDOWS\83122.0xe NSIS: infected - 1 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{1E2928AD-60EC-40CA-9D0C-EFA581CD7AE3}.crmlog Object is locked skipped
C:\WINDOWS\retadpu1000106.0xe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\akegyptd.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\arieioca.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\awfengen.0xe Infected: Trojan.Win32.Agent.ny skipped
C:\WINDOWS\system32\badfjrbi.0ll Infected: Trojan-Spy.Win32.Agent.ps skipped
C:\WINDOWS\system32\bfwtmrmy.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\bnifkvyw.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\ccxkxkpg.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\cftrrxkr.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\cgkfhyly.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\checkdll\d77012.0xe Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\cskwgyuv.0xe Infected: Trojan.Win32.Small.ju skipped
C:\WINDOWS\system32\dwjidewe.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\ekjgkopu.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\esgppqjm.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\eublrnwq.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\eukceajg.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\f02WtR\f02WtR1065.0xe Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\WINDOWS\system32\fgfgqpxs.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\fmmrfrrq.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\fqghbqma.0ll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\WINDOWS\system32\frsrvmyn.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\fwivhncl.0ll Infected: Trojan.Win32.BHO.o skipped
C:\WINDOWS\system32\gkvtjwit.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\grxtjpof.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\gtjgnwax.0xe Infected: Trojan.Win32.Small.ju skipped
C:\WINDOWS\system32\gtppdykc.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\gwfoctjc.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hrirpfwx.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\hwjvorgv.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\ibtgmosa.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\isvcfyao.0xe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\jagofede.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\jrmpuggo.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\jsqdwlee.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\jthalcug.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\kcewemef.0ll Infected: Trojan.Win32.BHO.o skipped
C:\WINDOWS\system32\kesaydhe.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\khqpcdhy.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\lhgcnpro.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\ljraalsq.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\lmmifxbp.0xe Infected: Trojan.Win32.Small.ju skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\mcknkycl.0ll Infected: Trojan-Spy.Win32.Agent.ps skipped
C:\WINDOWS\system32\mcpseqot.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\mpyoeelt.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\MsDtc\MSDTC.LOG Object is locked skipped
C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log Object is locked skipped
C:\WINDOWS\system32\obetscln.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\obnbncgr.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\ocndlcjk.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\oellsdbp.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\paljwckv.0xe Infected: Trojan.Win32.Small.ju skipped
C:\WINDOWS\system32\ptelvfcp.0ll Infected: Trojan.Win32.BHO.o skipped
C:\WINDOWS\system32\puessloy.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\pwqrwcvq.0xe Infected: Trojan.Win32.Agent.amc skipped
C:\WINDOWS\system32\qaferjrp.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\qfodjqbf.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\qmievxer.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\qrkdlfbu.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\qxovcixa.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\qyhcnbkf.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\rdisslrm.0ll Infected: Trojan.Win32.BHO.o skipped
C:\WINDOWS\system32\rntqudtp.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\rpscescm.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\rsxijpag.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\sgsrkpyl.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\sgvghohp.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\sopnyycj.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\taeevniw.0ll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\WINDOWS\system32\tcepioen.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\tjicufhc.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\tqburbcf.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\txqefdqg.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\uifkmosb.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\ushxsaaq.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\utoftvef.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\uywcusda.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\vdlbpxvf.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\vgcggmkw.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\vgvqkntc.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wmpskwhf.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\wnaaucwf.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\xbuxclja.0ll Infected: Trojan.Win32.BHO.o skipped
C:\WINDOWS\system32\xeelshtm.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\xfdtwmdu.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\xjqryoqx.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\xobaepyq.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\xsppteiu.0ll Infected: Trojan.Win32.BHO.o skipped
C:\WINDOWS\system32\xuhwofvs.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\xyohgrgy.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\ydjbhegb.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\yetkwpqe.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\yunyrqpi.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\yvjtkvpp.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\yyxfhpom.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\Tony\LOCALS~1\Temp\JETF82.tmp Object is locked skipped
C:\DOCUME~1\Tony\LOCALS~1\Temp\snapsnet.0xe/data0005 Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\DOCUME~1\Tony\LOCALS~1\Temp\snapsnet.0xe NSIS: infected - 1 skipped
C:\DOCUME~1\Tony\LOCALS~1\Temp\yazzlesnet.0xe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\DOCUME~1\Tony\LOCALS~1\Temp\yazzlesnet.0xe NSIS: infected - 1 skipped
HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:36:58 PM, on 8/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\bcmntray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSLAUNCH.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\bcmntray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BackupNotify] C:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Essentials Manager\V CAST Music Monitor.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab45837.cab
O16 - DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} (OTAutoInstall Class) - https://streaming.endeavors.com/microsoft/imaging/clientdownloads/OTAI.CAB

CplAvers
2007-08-19, 02:55
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.com/client/msnmusax2918.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\microsoft frontpage\zyrorym.html
End of file - 10119 bytes

pskelley
2007-08-19, 17:12
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Looks like a Vundo infection and it looks nasty. First read this please:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\j2re1.4.2_03\ <<< BADLY out of date and likely why you are infected. Download the newest version and uninstall all old versions in Add Remove Programs.

Return here >> C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <<< rename HJT.exe, call it CplAvers.exe or whatever you wish, the next HJT log should show the infection.

Thanks to Atribune and any others who helped with this fix.

Please understand these hackers can call there junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThislogin a reply to this thread.Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com

Thanks...this is a start, this is a nasty infection and this will take some time.

CplAvers
2007-08-19, 21:59
Thank you for replying! I was afraid it was going to be bad. I have updated Java, ran vundofix and HJT. here are the logs. Thank you.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:57:18 PM, on 8/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\bcmntray.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Verizon Wireless\V CAST Music Essentials Manager\V CAST Music Monitor.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\CplAvers.exe.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSLAUNCH.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O2 - BHO: 0 - {0773B652-7166-4AC7-6292-BD3A18702E66} - (no file)
O2 - BHO: XNetIEObj Class - {1808648B-3102-4293-8AD3-06AF71D3321B} - C:\Program Files\Endeavors\AppExpress\bho_2_5_5_17070\bho.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: 0 - {B1FB8330-9183-415D-0396-B4B7875DDCD6} - (no file)
O2 - BHO: 0 - {E381A792-0798-40F7-6DA3-BAA956E9C079} - (no file)
O2 - BHO: (no name) - {F2ABD732-EFBE-429D-A133-93DFCDB94F38} - C:\WINDOWS\system32\vtutt.dll (file missing)
O2 - BHO: 0 - {F7A82D00-1C36-489A-0487-15ACD80307F1} - C:\Program Files\microsoft frontpage\vijidas917.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\bcmntray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BackupNotify] C:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Essentials Manager\V CAST Music Monitor.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab45837.cab
O16 - DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} (OTAutoInstall Class) - https://streaming.endeavors.com/microsoft/imaging/clientdownloads/OTAI.CAB
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.com/client/msnmusax2918.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\microsoft frontpage\zyrorym.html

--
End of file - 11178 bytes

VundoFix V6.5.7

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 1:33:37 PM 8/19/2007

Listing files found while scanning....

C:\windows\system32\1037\tfpnati.dll
C:\windows\system32\cvmtodfv.dll
C:\windows\system32\iifebcy.dll
C:\WINDOWS\system32\jkkljge.dll
C:\windows\system32\kmxvsobr.dll
C:\windows\system32\rbosvxmk.ini
C:\windows\system32\srutv.tmp
C:\windows\system32\swabnngy.ini
C:\WINDOWS\system32\vifuhksw.dll
C:\windows\system32\vturs.dll
C:\WINDOWS\system32\vtutt.dll
C:\windows\system32\wvuuuvv.dll
C:\WINDOWS\system32\ygnnbaws.dll

Beginning removal...

Attempting to delete C:\windows\system32\1037\tfpnati.dll
C:\windows\system32\1037\tfpnati.dll Has been deleted!

Attempting to delete C:\windows\system32\cvmtodfv.dll
C:\windows\system32\cvmtodfv.dll Has been deleted!

Attempting to delete C:\windows\system32\iifebcy.dll
C:\windows\system32\iifebcy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkljge.dll
C:\WINDOWS\system32\jkkljge.dll Has been deleted!

Attempting to delete C:\windows\system32\kmxvsobr.dll
C:\windows\system32\kmxvsobr.dll Has been deleted!

Attempting to delete C:\windows\system32\rbosvxmk.ini
C:\windows\system32\rbosvxmk.ini Has been deleted!

Attempting to delete C:\windows\system32\srutv.tmp
C:\windows\system32\srutv.tmp Has been deleted!

Attempting to delete C:\windows\system32\swabnngy.ini
C:\windows\system32\swabnngy.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\vifuhksw.dll
C:\WINDOWS\system32\vifuhksw.dll Has been deleted!

Attempting to delete C:\windows\system32\vturs.dll
C:\windows\system32\vturs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtutt.dll
C:\WINDOWS\system32\vtutt.dll Has been deleted!

Attempting to delete C:\windows\system32\wvuuuvv.dll
C:\windows\system32\wvuuuvv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ygnnbaws.dll
C:\WINDOWS\system32\ygnnbaws.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ygnnbaws.dll
C:\WINDOWS\system32\ygnnbaws.dll Has been deleted!

Performing Repairs to the registry.
Done!

pskelley
2007-08-19, 22:26
Thanks for returning your information, here is some information for you:

C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546

Since this is a nasty infections, please run combofix to see if any of it is left:
Thanks to sUBs and anyone else who helped with this fix.

1) Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

(save those logs until you finish)

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: 0 - {0773B652-7166-4AC7-6292-BD3A18702E66} - (no file)

(this item is valid but damaged, if you use it, download it again once we have finished)
O2 - BHO: XNetIEObj Class - {1808648B-3102-4293-8AD3-06AF71D3321B} - C:\Program Files\Endeavors\AppExpress\bho_2_5_5_17070\bho.dll (file missing)

O2 - BHO: (no name) - {549B5CA7-4A86-11D7-A4DF-000874180BB3} - (no file)
O2 - BHO: 0 - {B1FB8330-9183-415D-0396-B4B7875DDCD6} - (no file)
O2 - BHO: 0 - {E381A792-0798-40F7-6DA3-BAA956E9C079} - (no file)
O2 - BHO: (no name) - {F2ABD732-EFBE-429D-A133-93DFCDB94F38} - C:\WINDOWS\system32\vtutt.dll (file missing)
O2 - BHO: 0 - {F7A82D00-1C36-489A-0487-15ACD80307F1} - C:\Program Files\microsoft frontpage\vijidas917.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O24 - Desktop Component 0: (no name) - C:\Program Files\microsoft frontpage\zyrorym.html

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\Program Files\microsoft frontpage\zyrorym.html <<< delete that file

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the combofix log, a new HJT log and some comments about how the computer is running.

Thanks

CplAvers
2007-08-19, 23:14
Here are the new logs. the computer seems to be running much better than before. Haven't seen a popup or anything else. Also been faster. Thank you!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:06:36 PM, on 8/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\FSGK32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
C:\Program Files\Charter High-Speed Security Suite\Common\FSMB32.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FCH32.EXE
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsqh.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FAMEH32.EXE
C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsaua.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fssm32.exe
C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsus.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsav32.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\HP Software Update\HPWuSchd.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\system32\hphmon05.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\WINDOWS\system32\bcmntray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Charter High-Speed Security Suite\FSGUI\fsguidll.exe
C:\Program Files\Verizon Wireless\V CAST Music Essentials Manager\V CAST Music Monitor.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\Program Files\Trend Micro\HijackThis\CplAvers.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.netscape.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\system32\hphmon05.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\bcmntray
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [F-Secure Manager] "C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.EXE" /splash
O4 - HKLM\..\Run: [F-Secure TNB] "C:\Program Files\Charter High-Speed Security Suite\FSGUI\TNBUtil.exe" /CHECKALL /WAITFORSW
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BackupNotify] C:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: V CAST Music Monitor.lnk = C:\Program Files\Verizon Wireless\V CAST Music Essentials Manager\V CAST Music Monitor.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q304&bd=pavilion&pf=laptop
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - https://www-secure.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {9BDF4724-10AA-43D5-BD15-AEA0D2287303} (ZPA_TexasHoldem Object) - http://zone.msn.com/bingame/zpagames/zpa_txhe.cab45837.cab
O16 - DPF: {AF087E66-838E-4A97-8A0B-0DDDA5DEA239} (OTAutoInstall Class) - https://streaming.endeavors.com/microsoft/imaging/clientdownloads/OTAI.CAB
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - https://www-secure.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {ED28050F-D713-43BA-A376-DCC5C35407D5} (MsnMusicAx Class) - http://entimg.msn.com/client/msnmusax2918.cab
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/_media/dalaillama/ampx.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsgk32st.exe
O23 - Service: F-Secure Automatic Update Agent (FSAUA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsaua.exe
O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\FWES\Program\fsdfwd.exe
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\Program Files\Charter High-Speed Security Suite\Common\FSMA32.EXE
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 10612 bytes

CplAvers
2007-08-19, 23:16
ComboFix 07-08-14.4 - "Tony" 2007-08-19 14:37:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.138 [GMT -5:00]


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\microsoft frontpage\zyrorym.html
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\system32\B1
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f02WtR\f02WtR1065.0xe
C:\WINDOWS\system32\X1


((((((((((((((((((((((((( Files Created from 2007-07-19 to 2007-08-19 )))))))))))))))))))))))))))))))


2007-08-19 14:36 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-19 13:33 <DIR> d-------- C:\VundoFix Backups
2007-08-18 18:33 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-18 12:34 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-08-18 12:34 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-17 15:29 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-08-17 00:26 1,608,026 ---hs---- C:\WINDOWS\system32\ttutv.ini2
2007-08-16 04:12 <DIR> d-------- C:\DOCUME~1\Tony\APPLIC~1\F-Secure
2007-08-16 02:04 51,104 --a------ C:\WINDOWS\system32\drivers\fsdfw.sys
2007-08-16 02:04 29,984 --a------ C:\WINDOWS\system32\drivers\fsndis5.sys
2007-08-16 02:02 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\F-Secure
2007-08-16 02:01 <DIR> d-------- C:\Program Files\Charter High-Speed Security Suite
2007-08-16 02:01 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\fssg
2007-08-16 01:20 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2007-08-15 23:31 1,611,935 ---hs---- C:\WINDOWS\system32\ttutv.bak2
2007-08-15 11:31 6,421 --ahs---- C:\WINDOWS\system32\ttutv.bak1
2007-08-14 19:01 <DIR> d-------- C:\WINDOWS\system32\temp9
2007-08-14 19:01 <DIR> d-------- C:\WINDOWS\system32\checkdll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-19 14:41 --------- d-------- C:\Program Files\microsoft frontpage
2007-08-16 01:14 --------- d-------- C:\Program Files\Symantec
2007-08-16 01:14 --------- d-------- C:\Program Files\Norton AntiVirus
2007-08-16 01:14 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-08-16 01:14 --------- d-------- C:\DOCUME~1\Tony\APPLIC~1\Symantec
2007-06-26 10:13 851968 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-26 09:09 658944 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 01:08 1104896 --a------ C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 08:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 08:31 282112 --a------ C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-14 13:09 96256 --a------ C:\WINDOWS\system32\dllcache\inseng.dll
2007-06-14 13:09 615424 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-14 13:09 55808 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-14 13:09 532480 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-14 13:09 474112 --a------ C:\WINDOWS\system32\dllcache\shlwapi.dll
2007-06-14 13:09 449024 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-14 13:09 39424 --a------ C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-06-14 13:09 357888 --a------ C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-06-14 13:09 3058688 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-06-14 13:09 251392 --a------ C:\WINDOWS\system32\dllcache\iepeers.dll
2007-06-14 13:09 205312 --a------ C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-06-14 13:09 16384 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-14 13:09 151040 --a------ C:\WINDOWS\system32\dllcache\cdfview.dll
2007-06-14 13:09 1494528 --a------ C:\WINDOWS\system32\dllcache\shdocvw.dll
2007-06-14 13:09 146432 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-14 13:09 1054208 --a------ C:\WINDOWS\system32\dllcache\danim.dll
2007-06-14 13:09 1023488 --a------ C:\WINDOWS\system32\dllcache\browseui.dll
2007-06-14 09:07 18432 --a------ C:\WINDOWS\system32\dllcache\iedw.exe
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\system32\dllcache\explorer.exe
2007-06-13 05:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-05-25 21:32 838788 ---hs---- C:\WINDOWS\evwaalau.ini2
2006-11-30 15:51:10 712,724 --sh--w C:\WINDOWS\ualaawve.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0773B652-7166-4AC7-6292-BD3A18702E66}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B1FB8330-9183-415D-0396-B4B7875DDCD6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E381A792-0798-40F7-6DA3-BAA956E9C079}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F2ABD732-EFBE-429D-A133-93DFCDB94F38}]
C:\WINDOWS\system32\vtutt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F7A82D00-1C36-489A-0487-15ACD80307F1}]
C:\Program Files\microsoft frontpage\vijidas917.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2004-03-12 09:57]
"nwiz"="nwiz.exe" [2004-03-12 09:57 C:\WINDOWS\system32\nwiz.exe]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 03:01]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-07-15 14:09]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-07-15 14:08]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd.exe" [2003-08-04 19:28]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 10:38]
"DXDllRegExe"="dxdllreg.exe" []
"HPHUPD05"="c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe" []
"HPHmon05"="C:\WINDOWS\system32\hphmon05.exe" [2003-05-22 21:55]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-03-18 11:18]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-07-30 10:33]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-11-02 19:09]
"HPDJ Taskbar Utility"="C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb09.exe" [2003-09-17 23:02]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2005-03-09 19:10]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-03-09 19:10]
"Broadcom Wireless Manager UI"="C:\WINDOWS\system32\bcmntray" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45]
"F-Secure Manager"="C:\Program Files\Charter High-Speed Security Suite\Common\FSM32.exe" [2007-04-26 06:43]
"F-Secure TNB"="C:\Program Files\Charter High-Speed Security Suite\FSGUI\TNBUtil.exe" [2007-04-26 06:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RecordNow!"="" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"BackupNotify"="C:\Program Files\HP\Digital Imaging\bin\backupnotify.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]

C:\Documents and Settings\Tony\Start Menu\Programs\Startup\
V CAST Music Monitor.lnk - C:\Program Files\Verizon Wireless\V CAST Music Essentials Manager\V CAST Music Monitor.exe [2007-06-18 11:25:24]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06]
America Online 9.0 Tray Icon.lnk - C:\Program Files\America Online 9.0\aoltray.exe [2005-01-30 19:46:41]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2003-09-16 07:19:24]
Quicken Scheduled Updates.lnk - C:\Program Files\Quicken\bagent.exe [2004-01-29 01:36:18]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\microsoft frontpage\zyrorym.html
FriendlyName=

R0 FSFW;F-Secure Firewall Driver;C:\WINDOWS\system32\drivers\fsdfw.sys
R1 F-Secure HIPS;F-Secure HIPS;\??\C:\Program Files\Charter High-Speed Security Suite\HIPS\fshs.sys
R1 SbcpHid;SbcpHid;\??\C:\WINDOWS\system32\Drivers\SbcpHid.sys
R2 StreamDispatcher;StreamDispatcher;C:\WINDOWS\system32\DRIVERS\strmdisp.sys
R3 EMCR;EMCR;C:\WINDOWS\system32\DRIVERS\EMCR7SK.sys
R3 F-Secure Gatekeeper;F-Secure Gatekeeper;\??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\minifilter\fsgk.sys
S3 usbbus;LGE CDMA Composite USB Device;C:\WINDOWS\system32\DRIVERS\lgusbbus.sys
S3 UsbDiag;LGE CDMA USB Serial Port;C:\WINDOWS\system32\DRIVERS\lgusbdiag.sys
S3 USBModem;LGE CDMA USB Modem;C:\WINDOWS\system32\DRIVERS\lgusbmodem.sys
S4 F-Secure Filter;F-Secure File System Filter;\??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSfilter.sys
S4 F-Secure Recognizer;F-Secure File System Recognizer;\??\C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\Win2K\FSrec.sys


**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-19 14:41:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????2?6?7?9??????? ?|?B???????????????B? ??????

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-19 14:42:11
C:\ComboFix-quarantined-files.txt ... 2007-08-19 14:42

--- E O F ---

pskelley
2007-08-19, 23:46
That's sounding good:bigthumb: here are some suggestions for after we finish that may improve performace even more:
http://www.castlecops.com/postitle175256-0-0-.html
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/atwork/getstarted/speed.mspx?wt_svl=20292a&mg_id=20292b

There is some more junk showing in combofix log that looks like Vundo but I would like to see is Kaspersky will identify the stuff for us.
First remove Vundofix and vundofix backups...combofix and the Qoobox/quarantine folder. The scan will see that stuff as infected if you don't delete it from your computer. Once you do that, then do this:

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

CplAvers
2007-08-20, 08:27
here is the new kaspersky. thanks!
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, August 20, 2007 12:25:04 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 20/08/2007
Kaspersky Anti-Virus database records: 361415
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 65085
Number of viruses found: 14
Number of infected objects: 97
Number of suspicious objects: 0
Duration of the scan process: 01:29:20

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\F-Secure\logs\FSMA\fsma.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5ce05ef78eeb71ee3f98747ae95971cc_38d42447-66fe-482d-aab0-1822a51d5f39 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030410\0102\0102\values Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Tony\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Tony\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Tony\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Tony\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Tony\Local Settings\Application Data\Musicmatch\Jukebox\mmjbaltlog.txt Object is locked skipped
C:\Documents and Settings\Tony\Local Settings\Application Data\Musicmatch\Jukebox\mmjblog.txt Object is locked skipped
C:\Documents and Settings\Tony\Local Settings\Application Data\Musicmatch\MIM\Database\Default.ldb Object is locked skipped
C:\Documents and Settings\Tony\Local Settings\Application Data\Musicmatch\MIM\Database\Default.mdb Object is locked skipped
C:\Documents and Settings\Tony\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tony\Local Settings\Temp\JETD76A.tmp Object is locked skipped
C:\Documents and Settings\Tony\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tony\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Tony\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\perf.dat Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\power.dat Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\Common\History\ha.bpf Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\Common\History\index.txt Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\Spam Control\log\fs_sa_log.txt Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\Program Files\microsoft frontpage\vijidas.0ll Infected: Trojan.Win32.BHO.ab skipped
C:\Program Files\microsoft frontpage\vijidas917.0ll Infected: Trojan.Win32.BHO.ab skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\f02WtR\f02WtR1065.0xe.vir Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\83122.0xe/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\WINDOWS\83122.0xe NSIS: infected - 1 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\retadpu1000106.0xe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{4A6DAFA3-F778-4B0A-B3E3-0C4591EDD0AD}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\akegyptd.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\arieioca.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\awfengen.0xe Infected: Trojan.Win32.Agent.ny skipped
C:\WINDOWS\system32\badfjrbi.0ll Infected: Trojan-Spy.Win32.Agent.ps skipped
C:\WINDOWS\system32\bfwtmrmy.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\bnifkvyw.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\ccxkxkpg.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\cftrrxkr.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\cgkfhyly.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\checkdll\d77012.0xe Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\cskwgyuv.0xe Infected: Trojan.Win32.Small.ju skipped
C:\WINDOWS\system32\dwjidewe.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\ekjgkopu.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\esgppqjm.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\eublrnwq.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\eukceajg.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\fgfgqpxs.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\fmmrfrrq.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\fqghbqma.0ll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\WINDOWS\system32\frsrvmyn.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\fwivhncl.0ll Infected: Trojan.Win32.BHO.o skipped
C:\WINDOWS\system32\gkvtjwit.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\grxtjpof.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\gtjgnwax.0xe Infected: Trojan.Win32.Small.ju skipped
C:\WINDOWS\system32\gtppdykc.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\gwfoctjc.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hrirpfwx.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\hwjvorgv.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\ibtgmosa.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\isvcfyao.0xe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\jagofede.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\jrmpuggo.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\jsqdwlee.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\jthalcug.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\kcewemef.0ll Infected: Trojan.Win32.BHO.o skipped
C:\WINDOWS\system32\kesaydhe.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\khqpcdhy.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\lhgcnpro.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\ljraalsq.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\lmmifxbp.0xe Infected: Trojan.Win32.Small.ju skipped
C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\mcknkycl.0ll Infected: Trojan-Spy.Win32.Agent.ps skipped
C:\WINDOWS\system32\mcpseqot.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\mpyoeelt.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\obetscln.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\obnbncgr.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\ocndlcjk.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\oellsdbp.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\paljwckv.0xe Infected: Trojan.Win32.Small.ju skipped
C:\WINDOWS\system32\ptelvfcp.0ll Infected: Trojan.Win32.BHO.o skipped
C:\WINDOWS\system32\puessloy.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\pwqrwcvq.0xe Infected: Trojan.Win32.Agent.amc skipped
C:\WINDOWS\system32\qaferjrp.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\qfodjqbf.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\qmievxer.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\qrkdlfbu.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\qxovcixa.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\qyhcnbkf.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\rdisslrm.0ll Infected: Trojan.Win32.BHO.o skipped
C:\WINDOWS\system32\rntqudtp.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\rpscescm.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\rsxijpag.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\sgsrkpyl.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\sgvghohp.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\sopnyycj.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\taeevniw.0ll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\WINDOWS\system32\tcepioen.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\tjicufhc.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\tqburbcf.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\txqefdqg.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\uifkmosb.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\ushxsaaq.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\utoftvef.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\uywcusda.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\vdlbpxvf.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\vgcggmkw.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\vgvqkntc.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wmpskwhf.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\wnaaucwf.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\xbuxclja.0ll Infected: Trojan.Win32.BHO.o skipped
C:\WINDOWS\system32\xeelshtm.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\xfdtwmdu.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\xjqryoqx.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\xobaepyq.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\xsppteiu.0ll Infected: Trojan.Win32.BHO.o skipped
C:\WINDOWS\system32\xuhwofvs.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\xyohgrgy.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\ydjbhegb.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\yetkwpqe.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\yunyrqpi.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\yvjtkvpp.0ll Infected: Trojan-Spy.Win32.VBStat.j skipped
C:\WINDOWS\system32\yyxfhpom.0ll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

pskelley
2007-08-20, 15:27
Thanks for returning the scan results, C:\WINDOWS\system32\akegyptd.0ll <<< here is the google:
http://www.google.com/search?hl=en&q=.0ll+&btnG=Google+Search
and see this: http://support.f-secure.com/fin/home/supportissue/fsis2005/general/general-issue-2004092802.shtml

Some program you used, possibly your antivirus program? has renamed these files because of the reasons explained in the f-secure information I posted.
Since the are renamed and we removed all bad files, then they should not be a problem but we need to get them off your computer. Before we try to do this manually, let's run a tool and see if it will recome them.

Download Dr.Web CureIt to the desktop:
ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe
Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
http://users.telenet.be/bluepatchy/miekiemoes/images/move.gif
This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (this in case if we need samples)
After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.
Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.


The option would be to delete them manually. This would be a little time consuming but no real deal, see the first one:
C:\WINDOWS\system32\akegyptd.0ll Infected: Trojan.Win32.BHO.g skipped
You would simply open the C:\WINDOWS\system32\ folder and delete all files with the akegyptd.0ll <<< renamed like this.
If you wish to see if the scan I posted will remove them that is fine, if you need me to post a list of them, let me know.

The good news is they can not harm you now.

Keep me posted.

CplAvers
2007-08-21, 00:08
The computer is still kinda slow and I have been getting page cannot be displayed on some pages even though I am connected. Here is the new log. Thank you.
GPsetup.exe;C:\Documents and Settings\Tony\My Documents;Adware.Casino;Incurable.Moved.;
vijidas.0ll;C:\Program Files\microsoft frontpage;Trojan.StartPage.19992;Deleted.;
vijidas917.0ll;C:\Program Files\microsoft frontpage;Trojan.StartPage.19992;Deleted.;
f02WtR1065.0xe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32\f02WtR;Trojan.DownLoader.24715;Deleted.;
cvmtodfv.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
iifebcy.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
jkkljge.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
kmxvsobr.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
tfpnati.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
vifuhksw.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
vturs.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
wvuuuvv.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
ygnnbaws.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;
bksp.dll;C:\WINDOWS;Trojan.Virtumod;Deleted.;
Golden Palace Casino PT setup.exe;C:\WINDOWS;Adware.Casino;Incurable.Moved.;
retadpu1000106.0xe;C:\WINDOWS;Trojan.DownLoader.24772;Deleted.;
ualaawve.dll;C:\WINDOWS;Trojan.Virtumod;Deleted.;
akegyptd.0ll;C:\WINDOWS\system32;Adware.Duncan;Incurable.Moved.;
arieioca.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
badfjrbi.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
bfwtmrmy.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
bnifkvyw.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
ccxkxkpg.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
cftrrxkr.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
cgkfhyly.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
cskwgyuv.0xe;C:\WINDOWS\system32;Trojan.StartPage.1536;Deleted.;
dwjidewe.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
ekjgkopu.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
esgppqjm.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
eublrnwq.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
eukceajg.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
fgfgqpxs.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
fmmrfrrq.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
fqghbqma.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
frsrvmyn.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
fwivhncl.0ll;C:\WINDOWS\system32;Trojan.Juan;Incurable.Moved.;
gkvtjwit.0ll;C:\WINDOWS\system32;Adware.Duncan;Incurable.Moved.;
grxtjpof.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
gtjgnwax.0xe;C:\WINDOWS\system32;Trojan.StartPage.1536;Deleted.;
gtppdykc.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
gwfoctjc.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
hrirpfwx.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
hwjvorgv.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
ibtgmosa.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
isvcfyao.0xe;C:\WINDOWS\system32;Trojan.Click.2799;Deleted.;
jagofede.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
jrmpuggo.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
jsqdwlee.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
jthalcug.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
kcewemef.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
kesaydhe.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
khqpcdhy.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
lhgcnpro.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
ljraalsq.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
lmmifxbp.0xe;C:\WINDOWS\system32;Trojan.LowZones.177;Deleted.;
lstdtqqu.exe;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
mcknkycl.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
mcpseqot.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
mpyoeelt.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
obetscln.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
obnbncgr.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
ocndlcjk.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
oellsdbp.0ll;C:\WINDOWS\system32;Adware.Duncan;Incurable.Moved.;
paljwckv.0xe;C:\WINDOWS\system32;Trojan.LowZones.177;Deleted.;
ptelvfcp.0ll;C:\WINDOWS\system32;Trojan.Juan;Incurable.Moved.;
puessloy.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
pwqrwcvq.0xe;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
qaferjrp.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
qfodjqbf.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
qmievxer.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
qrkdlfbu.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
qxovcixa.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
qyhcnbkf.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
rdisslrm.0ll;C:\WINDOWS\system32;Trojan.Juan;Incurable.Moved.;
rntqudtp.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
rpscescm.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
rsxijpag.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
sgsrkpyl.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
sgvghohp.0ll;C:\WINDOWS\system32;Adware.Duncan;Incurable.Moved.;
sopnyycj.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
taeevniw.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
tcepioen.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
tjicufhc.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
tqburbcf.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
txqefdqg.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
uifkmosb.0ll;C:\WINDOWS\system32;Adware.Duncan;Incurable.Moved.;
ushxsaaq.0ll;C:\WINDOWS\system32;Adware.Duncan;Incurable.Moved.;
utoftvef.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
uywcusda.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
vdlbpxvf.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
vgcggmkw.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
vgvqkntc.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
wepaokxt.exe;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
wmpskwhf.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
wnaaucwf.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
xbuxclja.0ll;C:\WINDOWS\system32;Trojan.Juan;Incurable.Moved.;
xeelshtm.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
xfdtwmdu.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
xjqryoqx.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
xobaepyq.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
xsppteiu.0ll;C:\WINDOWS\system32;Trojan.Juan;Incurable.Moved.;
xuhwofvs.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
xyohgrgy.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
ydjbhegb.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
yetkwpqe.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
yunyrqpi.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
yvjtkvpp.0ll;C:\WINDOWS\system32;Trojan.Virtumod;Deleted.;
yyxfhpom.0ll;C:\WINDOWS\system32;Trojan.Juan;Deleted.;
d77012.0xe;C:\WINDOWS\system32\checkdll;Trojan.DownLoader.26881;Deleted.;

pskelley
2007-08-21, 00:23
OK, you have just been through a major infection, it is going to take a little time to get you back to normal. Sometimes the damage is so severe it takes a reinstallation of the Operating System or even a reformat. Please be patient as we see what we can do.

Here is information for you to view:
http://www.microsoft.com/windows/IE/community/columns/IEtopten.mspx

This scan you just ran found stuff that should have been removed before you ran Kaspersky. Please remove every tool we downloaded except ATF-Cleaner and Kaspersky.

That includes:

DrWeb
VundoFix
C:\VundoFix Backups
combofix
C:\Qoobox\quarantine

When all tools we downloaded for the cleanup are removed, then run a Kaspersky scan and post it.

Thanks

CplAvers
2007-08-21, 20:08
here is the new kaspersky log. Thanks!
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, August 21, 2007 12:07:47 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 21/08/2007
Kaspersky Anti-Virus database records: 362348
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 68140
Number of viruses found: 4
Number of infected objects: 14
Number of suspicious objects: 0
Duration of the scan process: 02:06:12

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\F-Secure\logs\FSMA\fsma.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5ce05ef78eeb71ee3f98747ae95971cc_38d42447-66fe-482d-aab0-1822a51d5f39 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030410\0102\0102\values Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Tony\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Tony\DoctorWeb\Quarantine\akegyptd.0ll Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\Tony\DoctorWeb\Quarantine\fwivhncl.0ll Infected: Trojan.Win32.BHO.o skipped
C:\Documents and Settings\Tony\DoctorWeb\Quarantine\gkvtjwit.0ll Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\Tony\DoctorWeb\Quarantine\oellsdbp.0ll Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\Tony\DoctorWeb\Quarantine\ptelvfcp.0ll Infected: Trojan.Win32.BHO.o skipped
C:\Documents and Settings\Tony\DoctorWeb\Quarantine\rdisslrm.0ll Infected: Trojan.Win32.BHO.o skipped
C:\Documents and Settings\Tony\DoctorWeb\Quarantine\sgvghohp.0ll Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\Tony\DoctorWeb\Quarantine\uifkmosb.0ll Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\Tony\DoctorWeb\Quarantine\ushxsaaq.0ll Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\Tony\DoctorWeb\Quarantine\xbuxclja.0ll Infected: Trojan.Win32.BHO.o skipped
C:\Documents and Settings\Tony\DoctorWeb\Quarantine\xsppteiu.0ll Infected: Trojan.Win32.BHO.o skipped
C:\Documents and Settings\Tony\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Tony\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Tony\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Tony\Local Settings\Application Data\Musicmatch\Jukebox\mmjbaltlog.txt Object is locked skipped
C:\Documents and Settings\Tony\Local Settings\Application Data\Musicmatch\Jukebox\mmjblog.txt Object is locked skipped
C:\Documents and Settings\Tony\Local Settings\Application Data\Musicmatch\MIM\Database\Default.ldb Object is locked skipped
C:\Documents and Settings\Tony\Local Settings\Application Data\Musicmatch\MIM\Database\Default.mdb Object is locked skipped
C:\Documents and Settings\Tony\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tony\Local Settings\History\History.IE5\MSHist012007082020070821\index.dat Object is locked skipped
C:\Documents and Settings\Tony\Local Settings\Temp\JET3C92.tmp Object is locked skipped
C:\Documents and Settings\Tony\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Tony\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Tony\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\dbupdate.log Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\deleteme_msg.log Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\fsqh.exe.Qrt.log Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\perf.dat Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\Anti-Virus\power.dat Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\Common\History\ha.bpf Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\Common\History\index.txt Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\Common\policy.bpf Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\Common\policy.ipf Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\FSAUA\fsbwupst.log Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsaua.dbg Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\FSAUA\program\fsaua.log Object is locked skipped
C:\Program Files\Charter High-Speed Security Suite\Spam Control\log\fs_sa_log.txt Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\WINDOWS\83122.0xe/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\WINDOWS\83122.0xe NSIS: infected - 1 skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\awfengen.0xe Infected: Trojan.Win32.Agent.ny skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\AVP4DD7.tmp Object is locked skipped
C:\WINDOWS\Temp\AVP4DD8.tmp Object is locked skipped
C:\WINDOWS\Temp\AVP4DDB.tmp Object is locked skipped
C:\WINDOWS\Temp\AVP4DDC.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

pskelley
2007-08-21, 22:46
KASPERSKY ONLINE SCANNER REPORT Tuesday, August 21, 2007 12:07:47 PM

Number of infected objects: 14


That includes:
DrWeb <<< If you would have deleted DrWeb, the quarantined junk would have gone with it.

C:\Documents and Settings\Tony\DoctorWeb\Quarantine\ Delete the folder in red

These have all been renamed and as such are benign, but delete them anyway.

C:\WINDOWS\83122.0xe <<< delete
C:\WINDOWS\83122.0xe <<< delete
C:\WINDOWS\system32\awfengen.0xe <<< delete

That should give you a clean computer, let's do this now:

System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

pskelley
2007-08-28, 00:30
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks