Problems with Virtumonde and CmdService
Last week, an unrequested download ran on my computer. I could not get rid of it. I turned to Spybot, which showed several issues. Earlier in the week, there were no issues. Now the system is slow and browser windows pop up every few minutes to advertisements.
Spybot sidebar instructions for Virtumonde directed me to this forum for assistance. I have completed "Before you post" steps and hope they provide sufficient information to help get rid of these problems. Can someone please help?
Here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:23 PM, on 8/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\RoamMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\plite731.exe
C:\Program Files\Internet Explorer\niwo22011.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKLM\..\Run: [niwo] C:\Program Files\Internet Explorer\niwo22011.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\Greg\APPLIC~1\CROSOF~1.NET\ntvdm.exe" -vt yazb
O4 - HKCU\..\Run: [Sue] "C:\Program Files\?ppPatch\l?ass.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125541547371
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173792747484
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://remoteaccess.med.utah.edu/dana-cached/setup/JuniperSetupSP1.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OracleMTSRecoveryService - Unknown owner - C:\oracle\ora92\bin\omtsreco.exe (file missing)
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINDOWS\System32\RoamMgr.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
--
End of file - 8245 bytes
Next are the F-Secure scan results logs (I have Kaspersky results also if needed, but they made this initial post too long):
F-Secure on-line scan log --
Scanning Report
Saturday, August 18, 2007 21:44:36 - 10:39:48
Computer name: LAPTOP1
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\
Result: 45 malware found
Tracking Cookie (spyware)
* System (Disinfected)
* System
* System
* System
* System
* System
* System
Trojan-Downloader.Win32.Agent.bls (virus)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091721.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091736.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091772.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091877.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Delf.biu (virus)
* C:\DOCUMENTS AND SETTINGS\GREG\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\L03R7IVF\MSIESETTINGS[1].EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Small.buy (virus)
* C:\WINDOWS\SYSTEM32\TMPS2\MTIDOCS.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.Small.eqn (virus)
* C:\WINDOWS\SYSTEM32\CHKFIG5\D0125.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091918.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091719.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091757.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091856.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091871.EXE (Renamed & Submitted)
Trojan-Downloader.Win32.VB.awj (virus)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091919.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091920.EXE (Renamed & Submitted)
Trojan-Proxy.Win32.VB.x (virus)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091922.EXE (Renamed & Submitted)
Trojan.Win32.BHO.ab (virus)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091901.DLL (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091902.DLL (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091903.DLL (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091904.DLL (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091905.DLL (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091906.DLL (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091907.DLL (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091908.DLL (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091909.DLL (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091924.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091720.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091759.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091780.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091797.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091819.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091838.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091858.EXE (Renamed & Submitted)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091873.EXE (Renamed & Submitted)
W32/NetMon.C (virus)
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091735.EXE (Submitted)
W32/Vundo.dam (virus)
* C:\WINDOWS\SYSTEM32\EFCDD.DLL
* C:\SYSTEM VOLUME INFORMATION\_RESTORE{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091843.DLL (Submitted)
* C:\DOCUMENTS AND SETTINGS\GREG\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\VGADKYV0\CSS4[1] (Submitted)
Win32.TrojanDownloader.Agent (spyware)
* System (Disinfected)
Statistics
Scanned:
* Files: 99022
* System: 5088
* Not scanned: 4
Actions:
* Disinfected: 2
* Renamed: 33
* Deleted: 0
* None: 10
* Submitted: 36
Files not scanned:
* C:\HIBERFIL.SYS
* C:\PAGEFILE.SYS
* C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
* C:\WINDOWS\SOFTWAREDISTRIBUTION\EVENTCACHE\{1C3C7B8F-5448-46DC-A62E-76DF33E5295A}.BIN
Options
Scanning engines:
* F-Secure AVP: 7.0.171, 2007-08-17
* F-Secure Blacklight: 1.0.64
* F-Secure Draco: 1.0.35, 0260-23-12
* F-Secure Libra: 2.4.2, 2007-08-16
* F-Secure Orion: 1.2.37, 2007-08-16
* F-Secure Pegasus: 1.19.0, 2007-07-12
Scanning options:
* Scan defined files: COM EXE SYS OV? BIN SCR DLL SHS HTM HTML HTT VBS JS INF VXD DO? XL? RTF CPL WIZ HTA PP? PWZ P?T MSO PIF . ACM ASP AX CNV CSC DRV INI MDB MPD MPP MPT OBD OBT OCX PCI TLB TSP WBK WBT WPC WSH VWP WML BOO HLP TD0 TT6 MSG ASD JSE VBE WSC CHM EML PRC SHB BAT LNK ANI AVB CEO CMD LSP MAP MHT MIF PDF PHP POT WMF NWS TAR TGZ WSF ZL? {* ZIP JAR ARJ LZH TAR TGZ GZ CAB RAR BZ2 HQX
* Use Advanced heuristics
I already tried the VundoFix.exe process and it could not remove several files. After a restart it did not seem to work either. Spybot had very similar results asking if it could run at the next restart.
Thank you in advance for your time, and I appreciate the clear instructions and service this forum provides. I've read through some of the other posts and they seem very thorough and professional.
Angelfire777
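As an added example, not part of the thread and not code from HijackThis, SDFix, ComboFix or any other tool named here, the script below parses HijackThis O4 (Run key) lines and applies a few path and name checks of the kind a log reader uses for triage: a binary that imitates a core Windows name one character off (svhost vs. svchost), a core name running from outside system32, a path containing the "?" HijackThis prints for characters it cannot display, an executable sitting directly in C:\WINDOWS, and an unexpected executable in the Internet Explorer folder. The sample lines are copied from the first HJT log in this post; the list of system binary names and the heuristics themselves are illustrative assumptions, not a signature set, and a flagged entry is a prompt to verify the file, not a verdict.

```python
"""Triage HijackThis O4 (Run-key) lines with simple path/name heuristics (illustrative example)."""
import re
from dataclasses import dataclass, field

# "O4 - HKLM\..\Run: [name] command"  -> hive, name, command
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
# Executable path (optionally quoted) followed by optional arguments.
PATH_RE = re.compile(
    r'^"?(?P<path>.*?\.(?:exe|dll|bat|cmd|scr|pif|com))"?(?:\s+(?P<args>.*))?$', re.IGNORECASE)

# Assumption: a short list of core Windows binaries that malware commonly imitates.
SYSTEM_NAMES = sorted({"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe", "winlogon.exe",
                       "services.exe", "explorer.exe", "ntvdm.exe", "spoolsv.exe", "rundll32.exe"})


@dataclass
class RunEntry:
    hive: str
    name: str
    path: str
    args: str
    reasons: list = field(default_factory=list)


def parse_o4(line):
    """Return a RunEntry for an O4 Run line, or None for any other HJT line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m.group("cmd").strip()
    pm = PATH_RE.match(cmd)
    if pm:
        path, args = pm.group("path"), pm.group("args") or ""
    else:
        path, args = cmd, ""
    return RunEntry(m.group("hive"), m.group("name"), path, args)


def edit_distance(a, b):
    """Levenshtein distance, used to spot names one character away from a system binary."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(entry):
    """Attach human-readable reasons to an entry; an empty list means nothing stood out."""
    lower = entry.path.replace("/", "\\").lower()
    base = lower.rsplit("\\", 1)[-1]
    directory = lower.rsplit("\\", 1)[0] if "\\" in lower else ""
    if "?" in entry.path:
        entry.reasons.append("path contains '?' (HijackThis substitutes it for undisplayable characters)")
    if base in SYSTEM_NAMES:
        if not directory.endswith("\\system32"):
            entry.reasons.append(f"system binary name {base} running outside system32")
    else:
        for sysname in SYSTEM_NAMES:
            if edit_distance(base, sysname) == 1:
                entry.reasons.append(f"name is one character away from {sysname}")
                break
    if directory in ("c:\\windows", "c:\\winnt"):
        entry.reasons.append("executable directly in the Windows directory")
    if directory.endswith("\\internet explorer") and base != "iexplore.exe":
        entry.reasons.append("unexpected executable in the Internet Explorer folder")
    return entry


def triage(log_text):
    """Map Run-entry names to their reasons, for every O4 line that raised at least one."""
    flagged = {}
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is not None and assess(entry).reasons:
            flagged[entry.name] = entry.reasons
    return flagged


# Sample input: O4 lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKLM\..\Run: [niwo] C:\Program Files\Internet Explorer\niwo22011.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\Greg\APPLIC~1\CROSOF~1.NET\ntvdm.exe" -vt yazb
O4 - HKCU\..\Run: [Sue] "C:\Program Files\?ppPatch\l?ass.exe"
"""

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_LOG).items():
        print(f"[{name}]")
        for r in reasons:
            print(f"    - {r}")
```

Run on the sample, the five entries the scanners later dealt with (svhost, plite731, niwo, Ncao, Sue) are reported and the vendor entries pass silently. The edit-distance check is what catches both "svhost.exe" and "l?ass.exe" with one rule; the separate "system name outside system32" rule is what catches an exact-name copy such as ntvdm.exe launched from Application Data.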
2007-08-20, 10:11
Hi, welcome to Safer Networking!
*Look in your Control Panel's Add/Remove Programs for any of these and uninstall them:
Oin
Yazzle by Oin
Purityscan by Oin
Snowballwars by Oin
or anything similar with Oin or Outerinfo in it.
Zolero
Tizzletalk
MediaTickets
Cowabanga
Reboot.
_____
Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum.
_____
Download combofix.exe (http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe)
1. Save it to your desktop.
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.
Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
____
HJT Uninstall list
Open HijackThis > Click "Misc Tools Section"
Click "Open Uninstall Manager".
Click "Save List".
Save it to your Desktop.
Copy the contents of the file to your next reply.
On your next reply, please include a:
Fresh HijackThis log.
SDFix log
combofix log
HJT uninstall list
Thank you for the assistance. I found none of the listed applications in the programs list to be uninstalled. Here is the fresh HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:45:35 AM, on 8/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\RoamMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\plite731.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Ncao] "C:\DOCUME~1\Greg\APPLIC~1\CROSOF~1.NET\ntvdm.exe" -vt yazb
O4 - HKCU\..\Run: [Sue] "C:\Program Files\?ppPatch\l?ass.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125541547371
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173792747484
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://remoteaccess.med.utah.edu/dana-cached/setup/JuniperSetupSP1.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OracleMTSRecoveryService - Unknown owner - C:\oracle\ora92\bin\omtsreco.exe (file missing)
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINDOWS\System32\RoamMgr.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
--
End of file - 8009 bytes
Here is the SDFix Report:
SDFix: Version 1.99
Run by Greg on Mon 08/20/2007 at 05:50 AM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Trojan Files Found:
C:\WINDOWS\system32\TFTP1692 - Deleted
C:\WINDOWS\system32\TFTP2076 - Deleted
C:\WINDOWS\system32\TFTP2320 - Deleted
C:\WINDOWS\system32\TFTP2396 - Deleted
C:\WINDOWS\system32\TFTP2428 - Deleted
C:\WINDOWS\system32\TFTP2544 - Deleted
C:\WINDOWS\system32\TFTP2812 - Deleted
C:\WINDOWS\system32\TFTP2848 - Deleted
C:\WINDOWS\system32\TFTP2896 - Deleted
C:\WINDOWS\system32\TFTP3028 - Deleted
C:\WINDOWS\system32\TFTP3220 - Deleted
C:\WINDOWS\system32\TFTP3240 - Deleted
C:\WINDOWS\system32\TFTP3264 - Deleted
C:\WINDOWS\system32\TFTP3276 - Deleted
C:\WINDOWS\system32\TFTP3308 - Deleted
C:\WINDOWS\system32\TFTP3448 - Deleted
C:\WINDOWS\system32\TFTP3836 - Deleted
C:\WINDOWS\system32\TFTP4032 - Deleted
C:\WINDOWS\system32\TFTP4040 - Deleted
C:\WINDOWS\system32\TFTP736 - Deleted
C:\WINDOWS\TISKY002.exe - Deleted
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"C:\\WINDOWS\\SYSTEM32\\ftp.exe"="C:\\WINDOWS\\SYSTEM32\\ftp.exe:*:Enabled:File Transfer Program"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
Remaining Files:
---------------
File Backups: - C:\SDFix\backups\backups.zip
Registry Backups: - C:\SDFix\backups\backupreg.zip
Full Registry Backup: - C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
Files with Hidden Attributes:
C:\Documents and Settings\Greg\My Documents\Visual Studio Projects\gs.isysguy.com\gs.isysguy.suo
C:\WINDOWS\R3JlZw\asappsrv.dll
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\All Users\Application Data\Microsoft\visualstudio\7.1\vs000223.tmp
C:\WINDOWS\SYSTEM32\CONFIG\SAM.tmp.LOG
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.tmp.LOG
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091800.vbs
Finished
Here is the ComboFix Report:
ComboFix 07-08-17.2 - "Greg" 2007-08-20 6:20:50.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.133 [GMT -6:00]
* Created a new restore point
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Program Files\Internet Explorer\niwo22011.exe
C:\Program Files\Outlook Express\rybilozy.dll
C:\WINDOWS\SYSTEM32\lnppo.bak1
C:\WINDOWS\SYSTEM32\lnppo.ini
C:\WINDOWS\SYSTEM32\lnppo.tmp
C:\WINDOWS\system32\oppnl.dll
C:\WINDOWS\system32\twqwasyo.dll
C:\WINDOWS\tk58.exe
((((((((((((((((((((((((( Files Created from 2007-07-20 to 2007-08-20 )))))))))))))))))))))))))))))))
2007-08-20 05:49 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-18 10:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-18 10:13 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-08-17 00:20 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-17 00:12 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-16 23:27 <DIR> d-------- C:\VundoFix Backups
2007-08-16 06:06 43,542 --a------ C:\WINDOWS\SYSTEM32\efccbyy.dll
2007-08-16 06:06 41 --a------ C:\WINDOWS\plite731_uninstaller_.bat
2007-08-16 06:06 <DIR> d--hs---- C:\WINDOWS\R3JlZw
2007-08-16 06:05 43,542 --a------ C:\WINDOWS\SYSTEM32\urqpppq.dll
2007-08-16 06:05 13,824 --a------ C:\WINDOWS\plite731.exe
2007-08-16 06:05 <DIR> d-------- C:\WINDOWS\SYSTEM32\tmps2
2007-08-16 06:05 <DIR> d-------- C:\WINDOWS\SYSTEM32\syschks22
2007-08-16 06:05 <DIR> d-------- C:\WINDOWS\SYSTEM32\SS1
2007-08-16 06:05 <DIR> d-------- C:\WINDOWS\SYSTEM32\ICM2
2007-08-16 06:05 <DIR> d-------- C:\WINDOWS\SYSTEM32\dll2
2007-08-16 06:05 <DIR> d-------- C:\WINDOWS\SYSTEM32\chkfig5
2007-08-16 06:05 <DIR> d-------- C:\Temp
2007-08-15 07:05 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-07-28 12:31 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Juniper Networks
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-19 21:44 --------- d-------- C:\Program Files\Mozilla Thunderbird
2007-08-16 06:17 --------- d-------- C:\DOCUME~1\Greg\APPLIC~1\.gaim
2007-07-19 00:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-12 17:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-27 08:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 08:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 08:34 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 08:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 08:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 08:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 08:34 44544 --------- C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 08:34 384512 --------- C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 08:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 08:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 08:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 08:34 232960 --------- C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 08:34 230400 --------- C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 08:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 08:34 153088 --------- C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 08:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 08:34 124928 --------- C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 08:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 08:34 105984 --------- C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 08:34 102400 --------- C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 02:27 63488 --------- C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 02:27 625152 --------- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 02:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 01:00 161792 --------- C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-26 02:27 363520 --------- C:\WINDOWS\system32\dllcache\w3svc.dll
2007-06-26 00:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 00:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 07:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 07:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-13 04:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 04:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2006-02-19 04:28 12288 --a------ C:\WINDOWS\Fonts.\RandFont.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{417CDCBA-0F9E-458D-9BDE-F6DF265CEEFB}]
C:\WINDOWS\system32\efcdd.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44218730-94E0-4b24-BBF0-C3D8B2BCE2C3}]
C:\WINDOWS\system32\rwuuxwjs.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53FDC6FF-7D7F-458B-BFA3-6110F834745D}]
C:\WINDOWS\system32\vtuvt.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4}]
2007-08-16 06:05 43542 --a------ C:\WINDOWS\system32\urqpppq.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDD90BF7-00C1-4850-8D4F-F682372EAFA1}]
C:\WINDOWS\system32\mljgd.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 15:24 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2002-08-22 18:28]
"CARPService"="carpserv.exe" [2003-01-23 14:06 C:\WINDOWS\SYSTEM32\carpserv.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-01-03 16:00]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2002-12-17 19:16]
"bascstray"="BascsTray.exe" []
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2002-12-18 13:20]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-07-17 09:18]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 11:28]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_01\bin\jusched.exe" [2003-08-19 17:23]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2003-11-20 16:02]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-07-15 09:03]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 03:41]
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [2007-07-22 20:17]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"plite731"="C:\WINDOWS\plite731.exe" [2007-08-16 06:05]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"Ncao"="C:\DOCUME~1\Greg\APPLIC~1\CROSOF~1.NET\ntvdm.exe" []
"Sue"="C:\Program Files\?ppPatch\l?ass.exe" []
C:\Documents and Settings\Greg\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 12:36:04]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-19 14:48:26]
DESKTOP.INI [2002-09-03 12:36:04]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-07-24 22:14:24]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 08:56:20]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4}"= C:\WINDOWS\system32\urqpppq.dll [2007-08-16 06:05 43542]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcdd]
C:\WINDOWS\system32\efcdd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 2003-01-12 16:17 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqpppq]
urqpppq.dll 2007-08-16 06:05 43542 C:\WINDOWS\SYSTEM32\urqpppq.dll
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R2 BASFND;BASFND;\??\C:\WINDOWS\System32\Drivers\BASFND.sys
R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
R2 CVPNDRVA;Cisco Systems IPsec Driver;\??\C:\WINDOWS\System32\Drivers\CVPNDRVA.sys
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe
R2 StreamDispatcher;StreamDispatcher;C:\WINDOWS\system32\DRIVERS\strmdisp.sys
R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys
R3 Intel_MIPMNMP;Intel Adapter Switching Driver;C:\WINDOWS\system32\DRIVERS\mipmnxp.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;C:\oracle\ora92\BIN\ONRSD.EXE
S3 w70n51;Intel(R) PRO/Wireless 7100 Adapter Driver;C:\WINDOWS\system32\DRIVERS\w70n51.sys
S3 wportcls;wportcls;\??\C:\DOCUME~1\Greg\LOCALS~1\Temp\wportcls.sys
Contents of the 'Scheduled Tasks' folder
2007-08-20 10:44:37 C:\WINDOWS\Tasks\backup.job - C:\Tasks\backup\backup.bat
2007-08-20 06:01:01 C:\WINDOWS\Tasks\rotate.job - C:\Tasks\scrnsvr\rotate.bat
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-20 06:34:22
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-20 6:39:19 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-20 06:39
C:\ComboFix2.txt ... 2007-08-17 00:39
--- E O F ---
Unfortunately, the HJT Uninstall List could not be produced. HJT would close when I clicked the "Save List..." button. Is there another such list that can be produced?
Angelfire777
2007-08-21, 12:48
Hi,
Unfortunately, the HJT Uninstall List could not be produced. HJT would close when I clicked the "Save List..." button. Is there another such list that can be produced?
That's probably because of a certain infection you have on your machine.
______
Remove MS Java
The Microsoft Java Virtual Machine, or MS Java VM, is used to run Java applets that can be found on web sites. When you visit a web site that has a Java applet, the MS JVM will compile and execute that applet on your machine. Microsoft no longer supports the MS JVM and it has become obsolete. There have also been known security issues with unpatched versions of the MS JVM and you should remove it and install the safer SUN JVM as an alternative (instructions follow).
Instructions on how to remove MS Java can be found >here< (http://www.bleepingcomputer.com/tutorials/tutorial97.html)
______
Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
Close your browsers and all open windows except for HijackThis then click "Fix checked."
Combofix Deletions
Open notepad.
Copy and paste the text inside the code box below to notepad
http://forums.spybot.info/showthread.php?p=113055
File::
C:\VundoFix Backups
C:\WINDOWS\plite731_uninstaller_.bat
C:\WINDOWS\plite731.exe
Folder::
C:\WINDOWS\R3JlZw
C:\WINDOWS\SYSTEM32\tmps2
C:\WINDOWS\SYSTEM32\syschks22
C:\WINDOWS\SYSTEM32\SS1
C:\WINDOWS\SYSTEM32\ICM2
C:\WINDOWS\SYSTEM32\dll2
C:\WINDOWS\SYSTEM32\chkfig5
C:\Temp
C:\DOCUME~1\Greg\APPLIC~1\CROSOF~1.NET
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{417CDCBA-0F9E-458D-9BDE-F6DF265CEEFB}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{44218730-94E0-4b24-BBF0-C3D8B2BCE2C3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53FDC6FF-7D7F-458B-BFA3-6110F834745D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BDD90BF7-00C1-4850-8D4F-F682372EAFA1}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"plite731"=-
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Ncao"=-
"Sue"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcdd]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqpppq]
Collect::
C:\WINDOWS\SYSTEM32\efccbyy.dll
C:\WINDOWS\SYSTEM32\urqpppq.dll
Filelook::
C:\DOCUME~1\Greg\LOCALS~1\Temp\wportcls.sys
Save and Name it as "CFScript"
Drag and drop CFScript.txt to your copy of combofix.
You can take a look at the image below if you're unsure on how to do it.
http://img263.imageshack.us/img263/9894/cfscriptno0.gif
Combofix will restart your machine, then it will produce a log afterwards.
Please post the contents of that log along with a fresh HijackThis log.
Additionally, please follow all of combofix's instructions regarding the submission of some malware for analysis and make sure that you don't leave that part out.
_____
Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type find.bat in the File name and save it to your desktop.
@echo off
cd\
dir /a:d "\program files\?ppPatch" > files.txt
notepad files.txt
exit
Locate Find.bat on your Desktop and double-click on it. It will open Notepad with some text in it. Please post the text here.
______
Please navigate to these files:
C:\Tasks\backup\backup.bat
C:\Tasks\scrnsvr\rotate.bat
Both of those are batch files but I cannot find any information regarding those. So, I want you to right click on each of those files then click "edit." A notepad will open for each of them and they will contain some text. Please post the contents of those files to your next reply.
CAUTION: DO NOT DOUBLE CLICK THOSE FILES, THEY MAY BE POTENTIALLY HARMFUL.
______
Please do an online scan with Kaspersky WebScanner (http://www.kaspersky.com/virusscanner)
Click on Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then begin downloading the latest definition files:
Once the files have been downloaded click on NEXT
Now click on Scan Settings
In the scan settings make sure that the following are selected:
Scan using the following Anti-Virus database:
Extended (if available otherwise Standard)
Scan Options:
Scan Archives
Scan Mail Bases
Click OK
Now under select a target to scan: Select My Computer
The program will start and scan your system.
The scan will take a while so be patient and let it run.
Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button:
Save the file to your desktop.
Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.
_______
Your Java is out of date....
Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components.
Click Start > Control Panel
Click Add/Remove Programs
Check any item with Java Runtime Environment (JRE or J2SE) in the name.
Click the Remove button.
Repeat as many times as necessary to remove all versions of Java.
Reboot your computer once all Java components are removed.
Then download Java Runtime Environment 6u2 (http://java.sun.com/javase/downloads/index.jsp), and install it to your computer.
_______
After all these, see if you can get the hijackthis uninstall list now.
On your next reply, please include a
Fresh HijackThis log.
kaspersky scan log
new combofix log
contents of backup.bat and rotate.bat
contents of files.txt
HJT uninstall list
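The Registry:: block of the CFScript above is derived mechanically from the log's loading points: each Browser Helper Object or Winlogon notify key that loads a flagged DLL is deleted whole, while in the shared Run and ShellExecuteHooks keys only the offending value is cleared. The following added example (not part of this thread and not ComboFix's own code) performs that derivation in Python over a constructed excerpt of the log; it assumes the analyst has already decided which files are malicious, listed in FLAGGED.

```python
"""Derive the Registry:: section of a ComboFix CFScript from the
"Reg Loading Points" section of a ComboFix log (added example, not
ComboFix's own code). Assumes the analyst has already decided which
files are malicious; FLAGGED lists the ones named in the thread."""
import re

# Paths are compared case-insensitively; '?' stands for the non-ASCII
# character the thread's log could not display.
FLAGGED = {
    r"c:\windows\system32\efcdd.dll",
    r"c:\windows\system32\urqpppq.dll",
    r"c:\windows\plite731.exe",
    r"c:\docume~1\greg\applic~1\crosof~1.net\ntvdm.exe",
    r"c:\program files\?pppatch\l?ass.exe",
}

# Constructed excerpt built from the loading points quoted in the thread.
LOG_EXCERPT = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{417CDCBA-0F9E-458D-9BDE-F6DF265CEEFB}]
C:\WINDOWS\system32\efcdd.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4}]
2007-08-16 06:05 43542 --a------ C:\WINDOWS\system32\urqpppq.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 15:24 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"bascstray"="BascsTray.exe" []
"plite731"="C:\WINDOWS\plite731.exe" [2007-08-16 06:05]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
"Ncao"="C:\DOCUME~1\Greg\APPLIC~1\CROSOF~1.NET\ntvdm.exe" []
"Sue"="C:\Program Files\?ppPatch\l?ass.exe" []
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-19 14:48:26]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57D6708C-88E2-4CAB-9FA4-78BB8CA3A3C4}"= C:\WINDOWS\system32\urqpppq.dll [2007-08-16 06:05 43542]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcdd]
C:\WINDOWS\system32\efcdd.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 2003-01-12 16:17 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqpppq]
urqpppq.dll 2007-08-16 06:05 43542 C:\WINDOWS\SYSTEM32\urqpppq.dll
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=')
FOLDER_RE = re.compile(r"^[A-Za-z]:\\.*\\$")  # Startup-folder heading line
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\[\]]*?\.(?:dll|exe)\b', re.IGNORECASE)


def last_path(line):
    """Lower-cased last file path on a log line, or None if there is none."""
    found = PATH_RE.findall(line)
    return found[-1].lower() if found else None


def parse_loading_points(text):
    """Group the section into (key, [lines]) in order of appearance.
    Startup-folder listings are not registry keys and end the current key."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = (m.group(1), [])
            entries.append(current)
        elif FOLDER_RE.match(line):
            current = None
        elif current is not None:
            current[1].append(line)
    return entries


def build_registry_section(text, flagged=FLAGGED):
    """Emit CFScript lines. BHO and Winlogon notify keys exist only to
    load their one DLL, so they are deleted whole ([-KEY]); Run and
    ShellExecuteHooks keys are shared with legitimate software, so only
    the offending value is removed ("name"=-)."""
    out = ["Registry::"]
    for key, lines in parse_loading_points(text):
        low = key.lower()
        if "\\browser helper objects\\" in low or "\\winlogon\\notify\\" in low:
            if any(last_path(l) in flagged for l in lines):
                out.append(f"[-{key}]")
            continue
        names = [VALUE_RE.match(l).group(1) for l in lines
                 if VALUE_RE.match(l) and last_path(l) in flagged]
        if names:
            out.append(f"[{key}]")
            out.extend(f'"{n}"=-' for n in names)
    return out


if __name__ == "__main__":
    print("\n".join(build_registry_section(LOG_EXCERPT)))
```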
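The find.bat step uses the `?` wildcard because the folder's name contains a character that does not display, and the same trick puts l?ass.exe beside the real lsass.exe and ntvdm.exe under Application Data. As an added example (not from the thread), the following Python check flags loading-point paths whose components contain non-ASCII characters, match a known system name once accents are stripped, or carry a system binary's name outside the Windows directory; the sample entries are constructed from the thread's Run values, with accented letters assumed in place of the characters the forum showed as `?`.

```python
"""Flag loading-point paths that imitate Windows names (added example,
not from the thread). Three checks: non-ASCII characters in a path
component, a component equal to a known system name once accents are
stripped, and a system binary name living outside the Windows directory.
Sample entries are constructed; the accented letters are an assumption
standing in for the characters the forum displayed as '?'."""
import unicodedata

# Names imitated in this thread (AppPatch, lsass.exe, ntvdm.exe) plus a
# few common ones; all lower-case.
SYSTEM_NAMES = {"apppatch", "lsass.exe", "ntvdm.exe", "svchost.exe",
                "explorer.exe", "ctfmon.exe"}
# Directories where those names are expected to live.
SYSTEM_DIRS = (r"c:\windows", r"c:\windows\system32")

# Constructed run-key values modelled on the thread's HKCU\...\Run entries.
SAMPLE_ENTRIES = {
    "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    "Ncao": r"C:\DOCUME~1\Greg\APPLIC~1\CROSOF~1.NET\ntvdm.exe",
    # 'A' with grave and 's' with cedilla: assumed lookalike characters
    "Sue": "C:\\Program Files\\" + "\u00c0ppPatch" + "\\l\u015fass.exe",
}


def ascii_skeleton(name):
    """Strip accents and compatibility forms so 'ÀppPatch' -> 'apppatch'."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(c for c in decomposed if not unicodedata.combining(c)).lower()


def check_path(path):
    """Return a list of findings for one loading-point path (empty = clean)."""
    findings = []
    parts = path.split("\\")
    for part in parts:
        if any(ord(c) > 127 for c in part):
            findings.append(f"non-ASCII characters in {part!r}")
        skeleton = ascii_skeleton(part)
        if skeleton in SYSTEM_NAMES and skeleton != part.lower():
            findings.append(f"{part!r} imitates system name {skeleton!r}")
    parent = "\\".join(parts[:-1]).lower()
    base = parts[-1].lower()
    if base in SYSTEM_NAMES and parent not in SYSTEM_DIRS:
        findings.append(f"system binary name {base!r} outside Windows dir: {parent!r}")
    return findings


def audit(entries):
    """Map each entry name to its findings, keeping only suspicious entries."""
    report = {}
    for name, path in entries.items():
        findings = check_path(path)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_ENTRIES).items():
        print(name)
        for f in findings:
            print("   ", f)
```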
Thank you for your help. I have removed the MS Java and installed the new SUN version. I also removed the R0-HKLM...about:blank entry in HJT. The other two O9 entries were not present, perhaps because of the MS Java removal?
____________
The results of the comboFix script you provided are shown below:
ComboFix 07-08-17.2 - "Greg" 2007-08-21 7:38:40.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.159 [GMT -6:00]
Command switches used :: C:\Documents and Settings\Greg\Desktop\Cleaners\CFScript.txt
* Created a new restore point
FILE::
C:\VundoFix Backups
C:\WINDOWS\plite731_uninstaller_.bat
C:\WINDOWS\plite731.exe
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\Temp
C:\WINDOWS\plite731.exe
C:\WINDOWS\plite731_uninstaller_.bat
C:\WINDOWS\R3JlZw
C:\WINDOWS\R3JlZw\asappsrv.dll
C:\WINDOWS\SYSTEM32\chkfig5
C:\WINDOWS\SYSTEM32\chkfig5\D0125.0XE
C:\WINDOWS\SYSTEM32\dll2
C:\WINDOWS\SYSTEM32\dll2\concdll2.exe
C:\WINDOWS\SYSTEM32\efccbyy.dll
C:\WINDOWS\SYSTEM32\ICM2
C:\WINDOWS\SYSTEM32\ICM2\nb22011.exe
C:\WINDOWS\SYSTEM32\nmnnn.bak1
C:\WINDOWS\SYSTEM32\nmnnn.bak2
C:\WINDOWS\SYSTEM32\nmnnn.ini
C:\WINDOWS\system32\nnnmn.dll
C:\WINDOWS\SYSTEM32\SS1
C:\WINDOWS\SYSTEM32\syschks22
C:\WINDOWS\SYSTEM32\syschks22\hhadz002.exe
C:\WINDOWS\SYSTEM32\tmps2
C:\WINDOWS\SYSTEM32\tmps2\MTIDOCS.0XE
C:\WINDOWS\system32\uirpiiud.dll
C:\WINDOWS\SYSTEM32\urqpppq.dll
C:\WINDOWS\system32\xarvwjej.dll
((((((((((((((((((((((((( Files Created from 2007-07-21 to 2007-08-21 )))))))))))))))))))))))))))))))
2007-08-20 05:49 <DIR> d-------- C:\WINDOWS\ERUNT
2007-08-18 10:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-08-18 10:13 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2007-08-17 00:20 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-08-17 00:12 <DIR> d-------- C:\Program Files\Trend Micro
2007-08-16 23:27 <DIR> d-------- C:\VundoFix Backups
2007-08-15 07:05 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-07-28 12:31 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Juniper Networks
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-08-20 20:43 --------- d-------- C:\Program Files\Mozilla Thunderbird
2007-08-16 06:17 --------- d-------- C:\DOCUME~1\Greg\APPLIC~1\.gaim
2007-07-19 00:59 3583488 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-07-12 17:31 765952 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
2007-06-27 08:34 823808 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-06-27 08:34 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-06-27 08:34 6058496 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-06-27 08:34 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-06-27 08:34 477696 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-06-27 08:34 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-06-27 08:34 44544 --------- C:\WINDOWS\system32\dllcache\iernonce.dll
2007-06-27 08:34 384512 --------- C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-06-27 08:34 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-06-27 08:34 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-06-27 08:34 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-06-27 08:34 232960 --------- C:\WINDOWS\system32\dllcache\webcheck.dll
2007-06-27 08:34 230400 --------- C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-06-27 08:34 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-06-27 08:34 153088 --------- C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-06-27 08:34 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-06-27 08:34 124928 --------- C:\WINDOWS\system32\dllcache\advpack.dll
2007-06-27 08:34 1152000 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-06-27 08:34 105984 --------- C:\WINDOWS\system32\dllcache\url.dll
2007-06-27 08:34 102400 --------- C:\WINDOWS\system32\dllcache\occache.dll
2007-06-27 02:27 63488 --------- C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-06-27 02:27 625152 --------- C:\WINDOWS\system32\dllcache\iexplore.exe
2007-06-27 02:27 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-06-27 01:00 161792 --------- C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-26 02:27 363520 --------- C:\WINDOWS\system32\dllcache\w3svc.dll
2007-06-26 00:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-26 00:08 1104896 --------- C:\WINDOWS\system32\dllcache\msxml3.dll
2007-06-19 07:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
2007-06-19 07:31 282112 --------- C:\WINDOWS\system32\dllcache\gdi32.dll
2007-06-13 04:23 1033216 --a------ C:\WINDOWS\explorer.exe
2007-06-13 04:23 1033216 --------- C:\WINDOWS\system32\dllcache\explorer.exe
2006-02-19 04:28 12288 --a------ C:\WINDOWS\Fonts.\RandFont.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 15:24 C:\WINDOWS\SYSTEM32\Ati2mdxx.exe]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2002-08-22 18:28]
"CARPService"="carpserv.exe" [2003-01-23 14:06 C:\WINDOWS\SYSTEM32\carpserv.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-01-03 16:00]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2002-12-17 19:16]
"bascstray"="BascsTray.exe" []
"PRONoMgr.exe"="C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe" [2002-12-18 13:20]
"DVDSentry"="C:\WINDOWS\System32\DSentry.exe" [2002-07-17 09:18]
"AdaptecDirectCD"="C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe" [2002-12-17 11:28]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2003-11-20 16:02]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-07-15 09:03]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2006-02-19 03:41]
"ClamWin"="C:\Program Files\ClamWin\bin\ClamTray.exe" [2007-07-22 20:17]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56]
C:\Documents and Settings\Greg\Start Menu\Programs\Startup\
DESKTOP.INI [2002-09-03 12:36:04]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-02-19 14:48:26]
DESKTOP.INI [2002-09-03 12:36:04]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2003-07-24 22:14:24]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2006-02-19 05:21:22]
HP Photosmart Premier Fast Start.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe [2006-02-10 08:56:20]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Sebring]
C:\WINDOWS\System32\LgNotify.dll 2003-01-12 16:17 110592 C:\WINDOWS\SYSTEM32\LgNotify.dll
R1 cdudf_xp;cdudf_xp;C:\WINDOWS\system32\drivers\cdudf_xp.sys
R1 pwd_2k;pwd_2k;C:\WINDOWS\system32\drivers\pwd_2k.sys
R1 UdfReadr_xp;UdfReadr_xp;C:\WINDOWS\system32\drivers\UdfReadr_xp.sys
R2 BASFND;BASFND;\??\C:\WINDOWS\System32\Drivers\BASFND.sys
R2 CVPND;Cisco Systems, Inc. VPN Service;"C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe"
R2 CVPNDRVA;Cisco Systems IPsec Driver;\??\C:\WINDOWS\System32\Drivers\CVPNDRVA.sys
R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\System32\inetsrv\inetinfo.exe
R2 StreamDispatcher;StreamDispatcher;C:\WINDOWS\system32\DRIVERS\strmdisp.sys
R3 DNE;Deterministic Network Enhancer Miniport;C:\WINDOWS\system32\DRIVERS\dne2000.sys
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys
R3 Intel_MIPMNMP;Intel Adapter Switching Driver;C:\WINDOWS\system32\DRIVERS\mipmnxp.sys
R3 mmc_2K;mmc_2K;C:\WINDOWS\system32\drivers\mmc_2K.sys
R3 O2SCBUS;O2Micro SmartCardBus Reader;C:\WINDOWS\system32\DRIVERS\ozscr.sys
S3 CVirtA;Cisco Systems VPN Adapter;C:\WINDOWS\system32\DRIVERS\CVirtA.sys
S3 dvd_2K;dvd_2K;C:\WINDOWS\system32\drivers\dvd_2K.sys
S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;C:\oracle\ora92\BIN\ONRSD.EXE
S3 w70n51;Intel(R) PRO/Wireless 7100 Adapter Driver;C:\WINDOWS\system32\DRIVERS\w70n51.sys
S3 wportcls;wportcls;\??\C:\DOCUME~1\Greg\LOCALS~1\Temp\wportcls.sys
Contents of the 'Scheduled Tasks' folder
2007-08-21 10:44:27 C:\WINDOWS\Tasks\backup.job - C:\Tasks\backup\backup.bat
2007-08-21 06:01:01 C:\WINDOWS\Tasks\rotate.job - C:\Tasks\scrnsvr\rotate.bat
**************************************************************************
catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-21 07:50:55
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
Completion time: 2007-08-21 7:54:17 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-21 07:53
C:\ComboFix2.txt ... 2007-08-20 06:39
C:\ComboFix3.txt ... 2007-08-17 00:39
--- E O F ---
______________
Also, the find.bat results are as follows (I don't know if you expected something more but this is all that was shown):
Volume in drive C has no label.
Volume Serial Number is 7810-9037
Directory of C:\program files
______________
The backup.bat and rotate.bat batch files in c:\tasks are just some personal batch files I created for my own use. The contents are below:
backup.bat
::keep only four backups on-hand
::delete oldest backup
del archive\info3.tar.gz
::Rename old archives
rename archive\info2.tar.gz info3.tar.gz
rename archive\info1.tar.gz info2.tar.gz
rename archive\info0.tar.gz info1.tar.gz
::Create new archive
tar -cvf archive\info0.tar c:\info\*
::Compress new archive
gzip -9v archive\info0.tar
::FTP Archive to server
ftp -s:ftp.scr home.net
exit
rotate.bat
rename C:\Files\ScreenSaverSlides\current 0
rename C:\Files\ScreenSaverSlides\4 current
rename C:\Files\ScreenSaverSlides\3 4
rename C:\Files\ScreenSaverSlides\2 3
rename C:\Files\ScreenSaverSlides\1 2
rename C:\Files\ScreenSaverSlides\0 1
The Kaspersky MyComputer Scan report is below:
Tuesday, August 21, 2007 10:55:32 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 21/08/2007
Kaspersky Anti-Virus database records: 386723
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 90442
Number of viruses found 15
Number of infected objects 76
Number of suspicious objects 10
Duration of the scan process 03:03:07
Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\.clamwin\quarantine\command.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip/retadpu1000106.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde10.zip/retadpu77.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde10.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde6.zip/retadpu77.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde6.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt.zip/retadpu77.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip/Yazzle1281OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Greg\Application Data\Mozilla\Firefox\Profiles\s0x26kpt.default\cert8.db Object is locked skipped
C:\Documents and Settings\Greg\Application Data\Mozilla\Firefox\Profiles\s0x26kpt.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Greg\Application Data\Mozilla\Firefox\Profiles\s0x26kpt.default\history.dat Object is locked skipped
C:\Documents and Settings\Greg\Application Data\Mozilla\Firefox\Profiles\s0x26kpt.default\key3.db Object is locked skipped
C:\Documents and Settings\Greg\Application Data\Mozilla\Firefox\Profiles\s0x26kpt.default\parent.lock Object is locked skipped
C:\Documents and Settings\Greg\Application Data\Mozilla\Firefox\Profiles\s0x26kpt.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Greg\Application Data\Mozilla\Firefox\Profiles\s0x26kpt.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Greg\Application Data\Mozilla\Firefox\Profiles\s0x26kpt.default\webappsstore.sqlite Object is locked skipped
C:\Documents and Settings\Greg\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Greg\Desktop\Cleaners\[4]-Submit_2007-08-21_ 73831.84.zip/efccbyy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Documents and Settings\Greg\Desktop\Cleaners\[4]-Submit_2007-08-21_ 73831.84.zip/urqpppq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Documents and Settings\Greg\Desktop\Cleaners\[4]-Submit_2007-08-21_ 73831.84.zip ZIP: infected - 2 skipped
C:\Documents and Settings\Greg\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\History\History.IE5\MSHist012007082120070822\index.dat Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\Temp\ClamWin1.log Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\Temp\~DFB69A.tmp Object is locked skipped
C:\Documents and Settings\Greg\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Greg\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Greg\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Greg\UserData\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Juniper Networks\Common Files\NCService.log Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe.vir Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
C:\QooBox\Quarantine\C\Program Files\Internet Explorer\niwo22011.exe.vir Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\QooBox\Quarantine\C\Program Files\Outlook Express\rybilozy.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\QooBox\Quarantine\C\Program Files\Outlook Express\rybilozy303.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\QooBox\Quarantine\C\Program Files\Outlook Express\rybilozy357.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\QooBox\Quarantine\C\Program Files\Outlook Express\rybilozy373.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\QooBox\Quarantine\C\Program Files\Outlook Express\rybilozy582.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\QooBox\Quarantine\C\Program Files\Outlook Express\rybilozy847.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\QooBox\Quarantine\C\Program Files\Outlook Express\rybilozy914.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\QooBox\Quarantine\C\Program Files\Outlook Express\rybilozy937.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\QooBox\Quarantine\C\Program Files\Outlook Express\rybilozy94.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\QooBox\Quarantine\C\Program Files\svhost\wr-1-0000077.exe.vir Infected: Virus.Win32.Virut.i skipped
C:\QooBox\Quarantine\C\WINDOWS\R3JlZw\asappsrv.dll.vir Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\QooBox\Quarantine\C\WINDOWS\svhost.exe.vir Infected: Trojan-Proxy.Win32.VB.x skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\chkfig5\D0125.0XE.vir Infected: Virus.Win32.Virut.i skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\dll2\concdll2.exe.vir Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\f02WtR\f02WtR1065.exe.vir Infected: Trojan-Downloader.Win32.VB.awj skipped
Kaspersky scan report (continued):
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\f10WtR\f10WtR1099.exe.vir Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ICM2\nb22011.exe.vir/data0004 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ICM2\nb22011.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tmps2\MTIDOCS.0XE.vir Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\QooBox\Quarantine\C\WINDOWS\tk58.exe.vir Infected: Trojan.Win32.BHO.ab skipped
C:\SDFix\backups\backups.zip/backups/TISKY002.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091719.0XE Infected: Virus.Win32.Virut.i skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091720.0XE Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091721.0XE Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091735.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091736.0XE Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091738.exe Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091757.0XE Infected: Virus.Win32.Virut.i skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091759.0XE Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091772.0XE Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091780.0XE Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091797.0XE Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091819.0XE Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091838.0XE Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091841.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091842.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091856.0XE Infected: Virus.Win32.Virut.i skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091858.0XE Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091871.0XE Infected: Virus.Win32.Virut.i skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091873.0XE Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091877.0XE Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091901.0LL Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091902.0LL Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091903.0LL Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091904.0LL Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091905.0LL Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091906.0LL Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091907.0LL Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091908.0LL Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091909.0LL Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091916.exe Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091918.0XE Infected: Virus.Win32.Virut.i skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091919.0XE Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091920.0XE Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091922.0XE Infected: Trojan-Proxy.Win32.VB.x skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0091924.0XE Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0092023.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP563\A0092024.exe Infected: Virus.Win32.Virut.i skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP564\A0092056.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP564\A0092064.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP565\A0092121.exe Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP565\A0092122.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP565\A0092124.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP568\A0092317.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP568\A0092319.exe/data0004 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP568\A0092319.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP568\A0092320.exe Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP568\change.log Object is locked skipped
C:\VundoFix Backups\jkkkiif.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\ljjhffd.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\pfirewall.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_63c.dat Object is locked skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
I uninstalled the old Java JRE/J2SE, restarted and downloaded the new version.
________
I was able to create the HJT uninstall log successfully this time. Here are the results:
ActivePerl 5.8.6 Build 811
Adobe Atmosphere Player for Acrobat and Adobe Reader
Adobe Creative Suite
Adobe Photoshop Album 2.0 Starter Edition
Adobe Reader 8.1.0
Adobe SVG Viewer 3.0
ALPS Touch Pad Driver
ArcSoft PhotoImpression 4
ATI Control Panel
ATI Display Driver
Audacity 1.2.6
Barbie(TM) Horse Adventures(TM)
Broadcom Advanced Control Suite
Broadcom ASF Management Applications
ClamWin Free Antivirus 0.91.1
Conexant D480 MDC V.92 Modem
Dell Solution Center
Digital Line Detect
DVDSentry
Easy CD Creator 5 Basic
Ethereal 0.9.15
FileZilla (remove only)
Firegraphic 6
Folder Size for Windows
Gaim (remove only)
Gaim-Encryption Plugin (remove only)
GTK+ Runtime 2.6.8 rev a (remove only)
HijackThis 2.0.2
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
HP Document Viewer 7.0
HP Imaging Device Functions 7.0
HP Photosmart and Deskjet 7.0.A
HP Photosmart Essential
HP Photosmart Premier Software 6.5
HP Software Update
HP Solution Center 7.0
Intel(R) PROSet
InterVideo WinDVD
Java(TM) 6 Update 2
Juniper Networks Network Connect 5.4.0
Kaspersky Online Scanner
LDS Gospel Resource
LDS Scriptures CD-ROM Standard Edition
MetaFrame Presentation Server Web Client for Win32
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Money 2000 Standard Edition
Microsoft National Language Support Downlevel APIs
Microsoft Office Visio Professional 2003
Microsoft Office XP Professional
Microsoft Office XP Professional with FrontPage
Microsoft Outlook Web Access S/MIME
Microsoft Project Professional 2002
Modem Helper
Mozilla Firefox (2.0.0.6)
Mozilla Thunderbird (1.5.0.12)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
NetWaiting
OCR Software by I.R.I.S 7.0
Pdf995
Personal Ancestral File 5
PHP 4.3.9
Playtime For Baby & Toddler
QuickSet
QuickTime
RealPlayer Enterprise
Remedy User 6.0
Savings Bond Wizard
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939373)
SmartFTP
Spybot - Search & Destroy 1.4
Tar-1.13 Binaries (GnuWin32)
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Vim 6.3 (self-installing)
VPN Client
Winamp (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB884020
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinPcap 3.0
WinSCP 3.6.1
WinZip
WinZip Command Line Support Add-On
______
Finally, here is the new HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:30:36 PM, on 8/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\RoamMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125541547371
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173792747484
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://remoteaccess.med.utah.edu/dana-cached/setup/JuniperSetupSP1.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OracleMTSRecoveryService - Unknown owner - C:\oracle\ora92\bin\omtsreco.exe (file missing)
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINDOWS\System32\RoamMgr.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
--
End of file - 8251 bytes
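The HJT log above is read by eye in this thread. As an added example (not part of the thread and not code from HijackThis or any tool named here), the Python below runs the first checks a helper makes over such a log: O23 services whose binary is gone (HJT prints "(file missing)"; the short name in parentheses is what `sc delete` takes), O23 services HJT lists with "Unknown owner", O4 Run values that name a bare executable with no directory (resolved through the search path, so worth confirming which file actually runs), and O16 ActiveX downloads fetched over plain http. The sample lines are copied from the log above; the rule set and the output shape are the example's own. Note that the wportcls entry the helper deletes in the next post does not appear among the O23 lines of this log, so a pass like this over the log alone would not have surfaced it.

```python
import re

# Lines copied from the HijackThis log posted in the thread; none of them is invented.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://remoteaccess.med.utah.edu/dana-cached/setup/JuniperSetupSP1.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: OracleMTSRecoveryService - Unknown owner - C:\oracle\ora92\bin\omtsreco.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
"""

# Shapes of the three HJT line types this pass looks at (Global Startup O4 lines are ignored).
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O16_RE = re.compile(r"^O16 - DPF: \{(?P<clsid>[^}]+)\}(?: \((?P<name>[^)]*)\))? - (?P<url>\S+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def service_short_name(display):
    """HJT prints 'Display Name (ShortName)'; sc.exe wants the short name.
    When HJT printed no parenthesised name, the display name is the short name."""
    m = re.search(r"\(([^()]+)\)$", display)
    return m.group(1) if m else display


def is_bare_command(cmd):
    """True when a Run value names a file with no directory, so Windows resolves it
    through the search path and a planted copy earlier on that path would win."""
    return re.match(r'^"?(?:[A-Za-z]:\\|\\\\|%)', cmd) is None


def triage_hjt(text):
    """Collect the entries a helper would act on or ask about first."""
    report = {"sc_delete": [], "bare_run": [], "unknown_owner": [], "http_activex": []}
    for line in text.splitlines():
        line = line.strip()
        if m := O4_RE.match(line):
            if is_bare_command(m["cmd"]):
                report["bare_run"].append((m["name"], m["cmd"].split()[0]))
        elif m := O16_RE.match(line):
            # ActiveX pulled over plain http: no server authentication on the download
            if m["url"].lower().startswith("http://"):
                report["http_activex"].append((m["name"] or m["clsid"], m["url"]))
        elif m := O23_RE.match(line):
            short = service_short_name(m["display"])
            if m["path"].endswith("(file missing)"):
                # orphaned service registration: remove it with the command sc.exe expects
                report["sc_delete"].append(f"sc delete {short}")
            if m["owner"] == "Unknown owner":
                report["unknown_owner"].append((short, m["path"]))
    return report


if __name__ == "__main__":
    for key, items in triage_hjt(SAMPLE_HJT).items():
        print(key)
        for item in items:
            print("   ", item)
```

The "Unknown owner" list is a review queue, not a delete list: the Cisco service carries a vendor string while the WinPcap remote-capture daemon (rpcapd) and the Adobe licensing service do not, and only the Oracle entry, whose binary is gone, produces an `sc delete` command.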
Angelfire777
2007-08-22, 15:27
Hello..
The other two O9 entries were not present perhaps because of the MS Java removal?
Correct.
Before we continue, I would like you to scan a file for me.
Please go HERE (http://virusscan.jotti.org/). Copy and paste the following file path in to the box.
C:\DOCUMEnts and settings\Greg\LOCAL settings\Temp\wportcls.sys
Then click submit.
Please post the results to your next reply.
If Jotti is too busy, you can go HERE (www.virustotal.com) and do the same as above.
Here are the results of the scan from jotti:
The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file
The other scanner produced similar results. When I went to check the file, it was not present - even with the setting to view hidden files enabled. A search found no such file.
Angelfire777
2007-08-23, 15:13
Hi,
Thanks for finding that out for me.
____
Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
____
Click start > run > copy and paste:
sc delete wportcls
Using Windows explorer, delete these folders:
C:\program files\?ppPatch <<The ? may be any alphanumeric character. Find the subdirectory inside the program files folder that has that name. Most likely, you'll find it in the last part of the list of subdirectories inside the program files folder.
C:\VundoFix Backups
C:\QooBox <<combofix quarantine
C:\SDFix
Delete all the contents of this folder:
C:\Documents and Settings\All Users\.clamwin\quarantine
Delete the following file:
C:\Documents and Settings\Greg\Desktop\Cleaners\[4]-Submit_2007-08-21_ 73831.84.zip
Empty your recycle bin.
____
Reboot, post a fresh HijackThis log and tell me how your machine is running.
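Added example (not part of the thread, and not from any of the tools named in it): a Python pass over a report in the format of the Kaspersky Online Scanner log posted earlier. It sorts each detection into quarantine stores written by earlier cleanup tools (QooBox, VundoFix Backups, SDFix), System Restore copies under System Volume Information, and live files, and turns that into the same kind of cleanup list the helper gives above. The sample report is constructed: its entries are taken from the posted log except the C:\WINDOWS\system32\evilsvc.dll line, which is invented so the live branch has something to report. The `rd /s /q` lines are the command-prompt equivalent of deleting the folder in Explorer, and the file-infector flag on Virus.Win32.Virut is the example's own rule.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# Constructed sample in the format of the Kaspersky Online Scanner report quoted in the
# thread. All entries are real lines from that report except evilsvc.dll, which is invented.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Greg\NTUSER.DAT Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\svhost.exe.vir Infected: Trojan-Proxy.Win32.VB.x skipped
C:\QooBox\Quarantine\C\Program Files\svhost\wr-1-0000077.exe.vir Infected: Virus.Win32.Virut.i skipped
C:\SDFix\backups\backups.zip/backups/TISKY002.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped
C:\SDFix\backups\backups.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP562\A0091841.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\jkkkiif.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\system32\evilsvc.dll Infected: Trojan.Win32.BHO.ab skipped
Scan process completed.
"""

# One report line: "<path> Infected: <signature> skipped", "<path> Object is locked skipped",
# or an archive summary such as "<path> ZIP: infected - 1 skipped".
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:"
    r"Infected: (?P<sig>\S+)"
    r"|(?P<locked>Object is locked)"
    r"|(?P<archive>[A-Z0-9]+: infected - \d+)"
    r") skipped$"
)

# Top-level folders that are quarantine stores written by removal tools, not live infections.
QUARANTINE_ROOTS = {"QooBox", "VundoFix Backups", "SDFix"}
RESTORE_ROOT = "System Volume Information"
FILE_INFECTOR_PREFIXES = ("Virus.Win32.Virut",)  # example's own rule, see lead-in


def parse_report(text):
    """Return one dict per recognised line; banner and summary lines are ignored."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m.group("sig"):
            status = "infected"
        elif m.group("locked"):
            status = "locked"
        else:
            status = "archive"  # container summary; its member line was already reported
        findings.append({"path": m.group("path"), "status": status, "sig": m.group("sig")})
    return findings


def classify(path):
    """Bucket a detection by where it sits on disk."""
    parts = PureWindowsPath(path).parts
    top = parts[1] if len(parts) > 1 else ""
    if top in QUARANTINE_ROOTS:
        return "quarantine"
    if top == RESTORE_ROOT:
        return "restore_point"
    return "live"


def triage(text):
    """Turn a report into a cleanup plan: what to delete, what needs real attention."""
    plan = {"quarantine_dirs": set(), "purge_restore_points": False, "live": [],
            "locked": 0, "file_infector_seen": False, "signatures": Counter()}
    for f in parse_report(text):
        if f["status"] == "locked":
            plan["locked"] += 1  # registry hives, event logs, index.dat: expected, not findings
            continue
        if f["status"] != "infected":
            continue
        plan["signatures"][f["sig"]] += 1
        if f["sig"].startswith(FILE_INFECTOR_PREFIXES):
            plan["file_infector_seen"] = True
        bucket = classify(f["path"])
        if bucket == "quarantine":
            parts = PureWindowsPath(f["path"]).parts
            plan["quarantine_dirs"].add(str(PureWindowsPath(parts[0], parts[1])))
        elif bucket == "restore_point":
            plan["purge_restore_points"] = True
        else:
            plan["live"].append((f["path"], f["sig"]))
    return plan


def render_plan(plan):
    """Cleanup steps in the order the helper gives them: quarantines, restore points, the rest."""
    steps = [f'rd /s /q "{d}"' for d in sorted(plan["quarantine_dirs"])]
    if plan["purge_restore_points"]:
        steps.append("Disable System Restore, reboot, re-enable it (flushes the infected RP* copies)")
    for path, sig in plan["live"]:
        steps.append(f"INVESTIGATE {path} ({sig}): this is not a quarantined copy")
    if plan["file_infector_seen"]:
        steps.append("File infector signature seen: re-scan all executables before trusting the box")
    return steps


if __name__ == "__main__":
    for step in render_plan(triage(SAMPLE_REPORT)):
        print(step)
```

Locked objects are counted but never listed: every locked path in the posted report is a registry hive, event log, WMI repository file or index.dat that the running system holds open, and reporting them as findings is the noise a helper has to read past.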
I deleted the "R0 - HKLM...about:blank" entry in HJT, ran the "sc delete wportcls" command, and deleted the specified directories and files. I did not find any "?ppPatch" directory in c:\Program Files. A weekly scheduled scan of ClamWin ran last evening and there were 66 quarantined files, which I deleted. The ...\Cleaners\zip file was already gone, probably in the ClamWin quarantine, but I forgot to check before deleting.
_______
After clearing the recycle bin and rebooting, here is the latest HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:13:26 AM, on 8/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\basfipm.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\FolderSize\FolderSizeSvc.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\WINDOWS\System32\RoamMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Switching\User\RoamSvc.exe
C:\WINDOWS\system32\ZCfgSvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\ClamWin\bin\ClamTray.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [bascstray] BascsTray.exe
O4 - HKLM\..\Run: [PRONoMgr.exe] C:\Program Files\Intel\NCS\PROSet\PRONoMgr.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ClamWin] "C:\Program Files\ClamWin\bin\ClamTray.exe" --logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} (F-Secure Online Scanner 3.1) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20030530/qtinstall.info.apple.com/abarth/us/win/QuickTimeInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1125541547371
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1173792747484
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://remoteaccess.med.utah.edu/dana-cached/setup/JuniperSetupSP1.cab
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Broadcom ASF IP monitoring service v3.0.1 (BAsfIpM) - Broadcom Corp. - C:\WINDOWS\system32\basfipm.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Folder Size (FolderSize) - Brio - C:\Program Files\FolderSize\FolderSizeSvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Adapter Switching (IntelRoam) - Intel Corporation - C:\Program Files\Intel\Switching\User\RoamSvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: OracleMTSRecoveryService - Unknown owner - C:\oracle\ora92\bin\omtsreco.exe (file missing)
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE (file missing)
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: RoamMgr - Intel Corporation - C:\WINDOWS\System32\RoamMgr.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
--
End of file - 8060 bytes
_______
Concerning how the computer is running, I am no longer seeing pop-up windows suddenly appear every few minutes. The computer is less sluggish than it was previously.
Thank you again for the help.
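A small triage parser for the HijackThis line format seen in the log above, added here as an example; it is not part of the original thread or of HijackThis itself. It runs over constructed sample lines modelled on the log's O4 (Run key) and O23 (service) entries and flags the items a helper usually reviews first: Run entries given as a bare filename, services with an unknown owner, and services whose image file is missing.

```python
import re

# Constructed sample lines, modelled on the O4 (Run key) and O23 (service) entries
# of the HijackThis log above; these are not copied from any real machine.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: OracleMTSRecoveryService - Unknown owner - C:\oracle\ora92\bin\omtsreco.exe (file missing)
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
"""

# O4 - <hive>\..\Run: [<value name>] <command line>
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 - Service: <display name> - <owner> - <image path>[ (file missing)]
SVC_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
# A command that starts with a drive letter (optionally quoted) is a full path.
FULL_PATH_RE = re.compile(r'^"?[A-Za-z]:\\')

def parse_line(line):
    """Return a dict for one O4 or O23 entry, or None for entry types not modelled here."""
    m = RUN_RE.match(line)
    if m:
        return {"kind": "run", "hive": m["hive"], "name": m["name"], "cmd": m["cmd"]}
    m = SVC_RE.match(line)
    if m:
        return {"kind": "service", "name": m["name"], "owner": m["owner"],
                "path": m["path"], "file_missing": m["missing"] is not None}
    return None

def triage(log_text):
    """Parse every modelled entry and attach the review flags a helper checks first."""
    findings = []
    for line in log_text.strip().splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        flags = []
        if entry["kind"] == "run" and not FULL_PATH_RE.match(entry["cmd"]):
            flags.append("bare filename: resolved through the search path, confirm which file runs")
        if entry["kind"] == "service":
            if entry["owner"] == "Unknown owner":
                flags.append("unknown owner: verify the publisher of the image file")
            if entry["file_missing"]:
                flags.append("file missing: orphaned service entry left by an uninstall or cleanup")
        entry["flags"] = flags
        findings.append(entry)
    return findings
```

A flag is a prompt to look closer, not a verdict: the sample's unknown-owner Adobe service is a legitimate product that simply lacks publisher metadata in the log.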
Angelfire777
2007-08-23, 16:54
Congratulations! Your log looks clean!
Configure Windows XP to hide system files:
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading, select Do not show hidden files and folders.
Check the Hide protected operating system files option.
Click Yes to confirm.
Click OK.
_______________________
This is a good time to clear your existing system restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore
Select Create a restore point, and OK it.
Next, go to Start > Run and type in cleanmgr
Select the More options tab
Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.
______________________
Here are some free programs I recommend that could help you improve your pc's security.
Firewall Application - Although Windows XP comes with a firewall, you should not rely on it because the Windows Firewall can only filter incoming data; outgoing traffic is not controlled, meaning that malware/viruses that are present on your computer can access the internet with no restrictions. There are several other firewalls that can protect you better by filtering incoming and outgoing data. Make sure you get only one of these.
» ZoneAlarm (http://www.zonelabs.com)
» Kerio (http://www.sunbelt-software.com/Kerio-Download.cfm)
MVPS Hosts File
~You can download it from here (http://www.mvps.org/winhelp2002/hosts.zip)
~I highly recommend this hosts file. You can learn more about this here (http://www.mvps.org/winhelp2002/hosts.htm)
Install SpyWare Blaster
~You can download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
~You can read the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)
IESpyAds
~You can download it from here (http://www.spywarewarrior.com/uiuc/resource.htm#IESPYAD)
~If you want to know how IESpyAds works you can take a look at it here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
~Please note that IESpyAds only works with Internet Explorer.
Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.
Please check out Tony Klein's article "How did I get infected in the first place?" (http://castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html)
Happy safe surfing!
Thank you very much for your time, effort, and expertise. It is very much appreciated.
Angelfire777
2007-08-24, 16:55
Glad we could be of assistance :bigthumb:
Since the problem has been resolved, this topic is now closed and archived. If you need it re-opened please send me a private message (pm) and provide a link to the thread. This applies only to the original poster; anyone else with similar problems please start a new topic.