PDA

View Full Version : Virtumonde Problem!



essy670
2007-08-23, 15:11
Any help would be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:20:48 PM, on 23/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\acs.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\system32\CNAB3RPK.EXE
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ULI5289\ALi5289.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\TP-LINK\TWCU\TWCU.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SportBusiness-interactive\sportBusiness.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\WINDOWS\system32\osk.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Secunia\PSI (BETA)\PSI.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\Program Files\Panorama\Panorama.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Es\Desktop\HiJackThis_v2\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.sensis.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.z66.org:8000
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: (no name) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ALi5289] C:\Program Files\ULI5289\ALi5289.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TWCU] "C:\Program Files\TP-LINK\TWCU\TWCU.exe" -nogui
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [i-comm_{B0434A84-347A-43B8-A457-8CACCAA6DAAF}] "C:\Program Files\SportBusiness-interactive\sportBusiness.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Secunia PSI (BETA).lnk = C:\Program Files\Secunia\PSI (BETA)\PSI.exe
O4 - Global Startup: Microsoft Office Outlook 2007.lnk = ?
O4 - Global Startup: Mozilla Firefox.lnk = C:\Program Files\Mozilla Firefox\firefox.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: &ninemsn Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-au\msntb.dll/search.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-au\msntabres.dll/229?135d66f2141d4f519a461f6a1c1712da
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-au\msntabres.dll/230?135d66f2141d4f519a461f6a1c1712da
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {0BCBCDD8-E5D9-417D-A752-C2DA929A21BF} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O9 - Extra 'Tools' menuitem: Track Page Using Copernic Agent - {0BCBCDD8-E5D9-417D-A752-C2DA929A21BF} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A622C72-EEB3-4BE9-A1F4-0C2163804586}: NameServer = 203.8.183.1,192.189.54.33
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB4286F5-5E0F-4FB7-858D-BDFAB1E5CD53}: NameServer = 192.189.54.17,203.8.183.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0F7FE6A-BB64-49B0-9594-9DA42AC57F7B}: NameServer = 192.189.54.17,203.8.183.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A622C72-EEB3-4BE9-A1F4-0C2163804586}: NameServer = 203.8.183.1,192.189.54.33
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: TP-LINK Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Remote Desktop Sharing - Unknown owner - C:\WINDOWS\mstsc32.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 12760 bytes

pskelley
2007-08-23, 23:06
G'Day and welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Any help would be greatly appreciated.
You have told us absolutely nothing about your problem? Please provide us with information including any synptoms that make you think you should have posted in a "Malware Removal" forum. Post also any error messages you are receiving "word for word".

1) You are using a obsolete version of HJT, remove it fom your computer.
C:\Documents and Settings\Es\Desktop\HiJackThis_v2\HiJackThis_v2.exe

2) Download this self-installer from here:
http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe
follow the prompts, the program will install where it supposed to.

3) Post a new HJT log and the information I requested.

Cheers

essy670
2007-08-25, 06:06
Hi,
Sorry bout the lack of information, I just thought the virus name was sufficient. I have the Virtumonde virus which is detected with Spybot, I keep removing it but it comes back. As it states in the virus description (copying itself into system memory), it can be hard to remove. Though, I'm sure you can help. Thank you. I have no real symptoms, maybe just a lack of speed.

Heres the updated log;

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:02:09 PM, on 25/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\CNAB3RPK.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\bgsvcgen.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\SiteAdvisor\6066\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\SearchIndexer.exe
C:\Program Files\ULI5289\ALi5289.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\TP-LINK\TWCU\TWCU.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SportBusiness-interactive\sportBusiness.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
C:\Program Files\Secunia\PSI (BETA)\PSI.exe
C:\WINDOWS\system32\osk.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Azureus\Azureus.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE
C:\WINDOWS\system32\calc.exe
C:\Program Files\iTunes\iTunes.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\SearchProtocolHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,SearchAssistant = http://www.sensis.com.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.ninemsn.com.au/0SEENAU/SAOS01?FORM=TOOLBR
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy.z66.org:8000
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: Copernic Agent - {F2E259E8-0FC8-438C-A6E0-342DD80FA53E} - C:\Program Files\Copernic Agent\CopernicAgentExt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6066\SiteAdv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ALi5289] C:\Program Files\ULI5289\ALi5289.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [TWCU] "C:\Program Files\TP-LINK\TWCU\TWCU.exe" -nogui
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [i-comm_{B0434A84-347A-43B8-A457-8CACCAA6DAAF}] "C:\Program Files\SportBusiness-interactive\sportBusiness.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Secunia PSI (BETA).lnk = C:\Program Files\Secunia\PSI (BETA)\PSI.exe
O4 - Global Startup: Microsoft Office Outlook 2007.lnk = ?
O4 - Global Startup: Mozilla Firefox.lnk = C:\Program Files\Mozilla Firefox\firefox.exe
O4 - Global Startup: Windows Desktop Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O4 - Global Startup: Wireless Configuration Utility HW.51.lnk = C:\Program Files\802.11 Wireless LAN\802.11g Wireless Cardbus & PCI Adapter HW.51 V1.00\WlanCU.exe
O8 - Extra context menu item: &ninemsn Search - res://C:\Program Files\MSN Toolbar Suite\TB\02.05.0000.1082\en-au\msntb.dll/search.htm
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-au\msntabres.dll/229?135d66f2141d4f519a461f6a1c1712da
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\MSN Toolbar Suite\TAB\02.05.0001.1119\en-au\msntabres.dll/230?135d66f2141d4f519a461f6a1c1712da
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {0BCBCDD8-E5D9-417D-A752-C2DA929A21BF} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O9 - Extra 'Tools' menuitem: Track Page Using Copernic Agent - {0BCBCDD8-E5D9-417D-A752-C2DA929A21BF} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1A622C72-EEB3-4BE9-A1F4-0C2163804586}: NameServer = 203.8.183.1,192.189.54.33
O17 - HKLM\System\CCS\Services\Tcpip\..\{DB4286F5-5E0F-4FB7-858D-BDFAB1E5CD53}: NameServer = 192.189.54.17,203.8.183.1
O17 - HKLM\System\CCS\Services\Tcpip\..\{F0F7FE6A-BB64-49B0-9594-9DA42AC57F7B}: NameServer = 192.189.54.17,203.8.183.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{1A622C72-EEB3-4BE9-A1F4-0C2163804586}: NameServer = 203.8.183.1,192.189.54.33
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: TP-LINK Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: B's Recorder GOLD Library General Service (bgsvcgen) - B.H.A Corporation - C:\WINDOWS\system32\bgsvcgen.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Remote Desktop Sharing - Unknown owner - C:\WINDOWS\mstsc32.exe
O23 - Service: SiteAdvisor Service - McAfee, Inc. - C:\Program Files\SiteAdvisor\6066\SAService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 13010 bytes

pskelley
2007-08-25, 14:57
G'Day and thanks for the feedback, at times issues with Vundo in Spybot can be false positives, which is why we need to know about error message, the fact that you are receiving a load of popups and where those popups direct you. Often the hackers hide there junk in the HJT log and feedback from the user is all we have to identify it. If you have no symptoms other than something Spybot S&D can't deal with, it may be that you need to update and immunize Spybot, and perhaps run it in safe mode? Let's see what the log has to say.

C:\Program Files\Secunia\PSI (BETA)\PSI.exe <<< something you tried? I am showing that file as this:
http://www.hijackfree.com/en/processdetails/?id=321
Did you purchase this program?

C:\WINDOWS\system32\osk.exe <<< this valid? Is it this program:
http://www.liutilities.com/products/wintaskspro/processlibrary/osk/

I am wondering about this serice, are you aware of it?
O23 - Service: Remote Desktop Sharing - Unknown owner - C:\WINDOWS\mstsc32.exe
for the file: mstsc32.exe not a lot of information is available.
http://www.bullguard.com/forum/8/Mstsc32exe_50477.html
http://forums.about.com/n/pfx/forum.aspx?nav=printDiscussion&webtag=ab-antivirus&tid=2401
If you do not know that items is running on your computer then use one or more of these free online scanners to scan the files and post the results.
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

I need the information I requested before proceeding, in the meantime look at Spybot, read the directions for using Spybot in the "Before you Post" and make sure you update and immunize. Run the program as directed and if you have issues, post them here:
http://forums.spybot.info/forumdisplay.php?f=4 <<< Spybot forum
http://forums.spybot.info/forumdisplay.php?f=16 <<< false positives

Thanks

essy670
2007-08-27, 14:02
G'day, Ok where do I start. I have no symptoms atm, although I would like to go through the rest of your last post. Firstly, Secunia is a FREE personal software inspector (PSI) which monitors your software and alerts you to critical updates. Secondly, OSK.exe is some type of On Screen Keyboard utility to help users with limited mobility (god knowns how I got that)!!! I don't know if its valid but they suggested to be left alone if not causing any problems, what do you think?

http://www.liutilities.com/products/wintaskspro/processlibrary/osk/

Thirdly, after googling, I think mstsc32.exe is Terminal Services Client only for US/Canada residences, and states "Not for Export". Again, god knows how I got it! The only thing I can think of is about a month ago I was disabling some of the unnecessary services in Windows and I can vaguely remember something with the 'Remote Desktop Sharing'....

(sorry if you already know all of this, just trying to help)

I'll post the virus scan results. Spybot has not threats also.

Sorry for the long post.

essy670
2007-08-27, 14:05
Scan Statistics
Total number of scanned objects 98129
Number of viruses found 6
Number of infected objects 28
Number of suspicious objects 0
Duration of the scan process 02:10:18

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.34.Crwl Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.34.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSS.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\MSStmp.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010001.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010002.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010003.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010009.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000A.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000B.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000C.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000D.ci Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000D.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\0001000D.wsb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010011.wid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\INDEX.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\Used0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk1.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.chk2.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SystemIndex.Ntfy71.gthr Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\tmp.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Applications\Windows\Windows.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Ntf3.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Search\Data\Temp\usgthrsvc\Perflib_Perfdata_7ec.dat Object is locked skipped
C:\Documents and Settings\Es\Application Data\Microsoft\Outlook\Outlook.NK2 Object is locked skipped
C:\Documents and Settings\Es\Application Data\Microsoft\Outlook\Outlook.srs Object is locked skipped
C:\Documents and Settings\Es\Application Data\Microsoft\Templates\NormalEmail.dotm Object is locked skipped
C:\Documents and Settings\Es\Application Data\Mozilla\Firefox\Profiles\xmp6bpnd.default\cert8.db Object is locked skipped
C:\Documents and Settings\Es\Application Data\Mozilla\Firefox\Profiles\xmp6bpnd.default\history.dat Object is locked skipped
C:\Documents and Settings\Es\Application Data\Mozilla\Firefox\Profiles\xmp6bpnd.default\key3.db Object is locked skipped
C:\Documents and Settings\Es\Application Data\Mozilla\Firefox\Profiles\xmp6bpnd.default\parent.lock Object is locked skipped
C:\Documents and Settings\Es\Application Data\Mozilla\Firefox\Profiles\xmp6bpnd.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Es\Application Data\Mozilla\Firefox\Profiles\xmp6bpnd.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Es\Application Data\Skype\essy670\call256.dbb Object is locked skipped
C:\Documents and Settings\Es\Application Data\Skype\essy670\callmember256.dbb Object is locked skipped
C:\Documents and Settings\Es\Application Data\Skype\essy670\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\Es\Application Data\Skype\essy670\dyncontent\bundle.dat Object is locked skipped
C:\Documents and Settings\Es\Application Data\Skype\essy670\index2.dat Object is locked skipped
C:\Documents and Settings\Es\Application Data\Skype\essy670\profile256.dbb Object is locked skipped
C:\Documents and Settings\Es\Application Data\Skype\essy670\user1024.dbb Object is locked skipped
C:\Documents and Settings\Es\Application Data\Skype\essy670\user16384.dbb Object is locked skipped
C:\Documents and Settings\Es\Application Data\Skype\essy670\user256.dbb Object is locked skipped
C:\Documents and Settings\Es\Application Data\Skype\essy670\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\Es\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Es\Local Settings\Application Data\Microsoft\Desktop Search\Logs\OTFSMonLog.txt Object is locked skipped
C:\Documents and Settings\Es\Local Settings\Application Data\Microsoft\Outlook\archive.pst Object is locked skipped
C:\Documents and Settings\Es\Local Settings\Application Data\Microsoft\Outlook\essy670_hotmail1.ost Object is locked skipped
C:\Documents and Settings\Es\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Object is locked skipped
C:\Documents and Settings\Es\Local Settings\Application Data\Microsoft\Outlook\~archive.pst.tmp Object is locked skipped
C:\Documents and Settings\Es\Local Settings\Application Data\Microsoft\Outlook\~essy670_hotmail1.ost.tmp Object is locked skipped
C:\Documents and Settings\Es\Local Settings\Application Data\Microsoft\Outlook\~Outlook.pst.tmp Object is locked skipped
C:\Documents and Settings\Es\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Es\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Es\Local Settings\Application Data\Mozilla\Firefox\Profiles\xmp6bpnd.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Es\Local Settings\Application Data\Mozilla\Firefox\Profiles\xmp6bpnd.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Es\Local Settings\Application Data\Mozilla\Firefox\Profiles\xmp6bpnd.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Es\Local Settings\Application Data\Mozilla\Firefox\Profiles\xmp6bpnd.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Es\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Es\Local Settings\History\History.IE5\MSHist012007082720070828\index.dat Object is locked skipped
C:\Documents and Settings\Es\Local Settings\Temp\OLC\essy670_hotmail_com.txt Object is locked skipped
C:\Documents and Settings\Es\Local Settings\Temp\sc_trace_SportBusiness-interactive.xml Object is locked skipped
C:\Documents and Settings\Es\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Es\Local Settings\Temporary Internet Files\Content.Word\~WRF{70B8D3D3-01A6-45C2-86AA-F34DF9B93874}.tmp Object is locked skipped
C:\Documents and Settings\Es\Local Settings\Temporary Internet Files\Content.Word\~WRS{05349D0D-6FAF-4979-9488-C2562F7F0E9E}.tmp Object is locked skipped
C:\Documents and Settings\Es\Local Settings\Temporary Internet Files\Content.Word\~WRS{1C52CBFC-7013-4BDB-AABA-2375D3E87AF4}.tmp Object is locked skipped
C:\Documents and Settings\Es\Local Settings\Temporary Internet Files\Content.Word\~WRS{4F5FB536-0C10-44F5-BEDC-14337601D87F}.tmp Object is locked skipped
C:\Documents and Settings\Es\Local Settings\Temporary Internet Files\Content.Word\~WRS{D988605D-1FE4-4154-AF17-BCA81ED37F5F}.tmp Object is locked skipped
C:\Documents and Settings\Es\Local Settings\Temporary Internet Files\Content.Word\~WRS{D9B0E098-6920-4B4D-9CEC-C81B64AA075D}.tmp Object is locked skipped
C:\Documents and Settings\Es\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Es\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Es\UserData\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{A373A9C9-1FD2-4C9A-8F13-A0F54C9BC85B}\RP600\A0198428.exe Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{A373A9C9-1FD2-4C9A-8F13-A0F54C9BC85B}\RP600\A0199603.exe Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{A373A9C9-1FD2-4C9A-8F13-A0F54C9BC85B}\RP601\A0200778.exe Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{A373A9C9-1FD2-4C9A-8F13-A0F54C9BC85B}\RP602\A0201696.exe Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{A373A9C9-1FD2-4C9A-8F13-A0F54C9BC85B}\RP603\A0201820.exe Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{A373A9C9-1FD2-4C9A-8F13-A0F54C9BC85B}\RP604\A0201967.exe Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{A373A9C9-1FD2-4C9A-8F13-A0F54C9BC85B}\RP604\A0202071.exe Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{A373A9C9-1FD2-4C9A-8F13-A0F54C9BC85B}\RP605\A0202142.exe Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{A373A9C9-1FD2-4C9A-8F13-A0F54C9BC85B}\RP606\A0202229.exe Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{A373A9C9-1FD2-4C9A-8F13-A0F54C9BC85B}\RP606\A0202230.exe Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{A373A9C9-1FD2-4C9A-8F13-A0F54C9BC85B}\RP606\A0202231.exe/file9 Infected: Trojan.Win32.Obfuscated.en skipped
C:\System Volume Information\_restore{A373A9C9-1FD2-4C9A-8F13-A0F54C9BC85B}\RP606\A0202231.exe Inno: infected - 1 skipped
C:\System Volume Information\_restore{A373A9C9-1FD2-4C9A-8F13-A0F54C9BC85B}\RP608\A0203495.exe/data0003 Infected: Virus.Win32.Virut.i skipped
C:\System Volume Information\_restore{A373A9C9-1FD2-4C9A-8F13-A0F54C9BC85B}\RP608\A0203495.exe/data0004 Infected: not-a-virus:AdWare.Win32.Virtumonde.ks skipped
C:\System Volume Information\_restore{A373A9C9-1FD2-4C9A-8F13-A0F54C9BC85B}\RP608\A0203495.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{A373A9C9-1FD2-4C9A-8F13-A0F54C9BC85B}\RP612\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dbxDgrevCheck.dll Infected: not-a-virus:AdWare.Win32.Agent.cb skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\vimc.exe/WISE0005.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
C:\WINDOWS\system32\vimc.exe WiseSFX: infected - 1 skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\Perflib_Perfdata_758.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWSTEYQ.006 Infected: not-a-virus:Monitor.Win32.Ardamax.271 skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\temp\avg75free_430a848.exe Object is locked skipped
E:\temp\vistatransp5_5\Vista Transformation Pack 5.5.exe/WISE0039.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
E:\temp\vistatransp5_5\Vista Transformation Pack 5.5.exe/WISE0058.BIN/WISE0005.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
E:\temp\vistatransp5_5\Vista Transformation Pack 5.5.exe/WISE0058.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
E:\temp\vistatransp5_5\Vista Transformation Pack 5.5.exe WiseSFX: infected - 3 skipped
E:\temp\vistatransp5_5.zip/Vista Transformation Pack 5.5.exe/WISE0039.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
E:\temp\vistatransp5_5.zip/Vista Transformation Pack 5.5.exe/WISE0058.BIN/WISE0005.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
E:\temp\vistatransp5_5.zip/Vista Transformation Pack 5.5.exe/WISE0058.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
E:\temp\vistatransp5_5.zip/Vista Transformation Pack 5.5.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
E:\temp\vistatransp5_5.zip ZIP: infected - 4 skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.

pskelley
2007-08-27, 14:27
No problem with anything you said, if you use the programs or what to keep them fine, I wanted the information to keep from having to scan them to find out what they were. Looking at Kaspersky:

Kaspersky Scan: Number of infected objects 28
Here are free online scanners if you wish to scan any files to make sure they are bad:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

I will tell you now I have no idea what this stuff is. Kaspersky is rarely wrong but much of this is called risktools and may or may not be a problem, just that the Kaspersky scan sees it as being. You can scan the files to find out.
the stuff in E:\temp may also be something you downloaded on purpose, I do not know. I can say that stuff in a temp folder should be able to be removed. If the stuff is valid, I would create another permanent folder and move it from temp.

C:\WINDOWS\system32\dbxDgrevCheck.dll Infected: not-a-virus:AdWare.Win32.Agent.cb skipped
C:\WINDOWS\system32\vimc.exe/WISE0005.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
C:\WINDOWS\system32\vimc.exe WiseSFX: infected - 1 skipped
C:\WINDOWSTEYQ.006 Infected: not-a-virus:Monitor.Win32.Ardamax.271 skipped

E:\temp\vistatransp5_5\Vista Transformation Pack 5.5.exe/WISE0039.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
E:\temp\vistatransp5_5\Vista Transformation Pack 5.5.exe/WISE0058.BIN/WISE0005.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
E:\temp\vistatransp5_5\Vista Transformation Pack 5.5.exe/WISE0058.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
E:\temp\vistatransp5_5\Vista Transformation Pack 5.5.exe WiseSFX: infected - 3 skipped
E:\temp\vistatransp5_5.zip/Vista Transformation Pack 5.5.exe/WISE0039.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
E:\temp\vistatransp5_5.zip/Vista Transformation Pack 5.5.exe/WISE0058.BIN/WISE0005.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
E:\temp\vistatransp5_5.zip/Vista Transformation Pack 5.5.exe/WISE0058.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
E:\temp\vistatransp5_5.zip/Vista Transformation Pack 5.5.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped
E:\temp\vistatransp5_5.zip ZIP: infected - 4 skipped

Do whatever you wish with the above, but the files below must be cleaned.

C:\System Volume Information\_restore <<< System Restore files (I count 14)

Once you are done above, then restart the computer and do this:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

If you have any questions, please post them.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

pskelley
2007-09-01, 15:13
As the problem appears to be resolved this topic has been closed.

If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.

Thanks