New member with malware



digitalb
2007-08-27, 21:32
Hi, I have read the rule threads, and have the appropriate programs in place.

I have up till now used the guides to help me produce a report or log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:51:26, on 27/08/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MpfAgent.exe
c:\program files\mcafee.com\shared\mghtml.exe
C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Program Files\Internet Explorer\iexplore.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\byxvvus.dll
O2 - BHO: (no name) - {A29C7FB0-DFC2-4149-8930-BBE637DE8C56} - C:\WINDOWS\System32\awvvu.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {C3DEA25E-A515-4B65-8760-AEE03089F1CD} - (no file)
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\System32\explorer.exe
O4 - HKLM\..\Run: [Advanced DHTML Enable] C:\WINDOWS\System32\mubvcgla.exe
O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\logon.exe
O4 - HKLM\..\Run: [Microsft Security Monitor Process] mssmpp.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [MPFExe] C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe
O4 - HKLM\..\Run: [VirusScan] c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [j2u] C:\WINDOWS\system32\j2u.exe
O4 - HKLM\..\Run: [Else pure remote sign] C:\Documents and Settings\All Users\Application Data\MP3 FILM ELSE PURE\knob boob.exe
O4 - HKLM\..\Run: [hnqajfx] c:\windows\system32\hnqajfx.exe hnqajfx
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\RunServices: [Microsft Security Monitor Process] mssmpp.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Service Pack 1] C:\WINDOWS\System32\vedxg6ame4.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [SpyVampire] C:\Program Files\SpyVampire\SpyVampire.exe
O4 - HKCU\..\Run: [j2u] C:\WINDOWS\system32\j2u.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ExitKeep] C:\DOCUME~1\Owner\APPLIC~1\ITCHMA~1\WIPEFRAGGPL.exe
O4 - HKLM\..\Policies\Explorer\Run: [1] C:\WINDOWS\System32\mrcmgr.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\WINDOWS\system32\aclspc.dll
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\WINDOWS\system32\aclspc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/yinst20040510.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/06e7d89289fdac37b619/netzip/RdxIE601.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install/installer.exe
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: c:\windows\system32\jkhfccb.dll
O20 - Winlogon Notify: aclspc - C:\WINDOWS\SYSTEM32\aclspc.dll
O20 - Winlogon Notify: awvvu - C:\WINDOWS\System32\awvvu.dll
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O20 - Winlogon Notify: byxvvus - C:\WINDOWS\SYSTEM32\byxvvus.dll
O21 - SSODL: LDpswSend - {71EC5123-28DF-324A-D76B-32549AB4C338} - C:\WINDOWS\System32\Ampnlhnq.dll (file missing)
O21 - SSODL: DuxkuAZFj - {EC167D42-46BC-D7E8-0E19-4424BFA14173} - C:\WINDOWS\System32\ralo.dll
O22 - SharedTaskScheduler: Windows Installer Class - {24E31EA9-FCE2-404F-BD80-20543565D946} - C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~~install.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\qwerty12.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LOWC - Unknown owner - C:\DOCUME~1\Owner\LOCALS~1\Temp\LOWC.exe (file missing)
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\PROGRA~1\McAfee.com\PERSON~1\MPFSERVICE.exe
O23 - Service: OPFSVC - Unknown owner - C:\Program Files\Omniquad Total Security\OPF\OPFSVC.exe (file missing)
O23 - Service: Personal Firewall - Unknown owner - C:\Program Files\Omniquad Total Security\OPF\pfsvc.exe (file missing)
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Spooler SubSystem App (SPOOLSV32) - Unknown owner - C:\WINDOWS\system32\drivers\spoolsv32.exe (file missing)

--
End of file - 8956 bytes
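
The checks a helper applies by eye to a log like the one above can be written down as rules. The Python script below is an added example, not a tool from this forum, from HijackThis or from the poster; it triages a constructed excerpt in HijackThis v2 format (SAMPLE_LOG is modelled on entries in the log above, not a copy of it). The user-writable path markers, the lookalike display-name list, the "real home" of explorer.exe and the random-looking-filename heuristic are assumptions of the example, not a malware database.

```python
"""Heuristic triage of a HijackThis v2 log (added example, not a forum tool)."""
import re
from dataclasses import dataclass

# Constructed excerpt in HijackThis format, modelled on the posted log.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\byxvvus.dll
O4 - HKLM\..\Run: [Windows Explorer] C:\WINDOWS\System32\explorer.exe
O4 - HKLM\..\Run: [Microsft Security Monitor Process] mssmpp.exe
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKCU\..\Run: [ExitKeep] C:\DOCUME~1\Owner\APPLIC~1\ITCHMA~1\WIPEFRAGGPL.exe
O4 - HKLM\..\Policies\Explorer\Run: [1] C:\WINDOWS\System32\mrcmgr.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O20 - AppInit_DLLs: c:\windows\system32\jkhfccb.dll
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\System32\qwerty12.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""

O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First executable/DLL in a command line; quotes and trailing arguments are dropped.
BINARY_RE = re.compile(r'^"?(?P<path>[^"]*?\.(?:exe|dll|ocx|scr))', re.IGNORECASE)
# Assumed markers for user-writable locations on Windows XP (profile and Temp).
USER_WRITABLE = ("\\temp\\", "\\application data\\", "\\applic~1\\",
                 "\\locals~1\\", "\\documents and settings\\", "\\docume~1\\")
# Real home of a binary whose name malware borrows: Explorer lives in C:\WINDOWS,
# not System32 (the process list in the posted log shows C:\WINDOWS\Explorer.EXE).
SYSTEM_BINARY_HOMES = {"explorer.exe": "c:\\windows\\explorer.exe"}
# Assumed lookalike spellings for the display-name check (constructed list).
LOOKALIKE_NAMES = {"microsft": "Microsoft", "micorsoft": "Microsoft"}


@dataclass
class Finding:
    section: str   # HijackThis section, e.g. "O4"
    line: str      # the log line that was flagged
    reasons: list  # every heuristic it tripped


def first_binary(command):
    """Return the executable/DLL path from a Run value or service command line."""
    m = BINARY_RE.match(command.strip())
    return m.group("path") if m else command.strip()


def looks_random(filename):
    """Weak signal: a stem of 5+ letters with no vowels or a run of 5+ consonants."""
    stem = filename.lower().rsplit(".", 1)[0]
    letters = re.sub(r"[^a-z]", "", stem)
    if len(letters) < 5:
        return False
    return not re.search(r"[aeiou]", letters) or bool(re.search(r"[^aeiou]{5}", letters))


def triage(log_text):
    """Return a Finding for every line that trips at least one heuristic."""
    findings = []
    for line in (l.strip() for l in log_text.splitlines()):
        sec = re.match(r"O\d+", line)
        if not sec:
            continue
        reasons, path = [], ""
        if line.startswith("O4 - "):
            m = O4_RE.match(line)
            if not m:
                continue
            key, name, path = m.group("key"), m.group("name"), first_binary(m.group("cmd"))
            low, base = path.lower(), path.lower().rsplit("\\", 1)[-1]
            if "\\" not in path:
                reasons.append("bare filename: resolved through the search path, not a fixed location")
            if any(marker in low for marker in USER_WRITABLE):
                reasons.append("starts from the user profile or Temp, a user-writable location")
            if "policies\\explorer\\run" in key.lower():
                reasons.append("Policies\\Explorer\\Run key, rarely used by legitimate software")
            home = SYSTEM_BINARY_HOMES.get(base)
            if home and low != home:
                reasons.append(f"{base} outside its real location {home}")
            for typo, vendor in LOOKALIKE_NAMES.items():
                if typo in name.lower():
                    reasons.append(f"display name misspells {vendor} as '{typo}'")
        elif line.startswith("O7 - ") and "disableregedit=1" in line.lower():
            reasons.append("Registry Editor disabled by policy")
        elif line.startswith("O20 - AppInit_DLLs:"):
            path = line.split(":", 1)[1].strip()
            if path:
                reasons.append("AppInit_DLLs set: loaded into every process that loads user32.dll")
        elif line.startswith("O20 - Winlogon Notify:"):
            path = line.rsplit(" - ", 1)[-1]
            if "\\windows\\system32\\" not in path.lower():
                reasons.append("Winlogon Notify handler outside System32")
        elif line.startswith(("O2 - BHO:", "O21 - SSODL:", "O23 - Service:")):
            path = first_binary(line.rsplit(" - ", 1)[-1])
            if "unknown owner" in line.lower():
                reasons.append("service with no vendor information")
            if "(file missing)" in line.lower():
                reasons.append("registered component whose file is gone (remnant or hidden file)")
            if "(no name)" in line:
                reasons.append("component registered without a name")
        else:
            continue
        if looks_random(path.rsplit("\\", 1)[-1]):
            reasons.append("random-looking filename (weak signal on its own)")
        if reasons:
            findings.append(Finding(sec.group(), line, reasons))
    return findings


def summarize(findings):
    """Count findings per HijackThis section, e.g. {"O4": 4, "O20": 2}."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.section, f.line)
        for r in f.reasons:
            print("   -", r)
    print(summarize(triage(SAMPLE_LOG)))
```

On the constructed excerpt the script flags nine of the eleven lines and leaves the SoundMAX and Lexmark entries alone. A flag is a reason to look closer (vendor, file hash, timestamps), not proof of infection; the random-name rule in particular is only there to add weight to a line that already tripped something stronger.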

digitalb
2007-08-27, 21:42
I will not be able to fit the whole report in, sorry.


KASPERSKY ONLINE SCANNER REPORT
Monday, August 27, 2007 7:20:03 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 27/08/2007
Kaspersky Anti-Virus database records: 392958


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 50873
Number of viruses found 82
Number of infected objects 2384
Number of suspicious objects 2
Duration of the scan process 00:35:06

Infected Object Name Virus Name Last Action
C:\3456346345643.exe~ Infected: Email-Worm.Win32.Zhelatin.fm skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8LUZCT6V\counter21[1].htm/Installer.class Infected: Trojan-Downloader.Java.OpenConnection.ao skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\8LUZCT6V\counter21[1].htm ZIP: infected - 1 skipped

C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\system.exe Infected: not-virus:Hoax.Win32.Renos.hz skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\All Users\Application Data\MP3 FILM ELSE PURE\knob boob.exe Infected: Trojan.Win32.Obfuscated.en skipped

C:\Documents and Settings\All Users\Application Data\MP3 FILM ELSE PURE\Vc Ford.exe Infected: Trojan.Win32.Obfuscated.en skipped

C:\Documents and Settings\All Users\Application Data\Rect Sixth Sign Mp3\GLOBAL PEAK WAVE.exe Infected: Trojan.Win32.Obfuscated.en skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/avp.exe Suspicious: Password-protected-EXE skipped

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip ZIP: suspicious - 1 skipped

C:\Documents and Settings\All Users\Documents\Settings\bot.dll Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Application Data\itch math\inkjgrgz.exe Infected: Trojan.Win32.Obfuscated.en skipped

C:\Documents and Settings\Owner\Application Data\itch math\license mags error.exe Infected: Trojan.Win32.Obfuscated.en skipped

C:\Documents and Settings\Owner\Application Data\itch math\ufnlohki.exe Infected: Trojan.Win32.Obfuscated.en skipped

C:\Documents and Settings\Owner\Application Data\itch math\WIPEFRAGGPL.exe Infected: Trojan.Win32.Obfuscated.en skipped

C:\Documents and Settings\Owner\Application Data\tmp16.tmp.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped

C:\Documents and Settings\Owner\Application Data\tmp4.tmp.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped

C:\Documents and Settings\Owner\Application Data\tmp47.tmp.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped

C:\Documents and Settings\Owner\Application Data\tmp9.tmp.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped

C:\Documents and Settings\Owner\Application Data\tmpA.tmp.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped

C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007082720070828\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temp\1664.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\16agent.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\16sv.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\16win.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\3264.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\32win.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\6432.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\6464.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\64host.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\64win.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\agentlook.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\agentpower.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\agentserver.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\agentsys.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\bis18.exe Infected: Trojan.Win32.Obfuscated.en skipped

C:\Documents and Settings\Owner\Local Settings\Temp\bis19.exe Infected: Trojan.Win32.Obfuscated.en skipped

C:\Documents and Settings\Owner\Local Settings\Temp\host32.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\host64.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\hostmon.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\hostsyn.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\is-8F0HD.tmp\TorrentManager.dll Infected: not-a-virus:AdWare.Win32.Lop.bo skipped

C:\Documents and Settings\Owner\Local Settings\Temp\is-DHMMV.tmp\TorrentManager.dll Infected: not-a-virus:AdWare.Win32.Lop.bo skipped

C:\Documents and Settings\Owner\Local Settings\Temp\look16.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\lookmon.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\looksyn.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\mon64.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\monhost.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\monsys.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\monwin.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\powersys.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\svserver.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\svsyn.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\syn64.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\synhost.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\sys32.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\syssys.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\winserver.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\winsv.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temp\winsys.exe Infected: Trojan-Clicker.Win32.Small.mv skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped

C:\lo-1177627868.exe Infected: Email-Worm.Win32.Zhelatin.fm skipped

C:\Program Files\Common Files\WinAntiVirus Pro 2007\is-P8KC0.tmp Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped

C:\Program Files\Common Files\WinAntiVirus Pro 2007\wa7pinst.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped

C:\Program Files\setup.exe/stream/data0006 Infected: Trojan-Downloader.Win32.Zlob.cbp skipped

C:\Program Files\setup.exe/stream Infected: Trojan-Downloader.Win32.Zlob.cbp skipped

C:\Program Files\setup.exe NSIS: infected - 2 skipped

C:\Program Files\ucleaner_setup.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.b skipped

C:\qlpdxrv.exe Infected: Trojan-Dropper.Win32.Agent.blo skipped

C:\sysgsqf.exe Infected: Trojan-Dropper.Win32.Agent.bpz skipped

C:\syshotv.exe Infected: Trojan.Win32.Agent.ato skipped

C:\sysoesb.exe Infected: Trojan.Win32.Agent.ato skipped

C:\syst.exe~ Infected: Email-Worm.Win32.Zhelatin.fm skipped

C:\System Volume Information\_restore{F5693F8E-61B1-498E-B349-7FE557B743F6}\RP1\A0001015.exe Infected: Trojan-Dropper.Win32.Agent.blo skipped

C:\System Volume Information\_restore{F5693F8E-61B1-498E-B349-7FE557B743F6}\RP1\A0001016.exe Infected: Email-Worm.Win32.Zhelatin.fm skipped

C:\System Volume Information\_restore{F5693F8E-61B1-498E-B349-7FE557B743F6}\RP1\A0002015.exe Infected: Email-Worm.Win32.Zhelatin.fm skipped

C:\System Volume Information\_restore{F5693F8E-61B1-498E-B349-7FE557B743F6}\RP1\A0002016.exe Infected: not-virus:Hoax.Win32.Renos.hl skipped

C:\System Volume Information\_restore{F5693F8E-61B1-498E-B349-7FE557B743F6}\RP1\A0002017.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped

C:\System Volume Information\_restore{F5693F8E-61B1-498E-B349-7FE557B743F6}\RP1\A0002018.exe Infected: Email-Worm.Win32.Zhelatin.fm skipped

C:\System Volume Information\_restore{F5693F8E-61B1-498E-B349-7FE557B743F6}\RP1\A0002019.exe Infected: Packed.Win32.Tibs.ap skipped

C:\System Volume Information\_restore{F5693F8E-61B1-498E-B349-7FE557B743F6}\RP1\A0002020.exe Infected: Trojan-Downloader.Win32.Agent.bil skipped

C:\System Volume Information\_restore{F5693F8E-61B1-498E-B349-7FE557B743F6}\RP1\A0002021.exe Infected: Trojan-Downloader.Win32.Agent.bil skipped

C:\System Volume Information\_restore{F5693F8E-61B1-498E-B349-7FE557B743F6}\RP1\A0002047.exe Infected: Trojan-Downloader.Win32.Alphabet.g skipped

C:\System Volume Information\_restore{F5693F8E-61B1-498E-B349-7FE557B743F6}\RP1\A0002048.exe Infected: Trojan-Dropper.Win32.Agent.blo skipped

teacup61
2007-09-02, 22:03
Hello digitalb,

Welcome to Safer Networking Forums :)

This log is a mess! :spider: The system is compromised. It would be safest to reformat and reinstall, especially if you have sensitive data stored. If you'd rather clean it, then let's start by running these tools:

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply please.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


Thanks,
tea

tashi
2007-09-10, 19:43
This topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread.

Applies only to the original poster, anyone else with similar problems please start a new topic.