View Full Version : virtumonde and astakiller
getitdone
2007-08-31, 00:14
I did try and to get rid of this by reading other threads, but this stickler is a tuffie. So I am asking for help :).
As of right now:
vindo fix scans, removes geeda.dll reboots then when I run vindofix again it finds it again. I have done this three times. ARG! Is this normal? castle cops says it is part of windows update, but I was also reading where it integrates in windows files.
spybot in safemode does not find anything.
Mcafee has come up with vindo and various spyware - today.
Thanks in advance for any help or insights you may have.
I did not run kaspersky. I will if you ask me to. Currently it is not on the network. I would like to make sure it is cleaned first if possible.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:00:55 PM, on 8/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\BCMSMMSG.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {096909d3-3bc0-49db-9efe-c62c7282e3ea} - C:\WINDOWS\System32\crirs32.dll (file missing)
O2 - BHO: (no name) - {2463D653-854A-4612-A50C-F5A661360D4d} - C:\WINDOWS\system32\qaqpabrk.dll (file missing)
O2 - BHO: (no name) - {2F9C7D0D-1555-4710-B675-97BDB12BD9C7} - C:\WINDOWS\system32\qaqpabrk.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6EACC58D-172B-43F1-812D-45F1BC711318} - C:\WINDOWS\system32\geeda.dll (file missing)
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: (no name) - {8757C09B-F4D7-AB82-6033-FA99CDD3C145} - C:\WINDOWS\system32\atlyl.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {ABB3E5D4-546D-4586-8B27-FE5B1E90B005} - C:\WINDOWS\system32\qaqpabrk.dll (file missing)
O2 - BHO: (no name) - {D73ED8B4-470E-4DE0-9BFC-8F7110AADF84} - C:\WINDOWS\system32\qaqpabrk.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Search - ?p=ZNxmk572DTUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Ebates. - file://C:\Program Files\EbatesMoeMoneyMaker4\ebatessmmm\ebatestmmm\ebmmC0.htm
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {F2B441CC-E026-47fb-BDC3-A07750FA3D2C} - file://C:\Program Files\EbatesMoeMoneyMaker4\ebatessmmm\ebatestmmm\ebmmC0.htm (HKCU)
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O20 - Winlogon Notify: crirs32 - crirs32.dll (file missing)
O20 - Winlogon Notify: geeda - C:\WINDOWS\system32\geeda.dll (file missing)
O20 - Winlogon Notify: ljjjgff - ljjjgff.dll (file missing)
O20 - Winlogon Notify: opnopol - opnopol.dll (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
--
End of file - 8776 bytes
pskelley
2007-08-31, 03:28
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
First, Vundo can be tough to remove, here is some information about the junk for you.
Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://msmvps.com/blogs/spywaresucks/search.aspx?q=winfixer+msn
http://www.revenews.com/wayneporter/archives/adware-spyware-greynets/getting_the_fix_on_winfixer_aol_network_now/
Next, as far as I can see, and the stuff can be hidden, and it will morph, you have killed the infection. Before we do anything else, let's clean good and see what happens.
1) Because Vundofix does not update, please remove it completely from your computer. If we need it again, I will want it downloaded fresh and from the link I provide. Make sure you delete the C:\Vundofix Backups\ folder also.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
3) Start > Control Panel > Add Remove Programs and uninstall EbatesMoeMoneyMaker4 and any other program you know does not belong there.
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {096909d3-3bc0-49db-9efe-c62c7282e3ea} - C:\WINDOWS\System32\crirs32.dll (file missing)
O2 - BHO: (no name) - {2463D653-854A-4612-A50C-F5A661360D4d} - C:\WINDOWS\system32\qaqpabrk.dll (file missing)
O2 - BHO: (no name) - {2F9C7D0D-1555-4710-B675-97BDB12BD9C7} - C:\WINDOWS\system32\qaqpabrk.dll (file missing)
O2 - BHO: (no name) - {6EACC58D-172B-43F1-812D-45F1BC711318} - C:\WINDOWS\system32\geeda.dll (file missing)
O2 - BHO: (no name) - {8757C09B-F4D7-AB82-6033-FA99CDD3C145} - C:\WINDOWS\system32\atlyl.dll (file missing)
O2 - BHO: (no name) - {ABB3E5D4-546D-4586-8B27-FE5B1E90B005} - C:\WINDOWS\system32\qaqpabrk.dll (file missing)
O2 - BHO: (no name) - {D73ED8B4-470E-4DE0-9BFC-8F7110AADF84} - C:\WINDOWS\system32\qaqpabrk.dll (file missing)
O8 - Extra context menu item: &Search - ?p=ZNxmk572DTUS
O8 - Extra context menu item: Ebates. - file://C:\Program Files\EbatesMoeMoneyMaker4\ebatessmmm\ebatestmmm\ebmmC0.htm
O9 - Extra button: Ebates - {F2B441CC-E026-47fb-BDC3-A07750FA3D2C} - file://C:\Program Files\EbatesMoeMoneyMaker4\ebatessmmm\ebatestmmm\ebmmC0.htm (HKCU) G
O20 - Winlogon Notify: crirs32 - crirs32.dll (file missing)
O20 - Winlogon Notify: geeda - C:\WINDOWS\system32\geeda.dll (file missing)
O20 - Winlogon Notify: ljjjgff - ljjjgff.dll (file missing)
O20 - Winlogon Notify: opnopol - opnopol.dll (file missing)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart the computer and post a new HJT log and some feedback.
Thanks
getitdone
2007-08-31, 10:17
I forgot to mention in the previous post that I already removed sun java 1.4 se.
Thanks for the quick response!
ok
1. removed and deleted
2. k
3. was not listed. it is possible I removed it earlier, although I do not think so. -- I removed lots of other junk.
4. done
5. done
here is the logg
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:01:05 AM, on 8/31/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16512)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\BCMSMMSG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [MMTray] C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [HPHUPD05] C:\Program Files\Hewlett-Packard\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb09.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra 'Tools' menuitem: AOL Toolbar - {4982D40A-C53B-4615-B15B-B5B5E98D167C} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {205FF73B-CA67-11D5-99DD-444553540013} (CInstall Class) - http://adserver.sharewareonline.com/adserver/Install.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
--
End of file - 7354 bytes
pskelley
2007-08-31, 13:24
Thanks for returning your information, your HJT log appers to be clean of malware. Let's ask Kaspersky to take a final look for us.
Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
Next Click on Launch Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.
Then post it here along with a new HJT log and any comments you think will help.
Thanks
getitdone
2007-09-01, 01:06
There is a popup comming up for avsystem care, and two other popups. you do NOT want to to post them here, correct I could pm them to you. . . .
I also notice there is a folder on the root of c 'qoobox'.
here is the logg
and BTW I do appreciate your time here.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, August 31, 2007 2:48:07 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 31/08/2007
Kaspersky Anti-Virus database records: 376950
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 100552
Number of viruses found: 7
Number of infected objects: 90
Number of suspicious objects: 7
Duration of the scan process: 02:35:28
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{163C29C3-944E-4E72-9F70-C074361B1BA6}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR5C.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\aaf648f912b793a61a2d392e829e444a_1dce0e75-1303-433a-bfc1-6b582bd25551 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip/Yazzle1281OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Steph\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\History\History.IE5\MSHist012007083120070901\index.dat Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Steph\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Steph\ntuser.dat Object is locked skipped
C:\Documents and Settings\Steph\ntuser.dat.LOG Object is locked skipped
C:\hpcmerr.log Object is locked skipped
C:\Program Files\Common Files\submit2.exe/submithook.dll Infected: Trojan-Downloader.Win32.Agent.az skipped
C:\Program Files\Common Files\submit2.exe Gentee: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ajutjojk.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\asjlboec.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\boykvoee.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\byugljep.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cnfwrppe.dll.vir Suspicious: Packed.Win32.Morphine.a skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cwsgjsdg.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cyidbllj.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ektvaxyq.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\evsdijeg.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\fbcfxcmr.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\foequcqe.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\gkovjlrr.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hddmhovq.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hlqfgosi.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\huncwjgh.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ifarkjrg.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\jercebaw.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kieoqjnb.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\klumkkfr.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\kqkysphu.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mbvwhsoq.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\njrlmwkp.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\oklabhpx.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ppqggfcb.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\qmbjwpnq.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rlqmtfnd.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rugrxavd.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\sqgvvfwa.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\sqnnymlj.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tdnpxfxh.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\tqkhleih.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\upevfild.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\uxypxbkw.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\vcgjhbgc.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wivhtkmr.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\xuaxwnja.exe.vir Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1420\A0250914.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1420\A0250917.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1420\A0250920.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1420\A0250923.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1420\A0250927.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1420\A0250929.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1420\A0250932.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1420\A0250934.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1420\A0250938.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1420\A0250955.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1420\A0250957.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1420\A0250958.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1420\A0250962.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1420\A0250965.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1420\A0250967.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1420\A0250969.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1420\A0250980.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1420\A0250982.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1420\A0250984.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1420\A0251001.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251521.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251522.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251523.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251524.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251525.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251526.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251527.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251528.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251529.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251530.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251531.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251532.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251533.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251534.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251535.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251536.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251537.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251538.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251539.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251540.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251541.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251542.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251543.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251544.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251545.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251546.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251547.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251548.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251549.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251550.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251551.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251552.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251553.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251554.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251555.exe Infected: Trojan-Dropper.Win32.Agent.bmk skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1422\A0251556.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1427\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallQ329115$\reg00003 Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{E8004A27-D993-4C0C-82B4-C183423DCE99}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\SYSTEM32\luwthbvi.dll Infected: Trojan-Downloader.Win32.Agent.bac skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_a9J56GLjMIdMzvj Object is locked skipped
C:\WINDOWS\Temp\mcmsc_hh3sZ54J1nI0lMO Object is locked skipped
C:\WINDOWS\Temp\mcmsc_inZlZacHgv1sso4 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_zU5hBI44mlEqXzw Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
pskelley
2007-09-01, 01:56
I also notice there is a folder on the root of c 'qoobox'.
That's left from combofix, did not mention it because we did not run it that I remember, delete that folder.
Number of infected objects: 90
Number of suspicious objects: 7
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\
Open Spybot S&D then click the white case with the red X, delete the contents.
C:\Program Files\Common Files\submit2.exe <<< delete that file
C:\QooBox\ <<< delete that folder
C:\WINDOWS\SYSTEM32\luwthbvi.dll <<< delete that file
When the above is complete, the restart the computer, then do this:
System Restore does not know the good files from the bad. In case bad stuff has gotten into your System Restore files, follow the instructions in this link to get clean System Restore files. Turn it off, reboot then turn it back on:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Scan again with Kaspersky and if you followed the directions you should have a clean scan, I do not need to see a report from a clean scan.
Thanks
getitdone
2007-09-01, 08:24
:)
just a quick note. it looks like a whole lot better. there was one popup. I do not have time right now. I will post Sun after I do some research etc. so keep open - or I guess I could pm too.
It does look like everything else is gone that I was having a problem with.
THANKS!
pskelley
2007-09-04, 13:38
Thanks for the feedback, some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
pskelley
2007-09-08, 13:52
As the problem appears to be resolved this topic has been closed.
If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.
Anyone else with similar problems please start a new topic.
Thanks