I suspect Spamming on my computer--need help!



mhigg04
2007-10-16, 16:29
I think my computer is sending out spam e-mails. I am on a blacklist for Yahoo, MSN, Hotmail, and some others. I had a big problem with viruses/malware and I posted in a different thread. That was taken care of, but the expert said to start a new thread about this. He said to post these logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:56 AM, on 2007-10-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.10.2:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.hch.ad;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {FD0B6769-6490-4A91-AA0A-B5AE0DC75AC9} (Performance Viewer Activex Control) - https://secure.logmein.com/activex/l...rl.cab?lmi=100
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = HCH.AD
O17 - HKLM\Software\..\Telephony: DomainName = HCH.AD
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = HCH.AD
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = HCH.AD
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5146 bytes

KASPERSKY ONLINE SCANNER REPORT
Monday, October 15, 2007 10:05:10 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/10/2007
Kaspersky Anti-Virus database records: 409577
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 109398
Number of viruses found: 4
Number of infected objects: 9
Number of suspicious objects: 0
Duration of the scan process: 04:15:11

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Al\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Al\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\driffe\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\driffe\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\jschaffer.HCH\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\jschaffer.HCH\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\jschaffer.HCH\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\jschaffer.HCH\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\jschaffer.HCH\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\jschaffer.HCH\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\jschaffer.HCH\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\jschaffer.HCH\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\malarreau\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\malarreau\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\mmhiggins\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\mmhiggins\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\qoobox\Quarantine\C\Program Files\Video ActiveX Access\iesmin.exe.vir Infected: Trojan-Downloader.Win32.Zlob.bzt skipped
C:\qoobox\Quarantine\C\Program Files\Video ActiveX Access\iesunst.exe.vir Infected: Trojan-Downloader.Win32.Zlob.dka skipped
C:\qoobox\Quarantine\C\Program Files\Video ActiveX Access\imsunst.exe.vir Infected: Trojan-Downloader.Win32.Zlob.dka skipped
C:\qoobox\Quarantine\C\Program Files\Video ActiveX Access\trz3.tmp.vir Infected: Trojan-Downloader.Win32.Zlob.cfp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\kvfvw.dll.vir Infected: Trojan-Downloader.Win32.Agent.bkd skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{93B79AE6-0FE5-497B-93D3-7F8600AD5096}\RP814\A0049657.exe Infected: Trojan-Downloader.Win32.Zlob.bzt skipped
C:\System Volume Information\_restore{93B79AE6-0FE5-497B-93D3-7F8600AD5096}\RP814\A0049658.exe Infected: Trojan-Downloader.Win32.Zlob.dka skipped
C:\System Volume Information\_restore{93B79AE6-0FE5-497B-93D3-7F8600AD5096}\RP814\A0049659.exe Infected: Trojan-Downloader.Win32.Zlob.dka skipped
C:\System Volume Information\_restore{93B79AE6-0FE5-497B-93D3-7F8600AD5096}\RP814\A0049665.dll Infected: Trojan-Downloader.Win32.Agent.bkd skipped
C:\System Volume Information\_restore{93B79AE6-0FE5-497B-93D3-7F8600AD5096}\RP823\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\Netlogon.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Prefetch\layout.ini Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\fa998053d8f05286f86623337cfbdf24\BIT3.tmp Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{2F22167C-7C7B-484E-A6B4-005E5E7810BE}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_574.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
G:\Peachw\gookidvi\ATTRIB.DDF Object is locked skipped
G:\Peachw\gookidvi\AUDITTR.DAT Object is locked skipped
G:\Peachw\gookidvi\AUDITTR.PTL Object is locked skipped
G:\Peachw\gookidvi\CHART.DAT Object is locked skipped
G:\Peachw\gookidvi\COMPANY.DAT Object is locked skipped
G:\Peachw\gookidvi\COMPANY.PTL Object is locked skipped
G:\Peachw\gookidvi\EVENTLOG.DAT Object is locked skipped
G:\Peachw\gookidvi\EVENTLOG.PTL Object is locked skipped
G:\Peachw\gookidvi\FIELD.DDF Object is locked skipped
G:\Peachw\gookidvi\FILE.DDF Object is locked skipped
G:\Peachw\gookidvi\INDEX.DDF Object is locked skipped
G:\Peachw\gookidvi\PERMISS.DAT Object is locked skipped
G:\Peachw\gookidvi\PROC.DDF Object is locked skipped
G:\Peachw\gookidvi\RELATE.DDF Object is locked skipped
G:\Peachw\gookidvi\RIGHTS.DDF Object is locked skipped
G:\Peachw\gookidvi\ROLES.DAT Object is locked skipped
G:\Peachw\gookidvi\TRIGGER.DDF Object is locked skipped
G:\Peachw\gookidvi\USER.DDF Object is locked skipped
G:\Peachw\gookidvi\USERPREF.DAT Object is locked skipped
G:\Peachw\gookidvi\USERPREF.PTL Object is locked skipped
G:\Peachw\gookidvi\USERROLE.DAT Object is locked skipped
G:\Peachw\gookidvi\VIEW.DDF Object is locked skipped
G:\Peachw\STATUS.DAT Object is locked skipped
G:\Peachw\VIEW.DDF Object is locked skipped
G:\User Folders\Mandy Higgins\Document Templates\~WRL2167.tmp Object is locked skipped

Scan process completed.

On this scan I have since deleted the c:\qoobox files and deleted all system restore points.

I wanted to also include a report from my firewall (a Check Point VPN-1 Edge X):

No VPN Date Time Protocol Source IP Port Destination IP Port
07827 Oct 16 09:52:27 AM TCP 192.168.2.57 2317 209.84.253.244 80 (HTTP)
07826 Oct 16 09:52:26 AM TCP 192.168.2.57 2315 209.84.253.245 80 (HTTP)
07825 Oct 16 09:52:09 AM TCP 192.168.2.57 2303 209.84.253.244 80 (HTTP)
07824 Oct 16 09:52:08 AM TCP 192.168.2.57 2301 209.84.253.245 80 (HTTP)
07823 Oct 16 09:52:02 AM TCP 192.168.2.57 2298 209.84.253.244 80 (HTTP)
07822 Oct 16 09:52:01 AM TCP 192.168.2.57 2297 209.84.253.245 80 (HTTP)
07821 Oct 16 09:51:55 AM TCP 192.168.2.57 2295 209.84.253.245 80 (HTTP)
07820 Oct 16 09:51:54 AM TCP 192.168.2.57 2294 209.84.253.244 80 (HTTP)
07819 Oct 16 09:51:49 AM TCP 192.168.2.57 2292 209.84.253.245 80 (HTTP)
07818 Oct 16 09:51:48 AM TCP 192.168.2.57 2291 209.84.253.244 80 (HTTP)
07817 Oct 16 09:51:42 AM TCP 192.168.2.57 2289 209.84.253.244 80 (HTTP)
07816 Oct 16 09:51:41 AM TCP 192.168.2.57 2288 209.84.253.245 80 (HTTP)
07815 Oct 16 09:51:36 AM TCP 192.168.2.57 2286 209.84.253.244 80 (HTTP)
07814 Oct 16 09:51:35 AM TCP 192.168.2.57 2285 209.84.253.245 80 (HTTP)
07813 Oct 16 09:51:30 AM TCP 192.168.2.57 2283 209.84.253.244 80 (HTTP)
07812 Oct 16 09:51:29 AM TCP 192.168.2.57 2282 209.84.253.245 80 (HTTP)
07811 Oct 16 09:51:24 AM TCP 192.168.2.57 2280 209.84.253.244 80 (HTTP)
07810 Oct 16 09:51:23 AM TCP 192.168.2.57 2279 209.84.253.245 80 (HTTP)
07809 Oct 16 09:51:22 AM TCP 192.168.2.55 (HCH) 4259 69.25.20.193 443 (HTTPS)
07808 Oct 16 09:51:21 AM TCP 192.168.2.55 (HCH) 4256 69.25.20.193 443 (HTTPS)
07807 Oct 16 09:51:17 AM TCP 192.168.2.57 2277 209.84.253.245 80 (HTTP)


IP address 192.168.2.57 is this computer on my network. I just pasted a little portion of the firewall log, but the idea is the same for pages of report every day. Do you know what this means? Do you know if it is spam?
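The firewall rows above can be checked mechanically rather than by eye. The following is an added example (not code from the post, the forum helpers, or Check Point): it parses the pasted log format, tallies which destination and port host 192.168.2.57 connected to, and counts connections to the SMTP ports 25, 465 and 587, because a machine that is sending spam directly typically shows many outbound port-25 connections to many different destination addresses. The log lines are the ones copied from the post; one extra line with a port-25 connection to the documentation address 198.51.100.25 is constructed so the SMTP check has a row to flag.

```python
import re
from collections import Counter

# Firewall log lines copied from the post above (header plus 21 entries),
# followed by ONE constructed line (not from the post, destination in the
# 198.51.100.0/24 documentation range) so the SMTP check has a positive case.
SAMPLE_LOG = """\
No VPN Date Time Protocol Source IP Port Destination IP Port
07827 Oct 16 09:52:27 AM TCP 192.168.2.57 2317 209.84.253.244 80 (HTTP)
07826 Oct 16 09:52:26 AM TCP 192.168.2.57 2315 209.84.253.245 80 (HTTP)
07825 Oct 16 09:52:09 AM TCP 192.168.2.57 2303 209.84.253.244 80 (HTTP)
07824 Oct 16 09:52:08 AM TCP 192.168.2.57 2301 209.84.253.245 80 (HTTP)
07823 Oct 16 09:52:02 AM TCP 192.168.2.57 2298 209.84.253.244 80 (HTTP)
07822 Oct 16 09:52:01 AM TCP 192.168.2.57 2297 209.84.253.245 80 (HTTP)
07821 Oct 16 09:51:55 AM TCP 192.168.2.57 2295 209.84.253.245 80 (HTTP)
07820 Oct 16 09:51:54 AM TCP 192.168.2.57 2294 209.84.253.244 80 (HTTP)
07819 Oct 16 09:51:49 AM TCP 192.168.2.57 2292 209.84.253.245 80 (HTTP)
07818 Oct 16 09:51:48 AM TCP 192.168.2.57 2291 209.84.253.244 80 (HTTP)
07817 Oct 16 09:51:42 AM TCP 192.168.2.57 2289 209.84.253.244 80 (HTTP)
07816 Oct 16 09:51:41 AM TCP 192.168.2.57 2288 209.84.253.245 80 (HTTP)
07815 Oct 16 09:51:36 AM TCP 192.168.2.57 2286 209.84.253.244 80 (HTTP)
07814 Oct 16 09:51:35 AM TCP 192.168.2.57 2285 209.84.253.245 80 (HTTP)
07813 Oct 16 09:51:30 AM TCP 192.168.2.57 2283 209.84.253.244 80 (HTTP)
07812 Oct 16 09:51:29 AM TCP 192.168.2.57 2282 209.84.253.245 80 (HTTP)
07811 Oct 16 09:51:24 AM TCP 192.168.2.57 2280 209.84.253.244 80 (HTTP)
07810 Oct 16 09:51:23 AM TCP 192.168.2.57 2279 209.84.253.245 80 (HTTP)
07809 Oct 16 09:51:22 AM TCP 192.168.2.55 (HCH) 4259 69.25.20.193 443 (HTTPS)
07808 Oct 16 09:51:21 AM TCP 192.168.2.55 (HCH) 4256 69.25.20.193 443 (HTTPS)
07807 Oct 16 09:51:17 AM TCP 192.168.2.57 2277 209.84.253.245 80 (HTTP)
99999 Oct 16 09:53:00 AM TCP 192.168.2.57 2400 198.51.100.25 25 (SMTP)
"""

# One pasted row: number, date, time, protocol, source IP with an optional
# "(name)" after it, source port, destination IP, destination port, optional "(service)".
LINE_RE = re.compile(
    r"^(?P<no>\d+)\s+"
    r"(?P<date>[A-Za-z]{3}\s+\d{1,2})\s+"
    r"(?P<time>\d{1,2}:\d{2}:\d{2}\s+[AP]M)\s+"
    r"(?P<proto>[A-Z]+)\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})(?:\s+\((?P<src_name>[^)]*)\))?\s+"
    r"(?P<sport>\d+)\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<dport>\d+)(?:\s+\((?P<service>[^)]*)\))?\s*$"
)

# Ports a mail sender talks to: direct-to-MX delivery (25) and submission (465, 587).
MAIL_PORTS = {25, 465, 587}


def parse_log(text):
    """Turn the pasted log into a list of dicts; the header and unparsable rows are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["sport"] = int(rec["sport"])
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def summarize_host(records, host):
    """Count how often one internal host connected to each (destination, port) pair."""
    return Counter((r["dst"], r["dport"]) for r in records if r["src"] == host)


def mail_connections(records, host):
    """Outbound connections from host to mail ports; a spam bot produces many of these."""
    return [r for r in records if r["src"] == host and r["dport"] in MAIL_PORTS]


def distinct_mail_destinations(records, host):
    """Number of different hosts contacted on mail ports (high for direct-to-MX spamming)."""
    return len({r["dst"] for r in mail_connections(records, host)})


def report(text, host):
    """Human-readable summary of what one host did in the log."""
    records = parse_log(text)
    summary = summarize_host(records, host)
    lines = [f"{host}: {sum(summary.values())} connections to {len(summary)} (dst, port) pairs"]
    for (dst, port), n in summary.most_common():
        lines.append(f"  {n:3d} x {dst}:{port}")
    lines.append(f"  mail-port connections: {len(mail_connections(records, host))} "
                 f"to {distinct_mail_destinations(records, host)} distinct hosts")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG, "192.168.2.57"))
```

Run against the rows the post shows, every connection from 192.168.2.57 goes to two addresses on port 80 a few seconds apart, which is web traffic rather than mail delivery; the only mail-port hit in the output comes from the constructed line. Running the same tally over a full day of the log and watching the count of distinct port-25 destinations answers the spam question far more directly than a short excerpt can.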

tashi
2007-10-22, 18:16
Duplicate topic: http://forums.spybot.info/showthread.php?p=127782#post127782