View Full Version : Cannot Load Spybot Search & Destroy
archicat
2007-10-22, 00:03
We are certain to have some malware on our computer. It will not allow us to run Spybot Search & Destroy, or any other solutions.
We continually get a pop-up box saying we have spyware...
I did try to use the link in FAQ to remove a typical blocker, but got the sign that the particular variety designed to be disabled was not found.
Thanks for any help or advise you can offer!!
archicat
2007-10-22, 00:23
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:22:14 PM, on 10/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\mgrs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Gentle Wife\Start Menu\Programs\Startup\system.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\GENTLE~1\LOCALS~1\Temp\svwin.exe
C:\DOCUME~1\GENTLE~1\LOCALS~1\Temp\svwin.exe
C:\DOCUME~1\GENTLE~1\LOCALS~1\Temp\3264.exe
C:\DOCUME~1\GENTLE~1\LOCALS~1\Temp\64mon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\DOCUME~1\GENTLE~1\LOCALS~1\Temp\3232.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\GENTLE~1\LOCALS~1\Temp\winlook.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\printer.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\tsitra1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310F3D2907D4E66914B5C1E9E689DB6FC45715EDF7B0F36BB40E2C2832213329D26033AAC
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\System Doctor\dcmon.exe"
O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [WinAVX] C:\WINDOWS\system32\WinAvXX.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Startup: system.exe
O4 - Global Startup: autorun.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\rtemehd.html
--
End of file - 5245 bytes
pskelley
2007-10-25, 01:49
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
If you still need help, please review the instructions posted above and at the top of the forum.
I will need to see the Kaspersky scan report, but please do not post it until I ask for it.
You have some nasty infections and I suggest you keep this computer offline except when troubleshooting until I tell you it is clean, the junk will download more.
1) You are running System Configuration Utility (MSConfig) in Selective Startup mode. Return it to normal mode so I can see all programs.
2) http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.
Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm
3) Thanks to andymanchesta and anyone else who helped with the fix.
Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log
Include the C:\rapport.txt from Smitfraudfix.
Thanks
archicat
2007-10-27, 02:33
Hello,
I have been unable to download Spybot, or any other security product. When I try to download, the dialogue box simply vanishess after a couple of seconds. It appears we have malware and it continually introduces unwanted favorites and other changes to other sites. Our Control Panel is missing! We often get the security warning.
Please help!
Two topics merged, please respond to your helper, pskelly, here.
Cheers.
archicat
2007-10-27, 05:58
PSKELLEY,
Thanks for helping us with this nasty business. Your recommendations were clear and easy to follow. Reports to follow.
Please let me know what (if anything) to do next. It appears we are still getting unrequested web pages, even when getting online to pursue this thread...
Thank You!
SDFix: Version 1.112
Run by Gentle Wife on Fri 10/26/2007 at 11:23 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Safe Mode:
Checking Services:
Name:
cmdService
runtime
ImagePath:
C:\WINDOWS\R2VudGxlIFdpZmU\command.exe
\??\C:\WINDOWS\System32\drivers\runtime.sys
cmdService - Deleted
runtime - Deleted
Killing PID 936 'printer.exe'
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Resetting AppInit_DLLs value
Rebooting...
Service runtime2 - Deleted after Reboot
Normal Mode:
Checking Files:
Trojan Files Found:
"C:\WINDOWS\R2VudGxlIFdpZmU\asappsrv.dll" - Deleted
C:\WINDOWS\R2VudGxlIFdpZmU\lZpRx3U5KIxDtAo.vbs - Deleted
C:\WINDOWS\retadpu1000106.exe.tmp - Deleted
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe - Deleted
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe - Deleted
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe - Deleted
C:\Documents and Settings\Gentle Wife\Start Menu\Programs\Startup\system.exe - Deleted
C:\DOCUME~1\GENTLE~1\LOCALS~1\Temp\uninstall.exe - Deleted
C:\WINDOWS\avp.exe - Deleted
C:\WINDOWS\b104.exe - Deleted
C:\WINDOWS\b122.exe - Deleted
C:\WINDOWS\b128.exe - Deleted
C:\WINDOWS\b138.exe - Deleted
C:\WINDOWS\b147.exe - Deleted
C:\WINDOWS\mgrs.exe - Deleted
C:\WINDOWS\system32\1_exception.nls - Deleted
C:\WINDOWS\system32\atmtd.dll - Deleted
C:\WINDOWS\system32\atmtd.dll._ - Deleted
C:\WINDOWS\system32\printer.exe - Deleted
C:\WINDOWS\system32\vtr.dll - Deleted
C:\WINDOWS\system32\winavxx.exe - Deleted
C:\WINDOWS\Temp\startdrv.exe - Deleted
C:\WINDOWS\uninstall_nmon.vbs - Deleted
C:\WINDOWS\system32\drivers\runtime.sys - Deleted
C:\WINDOWS\system32\drivers\runtime2.sys - Deleted
Could Not Remove C:\WINDOWS\system32\sulimo.dat
Folder C:\Program Files\Temporary - Removed
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
Remaining Services:
------------------
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe"="C:\\Program Files\\Adobe\\Adobe Version Cue CS2\\bin\\VersionCueCS2.exe:*:Enabled:Adobe Version Cue CS2"
"C:\\WINDOWS\\system32\\pyprgjhf.exe"="C:\\WINDOWS\\system32\\pyp"
"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Disabled:Internet Explorer"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"%windir%\\system32\\winav.exe"="%windir%\\system32\\winav.exe:*:Enabled:@xpsp2res.dll,-22019"
Remaining Files:
---------------
C:\WINDOWS\system32\sulimo.dat Found
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes:
Wed 1 Sep 2004 54,384 A..H. --- "C:\Program Files\America Online 9.0\aolphx.exe"
Wed 1 Sep 2004 156,784 A..H. --- "C:\Program Files\America Online 9.0\aoltray.exe"
Wed 1 Sep 2004 31,344 A..H. --- "C:\Program Files\America Online 9.0\RBM.exe"
Tue 18 Sep 2007 88 ..SHR --- "C:\WINDOWS\system32\3C439DD1A0.sys"
Sun 19 Aug 2007 56 ..SHR --- "C:\WINDOWS\system32\A0D19D433C.sys"
Wed 10 Oct 2007 6,465 ..SH. --- "C:\WINDOWS\system32\ayadd.bak1"
Mon 15 Oct 2007 6,935 ..SH. --- "C:\WINDOWS\system32\ayadd.bak2"
Fri 12 Oct 2007 6,465 ..SH. --- "C:\WINDOWS\system32\cdeeg.bak1"
Tue 2 Oct 2007 6,465 ..SH. --- "C:\WINDOWS\system32\ehhkj.bak1"
Sun 7 Oct 2007 6,465 ..SH. --- "C:\WINDOWS\system32\fgjlm.bak1"
Fri 12 Oct 2007 7,045 ..SH. --- "C:\WINDOWS\system32\fgjlm.bak2"
Tue 16 Oct 2007 411,670 ..SH. --- "C:\WINDOWS\system32\gjkmp.bak1"
Fri 26 Oct 2007 453,950 ..SH. --- "C:\WINDOWS\system32\gjkmp.bak2"
Thu 11 Oct 2007 6,505 ..SH. --- "C:\WINDOWS\system32\gjllm.bak1"
Tue 18 Sep 2007 4,184 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Sun 7 Oct 2007 6,465 ..SH. --- "C:\WINDOWS\system32\kjkmp.bak1"
Thu 11 Oct 2007 6,465 ..SH. --- "C:\WINDOWS\system32\kjllm.bak1"
Sat 6 Oct 2007 6,465 ..SH. --- "C:\WINDOWS\system32\llnmp.bak1"
Thu 27 Sep 2007 6,448 ..SH. --- "C:\WINDOWS\system32\mpqss.bak1"
Sun 30 Sep 2007 2,107,505 ..SH. --- "C:\WINDOWS\system32\mpqss.bak2"
Sun 7 Oct 2007 6,465 ..SH. --- "C:\WINDOWS\system32\onnmp.bak1"
Sun 7 Oct 2007 6,465 ..SH. --- "C:\WINDOWS\system32\oqstv.bak1"
Mon 8 Oct 2007 6,465 ..SH. --- "C:\WINDOWS\system32\rtstv.bak1"
Mon 8 Oct 2007 6,618 ..SH. --- "C:\WINDOWS\system32\rtstv.bak2"
Fri 5 Oct 2007 6,465 ..SH. --- "C:\WINDOWS\system32\rtvwa.bak1"
Mon 15 Oct 2007 6,993 ..SH. --- "C:\WINDOWS\system32\rtvwa.bak2"
Tue 2 Oct 2007 6,465 ..SH. --- "C:\WINDOWS\system32\sstwa.bak1"
Thu 4 Oct 2007 6,465 ..SH. --- "C:\WINDOWS\system32\tstwa.bak1"
Sat 6 Oct 2007 1,977,552 ..SH. --- "C:\WINDOWS\system32\tstwa.bak2"
Sat 13 Oct 2007 6,465 ..SH. --- "C:\WINDOWS\system32\vvvwa.bak1"
Tue 9 Oct 2007 6,465 ..SH. --- "C:\WINDOWS\system32\vyadd.bak1"
Wed 3 Oct 2007 6,465 ..SH. --- "C:\WINDOWS\system32\vycdd.bak1"
Wed 10 Oct 2007 6,465 ..SH. --- "C:\WINDOWS\system32\ybadd.bak1"
Mon 15 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\8361ae28fcfac79271825a6b2935fdb6\BITA.tmp"
Thu 19 Jul 2007 8 A..H. --- "C:\Documents and Settings\Gentle Wife\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Thu 19 Jul 2007 8 A..H. --- "C:\Documents and Settings\Gentle Wife\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Thu 19 Jul 2007 8 A..H. --- "C:\Documents and Settings\Gentle Wife\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Wed 25 Jul 2007 8 A..H. --- "C:\Documents and Settings\Gentle Wife\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Thu 19 Jul 2007 8 A..H. --- "C:\Documents and Settings\Gentle Husband\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Thu 19 Jul 2007 8 A..H. --- "C:\Documents and Settings\Gentle Husband\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Thu 19 Jul 2007 8 A..H. --- "C:\Documents and Settings\Gentle Husband\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Thu 19 Jul 2007 8 A..H. --- "C:\Documents and Settings\Gentle Husband\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Finished!
SmitFraudFix v2.242
Scan done at 23:06:37.31, Fri 10/26/2007
Run from C:\Documents and Settings\Gentle Wife\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\pyprgjhf.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\avp.exe
C:\WINDOWS\mgrs.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\DOCUME~1\GENTLE~1\LOCALS~1\Temp\hostagent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
hosts file corrupted !
192.168.200.3 download.microsoft.com
192.168.200.3 downloads.microsoft.com
192.168.200.3 go.microsoft.com
192.168.200.3 microsoft.com
192.168.200.3 msdn.microsoft.com
192.168.200.3 office.microsoft.com
192.168.200.3 support.microsoft.com
192.168.200.3 windowsupdate.microsoft.com
192.168.200.3 www.microsoft.com
192.168.200.3 pandasoftware.com
192.168.200.3 www.pandasoftware.com
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
C:\WINDOWS\avp.exe FOUND !
C:\WINDOWS\mgrs.exe FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\printer.exe FOUND !
C:\WINDOWS\system32\sulimo.dat FOUND !
C:\WINDOWS\system32\vtr???.dll FOUND !
C:\WINDOWS\system32\WinAvXX.exe FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Gentle Wife
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Gentle Wife\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
C:\DOCUME~1\GENTLE~1\STARTM~1\Programs\Startup\system.exe FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\autorun.exe FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\GENTLE~1\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="C:\\Program Files\\Common Files\\rtemehd.html"
"SubscribedURL"=""
"FriendlyName"=""
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\sulimo.dat"
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 216.68.4.10
DNS Server Search Order: 216.68.5.10
HKLM\SYSTEM\CCS\Services\Tcpip\..\{CE93C344-4BA3-4A1A-B87B-F29E97E6200F}: DhcpNameServer=216.68.4.10 216.68.5.10
HKLM\SYSTEM\CS1\Services\Tcpip\..\{CE93C344-4BA3-4A1A-B87B-F29E97E6200F}: DhcpNameServer=216.68.4.10 216.68.5.10
HKLM\SYSTEM\CS3\Services\Tcpip\..\{CE93C344-4BA3-4A1A-B87B-F29E97E6200F}: DhcpNameServer=216.68.4.10 216.68.5.10
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=216.68.4.10 216.68.5.10
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=216.68.4.10 216.68.5.10
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=216.68.4.10 216.68.5.10
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
archicat
2007-10-27, 06:00
PSKELLEY,
The following is the Hijack This Log as addendum to the previous post. Apparently there was too much data to combine them all without being overly fat...
Thanks again!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:46 PM, on 10/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\pyprgjhf.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SystemDoctor Free] C:\Program Files\System Doctor Free\systemdoc.exe /min
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\System Doctor\dcmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB002" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [50efb9cc] rundll32.exe "C:\WINDOWS\system32\aqjjuwwa.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_7 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\sulimo.dat
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\pyprgjhf.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Common Files\rtemehd.html
pskelley
2007-11-01, 16:14
My apologies:sad: I did not get notified when you posted as I should have. If that happens again, PM me to make me aware:
http://forums.spybot.info/private.php?do=newpm&u=233
Smitfraudfix has found that infection so we must deal with it now. I can tell you from experience when you have an corrupted Hosts file like this:
»»»»»»»»»»»»»»»»»»»»»»»» hosts
hosts file corrupted !
The Hosts file in the next report may be excessively long. Please edit it out if it is and make me aware you had to edit it.
http://siri.geekstogo.com/SmitfraudFix.php <<< tutorial if needed
Clean:
Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
Double-click SmitfraudFix.exe
Select 2 and hit Enter to delete infect files.
You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt
Optional:
To restore Trusted and Restricted site zone, select 3 and hit Enter.
You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.
Post the C:\rapport.txt and a new HJT log, tell me if the performance has improved.
Thanks...Phil
archicat
2007-11-02, 16:57
PSKELLEY,
Thanks again for your assistance!
I followed your directions, ran the SmitfraudFix, deleted, cleaned and grabbed the report.
Next, I was able to download Spybot 1.5, which was previously not possible, checked for problems, "fixed" 82 items, ran an immunization, got online...
While the situation appears to be improving, I continue to get pop-ups (ads for Win Anti Spyware), and an occasional message for attempts at re-direction.
Please find the following logs:
SmitFraudFix v2.242
Scan done at 10:43:23.73, Fri 11/02/2007
Run from C:\Documents and Settings\Gentle Wife\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
Problem while deleting C:\WINDOWS\system32\Delete_Me_Dummy_sulimo.dat
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
DNS Server Search Order: 216.68.4.10
DNS Server Search Order: 216.68.5.10
HKLM\SYSTEM\CCS\Services\Tcpip\..\{CE93C344-4BA3-4A1A-B87B-F29E97E6200F}: DhcpNameServer=216.68.4.10 216.68.5.10
HKLM\SYSTEM\CS1\Services\Tcpip\..\{CE93C344-4BA3-4A1A-B87B-F29E97E6200F}: DhcpNameServer=216.68.4.10 216.68.5.10
HKLM\SYSTEM\CS3\Services\Tcpip\..\{CE93C344-4BA3-4A1A-B87B-F29E97E6200F}: DhcpNameServer=216.68.4.10 216.68.5.10
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=216.68.4.10 216.68.5.10
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=216.68.4.10 216.68.5.10
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=216.68.4.10 216.68.5.10
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Reboot
C:\WINDOWS\system32\Delete_Me_Dummy_sulimo.dat Deleted
»»»»»»»»»»»»»»»»»»»»»»»» End
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:45:42 AM, on 11/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\pyprgjhf.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SystemDoctor Free] C:\Program Files\System Doctor Free\systemdoc.exe /min
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\System Doctor\dcmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB002" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [50efb9cc] rundll32.exe "C:\WINDOWS\system32\grqtpwna.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_7 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 9205 bytes
What do you think?
Thank you!!!
pskelley
2007-11-02, 17:14
Thanks for the feedback, what do I think? I think the lowlifes read everything we post, they would do anything to block the tools we use to remove their garbage, and have.
I see junk indicating Vundo is there (most of the infection is hidden), but first I need to show you this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\j2re1.4.2_03\ <<< your Java program is ancient, download the newest version and uninstall all old versions in Add Remove programs.
(likely why you are infected)
Hackers use out of date Java (among others) to infect you, see how easy it is:
http://www.theregister.com/2007/05/11/google_malware_map/
http://redtape.msnbc.com/2007/05/the_next_net_th.html
Let's start with Vundofix:
Thanks to Atribune and any others who helped with this fix.
Please understand these hackers can call there junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThislogin a reply to this thread.Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com
Save that report and HJT log until we finish, now run combofix:
Thanks to sUBs and anyone else who helped with this fix.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Post the reports from Vundofix and combofix along with a new HJT log and any commets you think will help.
Thanks
archicat
2007-11-09, 05:38
RSKelley,
Thanks again for your help, it has been a few days since working on this mess...
Following your directions, I uninstalled Java, downloaded Vundofix, ran vundofix, removed files, reboot...
Upon reboot, we received the message
"CANNOT FIND TEMPORARY INTERNET FILES \CONTENT.IE5\BZTUKLGQ\VUNDOFIX.EXE.
Also: "ERROR LOADING C:\Windows\System32\grqtpwna.dll The specified module could not be found."
Upon restart, internet explorer start page was hijacked...
There is one file vundo could not remove; will upload to upload-malware.
The following are Vundofix and Hijack Logs:
VundoFix V6.5.11
Checking Java version...
Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.
Scan started at 11:05:27 PM 11/8/2007
Listing files found while scanning....
C:\windows\system32\awtss.dll
C:\windows\system32\awtst.dll
C:\windows\system32\awvtr.dll
C:\windows\system32\awvvv.dll
C:\windows\system32\ayadd.bak1
C:\windows\system32\ayadd.bak2
C:\windows\system32\ayadd.ini
C:\windows\system32\cdeeg.bak1
C:\windows\system32\cdeeg.ini
C:\windows\system32\ddaby.dll
C:\windows\system32\ddaya.dll
C:\windows\system32\ddayv.dll
C:\windows\system32\ddcyv.dll
C:\windows\system32\efedaww.dll
C:\windows\system32\ehhkj.bak1
C:\windows\system32\ehhkj.ini
C:\windows\system32\fgjlm.bak1
C:\windows\system32\fgjlm.bak2
C:\windows\system32\fgjlm.ini
C:\windows\system32\geedc.dll
C:\windows\system32\gjllm.bak1
C:\windows\system32\gjllm.ini
C:\windows\system32\jkhhe.dll
C:\windows\system32\kjkmp.bak1
C:\windows\system32\kjkmp.ini
C:\windows\system32\kjllm.bak1
C:\windows\system32\kjllm.ini
C:\windows\system32\llnmp.bak1
C:\windows\system32\llnmp.ini
C:\windows\system32\mljgf.dll
C:\windows\system32\mlljg.dll
C:\windows\system32\mlljk.dll
C:\windows\system32\nitkiiku.dll
C:\WINDOWS\system32\nnnnnlj.dll
C:\windows\system32\onnmp.bak1
C:\windows\system32\onnmp.ini
C:\windows\system32\oqstv.bak1
C:\windows\system32\oqstv.ini
C:\windows\system32\pmkjk.dll
C:\windows\system32\pmnll.dll
C:\windows\system32\pmnno.dll
C:\windows\system32\rtstv.bak1
C:\windows\system32\rtstv.bak2
C:\windows\system32\rtstv.ini
C:\windows\system32\rtvwa.bak1
C:\windows\system32\rtvwa.bak2
C:\windows\system32\rtvwa.ini
C:\WINDOWS\system32\ssqpm.dll
C:\windows\system32\sstwa.bak1
C:\windows\system32\sstwa.ini
C:\windows\system32\tstwa.bak1
C:\windows\system32\tstwa.bak2
C:\windows\system32\tstwa.ini
C:\windows\system32\ukiiktin.ini
C:\windows\system32\vtsqo.dll
C:\windows\system32\vtstr.dll
C:\windows\system32\vvvwa.bak1
C:\windows\system32\vvvwa.ini
C:\WINDOWS\system32\vxxtsxvn.dll
C:\windows\system32\vyadd.bak1
C:\windows\system32\vyadd.ini
C:\windows\system32\vycdd.bak1
C:\windows\system32\vycdd.ini
Beginning removal...
Attempting to delete C:\windows\system32\awtss.dll
C:\windows\system32\awtss.dll Has been deleted!
Attempting to delete C:\windows\system32\awtst.dll
C:\windows\system32\awtst.dll Has been deleted!
Attempting to delete C:\windows\system32\awvtr.dll
C:\windows\system32\awvtr.dll Has been deleted!
Attempting to delete C:\windows\system32\awvvv.dll
C:\windows\system32\awvvv.dll Has been deleted!
Attempting to delete C:\windows\system32\ayadd.bak1
C:\windows\system32\ayadd.bak1 Has been deleted!
Attempting to delete C:\windows\system32\ayadd.bak2
C:\windows\system32\ayadd.bak2 Has been deleted!
Attempting to delete C:\windows\system32\ayadd.ini
C:\windows\system32\ayadd.ini Has been deleted!
Attempting to delete C:\windows\system32\cdeeg.bak1
C:\windows\system32\cdeeg.bak1 Has been deleted!
Attempting to delete C:\windows\system32\cdeeg.ini
C:\windows\system32\cdeeg.ini Has been deleted!
Attempting to delete C:\windows\system32\ddaby.dll
C:\windows\system32\ddaby.dll Has been deleted!
Attempting to delete C:\windows\system32\ddaya.dll
C:\windows\system32\ddaya.dll Has been deleted!
Attempting to delete C:\windows\system32\ddayv.dll
C:\windows\system32\ddayv.dll Has been deleted!
Attempting to delete C:\windows\system32\ddcyv.dll
C:\windows\system32\ddcyv.dll Has been deleted!
Attempting to delete C:\windows\system32\efedaww.dll
C:\windows\system32\efedaww.dll Has been deleted!
Attempting to delete C:\windows\system32\ehhkj.bak1
C:\windows\system32\ehhkj.bak1 Has been deleted!
Attempting to delete C:\windows\system32\ehhkj.ini
C:\windows\system32\ehhkj.ini Has been deleted!
Attempting to delete C:\windows\system32\fgjlm.bak1
C:\windows\system32\fgjlm.bak1 Has been deleted!
Attempting to delete C:\windows\system32\fgjlm.bak2
C:\windows\system32\fgjlm.bak2 Has been deleted!
Attempting to delete C:\windows\system32\fgjlm.ini
C:\windows\system32\fgjlm.ini Has been deleted!
Attempting to delete C:\windows\system32\geedc.dll
C:\windows\system32\geedc.dll Has been deleted!
Attempting to delete C:\windows\system32\gjllm.bak1
C:\windows\system32\gjllm.bak1 Has been deleted!
Attempting to delete C:\windows\system32\gjllm.ini
C:\windows\system32\gjllm.ini Has been deleted!
Attempting to delete C:\windows\system32\jkhhe.dll
C:\windows\system32\jkhhe.dll Has been deleted!
Attempting to delete C:\windows\system32\kjkmp.bak1
C:\windows\system32\kjkmp.bak1 Has been deleted!
Attempting to delete C:\windows\system32\kjkmp.ini
C:\windows\system32\kjkmp.ini Has been deleted!
Attempting to delete C:\windows\system32\kjllm.bak1
C:\windows\system32\kjllm.bak1 Has been deleted!
Attempting to delete C:\windows\system32\kjllm.ini
C:\windows\system32\kjllm.ini Has been deleted!
Attempting to delete C:\windows\system32\llnmp.bak1
C:\windows\system32\llnmp.bak1 Has been deleted!
Attempting to delete C:\windows\system32\llnmp.ini
C:\windows\system32\llnmp.ini Has been deleted!
Attempting to delete C:\windows\system32\mljgf.dll
C:\windows\system32\mljgf.dll Has been deleted!
Attempting to delete C:\windows\system32\mlljg.dll
C:\windows\system32\mlljg.dll Has been deleted!
Attempting to delete C:\windows\system32\mlljk.dll
C:\windows\system32\mlljk.dll Has been deleted!
Attempting to delete C:\windows\system32\nitkiiku.dll
C:\windows\system32\nitkiiku.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\nnnnnlj.dll
C:\WINDOWS\system32\nnnnnlj.dll Could not be deleted.
Attempting to delete C:\windows\system32\onnmp.bak1
C:\windows\system32\onnmp.bak1 Has been deleted!
Attempting to delete C:\windows\system32\onnmp.ini
C:\windows\system32\onnmp.ini Has been deleted!
Attempting to delete C:\windows\system32\oqstv.bak1
C:\windows\system32\oqstv.bak1 Has been deleted!
Attempting to delete C:\windows\system32\oqstv.ini
C:\windows\system32\oqstv.ini Has been deleted!
Attempting to delete C:\windows\system32\pmkjk.dll
C:\windows\system32\pmkjk.dll Has been deleted!
Attempting to delete C:\windows\system32\pmnll.dll
C:\windows\system32\pmnll.dll Has been deleted!
Attempting to delete C:\windows\system32\pmnno.dll
C:\windows\system32\pmnno.dll Has been deleted!
Attempting to delete C:\windows\system32\rtstv.bak1
C:\windows\system32\rtstv.bak1 Has been deleted!
Attempting to delete C:\windows\system32\rtstv.bak2
C:\windows\system32\rtstv.bak2 Has been deleted!
Attempting to delete C:\windows\system32\rtstv.ini
C:\windows\system32\rtstv.ini Has been deleted!
Attempting to delete C:\windows\system32\rtvwa.bak1
C:\windows\system32\rtvwa.bak1 Has been deleted!
Attempting to delete C:\windows\system32\rtvwa.bak2
C:\windows\system32\rtvwa.bak2 Has been deleted!
Attempting to delete C:\windows\system32\rtvwa.ini
C:\windows\system32\rtvwa.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssqpm.dll
C:\WINDOWS\system32\ssqpm.dll Has been deleted!
Attempting to delete C:\windows\system32\sstwa.bak1
C:\windows\system32\sstwa.bak1 Has been deleted!
Attempting to delete C:\windows\system32\sstwa.ini
C:\windows\system32\sstwa.ini Has been deleted!
Attempting to delete C:\windows\system32\tstwa.bak1
C:\windows\system32\tstwa.bak1 Has been deleted!
Attempting to delete C:\windows\system32\tstwa.bak2
C:\windows\system32\tstwa.bak2 Has been deleted!
Attempting to delete C:\windows\system32\tstwa.ini
C:\windows\system32\tstwa.ini Has been deleted!
Attempting to delete C:\windows\system32\ukiiktin.ini
C:\windows\system32\ukiiktin.ini Has been deleted!
Attempting to delete C:\windows\system32\vtsqo.dll
C:\windows\system32\vtsqo.dll Has been deleted!
Attempting to delete C:\windows\system32\vtstr.dll
C:\windows\system32\vtstr.dll Has been deleted!
Attempting to delete C:\windows\system32\vvvwa.bak1
C:\windows\system32\vvvwa.bak1 Has been deleted!
Attempting to delete C:\windows\system32\vvvwa.ini
C:\windows\system32\vvvwa.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\vxxtsxvn.dll
C:\WINDOWS\system32\vxxtsxvn.dll Has been deleted!
Attempting to delete C:\windows\system32\vyadd.bak1
C:\windows\system32\vyadd.bak1 Has been deleted!
Attempting to delete C:\windows\system32\vyadd.ini
C:\windows\system32\vyadd.ini Has been deleted!
Attempting to delete C:\windows\system32\vycdd.bak1
C:\windows\system32\vycdd.bak1 Has been deleted!
Attempting to delete C:\windows\system32\vycdd.ini
C:\windows\system32\vycdd.ini Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.11
Checking Java version...
Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.
Scan started at 11:13:30 PM 11/8/2007
Listing files found while scanning....
C:\windows\system32\nnnnnlj.dll
Beginning removal...
Attempting to delete C:\windows\system32\nnnnnlj.dll
C:\windows\system32\nnnnnlj.dll Has been deleted!
Performing Repairs to the registry.
Done!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:22:40 PM, on 11/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\pothcxjr.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SystemDoctor Free] C:\Program Files\System Doctor Free\systemdoc.exe /min
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\System Doctor\dcmon.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB002" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [50efb9cc] rundll32.exe "C:\WINDOWS\system32\grqtpwna.dll",b
O4 - HKLM\..\RunOnce: [VundoFix] "C:\Documents and Settings\Gentle Wife\Local Settings\Temporary Internet Files\Content.IE5\BZTUKLGQ\vundofix.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_7 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\pothcxjr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 9353 bytes
Will continue with combofix process and send data.
Thank you!
archicat
2007-11-09, 05:51
PSKelley,
I tried to upload the vundo that could not be removed to upload malware, but it is not where indicated.
C:\WINDOWS\System32\nnnnnlj.dll
Not sure what to do here...
archicat
2007-11-09, 06:14
PSKelley,
We ran combofix. During the process, several "requests" to change registry entry keys popped up. I denied them all. After reboot, several more requests popped up and I again denied them...
The following is Combofix Log.
Please advise...
ComboFix 07-11-08.1 - Gentle Wife 2007-11-08 23:55:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.530 [GMT -5:00]
Running from: C:\Documents and Settings\Gentle Wife\Desktop\ComboFix.exe
* Created a new restore point
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\Gentle Husband\Desktop\Find Spyware Remover.lnk
C:\Documents and Settings\Gentle Husband\Desktop\Free Online Dating.lnk
C:\Documents and Settings\Gentle Husband\Desktop\Go to Casino.lnk
C:\Documents and Settings\Gentle Husband\Start Menu\Programs\Startup\system.exe
C:\Documents and Settings\Gentle Wife\My Documents\YSTEM~1
C:\Program Files\Common Files\qudas.dll
C:\Program Files\Common Files\qudas131.dll
C:\Program Files\Insider
C:\Program Files\mbols~1
C:\Program Files\s2f.exe
C:\Program Files\ucleaner_setup.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\dravic.exe
C:\WINDOWS\mraerea.exe
C:\WINDOWS\smante~1
C:\WINDOWS\system32\bmdmgclj.exe
C:\WINDOWS\system32\bschdbsb.exe
C:\WINDOWS\system32\C2
C:\WINDOWS\system32\dbxtrxad.exe
C:\WINDOWS\system32\ddewhstm.exe
C:\WINDOWS\system32\dlqgaacn.exe
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\ip6fw.sys
C:\WINDOWS\system32\eebeqldy.exe
C:\WINDOWS\system32\eeuutltd.exe
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\f02WtR\f02WtR1065.exe
C:\WINDOWS\system32\fgvekkqh.dll
C:\WINDOWS\system32\fygwwcwh.exe
C:\WINDOWS\system32\gjkmp.bak1
C:\WINDOWS\system32\gjkmp.bak2
C:\WINDOWS\system32\gjkmp.ini
C:\WINDOWS\system32\gxgtrhbe.dll
C:\WINDOWS\system32\ipsaybmt.dll
C:\WINDOWS\system32\jogqccsv.dll
C:\WINDOWS\system32\kieeyqoy.exe
C:\WINDOWS\system32\ltnfkjua.dll
C:\WINDOWS\system32\lvfdtnya.dll
C:\WINDOWS\system32\mpqss.bak1
C:\WINDOWS\system32\mpqss.bak2
C:\WINDOWS\system32\mpqss.ini
C:\WINDOWS\system32\nlxqexwp.exe
C:\WINDOWS\system32\oxuiqwhj.dll
C:\WINDOWS\system32\pmhqfdde.exe
C:\WINDOWS\system32\pmkjg.dll
C:\WINDOWS\system32\pothcxjr.exe
C:\WINDOWS\system32\pyprgjhf.exe
C:\WINDOWS\system32\tmbyaspi.ini
C:\WINDOWS\system32\tvxijdfp.dll
C:\WINDOWS\system32\tyhwdrce.dll
C:\WINDOWS\system32\ujfxlued.exe
C:\WINDOWS\system32\ulpbltba.exe
C:\WINDOWS\system32\umrmhors.exe
C:\WINDOWS\system32\vgnijgjj.dll
C:\WINDOWS\system32\vlegvucn.exe
C:\WINDOWS\system32\wcytkhgl.exe
C:\WINDOWS\system32\wtsisvit.exe
C:\WINDOWS\system32\ynqglupt.exe
C:\WINDOWS\system32\Z1
C:\WINDOWS\system32\Z1\mid2dll.exe
C:\WINDOWS\system32\Z2
C:\WINDOWS\system32\Z2\mon33dll.exe
C:\WINDOWS\tk58.exe
C:\WINDOWS\TTC-4444.exe
C:\WINDOWS\xlavba6.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_RUNTIME
-------\DomainService
((((((((((((((((((((((((( Files Created from 2007-10-09 to 2007-11-09 )))))))))))))))))))))))))))))))
.
2007-11-08 23:53 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-08 23:13 80,448 --a------ C:\WINDOWS\system32\amusaeqp.dll
2007-11-08 23:05 <DIR> d-------- C:\VundoFix Backups
2007-11-08 21:45 86,080 --a------ C:\WINDOWS\system32\xfifloif.dll
2007-11-08 21:42 71,232 --a------ C:\WINDOWS\system32\texippft.exe
2007-11-07 21:43 86,080 --a------ C:\WINDOWS\system32\fapiiopq.dll
2007-11-07 21:41 71,232 --a------ C:\WINDOWS\system32\kvqkxxre.exe
2007-11-06 09:38 87,104 --a------ C:\WINDOWS\system32\msxjybde.dll
2007-11-04 16:20 86,080 --a------ C:\WINDOWS\system32\kwdadwur.dll
2007-11-02 09:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-26 22:21 <DIR> d-------- C:\WINDOWS\ERUNT
2007-10-26 22:08 <DIR> d-------- C:\rapport scan
2007-10-26 22:07 4,150 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-26 22:05 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-26 22:05 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-26 22:05 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-26 22:05 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-26 22:05 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-26 18:31 14,848 --a------ C:\Program Files\msc.exe
2007-10-24 14:04 <DIR> d-------- C:\Program Files\E404 Helper
2007-10-21 17:10 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-21 16:06 14,651,472 --a------ C:\SpySweeperRegSetup_EN.exe
2007-10-20 22:29 552 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-10-20 22:04 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-10-20 22:01 <DIR> d-------- C:\WINDOWS\pss
2007-10-20 21:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2007-10-20 21:47 <DIR> d-------- C:\Program Files\Citrix
2007-10-20 21:47 60,968 --a------ C:\Documents and Settings\Gentle Wife\GoToAssistDownloadHelper.exe
2007-10-09 21:37 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-06 21:28 246 ----a-w C:\Program Files\Common Files\qudas131
2007-09-29 14:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\System Doctor Free
2007-09-29 14:42 --------- d-----w C:\Documents and Settings\Gentle Wife\Application Data\System Doctor Free
2007-09-28 02:07 --------- d-----w C:\Documents and Settings\Gentle Wife\Application Data\AdobeUM
2007-07-28 09:06 135 ----a-w C:\Program Files\Common Files\rtemehd.html
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ADBF1A2B-DB0C-4760-9859-6137E059E8A2}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CBE91208-BCC4-4AFC-B9C4-B0AAD991C021}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-15 14:10]
"Norton Ghost 10.0"="C:\Program Files\Norton Ghost\Agent\GhostTray.exe" [2005-12-07 16:05]
"MSKDetectorExe"="C:\Program Files\McAfee\SpamKiller\MSKDetct.exe" [2005-07-12 19:05]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 19:20]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 10:44]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 10:44]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-10-14 20:49]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-10-14 20:50]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-10-14 20:46]
"EPSON Stylus Photo R800"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.exe" [2003-08-07 02:00]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 14:01]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-10-05 03:12]
"DLA"="C:\WINDOWS\System32\DLA\DLACTRLW.EXE" [2005-09-08 05:20]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-12-13 15:30]
"Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 17:58]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 19:52]
"50efb9cc"="C:\WINDOWS\system32\grqtpwna.dll" []
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 05:00]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-27 13:32]
"updateMgr"="C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" [2005-10-24 15:53]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 10:09]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 15:46]
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [2007-07-23 12:29:56]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 18:16:50]
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 03:44:06]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-05-15 14:07:11]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\GoToAssist]
C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll 2007-10-20 21:47 10792 C:\Program Files\Citrix\GoToAssist\480\g2awinlogon.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmkjg.dll
R1 V2IMount;V2IMount;C:\WINDOWS\system32\drivers\V2IMount.sys
S3 GoToAssist;GoToAssist;"C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe" Start=service
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-09 00:02:06
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-09 0:03:16 - machine was rebooted
.
--- E O F ---
Note: Hijack Log to follow
Thanks again for your help! If not for people like you, people like us would be up the creek, so to speak...
archicat
2007-11-09, 06:15
PSKelley,
the Hijack log was ran just after the previous combofix, but it was too much for one post.
Sorry...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:40 AM, on 11/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {ADBF1A2B-DB0C-4760-9859-6137E059E8A2} - (no file)
O2 - BHO: (no name) - {CBE91208-BCC4-4AFC-B9C4-B0AAD991C021} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB002" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [50efb9cc] rundll32.exe "C:\WINDOWS\system32\grqtpwna.dll",b
O4 - HKLM\..\Run: [SystemDoctor Free] C:\Program Files\System Doctor Free\systemdoc.exe /min
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\System Doctor\dcmon.exe"
O4 - HKLM\..\RunOnce: [VundoFix] "C:\Documents and Settings\Gentle Wife\Local Settings\Temporary Internet Files\Content.IE5\BZTUKLGQ\vundofix.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_7 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 9587 bytes
pskelley
2007-11-09, 15:00
Upon reboot, we received the message
"CANNOT FIND TEMPORARY INTERNET FILES \CONTENT.IE5\BZTUKLGQ\VUNDOFIX.EXE.
Looks like Vundo fix was install in TIF? The instructions:
Please download VundoFix.exe to your desktop.
If you did install anywhere beside the Desktop, delete the program, download it again according to the instructions, then run it again to be sure installing it in the wrong place did not effect performance.
Here is where it was installed:
O4 - HKLM\..\RunOnce: [VundoFix] "C:\Documents and Settings\Gentle Wife\Local Settings\Temporary Internet Files\Content.IE5\BZTUKLGQ\vundofix.exe"
Also: "ERROR LOADING C:\Windows\System32\grqtpwna.dll The specified module could not be found."You may get messages, keep posting them, Vundo is complaining you are trying to remove it.
As you can see, Vundofix removed a hugh amount of Vundo files, you were very, very infected.
combofix also remove a load of junk!
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:04:40 AM, on 11/9/2007
See this: http://research.sunbelt-software.com/threatdisplay.aspx?name=SystemDoctor&threatid=44432
Follow the instructions carefully and in the numbered order.
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
3) TeaTimer will block changes we must make, use these instruction to turn it off until we are done.
http://russelltexas.com/malware/teatimer.htm
4) Start > Control Panel Add Remove programs and uninstall SystemDoctor Free, System Doctor and any other program you know does not belong there.
5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: (no name) - {ADBF1A2B-DB0C-4760-9859-6137E059E8A2} - (no file)
O2 - BHO: (no name) - {CBE91208-BCC4-4AFC-B9C4-B0AAD991C021} - (no file)
O4 - HKLM\..\Run: [50efb9cc] rundll32.exe "C:\WINDOWS\system32\grqtpwna.dll",b
O4 - HKLM\..\Run: [SystemDoctor Free] C:\Program Files\System Doctor Free\systemdoc.exe /min
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\System Doctor\dcmon.exe"
Close all programs but HJT and all browser windows, then click on "Fix Checked"
6) RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\Program Files\System Doctor Free\ <<< delete that folder
C:\Program Files\Common Files\System Doctor\ <<< delete that folder
C:\WINDOWS\system32\grqtpwna.dll <<< delete that file
(if that file gives you trouble, use this tool and instructions)
How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart, post a new HJT log and give me some feedback.
Thanks
archicat
2007-11-09, 16:52
rskelley,
Following your instructions, I got rid of the vundo in temp folder (last night I hit 'run' instead of save to desktop, but also saved to desktop). The 'error loading' note and other messages are no longer a startup issue.
I also had the system perform a basic 'clean up' of the temp folder.
Performed the sequence to make folders visible (twice to be sure...) and saved ATF cleaner to the desktop.
TeaTimer was turned off...
Could not find 'SystemDoctor Free' or 'system doctor' under programs... ran a file search that also came up empty-handed.
Ran hijack, and successfully executed "Fix Checked" on the specified files.
System explore did not find any 'system doctor' files, nor the 'grqtpwna.dll'.
ATF Cleaner appeared to have an abundant harvest...
Please find a new hijack log to follow:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:30:35 AM, on 11/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\System32\GEARSec.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [MSKDetectorExe] C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R800] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE /P23 "EPSON Stylus Photo R800" /O6 "USB002" /M "Stylus Photo R800"
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" AcPro7_0_7 -reboot 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (User 'Default user')
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: GoToAssist - C:\Program Files\Citrix\GoToAssist\480\G2AWinLogon.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSec.exe
O23 - Service: GoToAssist - Citrix Online, a division of Citrix Systems, Inc. - C:\Program Files\Citrix\GoToAssist\480\g2aservice.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 8772 bytes
Thank you!
pskelley
2007-11-09, 17:26
Thanks for returning your information and the feedback, that's a clean HJT log:bigthumb:
You may keep ATF-Cleaner (nice tool) but delete combofix, the C:\combofix\qoobox\quarantine folder, Vundofix and the C:\vundofix backups\ folder. Then restart the computer and do this:
Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
Next Click on Launch Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.
Then post it here. Add any comments you think will help.
Thanks
archicat
2007-11-09, 21:13
rskelley,
Well, it appears we are getting somewhere!
The Kapersky harvest is abundant beyond the capacity of a single post, although some of the data does appears related to the unfortunate Adobe spyware used to protect their popular products...
I had to enable Active X controls, for which I selected "prompt" whenever possible. Please advise which security setting are most approrpriate...
The following is Part 1 of the Kapersky log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, November 09, 2007 3:02:25 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/11/2007
Kaspersky Anti-Virus database records: 427322
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 57859
Number of viruses found: 26
Number of infected objects: 134
Number of suspicious objects: 0
Duration of the scan process: 00:32:03
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Gentle Husband\Local Settings\Temp\hsperfdata_Gentle Husband\3204 Object is locked skipped
C:\Documents and Settings\Gentle Wife\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Gentle Wife\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
C:\Documents and Settings\Gentle Wife\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped
C:\Documents and Settings\Gentle Wife\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
C:\Documents and Settings\Gentle Wife\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Gentle Wife\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Gentle Wife\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Gentle Wife\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Gentle Wife\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Gentle Wife\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Gentle Wife\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\config\configuration\org.eclipse.core.runtime\.manager\.tmp1007.instance Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\ibdata1 Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\ib_logfile0 Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\ib_logfile1 Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\versioncue\bhasset.ibd Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\versioncue\bhassetcacheitem.ibd Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\versioncue\bhassetversioncacheitem.ibd Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\versioncue\bhlabel.ibd Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\versioncue\bhlabeltoversion.ibd Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\versioncue\bhmessage.ibd Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\versioncue\bhpqentry.ibd Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\versioncue\bhpublishlog.ibd Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\versioncue\bhpublishserver.ibd Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\versioncue\bhpublishstateitem.ibd Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\versioncue\bhresult.ibd Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\versioncue\bhreview.ibd Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\versioncue\bhreviewcomment.ibd Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\versioncue\bhrole.ibd Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\versioncue\bhschemaversion.ibd Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\versioncue\bhsequence.ibd Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\versioncue\bhserverglobals.ibd Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\versioncue\bhsettings.ibd Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\versioncue\bhsettingssection.ibd Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\versioncue\bhthumbnail.ibd Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\versioncue\bhuser.ibd Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\versioncue\bhuserrole.ibd Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\versioncue\bhxmpmetadata.ibd Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\versioncue\bhxmpproperty.ibd Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\logs\VersionCue.log Object is locked skipped
C:\Program Files\Common Files\rtemehd.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc1\Quarantine\C\Documents and Settings\Gentle Husband\Start Menu\Programs\Startup\system.exe.vir Infected: Trojan.Win32.Qhost.uo skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc1\Quarantine\C\Program Files\Common Files\qudas.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc1\Quarantine\C\Program Files\Common Files\qudas131.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc1\Quarantine\C\Program Files\s2f.exe.vir Infected: Trojan-Downloader.Win32.Alphabet.aa skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc1\Quarantine\C\WINDOWS\dravic.exe.vir Infected: Trojan.Win32.Pakes.sb skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc1\Quarantine\C\WINDOWS\mraerea.exe.vir Infected: Trojan.Win32.Small.sh skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc1\Quarantine\C\WINDOWS\system32\bmdmgclj.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc1\Quarantine\C\WINDOWS\system32\bschdbsb.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc1\Quarantine\C\WINDOWS\system32\dbxtrxad.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc1\Quarantine\C\WINDOWS\system32\ddewhstm.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc1\Quarantine\C\WINDOWS\system32\dlqgaacn.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc1\Quarantine\C\WINDOWS\system32\drivers\ip6fw.sys.vir Infected: Trojan-Downloader.Win32.Agent.acl skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc1\Quarantine\C\WINDOWS\system32\eebeqldy.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc1\Quarantine\C\WINDOWS\system32\eeuutltd.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc1\Quarantine\C\WINDOWS\system32\f02WtR\f02WtR1065.exe.vir Infected: Trojan-Downloader.Win32.VB.bgd skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc1\Quarantine\C\WINDOWS\system32\fygwwcwh.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc1\Quarantine\C\WINDOWS\system32\kieeyqoy.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc1\Quarantine\C\WINDOWS\system32\nlxqexwp.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc1\Quarantine\C\WINDOWS\system32\pmhqfdde.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc1\Quarantine\C\WINDOWS\system32\pothcxjr.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc1\Quarantine\C\WINDOWS\system32\pyprgjhf.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc1\Quarantine\C\WINDOWS\system32\ujfxlued.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc1\Quarantine\C\WINDOWS\system32\ulpbltba.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc1\Quarantine\C\WINDOWS\system32\umrmhors.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc1\Quarantine\C\WINDOWS\system32\vlegvucn.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc1\Quarantine\C\WINDOWS\system32\wcytkhgl.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc1\Quarantine\C\WINDOWS\system32\ynqglupt.exe.vir Infected: Trojan.Win32.Agent.bck skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc1\Quarantine\C\WINDOWS\system32\Z1\mid2dll.exe.vir Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc1\Quarantine\C\WINDOWS\tk58.exe.vir Infected: Trojan.Win32.BHO.ab skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc1\Quarantine\C\WINDOWS\xlavba6.exe.vir Infected: Trojan-Downloader.Win32.Wixud.g skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc2\pmkjk.dll.bad Infected: Backdoor.Win32.Hupigon.qcs skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc2\pmnno.dll.bad Infected: Backdoor.Win32.Hupigon.qcs skipped
C:\RECYCLER\S-1-5-21-579509309-1160611837-3371579980-1005\Dc2\vtsqo.dll.bad Infected: Backdoor.Win32.Hupigon.qcs skipped
C:\SDFix\backups\backups.zip/backups/autorun.exe Infected: Trojan.Win32.Qhost.uo skipped
C:\SDFix\backups\backups.zip/backups/avp.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\SDFix\backups\backups.zip/backups/b104.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\SDFix\backups\backups.zip/backups/b104.exe/stream Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\SDFix\backups\backups.zip/backups/b104.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\SDFix\backups\backups.zip/backups/b122.exe Infected: Trojan-Downloader.Win32.Agent.dpn skipped
C:\SDFix\backups\backups.zip/backups/b128.exe/stream/data0002/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\SDFix\backups\backups.zip/backups/b128.exe/stream/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\SDFix\backups\backups.zip/backups/b128.exe/stream Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\SDFix\backups\backups.zip/backups/b128.exe Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\SDFix\backups\backups.zip/backups/b138.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\SDFix\backups\backups.zip/backups/b147.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\SDFix\backups\backups.zip/backups/mgrs.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\SDFix\backups\backups.zip/backups/printer.exe Infected: Trojan.Win32.Qhost.uo skipped
C:\SDFix\backups\backups.zip/backups/retadpu1000106.exe.tmp Infected: Trojan-Downloader.Win32.Agent.dvd skipped
C:\SDFix\backups\backups.zip/backups/startdrv.exe Infected: Trojan.Win32.Pakes.bmk skipped
C:\SDFix\backups\backups.zip/backups/sulimo.dat Infected: not-virus:Hoax.Win32.Renos.lq skipped
C:\SDFix\backups\backups.zip/backups/system.exe Infected: Trojan.Win32.Qhost.uo skipped
C:\SDFix\backups\backups.zip/backups/uninstall.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\SDFix\backups\backups.zip/backups/vtr.dll Infected: not-virus:Hoax.Win32.Renos.lq skipped
C:\SDFix\backups\backups.zip/backups/WinAvXX.exe Infected: Trojan.Win32.Qhost.uo skipped
C:\SDFix\backups\backups.zip/backups/Yazzle1122OinAdmin.exe Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\SDFix\backups\backups.zip ZIP: infected - 22 skipped
C:\SDFix\backups\HOSTS Infected: Trojan.Win32.Qhost.my skipped
CONTINUED ON NEXT POST IN PART 2
archicat
2007-11-09, 21:15
The following is a continuation of the Kapersky Log began on the previous post.
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0001001.exe Infected: Trojan.Win32.Qhost.uo skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002005.exe Infected: Trojan.Win32.Qhost.uo skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002006.exe Infected: Trojan.Win32.Qhost.uo skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002007.exe Infected: Trojan.Win32.Qhost.uo skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002010.exe Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002012.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002013.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002013.exe/stream Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002013.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002014.exe Infected: Trojan-Downloader.Win32.Agent.dpn skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002015.exe/stream/data0002/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002015.exe/stream/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002015.exe/stream Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002015.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002016.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002017.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002018.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002020.exe Infected: Trojan.Win32.Qhost.uo skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002021.dll Infected: not-virus:Hoax.Win32.Renos.lq skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002035.exe Infected: Trojan.Win32.Qhost.uo skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002036.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002037.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002037.exe/stream Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002037.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002038.exe Infected: Trojan-Downloader.Win32.Agent.dpn skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002039.exe/stream/data0002/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002039.exe/stream/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002039.exe/stream Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002039.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002040.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002041.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002043.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002044.exe Infected: Trojan.Win32.Qhost.uo skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002045.exe Infected: Trojan.Win32.Qhost.uo skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002046.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002048.dll Infected: not-virus:Hoax.Win32.Renos.lq skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002049.exe Infected: Trojan.Win32.Qhost.uo skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP0\A0002050.exe Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0002452.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\A0002457.dll Infected: Trojan.Win32.BHO.hj skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP4\A0003984.dll Infected: Backdoor.Win32.Hupigon.qcs skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP4\A0003986.dll Infected: Backdoor.Win32.Hupigon.qcs skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP4\A0003993.dll Infected: Backdoor.Win32.Hupigon.qcs skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0004039.exe Infected: Trojan.Win32.Qhost.uo skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0004043.exe Infected: Trojan-Downloader.Win32.Wixud.g skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0004045.sys Infected: Trojan-Downloader.Win32.Agent.acl skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0004046.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0004047.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0004048.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0004049.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0004050.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0004051.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0004052.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0004053.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0004054.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0004055.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0004056.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0004057.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0004058.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0004059.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0004060.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0004061.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0004062.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0004063.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0004064.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0004065.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0004066.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0004079.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0004081.exe Infected: Trojan-Downloader.Win32.VB.bgd skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0004082.exe Infected: Trojan-Downloader.Win32.Alphabet.aa skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0004085.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0004087.exe Infected: Trojan.Win32.Small.sh skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0004088.exe Infected: Trojan.Win32.Pakes.sb skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0004318.exe Infected: Email-Worm.Win32.Small.n skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP6\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{17F21466-1BF5-485D-B4BD-281B277AEB33}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\GB9\wrdrvrdl23.exe Infected: Trojan-Downloader.Win32.Small.fuq skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\kwdadwur.dll Infected: Trojan.Win32.BHO.rf skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\hsperfdata_SYSTEM\1664 Object is locked skipped
C:\WINDOWS\Temp\ib5 Object is locked skipped
C:\WINDOWS\Temp\ib6 Object is locked skipped
C:\WINDOWS\Temp\ib7 Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed
pskelley
2007-11-09, 21:23
KASPERSKY ONLINE SCANNER REPORT
Friday, November 09, 2007 3:02:25 PM
C:\RECYCLER\ <<< empty the Recycle Bin on your Desktop
C:\SDFix\backups\ <<< remove SDFix from your computer the backups will go with the folder
When that is done, restart the computer and clean the System Restore files:
C:\System Volume Information\
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
If you followed the directions the next Kaspersky scan should be clean. I do not need to see a clean scan results.
Thanks
archicat
2007-11-10, 20:20
rskelley,
I followed your advise regarding a Recycle bin purge and sytem restore actions, ran a Kaspersky scan, and found the system to be infected. To be sure, I followed the proceedure again, followed by a consistent result.
Additionally, I tried to follow some of the recommendations for firewalls, anti virus programs, etc., and after installing some Microsoft updates (not SP2) including IE7, the system grew very sluggish, control panel would not open, everything felt 'jumpy' and very slow, so I used a system restore to the point preceeding. Just prior to running the following Kaspersky scan, I verified that the Recycle Bin was emptied, and scrubbed the sytem restore settings per your instructions. Please advise...
The following is the results of the latest:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, November 10, 2007 2:11:28 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/11/2007
Kaspersky Anti-Virus database records: 427873
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 58119
Number of viruses found: 15
Number of infected objects: 27
Number of suspicious objects: 0
Duration of the scan process: 00:34:03
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Gentle Husband\Local Settings\Temp\hsperfdata_Gentle Husband\3204 Object is locked skipped
C:\Documents and Settings\Gentle Wife\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Gentle Wife\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
C:\Documents and Settings\Gentle Wife\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped
C:\Documents and Settings\Gentle Wife\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
C:\Documents and Settings\Gentle Wife\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Gentle Wife\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Gentle Wife\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Gentle Wife\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Gentle Wife\Local Settings\History\History.IE5\MSHist012007111020071111\index.dat Object is locked skipped
C:\Documents and Settings\Gentle Wife\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Gentle Wife\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Gentle Wife\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\config\configuration\org.eclipse.core.runtime\.manager\.tmp20694.instance Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\ibdata1 Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\ib_logfile0 Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\ib_logfile1 Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\versioncue\bhasset.ibd Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\versioncue\bhlabel.ibd Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\versioncue\bhlabeltoversion.ibd Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\versioncue\bhpqentry.ibd Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\versioncue\bhserverglobals.ibd Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\data\versioncue\bhuser.ibd Object is locked skipped
C:\Program Files\Adobe\Adobe Version Cue CS2\logs\VersionCue.log Object is locked skipped
C:\Program Files\Common Files\rtemehd.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\SDFix\backups\backups.zip/backups/autorun.exe Infected: Trojan.Win32.Qhost.uo skipped
C:\SDFix\backups\backups.zip/backups/avp.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\SDFix\backups\backups.zip/backups/b104.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\SDFix\backups\backups.zip/backups/b104.exe/stream Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\SDFix\backups\backups.zip/backups/b104.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\SDFix\backups\backups.zip/backups/b122.exe Infected: Trojan-Downloader.Win32.Agent.dpn skipped
C:\SDFix\backups\backups.zip/backups/b128.exe/stream/data0002/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\SDFix\backups\backups.zip/backups/b128.exe/stream/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\SDFix\backups\backups.zip/backups/b128.exe/stream Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\SDFix\backups\backups.zip/backups/b128.exe Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\SDFix\backups\backups.zip/backups/b138.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\SDFix\backups\backups.zip/backups/b147.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\SDFix\backups\backups.zip/backups/mgrs.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\SDFix\backups\backups.zip/backups/printer.exe Infected: Trojan.Win32.Qhost.uo skipped
C:\SDFix\backups\backups.zip/backups/retadpu1000106.exe.tmp Infected: Trojan-Downloader.Win32.Agent.dvd skipped
C:\SDFix\backups\backups.zip/backups/startdrv.exe Infected: Trojan.Win32.Pakes.bmk skipped
C:\SDFix\backups\backups.zip/backups/sulimo.dat Infected: not-virus:Hoax.Win32.Renos.lq skipped
C:\SDFix\backups\backups.zip/backups/system.exe Infected: Trojan.Win32.Qhost.uo skipped
C:\SDFix\backups\backups.zip/backups/uninstall.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\SDFix\backups\backups.zip/backups/vtr.dll Infected: not-virus:Hoax.Win32.Renos.lq skipped
C:\SDFix\backups\backups.zip/backups/WinAvXX.exe Infected: Trojan.Win32.Qhost.uo skipped
C:\SDFix\backups\backups.zip/backups/Yazzle1122OinAdmin.exe Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\SDFix\backups\backups.zip ZIP: infected - 22 skipped
C:\SDFix\backups\HOSTS Infected: Trojan.Win32.Qhost.my skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP14\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{8BA68A56-CBC6-4A1B-A835-A6E88B9AA2C9}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\GB9\wrdrvrdl23.exe Infected: Trojan-Downloader.Win32.Small.fuq skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\kwdadwur.dll Infected: Trojan.Win32.BHO.rf skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\hsperfdata_SYSTEM\1812 Object is locked skipped
C:\WINDOWS\Temp\ib11 Object is locked skipped
C:\WINDOWS\Temp\ib12 Object is locked skipped
C:\WINDOWS\Temp\ib13 Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.
pskelley
2007-11-10, 20:46
My instructions:
C:\SDFix\backups\ <<< remove SDFix from your computer the backups will go with the folderWell, if you deleted the SDFix these would not be there, that is 24 of the items.
C:\SDFix\backups\backups.zip/backups/autorun.exe Infected: Trojan.Win32.Qhost.uo skipped
C:\SDFix\backups\backups.zip/backups/avp.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\SDFix\backups\backups.zip/backups/b104.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\SDFix\backups\backups.zip/backups/b104.exe/stream Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\SDFix\backups\backups.zip/backups/b104.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\SDFix\backups\backups.zip/backups/b122.exe Infected: Trojan-Downloader.Win32.Agent.dpn skipped
C:\SDFix\backups\backups.zip/backups/b128.exe/stream/data0002/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\SDFix\backups\backups.zip/backups/b128.exe/stream/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\SDFix\backups\backups.zip/backups/b128.exe/stream Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\SDFix\backups\backups.zip/backups/b128.exe Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\SDFix\backups\backups.zip/backups/b138.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\SDFix\backups\backups.zip/backups/b147.exe Infected: Trojan.Win32.Agent.bnd skipped
C:\SDFix\backups\backups.zip/backups/mgrs.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\SDFix\backups\backups.zip/backups/printer.exe Infected: Trojan.Win32.Qhost.uo skipped
C:\SDFix\backups\backups.zip/backups/retadpu1000106.exe.tmp Infected: Trojan-Downloader.Win32.Agent.dvd skipped
C:\SDFix\backups\backups.zip/backups/startdrv.exe Infected: Trojan.Win32.Pakes.bmk skipped
C:\SDFix\backups\backups.zip/backups/sulimo.dat Infected: not-virus:Hoax.Win32.Renos.lq skipped
C:\SDFix\backups\backups.zip/backups/system.exe Infected: Trojan.Win32.Qhost.uo skipped
C:\SDFix\backups\backups.zip/backups/uninstall.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\SDFix\backups\backups.zip/backups/vtr.dll Infected: not-virus:Hoax.Win32.Renos.lq skipped
C:\SDFix\backups\backups.zip/backups/WinAvXX.exe Infected: Trojan.Win32.Qhost.uo skipped
C:\SDFix\backups\backups.zip/backups/Yazzle1122OinAdmin.exe Infected: Trojan-Downloader.Win32.PurityScan.eh skipped
C:\SDFix\backups\backups.zip ZIP: infected - 22 skipped
C:\SDFix\backups\HOSTS Infected: Trojan.Win32.Qhost.my skipped
Here are the other three, delete those as well:
C:\WINDOWS\system32\GB9\ <<< delete that folder
C:\WINDOWS\system32\kwdadwur.dll <<< delete that file
C:\Program Files\Common Files\rtemehd.html <<< delete that file
and after installing some Microsoft updates (not SP2) including IE7, the system grew very sluggish, control panel would not openIf you continue to have issues here, I would consult Microsoft:
http://support.microsoft.com/
I would have prefered you waited until I told you the computer was clean, but at some point you will have to install windows updates and IE7 will afford you additional protection, considering I have not seen a computer this infected in a while, I would say you need all of the protection you can get.
Once you have a clean Kaspersky, look at at this information, if the computer was this infected, chances are very good maintenance proceedures are poor also.
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
I also suggest you run a free diagnostic here: http://www.pcpitstop.com/pcpitstop/
I would be glad to advise you if you post a link to the Test Results.
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
archicat
2007-11-11, 18:46
Rskelley,
Thanks for your patience and input.
This is a secondary computer in our household that was set up with no anti-virus... My inclination is that with no active protection, every time we turn the system on we are exposed. Per your advise, I will wait you to initiate the installation of recommended security measures.
As my previous message indicated, the system was restored to previous settings, I deleted the backup files missed on a previous hunting expedition, (oops!) and the subsequent Kaspersky log showed only two trojan-type 'exe' files in Windows\System32 that I deleted.
I will read the info you provided regarding maintenance, etc., and have provided a text save of the PCPitstop check. (not sure how to give you a link...) Once again I am very grateful for your help and expertise, and simply want to get to the point where this mischief is under control.
Thanks Again!
PCPitstop Info
Detailed Summary Home Page
Logged in
Kenneth French
Full Tests
Optimize 1.5
Internet Speed
Spyware Scan
AntiVirus
Running Programs
Data Profiler
Driver Alert
Disk Health
Check ActiveX
Vista Readiness
Info Centers
Help & Support
Battling Spyware
Gator / Claria
Privacy & ID Theft
MaxPC Performance
PC Safety
The Pit Blog
PC Market Trends
About Us Forums
Forums Home
Fix My PC
Internet Tests
Viruses & Spyware
Site Feedback
Current Test Results
Summary
Test Details
Hardware List
Installed Software
Software by Category
System Comparisons
Test History
Share Results with
Test Details
TipsIn the tips and the tables, red indicates a serious problem, yellow a
minor problem, and blue a suggestion.
• Sub Optimal Internet Performance
• Reduce System Restore space (Drive C)
• Adjust IE browser cache size
• Install Backup Software
Windows ConfigurationDescription Your Results
Common NameWindows XP Pro SP2
Full VersionWindows XP Pro SP2
First InstallFri Sep 15 2006
Free Resources90%
Fonts Installed274
Windows Scripting Version5.6.0.8820
PCPitstop Version179
CPU Load1%
Running ProgramsMalicious or poorly written running programs are a common
cause of poor performance and system instability. We strongly recommend
that you use an antivirus program like CA Anti-Virus and a spyware scanner
such as PC Pitstop Exterminate on a regular basis. To get control over
your running programs we suggest WinPatrol Plus. Click on a file name to
see more information about it.
Legend: Virus Spyware/Adware Optional Required No
data
designates programs that can safely be disabled to improve computer
performance, PC Pitstop Optimize disables these programs.
NameVendorComplete File Name
Speech Microsoft CorporationC:\WINDOWS\system32\ctfmon.exe
Distiller Tray Icon Adobe Systems Inc.C:\Program Files\Adobe\Adobe
Acrobat 7.0\Distillr\Acrotray.exe
ISUSScheduler InstallShield Software CorporationC:\Program
Files\Common Files\InstallShield\U ... \issch.exe
Digital Line Detect BVRP SoftwareC:\Program Files\Digital Line
Detect\DLG.exe
MusicMatch tray icon Musicmatch, Inc.C:\Program
Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
Intel Hotkeys Intel CorporationC:\WINDOWS\system32\hkcmd.exe
Adobe Version Cue CS2 Adobe Sytems IncorporatedC:\Program
Files\Adobe\Adobe Version Cue CS2\ ... \VersionCueCS2Tray.exe
Version Cue Adobe Systems IncorporatedC:\Program Files\Adobe\Adobe
Version Cue CS2\ ... \VersionCueCS2.exe
Debugger Microsoft CorporationC:\Program Files\Common
Files\Microsoft Shared\VS7DEBUG\MDM.EXE
Dell Support Gteko Ltd.C:\Program Files\DellSupport\DSAgnt.exe
Media Experience C:\Program Files\Dell\Media
Experience\DMXLauncher.exe
GoogleToolbarNotifier Google Inc.C:\Program
Files\Google\GoogleToolbarNotifier ... \GoogleToolbarNotifier.exe
Epson Status Monitor SEIKO EPSON
CORPORATIONC:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2J1.EXE
Media Center Remote Microsoft
CorporationC:\WINDOWS\eHome\ehRecvr.exe
Intel(R) Common User Interface Intel
CorporationC:\WINDOWS\system32\igfxpers.exe
(Various) Microsoft CorporationC:\WINDOWS\system32\dllhost.exe
AOL Connectivity America Online,
Inc.C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
MySQL Daemon C:\Program Files\Adobe\Adobe Version Cue CS2\ ...
\mysqld-nt.exe
Microsoft eHome Microsoft CorporationC:\WINDOWS\ehome\ehtray.exe
Print spooler Microsoft CorporationC:\WINDOWS\system32\spoolsv.exe
Windows Security Center Microsoft
CorporationC:\WINDOWS\system32\wscntfy.exe
Windows Update Microsoft CorporationC:\WINDOWS\system32\wuauclt.exe
DLACTRLW Sonic SolutionsC:\WINDOWS\System32\DLA\DLACTRLW.EXE
Internet Explorer Microsoft CorporationC:\Program Files\internet
explorer\iexplore.exe
Windows Explorer Microsoft CorporationC:\WINDOWS\Explorer.EXE
Microsoft Media Center Microsoft
CorporationC:\WINDOWS\eHome\ehSched.exe
Microsoft Media Center Microsoft
CorporationC:\WINDOWS\eHome\ehmsas.exe
Local Security Authority Microsoft
CorporationC:\WINDOWS\system32\lsass.exe
Service control process Microsoft
CorporationC:\WINDOWS\system32\services.exe
Service host process Microsoft
CorporationC:\WINDOWS\system32\svchost.exe
Performance-Related Windows Settings
The following settings may be helpful in diagnosing general system
performance problems.
Setting nameValue
Video acceleration disabledNo
Paging of kernel disabledNo
Screen saver running during testsNo
NOIDE key found in registryNo
Running 32-bit code on 64-bit WindowsNo
System Restore disabledNo
Large System Cache enabledNo
Has batteriesNo
Hibernate enabledNo
HIBERFIL.SYS presentNo
Hibernate policy in useNo
Sleep/Resume policy in useYes
Running on battery powerNo
Internet Configuration
Run our Free PC Pitstop Optimize 1.5 Scan to check proper registry
settings for your connection type. Optimize tweaks the optimal registry
values to get the most from your Internet connection.
Try our free Optimize 1.5 Scan Now!
Learn More.Description Your Results
Bandwidth Down2801 Kbits/sec
Bandwidth Up225 Kbits/sec
Average Ping54 ms
Ping Loss0%
TCP Receive Window(default)
External IP Address208.102.115.223
Internal IP Address192.168.1.102
BrowserMSIE 6.0; SV1; .NET CLR 1.0.3705; .NET CLR 1.1.4322; Media
Center PC 4.0
IE current cache55 MB
IE max cache128 MB
Packet8 Internet Phone Service
Make unlimited voice calls on your broadband Internet connection for only
$19.99/month! Forget long distance phone bills with Packet8 Voice-over-IP
technology.
Click here for information on how to get startedThe Bandwidth tests
measure the Internet bandwidth between your computer and PC Pitstop's
servers. In general, if your bandwidth result is at least 85% of the rated
connection speed, you're receiving good throughput (though shared
connections may affect this, too).
Average Ping measures the round-trip time for a packet to travel from the
PC being tested to PC Pitstop's web site and back; lower numbers indicate
better performance. Ping times under 150ms are typical of T1, DSL, or
cable modems. Consistent ping times of more than 500ms should only be seen
in connections that span continents (e.g., USA to Europe) and/or are
linked by satellite. Ping losses usually indicate serious Internet
congestion.
Internet performance can be erratic for many different reasons, so you
can't expect to get maximum bandwidth and ping performance every time you
test. You should test several times and at different times of the day to
get the most accurate picture of your connection speed. To repeat only our
Bandwidth test and get more information, plus tips for improving
performance, click here. For additional testing of your browser
configuration and Internet connection, we recommend BrowserTune.
More Internet related Settings
The following settings may be helpful in diagnosing internet performance
problems.
Setting nameValue
Using a proxyNo
HTTP 1.1 through proxy EnabledNo
HTTP 1.1 EnabledYes
Check for newer pages turned offNo
Show PicturesNo
Format docs using my style sheetNo
Content Advisor enabledNo
Check Associations DisableNo
Enable Automatic Image ResizeYes
Enable third-party browser extensionsNo
Enable page transitionsYes
Always use my {colors|fonts|size}No
Security ConfigurationDescription Your Results
IE Restricted Zone PermissionsNone
Security-Related Windows Settings
The following settings may be helpful in diagnosing spyware and browser
hijacks.
Setting nameValue
Explorer: Some drive letters are hiddenNo
Explorer: Hide extensions for known file typesNo
Explorer: Hide protected operating system filesNo
Explorer: Do not show hidden files and foldersNo
Explorer: Do not display contents of system foldersYes
HOSTS location remapped via the RegistryNo
System File Protection disabledNo
Main BoardDescription Your Results
Brand/Model Dell Inc. Dell DV051
Type Desktop
Serial Number HFDQZ91
BIOS Dell Inc. A03 10/08/2005
System Board Dell Inc. 0JC474
ProcessorDescription Your Results
Brand/Model Intel Pentium 4
Nominal Clock Speed 2800 MHz
Measured Clock Speed 2793 MHz
External Clock Speed 800 MHz
CPU Load 1%
Speed Rating 4552 (97% of 12577 similar)
Memory ConfigurationDescription Results
RAM installed1024 MB
Windows RAM1015 MB
Total RAM slots2
Available RAM slots0
Max RAM module size0 MB
Memory Type512+512;DIMM,?18,|Synchronous;T16
Speed Rating6865 MB/s (108% of 12577 similar)
Memory Tip
On virtually any system, memory is the best bang-for-the-buck upgrade,
especially if you currently have 256MB or less. Installing memory is a
snap, it just works and your PC is faster. PC World has put together a
step-by-step guide if you need help.
With prices so low lately I've purchased a lot of memory, and all of it
has been from Crucial. Their prices beat the competition and they
currently have free shipping.
-- Rob Cheng, CEO, PC PitstopUpgrading memory can give your computer extra
performance. Crucial Technology can identify the memory you need at very
competitive prices.
Speed rating is measured in megabytes per second. The percentage indicates
the performance of this system compared to systems in our database with a
similar CPU and clock speed; the number of similar systems is also shown.
For example, a score of 50% would indicate this system had half the
performance of comparable systems; 200% would indicate twice the
performance. A "normal" number is 100% plus or minus about 15%.
The System Management BIOS is reporting that there is 1024 MB of RAM, but
Windows reports that 1015 MB is available. The most common reason for this
discrepancy is that your system uses some system RAM for the video
graphics card or BIOS functions. This case is common in highly-integrated
PCs with video graphics built into the system board, and does not require
any changes on your part.
Drive LettersThese are drive letters associated with hard disk drives.
This list does not include drive letters for floppy disks or other
removable media such as CD-ROM, DVD, Zip or Jaz drives.
DescriptionDrive CDrive D
Partition formatNTFS NTFS
Cluster size4 KB4 KB
Drive labelNo LabelBackup
Size52438 MB19053 MB
Free space35937 MB (69%)18988 MB (100%)
Junk files55 MB (0%)0 MB (0%)
System Restore Space6292 MB (12%) 2286 MB (12%)
Data fragmentation2%Not tested
File fragmentation2%Not tested
Uncached speed48 MB/s (124%)43 MB/s (111%)
Percentages shown for free space, junk files (temporary files, browser
cache, Recycle Bin files), and system restore space represent the size
relative to the total disk capacity. A disk with 50% free space is
half-full (or half-empty, if you're an optimist). PC Pitstop Optimize is
an easy way to keep your hard disk free of unnecessary files.
Our full tests only perform disk health checking on the C drive. We
recommend that you check the health of your other drives using Disk MD.
Data fragmentation measures the percentage of data on the disk that is
contained in fragmented files. File fragmentation is the percentage of
files on the disk that are fragmented. Some disk optimization programs
such as Window's Disk Defragmenter intentionally fragment files to place
them in the best position to ensure quick program loading, so the
fragmentation measures may be non-zero even after running a disk
optimizer. For more details check out Disk MD.
Cached and uncached speed is measured in megabytes per second (MB/s). When
a percentage is shown for cached and uncached speed, it compares the
performance of the drive with those of systems in our database with the
same processor and clock speed. (Our database currently has 12577 similar
systems.) A rating of 200% means a disk is twice the performance of
similar systems, 50% means it's half the performance. Cached disk speed
generally measures the efficiency of the system's processor and memory
system, not the performance of the hard disk. Uncached speed is most
affected by the physical hard disk and the disk interface.
Disk DrivesHere are the physical disk drives that we have detected on your
system:
Drive 0
Drive lettersCD
Removable mediaNo
Brand/ModelSAMSUNG HD080HJ/P
IDE details
Serial number
Revision level
For IDE drives, IDE details show whether the drive has DMA enabled and is
an IDE master (single drive, or master drive in a master/slave pair).
CD/DVD DrivesHere are the CD and DVD drives that we have detected on your
system:
ModelTypeMax Read SpeedMax Write Speed
TSSTcorp CDRWDVD TS-H492CCD-RW8467 KB/s (48X)8467 KB/s (48X)
Video BoardDescription Your Results
Brand/ModelIntel(R) 82915G/GV/910GL Express Chipset Family
Resolution1024x768 pixels
Colors16 million
DirectX version5.03.2600.2180 (xpsp_sp2_rtm.040803-2158)
OpenGL version5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
Acceleration optionsEnabled
Performance146.78 MP/s (70% of 1633 similar)
Get Updated Drivers!
Run PC Pitstop Driver Alert FREE to find your PCs most up-to-date drivers.
more
Better Performance
Improved Stability
Fast and Easy
PC Pitstop's video performance performs a basic test of your system's
graphics capabilities and reports the result in millions of pixels
displayed per second (MP/s). The percentage indicates the performance of
this system compared to systems in our database with a similar CPU, clock
speed, and video board. For example, a score of 50% would indicate this
system had half the performance of comparable systems; 200% would indicate
twice the performance. Determining "normal" performance can be difficult,
there can be wide differences due to video drivers even on the same video
board. (You can use TouchStone's DriverAgent to see if you have the latest
driver.)
MonitorsDescription
MonitorDell 230322Dell 230322
Max. Resolution (HxV)1600 x 1200 pixels1600 x 1200 pixels
Screen Size (HxV)34 x 27 cm34 x 27 cm
Viewable Diagonal Size17.09 inch17.09 inch
Manufacture DateApril 2006April 2006
Serial Number809848148809848148
Home | Our Legal Stuff | Privacy Policy | Press | Our Store | Link to Us
Testimonials | Customer Service | Support PC Pitstop | Printable Page
pskelley
2007-11-11, 20:05
You used to be able to run without a antivirus and with some luck stay fairly clean...not anymore. It is cyber-suicide going online without and antivirus program, firewall and a good spyware program, see this:
http://www.theregister.com/2007/05/11/google_malware_map/
http://redtape.msnbc.com/2007/05/the_next_net_th.html
http://www.channelregister.co.uk/2007/11/07/rogue_antispyware_ads/
The information you posted from PCPitStop does not help, here is the forum where you can post your questions about the test results:
http://pcpitstop.invisionzone.com/index.php?showforum=6 and here is an example of what a link to a test results would look like:
http://www.pcpitstop.com/pcpitstop/Summary.asp?TechExpress=WPBKHWY8HEVS8KPV
Thanks
archicat
2007-11-11, 22:59
rskelley,
Here is the pcpitstop link: http://www.pcpitstop.com/pcpitstop/Summary.asp?conid=18894333
Are we clean enough to install security measures and use this sytem?
Thanks again for all your help!
pskelley
2007-11-11, 23:11
Click on that link and see where it sends you.
Are we clean enough to install security measures and use this sytem?
should be fine but review the information for security measures asap.
Thanks