Virtumonde, smitfraud...lots more.
Yesterday morning my computer went crazy. I have done what is asked. Thanks for any help!!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:21:15 PM, on 10/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\DOCUME~1\Annie\MYDOCU~1\CROSOF~1\scanregw.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\ALLTEL DSL Check-up Center\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O1 - Hosts: 1315771170 google.com
O1 - Hosts: 1315771170 www.google.com
O1 - Hosts: 1315771170 www.altavista.com
O1 - Hosts: 1315771170 altavista.com
O1 - Hosts: 1315771170 www.alltheweb.com
O1 - Hosts: 1315771170 alltheweb.com
O1 - Hosts: 1315771170 search.google.com
O1 - Hosts: 1315771170 search.yahoo.com
O1 - Hosts: 1315771170 search.lycos.com
O1 - Hosts: 1315771170 search.live.com
O1 - Hosts: 1315771170 search.msn.com
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKLM\..\Run: [{48-8D-DB-B2-ZN}] C:\Documents and Settings\Annie\Local Settings\Temp\T0CHD001.exe CHD001
O4 - HKLM\..\Run: [Windows Update Check] C:\WINDOWS\system32\syslodr.exe
O4 - HKLM\..\Run: [pshwlglu] rundll32.exe "C:\Program Files\batcfktc\velodqlc.dll",Init
O4 - HKLM\..\Run: [ugcw] "C:\PROGRA~1\COMMON~1\SPYGUA~1\ugcw.exe" -start
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\SpyGuardPro\bm.exe" dm=http://spyguardpro.com; ad=http://spyguardpro.com
O4 - HKLM\..\Run: [SpyGuardPro] C:\Program Files\SpyGuardPro\pgs.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.5\webbuying.exe
O4 - HKCU\..\Run: [Aaou] "C:\DOCUME~1\Annie\MYDOCU~1\CROSOF~1\scanregw.exe" -vt yazb
O4 - HKCU\..\Run: [Dej] "C:\Documents and Settings\Annie\My Documents\?dobe\n?tdde.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ISMModule8] "C:\Program Files\ISM\ISMModule8.exe"
O4 - HKCU\..\Run: [ISMPack8] "C:\Program Files\ISM2\ISMPack8.exe"
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\1.bin\mwsoemon.exe
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Annie\Local Settings\Temp\T0CHD001.exe
O4 - Global Startup: Windstream Broadband Check-up Center.lnk = C:\Program Files\ALLTEL DSL Check-up Center\bin\matcli.exe
O8 - Extra context menu item: &Search - ?p=ZNfox000
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\Program Files\MANSION\FreePoker\MANSION.exe (file missing)
O9 - Extra 'Tools' menuitem: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\Program Files\MANSION\FreePoker\MANSION.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/WINDSTREAM/static/controls/WebflowActiveXInstaller_2-0-0.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 11977 bytes
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, October 27, 2007 4:22:01 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/10/2007
Kaspersky Anti-Virus database records: 447219
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 55796
Number of viruses found: 43
Number of infected objects: 131
Number of suspicious objects: 6
Duration of the scan process: 01:20:58
Infected Object Name / Virus Name / Last Action
C:\2b664ce64e8d46a9201\amdk7.sys Object is locked skipped
C:\2b664ce64e8d46a9201\k7qfe.cat Object is locked skipped
C:\2b664ce64e8d46a9201\k7qfe.inf Object is locked skipped
C:\2b664ce64e8d46a9201\symbols\sys\amdk7.pdb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch.zip/M3SRCHMN.EXE Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MyWayMyWebSearch.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant1.zip/v1.8.5/wbuninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle1.zip/Yazzle1162OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\vcjaxejy.dll Infected: Trojan.Win32.Obfuscated.jx skipped
C:\Documents and Settings\Annie\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\cert8.db Object is locked skipped
C:\Documents and Settings\Annie\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Annie\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\history.dat Object is locked skipped
C:\Documents and Settings\Annie\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\key3.db Object is locked skipped
C:\Documents and Settings\Annie\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\parent.lock Object is locked skipped
C:\Documents and Settings\Annie\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Annie\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Annie\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Messenger\angel_annie_05@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Messenger\angel_annie_05@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Messenger\angel_annie_05@hotmail.com\SharingMetadata\Working\database_D034_E4A3_34E4_8DB2\dfsr.db Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Messenger\angel_annie_05@hotmail.com\SharingMetadata\Working\database_D034_E4A3_34E4_8DB2\fsr.log Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Messenger\angel_annie_05@hotmail.com\SharingMetadata\Working\database_D034_E4A3_34E4_8DB2\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Messenger\angel_annie_05@hotmail.com\SharingMetadata\Working\database_D034_E4A3_34E4_8DB2\tmp.edb Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Windows Live Contacts\angel_annie_05@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Windows Live Contacts\angel_annie_05@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\History\History.IE5\MSHist012007102720071028\index.dat Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Temp\567hJJJkjhIojnhm.exe/data0006 Infected: Trojan-Downloader.Win32.VB.bnq skipped
C:\Documents and Settings\Annie\Local Settings\Temp\567hJJJkjhIojnhm.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Annie\Local Settings\Temp\CEMG555077.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Documents and Settings\Annie\Local Settings\Temp\CEMG555077.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Annie\Local Settings\Temp\gos1D3.tmp Infected: Trojan.Win32.Dialer.qn skipped
C:\Documents and Settings\Annie\Local Settings\Temp\install_en.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Annie\Local Settings\Temp\k11u72.exe/data0006 Infected: Trojan-Downloader.Win32.VB.bnq skipped
C:\Documents and Settings\Annie\Local Settings\Temp\k11u72.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Annie\Local Settings\Temp\MTE3MDk6ODoxNg.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Documents and Settings\Annie\Local Settings\Temp\NI.UGA6P_0001_N122M2210\setup.exe Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Documents and Settings\Annie\Local Settings\Temp\Perflib_Perfdata_85c.dat Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Temp\win1D4.tmp.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\Documents and Settings\Annie\Local Settings\Temp\win1D6.tmp.exe Infected: Trojan-Downloader.Win32.VB.bng skipped
C:\Documents and Settings\Annie\Local Settings\Temp\win1DD.tmp.exe Infected: not-virus:Hoax.Win32.Renos.hx skipped
C:\Documents and Settings\Annie\Local Settings\Temp\~DF135F.tmp Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Temp\~DF15EA.tmp Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Temp\~DF9247.tmp Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Temp\~DF9293.tmp Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Temp\~uga6psetup.exe/file14 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Documents and Settings\Annie\Local Settings\Temp\~uga6psetup.exe/file20 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Documents and Settings\Annie\Local Settings\Temp\~uga6psetup.exe/file34 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Documents and Settings\Annie\Local Settings\Temp\~uga6psetup.exe/file36 Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\Documents and Settings\Annie\Local Settings\Temp\~uga6psetup.exe Inno: infected - 4 skipped
C:\Documents and Settings\Annie\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Temporary Internet Files\Content.IE5\4DIZSOWE\tsitra[1].exe Infected: Trojan-Downloader.Win32.Agent.enr skipped
C:\Documents and Settings\Annie\Local Settings\Temporary Internet Files\Content.IE5\4DIZSOWE\vasya[1] Infected: Trojan.Win32.Agent.bck skipped
C:\Documents and Settings\Annie\Local Settings\Temporary Internet Files\Content.IE5\4DIZSOWE\xc23[1].exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\Documents and Settings\Annie\Local Settings\Temporary Internet Files\Content.IE5\79GZ7KJF\Install1300[1].exe Infected: not-virus:Hoax.Win32.Renos.hx skipped
C:\Documents and Settings\Annie\Local Settings\Temporary Internet Files\Content.IE5\79GZ7KJF\Install1300[2].exe Infected: not-virus:Hoax.Win32.Renos.hx skipped
C:\Documents and Settings\Annie\Local Settings\Temporary Internet Files\Content.IE5\79GZ7KJF\upd32_v13[1] Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\Documents and Settings\Annie\Local Settings\Temporary Internet Files\Content.IE5\CE53LERR\install_en[1].exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\Documents and Settings\Annie\Local Settings\Temporary Internet Files\Content.IE5\CE53LERR\k11u72[1].exe/data0006 Infected: Trojan-Downloader.Win32.VB.bnq skipped
C:\Documents and Settings\Annie\Local Settings\Temporary Internet Files\Content.IE5\CE53LERR\k11u72[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\Annie\Local Settings\Temporary Internet Files\Content.IE5\CE53LERR\xc60[1].exe Infected: Trojan.Win32.Dialer.qn skipped
C:\Documents and Settings\Annie\Local Settings\Temporary Internet Files\Content.IE5\GWXMQFEJ\antzom[2].exe Infected: Trojan.Win32.Dialer.qn skipped
C:\Documents and Settings\Annie\Local Settings\Temporary Internet Files\Content.IE5\GWXMQFEJ\xc23[1].exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\Documents and Settings\Annie\Local Settings\Temporary Internet Files\Content.IE5\GWXMQFEJ\xc29[1].exe Infected: Trojan.Win32.Dialer.qn skipped
C:\Documents and Settings\Annie\Local Settings\Temporary Internet Files\Content.IE5\GWXMQFEJ\xcd23[1].exe Infected: Trojan-Downloader.Win32.VB.bpl skipped
C:\Documents and Settings\Annie\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Annie\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Annie\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\batcfktc\velodqlc.dll Infected: Trojan-Downloader.Win32.Zlob.dxz skipped
C:\Program Files\Cakgamdh\nhfjdeqw.dll Infected: Trojan.Win32.Obfuscated.jx skipped
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\Program Files\MSN Messenger\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\Program Files\MSN Messenger\riched20.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\TTC.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Program Files\Yahoo!\Messenger\ypager.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP335\A0096792.sys Infected: Rootkit.Win32.Agent.jf skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096818.exe Infected: not-virus:Hoax.Win32.Renos.hx skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096829.scr Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096830.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096839.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096840.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ba skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096841.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096850.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096851.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096852.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096855.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096856.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096857.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.af skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096858.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096859.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096860.SCR Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096861.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096862.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096863.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.a skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096864.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096865.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.aq skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096866.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bh skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096868.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096869.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ax skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096871.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.at skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096873.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096874.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096875.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.ad skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096877.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096878.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096879.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096882.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0096884.dll Infected: Trojan-Downloader.Win32.Small.gkg skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0097843.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0097856.sys Infected: Rootkit.Win32.Agent.jf skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0097895.sys Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0097896.sys Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0097909.dll Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP337\A0097921.sys Infected: Rootkit.Win32.Agent.jf skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP338\A0098055.sys Infected: Rootkit.Win32.Agent.jf skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP338\A0103028.exe Infected: not-a-virus:AdWare.Win32.Agent.lv skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP338\A0103034.sys Infected: Rootkit.Win32.Agent.jf skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP338\A0103037.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP338\A0103046.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP338\A0103050.exe Infected: Trojan-Downloader.Win32.Agent.enr skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP338\A0103051.exe Infected: not-virus:Hoax.Win32.Renos.hx skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP338\A0103056.dll Infected: Trojan.Win32.Obfuscated.jx skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP338\A0103057.dll Infected: Trojan.Win32.Obfuscated.jx skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP338\A0103058.dll Infected: Trojan.Win32.Agent.qt skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP338\A0103059.exe Infected: Trojan.Win32.Agent.bck skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP338\A0103061.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP338\A0103063.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP338\A0103064.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP338\A0103065.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP338\A0103066.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP338\A0103067.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP338\A0103097.exe/mwsSetup.CommonCodebase.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP338\A0103097.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP338\A0103100.exe/mwsSetup.CommonCodebase.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.av skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP338\A0103100.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP338\A0103118.dll Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP338\A0103122.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP338\A0103125.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP338\A0103127.dll Infected: Trojan.Win32.Obfuscated.jx skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP338\A0103128.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP338\A0103133.sys Infected: Rootkit.Win32.Agent.jf skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP338\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hh.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\msconv97.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\osk.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shdocvw.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\urlmon.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\zipfldr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828028$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjetol1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\frexup3.exe/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\WINDOWS\frexup3.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\WINDOWS\frexup3.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\WINDOWS\frexup3.exe NSIS: infected - 3 skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{1E80C883-43FC-453E-98F0-C243D9A9C6BE}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINDOWS\system32\drivers\core.sys Object is locked skipped
C:\WINDOWS\system32\drvdis.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\WINDOWS\system32\fkmdvbtn\fkmdvbtn1.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped
C:\WINDOWS\system32\fkmdvbtn\fkmdvbtn2.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped
C:\WINDOWS\system32\fkmdvbtn\fkmdvbtn3.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\kernelw.sys Infected: Rootkit.Win32.Agent.jf skipped
C:\WINDOWS\system32\oTt06e\oTt06e1083.exe Infected: Trojan-Downloader.Win32.VB.bnq skipped
C:\WINDOWS\system32\oTt08e\oTt08e1099.exe Infected: Trojan-Downloader.Win32.VB.bnq skipped
C:\WINDOWS\system32\oyagysio.exe Infected: Trojan.Win32.Agent.bck skipped
C:\WINDOWS\system32\s2\EMDT83122.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\WINDOWS\system32\s2\EMDT83122.exe NSIS: infected - 1 skipped
C:\WINDOWS\system32\v1\bcb49ene.exe Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\WINDOWS\system32\vvgeowbv.exe Infected: not-virus:Hoax.Win32.Renos.kj skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\winowk32.dll Infected: Trojan.Win32.Agent.qt skipped
C:\WINDOWS\Temp\gos7D.tmp Infected: Trojan.Win32.Dialer.qn skipped
C:\WINDOWS\Temp\win7C.tmp.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\WINDOWS\Temp\win7F.tmp.exe Infected: Trojan-Downloader.Win32.VB.bpl skipped
C:\WINDOWS\Temp\win89.tmp.exe Infected: not-virus:Hoax.Win32.Renos.hx skipped
C:\WINDOWS\Temp\win8F.tmp.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Setup\ALLTEL.exe//VNC/MotVNC.exe/WISE0008.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
D:\Setup\ALLTEL.exe//VNC/MotVNC.exe/WISE0009.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
D:\Setup\ALLTEL.exe//VNC/MotVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
D:\Setup\ALLTEL.exe CabSFX: infected - 3 skipped
Scan process completed.
pskelley
2007-11-01, 14:11
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Thanks for returning the information we requested. I apologize for the wait; the volunteers are very busy, as they are at all malware forums.
You have a nasty infection and it's going to take some work to clean it up. Since this junk will download more, I suggest you keep this computer offline except when troubleshooting until I tell you it is clean.
Please follow the directions carefully and in the posted order.
1) TeaTimer will block changes we must make; use these instructions to turn it off until we are done.
2) I will assume you did not set the O1 Hosts file like that; stop and make us aware if you did.
3) Download HostsXpert 4.1 from here: http://www.funkytoad.com/content/view/13/31/
Unzip HostsXpert - Hosts File Manager to a convenient folder such as C:\HostsXpert
Click HostsXpert.exe to Run HostsXpert 4.1 - Hosts File Manager from its new home
Click "Make Hosts Writable?" in the upper right corner (If available).
Click Restore Microsoft's Hosts file and then click OK.
Click the X to exit the program.
Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
4) Thanks to sUBs and anyone else who helped with this fix.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Thanks
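Step 3 in the post above resets the hosts file to Microsoft's default because rogue-antivirus families of this kind commonly add hosts entries that point security-vendor and help-forum domains at 127.0.0.1 (or at some other address), so the victim cannot reach updates or support. The script below is an added example, not part of pskelley's post, of HostsXpert, or of any tool in this thread: it parses a constructed sample hosts file and classifies each mapping as a stock default, vendor tampering, a redirect to a non-loopback address, or a custom entry the owner would need to re-add after a reset (the caveat in step 3). The vendor-domain list, the sample file and the 203.0.113.5 address (RFC 5737 documentation range) are assumptions made for illustration.

```python
"""Audit a Windows hosts file for entries typical of a hosts-file hijack.

Added example; the sample file and the domain list are constructed for
illustration. On Windows XP the live file would be read from
C:\\WINDOWS\\system32\\drivers\\etc\\hosts instead of SAMPLE_HOSTS.
"""
import ipaddress
from collections import defaultdict

# Domains that rogue-AV / fraud-tool families often map to 127.0.0.1 so the
# victim cannot fetch updates or reach help forums. Illustrative list.
PROTECTED_SUFFIXES = (
    "spybot.info", "bleepingcomputer.com", "techsupportforum.com",
    "windowsupdate.com", "update.microsoft.com", "mcafee.com",
    "symantec.com", "kaspersky.com", "trendmicro.com", "lavasoft.com",
)

# Constructed sample, shaped like a tampered XP hosts file.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
127.0.0.1       www.spybot.info forums.spybot.info   # constructed: blocks the help forum
127.0.0.1       liveupdate.symantec.com              # constructed: blocks AV updates
203.0.113.5     www.google.com                       # constructed: redirect to TEST-NET-3
127.0.0.1       ad.doubleclick.net                   # constructed: owner's own ad block
"""


def parse_hosts(text):
    """Return a list of (line_no, ip_address, hostname), one per hostname.

    Comments ('#' to end of line), blank lines and lines whose first token
    is not a valid IP address are skipped, as the resolver ignores them.
    """
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address: not a usable mapping
        for host in parts[1:]:
            entries.append((line_no, ip, host.lower()))
    return entries


def classify(ip, host):
    """Label one mapping: default, vendor_tamper, redirect or custom."""
    if host == "localhost" and ip.is_loopback:
        return "default"
    if any(host == s or host.endswith("." + s) for s in PROTECTED_SUFFIXES):
        # Any override of a vendor/help domain is tampering, whatever the IP.
        return "vendor_tamper"
    if not (ip.is_loopback or ip.is_unspecified):
        # Sending a name to a real address is a redirect, not a block.
        return "redirect"
    return "custom"  # loopback/0.0.0.0 block of an ordinary site, e.g. ad-blocking


def audit(text):
    """Group all mappings in a hosts file by classification."""
    report = defaultdict(list)
    for line_no, ip, host in parse_hosts(text):
        report[classify(ip, host)].append((line_no, str(ip), host))
    return dict(report)


if __name__ == "__main__":
    for kind, rows in audit(SAMPLE_HOSTS).items():
        for line_no, ip, host in rows:
            print(f"line {line_no}: {ip:<15} {host:<28} -> {kind}")
```

Entries reported as `vendor_tamper` or `redirect` are the ones a reset to the Microsoft default removes; anything under `custom` is the owner's own work and is what the "replace any of those entries yourself" note refers to.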
Thank you for helping me :)! I understand having to wait. I bet you guys keep busy. Okay, just so you know, I have removed my outdated Norton from my system and now have an up-to-date McAfee. I will also admit I have been online, but won't be unless I am checking this now.
Okay here are my logs!
ComboFix 07-11-01.1** - Annie 2007-11-01 8:49:43.1 - NTFSx86
Running from: C:\Documents and Settings\Annie\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data.\mjsrcrit.dll
C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Annie\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Annie\My Documents\CROSOF~1
C:\Documents and Settings\Annie\My Documents\CROSOF~1\??crosoft\
C:\Documents and Settings\Annie\My Documents\DOBE~1
C:\Documents and Settings\Annie\My Documents\DOBE~1\n?tdde.exe
C:\Documents and Settings\Annie\ResErrors.log
C:\Documents and Settings\Annie\Start Menu\Programs\Startup\ta_start.lnk
C:\Documents and Settings\Buzz\Start Menu\Programs\Startup\TA_Start.lnk
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe
C:\Temp\1cb
C:\Temp\fCOe
C:\temp\tn3
C:\WINDOWS\system32\crlthblj.dll
C:\WINDOWS\system32\d3
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\cell_bg.gif
C:\WINDOWS\system32\drivers\cell_footer.gif
C:\WINDOWS\system32\drivers\cell_header_block.gif
C:\WINDOWS\system32\drivers\cell_header_remove.gif
C:\WINDOWS\system32\drivers\cell_header_scan.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\download_btn.jpg
C:\WINDOWS\system32\drivers\download_now_btn.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_red_bg.gif
C:\WINDOWS\system32\drivers\header_red_free_scan.gif
C:\WINDOWS\system32\drivers\header_red_free_scan_bg.gif
C:\WINDOWS\system32\drivers\header_red_protect_your_pc.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\rating.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\screenshot.jpg
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\shadow_bg.gif
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\drvdisr.dll
C:\WINDOWS\system32\f22
C:\WINDOWS\system32\f22\bc1224wv.exe
C:\WINDOWS\system32\fwq.dll
C:\WINDOWS\system32\hbbyaeyn.ini
C:\WINDOWS\system32\jlbhtlrc.ini
C:\WINDOWS\system32\kernelw.sys
C:\WINDOWS\system32\ldinfo.ldr
C:\WINDOWS\system32\msnav32.ax
C:\WINDOWS\system32\nusrmgr.exe
C:\WINDOWS\system32\nyeaybbh.dll
C:\WINDOWS\system32\oaqcauo.dll
C:\WINDOWS\system32\oTt06e
C:\WINDOWS\system32\oTt08e
C:\WINDOWS\system32\p8
C:\WINDOWS\system32\p8\stallbb1.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\s2
C:\WINDOWS\system32\ubeoamnw.dll
C:\WINDOWS\system32\uwrermot.dll
C:\WINDOWS\system32\v1
C:\WINDOWS\system32\wnstsicomsv.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_DRIVER
-------\LEGACY_NETWORK_MONITOR
-------\Driver
((((((((((((((((((((((((( Files Created from 2007-10-01 to 2007-11-01 )))))))))))))))))))))))))))))))
.
2007-11-01 08:48 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-01 08:05 <DIR> d-------- C:\Program Files\Tcmvpxcr
2007-10-31 20:54 4,202 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-29 10:23 <DIR> d-------- C:\Program Files\SiteAdvisor
2007-10-29 10:23 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-10-29 10:23 <DIR> d-------- C:\Documents and Settings\Annie\Application Data\SiteAdvisor
2007-10-29 10:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-10-29 10:21 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2007-10-29 09:53 171,240 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-10-29 09:53 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-10-29 09:53 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-10-29 09:53 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-10-29 09:53 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-10-29 09:52 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-10-29 09:50 <DIR> d-------- C:\Program Files\McAfee.com
2007-10-29 09:49 <DIR> d-------- C:\Program Files\McAfee
2007-10-29 09:49 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-10-29 09:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-28 08:53 <DIR> d-------- C:\Program Files\Uqoiypdz
2007-10-27 17:20 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-27 16:12 <DIR> d-------- C:\Program Files\zqfotsbw
2007-10-27 14:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-27 14:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-27 14:25 <DIR> d-------- C:\Program Files\Cakgamdh
2007-10-27 11:19 415,058 ---hs---- C:\WINDOWS\system32\tsrqr.bak2
2007-10-27 10:32 <DIR> d-------- C:\WINDOWS\system32\fkmdvbtn
2007-10-26 19:23 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2007-10-26 10:30 394 --ah----- C:\aaw7boot.cmd
2007-10-26 09:37 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-26 09:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-26 09:30 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-26 09:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-26 09:13 <DIR> d-------- C:\Documents and Settings\Annie\Application Data\SpyGuardPro
2007-10-26 09:11 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-10-26 09:11 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-10-26 09:11 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-10-26 09:11 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-10-26 09:11 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-26 09:05 123,910 --a------ C:\WINDOWS\system32\vvgeowbv.exe
2007-10-26 09:05 21,504 --a------ C:\WINDOWS\system32\aivskurq.dll
2007-10-26 09:04 <DIR> d-------- C:\Program Files\batcfktc
2007-10-26 09:01 294,668 --a------ C:\WINDOWS\frexup3.exe
2007-10-26 08:58 <DIR> d--hs---- C:\WINDOWS\SG93c2Vy
2007-10-26 08:58 <DIR> d-------- C:\Temp
2007-10-14 21:43 <DIR> d--h----- C:\WINDOWS\PIF
2007-10-11 19:13 <DIR> d-------- C:\WINDOWS\Motive
2007-10-11 19:12 <DIR> d-------- C:\Program Files\ALLTEL DSL Check-up Center
2007-10-11 19:10 69,632 --a------ C:\WINDOWS\system32\MCCDevice.dll
2007-10-11 19:10 6,048 --a------ C:\WINDOWS\system32\MCC16.dll
2007-10-11 19:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MotiveSysIDs
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-29 17:09 --------- d-----w C:\Program Files\PacificPoker
2007-10-29 15:11 --------- d-----w C:\Program Files\Symantec
2007-10-29 15:11 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-10-29 14:47 --------- d-----w C:\Program Files\Norton AntiVirus
2007-10-29 14:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-12 01:09 --------- d-----w C:\Program Files\MSN Messenger
2007-10-12 00:10 --------- d-----w C:\Program Files\Common Files\Motive
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14FC14B8-BD29-4764-9F6F-E53CC05C8ECD}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{258914A1-690F-4334-8099-9A71F3807F7D}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A8C2C57-93A7-0675-5A40-098909C6F6CC}]
2007-11-01 08:58 106496 --a------ C:\Program Files\Zcelihuh\ilnnsmis.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{326B8F49-0C42-40DE-8B55-ACF4DBDBBEB9}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6A761A99-B1F5-4F9E-8194-2625667B97CD}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{94E6E8C7-5E14-449C-AF9D-5779ADF12FD7}]
C:\WINDOWS\system32\rqrst.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC3CCF2E-462C-45DB-9A6B-1A9BEF4C5E57}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E075BFBE-1957-43A2-8393-2DE02A78268E}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EDE71875-1CDE-4FD0-82FA-BE97A3B19C71}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CARPService"="carpserv.exe" [2003-05-21 16:35 C:\WINDOWS\system32\carpserv.exe]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2003-05-22 16:10]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2003-05-22 17:06]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 11:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-12-12 12:31]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2003-07-17 14:50]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-01-16 13:16]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-01-11 18:27]
"Display Settings"="C:\Program Files\HPQ\Notebook Utilities\hptasks.exe" [2002-08-15 09:26]
"QT4HPOT"="C:\Program Files\HPQ\One-Touch\OneTouch.EXE" [2003-03-13 10:11]
"Dell AIO Printer A960"="C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe" [2003-11-19 09:47]
"Dell AIO Printer A920"="C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe" [2003-06-02 13:25]
"Motive SmartBridge"="C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe" [2004-11-09 10:32]
"plite731"="C:\WINDOWS\plite731.exe" []
"{48-8D-DB-B2-ZN}"="C:\Documents and Settings\Annie\Local Settings\Temp\T0CHD001.exe" [2007-10-26 09:01]
"Windows Update Check"="C:\WINDOWS\system32\syslodr.exe" []
"SpyGuardPro"="C:\Program Files\SpyGuardPro\pgs.exe" []
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 15:30]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6172\SiteAdv.exe" [2007-08-24 16:57]
"grazklsr"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\grazklsr.dll" []
"SC2"="C:\Program Files\SecCenter\scprot4.exe" [2007-11-01 08:58]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-12-08 14:55]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]
"Aaou"="C:\DOCUME~1\Annie\MYDOCU~1\CROSOF~1\scanregw.exe" []
"Dej"="C:\Documents and Settings\Annie\My Documents\?dobe\n?tdde.exe" []
"ISMModule8"="C:\Program Files\ISM\ISMModule8.exe" []
"ISMPack8"="C:\Program Files\ISM2\ISMPack8.exe" []
C:\Documents and Settings\Annie\Start Menu\Programs\Startup\
PowerReg Scheduler V3.exe [2007-03-04 16:28:33]
TA_Start.lnk - C:\Documents and Settings\Annie\Local Settings\Temp\T0CHD001.exe [2007-10-26 09:01:49]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Windstream Broadband Check-up Center.lnk - C:\Program Files\ALLTEL DSL Check-up Center\bin\matcli.exe [2007-10-11 19:12:53]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""
R3 CALIAUD;Conexant AMC 3D ENVIRONMENTAL AUDIO;C:\WINDOWS\system32\drivers\caliaud.sys
R3 CALIHALA;CALIHALA;C:\WINDOWS\system32\drivers\calihal.sys
R3 DKbFltr;Dritek HotKey Keyboard Filter Driver;C:\WINDOWS\system32\Drivers\DKbFltr.SYS
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;C:\WINDOWS\system32\DRIVERS\DP83815.SYS
S3 FA312;NETGEAR FA330/FA312/FA311 Fast Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\FA312nd5.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-29 14:51:48 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
"2007-10-29 14:51:46 C:\WINDOWS\Tasks\McQcTask.job"
"2007-11-01 13:58:07 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-01 08:57:43
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????5?3?7?7??????? ?deB???????????????B? ??????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-01 9:00:51 - machine was rebooted
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:02:40 AM, on 11/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SecCenter\scprot4.exe
C:\Program Files\ALLTEL DSL Check-up Center\bin\mpbtn.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: (no name) - {14FC14B8-BD29-4764-9F6F-E53CC05C8ECD} - \
O2 - BHO: (no name) - {258914A1-690F-4334-8099-9A71F3807F7D} - (no file)
O2 - BHO: (no name) - {2A8C2C57-93A7-0675-5A40-098909C6F6CC} - C:\Program Files\Zcelihuh\ilnnsmis.dll
O2 - BHO: (no name) - {326B8F49-0C42-40DE-8B55-ACF4DBDBBEB9} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6A761A99-B1F5-4F9E-8194-2625667B97CD} - \
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: (no name) - {94E6E8C7-5E14-449C-AF9D-5779ADF12FD7} - C:\WINDOWS\system32\rqrst.dll (file missing)
O2 - BHO: (no name) - {BC3CCF2E-462C-45DB-9A6B-1A9BEF4C5E57} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O2 - BHO: (no name) - {E075BFBE-1957-43A2-8393-2DE02A78268E} - (no file)
O2 - BHO: (no name) - {EDE71875-1CDE-4FD0-82FA-BE97A3B19C71} - (no file)
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKLM\..\Run: [{48-8D-DB-B2-ZN}] C:\Documents and Settings\Annie\Local Settings\Temp\T0CHD001.exe CHD001
O4 - HKLM\..\Run: [Windows Update Check] C:\WINDOWS\system32\syslodr.exe
O4 - HKLM\..\Run: [SpyGuardPro] C:\Program Files\SpyGuardPro\pgs.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [grazklsr] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\grazklsr.dll"
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aaou] "C:\DOCUME~1\Annie\MYDOCU~1\CROSOF~1\scanregw.exe" -vt yazb
O4 - HKCU\..\Run: [Dej] "C:\Documents and Settings\Annie\My Documents\?dobe\n?tdde.exe"
O4 - HKCU\..\Run: [ISMModule8] "C:\Program Files\ISM\ISMModule8.exe"
O4 - HKCU\..\Run: [ISMPack8] "C:\Program Files\ISM2\ISMPack8.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Annie\Local Settings\Temp\T0CHD001.exe
O4 - Global Startup: Windstream Broadband Check-up Center.lnk = C:\Program Files\ALLTEL DSL Check-up Center\bin\matcli.exe
O8 - Extra context menu item: &Search - ?p=ZNfox000
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\Program Files\MANSION\FreePoker\MANSION.exe (file missing)
O9 - Extra 'Tools' menuitem: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\Program Files\MANSION\FreePoker\MANSION.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/WINDSTREAM/static/controls/WebflowActiveXInstaller_2-0-0.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 13718 bytes
pskelley
2007-11-01, 16:59
Thanks for returning your information and whoa... combofix removed a load of junk, let's see what HJT can do for us now.
You have a lot of infected System Restore files; until we clean those near the end, please do not use System Restore for any reason.
You also have junk here: C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ <<< delete the contents of the Recovery folder.
Proceed carefully and in the posted order.
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
3) Make sure TeaTimer is still disabled!
4) Start > Control Panel > Add Remove programs and uninstall SecCenter, SpyGuardPro, and anything else you know should not be there.
5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: (no name) - {14FC14B8-BD29-4764-9F6F-E53CC05C8ECD} - \
O2 - BHO: (no name) - {258914A1-690F-4334-8099-9A71F3807F7D} - (no file)
O2 - BHO: (no name) - {2A8C2C57-93A7-0675-5A40-098909C6F6CC} - C:\Program Files\Zcelihuh\ilnnsmis.dll
O2 - BHO: (no name) - {326B8F49-0C42-40DE-8B55-ACF4DBDBBEB9} - (no file)
O2 - BHO: (no name) - {6A761A99-B1F5-4F9E-8194-2625667B97CD} - \
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {94E6E8C7-5E14-449C-AF9D-5779ADF12FD7} - C:\WINDOWS\system32\rqrst.dll (file missing)
O2 - BHO: (no name) - {BC3CCF2E-462C-45DB-9A6B-1A9BEF4C5E57} - (no file)
O2 - BHO: (no name) - {E075BFBE-1957-43A2-8393-2DE02A78268E} - (no file)
O2 - BHO: (no name) - {EDE71875-1CDE-4FD0-82FA-BE97A3B19C71} - (no file)
O4 - HKLM\..\Run: [plite731] C:\WINDOWS\plite731.exe
O4 - HKLM\..\Run: [{48-8D-DB-B2-ZN}] C:\Documents and Settings\Annie\Local Settings\Temp\T0CHD001.exe CHD001
O4 - HKLM\..\Run: [Windows Update Check] C:\WINDOWS\system32\syslodr.exe
O4 - HKLM\..\Run: [SpyGuardPro] C:\Program Files\SpyGuardPro\pgs.exe
O4 - HKLM\..\Run: [grazklsr] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\grazklsr.dll"
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKCU\..\Run: [Aaou] "C:\DOCUME~1\Annie\MYDOCU~1\CROSOF~1\scanregw.exe" -vt yazb
O4 - HKCU\..\Run: [Dej] "C:\Documents and Settings\Annie\My Documents\?dobe\n?tdde.exe"
O4 - HKCU\..\Run: [ISMModule8] "C:\Program Files\ISM\ISMModule8.exe"
O4 - HKCU\..\Run: [ISMPack8] "C:\Program Files\ISM2\ISMPack8.exe"
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Annie\Local Settings\Temp\T0CHD001.exe
O8 - Extra context menu item: &Search - ?p=ZNfox000
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\Program Files\MANSION\FreePoker\MANSION.exe (file missing)
O9 - Extra 'Tools' menuitem: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\Program Files\MANSION\FreePoker\MANSION.exe (file missing)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
6) RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\Documents and Settings\Annie\Local Settings\Temp\ <<< delete the CONTENTS of the folder in red
C:\Documents and Settings\Annie\Local Settings\Temporary Internet Files\ <<< delete the CONTENTS of the folder in red
C:\Program Files\SpyGuardPro\ <<< delete that folder
C:\Program Files\SecCenter\ <<< delete that folder
C:\WINDOWS\plite731.exe <<< delete that file
C:\WINDOWS\system32\syslodr.exe <<< delete that file
C:\Documents and Settings\All Users\Application Data\grazklsr.dll <<< delete that file
C:\DOCUMENT AND SETTINGS~1\Annie\MYDOCUMENTS~1\CROSOF~1\ <<< delete that folder
C:\Documents and Settings\Annie\My Documents\?dobe\ <<< delete that folder
C:\Program Files\ISM\ <<< delete that folder
C:\Program Files\ISM2\ <<< delete that folder
7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart, post a new HJT log and some feedback about performance.
Thanks
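Example code added to this thread, not HijackThis's own logic and not the helper's tooling: a small Python triage that encodes the judgement behind the "Fix Checked" list above, flagging O2/O4/O8/O9 lines whose target file is gone, sits in a user-writable folder, contains a character HJT prints as "?", or is malformed. The sample lines are copied from the log posted earlier in this thread; the rules themselves are assumptions for illustration.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Example code added to this thread; it is neither HijackThis nor the helper's
tooling. It encodes the kind of judgement used above when picking O2/O4/O8/O9
lines for "Fix Checked". The rules are assumptions, not HJT's own logic.
"""
import re
from typing import List, Tuple

# Auto-starts and browser hooks living in user-writable folders are a classic
# infection sign (long and 8.3 forms of the Windows XP paths).
USER_WRITABLE = re.compile(
    r"\\(Local Settings\\Temp|LOCALS~1\\Temp|Temporary Internet Files|"
    r"My Documents|MYDOCU~1|All Users\\Application Data|Application Data)\\",
    re.IGNORECASE,
)
# What HJT prints as the path of a registered component whose file is gone.
DEAD_TARGETS = {"", "\\", "(no file)"}
# A context-menu item (O8) should point at a local page or a web URL.
VALID_O8 = re.compile(r"^(https?://|file:///)", re.IGNORECASE)

# Constructed sample: lines copied from the HJT log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: (no name) - {258914A1-690F-4334-8099-9A71F3807F7D} - (no file)
O2 - BHO: (no name) - {2A8C2C57-93A7-0675-5A40-098909C6F6CC} - C:\Program Files\Zcelihuh\ilnnsmis.dll
O2 - BHO: (no name) - {6A761A99-B1F5-4F9E-8194-2625667B97CD} - \
O2 - BHO: (no name) - {94E6E8C7-5E14-449C-AF9D-5779ADF12FD7} - C:\WINDOWS\system32\rqrst.dll (file missing)
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [{48-8D-DB-B2-ZN}] C:\Documents and Settings\Annie\Local Settings\Temp\T0CHD001.exe CHD001
O4 - HKLM\..\Run: [grazklsr] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\grazklsr.dll"
O4 - HKCU\..\Run: [Aaou] "C:\DOCUME~1\Annie\MYDOCU~1\CROSOF~1\scanregw.exe" -vt yazb
O4 - HKCU\..\Run: [Dej] "C:\Documents and Settings\Annie\My Documents\?dobe\n?tdde.exe"
O8 - Extra context menu item: &Search - ?p=ZNfox000
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: MANSION - {CD03D14B-0EF6-4f5a-BB81-1ECAFFC676AF} - C:\Program Files\MANSION\FreePoker\MANSION.exe (file missing)
"""


def triage_line(line: str) -> Tuple[str, str]:
    """Classify one HJT line as 'fix', 'review' or 'ok', with a reason."""
    line = line.strip()
    m = re.match(r"^(O\d+) - (.*)$", line)
    if not m:
        return "ok", ""  # header, process list, R0/R1 lines, blank lines
    section, rest = m.groups()
    reasons: List[str] = []
    review = ""

    # HJT renders characters it cannot print as '?' (see the ?dobe entry).
    if section != "O8" and "?" in rest:
        reasons.append("non-printable character in path")
    if USER_WRITABLE.search(rest):
        reasons.append("target lives in a user-writable location")

    if section in ("O2", "O9"):
        # Layout: '<kind>: <name> - {CLSID} - <path>'; the path is last.
        fields = [f.strip() for f in rest.split(" - ")]
        target = fields[-1] if len(fields) >= 3 else ""
        if target in DEAD_TARGETS or target.endswith("(file missing)"):
            reasons.append("registered component has no file on disk")
        elif fields[0].endswith("(no name)"):
            review = "unnamed component with a file on disk: verify the vendor"
    elif section == "O4":
        # Legitimate software does not (un)register DLLs from a Run key.
        if re.search(r"\bregsvr32\b", rest, re.IGNORECASE):
            reasons.append("Run entry (un)registers a DLL via regsvr32")
    elif section == "O8":
        target = rest.split(" - ", 1)[-1].strip()
        if not VALID_O8.match(target):
            reasons.append("context-menu target is not a file:/// or http(s) URL")

    if reasons:
        return "fix", "; ".join(reasons)
    if review:
        return "review", review
    return "ok", ""


def triage(log_text: str) -> List[Tuple[str, str, str]]:
    """Return (verdict, reason, line) for every line that is not 'ok'."""
    findings = []
    for raw in log_text.splitlines():
        verdict, reason = triage_line(raw)
        if verdict != "ok":
            findings.append((verdict, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for verdict, reason, line in triage(SAMPLE_LOG):
        print(f"[{verdict:6}] {line}\n         {reason}")
```

On the sample above the script marks nine lines "fix" and two "review" (the unnamed SiteAdvisor and Zcelihuh BHOs); the review bucket is where the human judgement in the post above still has to happen.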
Okay I did everything you asked. But....I couldn't find everything you said to delete!!
Here is what I found...C:\Documents and Settings\All Users\Application Data\grazklsr.dll. Yeah that's it. Also neither program was in my add/delete programs. And I couldn't get the Temporary Internet Files folder to empty completely. It deleted all the cookies but wouldn't delete anything else.
Here are the results though! Oh and it seems to be running pretty good.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:21:07 AM, on 11/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\WINDOWS\system32\carpserv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\ALLTEL DSL Check-up Center\bin\mpbtn.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Dej] "C:\Documents and Settings\Annie\My Documents\?dobe\n?tdde.exe"
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Windstream Broadband Check-up Center.lnk = C:\Program Files\ALLTEL DSL Check-up Center\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/WINDSTREAM/static/controls/WebflowActiveXInstaller_2-0-0.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 11313 bytes
pskelley
2007-11-01, 18:48
Thanks for the feedback, let's see what the HJT log looks like now:
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:21:07 AM, on 11/1/2007
O4 - HKCU\..\Run: [Dej] "C:\Documents and Settings\Annie\My Documents\?dobe\n?tdde.exe"
This one is still there, did you delete that folder? >>
?dobe <<< I can't say what letter will be in the place of the ? but you can look in the folder to see that file: n?tdde.exe
This is PurityScan/OIN and it must be deleted. You will probably not find it unless you have files and folders unhidden. If you deleted it or if it is gone, then run HJT again and remove that line.
The rest of the HJT log looks good, so let's look at the first Kaspersky scan.
Before we run a new scan, keep in mind much of the junk Kaspersky found the first time will be gone and a bunch is in System Restore. Let's clean System Restore now (we may need to do it again later).
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Restart the computer, run a new Kaspersky scan and post it. It is going to find some stuff, but it should be a lot less now to manually remove.
Thanks
I couldn't find that file so I deleted it off HJT. Here is my newest Log....
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, November 01, 2007 1:44:10 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/11/2007
Kaspersky Anti-Virus database records: 449741
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 42233
Number of viruses found: 15
Number of infected objects: 27
Number of suspicious objects: 0
Duration of the scan process: 01:13:31
Infected Object Name / Virus Name / Last Action
C:\2b664ce64e8d46a9201\amdk7.sys Object is locked skipped
C:\2b664ce64e8d46a9201\k7qfe.cat Object is locked skipped
C:\2b664ce64e8d46a9201\k7qfe.inf Object is locked skipped
C:\2b664ce64e8d46a9201\symbols\sys\amdk7.pdb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\tempIpRules.xdb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\RBLDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Annie\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\cert8.db Object is locked skipped
C:\Documents and Settings\Annie\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Annie\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\history.dat Object is locked skipped
C:\Documents and Settings\Annie\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\key3.db Object is locked skipped
C:\Documents and Settings\Annie\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\parent.lock Object is locked skipped
C:\Documents and Settings\Annie\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Annie\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Annie\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Messenger\angel_annie_05@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Messenger\angel_annie_05@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Messenger\angel_annie_05@hotmail.com\SharingMetadata\Working\database_D034_E4A3_34E4_8DB2\dfsr.db Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Messenger\angel_annie_05@hotmail.com\SharingMetadata\Working\database_D034_E4A3_34E4_8DB2\fsr.log Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Messenger\angel_annie_05@hotmail.com\SharingMetadata\Working\database_D034_E4A3_34E4_8DB2\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Messenger\angel_annie_05@hotmail.com\SharingMetadata\Working\database_D034_E4A3_34E4_8DB2\tmp.edb Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Windows Live Contacts\angel_annie_05@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Windows Live Contacts\angel_annie_05@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\History\History.IE5\MSHist012007110120071102\index.dat Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\temp\Perflib_Perfdata_af4.dat Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\temp\~DF65C1.tmp Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\temp\~DF6813.tmp Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\temp\~DFE066.tmp Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\temp\~DFED7B.tmp Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\temp\~DFEE99.tmp Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Annie\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Annie\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ALLTEL DSL Check-up Center\log\mpbtn.log Object is locked skipped
C:\Program Files\ALLTEL DSL Check-up Center\SmartBridge\AlertFilter.log Object is locked skipped
C:\Program Files\ALLTEL DSL Check-up Center\SmartBridge\log\httpclient.log Object is locked skipped
C:\Program Files\ALLTEL DSL Check-up Center\SmartBridge\SmartBridge.log Object is locked skipped
C:\Program Files\batcfktc\velodqlc.dll Infected: Trojan-Downloader.Win32.Zlob.dxz skipped
C:\Program Files\Cakgamdh\nhfjdeqw.dll Infected: Trojan.Win32.Obfuscated.jx skipped
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\Program Files\MSN Messenger\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\Program Files\MSN Messenger\riched20.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\Tcmvpxcr\hpcwthkf.dll Infected: Trojan.Win32.Obfuscated.jx skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20071101-104425-487.dll Infected: Trojan.Win32.Obfuscated.jx skipped
C:\Program Files\Uqoiypdz\rryynnln.dll Infected: Trojan.Win32.Obfuscated.jx skipped
C:\Program Files\Yahoo!\Messenger\ypager.log Object is locked skipped
C:\Program Files\Zcelihuh\ilnnsmis.dll Infected: Trojan.Win32.Obfuscated.jx skipped
C:\Program Files\zqfotsbw\pmrczsti.dll Infected: Trojan-Downloader.Win32.Zlob.dxz skipped
C:\qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\mjsrcrit.dll.vir Infected: Trojan.Win32.Obfuscated.jx skipped
C:\qoobox\Quarantine\C\Documents and Settings\Annie\My Documents\DOBE~1\nеtdde.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gj skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\f22\bc1224wv.exe.vir Infected: Trojan-Downloader.Win32.Small.gks skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\nusrmgr.exe.vir Infected: Trojan-Dropper.Win32.VB.tg skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\oaqcauo.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.ta skipped
C:\qoobox\Quarantine\catchme2007-11-01_ 85720.55.zip/kernelw.sys Infected: Rootkit.Win32.Agent.jf skipped
C:\qoobox\Quarantine\catchme2007-11-01_ 85720.55.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP1\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hh.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\msconv97.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\osk.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shdocvw.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\urlmon.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\zipfldr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828028$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjetol1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\frexup3.exe/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\WINDOWS\frexup3.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\WINDOWS\frexup3.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\WINDOWS\frexup3.exe NSIS: infected - 3 skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\aivskurq.dll Infected: Trojan-Downloader.Win32.VB.bpt skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\vvgeowbv.exe Infected: not-virus:Hoax.Win32.Renos.kj skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_auqkFojzOZWPtvH Object is locked skipped
C:\WINDOWS\Temp\mcmsc_DcdTZezifJ5REdo Object is locked skipped
C:\WINDOWS\Temp\mcmsc_Fns5JMMJ9PvHbm4 Object is locked skipped
C:\WINDOWS\Temp\sqlite_bUrDNvWYIO3B7cp Object is locked skipped
C:\WINDOWS\Temp\sqlite_KWhEQOdTAzATz9z Object is locked skipped
C:\WINDOWS\Temp\sqlite_R0fuKhBvTUT5Gfj Object is locked skipped
C:\WINDOWS\Temp\sqlite_ZgyRRAMOQxwd84U Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Setup\ALLTEL.exe//VNC/MotVNC.exe/WISE0008.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
D:\Setup\ALLTEL.exe//VNC/MotVNC.exe/WISE0009.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
D:\Setup\ALLTEL.exe//VNC/MotVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
D:\Setup\ALLTEL.exe CabSFX: infected - 3 skipped
Scan process completed.
pskelley
2007-11-01, 21:02
I couldn't find that file so I deleted it off HJT. Here is my newest Log....
Thanks for that feedback, next time you post, let me see a HJT log to be sure it's gone.
(make sure all files and folders are still showing)
KASPERSKY ONLINE SCANNER REPORT Thursday, November 01, 2007 1:44:10 PM
Number of infected objects: 27
(delete the files or folders in red)
C:\Program Files\batcfktc\velodqlc.dll Infected: Trojan-Downloader.Win32.Zlob.dxz skipped
C:\Program Files\Cakgamdh\nhfjdeqw.dll Infected: Trojan.Win32.Obfuscated.jx skipped
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\Program Files\MSN Messenger\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\Program Files\MSN Messenger\riched20.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\Program Files\Tcmvpxcr\hpcwthkf.dll Infected: Trojan.Win32.Obfuscated.jx skipped
C:\Program Files\Uqoiypdz\rryynnln.dll Infected: Trojan.Win32.Obfuscated.jx skipped
C:\Program Files\Zcelihuh\ilnnsmis.dll Infected: Trojan.Win32.Obfuscated.jx skipped
C:\Program Files\zqfotsbw\pmrczsti.dll Infected: Trojan-Downloader.Win32.Zlob.dxz skipped
C:\qoobox\Quarantine\ <<< delete those folders completely, old combofix folders
(should only be one file, I highlighted it in red for deletion)
C:\WINDOWS\frexup3.exe/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\WINDOWS\frexup3.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\WINDOWS\frexup3.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\WINDOWS\frexup3.exe NSIS: infected - 3 skipped
(I don't know about this item, may be a false positive? Do you know why that stuff is there?)
D:\Setup\ALLTEL.exe//VNC/MotVNC.exe/WISE0008.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
D:\Setup\ALLTEL.exe//VNC/MotVNC.exe/WISE0009.BIN Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
D:\Setup\ALLTEL.exe//VNC/MotVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.b skipped
D:\Setup\ALLTEL.exe CabSFX: infected - 3 skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20071101-104425-487.dll Infected: Trojan.Win32.Obfuscated.jx skipped
Open HJT > Open Misc Tools section > Backups > Delete all.
Restart and scan again, I do not need to see the scan results unless you have questions, but do post the HJT log and any comments you think will help.
Thanks...Phil
Here is the HJT log.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:46:35 PM, on 11/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\gearsec.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\WINDOWS\system32\carpserv.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\HPQ\One-Touch\OneTouch.EXE
C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\WINDOWS\system32\ctfmon.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Dell AIO Printer A960\dlbfbmon.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\ALLTEL DSL Check-up Center\bin\mpbtn.exe
C:\Program Files\SiteAdvisor\6172\SAService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.hp.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.03.0000.1005\en-xu\stmain.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.5000.1021\en-us\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Display Settings] C:\Program Files\HPQ\Notebook Utilities\hptasks.exe /s
O4 - HKLM\..\Run: [QT4HPOT] C:\Program Files\HPQ\One-Touch\OneTouch.EXE
O4 - HKLM\..\Run: [Dell AIO Printer A960] "C:\Program Files\Dell AIO Printer A960\dlbfbmgr.exe"
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\ALLTEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6172\SiteAdv.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: PowerReg Scheduler V3.exe
O4 - Global Startup: Windstream Broadband Check-up Center.lnk = C:\Program Files\ALLTEL DSL Check-up Center\bin\matcli.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.hp.com
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {321FB770-1FBE-4BFE-BDC1-6F622D4FA499} - https://activation.alltel.com/wizlet/WINDSTREAM/static/controls/WebflowActiveXInstaller_2-0-0.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {97E71027-0BA2-44F2-97DB-F84D808ED0B6} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab55762.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe (file missing)
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Gear Security Service (GEARSecurity) - GEAR Software - C:\WINDOWS\System32\gearsec.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6172\SAService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 11269 bytes
And here is the other (though I know you don't actually need it). It still says there are viruses and infected objects. Not sure if it should or not (I didn't think it should!). The computer is running really well though.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, November 01, 2007 3:44:43 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 1/11/2007
Kaspersky Anti-Virus database records: 449803
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 39431
Number of viruses found: 14
Number of infected objects: 23
Number of suspicious objects: 0
Duration of the scan process: 01:12:30
Infected Object Name / Virus Name / Last Action
C:\2b664ce64e8d46a9201\amdk7.sys Object is locked skipped
C:\2b664ce64e8d46a9201\k7qfe.cat Object is locked skipped
C:\2b664ce64e8d46a9201\k7qfe.inf Object is locked skipped
C:\2b664ce64e8d46a9201\symbols\sys\amdk7.pdb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\tempIpRules.xdb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\RBLDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Annie\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\cert8.db Object is locked skipped
C:\Documents and Settings\Annie\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Annie\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\history.dat Object is locked skipped
C:\Documents and Settings\Annie\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\key3.db Object is locked skipped
C:\Documents and Settings\Annie\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\parent.lock Object is locked skipped
C:\Documents and Settings\Annie\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Annie\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Annie\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Messenger\angel_annie_05@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Messenger\angel_annie_05@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Messenger\angel_annie_05@hotmail.com\SharingMetadata\Working\database_D034_E4A3_34E4_8DB2\dfsr.db Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Messenger\angel_annie_05@hotmail.com\SharingMetadata\Working\database_D034_E4A3_34E4_8DB2\fsr.log Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Messenger\angel_annie_05@hotmail.com\SharingMetadata\Working\database_D034_E4A3_34E4_8DB2\tmp.edb Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Windows Live Contacts\angel_annie_05@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Microsoft\Windows Live Contacts\angel_annie_05@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Application Data\Mozilla\Firefox\Profiles\vtsk4mjd.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\History\History.IE5\MSHist012007110120071102\index.dat Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\temp\Perflib_Perfdata_450.dat Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\temp\~DF3503.tmp Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\temp\~DF3DB9.tmp Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\temp\~DF4E19.tmp Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\temp\~DF6ED2.tmp Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\temp\~DF7019.tmp Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Annie\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Annie\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Annie\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ALLTEL DSL Check-up Center\log\mpbtn.log Object is locked skipped
C:\Program Files\ALLTEL DSL Check-up Center\SmartBridge\AlertFilter.log Object is locked skipped
C:\Program Files\ALLTEL DSL Check-up Center\SmartBridge\log\httpclient.log Object is locked skipped
C:\Program Files\ALLTEL DSL Check-up Center\SmartBridge\SmartBridge.log Object is locked skipped
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20071101-104425-487.dll Infected: Trojan.Win32.Obfuscated.jx skipped
C:\Program Files\Yahoo!\Messenger\ypager.log Object is locked skipped
C:\RECYCLER\S-1-5-21-1659004503-1708537768-1343024091-1005\Dc10\pmrczsti.dll Infected: Trojan-Downloader.Win32.Zlob.dxz skipped
C:\RECYCLER\S-1-5-21-1659004503-1708537768-1343024091-1005\Dc11\Documents and Settings\All Users\Application Data\mjsrcrit.dll.vir Infected: Trojan.Win32.Obfuscated.jx skipped
C:\RECYCLER\S-1-5-21-1659004503-1708537768-1343024091-1005\Dc11\Documents and Settings\Annie\My Documents\DOBE~1\nеtdde.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gj skipped
C:\RECYCLER\S-1-5-21-1659004503-1708537768-1343024091-1005\Dc11\WINDOWS\system32\f22\bc1224wv.exe.vir Infected: Trojan-Downloader.Win32.Small.gks skipped
C:\RECYCLER\S-1-5-21-1659004503-1708537768-1343024091-1005\Dc11\WINDOWS\system32\nusrmgr.exe.vir Infected: Trojan-Dropper.Win32.VB.tg skipped
C:\RECYCLER\S-1-5-21-1659004503-1708537768-1343024091-1005\Dc11\WINDOWS\system32\oaqcauo.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.ta skipped
C:\RECYCLER\S-1-5-21-1659004503-1708537768-1343024091-1005\Dc13.zip/kernelw.sys Infected: Rootkit.Win32.Agent.jf skipped
C:\RECYCLER\S-1-5-21-1659004503-1708537768-1343024091-1005\Dc13.zip ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-1659004503-1708537768-1343024091-1005\Dc15.exe/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\RECYCLER\S-1-5-21-1659004503-1708537768-1343024091-1005\Dc15.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\RECYCLER\S-1-5-21-1659004503-1708537768-1343024091-1005\Dc15.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\RECYCLER\S-1-5-21-1659004503-1708537768-1343024091-1005\Dc15.exe NSIS: infected - 3 skipped
C:\RECYCLER\S-1-5-21-1659004503-1708537768-1343024091-1005\Dc3\velodqlc.dll Infected: Trojan-Downloader.Win32.Zlob.dxz skipped
C:\RECYCLER\S-1-5-21-1659004503-1708537768-1343024091-1005\Dc4\nhfjdeqw.dll Infected: Trojan.Win32.Obfuscated.jx skipped
C:\RECYCLER\S-1-5-21-1659004503-1708537768-1343024091-1005\Dc5.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\RECYCLER\S-1-5-21-1659004503-1708537768-1343024091-1005\Dc6.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\RECYCLER\S-1-5-21-1659004503-1708537768-1343024091-1005\Dc7\hpcwthkf.dll Infected: Trojan.Win32.Obfuscated.jx skipped
C:\RECYCLER\S-1-5-21-1659004503-1708537768-1343024091-1005\Dc8\rryynnln.dll Infected: Trojan.Win32.Obfuscated.jx skipped
C:\RECYCLER\S-1-5-21-1659004503-1708537768-1343024091-1005\Dc9\ilnnsmis.dll Infected: Trojan.Win32.Obfuscated.jx skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3FC40151-1067-4822-A738-8D0C251CBE26}\RP1\change.log Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hh.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\msconv97.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\osk.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shdocvw.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\urlmon.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\zipfldr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828028$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\helpctr.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjetol1.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\aivskurq.dll Infected: Trojan-Downloader.Win32.VB.bpt skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\vvgeowbv.exe Infected: not-virus:Hoax.Win32.Renos.kj skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_su5EpinPt0Umoe6 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_aZrNeEfJexbghjC Object is locked skipped
C:\WINDOWS\Temp\mcmsc_DyebUcgmpOyprQW Object is locked skipped
C:\WINDOWS\Temp\sqlite_6vsz2GgS0daXr9O Object is locked skipped
C:\WINDOWS\Temp\sqlite_K1s0dGUqLGlehZt Object is locked skipped
C:\WINDOWS\Temp\sqlite_qdmP1PsMikQ50Jy Object is locked skipped
C:\WINDOWS\Temp\sqlite_VwgNhUChYOJAo7q Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
pskelley
2007-11-02, 00:42
Thanks for the feedback, the HJT log looks fine, let's look at Kaspersky:
1) You must have missed my instructions for cleaning HJT backups:
Open HJT > Open Misc Tools section > Backups > Delete all.
There is a trojan in there that can't harm you but needs to be off your computer.
2) C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
This appears to be an infected file; delete the file listed above.
3) 19 infected items are in your Recycle Bin. Point to the "Recycle Bin" on your Desktop and right click, then click "Empty Recycle Bin", then OK or Yes.
4) C:\WINDOWS\system32\vvgeowbv.exe <<< delete that file
5) C:\WINDOWS\system32\aivskurq.dll <<< delete that file
Don't forget to empty the Recycle Bin again after deleting those new items, or they will be in the Recycle Bin in the next scan.
If you have any questions, do not hesitate to ask. I am posting some information for you now.
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
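As an added example that is not part of this thread (neither pskelley's nor the poster's), the following Python script parses Kaspersky Online Scanner report lines like the ones posted above and groups each non-locked finding under the cleanup step pskelley lists; the bucket names and the subset of report lines embedded as a sample are my own assumptions, and archive members reported as file.zip/member are mapped back to the on-disk container.

```python
import re
from collections import defaultdict, namedtuple

# Constructed sample (added example, not from the thread): a subset of the Kaspersky Online
# Scanner 5.0 lines above, covering each line shape: locked, infected, archive member, container.
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Program Files\Mozilla Firefox\plugins\NPMyWebS.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\Program Files\Trend Micro\HijackThis\backups\backup-20071101-104425-487.dll Infected: Trojan.Win32.Obfuscated.jx skipped
C:\RECYCLER\S-1-5-21-1659004503-1708537768-1343024091-1005\Dc10\pmrczsti.dll Infected: Trojan-Downloader.Win32.Zlob.dxz skipped
C:\RECYCLER\S-1-5-21-1659004503-1708537768-1343024091-1005\Dc13.zip/kernelw.sys Infected: Rootkit.Win32.Agent.jf skipped
C:\RECYCLER\S-1-5-21-1659004503-1708537768-1343024091-1005\Dc13.zip ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-1659004503-1708537768-1343024091-1005\Dc15.exe/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\RECYCLER\S-1-5-21-1659004503-1708537768-1343024091-1005\Dc15.exe NSIS: infected - 3 skipped
C:\WINDOWS\system32\aivskurq.dll Infected: Trojan-Downloader.Win32.VB.bpt skipped
C:\WINDOWS\system32\vvgeowbv.exe Infected: not-virus:Hoax.Win32.Renos.kj skipped
"""

# "<path> <status> <last action>": the path may contain spaces, so it is matched lazily.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:(?P<locked>Object is locked)"
    r"|Infected: (?P<verdict>\S+)"
    r"|(?P<ctype>\w+): infected - (?P<count>\d+)) "
    r"(?P<action>\S+)$"
)
ScanRecord = namedtuple("ScanRecord", "path status verdict action")  # status: locked|infected|container

def parse_report(text):
    """Parse the object lines of a Kaspersky Online Scanner report into ScanRecords."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, statistics and blank lines carry no object
        if m.group("locked"):
            status, verdict = "locked", None
        elif m.group("verdict"):
            status, verdict = "infected", m.group("verdict")
        else:
            status, verdict = "container", f"{m.group('ctype')}: infected - {m.group('count')}"
        records.append(ScanRecord(m.group("path"), status, verdict, m.group("action")))
    return records

def container_path(path):
    """Archive members are reported as 'file.zip/member'; the on-disk object is the part before '/'."""
    return path.split("/", 1)[0]

def triage_bucket(path):
    """Map an infected object to the cleanup step from the reply above (bucket names are assumed)."""
    p = path.lower()
    if p.startswith("c:\\recycler\\"):
        return "recycle_bin"   # step 3: empty the Recycle Bin
    if "\\hijackthis\\backups\\" in p:
        return "hjt_backups"   # step 1: HJT > Misc Tools > Backups > Delete all
    return "live_file"         # steps 2, 4, 5: delete the file itself

def cleanup_plan(text):
    """Return {bucket: sorted unique on-disk paths} for every non-locked finding."""
    buckets = defaultdict(set)
    for rec in parse_report(text):
        if rec.status != "locked":   # locked system files are normal, not findings
            buckets[triage_bucket(rec.path)].add(container_path(rec.path))
    return {b: sorted(paths) for b, paths in buckets.items()}
```

Run against the full report text, the three buckets reproduce the reply's breakdown: the HJT backup, the Recycle Bin entries, and the individual files to delete.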