Virtumonde and Many More
krtaylorjr
2007-10-29, 23:55
I have been trying to follow the site, and each response seems to be custom, so I figured I would try to submit my own issue. Same thing as most people, Virtumonde seems to have infected my machine. I have tried a few things already, and installed the recommended Search and Destroy apps, and even some of the other app fixes suggested.
Below is my HijackThis log, followed by the Kaspersky log.
Thanks
-------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:16:58 PM, on 10/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\oracle\ora92\bin\agntsrvc.exe
C:\WINDOWS\system32\cmd.exe
c:\oracle\ora92\bin\ORACLE.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\oracle\ora92\bin\dbsnmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061228
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [14d9e7d3] rundll32.exe "C:\WINDOWS\system32\xaufrdts.dll",b
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174777112439
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe (file missing)
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe (file missing)
O23 - Service: OracleServiceLOCAL - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
--
End of file - 8854 bytes
--------------------------------------------------
krtaylorjr
2007-10-29, 23:57
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, October 29, 2007 3:50:47 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/10/2007
Kaspersky Anti-Virus database records: 448273
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Scan Statistics:
Total number of scanned objects: 242277
Number of viruses found: 6
Number of infected objects: 29
Number of suspicious objects: 2
Duration of the scan process: 03:39:19
Infected Object Name / Virus Name / Last Action
C:\check_LSA7.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/win27C.tmp.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Trend Micro\PC-cillin\log\pcc_S-1-5-21-1936098046-1786408217-178778969-1006u.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Trend Micro\PC-cillin\log\pcc_S-1-5-21-1936098046-1786408217-178778969-500.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Trend Micro\PC-cillin\log\pcc_S-1-5-21-1936098046-1786408217-178778969-501u.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Trend Micro\PC-cillin\log\TmPfw_S-1-5-21-1936098046-1786408217-178778969-500.log Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_349824892_1221853184_18629 Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_349824892_1231355904_18771 Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{2AEBCBBA-DB93-4089-8BDA-F1E7D6B15778}.TmpSBE Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{F406C537-0155-4BC4-B4FE-9EC8A68A9906}.TmpSBE Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\Kenny\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kenny\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kenny\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kenny\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kenny\Local Settings\History\History.IE5\MSHist012007102920071030\index.dat Object is locked skipped
C:\Documents and Settings\Kenny\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/BostonColorGroup.dbx/[From FlagStar <aw-survey@flagstar.com>][Date Sat, 29 Jul 2006 01:45:01 -0400]/UNNAMED/UNNAMED/UNNAMED/html Infected: Trojan-Spy.HTML.Fraud.l skipped
C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/BostonColorGroup.dbx/[From FlagStar <aw-survey@flagstar.com>][Date Sat, 29 Jul 2006 01:45:01 -0400]/UNNAMED/UNNAMED/UNNAMED Infected: Trojan-Spy.HTML.Fraud.l skipped
C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/BostonColorGroup.dbx/[From FlagStar <aw-survey@flagstar.com>][Date Sat, 29 Jul 2006 01:45:01 -0400]/UNNAMED/UNNAMED Infected: Trojan-Spy.HTML.Fraud.l skipped
C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/BostonColorGroup.dbx/[From FlagStar <aw-survey@flagstar.com>][Date Sat, 29 Jul 2006 01:45:01 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Fraud.l skipped
C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/BostonColorGroup.dbx/[From FlagStar <aw-survey@flagstar.com>][Date Sat, 29 Jul 2006 01:45:01 -0400]/UNNAMED/UNNAMED/UNNAMED/html Infected: Trojan-Spy.HTML.Fraud.l skipped
C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/BostonColorGroup.dbx/[From FlagStar <aw-survey@flagstar.com>][Date Sat, 29 Jul 2006 01:45:01 -0400]/UNNAMED/UNNAMED/UNNAMED Infected: Trojan-Spy.HTML.Fraud.l skipped
C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/BostonColorGroup.dbx/[From FlagStar <aw-survey@flagstar.com>][Date Sat, 29 Jul 2006 01:45:01 -0400]/UNNAMED/UNNAMED Infected: Trojan-Spy.HTML.Fraud.l skipped
C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/BostonColorGroup.dbx/[From FlagStar <aw-survey@flagstar.com>][Date Sat, 29 Jul 2006 01:45:01 -0400]/UNNAMED Infected: Trojan-Spy.HTML.Fraud.l skipped
C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/BostonColorGroup.dbx Infected: Trojan-Spy.HTML.Fraud.l skipped
C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx/[From <rxshoppers@anonomousrx.co.mx>][Date Fri, 16 Jun 2006 21:00:37 -0600]/UNNAMED/GET-RX-MEDS-HERE.htm Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx/[From <rxshoppers@anonomousrx.co.mx>][Date Fri, 16 Jun 2006 21:00:37 -0600]/UNNAMED Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx/[From <rxshoppers@anonomousrx.co.mx>][Date Fri, 16 Jun 2006 21:00:37 -0600]/UNNAMED/GET-RX-MEDS-HERE.htm Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx/[From <rxshoppers@anonomousrx.co.mx>][Date Fri, 16 Jun 2006 21:00:37 -0600]/UNNAMED Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx/[From <M:eds-Phrmacy@blackthorntelecom.com>][Date Wed, 26 Jul 2006 15:21:29 -0800]/UNNAMED/Krtaylor_jr_MEDLINEWEBSITE.HTML Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx/[From <M:eds-Phrmacy@blackthorntelecom.com>][Date Wed, 26 Jul 2006 15:21:29 -0800]/UNNAMED Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx/[From <M:eds@everythinggreatallthetime.com>][Date Thu, 27 Jul 2006 19:28:24 -0800]/UNNAMED/Low_Cost_Generic_Meds_Go_Here.html Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx/[From <M:eds@everythinggreatallthetime.com>][Date Thu, 27 Jul 2006 19:28:24 -0800]/UNNAMED Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx/[From ":)Pharmacy Here" <ter@eritgetalcal.com>][Date Wed, 26 Jul 2006 11:23:47 -0600]/UNNAMED/GET-YOUR-MEDS-HERE.htm Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx/[From ":)Pharmacy Here" <ter@eritgetalcal.com>][Date Wed, 26 Jul 2006 11:23:47 -0600]/UNNAMED Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx/[From M:e:d Source <usmail@expeediamail.com>][Date Thu, 27 Jul 2006 14:44:35 -0800]/UNNAMED/UNNAMED/[From "Lauren" <krtalab@hotmail.com>][Date Thu, 27 Jul 2006 14:44:35 -0800]/PLEASE_VISIT_OUR_MEDSITE_HERE.html Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx/[From M:e:d Source <usmail@expeediamail.com>][Date Thu, 27 Jul 2006 14:44:35 -0800]/UNNAMED/UNNAMED Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx/[From M:e:d Source <usmail@expeediamail.com>][Date Thu, 27 Jul 2006 14:44:35 -0800]/UNNAMED Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx/[From DiscreteMEDS@secureshopper.ie.com][Date Thu, 27 Jul 2006 12:04:23 -0800]/UNNAMED/Discounted-Meds-CLICK-HERE.htm Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx/[From DiscreteMEDS@secureshopper.ie.com][Date Thu, 27 Jul 2006 12:04:23 -0800]/UNNAMED Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip ZIP: infected - 25 skipped
C:\Documents and Settings\Kenny\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Kenny\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\oracle\ora92\network\agent\blackout.q Object is locked skipped
C:\oracle\ora92\network\agent\ereg.q Object is locked skipped
C:\oracle\ora92\network\agent\evocc1.q Object is locked skipped
C:\oracle\ora92\network\agent\job.q Object is locked skipped
C:\oracle\ora92\network\agent\jstat1.q Object is locked skipped
C:\oracle\ora92\network\agent\reco\service.vps Object is locked skipped
C:\oracle\ora92\network\agent\user.q Object is locked skipped
C:\oracle\ora92\network\log\agntsrvc.log Object is locked skipped
C:\oracle\ora92\network\log\dbsnmp.log Object is locked skipped
C:\oracle\ora92\network\log\OracleOraHome92Agent.nohup Object is locked skipped
C:\oracle\ora92\oramts\trace\OracleMTSRecoveryService(536).trc Object is locked skipped
C:\oracle\oradata\LOCAL\CONTROL01.CTL Object is locked skipped
C:\oracle\oradata\LOCAL\CONTROL02.CTL Object is locked skipped
C:\oracle\oradata\LOCAL\CONTROL03.CTL Object is locked skipped
C:\oracle\oradata\LOCAL\CWMLITE01.DBF Object is locked skipped
C:\oracle\oradata\LOCAL\DRSYS01.DBF Object is locked skipped
C:\oracle\oradata\LOCAL\EXAMPLE01.DBF Object is locked skipped
C:\oracle\oradata\LOCAL\INDX01.DBF Object is locked skipped
C:\oracle\oradata\LOCAL\ODM01.DBF Object is locked skipped
C:\oracle\oradata\LOCAL\REDO03.LOG Object is locked skipped
C:\oracle\oradata\LOCAL\SYSTEM01.DBF Object is locked skipped
C:\oracle\oradata\LOCAL\TEMP01.DBF Object is locked skipped
C:\oracle\oradata\LOCAL\TOOLS01.DBF Object is locked skipped
C:\oracle\oradata\LOCAL\UNDOTBS01.DBF Object is locked skipped
C:\oracle\oradata\LOCAL\USERS01.DBF Object is locked skipped
C:\oracle\oradata\LOCAL\XDB01.DBF Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\qoobox\Quarantine\C\WINDOWS\mgrs.exe.vir Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\drvhag.dll.vir Infected: Trojan.Win32.Dialer.qn skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\simcard1.dll.vir Infected: Trojan-Spy.Win32.Banker.fke skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP221\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{ABA8082A-7445-45EF-89CB-FAF44313EF1F}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{1BE3F6D6-1591-44F6-8BD5-86A28B8AB859}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
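The report above mixes three very different kinds of line: "Object is locked skipped" entries (files the OS holds open, which every scan of a running system produces), archive roll-ups ("ZIP: infected - 25"), and actual "Infected:"/"Suspicious:" verdicts, some of which point at files another tool has already quarantined. As an added example, not part of the original post and not the scanner's own tooling, here is a Python script that sorts report lines into those buckets. The sample lines are constructed from the reports in this thread (paths shortened); the quarantine-folder markers (Spybot's Recovery folder, ComboFix's C:\qoobox) and the `.dbx` rule for Outlook Express mail stores are assumptions about where those programs keep their files.

```python
"""Summarise a Kaspersky Online Scanner (v5) report: separate real detections from
'Object is locked' noise, from archive roll-up lines, and from files that another
tool has already quarantined."""
import re
from collections import Counter
from typing import Optional

# Constructed sample, modelled on lines from the reports in this thread (a few
# paths only; not the scanner's actual output).
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\Kenny\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/win27C.tmp.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/BostonColorGroup.dbx/[From FlagStar <aw-survey@flagstar.com>][Date Sat, 29 Jul 2006 01:45:01 -0400]/UNNAMED/html Infected: Trojan-Spy.HTML.Fraud.l skipped
C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/Hotmail - Deleted Items.dbx/[From <rxshoppers@anonomousrx.co.mx>][Date Fri, 16 Jun 2006 21:00:37 -0600]/UNNAMED/GET-RX-MEDS-HERE.htm Infected: Trojan.JS.Redirector.b skipped
C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip ZIP: infected - 25 skipped
C:\qoobox\Quarantine\C\WINDOWS\mgrs.exe.vir Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\drvhag.dll.vir Infected: Trojan.Win32.Dialer.qn skipped
C:\Documents and Settings\Kenny\Local Settings\Temporary Internet Files\Content.IE5\B9ZNI49O\pochki20071106[1] Infected: Trojan.Win32.Obfuscated.kp skipped
"""

LINE_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Object is locked|Infected: \S+|Suspicious: \S+|"
    r"ZIP: (?:infected|suspicious) - \d+) skipped$"
)

# Assumption: folders where other tools (ComboFix's qoobox, Spybot's Recovery) park
# what they removed. A hit there is a leftover to purge, not a live infection.
QUARANTINE_MARKERS = ("\\qoobox\\quarantine\\", "\\spybot - search & destroy\\recovery\\")


def locate(path: str) -> str:
    """Classify where a detection sits: quarantined, inside a mail store, or live."""
    p = path.lower()
    if any(marker in p for marker in QUARANTINE_MARKERS):
        return "quarantined"
    if ".dbx" in p:  # assumption: an Outlook Express mail store (or a member of one)
        return "mail_archive"
    return "live"


def parse_line(line: str) -> Optional[dict]:
    """Split one report line into path, verdict kind, detection name and location."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, verdict = m.group("path"), m.group("verdict")
    if verdict == "Object is locked":
        kind, name = "locked", None          # file in use by the OS; normal, not a hit
    elif verdict.startswith("ZIP:"):
        kind, name = "container", None       # roll-up for an archive whose members are listed separately
    else:
        kind, name = verdict.split(": ", 1)  # "Infected"/"Suspicious" plus the detection name
        kind = kind.lower()
    return {"path": path, "kind": kind, "name": name, "location": locate(path)}


def summarise(report: str) -> dict:
    """Bucket every parsed line; detections are keyed by location, names are counted."""
    summary = {"locked": 0, "container": 0, "live": [], "mail_archive": [],
               "quarantined": [], "names": Counter()}
    for entry in filter(None, map(parse_line, report.splitlines())):
        if entry["kind"] in ("locked", "container"):
            summary[entry["kind"]] += 1
            continue
        summary[entry["location"]].append((entry["path"], entry["name"]))
        summary["names"][entry["name"]] += 1
    return summary


if __name__ == "__main__":
    s = summarise(SAMPLE_REPORT)
    print("locked (ignore):", s["locked"], " archive roll-ups:", s["container"])
    for bucket in ("live", "mail_archive", "quarantined"):
        print(bucket, len(s[bucket]))
        for path, name in s[bucket]:
            print("   ", name, "<-", path)
```

Run on the sample, the only "live" hit is the file in Temporary Internet Files; the mail-store hits are the stored spam the helper asks to be deleted, and the quarantined ones are leftovers from earlier clean-up tools. Archive roll-up lines are counted but not treated as separate detections, since the scanner already listed their members.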
pskelley
2007-11-01, 20:02
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Thanks for following the instructions and posting the correct information. It looks like a hidden Vundo infection and more, as you said. If you still want help I will do what I can, but it will not be easy; this infection can be hard to remove.
See this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\jre1.5.0_06\ <<< out of date and likely the reason you are infected, at least with Vundo. Download the newest version and uninstall all old versions in Add/Remove Programs.
C:\WINDOWS\system32\xaufrdts.dll <<< that O4 item is a clue Vundo is hidden, return here:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <<< rename HJT.exe, call it krtaylorjr.exe or whatever you wish. The next log should show the infection after a restart.
You have problems with how your email is being handled in Outlook Express and infected email is being accepted and stored.
Start here in the Kaspersky scan:
C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\Outlook Express.zip/Outlook Express/BostonColorGroup.dbx/[From FlagStar <aw-survey@flagstar.com>][Date Sat, 29 Jul 2006 01:45:01 -0400]/UNNAMED/UNNAMED/UNNAMED/html Infected: Trojan-Spy.HTML.Fraud.l skipped
and look for a long way down, you can see nothing but infected email. You need to navigate to those folders and delete all of that stuff.
I have not used OE email for many years so I am guessing you need to delete all email in the folder in red:
C:\Documents and Settings\Kenny\My Documents\Personal Work Files\Outlook Express\Emails\ <<< and that is just a guess. My suggestion is you delete all email you are storing in OE anywhere.
Please work on that so when you run a new Kaspersky scan we will not have to look at infected email again.
Follow the above instructions, keep the computer offline except when you are troubleshooting until we have it clean, and post a new HJT log.
Thanks
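The reply above reads the HijackThis log by three rules: an O4 entry where rundll32 loads an oddly named DLL from system32 is the Vundo indicator, "(file missing)" and "Unknown owner" services deserve a look, and an old JRE path explains how the machine got infected. As an added example, not from the thread or from HijackThis itself, here is a Python script that applies those rules to HJT v2 log lines. The sample lines are constructed from the log posted above; the "eight random letters" DLL heuristic and the JRE floor of 1.6.0_03 (the "version 6 release 3" build the poster later installed) are assumptions, not signatures.

```python
"""Apply the triage rules from the reply above to HijackThis v2 log lines."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a few lines in HijackThis v2 format, modelled on the entries
# discussed in the thread. Not the full log and not HijackThis output.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [14d9e7d3] rundll32.exe "C:\WINDOWS\system32\xaufrdts.dll",b
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S*)\s*$', re.IGNORECASE)
O23_RE = re.compile(r"^O23 - Service: (?P<service>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
JRE_RE = re.compile(r"\\jre1\.(\d+)\.(\d+)_(\d+)\\", re.IGNORECASE)

# Assumption: anything older than JRE 1.6.0_03 ("version 6 release 3", the build the
# poster later installed) is treated as out of date. Choose your own floor in practice.
MIN_JRE = (6, 0, 3)


def looks_like_vundo_loader(name: str, cmd: str) -> bool:
    """Heuristic for the Vundo-style O4 entry: rundll32 loading a DLL from system32
    whose file name is random letters, registered under a hex-looking Run value and
    called with a one-letter (or empty) export. A legitimate rundll32 entry such as
    NvCpl.dll,NvStartup has a recognisable DLL name and a named export."""
    m = RUNDLL_RE.match(cmd.strip())
    if not m:
        return False
    dll = m.group("dll").strip()
    base = dll.rsplit("\\", 1)[-1].lower()
    in_system32 = "\\system32\\" in dll.lower()
    random_name = re.fullmatch(r"[a-z]{8}\.dll", base) is not None   # assumption: 8 random letters
    hex_value = re.fullmatch(r"[0-9a-f]{8}", name.lower()) is not None
    terse_export = len(m.group("export")) <= 1
    return in_system32 and random_name and (hex_value or terse_export)


def jre_version(line: str) -> Optional[Tuple[int, ...]]:
    """Pull the JRE version out of a path such as ...\\Java\\jre1.5.0_06\\bin\\ssv.dll."""
    m = JRE_RE.search(line)
    return tuple(int(g) for g in m.groups()) if m else None


def triage_hjt(log_text: str) -> Dict[str, List[str]]:
    """Return the lines/services that the three rules above single out."""
    findings: Dict[str, List[str]] = {
        "vundo_loader": [],     # the O4 line to re-check after renaming HijackThis.exe
        "missing_service": [],  # O23 services whose binary is gone
        "unknown_owner": [],    # O23 services with no company string
        "old_java": [],         # JRE builds below MIN_JRE
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O4_RE.match(line)
        if m and looks_like_vundo_loader(m.group("name"), m.group("cmd")):
            findings["vundo_loader"].append(line)
        m = O23_RE.match(line)
        if m:
            # "C:\Program.exe (file missing)" is how HijackThis typically renders an
            # unquoted service path under C:\Program Files; still worth verifying.
            if "(file missing)" in m.group("path"):
                findings["missing_service"].append(m.group("service"))
            if m.group("owner") == "Unknown owner":
                findings["unknown_owner"].append(m.group("service"))
        v = jre_version(line)
        if v is not None and v < MIN_JRE:
            tag = "jre1.%d.%d_%02d" % v
            if tag not in findings["old_java"]:
                findings["old_java"].append(tag)
    return findings


if __name__ == "__main__":
    for key, items in triage_hjt(SAMPLE_HJT_LOG).items():
        print(key, items)
```

The script only narrows the log to what a helper would look at first; a flagged O4 line still has to be confirmed on the machine, and the renamed-HJT step in the reply exists precisely because the infection can hide entries from a scanner it recognises by file name.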
pskelley
2007-11-11, 16:51
No response in over a week, this topic is closed.
If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.
Anyone else with similar problems please start a new topic.
Thanks
krtaylorjr
2007-11-13, 04:25
I was able to remove my old JRE, and install the latest JRE to version 6 release 3.
I then renamed the HijackThis.exe to krtaylorjr.exe and restarted the computer.
I deleted the old emails out of the folder as suggested.
I then ran the Kaspersky scan and the results are listed below.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, November 12, 2007 12:59:23 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/11/2007
Kaspersky Anti-Virus database records: 456891
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Scan Statistics:
Total number of scanned objects: 246672
Number of viruses found: 10
Number of infected objects: 28
Number of suspicious objects: 2
Duration of the scan process: 03:41:54
Infected Object Name / Virus Name / Last Action
C:\check_LSA7.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/win27C.tmp.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Trend Micro\PC-cillin\log\pcc_S-1-5-21-1936098046-1786408217-178778969-1006u.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Trend Micro\PC-cillin\log\pcc_S-1-5-21-1936098046-1786408217-178778969-500.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Trend Micro\PC-cillin\log\pcc_S-1-5-21-1936098046-1786408217-178778969-501u.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Trend Micro\PC-cillin\log\TmPfw_S-1-5-21-1936098046-1786408217-178778969-500.log Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_349824892_196608_20649 Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_349824892_262144_20652 Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBE2.tmp Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{8B117EB9-88CF-442A-9E4B-AEF31700D2D5}.TmpSBE Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{A864603E-A4B1-41B8-987F-2868DAFB270F}.TmpSBE Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\Kenny\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kenny\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kenny\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kenny\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kenny\Local Settings\History\History.IE5\MSHist012007111220071113\index.dat Object is locked skipped
C:\Documents and Settings\Kenny\Local Settings\Temporary Internet Files\Content.IE5\B9ZNI49O\pochki20071106[1] Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Documents and Settings\Kenny\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kenny\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Kenny\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\oracle\ora92\network\agent\blackout.q Object is locked skipped
C:\oracle\ora92\network\agent\ereg.q Object is locked skipped
C:\oracle\ora92\network\agent\evocc1.q Object is locked skipped
C:\oracle\ora92\network\agent\job.q Object is locked skipped
C:\oracle\ora92\network\agent\jstat1.q Object is locked skipped
C:\oracle\ora92\network\agent\reco\service.vps Object is locked skipped
C:\oracle\ora92\network\agent\user.q Object is locked skipped
C:\oracle\ora92\network\log\agntsrvc.log Object is locked skipped
C:\oracle\ora92\network\log\dbsnmp.log Object is locked skipped
C:\oracle\ora92\network\log\OracleOraHome92Agent.nohup Object is locked skipped
C:\oracle\ora92\oramts\trace\OracleMTSRecoveryService(512).trc Object is locked skipped
C:\oracle\oradata\LOCAL\CONTROL01.CTL Object is locked skipped
C:\oracle\oradata\LOCAL\CONTROL02.CTL Object is locked skipped
C:\oracle\oradata\LOCAL\CONTROL03.CTL Object is locked skipped
C:\oracle\oradata\LOCAL\CWMLITE01.DBF Object is locked skipped
C:\oracle\oradata\LOCAL\DRSYS01.DBF Object is locked skipped
C:\oracle\oradata\LOCAL\EXAMPLE01.DBF Object is locked skipped
C:\oracle\oradata\LOCAL\INDX01.DBF Object is locked skipped
C:\oracle\oradata\LOCAL\ODM01.DBF Object is locked skipped
C:\oracle\oradata\LOCAL\REDO01.LOG Object is locked skipped
C:\oracle\oradata\LOCAL\SYSTEM01.DBF Object is locked skipped
C:\oracle\oradata\LOCAL\TEMP01.DBF Object is locked skipped
C:\oracle\oradata\LOCAL\TOOLS01.DBF Object is locked skipped
C:\oracle\oradata\LOCAL\UNDOTBS01.DBF Object is locked skipped
C:\oracle\oradata\LOCAL\USERS01.DBF Object is locked skipped
C:\oracle\oradata\LOCAL\XDB01.DBF Object is locked skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\10.tmp Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\11.tmp Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\12.tmp Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\1C.tmp Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\1D.tmp Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\1F.tmp Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\46.tmp Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\57.tmp Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\6C7.tmp Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\7.tmp Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\F.tmp Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\F0BC.tmp Infected: not-a-virus:Downloader.Win32.WinFixer.ao skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\F0C6.tmp Infected: Trojan.Win32.Dialer.qn skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\F0C9.tmp/xpdx.sys Infected: Trojan-Clicker.Win32.Costrat.bu skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\F0C9.tmp ZIP: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\F0C9.tmp CryptFF.b: infected - 1 skipped
C:\qoobox\Quarantine\C\WINDOWS\mgrs.exe.vir Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\drvhag.dll.vir Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP225\A0042399.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.agh skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP235\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{2C3B487D-594B-45F7-A0DC-2E3B1854F029}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{966DB568-0DD1-4D52-AECA-E863FF698C53}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\ivfnhwig.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\kraouahg.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\lquvecnh.dll Infected: Trojan.Win32.BHO.rf skipped
C:\WINDOWS\system32\pqyghxsh.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\pwhqihsr.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\rqrqrrp.dll Infected: Trojan-Downloader.Win32.Small.gnc skipped
C:\WINDOWS\system32\uwxprpbt.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\ylfrajpa.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
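The Kaspersky report above mixes three very different kinds of line: files the scanner could not open ("Object is locked skipped", almost all of them normal system files), detections sitting in places that are already neutralised (the Trend Micro Quarantine folder, ComboFix's qoobox folder, Spybot's Recovery backups, System Restore snapshots, the IE cache), and detections on live files under system32 that are still loadable. The script below is an added example, not part of the original post or of Kaspersky's tooling: it parses a constructed excerpt in the same layout as the report, separates those three classes, and lists only the live hits. The folder rules are assumptions about this machine's layout and would need adjusting for other quarantine tools.

```python
import re
from collections import Counter

# Constructed sample in the layout of the Kaspersky Online Scanner report posted above
# (path, then "Infected: <name> skipped", "Suspicious: <name> skipped",
# "Object is locked skipped", or an archive summary such as "ZIP: infected - 1 skipped").
SAMPLE_REPORT = r"""
C:\check_LSA7.txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/win27C.tmp.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Kenny\Local Settings\Temporary Internet Files\Content.IE5\B9ZNI49O\pochki20071106[1] Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\10.tmp Infected: Trojan.Win32.Agent.bck skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\F0C9.tmp/xpdx.sys Infected: Trojan-Clicker.Win32.Costrat.bu skipped
C:\Program Files\Trend Micro\Internet Security 14\Quarantine\F0C9.tmp ZIP: infected - 1 skipped
C:\qoobox\Quarantine\C\WINDOWS\mgrs.exe.vir Infected: Trojan-Downloader.Win32.Alphabet.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP225\A0042399.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.agh skipped
C:\WINDOWS\system32\ivfnhwig.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\lquvecnh.dll Infected: Trojan.Win32.BHO.rf skipped
C:\WINDOWS\system32\rqrqrrp.dll Infected: Trojan-Downloader.Win32.Small.gnc skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

# One report line: a path (which may contain spaces), then one of three status shapes.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:"
    r"(?P<locked>Object is locked)"
    r"|(?P<verdict>Infected|Suspicious): (?P<name>\S+)"
    r"|(?P<archive>\S+): (?P<averdict>infected|suspicious) - (?P<count>\d+)"
    r") skipped$"
)

# Where a detection lives decides whether it is still a threat. These folder patterns
# are assumptions about this machine: Trend Micro's Quarantine, ComboFix's qoobox and
# Spybot's Recovery folder hold copies already taken out of use; a System Restore
# snapshot or the IE cache is inert until it is restored or re-executed.
LOCATION_RULES = [
    ("quarantine", re.compile(r"\\Quarantine\\|\\qoobox\\|\\Spybot - Search & Destroy\\Recovery\\", re.I)),
    ("restore_point", re.compile(r"\\System Volume Information\\_restore", re.I)),
    ("browser_cache", re.compile(r"\\Temporary Internet Files\\", re.I)),
]

def classify_location(path):
    for label, pattern in LOCATION_RULES:
        if pattern.search(path):
            return label
    return "live"

def parse_report(text):
    """One dict per report line; archive summaries are tagged separately so they are
    not double counted against the file-level hit inside the archive."""
    records = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unknown layout: keep triaging rather than abort
        if m.group("locked"):
            kind, name = "locked", None
        elif m.group("verdict"):
            kind, name = m.group("verdict").lower(), m.group("name")
        else:
            kind, name = "archive_summary", m.group("archive")
        records.append({"path": m.group("path"), "kind": kind, "name": name,
                        "location": classify_location(m.group("path"))})
    return records

def triage(text):
    """Counts per line kind and per location, the malware families seen, and the
    live paths (not quarantined, cached or in a restore point) that still need action."""
    records = parse_report(text)
    hits = [r for r in records if r["kind"] in ("infected", "suspicious")]
    return {
        "kinds": Counter(r["kind"] for r in records),
        "locations": Counter(r["location"] for r in hits),
        "live": sorted(r["path"] for r in hits if r["location"] == "live"),
        "families": Counter(r["name"].rsplit(".", 1)[0] for r in hits if r["kind"] == "infected"),
    }

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for path in result["live"]:
        print("LIVE:", path)
    print(result["kinds"])
    print(result["locations"])
```

Run against the full report the same way; the point is that the ten "viruses found" collapse to three files actually loadable from system32, which is what the helper needs to act on, while the quarantine and restore-point hits are cleaned up by emptying those stores later.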
pskelley
2007-11-18, 14:50
I apologize; I am not sure what happened here, as I am helping a bunch of folks. It looks like you did not respond for around ten days, so I closed the topic, then reopened it. I am supposed to be notified when you post and this did not happen. I always respond within 24 hours of a post, so if it happens again, please PM me and make me aware.
http://forums.spybot.info/member.php?find=lastposter&t=20118
Please read the instructions in my post #3, let me know about anything there you could not complete and why.
I will not need another Kaspersky scan until I request it. What I need now is a new HJT log with the executable renamed as in the instructions. Include any malware symptoms you are experiencing and any error messages you receive "word for word".
Thanks...Phil
krtaylorjr
2007-11-18, 15:20
duplicate posts
krtaylorjr
2007-11-18, 15:23
duplicate posts
krtaylorjr
2007-11-18, 15:26
Sorry that I misread your response. Below is a piece-by-piece:
- Read the BEFORE YOU POST successfully
- Removed old JRE versions successfully
- Updated the JRE successfully
- Renamed HijackThis.exe to krtaylorjr.exe
- Executed this morning and the log will be posted below
- Deleted email in question
- Ran the Kaspersky scan again; posted the log above.
- Computer is offline except to post and read this forum
- In addition, the current errors I am receiving include: every time I open a browser, a secondary browser opens with a random site. The location rotates; the latest is
http://www.cyber-defender.com/EDC/landing/10/?affl=IceWaterMedia_p2d&campaign_code=382833&int_page=1
It is also keeping me from posting on this site; it is hanging and will not submit. If you are reading this, then I would say it worked once.
Below is the log from the renamed HijackThis.exe run:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:06:33 AM, on 11/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\pgcogfmr.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\oracle\ora92\bin\agntsrvc.exe
c:\oracle\ora92\bin\ORACLE.EXE
C:\WINDOWS\system32\cmd.exe
C:\oracle\ora92\bin\dbsnmp.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\krtaylorjr.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/?rd=nux
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061228
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {232D2677-68EE-4FA1-B988-279EBC8969ED} - C:\WINDOWS\system32\awtqoon.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Flash Module - {68D5BBF9-EED5-4125-B227-55F81540BF4D} - simcard1.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\system32\diwrvkhp.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: (no name) - {D5A908DF-A0D4-42E1-B076-3ACDF223855E} - C:\WINDOWS\system32\ddccc.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [14d9e7d3] rundll32.exe "C:\WINDOWS\system32\hvfgdefy.dll",b
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174777112439
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O20 - Winlogon Notify: awtqoon - C:\WINDOWS\SYSTEM32\awtqoon.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\pgcogfmr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe (file missing)
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe (file missing)
O23 - Service: OracleServiceLOCAL - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
--
End of file - 10212 bytes
krtaylorjr
2007-11-18, 15:58
I was trying to submit, and the computer is having a hard time with IE. As I stated above, additional windows to random sites are opening, and when I was pressing the submission button it would hold for a few minutes and give me a page not found error. Sorry. I am on another computer now reading the post.
pskelley
2007-11-18, 16:42
No problem, these remote repairs are not the easiest things to do.
"It is also keeping me from posting on this site, it is hanging and will not submit, if you are reading then I would say it worked once."
The forum software has been having problems today; that is likely the reason. To cut down on the amount of information we have to look at, I will edit out the posts at: Today, 08:20 and Today, 08:23.
Read and follow the directions carefully:
1) http://vundofix.atribune.org/ <<< tutorial
"Download VundoFix" to your Desktop
http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
*****Note: It is possible that VundoFix encountered a file it could not remove.*****
In this case, VundoFix will attempt to run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
2) Thanks to sUBs and anyone else who helped with this fix.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
Post the Vundofix report, combofix log and a new HJT log
Thanks
krtaylorjr
2007-11-18, 21:56
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:54:35 PM, on 11/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\oracle\ora92\bin\agntsrvc.exe
c:\oracle\ora92\bin\ORACLE.EXE
C:\WINDOWS\system32\cmd.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\oracle\ora92\bin\dbsnmp.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\krtaylorjr.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/?rd=nux
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061228
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Flash Module - {68D5BBF9-EED5-4125-B227-55F81540BF4D} - simcard1.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [14d9e7d3] rundll32.exe "C:\WINDOWS\system32\jsqldfpw.dll",b
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174777112439
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe (file missing)
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe (file missing)
O23 - Service: OracleServiceLOCAL - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
--
End of file - 9809 bytes
krtaylorjr
2007-11-18, 21:59
ComboFix 07-11-08.1 - Kenny 2007-11-18 14:45:33.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1136 [GMT -5:00]
Running from: C:\Documents and Settings\Kenny\Desktop\ComboFix.exe
* Created a new restore point
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\check_LSA7.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\cccdd.bak1
C:\WINDOWS\system32\cccdd.bak2
C:\WINDOWS\system32\cccdd.ini
C:\WINDOWS\system32\cccdd.ini2
C:\WINDOWS\system32\cccdd.tmp
C:\WINDOWS\system32\ddccc.dll
C:\WINDOWS\system32\gqaeqctl.dll
C:\WINDOWS\system32\ltcqeaqg.ini
C:\WINDOWS\system32\otmfikaq.dll
C:\WINDOWS\system32\qakifmto.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\DomainService
((((((((((((((((((((((((( Files Created from 2007-10-18 to 2007-11-18 )))))))))))))))))))))))))))))))
.
2007-11-18 14:47 85,056 --a------ C:\WINDOWS\system32\jsqldfpw.dll
2007-11-18 14:42 71,232 --a------ C:\WINDOWS\system32\eqrecqgh.exe
2007-11-18 14:21 <DIR> d-------- C:\VundoFix Backups
2007-11-18 14:09 71,232 --a------ C:\WINDOWS\system32\xbvinekx.exe
2007-11-18 10:52 71,232 --a------ C:\WINDOWS\system32\nnawqqhy.exe
2007-11-18 08:04 71,232 --a------ C:\WINDOWS\system32\ucjrteme.exe
2007-11-17 10:19 71,232 --a------ C:\WINDOWS\system32\jjxvftcy.exe
2007-11-16 07:41 71,232 --a------ C:\WINDOWS\system32\pgcogfmr.exe
2007-11-16 07:19 71,232 --a------ C:\WINDOWS\system32\jefugnfx.exe
2007-11-15 12:18 85,056 --a------ C:\WINDOWS\system32\fqsefqaq.dll
2007-11-15 12:15 71,232 --a------ C:\WINDOWS\system32\aprtlspg.exe
2007-11-12 10:12 71,232 --a------ C:\WINDOWS\system32\kraouahg.exe
2007-11-12 08:28 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-12 08:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-11-11 10:13 88,128 --a------ C:\WINDOWS\system32\mnnvwvym.dll
2007-11-11 10:10 71,232 --a------ C:\WINDOWS\system32\uwxprpbt.exe
2007-11-09 16:08 88,128 --a------ C:\WINDOWS\system32\dokgqdih.dll
2007-11-09 16:05 71,232 --a------ C:\WINDOWS\system32\ivfnhwig.exe
2007-11-08 16:07 71,232 --a------ C:\WINDOWS\system32\pwhqihsr.exe
2007-11-07 16:09 86,080 --a------ C:\WINDOWS\system32\cnkfearr.dll
2007-11-07 16:06 71,232 --a------ C:\WINDOWS\system32\pqyghxsh.exe
2007-11-06 16:07 87,104 --a------ C:\WINDOWS\system32\pneurcek.dll
2007-11-06 16:04 71,232 --a------ C:\WINDOWS\system32\ylfrajpa.exe
2007-11-04 14:47 86,080 --a------ C:\WINDOWS\system32\lquvecnh.dll
2007-11-01 16:33 <DIR> d-------- C:\Program Files\iPod
2007-10-25 09:09 <DIR> d-------- C:\temp_dvd
2007-10-25 09:08 <DIR> d-------- C:\Program Files\Dvd-cloner
2007-10-22 13:38 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-22 13:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-10-19 19:23 <DIR> d-------- C:\Program Files\Adsense Helper Object
2007-10-19 16:38 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-10-19 07:19 1 --a------ C:\WINDOWS\system32\rc.dat
2007-10-19 07:19 1 --a------ C:\WINDOWS\system32\ps1.dat
2007-10-19 07:19 1 --a------ C:\WINDOWS\system32\cookie1.dat
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-12 13:09 --------- d-----w C:\Program Files\Java
2007-11-01 21:33 --------- d-----w C:\Program Files\iTunes
2007-11-01 21:27 --------- d-----w C:\Program Files\Apple Software Update
2007-10-29 21:13 --------- d-----w C:\Program Files\Trend Micro
2007-10-20 18:56 --------- d-----w C:\Program Files\PokerStars
2007-10-20 00:27 --------- d-----w C:\Program Files\Common Files\AOL
2007-10-20 00:27 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-10-20 00:22 --------- d-----w C:\Program Files\WildTangent
2007-10-04 18:57 --------- d-----w C:\Documents and Settings\Kenny\Application Data\GetRightToGo
2007-10-04 18:57 --------- d-----w C:\DOCUME~1\Kenny\APPLIC~1\GetRightToGo
2007-10-04 18:43 --------- d-----w C:\Program Files\Turbine
2007-10-01 18:49 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-10-01 14:51 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\DVD Shrink
2007-09-25 20:34 --------- d-----w C:\Documents and Settings\Kenny\Application Data\Sonic
2007-09-25 20:34 --------- d-----w C:\DOCUME~1\Kenny\APPLIC~1\Sonic
2007-05-08 13:01:09 56 --sh--r C:\WINDOWS\system32\3C806A7AF9.sys
2007-03-01 18:03:01 88 --sh--r C:\WINDOWS\system32\F97A6A803C.sys
.
((((((((((((((((((((((((((((( snapshot@2007-10-22_14.46.29.26 )))))))))))))))))))))))))))))))))))))))))
.
krtaylorjr
2007-11-18, 22:08
Attempting to attach the ComboFix log; it is big enough to fill 8 posts.
Where would the vundo fix log be?
Found the backup files (this is the only file that needed to be addressed after restarting):
- C:\windows\system32\awtqoon.dll
Other files included:
- awtqoon.dll.bad
- diwrvkhp.dll.bad
- rqrqrrp.dll.bad
- vtusrqp.dll.bad
- yayawut.dll.bad
pskelley
2007-11-18, 22:58
Thanks for returning your information. I have no idea why that ComboFix log is so large; do you know what all of that junk is in the snapshot@2007-10-22_14.46.29.26?
Look for the file from Vundofix on your C:\ as VundoFix.txt. Post that as soon as you locate it.
This is tough because of all the information and no Vundofix report to see if it removed any of these files. These are Vundo files created at the time of the infection that have not been deleted yet.
How did you get this computer so infected? I don't want to use combofix to delete these because of that huge log. Vundofix will delete six at a time like this:
Open Vundofix by double-clicking on it, then point your mouse to the white box above the buttons and right click, then click on Add More Files. When the next window opens, copy and paste the files into the boxes and click on Add File(s), then click on Close Window. Then click Remove Vundo.
Or you can delete them manually one at a time, just be careful. You will need all files and folders visible to see them:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
(delete the files NOT the folder)
C:\WINDOWS\system32\jsqldfpw.dll
C:\WINDOWS\system32\eqrecqgh.exe
C:\WINDOWS\system32\xbvinekx.exe
C:\WINDOWS\system32\nnawqqhy.exe
C:\WINDOWS\system32\ucjrteme.exe
C:\WINDOWS\system32\jjxvftcy.exe
C:\WINDOWS\system32\pgcogfmr.exe
C:\WINDOWS\system32\jefugnfx.exe
C:\WINDOWS\system32\fqsefqaq.dll
C:\WINDOWS\system32\aprtlspg.exe
C:\WINDOWS\system32\kraouahg.exe
C:\WINDOWS\system32\mnnvwvym.dll
C:\WINDOWS\system32\uwxprpbt.exe
C:\WINDOWS\system32\dokgqdih.dll
C:\WINDOWS\system32\ivfnhwig.exe
C:\WINDOWS\system32\pwhqihsr.exe
C:\WINDOWS\system32\cnkfearr.dll
C:\WINDOWS\system32\pqyghxsh.exe
C:\WINDOWS\system32\pneurcek.dll
C:\WINDOWS\system32\ylfrajpa.exe
C:\WINDOWS\system32\lquvecnh.dll
When you have deleted those, restart the computer and run, then post a new Kaspersky scan results to see what is left.
Thanks
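The list of Vundo files above was picked out of the ComboFix "Files Created" block by eye. As an added example (not from the thread, and not ComboFix or VundoFix code), the script below parses that block and reproduces the same list from the log entries, using the pattern visible in this log: eight-letter random names under system32, .dll/.exe pairs created minutes apart, and repeated byte sizes. The sample log is the thread's own entries plus one constructed decoy line (browseui.dll, a legitimate Windows file) to show why name shape alone is not enough.

```python
"""Triage the 'Files Created' block of a ComboFix log for Vundo-style droppers.

Added example, not from the thread and not ComboFix/VundoFix code. It automates
what the helper did by eye: system32 files with eight-letter pseudo-random names,
dropped as .dll/.exe pairs minutes apart and sharing a few byte sizes. Name shape
alone is not enough (browseui.dll is a legitimate eight-letter name), so a second
signal is required before a path is flagged.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+([\d,]+|<DIR>)\s+\S+\s+(.+?)\s*$")
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.(dll|exe)$")  # case-sensitive on purpose
SYSTEM32 = "c:\\windows\\system32\\"

# Constructed sample: the thread's real 'Files Created' entries plus one decoy
# line for browseui.dll (a genuine Windows file) to exercise the corroboration step.
SAMPLE_LOG = r"""
((((((((((((((((((((((((( Files Created from 2007-10-18 to 2007-11-18 )))))))))))))))))))))))))))))))
.
2007-11-18 14:47 85,056 --a------ C:\WINDOWS\system32\jsqldfpw.dll
2007-11-18 14:42 71,232 --a------ C:\WINDOWS\system32\eqrecqgh.exe
2007-11-18 14:21 <DIR> d-------- C:\VundoFix Backups
2007-11-18 14:09 71,232 --a------ C:\WINDOWS\system32\xbvinekx.exe
2007-11-18 10:52 71,232 --a------ C:\WINDOWS\system32\nnawqqhy.exe
2007-11-18 08:04 71,232 --a------ C:\WINDOWS\system32\ucjrteme.exe
2007-11-17 10:19 71,232 --a------ C:\WINDOWS\system32\jjxvftcy.exe
2007-11-16 07:41 71,232 --a------ C:\WINDOWS\system32\pgcogfmr.exe
2007-11-16 07:19 71,232 --a------ C:\WINDOWS\system32\jefugnfx.exe
2007-11-15 12:18 85,056 --a------ C:\WINDOWS\system32\fqsefqaq.dll
2007-11-15 12:15 71,232 --a------ C:\WINDOWS\system32\aprtlspg.exe
2007-11-12 10:12 71,232 --a------ C:\WINDOWS\system32\kraouahg.exe
2007-11-11 10:13 88,128 --a------ C:\WINDOWS\system32\mnnvwvym.dll
2007-11-11 10:10 71,232 --a------ C:\WINDOWS\system32\uwxprpbt.exe
2007-11-09 16:08 88,128 --a------ C:\WINDOWS\system32\dokgqdih.dll
2007-11-09 16:05 71,232 --a------ C:\WINDOWS\system32\ivfnhwig.exe
2007-11-08 16:07 71,232 --a------ C:\WINDOWS\system32\pwhqihsr.exe
2007-11-07 16:09 86,080 --a------ C:\WINDOWS\system32\cnkfearr.dll
2007-11-07 16:06 71,232 --a------ C:\WINDOWS\system32\pqyghxsh.exe
2007-11-06 16:07 87,104 --a------ C:\WINDOWS\system32\pneurcek.dll
2007-11-06 16:04 71,232 --a------ C:\WINDOWS\system32\ylfrajpa.exe
2007-11-04 14:47 86,080 --a------ C:\WINDOWS\system32\lquvecnh.dll
2007-10-30 09:00 1,022,976 --a------ C:\WINDOWS\system32\browseui.dll
2007-10-19 16:38 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
"""


def parse_created_section(log_text):
    """Return (timestamp, size_bytes, path) for each file in 'Files Created'."""
    entries, in_section = [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if "Files Created from" in line:
            in_section = True
            continue
        if in_section and line.startswith("(((("):  # next banner ends the block
            break
        m = LINE_RE.match(line) if in_section else None
        if not m or m.group(2) == "<DIR>":            # skip noise and directories
            continue
        stamp = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M")
        entries.append((stamp, int(m.group(2).replace(",", "")), m.group(3)))
    return entries


def triage(entries, pair_window=timedelta(minutes=10)):
    """Paths that look like Vundo droppers, in the order ComboFix listed them.

    Flag a random-named system32 file only with a second signal: another
    candidate of identical size, or one with the other extension created
    within pair_window (in this log each .dll arrives minutes from an .exe).
    """
    candidates = [
        (stamp, size, path) for stamp, size, path in entries
        if path.lower().startswith(SYSTEM32)
        and RANDOM_NAME_RE.match(path.rsplit("\\", 1)[-1])
    ]
    size_seen = Counter(size for _, size, _ in candidates)
    flagged = []
    for stamp, size, path in candidates:
        ext = path[-3:]
        paired = any(
            abs(stamp - other_stamp) <= pair_window and other_path[-3:] != ext
            for other_stamp, _, other_path in candidates if other_path != path
        )
        if size_seen[size] > 1 or paired:
            flagged.append(path)
    return flagged


if __name__ == "__main__":
    for path in triage(parse_created_section(SAMPLE_LOG)):
        print(path)
```

Run against the sample it prints the same 21 paths the helper listed, and leaves the browseui.dll decoy and msxml3a.dll alone; on a real log, treat the output as a review list, not a delete list.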
krtaylorjr
2007-11-19, 01:47
VundoFix V6.6.2
Checking Java version...
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Scan started at 2:21:42 PM 11/18/2007
Listing files found while scanning....
C:\windows\system32\awtqoon.dll
C:\WINDOWS\system32\diwrvkhp.dll
C:\windows\system32\rqrqrrp.dll
C:\windows\system32\vtusrqp.dll
C:\windows\system32\yayawut.dll
Beginning removal...
Attempting to delete C:\windows\system32\awtqoon.dll
C:\windows\system32\awtqoon.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\diwrvkhp.dll
C:\WINDOWS\system32\diwrvkhp.dll Has been deleted!
Attempting to delete C:\windows\system32\rqrqrrp.dll
C:\windows\system32\rqrqrrp.dll Has been deleted!
Attempting to delete C:\windows\system32\vtusrqp.dll
C:\windows\system32\vtusrqp.dll Has been deleted!
Attempting to delete C:\windows\system32\yayawut.dll
C:\windows\system32\yayawut.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.6.2
Checking Java version...
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Scan started at 2:34:30 PM 11/18/2007
Listing files found while scanning....
C:\windows\system32\awtqoon.dll
Beginning removal...
Attempting to delete C:\windows\system32\awtqoon.dll
C:\windows\system32\awtqoon.dll Has been deleted!
Performing Repairs to the registry.
Done!
krtaylorjr
2007-11-19, 14:26
Below is the Kaspersky file, which seemed to take forever to run this time. Only two items were detected. As for the rather large ComboFix log, my virus scan was still active and I think it deleted one of the dump files that ComboFix installs. That caused more problems later on (and a larger file). I didn't touch anything and noticed after that that the file was included in the virus notifications. I did try to run ComboFix again and it said it was expired. Is that a one-time-run app?
Below is the log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, November 19, 2007 7:22:15 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/11/2007
Kaspersky Anti-Virus database records: 461392
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Scan Statistics:
Total number of scanned objects: 238342
Number of viruses found: 1
Number of infected objects: 0
Number of suspicious objects: 2
Duration of the scan process: 02:57:14
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/win27C.tmp.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Trend Micro\PC-cillin\log\pcc_S-1-5-21-1936098046-1786408217-178778969-1006u.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Trend Micro\PC-cillin\log\pcc_S-1-5-21-1936098046-1786408217-178778969-500.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Trend Micro\PC-cillin\log\pcc_S-1-5-21-1936098046-1786408217-178778969-501u.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Trend Micro\PC-cillin\log\TmPfw_S-1-5-21-1936098046-1786408217-178778969-500.log Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_349824892_1245184_20425 Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\MSDVRMM_349824892_262144_20428 Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBEB.tmp Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\TempSBE\SBEC.tmp Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{20F455B5-BCE9-4F17-A980-54C015C140A9}.TmpSBE Object is locked skipped
C:\Documents and Settings\All Users\Documents\Recorded TV\TempRec\{C62341B2-FCF9-463A-AB22-FDA113747A81}.TmpSBE Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\Kenny\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kenny\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kenny\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kenny\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kenny\Local Settings\History\History.IE5\MSHist012007111820071119\index.dat Object is locked skipped
C:\Documents and Settings\Kenny\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kenny\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Kenny\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\oracle\ora92\network\agent\blackout.q Object is locked skipped
C:\oracle\ora92\network\agent\ereg.q Object is locked skipped
C:\oracle\ora92\network\agent\evocc1.q Object is locked skipped
C:\oracle\ora92\network\agent\job.q Object is locked skipped
C:\oracle\ora92\network\agent\jstat1.q Object is locked skipped
C:\oracle\ora92\network\agent\reco\service.vps Object is locked skipped
C:\oracle\ora92\network\agent\user.q Object is locked skipped
C:\oracle\ora92\network\log\agntsrvc.log Object is locked skipped
C:\oracle\ora92\network\log\dbsnmp.log Object is locked skipped
C:\oracle\ora92\network\log\OracleOraHome92Agent.nohup Object is locked skipped
C:\oracle\ora92\oramts\trace\OracleMTSRecoveryService(1792).trc Object is locked skipped
C:\oracle\oradata\LOCAL\CONTROL01.CTL Object is locked skipped
C:\oracle\oradata\LOCAL\CONTROL02.CTL Object is locked skipped
C:\oracle\oradata\LOCAL\CONTROL03.CTL Object is locked skipped
C:\oracle\oradata\LOCAL\CWMLITE01.DBF Object is locked skipped
C:\oracle\oradata\LOCAL\DRSYS01.DBF Object is locked skipped
C:\oracle\oradata\LOCAL\EXAMPLE01.DBF Object is locked skipped
C:\oracle\oradata\LOCAL\INDX01.DBF Object is locked skipped
C:\oracle\oradata\LOCAL\ODM01.DBF Object is locked skipped
C:\oracle\oradata\LOCAL\REDO01.LOG Object is locked skipped
C:\oracle\oradata\LOCAL\SYSTEM01.DBF Object is locked skipped
C:\oracle\oradata\LOCAL\TEMP01.DBF Object is locked skipped
C:\oracle\oradata\LOCAL\TOOLS01.DBF Object is locked skipped
C:\oracle\oradata\LOCAL\UNDOTBS01.DBF Object is locked skipped
C:\oracle\oradata\LOCAL\USERS01.DBF Object is locked skipped
C:\oracle\oradata\LOCAL\XDB01.DBF Object is locked skipped
C:\Program Files\HP\hpcoretech\hpcmerr.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP241\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{324CB52C-D877-412F-807A-2DC48809EA1D}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
pskelley
2007-11-19, 15:12
I did try to run combofix again and it said it was expired.
This is an issue with the software that we are waiting patiently for the creator to correct.
This has been an especially bad infection. Can you assure me you were able to successfully delete the list of Vundo files I posted? They are not showing in the Kaspersky scan, so they should be gone.
KASPERSKY ONLINE SCANNER REPORT Monday, November 19, 2007 7:22:15 AM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/win27C.tmp.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip ZIP: suspicious - 1 skipped
Please empty the Recovery folder in Spybot S&D:
http://ict.cas.psu.edu/training/howto/util/removespybot.htm#1
Post a new HJT log and let me know about any malware issues. Include any information I requested.
Thanks
krtaylorjr
2007-11-19, 20:17
I was able to successfully delete all the files you mentioned.
I was able to remove all the backed up items from S&D.
I ran HijackThis and the log is included below.
I haven't noticed anything yet with malware; it seems to have subsided for the time being, but I don't know if anything is hidden.
-------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:14:34 PM, on 11/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\oracle\ora92\bin\agntsrvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
c:\oracle\ora92\bin\ORACLE.EXE
C:\WINDOWS\system32\cmd.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\oracle\ora92\bin\dbsnmp.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Trend Micro\HijackThis\krtaylorjr.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/?rd=nux
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061228
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: Flash Module - {68D5BBF9-EED5-4125-B227-55F81540BF4D} - simcard1.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [14d9e7d3] rundll32.exe "C:\WINDOWS\system32\jsqldfpw.dll",b
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174777112439
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe (file missing)
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe (file missing)
O23 - Service: OracleServiceLOCAL - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
--
End of file - 9686 bytes
pskelley
2007-11-19, 21:13
Thanks for returning your information and the feedback :bigthumb: We have more to do; please let me know if you have issues with any of these instructions.
Do you know what this is: O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
If not, we will remove it; ignore the instruction to do so if you know what it is.
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
3) Disable the Service
Click Start > Run and type services.msc
Scroll down to MySQL and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: Flash Module - {68D5BBF9-EED5-4125-B227-55F81540BF4D} - simcard1.dll (file missing)
O4 - HKLM\..\Run: [14d9e7d3] rundll32.exe "C:\WINDOWS\system32\jsqldfpw.dll",b
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
5) RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\Program.exe <<< delete that file
C:\WINDOWS\system32\jsqldfpw.dll <<< delete that file (it is important that we delete this one, if it gives you trouble, do this)
How to use the Delete on Reboot tool
http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb
Start Hijackthis
Click on the Config button
Click on the Misc Tools button
Click on the button labeled Delete a file on reboot...
A new window will open asking you to select the file that you would like to delete on reboot. Navigate to the file: C:\WINDOWS\SYSTEM32\jsqldfpw.dll and click on it once, and then click on the Open button.
You will now be asked if you would like to reboot your computer to delete the file. Click on the Yes button if you would like to reboot now.
6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Post a new HJT log and let me know if all went as instructed.
Thanks
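The three entries pskelley singles out above share traits an analyst learns to spot in a HijackThis log: a Run value with a random-looking hex name that loads a system32 DLL through rundll32, a BHO whose DLL cannot be found at the registered path, and a service with an unknown owner and a missing binary. The following Python script is an added example, not code from the thread or from the HijackThis project; it parses lines in HijackThis format and ranks such entries for review. The sample log is a handful of lines copied from the log above, the regular expressions and the `KNOWN_ROOTS` allowlist are the example's own assumptions, and the Oracle listener line is included deliberately to show why a bare "unknown owner, file missing" rule needs an allowlist for software the user actually has installed.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample input: HijackThis lines copied from the log in this thread,
# mixing the three entries the helper asked the poster to fix with benign ones.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Flash Module - {68D5BBF9-EED5-4125-B227-55F81540BF4D} - simcard1.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [14d9e7d3] rundll32.exe "C:\WINDOWS\system32\jsqldfpw.dll",b
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Hypothetical allowlist: install roots the analyst has already accounted for.
# The poster has Oracle 9.2 installed, so its orphaned services are low priority.
KNOWN_ROOTS = (r"c:\oracle\ora92",)

# Line shapes for the three HijackThis sections we triage (assumed formats,
# derived from the lines in this thread).
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - \{[0-9A-Fa-f-]+\} - (?P<path>.+?)(?P<missing> \(file missing\))?$")
SVC_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
# A Run value name made only of hex digits with both letters and digits, e.g. 14d9e7d3.
RANDOM_NAME_RE = re.compile(r"^(?=.*\d)(?=.*[a-f])[0-9a-f]{6,}$")
# rundll32 launching a DLL, quoted or not, e.g. rundll32.exe "C:\...\x.dll",b
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)

Finding = Tuple[str, str, str]  # (severity, reason, original line)


def triage_line(line: str) -> Optional[Finding]:
    """Return a finding for one HijackThis line, or None if it looks ordinary."""
    line = line.rstrip()

    m = RUN_RE.match(line)
    if m:
        if RANDOM_NAME_RE.match(m.group("name")) and RUNDLL_RE.search(m.group("cmd")):
            return ("high", "random-looking Run value loading a DLL via rundll32", line)
        return None

    m = BHO_RE.match(line)
    if m and m.group("missing"):
        return ("medium", "BHO whose DLL cannot be found at the registered path", line)

    m = SVC_RE.match(line)
    if m and m.group("missing") and m.group("owner") == "Unknown owner":
        if m.group("path").lower().startswith(KNOWN_ROOTS):
            return ("low", "orphaned service under a known install root", line)
        return ("medium", "service with unknown owner and missing binary", line)

    return None


def triage_log(text: str) -> List[Finding]:
    """Triage every line of a HijackThis log, highest severity first."""
    findings = [f for f in (triage_line(l) for l in text.splitlines()) if f]
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[0]])  # stable: input order within a tier


if __name__ == "__main__":
    for severity, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
```

Run against the sample, the script lists the `14d9e7d3` Run value first, then the orphaned "Flash Module" BHO and the MySQL service, and puts the Oracle listener last because its path sits under the allowlisted Oracle home. The output is a list of candidates for a human to confirm, which is exactly the division of labour in this thread: the helper reads the log, decides, and then tells the poster which lines to fix.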
krtaylorjr
2007-11-19, 23:33
I do not know what Program.exe is, and was not able to find it. I do know what MySQL is, but that service was not running, nor was I able to start it. In the meantime I did set it to disabled.
I deleted two of the files (Program.exe was not found this time). I did not receive any issue with deleting that file.
I ran the ATF successfully.
I then ran the HJT and the log is as follows:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:30:11 PM, on 11/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
C:\WINDOWS\System32\DLA\DLACTRLW.EXE
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\oracle\ora92\bin\omtsreco.exe
C:\oracle\ora92\bin\agntsrvc.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\NETGEAR\WG111 Configuration Utility\WG111CFG.exe
c:\oracle\ora92\bin\ORACLE.EXE
C:\WINDOWS\system32\cmd.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\oracle\ora92\bin\dbsnmp.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Trend Micro\HijackThis\krtaylorjr.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://cm.my.yahoo.com/?rd=nux
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=6061228
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [CTDVDDET] "C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE"
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMBgMonitor.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01A88BB1-1174-41EC-ACCB-963509EAE56B} (SysProWmi Class) - http://support.dell.com/systemprofiler/SysPro.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1174777112439
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} (Shutterfly Picture Upload Plugin) - http://web1.shutterfly.com/downloads/Uploader.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\ora92\bin\omtsreco.exe
O23 - Service: OracleOraHome92Agent - Oracle Corporation - C:\oracle\ora92\bin\agntsrvc.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92HTTPServer - Unknown owner - C:\oracle\ora92\Apache\Apache\apache.exe (file missing)
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: OracleOraHome92TNSListener - Unknown owner - C:\oracle\ora92\BIN\TNSLSNR.exe (file missing)
O23 - Service: OracleServiceLOCAL - Oracle Corporation - c:\oracle\ora92\bin\ORACLE.EXE
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PDAgent - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDAgent.exe
O23 - Service: PDEngine - Raxco Software, Inc. - C:\Program Files\Raxco\PerfectDisk\PDEngine.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
--
End of file - 9480 bytes
pskelley
2007-11-20, 00:45
Thanks for returning your information and the feedback; this HJT log is clean :bigthumb: How is the computer running now?
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
krtaylorjr
2007-11-21, 06:36
So far things are looking good. I am going to monitor for a day or two more and confirm. Thanks so much for your help so far, this has been great.
This topic has been moved to archives. :)
If you need the thread re-opened, please send me a private message (pm) and provide a link to the closed topic.
Applies only to the original poster, anyone else with similar problems please start your own topic.