Having trouble removing Smitfraud-C and possibly others



gcw12
2007-10-30, 17:59
Hello there,

I'm having trouble removing Smitfraud and according to the Kaspersky Online Scanner, probably some other things as well.

Also, since I was scanning these forums earlier, I did download smitfraudfix v2.244, however I have not cleaned up/fixed anything with it.

Furthermore, before I found out about Spybot, I was trying to track down suspicious items on my own. There were a number of suspicious .dll files in my c:\windows\system32 directory that were created for no apparent reason around the time when I started having spy/malware problems. So, I moved most of these files into a separate directory named "quarantine" on my desktop - you can see their filenames on the kaspersky report below. I say most of those files were moved because I deleted one or two of the .dll files in a desperate move to solve my problems.

In any event, I will post the Kaspersky and HJT logs below. Thank you so much for your help!

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, October 30, 2007 9:59:47 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/10/2007
Kaspersky Anti-Virus database records: 448570
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
F:\
G:\
Z:\

Scan Statistics:
Total number of scanned objects: 542279
Number of viruses found: 12
Number of infected objects: 30
Number of suspicious objects: 0
Duration of the scan process: 06:28:57

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Gerald Wang\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Gerald Wang\Desktop\quarantine\fccabba.dll Infected: Trojan-Downloader.Win32.Agent.epy skipped
C:\Documents and Settings\Gerald Wang\Desktop\quarantine\ldcore.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\Documents and Settings\Gerald Wang\Desktop\quarantine\vtuuvwv.dll Infected: Trojan-Downloader.Win32.Agent.epy skipped
C:\Documents and Settings\Gerald Wang\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Gerald Wang\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Gerald Wang\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Gerald Wang\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Gerald Wang\Local Settings\Application Data\Identities\{715CEABA-B505-495D-857D-7D48199326A6}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\Gerald Wang\Local Settings\Application Data\Identities\{715CEABA-B505-495D-857D-7D48199326A6}\Microsoft\Outlook Express\Gcw12 - Inbox.dbx Object is locked skipped
C:\Documents and Settings\Gerald Wang\Local Settings\Application Data\Identities\{715CEABA-B505-495D-857D-7D48199326A6}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\Gerald Wang\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Gerald Wang\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Gerald Wang\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Gerald Wang\Local Settings\Temp\wr-1-77.exe Infected: Trojan-Downloader.Win32.Small.gks skipped
C:\Documents and Settings\Gerald Wang\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Gerald Wang\Local Settings\Temporary Internet Files\Content.IE5\3H77R1EJ\in[1].htm Infected: Exploit.HTML.IESlice.aj skipped
C:\Documents and Settings\Gerald Wang\Local Settings\Temporary Internet Files\Content.IE5\7QRNXR9U\in[1].htm Infected: Trojan-Clicker.Win32.Agent.lw skipped
C:\Documents and Settings\Gerald Wang\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Gerald Wang\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Gerald Wang\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\RECYCLER\S-1-5-21-390228671-1531695939-3868554017-1003\Dc64.exe/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\RECYCLER\S-1-5-21-390228671-1531695939-3868554017-1003\Dc64.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\RECYCLER\S-1-5-21-390228671-1531695939-3868554017-1003\Dc64.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\RECYCLER\S-1-5-21-390228671-1531695939-3868554017-1003\Dc64.exe NSIS: infected - 3 skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010002.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP35\A0005174.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.sw skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP35\A0005174.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP35\A0005177.exe Infected: not-a-virus:AdWare.Win32.Agent.sw skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP35\A0005179.dll Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP36\A0005292.exe Infected: Trojan-Downloader.Win32.Agent.enr skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP36\A0005364.exe Infected: Trojan-Downloader.Win32.Agent.enr skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP36\A0005365.exe Infected: Trojan-Downloader.Win32.Agent.enr skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP36\A0005395.exe Infected: not-a-virus:AdWare.Win32.Agent.lv skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP36\A0005398.exe Infected: not-a-virus:AdWare.Win32.Agent.lv skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP36\A0005402.exe/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP36\A0005402.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP36\A0005402.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP36\A0005402.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP37\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{BDFB07BD-493D-4625-BFD8-A9004354662D}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINDOWS\system32\drivers\core.sys Object is locked skipped
C:\WINDOWS\system32\e2\caws83122.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\WINDOWS\system32\e2\caws83122.exe NSIS: infected - 1 skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\x22\c124wvr.exe Infected: Trojan-Downloader.Win32.Small.gks skipped
C:\WINDOWS\Temp\Perflib_Perfdata_4d8.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\{00000002-00000000-00000001-00001102-00000004-10071102}.CDF Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Z:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
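The report above mixes three very different kinds of lines: objects the scanner could not open ("Object is locked"), real detections, and archive containers whose inner members were flagged. When triaging a report like this it helps to separate them, split "not-a-virus:" riskware (such as the SmitfraudFix Reboot.exe helper) from actual trojans, and call out hits that live under System Restore, since those only come back if a restore point is used. The following Python is an added example, not part of the forum post or of any Kaspersky tooling; the sample input is a constructed subset of the lines quoted above, and the line format it parses is assumed from those lines only.

```python
import re
from collections import Counter

# Constructed sample: a handful of lines copied from the Kaspersky report above.
SAMPLE_REPORT = r"""
C:\Documents and Settings\Gerald Wang\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Gerald Wang\Desktop\quarantine\fccabba.dll Infected: Trojan-Downloader.Win32.Agent.epy skipped
C:\Documents and Settings\Gerald Wang\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Gerald Wang\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\RECYCLER\S-1-5-21-390228671-1531695939-3868554017-1003\Dc64.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP36\A0005292.exe Infected: Trojan-Downloader.Win32.Agent.enr skipped
C:\WINDOWS\system32\x22\c124wvr.exe Infected: Trojan-Downloader.Win32.Small.gks skipped
"""

# One regex for the three line shapes seen in the report (assumed format):
#   <path> Infected: <detection> skipped
#   <path> Object is locked skipped
#   <path> <ContainerType>: infected - <n> skipped
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<name>\S+)"
    r"|Object is locked"
    r"|(?P<container>\w+): infected - (?P<count>\d+))"
    r" skipped$"
)

RESTORE_MARKER = "\\System Volume Information\\_restore"


def summarize(report_text):
    """Bucket report lines into locked objects, malware, riskware and containers."""
    result = {
        "locked": 0,          # objects the scanner could not open (usually harmless)
        "malware": [],        # (path, detection) for real trojans/exploits
        "riskware": [],       # (path, detection) for not-a-virus:* tools and adware
        "containers": [],     # (path, container type, member hit count)
        "restore_points": [], # infected files sitting inside System Restore
        "unparsed": [],       # anything that did not match the expected format
    }
    for line in report_text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            result["unparsed"].append(line)
            continue
        path = m.group("path")
        if m.group("name"):
            name = m.group("name")
            bucket = "riskware" if name.startswith("not-a-virus:") else "malware"
            result[bucket].append((path, name))
            if RESTORE_MARKER in path:
                result["restore_points"].append(path)
        elif m.group("container"):
            result["containers"].append((path, m.group("container"), int(m.group("count"))))
        else:
            result["locked"] += 1
    return result


def family_counts(summary):
    """Count real detections by family, dropping the variant suffix (.epy, .enr, ...)."""
    families = Counter()
    for _path, name in summary["malware"]:
        family = name.split(":")[-1].rsplit(".", 1)[0]
        families[family] += 1
    return families


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"locked: {s['locked']}, malware: {len(s['malware'])}, "
          f"riskware: {len(s['riskware'])}, containers: {len(s['containers'])}")
    for family, n in family_counts(s).most_common():
        print(f"  {n}x {family}")
    for path in s["restore_points"]:
        print("  in System Restore (do not restore until cleaned):", path)
```

Run it against the full report text instead of the sample and the family counter makes the picture pskelley describes below obvious at a glance: the real hits cluster in a few downloader families, while the RiskTool entries are the fix tool's own helper.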

gcw12
2007-10-30, 18:01
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:47:17 AM, on 10/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {278C5D0A-CBB4-495A-B5FC-4DC1279E85FE} - C:\Program Files\Common Files\hoteC:\WINDOWS\system32\e2\caws83122.exe.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6B9E4C6B-A2D8-4B7D-A948-EAF9D46AF4C6} - C:\WINDOWS\system32\gebyw.dll (file missing)
O2 - BHO: (no name) - {86882CA4-BE70-4BCE-AEA5-CF40EB8E0BC3} - C:\WINDOWS\system32\urqqpop.dll (file missing)
O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - C:\Program Files\ISM\BndDrive5.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166228072906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193296657000
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O20 - Winlogon Notify: urqqpop - urqqpop.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 7715 bytes

pskelley
2007-11-01, 20:42
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Thanks for following the instructions and posting the correct information. This looks like a Vundo infection, not Smitfraud, but let's take a look with Smitfraudfix to be sure that infection is not there as well. First, your version of Smitfraudfix is out of date; delete it completely and download: SmitFraudFix v2.246
From here: http://siri.geekstogo.com/SmitfraudFix.php and then follow these directions.

Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

Since you looked at the Kaspersky report, you will have seen these:
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP35\A0005174.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.sw skipped
There are more and those are infected System Restore files. We will clean those later, but do not use System Restore or the junk will get back on your computer.

I am not sure how much Vundo is left with the way you moved files from the System32 folder, let's do this.

1) see this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\j2re1.4.2\ <<< your Java program is VERY out of date and no doubt the reason you are infected. Download the newest version of Java and then uninstall all old versions in Add Remove Programs.

2) TeaTimer will block changes we must make; use these instructions to turn it off until we are done.
http://russelltexas.com/malware/teatimer.htm

3) AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.

4) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

5) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {278C5D0A-CBB4-495A-B5FC-4DC1279E85FE} - C:\Program Files\Common Files\hoteC:\WINDOWS\system32\e2\caws83122.exe.dll (file missing)
O2 - BHO: (no name) - {6B9E4C6B-A2D8-4B7D-A948-EAF9D46AF4C6} - C:\WINDOWS\system32\gebyw.dll (file missing)
O2 - BHO: (no name) - {86882CA4-BE70-4BCE-AEA5-CF40EB8E0BC3} - C:\WINDOWS\system32\urqqpop.dll (file missing)
O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - C:\Program Files\ISM\BndDrive5.dll (file missing)
O20 - Winlogon Notify: urqqpop - urqqpop.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

7) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\Documents and Settings\Gerald Wang\Desktop\quarantine\ <<< delete the contents of that folder in red

C:\Documents and Settings\Gerald Wang\Local Settings\Temp\ <<< delete the contents of that folder in red

C:\Documents and Settings\Gerald Wang\Local Settings\Temporary Internet Files\ <<< delete the contents of that folder in red

C:\RECYCLER\ <<< empty the Recycle Bin on your Desktop

C:\WINDOWS\system32\e2\ <<< delete that folder

C:\WINDOWS\system32\x22\ <<< delete that folder

8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post the C:\rapport.txt from Smitfraudfix and a new HJT log. Tell how the computer is performing now. Add any comments you think will help.

Thanks
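The five HijackThis lines picked out in step 6 share recognisable traits: each is a BHO or Winlogon Notify registration whose DLL is "(file missing)" (the files the poster moved out of system32), most are unnamed BHOs, and one carries two drive prefixes in a single mangled path. The script below is an added example, not part of the thread or of HijackThis itself; it parses the O2/O4/O20/O23 line shapes (format assumed from the logs above) and applies those heuristics, so an analyst can see why those entries, and not the Adobe or Spybot ones, were selected. The sample is a constructed subset of the first HJT log.

```python
import re

# Constructed sample: a subset of lines copied from the HijackThis log posted above.
SAMPLE_HJT = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {278C5D0A-CBB4-495A-B5FC-4DC1279E85FE} - C:\Program Files\Common Files\hoteC:\WINDOWS\system32\e2\caws83122.exe.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6B9E4C6B-A2D8-4B7D-A948-EAF9D46AF4C6} - C:\WINDOWS\system32\gebyw.dll (file missing)
O2 - BHO: (no name) - {86882CA4-BE70-4BCE-AEA5-CF40EB8E0BC3} - C:\WINDOWS\system32\urqqpop.dll (file missing)
O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - C:\Program Files\ISM\BndDrive5.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: urqqpop - urqqpop.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""

# Every HJT line starts with a section code (R0, O2, O20, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<rest>.*)$")

# Per-section field layouts, assumed from the log lines above.
SUBPARSERS = {
    "O2":  re.compile(r"BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$"),
    "O4":  re.compile(r"(?P<hive>\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<path>.*)$"),
    "O20": re.compile(r"Winlogon Notify: (?P<name>.*?) - (?P<path>.*)$"),
    "O23": re.compile(r"Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$"),
}


def parse_entry(line):
    """Return a dict with type/name/path (and clsid/vendor where present), or None."""
    line = line.strip()
    m = ENTRY_RE.match(line)
    if not m:
        return None
    entry = {"type": m.group("type"), "raw": line, "name": None, "path": None}
    sub = SUBPARSERS.get(entry["type"])
    if sub:
        m2 = sub.match(m.group("rest"))
        if m2:
            entry.update(m2.groupdict())
    return entry


def flags_for(entry):
    """Heuristics that mark an entry as worth a second look; returns the reasons."""
    reasons = []
    path = entry.get("path") or ""
    if "(file missing)" in path:
        reasons.append("file missing: registration points at a file no longer on disk")
    if entry["type"] == "O2" and entry.get("name") == "(no name)":
        reasons.append("unnamed BHO: legitimate add-ons almost always carry a product name")
    if entry["type"] == "O20":
        reasons.append("Winlogon Notify package: loaded into winlogon.exe at logon")
    if path.count(":\\") > 1:
        reasons.append("two drive prefixes in one path: a mangled or concatenated registry value")
    return reasons


def triage(log_text):
    """Parse every line and keep those with at least one flag, as (raw line, reasons)."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        reasons = flags_for(entry)
        if reasons:
            flagged.append((entry["raw"], reasons))
    return flagged


if __name__ == "__main__":
    for raw, reasons in triage(SAMPLE_HJT):
        print(raw)
        for r in reasons:
            print("    ->", r)
```

On the sample the flagged set is exactly the five lines listed in step 6; the Adobe, Spybot, NVIDIA and Ad-Aware entries pass because they are named, present on disk and registered to a known vendor. Orphaned "(file missing)" registrations are harmless by themselves, but leaving them behind keeps the CLSIDs and Winlogon hooks in place for the next dropper to reuse, which is why they are fixed in HJT rather than ignored.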

gcw12
2007-11-01, 21:02
Thank you so much for responding to my help request pskelley!

I am reading your message and following the instructions now.

With regard to uninstalling the old version of Java, I don't see an entry for it in the Add-Remove Programs under the Control Panel. I do see that I have a c:\program files\java\j2re1.4.2\ directory tree. Shall I delete that or is there a better way to uninstall the old version of Java?

pskelley
2007-11-01, 21:06
Best way is Add/Remove Programs; please work through the instructions and post anything you could not complete when you post. I'll look at your uninstall list to see what's there at that point.

Thanks

gcw12
2007-11-01, 21:39
Terrific, your advice seems to have helped my problem with IE windows popping up! Before, the main problem was that I would have a new IE window opening (containing advertisements) intermittently - it seemed to open every time I would click on a new link. In any case, this behavior appears to have stopped now.

One step I was unable to complete was the uninstallation of the old version of Java. It is still on my computer, and I do not know how to uninstall it because it is not listed in the Add/Remove Programs window. Also, I only downloaded (not installed) the latest java version since you did not explicitly say to install it. The file name is jdk-6u3-windows-i586-p.exe.

All the other steps on your instructions I was able to complete.

Finally, I just wanted to note that after I ran ATF-Cleaner, even though the ..\Local Settings\Temporary Internet Files\ folder appeared to have no files, when I checked the Properties of the folder, it indicated that there were 2 files, I believe (totaling around 2 MB). I thought this was strange since I have the folder settings set to display all hidden and system files.

I will post the c:\rapport.txt and new HJT log now. Thanks again!

gcw12
2007-11-01, 21:41
SmitFraudFix v2.246

Scan done at 15:39:50.40, Thu 11/01/2007
Run from C:\Documents and Settings\Gerald Wang\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Gerald Wang


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Gerald Wang\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\GERALD~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: 3Com EtherLink XL 10/100 PCI For Complete PC Management NIC (3C905C-TX) - Packet Scheduler Miniport
DNS Server Search Order: 207.69.188.185
DNS Server Search Order: 207.69.188.186
DNS Server Search Order: 207.69.188.187

HKLM\SYSTEM\CCS\Services\Tcpip\..\{73852387-382A-4F2A-AFC8-C2EBCB32D1AA}: DhcpNameServer=207.69.188.185 207.69.188.186 207.69.188.187
HKLM\SYSTEM\CS1\Services\Tcpip\..\{73852387-382A-4F2A-AFC8-C2EBCB32D1AA}: DhcpNameServer=207.69.188.185 207.69.188.186 207.69.188.187
HKLM\SYSTEM\CS2\Services\Tcpip\..\{73852387-382A-4F2A-AFC8-C2EBCB32D1AA}: DhcpNameServer=207.69.188.185 207.69.188.186 207.69.188.187
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=207.69.188.185 207.69.188.186 207.69.188.187
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=207.69.188.185 207.69.188.186 207.69.188.187
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=207.69.188.185 207.69.188.186 207.69.188.187


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


******************************************

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:40:47 PM, on 11/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\dvd43\dvd43_tray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [dvd43] C:\Program Files\dvd43\dvd43_tray.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab55579.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab55579.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab55579.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1166228072906
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193296657000
O16 - DPF: {A4110378-789B-455F-AE86-3A1BFC402853} (ZPA_SHVL Object) - http://zone.msn.com/bingame/zpagames/zpa_shvl.cab55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab56649.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/StProxy.cab55579.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS

--
End of file - 6622 bytes

pskelley
2007-11-01, 22:28
Thanks for the feedback. I am not quite sure what to do with the old version of Java; you may need to contact Java support concerning that issue. Install the newest version, and let me see your uninstall list like this:

Open HijackThis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)

The Smitfraudfix report is clean, remove that program completely from your computer.

Kaspersky will tell us if any malware is hiding in the Temp or TIF files. First I would like a look at the scan results from AVG Anti-Spyware 7.5. Update the program and run a complete system scan, make sure you delete or at least quarantine anything it locates and save the scan report to post.

Your HJT log looks good. Post the uninstall list and the AVG Anti-Spyware scan results.

Thanks

gcw12
2007-11-02, 02:05
Thanks again for all your help - you guys do great work here.

With regard to uninstalling the old Java, I think I know what the problem is. First, I goofed and realized the old Java is on the add/remove interface. When I tried to uninstall, Windows indicated that it needs the location for an old .msi file for the old Java. I don't have this file, so I am unable to uninstall it.

I believe the problem is that I got this computer from my workplace, which was giving away older computers. I believe they probably installed the old version of Java off some network location which I don't have access to currently; I suppose I will have to figure out how to get rid of this old version of Java somehow.

In any case, here are the AVG report and the uninstall lists. AVG caught some red items in the system restore information like you said.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 8:00:07 PM 11/1/2007

+ Scan result:



C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP37\A0005862.exe -> Backdoor.DSNX.05.a : Cleaned.
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP37\A0005927.sys -> Rootkit.Agent.eq : Cleaned.
C:\Documents and Settings\Gerald Wang\Cookies\gerald_wang@2o7[2].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Gerald Wang\Cookies\gerald_wang@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Gerald Wang\Cookies\gerald_wang@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Gerald Wang\Cookies\gerald_wang@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Gerald Wang\Cookies\gerald_wang@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Gerald Wang\Cookies\gerald_wang@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Gerald Wang\Cookies\gerald_wang@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Gerald Wang\Cookies\gerald_wang@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.


::Report end

*******************************
Uninstall list:

ACDSee 32
Ad-Aware 2007
Adobe Flash Player 9 ActiveX
Adobe Photoshop 7.0
Adobe Reader 8.1.1
Apple Software Update
avast! Antivirus
AVG Anti-Spyware 7.5
Creative Audio Console
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
DVD43 v3.9.0
Easy CD-DA Extractor 4.6.1
HijackThis 2.0.2
InterVideo WinDVD 4
Java 2 Runtime Environment, SE v1.4.2
Java(TM) 6 Update 3
Java(TM) SE Development Kit 6 Update 3
Kaspersky Online Scanner
Microsoft .NET Framework 2.0
Microsoft .NET Framework 3.0
Microsoft .NET Framework 3.0
Microsoft Base Smart Card Cryptographic Service Provider Package
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft User-Mode Driver Framework Feature Pack 1.0
MSXML 6.0 Parser (KB933579)
Nero 6 Ultra Edition
NVIDIA Drivers
QuickTime
Shareaza version 2.2.5.0
Sound Blaster Audigy 2
Spy Sweeper
Spybot - Search & Destroy
Winamp
Windows Communication Foundation
Windows Imaging Component
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows Presentation Foundation
Windows Workflow Foundation
Windows XP Service Pack 2

pskelley
2007-11-02, 02:22
Thanks for that feedback. You can see that old Java in your uninstall list:
Java 2 Runtime Environment, SE v1.4.2
Let me show you how easily hackers can exploit that old program:
http://www.theregister.com/2007/05/11/google_malware_map/
http://redtape.msnbc.com/2007/05/the_next_net_th.html

When I tried to uninstall, Windows indicated that it needs the location for an old .msi file for the old Java.
Try running System File Checker, it may replace that file for you.
http://dwightblackburn.com/winxp/
If that does not work, you may be able to download that file, but I need the exact name to search for it or the exact error message you are receiving, "word for word".
http://www.google.com/search?hl=en&q=.msi+file&btnG=Search

We may be able to delete the old program but I would prefer to exhaust all other ways first.

Time for a Kaspersky scan to make sure nothing else is hiding, post those results unless they are clean.

Thanks

gcw12
2007-11-02, 02:31
I did some serious digging around at the Sun Java site, and found the .msi file that I needed! :) Removed the old Java using the Windows add/remove interface and I think it should be gone now.

Let me follow your instructions, and I will post the results shortly. Thank you!

gcw12
2007-11-02, 16:15
Looks like there may still be some stuff lurking around.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, November 02, 2007 10:12:23 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/11/2007
Kaspersky Anti-Virus database records: 449967
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
F:\
G:\
Z:\

Scan Statistics:
Total number of scanned objects: 541937
Number of viruses found: 15
Number of infected objects: 43
Number of suspicious objects: 0
Duration of the scan process: 06:37:25

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Gerald Wang\Application Data\Mozilla\Firefox\Profiles\t8v3wlm1.default\cert8.db Object is locked skipped
C:\Documents and Settings\Gerald Wang\Application Data\Mozilla\Firefox\Profiles\t8v3wlm1.default\history.dat Object is locked skipped
C:\Documents and Settings\Gerald Wang\Application Data\Mozilla\Firefox\Profiles\t8v3wlm1.default\key3.db Object is locked skipped
C:\Documents and Settings\Gerald Wang\Application Data\Mozilla\Firefox\Profiles\t8v3wlm1.default\parent.lock Object is locked skipped
C:\Documents and Settings\Gerald Wang\Application Data\Mozilla\Firefox\Profiles\t8v3wlm1.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Gerald Wang\Application Data\Mozilla\Firefox\Profiles\t8v3wlm1.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Gerald Wang\Application Data\Mozilla\Firefox\Profiles\t8v3wlm1.default\webappsstore.sqlite Object is locked skipped
C:\Documents and Settings\Gerald Wang\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Gerald Wang\Local Settings\Application Data\Identities\{715CEABA-B505-495D-857D-7D48199326A6}\Microsoft\Outlook Express\Gcw12 - Inbox.dbx/[From <service@paypal.com>][Date Sat, 20 Mar 2004 03:31:04 -0500]/html Infected: Trojan-Spy.HTML.Paylap.g skipped
C:\Documents and Settings\Gerald Wang\Local Settings\Application Data\Identities\{715CEABA-B505-495D-857D-7D48199326A6}\Microsoft\Outlook Express\Gcw12 - Inbox.dbx Mail MS Outlook 5: infected - 1 skipped
C:\Documents and Settings\Gerald Wang\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Gerald Wang\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Gerald Wang\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Gerald Wang\Local Settings\Application Data\Mozilla\Firefox\Profiles\t8v3wlm1.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Gerald Wang\Local Settings\Application Data\Mozilla\Firefox\Profiles\t8v3wlm1.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Gerald Wang\Local Settings\Application Data\Mozilla\Firefox\Profiles\t8v3wlm1.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Gerald Wang\Local Settings\Application Data\Mozilla\Firefox\Profiles\t8v3wlm1.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Gerald Wang\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Gerald Wang\Local Settings\History\History.IE5\MSHist012007110120071102\index.dat Object is locked skipped
C:\Documents and Settings\Gerald Wang\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Gerald Wang\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Gerald Wang\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Gerald Wang\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\RECYCLER\S-1-5-21-390228671-1531695939-3868554017-1003\Dc1\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\RECYCLER\S-1-5-21-390228671-1531695939-3868554017-1003\Dc2.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\RECYCLER\S-1-5-21-390228671-1531695939-3868554017-1003\Dc2.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\RECYCLER\S-1-5-21-390228671-1531695939-3868554017-1003\Dc2.exe RarSFX: infected - 2 skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010001.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.001 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.001 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP35\A0005174.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.sw skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP35\A0005174.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP35\A0005177.exe Infected: not-a-virus:AdWare.Win32.Agent.sw skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP35\A0005179.dll Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP36\A0005292.exe Infected: Trojan-Downloader.Win32.Agent.enr skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP36\A0005364.exe Infected: Trojan-Downloader.Win32.Agent.enr skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP36\A0005365.exe Infected: Trojan-Downloader.Win32.Agent.enr skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP36\A0005376.exe Infected: not-a-virus:AdWare.Win32.Agent.tb skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP36\A0005377.exe Infected: not-a-virus:AdWare.Win32.Agent.ta skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP36\A0005395.exe Infected: not-a-virus:AdWare.Win32.Agent.lv skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP36\A0005398.exe Infected: not-a-virus:AdWare.Win32.Agent.lv skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP36\A0005402.exe/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP36\A0005402.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP36\A0005402.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP36\A0005402.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP36\A0005403.exe Infected: Trojan-Downloader.Win32.Agent.erf skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP36\A0005447.dll Infected: not-a-virus:AdWare.Win32.Agent.ta skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP39\A0006056.exe/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP39\A0006056.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP39\A0006056.exe/stream Infected: not-a-virus:AdWare.Win32.AdBand.a skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP39\A0006056.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP39\A0006057.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP39\A0006057.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP39\A0006057.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP39\A0006059.dll Infected: Trojan-Downloader.Win32.Agent.epy skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP39\A0006060.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP39\A0006061.dll Infected: Trojan-Downloader.Win32.Agent.epy skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP39\A0006068.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP39\A0006081.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP39\A0006081.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP39\A0006082.exe Infected: Trojan-Downloader.Win32.Small.gks skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP39\A0006083.exe Infected: Trojan-Downloader.Win32.Small.gks skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP39\A0006084.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP39\A0006084.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP49\change.log Object is locked skipped
C:\WINDOWS\b122.exe Infected: Trojan-Downloader.Win32.Agent.erf skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\Mz02r\Mz02r1065.exe Infected: Trojan-Downloader.Win32.VB.bqc skipped
C:\WINDOWS\system32\Mz08r\Mz08r1099.exe Infected: Trojan-Downloader.Win32.VB.bqc skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_4c8.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\{00000002-00000000-00000001-00001102-00000004-10071102}.CDF Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP49\change.log Object is locked skipped
Z:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

pskelley
2007-11-02, 16:26
KASPERSKY ONLINE SCANNER REPORT Friday, November 02, 2007 10:12:23 AM

Hi Gerald, let's have a look:

You still show infected email; you really need to clean all stored email!
C:\Documents and Settings\Gerald Wang\Local Settings\Application Data\Identities\{715CEABA-B505-495D-857D-7D48199326A6}\Microsoft\Outlook Express\Gcw12 - Inbox.dbx/[From <service@paypal.com>][Date Sat, 20 Mar 2004 03:31:04 -0500]/html Infected: Trojan-Spy.HTML.Paylap.g skipped
C:\Documents and Settings\Gerald Wang\Local Settings\Application Data\Identities\{715CEABA-B505-495D-857D-7D48199326A6}\Microsoft\Outlook Express\Gcw12 - Inbox.dbx Mail MS Outlook 5: infected - 1 skipped

C:\RECYCLER\ <<< this is the Recycle Bin on your Desktop; right-click it and choose "Empty Recycle Bin", then YES

C:\WINDOWS\system32\Mz02r\ <<< delete that folder

C:\WINDOWS\system32\Mz08r\ <<< delete that folder

Empty the Recycle Bin again, then restart the computer. The rest are in infected System Restore files; see this:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Run a new scan which should be clean if you followed instructions.

Thanks
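
The sorting this reply does by hand (live files to delete, items already in the Recycle Bin, an infected message inside a mail store, and copies held in System Restore points) can be automated. The following is an added Python example, not code from this thread or from Kaspersky. It parses the three line shapes the Kaspersky Online Scanner report uses ("Object is locked skipped", "Infected: <name> skipped", and a container summary such as "NSIS: infected - 3 skipped"), collapses nested archive and mail entries onto the one on-disk file that can actually be acted on, and groups the result by the location that decides the cleanup step. The sample report lines are constructed to mirror the format seen in the thread; the user name, GUID and SID in them are placeholders, and the category names and the actions mapped to them are this example's own.

```python
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample lines in the format of a Kaspersky Online Scanner 5.x report
# (user name, GUID and SID are placeholders, not values from a real machine).
SAMPLE_REPORT = """\
C:\\Documents and Settings\\User\\Cookies\\index.dat Object is locked skipped
C:\\Documents and Settings\\User\\Local Settings\\Application Data\\Identities\\{GUID}\\Microsoft\\Outlook Express\\Inbox.dbx/[From <service@example.com>][Date Sat, 20 Mar 2004 03:31:04 -0500]/html Infected: Trojan-Spy.HTML.Paylap.g skipped
C:\\Documents and Settings\\User\\Local Settings\\Application Data\\Identities\\{GUID}\\Microsoft\\Outlook Express\\Inbox.dbx Mail MS Outlook 5: infected - 1 skipped
C:\\RECYCLER\\S-1-5-21-0-0-0-1003\\Dc2.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\\RECYCLER\\S-1-5-21-0-0-0-1003\\Dc2.exe RarSFX: infected - 2 skipped
C:\\System Volume Information\\_restore{GUID}\\RP36\\A0005292.exe Infected: Trojan-Downloader.Win32.Agent.enr skipped
C:\\System Volume Information\\_restore{GUID}\\RP39\\A0006056.exe NSIS: infected - 3 skipped
C:\\WINDOWS\\b122.exe Infected: Trojan-Downloader.Win32.Agent.erf skipped
C:\\WINDOWS\\system32\\Mz02r\\Mz02r1065.exe Infected: Trojan-Downloader.Win32.VB.bqc skipped
"""

# The three line shapes the report uses for its "Last Action" column.
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<kind>[\w ]+): infected - (?P<count>\d+) skipped$")

# Category names are this example's own; the action text follows the advice given in the thread.
ACTIONS = {
    "live_file": "delete or quarantine the file/folder, then empty the Recycle Bin",
    "recycle_bin": "empty the Recycle Bin",
    "mail_store": "delete the flagged message in the mail client (clean stored email)",
    "system_restore": "purge restore points: turn System Restore off, reboot, turn it back on",
}


@dataclass
class Finding:
    path: str       # object path as printed; embedded objects are separated by '/'
    detection: str  # signature name, or a container summary


def top_level_file(path: str) -> str:
    """The report writes embedded objects as outer_file/inner_object; only the
    part before the first '/' exists on disk and can be deleted or quarantined."""
    return path.split("/", 1)[0]


def classify(path: str) -> str:
    """Bucket an on-disk path by the location that decides how it is cleaned."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "system_restore"
    if "\\recycler\\" in p:
        return "recycle_bin"
    if p.endswith(".dbx"):  # Outlook Express folder store
        return "mail_store"
    return "live_file"


def parse_report(text: str) -> list[Finding]:
    """Keep only detections; a file skipped because it was locked is not one."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or LOCKED_RE.match(line):
            continue
        m = INFECTED_RE.match(line)
        if m:
            findings.append(Finding(m["path"], m["name"]))
            continue
        m = CONTAINER_RE.match(line)
        if m:
            findings.append(Finding(m["path"], f"{m['kind']} container, {m['count']} infected"))
    return findings


def triage(text: str) -> dict[str, dict[str, list[str]]]:
    """Group detections by cleanup category and then by on-disk file, so nested
    archive members, mail messages and their container summary line all land on
    the single file the user can act on."""
    groups: dict[str, dict[str, list[str]]] = defaultdict(lambda: defaultdict(list))
    for f in parse_report(text):
        top = top_level_file(f.path)
        groups[classify(top)][top].append(f.detection)
    return {cat: dict(sorted(files.items())) for cat, files in groups.items()}


def cleanup_plan(text: str) -> list[str]:
    """Checklist in the order the thread's helper used: live files first, then
    the Recycle Bin, stored email, and finally System Restore."""
    plan = []
    groups = triage(text)
    for cat in ("live_file", "recycle_bin", "mail_store", "system_restore"):
        for path, detections in groups.get(cat, {}).items():
            plan.append(f"{path}: {', '.join(detections)} -> {ACTIONS[cat]}")
    return plan


if __name__ == "__main__":
    for step in cleanup_plan(SAMPLE_REPORT):
        print(step)
```

Locked-file lines are dropped on purpose: almost every "Object is locked skipped" entry in the reports above is a registry hive, an index.dat, or a log that was open at scan time, not a detection. Detection names are kept verbatim from the report because prefixes such as `not-a-virus:` (the SmitfraudFix reboot helper, adware) carry a different risk than `Trojan-Downloader` entries and should not be flattened away when deciding what to act on first.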

gcw12
2007-11-02, 18:05
Hello again - I think we are getting close :)
Looks like there is just one entry left in the Windows directory?

Here is the latest Kaspersky log.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, November 02, 2007 12:03:13 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/11/2007
Kaspersky Anti-Virus database records: 450444
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 49166
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 00:46:33

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Gerald Wang\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Gerald Wang\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Gerald Wang\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Gerald Wang\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Gerald Wang\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Gerald Wang\Local Settings\History\History.IE5\MSHist012007110220071103\index.dat Object is locked skipped
C:\Documents and Settings\Gerald Wang\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Gerald Wang\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Gerald Wang\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Gerald Wang\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010002.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP1\change.log Object is locked skipped
C:\WINDOWS\b122.exe Infected: Trojan-Downloader.Win32.Agent.erf skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{A17F7415-A47C-44CB-B5A6-EC0278918995}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_4cc.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\{00000002-00000000-00000001-00001102-00000004-10071102}.CDF Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

pskelley
2007-11-02, 18:17
KASPERSKY ONLINE SCANNER REPORT
Friday, November 02, 2007 12:03:13 PM

C:\WINDOWS\b122.exe Infected: Trojan-Downloader.Win32.Agent.erf skipped
delete the file in red
Thanks
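The report above has dozens of result lines, but only one is a detection; the rest are "Object is locked skipped" entries, which just mean the scanner could not open a file that was in use (registry hives, event logs, index.dat caches), not that anything was found. As an added example (not part of this thread and not Kaspersky's or Spybot's code), the following Python filters a Kaspersky Online Scanner 5.x report into real "Infected:" entries versus locked-object noise, flags entries that sit under a System Restore point, and cross-checks the parsed count against the report's own "Number of infected objects" statistic. The sample report embedded in it is a constructed, trimmed copy of the format posted above; the regexes assume the single-token "skipped" action shown in these reports.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Two line shapes appear under "Infected Object Name / Virus Name / Last Action"
# in the Kaspersky Online Scanner 5.x reports posted in this thread:
#   "<path> Object is locked skipped"             -> could not be opened, NOT a detection
#   "<path> Infected: <detection name> skipped"   -> an actual detection
# Paths contain spaces, so the path group is non-greedy and the known suffix anchors it.
INFECTED_RE = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<name>\S+)\s+(?P<action>\S+)$")
LOCKED_RE = re.compile(r"^(?P<path>.+?)\s+Object is locked\s+(?P<action>\S+)$")
DECLARED_RE = re.compile(r"^Number of infected objects:\s*(\d+)\s*$", re.MULTILINE)


@dataclass
class Entry:
    path: str
    detection: Optional[str]   # None for locked objects that were never scanned
    action: str
    in_restore_point: bool     # lives under System Volume Information\_restore


def _in_restore_point(path: str) -> bool:
    return "\\System Volume Information\\_restore" in path


def parse_report(text: str) -> List[Entry]:
    """Return one Entry per result line; header and statistics lines are ignored."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = INFECTED_RE.match(line)
        if m:
            entries.append(Entry(m["path"], m["name"], m["action"], _in_restore_point(m["path"])))
            continue
        m = LOCKED_RE.match(line)
        if m:
            entries.append(Entry(m["path"], None, m["action"], _in_restore_point(m["path"])))
    return entries


def summarize(text: str) -> Dict[str, object]:
    """Separate real detections from locked-object noise and cross-check the report's own count."""
    entries = parse_report(text)
    infected = [e for e in entries if e.detection is not None]
    locked = [e for e in entries if e.detection is None]
    declared = DECLARED_RE.search(text)
    declared_count = int(declared.group(1)) if declared else None
    return {
        "total": len(entries),
        "infected": len(infected),
        "locked": len(locked),
        "in_restore_points": sum(1 for e in entries if e.in_restore_point),
        "infected_paths": [e.path for e in infected],
        "detections": {e.path: e.detection for e in infected},
        "declared_infected": declared_count,
        "stats_match": declared_count == len(infected),
    }


# Constructed sample: a trimmed copy of the report format posted above (not the full log).
SAMPLE_REPORT = r"""
Scan Statistics:
Total number of scanned objects: 49166
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Gerald Wang\Cookies\index.dat Object is locked skipped
C:\System Volume Information\_restore{33FD9BA1-06C8-43B5-B9DE-01EB2D187D1E}\RP1\change.log Object is locked skipped
C:\WINDOWS\b122.exe Infected: Trojan-Downloader.Win32.Agent.erf skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped

Scan process completed.
"""

if __name__ == "__main__":
    result = summarize(SAMPLE_REPORT)
    for path, name in result["detections"].items():
        print(f"DETECTION  {name:45s} {path}")
    print(f"{result['locked']} locked objects skipped (not detections); "
          f"report statistics consistent: {result['stats_match']}")
```

Run it on a saved report (paste the text into `SAMPLE_REPORT` or read a file into `summarize`) and the only path it prints as a detection is the one a helper would ask you to delete; the `stats_match` flag catches a report where the statistics block and the result lines disagree, which is worth a second look before acting on either. Entries flagged `in_restore_point` are old restore-point copies, which is why the thread's earlier instructions cover turning System Restore off and back on rather than deleting those files by hand.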

gcw12
2007-11-03, 06:12
Okay deleted! Thanks again so much for your help!!

pskelley
2007-11-03, 13:46
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.