Multiple Infections



dngerus00
2007-11-07, 19:39
My boss's computer barely runs and is full of spyware. I keep getting a window stating "The operation has been cancelled due to restrictions on your computer".

Your help is greatly appreciated.....Here are the logs.

Tuesday, October 30, 2007 3:30:11 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/10/2007
Kaspersky Anti-Virus database records: 448912


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics
Total number of scanned objects 56754
Number of viruses found 14
Number of infected objects 29
Number of suspicious objects 0
Duration of the scan process 00:34:22

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped

C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped

C:\Documents and Settings\Jarod\Application Data\Spyware Terminator\info.htm Object is locked skipped

C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped

C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped

C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped

C:\syscfyi.exe Infected: Trojan-Dropper.Win32.Agent.bgh skipped

C:\sysezzn.exe Infected: Trojan-Dropper.Win32.Agent.bgh skipped

C:\syslqcc.exe Infected: Trojan-Dropper.Win32.Agent.bgh skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{400587B0-8271-42FB-9D8B-7E2D9247E9C7}\RP386\A0013515.dll Infected: not-a-virus:FraudTool.Win32.WinAntiVirus.2006 skipped

C:\System Volume Information\_restore{400587B0-8271-42FB-9D8B-7E2D9247E9C7}\RP418\A0015146.sys Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped

C:\System Volume Information\_restore{400587B0-8271-42FB-9D8B-7E2D9247E9C7}\RP418\A0015159.sys Infected: not-a-virus:FraudTool.Win32.BestSeller.a skipped

C:\System Volume Information\_restore{E81AFB17-12EF-4B59-87CA-EE04ADD99F7A}\RP47\A0005447.exe Infected: Trojan-Downloader.Win32.Agent.djj skipped

C:\System Volume Information\_restore{E81AFB17-12EF-4B59-87CA-EE04ADD99F7A}\RP48\A0006444.exe Infected: Trojan-Spy.Win32.Zbot.h skipped

C:\System Volume Information\_restore{E81AFB17-12EF-4B59-87CA-EE04ADD99F7A}\RP48\A0006445.dll Infected: not-a-virus:AdWare.Win32.AdBand.c skipped

C:\syswmeq.exe Infected: Trojan-Dropper.Win32.Agent.bgh skipped

C:\WINDOWS\Debug\oakley.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{49F6AE41-AF2B-487E-88AF-425282D78E12}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\system32\clcl16.exe Infected: Trojan.Win32.Agent.cks skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\gmnspbnw.dll Infected: Trojan.Win32.BHO.hj skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\nqvleoch.dll Infected: Trojan.Win32.BHO.hj skipped

C:\WINDOWS\system32\Q2\mon33dll.exe/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped

C:\WINDOWS\system32\Q2\mon33dll.exe/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.c skipped

C:\WINDOWS\system32\Q2\mon33dll.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Agent.jn skipped

C:\WINDOWS\system32\Q2\mon33dll.exe/stream Infected: not-a-virus:AdWare.Win32.Agent.jn skipped

C:\WINDOWS\system32\Q2\mon33dll.exe NSIS: infected - 4 skipped

C:\WINDOWS\system32\ratwlkty.dll Infected: Trojan.Win32.BHO.hj skipped

C:\WINDOWS\system32\rdswktev.dll Infected: Trojan.Win32.BHO.hj skipped

C:\WINDOWS\system32\sqnuavji.dll Infected: Trojan.Win32.BHO.hj skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wifkrxfd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.acx skipped

C:\WINDOWS\system32\wyqqxmlg.dll Infected: Trojan.Win32.BHO.hj skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

C:\WINDOWS\xlavba3.exe Infected: Trojan-Downloader.Win32.Wixud.g skipped

C:\WINDOWS\xlavra2.exe Infected: Trojan-Downloader.Win32.Agent.dyn skipped

Scan process completed.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:38:21 PM, on 11/7/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193154754250
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

--
End of file - 3235 bytes


Thanks for your help! You guys are wonderful!!! :crowned:

pskelley
2007-11-07, 23:40
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Thanks for returning the correct information, we have issues before we can start. You are infected, this will take some work and time. I need to make sure you have read and understand this:
Note:
When the infected computer in question is a company machine in the workplace and you are an employee, your organization must give its permission for assistance to be received in the removal of malware. The intention of this forum is not to replace a company's IT department.
More than one machine could be at stake, possibly even the server. If sensitive material has been compromised by an infection, the company could be held liable.
Please inform your IT department or Supervisor when a workplace computer has been infected, immediately.
Thank you for your understanding.

1) You are running MSConfig in Selective Startup mode. Here is a tutorial:
http://www.netsquirrel.com/msconfig/msconfig_xp.html
Return MSConfig to Normal mode and create a HJT log so I can see everything running, then you may return to Selective Startup to save your resources.

2) Boot mode: Safe mode with network support <<< you posted this HJT log in safe mode, post logs in normal mode unless I request otherwise.

3) Can you tell me why only Service Pack #1 is installed on this computer? DO NOT update it until I am sure you are clean.

4) Thanks to andymanchesta and anyone else who helped with the fix.

Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.
Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

Thanks
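An added triage script (not code from this thread, Trend Micro or Safer Networking) that applies the first checks pskelley makes above to a pasted HijackThis log: whether the log was taken in Safe Mode and whether the O4 MSConfig.exe /auto entry shows Selective Startup. The sample log is constructed from lines posted in this thread; treating a service pack below 2 as worth a question is this example's own assumption.

```python
"""Triage a HijackThis v2 log the way a forum helper does before reading it by hand.

Added example, not code from this thread, Trend Micro or Safer Networking. It parses
the header, the "Running processes" block and the numbered entry lines (F2, O2, O4, ...)
and flags the conditions pskelley raises: a log taken in Safe Mode and the O4
MSConfig.exe /auto entry that means Selective Startup. Flagging a service pack
below 2 is this example's own assumption, not something the helper states.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: an abridged copy of the first HJT log posted in the thread.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:38:21 PM, on 11/7/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode with network support

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

--
End of file - 3235 bytes
"""

# Entry lines look like "O4 - HKLM\..\Run: [...] ..." or "F2 - REG:system.ini: ...".
ENTRY_RE = re.compile(r"^([FNOR]\d+)\s+-\s+(.*)$")


@dataclass
class HjtLog:
    platform: str = ""
    boot_mode: str = ""
    processes: list = field(default_factory=list)
    entries: dict = field(default_factory=dict)  # section code -> list of entry text


def parse_hjt(text):
    """Split an HJT log into header fields, running processes and per-section entries."""
    log = HjtLog()
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # the process block ends at the first blank line
            continue
        if line.startswith("Platform:"):
            log.platform = line.split(":", 1)[1].strip()
        elif line.startswith("Boot mode:"):
            log.boot_mode = line.split(":", 1)[1].strip()
        elif line == "Running processes:":
            in_processes = True
        elif in_processes:
            log.processes.append(line)
        else:
            m = ENTRY_RE.match(line)
            if m:
                log.entries.setdefault(m.group(1), []).append(m.group(2))
    return log


def triage(log):
    """Return (code, message) findings that must be resolved before the log is useful."""
    findings = []
    if log.boot_mode.lower() != "normal":
        findings.append(("SAFE_MODE",
                         f"log taken in '{log.boot_mode or 'unknown'}' boot mode: services and "
                         "startup items are not loaded, so the log is incomplete; re-run in Normal mode"))
    for entry in log.entries.get("O4", []):
        if "msconfig.exe" in entry.lower() and "/auto" in entry.lower():
            findings.append(("SELECTIVE_STARTUP",
                             "MSConfig /auto autorun present: Selective Startup hides disabled "
                             "items; return MSConfig to Normal mode and rescan"))
            break
    m = re.search(r"\bSP(\d+)\b", log.platform)
    if m and int(m.group(1)) < 2:  # threshold assumed by this example
        findings.append(("SERVICE_PACK",
                         f"platform reports {log.platform}: ask why updates are behind, "
                         "but do not update until the machine is clean"))
    return findings


def triage_text(text):
    """Parse and triage pasted log text in one call."""
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for code, msg in triage_text(SAMPLE_LOG):
        print(f"[{code}] {msg}")
```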

dngerus00
2007-11-08, 00:12
I am not sure why only Service Pack #1 is installed. The computer was recently upgraded to Windows XP Professional.

Here are the new logs:


SDFix: Version 1.114

Run by Jarod on Wed 11/07/2007 at 05:01 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\sdfix\SDFix

Safe Mode:
Checking Services:

Name:
Microsoft Internet Explorer

Path:
C:\WINDOWS\System32\_svchost.exe -A

Microsoft Internet Explorer - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Resetting AppInit_DLLs value


Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\Desktop\WinAntiSpyware 2007.lnk - Deleted
C:\wintemp.log - Deleted
C:\WINDOWS\System32KBRunOnce2.tm_ - Deleted
C:\WINDOWS\System32KBRunOnce2.t__ - Deleted
C:\WINDOWS\system32\KBRunOnce2.t__ - Deleted
C:\WINDOWS\system32\n.ini - Deleted
C:\WINDOWS\system32\RunOnce3.t__ - Deleted
C:\WINDOWS\system32\RunOnce3.tmp - Deleted
C:\WINDOWS\system32\sulimo.dat - Deleted
C:\WINDOWS\xlavba3.exe - Deleted
C:\WINDOWS\system32\drivers\asc3550u.sys - Deleted


Folder C:\Documents and Settings\All Users.WINDOWS\Documents\Settings - Removed

Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1253 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-07 17:04:53
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

Remaining Files:
---------------

File Backups: - C:\sdfix\SDFix\backups\backups.zip

Files with Hidden Attributes:

Mon 1 Oct 2007 1,980,546 A.SH. --- "C:\WINDOWS\system32\gfhkj.tmp"
Mon 1 Oct 2007 1,979,005 ..SH. --- "C:\WINDOWS\system32\gfhkj.bak1"
Mon 22 Oct 2007 614,016 ..SH. --- "C:\WINDOWS\system32\gfhkj.bak2"
Fri 10 Aug 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\6f0fd10fc234123bcdf54ebca4b84cbd\BIT1C.tmp"
Fri 10 Aug 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\c23140ab2b4cffaee396a230df8b1229\BIT1D.tmp"

Finished!



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:10:21 PM, on 11/7/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
O4 - HKLM\..\Run: [HPWQTOOLBOX] C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe "-i"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [dnse] "C:\Program Files\Common Files\Update\dnse.exe" -c -product=was
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193154754250
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 3978 bytes

dngerus00
2007-11-08, 00:13
triplicate posts

dngerus00
2007-11-08, 00:13
triplicate post

pskelley
2007-11-08, 01:06
I will start by removing two of the three posts you made since they are triplicate. When you upload, click only once.

You have no antivirus program running on this computer. Here are three free good programs, choose ONLY one, install, update and run a complete system scan. Let me know about anything it finds and cannot delete or quarantine.
http://free.grisoft.com/freeweb.php/doc/2/
http://www.avast.com/eng/avast_4_home.html
http://www.free-av.com/

When that is completed, then follow these instructions.

Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks

dngerus00
2007-11-08, 18:43
Here are my latest logs you requested. Thanks!

ComboFix 07-11-08.1 - Jarod 2007-11-08 11:34:21.1 - NTFSx86
Running from: C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Documents and Settings\All Users.WINDOWS\Application Data.\winantispyware 2007
C:\Documents and Settings\All Users.WINDOWS\Application Data.\winantispyware 2007\Data\Abbr
C:\Documents and Settings\All Users.WINDOWS\Application Data.\winantispyware 2007\Data\ProductCode
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinAntiSpyware 2007\Data\Abbr
C:\Documents and Settings\All Users.WINDOWS\Application Data\WinAntiSpyware 2007\Data\ProductCode
C:\Documents and Settings\Backup\Application Data\DriveCleaner
C:\Documents and Settings\Backup\Application Data\DriveCleaner\Logs\update.log
C:\Documents and Settings\Backup\err.log
C:\Documents and Settings\Backup\ResErrors.log
C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\Local Settings\Application Data.\n.ini
C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\Local Settings\Application Data\n.ini
C:\Documents and Settings\Jarod\Application Data\DriveCleaner 2006 Free
C:\Documents and Settings\Jarod\Application Data\DriveCleaner 2006 Free\Logs\update.log
C:\Documents and Settings\Jarod\Application Data\DriveCleaner Free
C:\Documents and Settings\Jarod\Application Data\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\Jarod\Application Data\DriveCleaner
C:\Documents and Settings\Jarod\Application Data\DriveCleaner\activator_info.txt
C:\Documents and Settings\Jarod\Application Data\DriveCleaner\Logs\Activate.log
C:\Documents and Settings\Jarod\Application Data\DriveCleaner\Logs\update.log
C:\Documents and Settings\Jarod\Application Data\WinAntiVirus Pro 2007
C:\Documents and Settings\Jarod\Application Data\WinAntiVirus Pro 2007\activator_info.txt
C:\Documents and Settings\Jarod\Application Data\WinAntiVirus Pro 2007\AVScheduler.dat
C:\Documents and Settings\Jarod\Application Data\WinAntiVirus Pro 2007\avtasks.dat
C:\Documents and Settings\Jarod\Application Data\WinAntiVirus Pro 2007\history.db
C:\Documents and Settings\Jarod\Application Data\WinAntiVirus Pro 2007\Logs\Activate.log
C:\Documents and Settings\Jarod\Application Data\WinAntiVirus Pro 2007\Logs\incmp.log
C:\Documents and Settings\Jarod\Application Data\WinAntiVirus Pro 2007\Logs\trfilter.log
C:\Documents and Settings\Jarod\Application Data\WinAntiVirus Pro 2007\Logs\update.log
C:\Documents and Settings\Jarod\Application Data\WinAntiVirus Pro 2007\Logs\wa7Support.log
C:\Documents and Settings\Jarod\Application Data\WinAntiVirus Pro 2007\Logs\winav.log
C:\Documents and Settings\Jarod\Application Data\WinAntiVirus Pro 2007\PGE.dat
C:\Documents and Settings\Jarod\err.log
C:\Documents and Settings\Jarod\ResErrors.log
C:\Program Files\ISM
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\_000102_.tmp.dll
C:\WINDOWS\system32\A1
C:\WINDOWS\system32\f02WtR
C:\WINDOWS\system32\gfhkj.bak1
C:\WINDOWS\system32\gfhkj.bak2
C:\WINDOWS\system32\gfhkj.ini
C:\WINDOWS\system32\gfhkj.ini2
C:\WINDOWS\system32\gfhkj.tmp
C:\WINDOWS\system32\H2
C:\WINDOWS\system32\Q2
C:\WINDOWS\system32\wifkrxfd.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_ASC3550U
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_POOF
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\LEGACY_SMTPDRV
-------\LEGACY_SYMAVC32


((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
.

2007-11-08 11:32 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-08 10:21 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-11-08 10:18 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-11-08 10:18 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-11-08 10:18 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-11-08 10:18 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-11-08 10:18 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-11-08 10:17 <DIR> d-------- C:\Program Files\Alwil Software
2007-11-08 10:17 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-11-07 17:00 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-07 11:57 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2007-10-30 15:43 <DIR> d-------- C:\Program Files\Panda Security
2007-10-30 15:32 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-10-30 14:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-30 14:42 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2007-10-29 16:21 <DIR> d-------- C:\Drawings
2007-10-29 15:19 <DIR> d-------- C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\.housecall6.6
2007-10-29 15:13 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2007-10-23 09:49 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-23 09:31 199,684 --a------ C:\Pass2.cmd
2007-10-23 09:31 718 --a------ C:\WINDOWS\system32\tmp.reg
2007-10-23 09:27 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-10-23 09:27 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-10-23 09:27 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-10-23 09:27 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-10-23 09:27 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-10-23 08:57 <DIR> d-------- C:\New Folder
2007-10-23 08:55 <DIR> d-------- C:\Program Files\CoffeeCup Software
2007-10-23 08:55 <DIR> d-------- C:\My Zip Files
2007-10-22 15:39 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-10-22 15:39 <DIR> d-------- C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\Application Data\SUPERAntiSpyware.com
2007-10-22 15:39 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\SUPERAntiSpyware.com
2007-10-11 11:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-10-11 11:10 16,384 --a------ C:\WINDOWS\xlavra2.exe
2007-10-11 11:04 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2007-10-11 11:01 <DIR> d-------- C:\Documents and Settings\Backup.AJ-71DGB8DRX842\Application Data\Sunbelt Software
2007-10-11 10:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sunbelt Software

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-07 23:04 54,584 ----a-w C:\WINDOWS\system32\drivers\sbapifs.sys
2007-11-07 18:30 --------- d-----w C:\Program Files\DriveCleaner
2007-10-29 21:41 --------- d-----w C:\Program Files\Common Files\Update
2007-10-29 21:18 --------- d-----w C:\Program Files\Java
2007-10-22 21:39 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-10-03 21:13 --------- d-----w C:\Program Files\Sunbelt Software
2007-10-03 21:13 --------- d-----w C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\Application Data\Sunbelt Software
2007-10-03 19:50 --------- d--h--w C:\Program Files\Common Files\Authentium Shared
2007-09-24 14:08 425,480 ----a-w C:\syslqcc.exe
2007-09-24 14:08 425,480 ----a-w C:\sysezzn.exe
2007-09-21 16:13 425,480 ----a-w C:\syswmeq.exe
2007-09-20 21:23 425,480 ----a-w C:\syscfyi.exe
2007-09-19 15:11 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\WinZip
2007-09-17 18:27 --------- d-----w C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\Application Data\Autodesk
2007-09-17 18:27 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Autodesk
2007-09-17 18:26 --------- d-----w C:\Program Files\Common Files\Autodesk Shared
2007-09-17 18:26 --------- d-----w C:\Program Files\Autodesk
2007-09-17 18:25 --------- d-----w C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\Application Data\Downloaded Installations
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"HPWQTOOLBOX"="C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe" [2005-06-03 04:18]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2005-02-08 10:32]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 13:06]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoWindowsUpdate"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cmdService"=2 (0x2)


.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-08 11:37:13
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-08 11:38:06 - machine was rebooted
.
--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:43:15 AM, on 11/8/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe
C:\WINDOWS\System32\hkcmd.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [HPWQTOOLBOX] C:\Program Files\Hewlett-Packard\HP Deskjet 9800 Series\Toolbox\HPWQTBX.exe "-i"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1193154754250
O16 - DPF: {8436FE12-31DB-48BF-83BF-FE682F9160B4} (NanoInstaller Class) - http://www.nanoscan.com/cabs/nanoinst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

--
End of file - 4239 bytes

pskelley
2007-11-08, 18:57
Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 11:43:15 AM, on 11/8/2007
This HJT log is clean:bigthumb: I see this program, do you own it? If it is just a trial, uninstall it; it is a good program, but it uses a lot of resources. I will suggest a replacement (free) before we finish.
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe

Run a new Kaspersky scan, make sure the settings are like this:

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here. Tell me how the computer is running now.

Thanks

dngerus00
2007-11-08, 21:44
The computer is running much better now. :2thumb: I uninstalled SuperAntiSpyware and ran Kaspersky again. Here is the log


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, November 08, 2007 2:38:44 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/11/2007
Kaspersky Anti-Virus database records: 426768
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\

Scan Statistics:
Total number of scanned objects: 56456
Number of viruses found: 6
Number of infected objects: 16
Number of suspicious objects: 2
Duration of the scan process: 00:36:33

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\PWSLDPinchIE2.zip/koos.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\PWSLDPinchIE2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Jarod\Application Data\Spyware Terminator\info.htm Object is locked skipped
C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\Local Settings\History\History.IE5\MSHist012007110820071109\index.dat Object is locked skipped
C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\Local Settings\Temp\Perflib_Perfdata_4ac.dat Object is locked skipped
C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\Local Settings\Temp\~DFCB17.tmp Object is locked skipped
C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\sdfix\SDFix\backups\backups.zip/backups/xlavba3.exe Infected: Trojan-Downloader.Win32.Wixud.g skipped
C:\sdfix\SDFix\backups\backups.zip ZIP: infected - 1 skipped
C:\syscfyi.exe Infected: Trojan-Dropper.Win32.Agent.bgh skipped
C:\sysezzn.exe Infected: Trojan-Dropper.Win32.Agent.bgh skipped
C:\syslqcc.exe Infected: Trojan-Dropper.Win32.Agent.bgh skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{E81AFB17-12EF-4B59-87CA-EE04ADD99F7A}\RP91\A0023494.exe Infected: Trojan.Win32.Agent.cks skipped
C:\System Volume Information\_restore{E81AFB17-12EF-4B59-87CA-EE04ADD99F7A}\RP91\A0023517.exe Infected: Trojan-Downloader.Win32.Wixud.g skipped
C:\System Volume Information\_restore{E81AFB17-12EF-4B59-87CA-EE04ADD99F7A}\RP91\A0023525.exe Infected: Trojan-Downloader.Win32.Wixud.g skipped
C:\System Volume Information\_restore{E81AFB17-12EF-4B59-87CA-EE04ADD99F7A}\RP93\A0023623.dll Infected: Trojan.Win32.BHO.hj skipped
C:\System Volume Information\_restore{E81AFB17-12EF-4B59-87CA-EE04ADD99F7A}\RP93\A0023624.dll Infected: Trojan.Win32.BHO.hj skipped
C:\System Volume Information\_restore{E81AFB17-12EF-4B59-87CA-EE04ADD99F7A}\RP93\A0023626.dll Infected: Trojan.Win32.BHO.hj skipped
C:\System Volume Information\_restore{E81AFB17-12EF-4B59-87CA-EE04ADD99F7A}\RP93\A0023627.dll Infected: Trojan.Win32.BHO.hj skipped
C:\System Volume Information\_restore{E81AFB17-12EF-4B59-87CA-EE04ADD99F7A}\RP93\A0023628.dll Infected: Trojan.Win32.BHO.hj skipped
C:\System Volume Information\_restore{E81AFB17-12EF-4B59-87CA-EE04ADD99F7A}\RP93\A0023629.dll Infected: Trojan.Win32.BHO.hj skipped
C:\System Volume Information\_restore{E81AFB17-12EF-4B59-87CA-EE04ADD99F7A}\RP95\change.log Object is locked skipped
C:\syswmeq.exe Infected: Trojan-Dropper.Win32.Agent.bgh skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_5a8.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\xlavra2.exe Infected: Trojan-Downloader.Win32.Agent.dyn skipped

Scan process completed.

pskelley
2007-11-08, 22:12
Sounds good:bigthumb: I'll have closing information that should help even more.

As soon as I tell you you are clean, you need to get Service Pack 2 on this computer. Understand Microsoft will not even let you download critical updates until you have it.
You can purchase a CD (Might be free still) http://www.microsoft.com/windowsxp/sp2/default.mspx
or install online if you wish.

As soon as it is installed and running well, you should install Internet Explorer 7
http://www.microsoft.com/windows/products/winfamily/ie/default.mspx

I suggest you give this a try as a Spyware program that runs in realtime:
http://www.microsoft.com/athome/security/spyware/software/default.mspx

Closing information will provide more information from experts in the malware/security field.

KASPERSKY ONLINE SCANNER REPORT Thursday, November 08, 2007 2:38:44 PM
Number of infected objects: 16
Number of suspicious objects: 2

two suspicious are in the Spybot S&D "Recovery" folder:
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\ <<< delete the contents of that folder in red

C:\sdfix\ <<< remove SDFix completely from your computer

You will need to have all files and folder visible or you won't see this junk:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Delete these files in red
C:\syscfyi.exe
C:\sysezzn.exe
C:\syslqcc.exe
C:\WINDOWS\xlavra2.exe

Restart the computer and then follow these instructions to clean your System Restore files:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Restart and run a new Kaspersky scan. I do not need to see a clean scan, let me know all is well so I can post closing information.

Thanks...Phil
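Phil's triage above sorts the Kaspersky hits by where they live: entries inside the Spybot S&D Recovery folder, the SDFix backups and System Restore are stale copies that go away when those folders or restore points are cleared, while the four files in C:\ and C:\WINDOWS are live and have to be deleted by hand (the online scanner only reports, every line ends in "skipped"). The following is an added Python example, not code from this thread or from Kaspersky, that parses the report format shown above and applies the same grouping; the sample lines are copied from the report, and the bucket names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: lines copied from the Kaspersky report above (one locked entry kept on purpose).
SAMPLE_REPORT = r"""
C:\Documents and Settings\Jarod.AJ-71DGB8DRX842\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\PWSLDPinchIE2.zip/koos.exe Suspicious: Password-protected-EXE skipped
C:\sdfix\SDFix\backups\backups.zip/backups/xlavba3.exe Infected: Trojan-Downloader.Win32.Wixud.g skipped
C:\sdfix\SDFix\backups\backups.zip ZIP: infected - 1 skipped
C:\syscfyi.exe Infected: Trojan-Dropper.Win32.Agent.bgh skipped
C:\System Volume Information\_restore{E81AFB17-12EF-4B59-87CA-EE04ADD99F7A}\RP91\A0023494.exe Infected: Trojan.Win32.Agent.cks skipped
C:\WINDOWS\xlavra2.exe Infected: Trojan-Downloader.Win32.Agent.dyn skipped
"""

# One report line is "<path> <verdict> <action>"; paths contain spaces, so the
# verdict is matched as a known token instead of splitting on whitespace.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<verdict>Object is locked"
    r"|Infected: (?P<infected>\S+)"
    r"|Suspicious: (?P<suspicious>\S+)"
    r"|ZIP: (?:infected|suspicious) - \d+) "
    r"(?P<action>\S+)$"
)

def parse_report_line(line):
    """Return path, detection name (None for locked/ZIP summary lines) and action, or None if no match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "path": m.group("path"),
        "detection": m.group("infected") or m.group("suspicious"),
        "locked": m.group("verdict") == "Object is locked",
        "action": m.group("action"),   # always "skipped": the online scanner does not disinfect
    }

def classify_location(path):
    """Bucket a hit by where it lives; the bucket decides the clean-up step (bucket names are mine)."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "system_restore"      # cleared by purging restore points
    if "\\spybot - search & destroy\\recovery\\" in p or "\\sdfix\\" in p:
        return "tool_quarantine"     # cleared by deleting the tool's backup folder
    return "live"                    # real on-disk file: delete it, then rescan

def triage(report_text):
    """Group every detection (locked entries are noise, not findings) by location bucket."""
    buckets = defaultdict(list)
    for line in report_text.splitlines():
        rec = parse_report_line(line)
        if rec is None or rec["locked"]:
            continue
        buckets[classify_location(rec["path"])].append((rec["path"], rec["detection"]))
    return dict(buckets)
```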

dngerus00
2007-11-08, 23:36
I ran Kaspersky again and it came back clean! I can't thank you enough for helping me. I certainly could not have done it without you! :bighug:

pskelley
2007-11-08, 23:41
Music to my ears:bigthumb: Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
Your boss should give you a raise and make you the head of the new IT department:eek:

You are clean and you should get after Service Pack 2 as soon as possible. There are likely to be a lot of updates waiting for that install.

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.