View Full Version : A couple of viruses found...
I recently ran the Kapersky online scan and it detected several viruses and infected files. I ended up getting the trial version of the the Kapersky internet protection and ran a full scan and had the program fix the problems. A subsequent Spybot run has revealed no problems. However, I again ran the Kapersky online scan and it still revealed 2 viruses and 10 infected files. My question is how do I get rid of these?
I read through the Malware removal suggestion post and have followed all of the directions.
I have a Hijackthis log, the latest Kapersky log, and a combofix log.
Thanks in advance.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:05:25 PM, on 11/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [5417482f] rundll32.exe "C:\WINDOWS\system32\qjrdrgyk.dll",b
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
--
End of file - 3279 bytes
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, November 07, 2007 4:45:54 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 7/11/2007
Kaspersky Anti-Virus database records: 453487
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Scan Statistics:
Total number of scanned objects: 100710
Number of viruses found: 2
Number of infected objects: 10
Number of suspicious objects: 0
Duration of the scan process: 01:09:25
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\0024_AdBlocker_eventcritlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\0024_AdBlocker_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\002b_File_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\002d_Web_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\report.rpt Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\plraoosk.default\cert8.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\plraoosk.default\flashgot.log Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\plraoosk.default\history.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\plraoosk.default\key3.db Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\plraoosk.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\plraoosk.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\plraoosk.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\plraoosk.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\plraoosk.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Mozilla\Firefox\Profiles\plraoosk.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007110720071108\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP2\A0000023.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.bn skipped
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP2\A0000029.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bn skipped
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP2\A0000030.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bn skipped
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP2\A0000043.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bn skipped
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP2\A0000044.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.bn skipped
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP2\A0000055.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP2\A0000055.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP2\A0000055.exe RarSFX: infected - 2 skipped
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP2\A0000071.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP2\A0000496.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.bn skipped
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP8\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\cch~370f5cb4b478.htp Object is locked skipped
C:\WINDOWS\TEMP\cch~370f5ce12e58.htp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
pskelley
2007-11-11, 01:22
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Thanks for posting the correct information, if you still need help we will start like this.
All of the items in the Kaspersky scan are infected System Restore files which we will clean before you finish. They cannot get back on your computer unless you do a System Restore, so do not.
I am seeing evidence of a Vundo infection and do not know if the infection is hidden. Let's investigate like this.
Right click a blank spot on the Desktop and create a new folder, call it HJT. Rename HiJackThis.exe, call it looper.exe or whatever, then move it into that HJT folder along with the log in notepad that is there. Backups for safety will also store there.
It will look like this: C:\Documents and Settings\Owner\Desktop\HJT\looper.exe
If Vundo is hiding, the next HJT log after a reboot should show it.
Post the combofix log and a new HJT log.
Thanks
Thanks for replying. Yes, I've read the rules.
Here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:03:55 PM, on 11/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HJT\looper.exe
O2 - BHO: (no name) - {134E2CE7-A68C-4637-897F-CF4205412A41} - (no file)
O2 - BHO: {f6e98e98-d9a1-89c9-fbf4-4ebb7703a4a2} - {2a4a3077-bbe4-4fbf-9c98-1a9d89e89e6f} - C:\WINDOWS\system32\sidrynms.dll
O2 - BHO: (no name) - {3B0F84BD-A9AD-4A39-882D-6DEB07C201A4} - (no file)
O2 - BHO: (no name) - {48B2A1DE-6706-47D2-9F2F-E661058355EC} - (no file)
O2 - BHO: (no name) - {4F529B6C-0DA9-454F-BD05-048D8CFBA341} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\byxvvts.dll
O2 - BHO: (no name) - {B8FD002F-CF51-4009-8A21-A015CA9128F5} - (no file)
O2 - BHO: (no name) - {C0D603AB-4EBC-4631-A9F3-E79DEC645981} - (no file)
O2 - BHO: (no name) - {C595F5B6-9801-4165-BA1E-43FD68E8AC89} - (no file)
O2 - BHO: (no name) - {DF349920-BAD4-4FD9-8207-1D85BC6ED382} - C:\WINDOWS\system32\ssqro.dll
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [5417482f] rundll32.exe "C:\WINDOWS\system32\qjrdrgyk.dll",b
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: byxvvts - C:\WINDOWS\SYSTEM32\byxvvts.dll
O20 - Winlogon Notify: llxskwna - llxskwna.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
--
End of file - 4357 bytes
and here is the combofix log:
ComboFix 07-11-07.3 - Owner 2007-11-12 13:06:44.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.144 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\orqss.ini
C:\WINDOWS\system32\ssqro.dll
.
((((((((((((((((((((((((( Files Created from 2007-10-12 to 2007-11-12 )))))))))))))))))))))))))))))))
.
2007-11-07 09:43 82,061 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-11-07 09:43 81,549 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-11-07 09:42 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-11-07 09:42 8,712,736 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-07 09:42 35,872 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-07 09:41 <DIR> d-------- C:\KAV
2007-11-07 01:36 79,936 --a------ C:\WINDOWS\system32\sidrynms.dll
2007-11-07 01:33 86,080 --a------ C:\WINDOWS\system32\ycavvtap.dll
2007-11-07 01:27 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-07 01:22 79,936 --a------ C:\WINDOWS\system32\xhrmaqlk.dll
2007-11-07 01:20 <DIR> d-------- C:\VundoFix Backups
2007-11-07 01:19 86,080 --a------ C:\WINDOWS\system32\iqslfnve.dll
2007-11-07 00:12 79,936 --a------ C:\WINDOWS\system32\urbpyjdq.dll
2007-11-06 22:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-06 22:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-06 22:03 81,472 --a------ C:\WINDOWS\system32\nrqhktuw.dll
2007-11-06 21:10 81,472 --a------ C:\WINDOWS\system32\ahargfis.dll
2007-11-06 21:07 87,104 --a------ C:\WINDOWS\system32\vheyocon.dll
2007-11-06 19:39 81,472 --a------ C:\WINDOWS\system32\tswihdmj.dll
2007-11-06 19:17 81,472 --a------ C:\WINDOWS\system32\kibpwowx.dll
2007-11-06 18:21 164 --a------ C:\install.dat
2007-11-06 18:20 81,472 --a------ C:\WINDOWS\system32\mnpeojmi.dll
2007-11-06 18:06 1,508 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-06 17:59 81,472 --a------ C:\WINDOWS\system32\uoxbkwbc.dll
2007-11-06 17:53 71,232 --a------ C:\WINDOWS\system32\ygnsemyh.exe
2007-11-06 13:53 81,472 --a------ C:\WINDOWS\system32\vxenlsyv.dll
2007-11-06 13:44 145,984 --a------ C:\WINDOWS\system32\gclprlsu.dll
2007-11-05 13:52 83,008 --a------ C:\WINDOWS\system32\pugkptxf.dll
2007-11-05 01:35 36,352 --a------ C:\WINDOWS\system32\byxvvts.dll
2007-10-30 08:43 <DIR> d-------- C:\WINDOWS\system32\Mz02r
2007-10-30 08:43 <DIR> d-------- C:\Temp\mZOr
2007-10-22 03:08 16,358 --a------ C:\WINDOWS\system32\instdump.zip
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-12 18:23 4,412 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-12 18:23 117,428 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-12 04:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2007-11-12 01:37 --------- d-----w C:\Program Files\Lx_cats
2007-11-07 19:40 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-07 19:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-07 06:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-07 04:57 --------- d-----w C:\Program Files\Common Files\Real
2007-11-06 04:27 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2007-10-22 08:19 --------- d-----w C:\Program Files\GRAPE GBW32 v4.0
2007-10-22 08:18 --------- d-----w C:\Program Files\BitTorrent
2007-10-04 23:44 --------- d-----w C:\Program Files\iTunes
2007-10-04 23:43 --------- d-----w C:\Program Files\iPod
2007-09-26 02:12 --------- d-----w C:\Documents and Settings\Owner\Application Data\Promethean
2007-09-19 12:41 --------- d-----w C:\Program Files\Apple Software Update
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-02-28 04:09 6,800 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
.
((((((((((((((((((((((((((((( snapshot_2007-11-07_18.32.22.65 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-07 14:23:03 1,257,472 ----a-w C:\WINDOWS\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
+ 2007-11-08 22:03:56 1,265,664 ----a-w C:\WINDOWS\assembly\GAC\System.Web\1.0.5000.0__b03f5f7f11d50a3a\System.Web.dll
- 2007-11-07 14:23:07 1,224,704 ----a-w C:\WINDOWS\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2007-11-08 22:03:58 1,232,896 ----a-w C:\WINDOWS\assembly\GAC\System\1.0.5000.0__b77a5c561934e089\System.dll
+ 2007-11-08 22:04:18 61,440 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\CustomMarshalers\1.0.5000.0__b03f5f7f11d50a3a_1669b663\CustomMarshalers.dll
+ 2007-11-08 22:06:57 3,391,488 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\mscorlib\1.0.5000.0__b77a5c561934e089_32082f61\mscorlib.dll
+ 2007-11-08 22:06:27 1,470,464 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Design\1.0.5000.0__b03f5f7f11d50a3a_cdbf5e69\System.Design.dll
+ 2007-11-08 22:04:21 90,112 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing.Design\1.0.5000.0__b03f5f7f11d50a3a_49a10cad\System.Drawing.Design.dll
+ 2007-11-08 22:06:49 835,584 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Drawing\1.0.5000.0__b03f5f7f11d50a3a_98b99f43\System.Drawing.dll
+ 2007-11-08 22:04:33 3,018,752 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Windows.Forms\1.0.5000.0__b77a5c561934e089_59c7c667\System.Windows.Forms.dll
+ 2007-11-08 22:04:47 2,088,960 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System.Xml\1.0.5000.0__b77a5c561934e089_bf67e60b\System.Xml.dll
+ 2007-11-08 22:04:13 1,966,080 ----a-w C:\WINDOWS\assembly\NativeImages1_v1.1.4322\System\1.0.5000.0__b77a5c561934e089_0c8443a8\System.dll
- 2004-07-15 06:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
+ 2007-04-14 02:30:52 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll
- 2004-07-15 06:49:22 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
+ 2007-04-14 02:30:52 32,768 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_wp.exe
- 2004-07-15 05:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
+ 2007-04-14 01:57:52 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\CORPerfMonExt.dll
- 2003-02-21 02:09:14 86,016 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
+ 2007-04-14 01:57:58 86,016 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorie.dll
- 2004-07-15 05:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
+ 2007-04-14 01:56:30 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorjit.dll
- 2004-07-15 05:33:04 102,400 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
+ 2007-04-14 01:58:00 102,400 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorld.dll
- 2004-07-15 19:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
+ 2007-04-14 01:50:46 2,142,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorlib.dll
- 2003-02-21 02:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
+ 2007-04-14 01:58:02 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsn.dll
- 2004-07-15 05:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
+ 2007-04-14 01:57:00 2,523,136 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorsvr.dll
- 2004-07-15 05:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
+ 2007-04-14 01:57:28 2,514,944 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll
- 2004-08-10 21:20:00 106,496 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
+ 2007-01-15 21:11:26 73,728 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\netfxupdate.exe
+ 2004-07-15 06:49:16 258,048 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3096\_aspnet_isapi.dll
+ 2004-07-15 05:32:22 81,920 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3096\_CORPerfMonExt.dll
+ 2004-07-15 05:24:30 282,624 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3096\_fusion.dll
+ 2004-07-15 05:25:06 315,392 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3096\_mscorjit.dll
+ 2004-07-15 19:29:02 2,138,112 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3096\_mscorlib.dll
+ 2003-02-21 02:09:18 77,824 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3096\_mscorsn.dll
+ 2004-07-15 05:26:52 2,510,848 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3096\_mscorsvr.dll
+ 2004-07-15 05:28:34 2,502,656 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3096\_mscorwks.dll
+ 2003-02-21 11:42:22 348,160 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3096\_msvcr71.dll
+ 2004-07-15 05:34:50 94,208 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\SHADOW3096\_PerfCounter.dll
- 2004-07-15 19:31:16 1,224,704 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.dll
+ 2007-04-14 02:35:38 1,232,896 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.dll
- 2004-07-15 19:29:00 1,257,472 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
+ 2007-04-14 02:35:46 1,265,664 ----a-w C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\System.Web.dll
- 2004-07-15 05:24:50 155,648 ----a-w C:\WINDOWS\system32\mscoree.dll
+ 2006-12-22 17:28:14 271,360 ----a-w C:\WINDOWS\system32\mscoree.dll
+ 2006-12-22 18:02:36 6,144 ----a-w C:\WINDOWS\system32\mui\0409\mscorees.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{134E2CE7-A68C-4637-897F-CF4205412A41}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2a4a3077-bbe4-4fbf-9c98-1a9d89e89e6f}]
2007-11-07 01:36 79936 --a------ C:\WINDOWS\system32\sidrynms.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3B0F84BD-A9AD-4A39-882D-6DEB07C201A4}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{48B2A1DE-6706-47D2-9F2F-E661058355EC}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F529B6C-0DA9-454F-BD05-048D8CFBA341}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
2007-11-05 01:35 36352 --a------ C:\WINDOWS\system32\byxvvts.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8FD002F-CF51-4009-8A21-A015CA9128F5}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C0D603AB-4EBC-4631-A9F3-E79DEC645981}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C595F5B6-9801-4165-BA1E-43FD68E8AC89}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll" [2004-03-17 11:30]
"5417482f"="C:\WINDOWS\system32\qjrdrgyk.dll" []
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"= C:\WINDOWS\system32\byxvvts.dll [2007-11-05 01:35 36352]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxvvts]
byxvvts.dll 2007-11-05 01:35 36352 C:\WINDOWS\system32\byxvvts.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\llxskwna]
llxskwna.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ssqro.dll
R0 IFP700;iRiver Internet Audio Player IFP-700;C:\WINDOWS\system32\drivers\ifp700.sys
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb6fa1df-7785-11dc-807e-0011115ccae9}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
"2007-11-08 22:39:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-12 17:39:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-12 13:25:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-12 13:28:16 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-07 18:36
C:\ComboFix3.txt ... 2007-11-07 01:45
.
--- E O F ---
pskelley
2007-11-12, 20:43
Thanks for returning your information. I notice combofix had a problem:
Unable to gain System Privileges
and could not do the job for us it should have. Were you signed in as administrator? If not, do so and run combofix again and post a new log.
I don't need to see it if it is the same.
I can see what looks like Vundo files it could not delete as a result. We will have to locate and delete them manually unless Vundofix kills them, let's see what happens.
TeaTimer will block changes we must make, use these instruction to turn it off until we are done.
http://russelltexas.com/malware/teatimer.htm
Thanks to Atribune and any others who helped with this fix.
Please understand these hackers can call there junk anything they wish. Vundofix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThislogin a reply to this thread.Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
If there is a file VundoFix doesn't find we need it submitted. Please submit
the files to upload malware http://www.uploadmalware.com
Thanks
I was signed in as the administrator (no other users set up). I ran combofix again.
Here is the log:
ComboFix 07-11-07.3 - Owner 2007-11-12 15:42:48.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.268 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\srqss.ini
C:\WINDOWS\system32\srqss.ini2
C:\WINDOWS\system32\ssqrs.dll
.
((((((((((((((((((((((((( Files Created from 2007-10-12 to 2007-11-12 )))))))))))))))))))))))))))))))
.
2007-11-07 09:43 82,061 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-11-07 09:43 81,549 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-11-07 09:42 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-11-07 09:42 8,780,832 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-07 09:42 40,736 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-07 09:41 <DIR> d-------- C:\KAV
2007-11-07 01:36 79,936 --a------ C:\WINDOWS\system32\sidrynms.dll
2007-11-07 01:33 86,080 --a------ C:\WINDOWS\system32\ycavvtap.dll
2007-11-07 01:27 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-07 01:22 79,936 --a------ C:\WINDOWS\system32\xhrmaqlk.dll
2007-11-07 01:20 <DIR> d-------- C:\VundoFix Backups
2007-11-07 01:19 86,080 --a------ C:\WINDOWS\system32\iqslfnve.dll
2007-11-07 00:12 79,936 --a------ C:\WINDOWS\system32\urbpyjdq.dll
2007-11-06 22:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-06 22:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-06 22:03 81,472 --a------ C:\WINDOWS\system32\nrqhktuw.dll
2007-11-06 21:10 81,472 --a------ C:\WINDOWS\system32\ahargfis.dll
2007-11-06 21:07 87,104 --a------ C:\WINDOWS\system32\vheyocon.dll
2007-11-06 19:39 81,472 --a------ C:\WINDOWS\system32\tswihdmj.dll
2007-11-06 19:17 81,472 --a------ C:\WINDOWS\system32\kibpwowx.dll
2007-11-06 18:21 164 --a------ C:\install.dat
2007-11-06 18:20 81,472 --a------ C:\WINDOWS\system32\mnpeojmi.dll
2007-11-06 18:06 1,508 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-06 17:59 81,472 --a------ C:\WINDOWS\system32\uoxbkwbc.dll
2007-11-06 17:53 71,232 --a------ C:\WINDOWS\system32\ygnsemyh.exe
2007-11-06 13:53 81,472 --a------ C:\WINDOWS\system32\vxenlsyv.dll
2007-11-06 13:44 145,984 --a------ C:\WINDOWS\system32\gclprlsu.dll
2007-11-05 13:52 83,008 --a------ C:\WINDOWS\system32\pugkptxf.dll
2007-11-05 01:35 36,352 --a------ C:\WINDOWS\system32\byxvvts.dll
2007-10-30 08:43 <DIR> d-------- C:\WINDOWS\system32\Mz02r
2007-10-30 08:43 <DIR> d-------- C:\Temp\mZOr
2007-10-22 03:08 16,358 --a------ C:\WINDOWS\system32\instdump.zip
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-12 20:51 4,844 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-12 20:51 118,628 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-12 04:05 --------- d-----w C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2007-11-12 01:37 --------- d-----w C:\Program Files\Lx_cats
2007-11-07 19:40 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-07 19:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-07 06:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-07 04:57 --------- d-----w C:\Program Files\Common Files\Real
2007-11-06 04:27 --------- d-----w C:\Documents and Settings\Owner\Application Data\U3
2007-10-22 08:19 --------- d-----w C:\Program Files\GRAPE GBW32 v4.0
2007-10-22 08:18 --------- d-----w C:\Program Files\BitTorrent
2007-10-04 23:44 --------- d-----w C:\Program Files\iTunes
2007-10-04 23:43 --------- d-----w C:\Program Files\iPod
2007-09-26 02:12 --------- d-----w C:\Documents and Settings\Owner\Application Data\Promethean
2007-09-19 12:41 --------- d-----w C:\Program Files\Apple Software Update
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-02-28 04:09 6,800 ----a-w C:\Documents and Settings\Owner\Application Data\wklnhst.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{134E2CE7-A68C-4637-897F-CF4205412A41}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1B962F07-DD94-419C-AE36-5690A528F302}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2a4a3077-bbe4-4fbf-9c98-1a9d89e89e6f}]
2007-11-07 01:36 79936 --a------ C:\WINDOWS\system32\sidrynms.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3B0F84BD-A9AD-4A39-882D-6DEB07C201A4}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{48B2A1DE-6706-47D2-9F2F-E661058355EC}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4F529B6C-0DA9-454F-BD05-048D8CFBA341}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{634BBAB7-3F60-4426-944F-A62B9007F67F}]
2007-11-05 01:35 36352 --a------ C:\WINDOWS\system32\byxvvts.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B8FD002F-CF51-4009-8A21-A015CA9128F5}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C0D603AB-4EBC-4631-A9F3-E79DEC645981}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C595F5B6-9801-4165-BA1E-43FD68E8AC89}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LXBTCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll" [2004-03-17 11:30]
"5417482f"="C:\WINDOWS\system32\qjrdrgyk.dll" []
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{634BBAB7-3F60-4426-944F-A62B9007F67F}"= C:\WINDOWS\system32\byxvvts.dll [2007-11-05 01:35 36352]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxvvts]
byxvvts.dll 2007-11-05 01:35 36352 C:\WINDOWS\system32\byxvvts.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\llxskwna]
llxskwna.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ssqrs.dll
R0 IFP700;iRiver Internet Audio Player IFP-700;C:\WINDOWS\system32\drivers\ifp700.sys
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys
S3 USB_RNDIS_XP;Westell WireSpeed Dual Connect Modem;C:\WINDOWS\system32\DRIVERS\usb8023.sys
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cb6fa1df-7785-11dc-807e-0011115ccae9}]
\Shell\AutoRun\command - J:\LaunchU3.exe -a
.
Contents of the 'Scheduled Tasks' folder
"2007-11-08 22:39:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-12 20:39:18 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-12 15:53:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-12 15:55:52 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-12 13:28
C:\ComboFix3.txt ... 2007-11-07 18:36
.
--- E O F ---
I also ran Vundofix, but it didn't find anything.
pskelley
2007-11-12, 23:09
Let's see now, you posted a second combofix log when I asked you not to:
and could not do the job for us it should have. Were you signed in as administrator? If not, do so and run combofix again and post a new log.
I don't need to see it if it is the same.
and You did not post the Vundofix report when I asked you to.
Please post the contents of C:\vundofix.txt and a new HiJackThislogin a reply to this thread
We are not doing to well here, I am not sure I will be able to help you.
Well, PSKelley, I only posted it because it looked different to me. Pardon me for not realizing there was a vundofix log even though it didn't find anything.
Here it is.
VundoFix V6.5.11
Checking Java version...
Scan started at 1:20:43 AM 11/7/2007
Listing files found while scanning....
C:\WINDOWS\system32\llxskwna.dll
Beginning removal...
Performing Repairs to the registry.
Done!
VundoFix V6.5.11
Checking Java version...
Scan started at 2:43:50 PM 11/7/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.5.11
Checking Java version...
Scan started at 12:59:53 PM 11/12/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.5.11
Checking Java version...
Scan started at 5:02:35 PM 11/12/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
Here is the new HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:24:22 PM, on 11/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Owner\Desktop\HJT\looper.exe
O2 - BHO: (no name) - {134E2CE7-A68C-4637-897F-CF4205412A41} - (no file)
O2 - BHO: (no name) - {1B962F07-DD94-419C-AE36-5690A528F302} - (no file)
O2 - BHO: (no name) - {292CABC4-A2F5-44D8-A276-4D2DF7BDAB89} - C:\WINDOWS\system32\jkhff.dll
O2 - BHO: {f6e98e98-d9a1-89c9-fbf4-4ebb7703a4a2} - {2a4a3077-bbe4-4fbf-9c98-1a9d89e89e6f} - C:\WINDOWS\system32\sidrynms.dll
O2 - BHO: (no name) - {3B0F84BD-A9AD-4A39-882D-6DEB07C201A4} - (no file)
O2 - BHO: (no name) - {48B2A1DE-6706-47D2-9F2F-E661058355EC} - (no file)
O2 - BHO: (no name) - {4F529B6C-0DA9-454F-BD05-048D8CFBA341} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\byxvvts.dll
O2 - BHO: (no name) - {B8FD002F-CF51-4009-8A21-A015CA9128F5} - (no file)
O2 - BHO: (no name) - {C0D603AB-4EBC-4631-A9F3-E79DEC645981} - (no file)
O2 - BHO: (no name) - {C595F5B6-9801-4165-BA1E-43FD68E8AC89} - (no file)
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [5417482f] rundll32.exe "C:\WINDOWS\system32\qjrdrgyk.dll",b
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: byxvvts - C:\WINDOWS\SYSTEM32\byxvvts.dll
O20 - Winlogon Notify: llxskwna - llxskwna.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
--
End of file - 4322 bytes
pskelley
2007-11-12, 23:56
You have a Vundo infection, I have been at the 12 hours today and will stop until morning. You could see Vundofix starting to identify files:
Listing files found while scanning....
C:\WINDOWS\system32\llxskwna.dll <<< here.
I have seen it take several runs and as many as six to fix the junk. Run Vundofix several more times and see what happens. Post the report. I can see problem with this removal because combofix would not run on your computer.
Post the report and a new HJT log, we may have to add them to the fix manually to see what happens.
Keep this computer offline except when you are working on the problem.
OK, thanks for your time and have a good evening.
You have a Vundo infection, I have been at the 12 hours today and will stop until morning. You could see Vundofix starting to identify files:
Listing files found while scanning....
C:\WINDOWS\system32\llxskwna.dll <<< here.
I have seen it take several runs and as many as six to fix the junk. Run Vundofix several more times and see what happens. Post the report. I can see problem with this removal because combofix would not run on your computer.
Post the report and a new HJT log, we may have to add them to the fix manually to see what happens.
Keep this computer offline except when you are working on the problem.
I've run Vundofix several more times. Here are the latest Vundo and HJT logs:
VundoFix V6.5.11
Checking Java version...
Scan started at 1:20:43 AM 11/7/2007
Listing files found while scanning....
C:\WINDOWS\system32\llxskwna.dll
Beginning removal...
Performing Repairs to the registry.
Done!
VundoFix V6.5.11
Checking Java version...
Scan started at 2:43:50 PM 11/7/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.5.11
Checking Java version...
Scan started at 12:59:53 PM 11/12/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.5.11
Checking Java version...
Scan started at 5:02:35 PM 11/12/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.5.11
Checking Java version...
Scan started at 6:02:20 PM 11/12/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.5.11
Checking Java version...
Scan started at 6:03:37 PM 11/12/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.5.11
Checking Java version...
Scan started at 7:16:09 PM 11/12/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.5.11
Checking Java version...
Scan started at 7:55:13 PM 11/12/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.5.11
Checking Java version...
Scan started at 7:58:35 PM 11/12/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.5.11
Checking Java version...
Scan started at 8:02:32 PM 11/12/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:59:02 PM, on 11/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HJT\looper.exe
O2 - BHO: (no name) - {134E2CE7-A68C-4637-897F-CF4205412A41} - (no file)
O2 - BHO: (no name) - {18CB3725-C6CA-4D7C-8680-69D71E3B3E26} - C:\WINDOWS\system32\mllji.dll
O2 - BHO: (no name) - {1B962F07-DD94-419C-AE36-5690A528F302} - (no file)
O2 - BHO: {f6e98e98-d9a1-89c9-fbf4-4ebb7703a4a2} - {2a4a3077-bbe4-4fbf-9c98-1a9d89e89e6f} - C:\WINDOWS\system32\sidrynms.dll
O2 - BHO: (no name) - {3B0F84BD-A9AD-4A39-882D-6DEB07C201A4} - (no file)
O2 - BHO: (no name) - {48B2A1DE-6706-47D2-9F2F-E661058355EC} - (no file)
O2 - BHO: (no name) - {4F529B6C-0DA9-454F-BD05-048D8CFBA341} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\byxvvts.dll
O2 - BHO: (no name) - {B8FD002F-CF51-4009-8A21-A015CA9128F5} - (no file)
O2 - BHO: (no name) - {C0D603AB-4EBC-4631-A9F3-E79DEC645981} - (no file)
O2 - BHO: (no name) - {C595F5B6-9801-4165-BA1E-43FD68E8AC89} - (no file)
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [5417482f] rundll32.exe "C:\WINDOWS\system32\qjrdrgyk.dll",b
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: byxvvts - C:\WINDOWS\SYSTEM32\byxvvts.dll
O20 - Winlogon Notify: llxskwna - llxskwna.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
--
End of file - 4266 bytes
pskelley
2007-11-13, 23:56
Make sure you are not taking this computer online, the junk will download more. Since we cannot use combofix, we will try to do it manually, please read the directions and follow them carefully. Follow the instructions in the numbered order.
Please do not quote all of the directions.
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
3) Open Vundofix by Doubleclicking on it, then point your mouse to the white box
above the buttons and right click, then click on Add More Files. When the
next window opens, copy and paste the files into the boxes and click on Add
File(s), then click on Close Window. Then click Remove Vundo.
Here are the files you must add, I believe you can only add six at a time, so do it until they are all added.
I count twenty, since six can be added at a time, it will take four times to get them all. I want to see the Vundofix report from this.
C:\WINDOWS\system32\mllji.dll
C:\WINDOWS\system32\sidrynms.dll
C:\WINDOWS\system32\byxvvts.dll
C:\WINDOWS\system32\qjrdrgyk.dll
C:\WINDOWS\system32\ycavvtap.dll
C:\WINDOWS\system32\xhrmaqlk.dll
C:\WINDOWS\system32\iqslfnve.dll
C:\WINDOWS\system32\urbpyjdq.dll
C:\WINDOWS\system32\nrqhktuw.dll
C:\WINDOWS\system32\ahargfis.dll
C:\WINDOWS\system32\vheyocon.dll
C:\WINDOWS\system32\tswihdmj.dll
C:\WINDOWS\system32\kibpwowx.dll
C:\WINDOWS\system32\mnpeojmi.dll
C:\WINDOWS\system32\uoxbkwbc.dll
C:\WINDOWS\system32\ygnsemyh.exe
C:\WINDOWS\system32\vxenlsyv.dll
C:\WINDOWS\system32\gclprlsu.dll
C:\WINDOWS\system32\pugkptxf.dll
C:\WINDOWS\system32\byxvvts.dll
4) ) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: (no name) - {134E2CE7-A68C-4637-897F-CF4205412A41} - (no file)
O2 - BHO: (no name) - {18CB3725-C6CA-4D7C-8680-69D71E3B3E26} - C:\WINDOWS\system32\mllji.dll
O2 - BHO: (no name) - {1B962F07-DD94-419C-AE36-5690A528F302} - (no file)
O2 - BHO: {f6e98e98-d9a1-89c9-fbf4-4ebb7703a4a2} - {2a4a3077-bbe4-4fbf-9c98-1a9d89e89e6f} - C:\WINDOWS\system32\sidrynms.dll
O2 - BHO: (no name) - {3B0F84BD-A9AD-4A39-882D-6DEB07C201A4} - (no file)
O2 - BHO: (no name) - {48B2A1DE-6706-47D2-9F2F-E661058355EC} - (no file)
O2 - BHO: (no name) - {4F529B6C-0DA9-454F-BD05-048D8CFBA341} - (no file)
O2 - BHO: (no name) - {634BBAB7-3F60-4426-944F-A62B9007F67F} - C:\WINDOWS\system32\byxvvts.dll
O2 - BHO: (no name) - {B8FD002F-CF51-4009-8A21-A015CA9128F5} - (no file)
O2 - BHO: (no name) - {C0D603AB-4EBC-4631-A9F3-E79DEC645981} - (no file)
O2 - BHO: (no name) - {C595F5B6-9801-4165-BA1E-43FD68E8AC89} - (no file)
O4 - HKLM\..\Run: [5417482f] rundll32.exe "C:\WINDOWS\system32\qjrdrgyk.dll",b
O20 - Winlogon Notify: byxvvts - C:\WINDOWS\SYSTEM32\byxvvts.dll
O20 - Winlogon Notify: llxskwna - llxskwna.dll (file missing)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
5) ) RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\WINDOWS\system32\qjrdrgyk.dll <<< delete that file if there
C:\install.dat <<< delete that file
C:\WINDOWS\system32\tmp.reg <<< delete that file
C:\WINDOWS\system32\
Mz02r <<< delete that file
C:\Temp\mZOr <<< delete the contents of the folder in red
4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Post the Vundofix report, a new HJT log and any comments you think will help.
Thanks
OK, I followed all of your instructions.
Here is the Vundofix and HJT logs. I noticed that Vundofix wasn't able to delete one of the files.
VundoFix V6.5.11
Checking Java version...
Scan started at 1:20:43 AM 11/7/2007
Listing files found while scanning....
C:\WINDOWS\system32\llxskwna.dll
Beginning removal...
Performing Repairs to the registry.
Done!
VundoFix V6.5.11
Checking Java version...
Scan started at 2:43:50 PM 11/7/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.5.11
Checking Java version...
Scan started at 12:59:53 PM 11/12/2007
Listing files found while scanning....
No infected files were found.
VundoFix V6.5.11
Checking Java version...
Scan started at 5:02:35 PM 11/12/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.5.11
Checking Java version...
Scan started at 6:02:20 PM 11/12/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.5.11
Checking Java version...
Scan started at 6:03:37 PM 11/12/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.5.11
Checking Java version...
Scan started at 7:16:09 PM 11/12/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.5.11
Checking Java version...
Scan started at 7:55:13 PM 11/12/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.5.11
Checking Java version...
Scan started at 7:58:35 PM 11/12/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
VundoFix V6.5.11
Checking Java version...
Scan started at 8:02:32 PM 11/12/2007
Listing files found while scanning....
No infected files were found.
Beginning removal...
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ahargfis.dll
C:\WINDOWS\system32\ahargfis.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\byxvvts.dll
C:\WINDOWS\system32\byxvvts.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\byxvvts.dll
C:\WINDOWS\system32\byxvvts.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\gclprlsu.dll
C:\WINDOWS\system32\gclprlsu.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\iqslfnve.dll
C:\WINDOWS\system32\iqslfnve.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\kibpwowx.dll
C:\WINDOWS\system32\kibpwowx.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\mllji.dll
C:\WINDOWS\system32\mllji.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\mnpeojmi.dll
C:\WINDOWS\system32\mnpeojmi.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\nrqhktuw.dll
C:\WINDOWS\system32\nrqhktuw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pugkptxf.dll
C:\WINDOWS\system32\pugkptxf.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\sidrynms.dll
C:\WINDOWS\system32\sidrynms.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\tswihdmj.dll
C:\WINDOWS\system32\tswihdmj.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\uoxbkwbc.dll
C:\WINDOWS\system32\uoxbkwbc.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\urbpyjdq.dll
C:\WINDOWS\system32\urbpyjdq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vheyocon.dll
C:\WINDOWS\system32\vheyocon.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vxenlsyv.dll
C:\WINDOWS\system32\vxenlsyv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\xhrmaqlk.dll
C:\WINDOWS\system32\xhrmaqlk.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ycavvtap.dll
C:\WINDOWS\system32\ycavvtap.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ygnsemyh.exe
C:\WINDOWS\system32\ygnsemyh.exe Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\byxvvts.dll
C:\WINDOWS\system32\byxvvts.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\byxvvts.dll
C:\WINDOWS\system32\byxvvts.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:49:31 PM, on 11/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HJT\looper.exe
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [LXBTCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBTtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Unknown owner - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: lxbt_device - Lexmark International, Inc. - C:\WINDOWS\system32\lxbtcoms.exe
--
End of file - 3116 bytes
pskelley
2007-11-14, 14:28
Thanks and good job, we are making progress. I see others are having that issue with combofix and I am watching to see how it is resolved. No doubt it is something the malware is causing.
You HJT log is scanning clean this morning:bigthumb: Kaspersky will show us if any bad files are left. First, remove Vundofix and combofix from your computer, be sure to delete the C:\vundofix backups\ folder and the C:\qoobox\quarantine folder. I see you have the online scan onboard:
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
Please run it according to these settings:
Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
Next Click on Launch Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.
Then post it here along with any comments you think will help.
Thanks
Thanks for taking the time to do this.
Here's the Kapersky scan results. I keep getting an alert from the Kapersky virus scan about "starluckinstaller". Maybe this is the one identified in the online scan.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, November 14, 2007 1:28:20 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 14/11/2007
Kaspersky Anti-Virus database records: 430471
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Scan Statistics:
Total number of scanned objects: 101930
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 01:11:59
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\0333_File_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\0335_AdBlocker_eventcritlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\0335_AdBlocker_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\0338_popupchk_eventcritlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\0338_popupchk_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\033b_Web_Monitoring_eventcritlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\033b_Web_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\report.rpt Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007111420071115\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP18\A0002331.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP18\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{0E4D565D-CED1-48D5-AE99-3B591BF9D3D5}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\cch~4bb6d8369e80.htp Object is locked skipped
C:\WINDOWS\TEMP\cch~4bb6d8c5eed0.htp Object is locked skipped
C:\WINDOWS\TEMP\cch~4e229c20b898.htp Object is locked skipped
C:\WINDOWS\TEMP\cch~4e229c5e88b0.htp Object is locked skipped
C:\WINDOWS\TEMP\cch~4e3acf27e8b0.htp Object is locked skipped
C:\WINDOWS\TEMP\cch~4e3acf49b7e8.htp Object is locked skipped
C:\WINDOWS\TEMP\cch~4e3bd7c2d978.htp Object is locked skipped
C:\WINDOWS\TEMP\cch~4e3bd7e56d58.htp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
pskelley
2007-11-14, 19:40
This is the only one left and it is an infected System Restore file. It may very well be the one your resident Kaspersky is seeing. Follow these directions:
C:\System Volume Information\_restore{C5941BA0-7954-431B-BB37-2E1ABEED1085}\RP18\A0002331.exe Infected: Trojan.Win32.Obfuscated.kp skipped
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Same instructions:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Let me know if that does it, I have valuable closing information to help you stay clean.
Thanks...Phil
That did it. I can't thank you enough. Is there any way I can repay you for your time?
pskelley
2007-11-14, 21:55
We are all volunteers and your thanks is what I work for:bigthumb:
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.