Please, need help to remove win32.BHO.df



BKaRussel
2007-11-14, 01:25
Hi there,

First of all, thanks for a great site! :) I'm having trouble getting rid of what I believe to be win32.BHO.df, and the guys who write these viruses deserve to get a good whipping, I think... I followed all the steps in the "before you post a log" thread. Please find enclosed only the latest HJT log, as the Kaspersky log was too long to fit as well.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:13:11, on 2007-11-14
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\brsvc01a.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\brss01a.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program\D-Tools\daemon.exe
E:\Program\iTunes\iTunesHelper.exe
D:\Program\QuickTime\qttask.exe
D:\Program\Delade filer\Real\Update_OB\realsched.exe
D:\Program\Java\jre1.5.0_06\bin\jusched.exe
D:\Program\SiteAdvisor\6172\SiteAdv.exe
D:\Program\RCrawler\RCrawler.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program\I8kfanGUI\i8kfangui.exe
D:\Program\Delade filer\McAfee\HackerWatch\HWAPI.exe
D:\Program\McAfee\MSC\mcmscsvc.exe
d:\program\delade filer\mcafee\mna\mcnasvc.exe
D:\Program\McAfee\VIRUSS~1\mcods.exe
D:\Program\McAfee\MSC\mcpromgr.exe
d:\program\DELADE~1\mcafee\redirsvc\redirsvc.exe
D:\Program\McAfee\VIRUSS~1\mcshield.exe
D:\Program\McAfee\VIRUSS~1\mcsysmon.exe
D:\Program\McAfee\MPF\MPFSrv.exe
D:\WINDOWS\System32\tcpsvcs.exe
D:\Program\SiteAdvisor\6172\SAService.exe
D:\WINDOWS\System32\svchost.exe
E:\Program\iPod\bin\iPodService.exe
d:\program\mcafee.com\agent\mcagent.exe
D:\Program\Mozilla Firefox\firefox.exe
D:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.se
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://login1.telia.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE_Window_Title
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://proxy1.telia.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://login1.telia.com;http://10.0.0.6;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - D:\Program\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - d:\program\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: {aa944e60-3db5-5048-ab64-575a7c501d1c} - {c1d105c7-a575-46ba-8405-5bd306e449aa} - (no file)
O2 - BHO: (no name) - {E9055462-50AB-45D5-83AB-CED04B16F4EE} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - D:\Program\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "D:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [10559b55] rundll32.exe "D:\WINDOWS\system32\yqoicxet.dll",b
O4 - HKLM\..\Run: [SiteAdvisor] D:\Program\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Registry Crawler] D:\Program\RCrawler\RCrawler.exe -TRAYONLY
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [i8kfangui] D:\Program\I8kfanGUI\i8kfangui.exe /startup
O4 - HKCU\..\Run: [Skype] "D:\Program\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = E:\Program\Microsoft Office\Office\OSA9.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://kw.bar.need2find.com/KW/menusearch.html?p=KW
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://D:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - D:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - D:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Unibet Poker - {C53BFCFC-7A54-4627-AEBA-2CD4871FCA97} - D:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://login1.telia.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/193fa8de02758109a114/netzip/RdxIE601.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {DF261D07-7E99-11D4-B2C7-009027A1F18A} (DDI Print Control Class v1.3 [ENU]) - https://eredovisning.postgirot.se/ddrint/work/iedpwenu.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DA7ADA3-5E01-4971-A1CE-ACC716829455}: NameServer = 82.144.41.8 62.220.18.8
O20 - AppInit_DLLs: D:\WINDOWS\system32\__c00FBBE4.dat
O20 - Winlogon Notify: !SASWinLogon - D:\Program\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: vvxihtdy - vvxihtdy.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - D:\WINDOWS\System32\brsvc01a.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - D:\Program\DELADE~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - D:\Program\Delade filer\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - D:\Program\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - D:\Program\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - d:\program\delade filer\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - D:\Program\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - D:\Program\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - d:\program\DELADE~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\Program\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - D:\Program\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - D:\Program\McAfee\MPF\MPFSrv.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - D:\VIRUSfighter\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - D:\Program\WinPcap\rpcapd.exe
O23 - Service: SiteAdvisor Service - Unknown owner - D:\Program\SiteAdvisor\6172\SAService.exe

--
End of file - 10242 bytes

pskelley
2007-11-16, 15:50
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
I think it's a Vundo infection. I will need a Kaspersky scan at some point, but I will want a new one, so wait until I ask.

If you have run any tools you did not mention, please make me aware.

Let's allow combofix a look first:

Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Thanks
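
As an added illustration (not part of the thread, and not a tool either poster used), here is a small Python triage pass over HijackThis-style lines. It flags the kinds of entries that lead a helper to suspect a Vundo-style infection in the log above: O2/O3 registrations marked "(no file)", an O4 Run value with a random 8-hex-digit name loading a System32 DLL through rundll32, a populated O20 AppInit_DLLs load point, and a Winlogon Notify package whose DLL is missing. The sample lines are constructed from the posted log (paths as posted); the heuristics are my own and are meant as a first-look aid, not a verdict.

```python
"""Triage a HijackThis v2 log for load points commonly left by Vundo-style BHOs.

Added example for the thread above; the heuristics are an analyst's first-look
checks, not a signature.  Every hit still needs a human to confirm it.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample, copied from the log posted above (benign lines included
# so the checks have something to leave alone).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {aa944e60-3db5-5048-ab64-575a7c501d1c} - {c1d105c7-a575-46ba-8405-5bd306e449aa} - (no file)
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [10559b55] rundll32.exe "D:\WINDOWS\system32\yqoicxet.dll",b
O20 - AppInit_DLLs: D:\WINDOWS\system32\__c00FBBE4.dat
O20 - Winlogon Notify: !SASWinLogon - D:\Program\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: vvxihtdy - vvxihtdy.dll (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program\iPod\bin\iPodService.exe
""".strip()


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "O2", "O4", "O20"
    reason: str    # why the line deserves a closer look
    line: str      # the original log line


# "[10559b55]" style Run value names: exactly eight hex digits, no words.
HEX_NAME = re.compile(r"^[0-9a-f]{8}$", re.I)
# rundll32 loading a DLL directly out of %SystemRoot%\system32.
RUNDLL_SYS32 = re.compile(
    r'rundll32(\.exe)?\s+"?[a-z]:\\windows\\system32\\[^"\\]+\.dll"?', re.I)
SECTION = re.compile(r"^(O\d+|R\d) - (.*)$")


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for one HijackThis line, or None if it looks unremarkable."""
    line = line.strip()
    m = SECTION.match(line)
    if not m:
        return None
    section, body = m.groups()

    # O2/O3: a CLSID still registered but its DLL is gone -> orphaned or
    # half-removed BHO/toolbar; harmless by itself but a trace of what ran.
    if section in ("O2", "O3") and body.endswith("(no file)"):
        return Finding(section, "registration points at a DLL that no longer exists", line)

    # O4: autostart with a meaningless hex name that uses rundll32 to load a
    # DLL from System32 is the pattern seen in the posted log.
    if section == "O4":
        name = re.search(r"\[([^\]]+)\]", body)
        if name and HEX_NAME.match(name.group(1)) and RUNDLL_SYS32.search(body):
            return Finding(section, "hex-named Run value loading a System32 DLL via rundll32", line)

    # O20: AppInit_DLLs is loaded into every process that maps user32.dll, so
    # any non-empty value is worth explaining; a Notify package whose DLL is
    # missing is a leftover load point that still fires at logon.
    if section == "O20":
        if body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            return Finding(section, "AppInit_DLLs is populated", line)
        if body.startswith("Winlogon Notify:") and body.endswith("(file missing)"):
            return Finding(section, "Winlogon Notify package with missing DLL", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run triage_line over a whole log and keep only the hits."""
    return [f for f in (triage_line(l) for l in log_text.splitlines()) if f]


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count hits per section, a quick 'how many load points are involved' view."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"{f.section}: {f.reason}\n    {f.line}")
    print(summarize(hits))
```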

BKaRussel
2007-11-17, 13:18
Hi, thanks for taking your time to help me :). I downloaded ComboFix. Here's the log for ComboFix; please see the next reply for the HijackThis log.

ComboFix 07-11-08.1 - Martin 2007-11-16 20:38:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1053.18.108 [GMT 1:00]
Running from: D:\Documents and Settings\Martin\Skrivbord\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

D:\Documents and Settings\Martin\Favoriter\Online Security Guide.lnk
D:\WINDOWS\cookies.ini
D:\WINDOWS\system32\drivers\npf.sys
D:\WINDOWS\system32\packet.dll
D:\WINDOWS\system32\pthreadVC.dll
D:\WINDOWS\system32\wpcap.dll
D:\WINDOWS\system32\vvxihtdy.dllbox

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_IPRIP
-------\LEGACY_NPF
-------\Iprip
-------\nm
-------\NPF


((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
.

2007-11-16 20:33 51,200 --a------ D:\WINDOWS\NirCmd.exe
2007-11-13 12:48 <KAT> d-------- D:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-13 12:47 <KAT> d-------- D:\WINDOWS\system32\Kaspersky Lab
2007-11-13 12:29 <KAT> d-------- D:\Program\Trend Micro
2007-11-13 10:09 <KAT> d-------- D:\Documents and Settings\Martin\Application Data\Skype
2007-11-13 02:49 <KAT> d-------- D:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-13 02:48 <KAT> d-------- D:\Program\SUPERAntiSpyware
2007-11-13 02:48 <KAT> d-------- D:\Documents and Settings\Martin\Application Data\SUPERAntiSpyware.com
2007-11-13 02:41 <KAT> d-------- D:\Program\RCrawler
2007-11-13 02:25 <KAT> d-------- D:\Documents and Settings\Martin\Application Data\SiteAdvisor
2007-11-12 15:54 <KAT> d-------- D:\Program\Windows Live Safety Center
2007-11-12 15:37 <KAT> d-------- D:\Program\Delade filer\Wise Installation Wizard
2007-11-09 17:56 <KAT> d-------- D:\WINDOWS\ERUNT
2007-11-06 14:34 <KAT> d-------- D:\Program\SiteAdvisor
2007-11-06 14:34 <KAT> d-------- D:\Documents and Settings\LocalService\Skrivbord
2007-11-06 14:34 <KAT> d-------- D:\Documents and Settings\LocalService\Application Data\SiteAdvisor
2007-11-06 14:34 <KAT> d-------- D:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-11-06 14:30 37,480 --a------ D:\WINDOWS\system32\drivers\mfesmfk.sys
2007-11-06 14:30 32,008 --a------ D:\WINDOWS\system32\drivers\mferkdk.sys
2007-11-06 14:29 171,240 --a------ D:\WINDOWS\system32\drivers\mfehidk.sys
2007-11-06 14:29 71,496 --a------ D:\WINDOWS\system32\drivers\mfeavfk.sys
2007-11-06 14:29 34,184 --a------ D:\WINDOWS\system32\drivers\mfebopk.sys
2007-11-06 14:28 109,608 --a------ D:\WINDOWS\system32\drivers\Mpfp.sys
2007-11-06 14:25 <KAT> d-------- D:\Program\McAfee.com
2007-11-06 14:23 <KAT> d-------- D:\Program\McAfee
2007-11-06 14:23 <KAT> d-------- D:\Program\Delade filer\McAfee
2007-11-06 14:03 <KAT> d-------- D:\Documents and Settings\All Users\Application Data\McAfee
2007-11-05 16:14 85,568 --a------ D:\WINDOWS\system32\yqoicxet.dll
2007-11-05 16:03 138,388 ---hs---- D:\WINDOWS\system32\vuvut.bak2
2007-10-31 16:44 6,465 ---hs---- D:\WINDOWS\system32\vuvut.bak1
2007-10-31 14:43 <KAT> d-------- D:\Documents and Settings\All Users\Application Data\Eset

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-10 21:50 --------- d-----w D:\Documents and Settings\Martin\Application Data\AdobeUM
2007-11-05 15:55 --------- d-----w D:\Program\mozilla.org
2007-11-05 14:48 --------- d-----w D:\Documents and Settings\Martin\Application Data\iid
2007-10-19 16:45 --------- d-----w D:\Program\Java
2007-10-19 16:42 --------- d--h--w D:\Program\InstallShield Installation Information
2007-09-24 11:57 --------- d-----w D:\Documents and Settings\Martin\Application Data\gtk-2.0
2007-08-21 06:18 683,520 ----a-w D:\WINDOWS\system32\inetcomm.dll
2007-01-17 15:47 28,672 -c--a-w D:\Documents and Settings\Martin\atwbxdet.dll
2004-08-13 16:18 995,383 -c----w D:\Documents and Settings\Temp\mfc42.dll
2004-08-13 16:18 94,208 -c----w D:\Documents and Settings\Temp\snmp_pp.dll
2004-08-13 16:18 86,016 -c----w D:\Documents and Settings\Temp\sdisdk.dll
2004-08-13 16:18 82,000 -c----w D:\Documents and Settings\Temp\sdidiscovery.dll
2004-08-13 16:18 81,920 -c----w D:\Documents and Settings\Temp\hpjnds50.dll
2004-08-13 16:18 794,624 -c----w D:\Documents and Settings\Temp\hpntwkwiz_it.dll
2004-08-13 16:18 794,624 -c----w D:\Documents and Settings\Temp\hpntwkwiz_fr.dll
2004-08-13 16:18 794,624 -c----w D:\Documents and Settings\Temp\hpntwkwiz_es.dll
2004-08-13 16:18 794,624 -c----w D:\Documents and Settings\Temp\hpntwkwiz_el.dll
2004-08-13 16:18 794,624 -c----w D:\Documents and Settings\Temp\hpntwkwiz_de.dll
2004-08-13 16:18 790,528 -c----w D:\Documents and Settings\Temp\hpntwkwiz_pt.dll
2004-08-13 16:18 790,528 -c----w D:\Documents and Settings\Temp\hpntwkwiz_nl.dll
2004-08-13 16:18 786,432 -c----w D:\Documents and Settings\Temp\hpntwkwiz_en.dll
2004-08-13 16:18 782,336 -c----w D:\Documents and Settings\Temp\hpntwkwiz_ar.dll
2004-08-13 16:18 70,656 -c----w D:\Documents and Settings\Temp\msvcirt.dll
2004-08-13 16:18 69,632 -c----w D:\Documents and Settings\Temp\hpjsnm2.dll
2004-08-13 16:18 50,688 -c----w D:\Documents and Settings\Temp\wsnmp32.dll
2004-08-13 16:18 467,028 -c----w D:\Documents and Settings\Temp\sdiingredients.dll
2004-08-13 16:18 458,752 -c----w D:\Documents and Settings\Temp\tls704d.dll
2004-08-13 16:18 454,732 -c----w D:\Documents and Settings\Temp\hpzjpp01.dll
2004-08-13 16:18 40,960 -c----w D:\Documents and Settings\Temp\hpjnet3.dll
2004-08-13 16:18 32,851 -c----w D:\Documents and Settings\Temp\hpjsira.exe
2004-08-13 16:18 32,768 -c----w D:\Documents and Settings\Temp\sdifirewall.dll
2004-08-13 16:18 290,892 -c----w D:\Documents and Settings\Temp\hpzjut02.dll
2004-08-13 16:18 282,720 -c----w D:\Documents and Settings\Temp\sdiingredientsagents.dll
2004-08-13 16:18 28,740 -c----w D:\Documents and Settings\Temp\sdilog.dll
2004-08-13 16:18 28,672 -c----w D:\Documents and Settings\Temp\sdiencryption.dll
2004-08-13 16:18 28,672 -c----w D:\Documents and Settings\Temp\hpzjfw01.dll
2004-08-13 16:18 266,293 -c----w D:\Documents and Settings\Temp\msvcrt.dll
2004-08-13 16:18 200,704 -c----w D:\Documents and Settings\Temp\hpjpds2.dll
2004-08-13 16:18 200,704 -c----w D:\Documents and Settings\Temp\hpjcmn3.dll
2004-08-13 16:18 20,565 -c----w D:\Documents and Settings\Temp\hpjsiadp.dll
2004-08-13 16:18 188,506 -c----w D:\Documents and Settings\Temp\sdicommunications.dll
2004-08-13 16:18 180,300 -c----w D:\Documents and Settings\Temp\sdinetware.dll
2004-08-13 16:18 18,103 -c----w D:\Documents and Settings\Temp\hpjmpr50.sys
2004-08-13 16:18 172,032 -c----w D:\Documents and Settings\Temp\hpntwkwiz.dll
2004-08-13 16:18 17,872 -c----w D:\Documents and Settings\Temp\hpjmpr40.sys
2004-08-13 16:18 17,048 -c----w D:\Documents and Settings\Temp\hpjndis5.sys
2004-08-13 16:18 16,752 -c----w D:\Documents and Settings\Temp\hpjndis4.sys
2004-08-13 16:18 155,648 -c----w D:\Documents and Settings\Temp\hpjpts3.dll
2004-08-13 16:18 147,456 -c----w D:\Documents and Settings\Temp\hpjcrp1.dll
2004-08-13 16:18 118,784 -c----w D:\Documents and Settings\Temp\hpbntkrs.dll
2004-08-13 16:18 110,592 -c----w D:\Documents and Settings\Temp\cfgtoipx.exe
2004-08-13 16:18 110,592 -c----w D:\Documents and Settings\Temp\cfgtoip.exe
2004-08-13 16:18 102,400 -c----w D:\Documents and Settings\Temp\openssldll.dll
2004-05-14 18:28 39,320 -c--a-w D:\Documents and Settings\Martin\Application Data\GDIPFONTCACHEV1.DAT
2004-02-05 13:55 2,322,059 -c----w D:\Documents and Settings\WU_Wizard\hpsu_setup.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c1d105c7-a575-46ba-8405-5bd306e449aa}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9055462-50AB-45D5-83AB-CED04B16F4EE}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DAEMON Tools-1033"="D:\Program\D-Tools\daemon.exe" [2003-10-02 01:20]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 16:24 D:\WINDOWS\system32\Ati2mdxx.exe]
"iTunesHelper"="E:\Program\iTunes\iTunesHelper.exe" [2005-10-06 18:03]
"QuickTime Task"="D:\Program\QuickTime\qttask.exe" [2005-11-29 19:27]
"TkBellExe"="D:\Program\Delade filer\Real\Update_OB\realsched.exe" [2006-04-04 20:08]
"SunJavaUpdateSched"="D:\Program\Java\jre1.5.0_06\bin\jusched.exe" [2005-11-10 13:03]
"10559b55"="D:\WINDOWS\system32\yqoicxet.dll" [2007-11-05 16:14]
"SiteAdvisor"="D:\Program\SiteAdvisor\6172\SiteAdv.exe" [2007-02-09 03:39]
"UserFaultCheck"="D:\WINDOWS\system32\dumprep 0 -u" []
"Registry Crawler"="D:\Program\RCrawler\RCrawler.exe" [2004-02-03 09:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:34]
"MsnMsgr"="D:\Program\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:55]
"i8kfangui"="D:\Program\I8kfanGUI\i8kfangui.exe" [2004-01-24 15:26]
"Skype"="D:\Program\Skype\Phone\Skype.exe" [2006-10-13 17:20]

D:\Documents and Settings\All Users\Start-meny\Program\Autostart\
Microsoft Office.lnk - E:\Program\Microsoft Office\Office\OSA9.EXE [1999-02-17 20:05:56]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"=0 (0x0)
"Btn_Forward"=0 (0x0)
"Btn_Stop"=0 (0x0)
"Btn_Refresh"=0 (0x0)
"Btn_Home"=0 (0x0)
"Btn_Search"=0 (0x0)
"Btn_History"=0 (0x0)
"Btn_Favorites"=0 (0x0)
"Btn_Folders"=0 (0x0)
"Btn_Fullscreen"=0 (0x0)
"Btn_Tools"=0 (0x0)
"Btn_MailNews"=0 (0x0)
"Btn_Size"=0 (0x0)
"Btn_Print"=0 (0x0)
"Btn_Edit"=0 (0x0)
"Btn_Discussions"=0 (0x0)
"Btn_Cut"=0 (0x0)
"Btn_Copy"=0 (0x0)
"Btn_Paste"=0 (0x0)
"Btn_Encoding"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\Program\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\Program\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 D:\Program\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vvxihtdy]
vvxihtdy.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\MCODS]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start-meny^Program^Autostart^Acrobat Assistant.lnk]
path=D:\Documents and Settings\All Users\Start-meny\Program\Autostart\Acrobat Assistant.lnk
backup=D:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\D:^Documents and Settings^All Users^Start-meny^Program^Autostart^Microsoft Office.lnk]
path=D:\Documents and Settings\All Users\Start-meny\Program\Autostart\Microsoft Office.lnk
backup=D:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
Ati2mdxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
D:\Program\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"D:\Program\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
"RelaxService"=2 (0x2)

R0 pnpshark;pnpshark;D:\WINDOWS\system32\DRIVERS\pnpshark.sys
R0 st3shark;st3shark;D:\WINDOWS\system32\DRIVERS\st3shark.sys
R1 fanio;FanIO driver;\??\D:\WINDOWS\System32\drivers\fanio.sys
R3 maestro;ESS Maestro 3-ljuddrivrutin (WDM);D:\WINDOWS\system32\drivers\es198x.sys
S3 fixustor;fixustor;D:\WINDOWS\system32\drivers\fixustor.sys
S3 GT680x;GrandTechICNameNT;D:\WINDOWS\system32\Drivers\gt680x.sys
S3 NuVision;Hauppauge WinTV USB (PAL B/G);D:\WINDOWS\system32\DRIVERS\NUVision.sys
S3 p2pgasvc;Autentisering för grupper i peer-nätverk;D:\WINDOWS\System32\svchost.exe -k p2psvc
S3 p2pimsvc;Identitetshanteraren för peer-nätverk;D:\WINDOWS\System32\svchost.exe -k p2psvc
S3 p2psvc;Peer-nätverk;D:\WINDOWS\System32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer-namnmatchningsprotokoll;D:\WINDOWS\System32\svchost.exe -k p2psvc
S3 PRISM_ICB;SMC2835W 2.4 GHz 54 Mbps Wireless Cardbus Adapter;D:\WINDOWS\system32\DRIVERS\smc2835w.sys
S4 RelaxService;RelaX;E:\Xbox\Relax_v075\relax.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2007-11-06 13:27:28 D:\WINDOWS\Tasks\McDefragTask.job"
- d:\program\mcafee\mqc\QcConsol.exe
"2007-11-06 13:27:26 D:\WINDOWS\Tasks\McQcTask.job"
- d:\program\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-16 20:54:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-16 20:57:58 - machine was rebooted
.
--- E O F ---

BKaRussel
2007-11-17, 13:20
...and here's the Hijack log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:14:03, on 2007-11-16
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\System32\brss01a.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program\D-Tools\daemon.exe
E:\Program\iTunes\iTunesHelper.exe
D:\Program\QuickTime\qttask.exe
D:\Program\Delade filer\Real\Update_OB\realsched.exe
D:\Program\Java\jre1.5.0_06\bin\jusched.exe
D:\Program\SiteAdvisor\6172\SiteAdv.exe
D:\Program\RCrawler\RCrawler.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program\MSN Messenger\MsnMsgr.Exe
D:\Program\I8kfanGUI\i8kfangui.exe
D:\Program\Skype\Phone\Skype.exe
D:\Program\Delade filer\McAfee\HackerWatch\HWAPI.exe
D:\Program\McAfee\MSC\mcmscsvc.exe
d:\program\delade filer\mcafee\mna\mcnasvc.exe
D:\Program\McAfee\VIRUSS~1\mcods.exe
D:\Program\McAfee\MSC\mcpromgr.exe
d:\program\DELADE~1\mcafee\redirsvc\redirsvc.exe
D:\Program\McAfee\VIRUSS~1\mcshield.exe
D:\Program\McAfee\VIRUSS~1\mcsysmon.exe
D:\Program\McAfee\MPF\MPFSrv.exe
D:\WINDOWS\System32\tcpsvcs.exe
D:\Program\SiteAdvisor\6172\SAService.exe
D:\WINDOWS\System32\svchost.exe
E:\Program\iPod\bin\iPodService.exe
d:\program\mcafee.com\agent\mcagent.exe
D:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.se
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://login1.telia.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=http://proxy1.telia.com:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://login1.telia.com;http://10.0.0.6;<local>
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - D:\Program\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - d:\program\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: {aa944e60-3db5-5048-ab64-575a7c501d1c} - {c1d105c7-a575-46ba-8405-5bd306e449aa} - (no file)
O2 - BHO: (no name) - {E9055462-50AB-45D5-83AB-CED04B16F4EE} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - D:\Program\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "D:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program\Java\jre1.5.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [10559b55] rundll32.exe "D:\WINDOWS\system32\yqoicxet.dll",b
O4 - HKLM\..\Run: [SiteAdvisor] D:\Program\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Registry Crawler] D:\Program\RCrawler\RCrawler.exe -TRAYONLY
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [i8kfangui] D:\Program\I8kfanGUI\i8kfangui.exe /startup
O4 - HKCU\..\Run: [Skype] "D:\Program\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = E:\Program\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Search - http://kw.bar.need2find.com/KW/menusearch.html?p=KW
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://D:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - D:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - D:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java-konsol - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Unibet Poker - {C53BFCFC-7A54-4627-AEBA-2CD4871FCA97} - D:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://login1.telia.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/193fa8de02758109a114/netzip/RdxIE601.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {DF261D07-7E99-11D4-B2C7-009027A1F18A} (DDI Print Control Class v1.3 [ENU]) - https://eredovisning.postgirot.se/ddrint/work/iedpwenu.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O20 - Winlogon Notify: !SASWinLogon - D:\Program\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: vvxihtdy - vvxihtdy.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - D:\WINDOWS\System32\brsvc01a.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - D:\Program\DELADE~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - D:\Program\Delade filer\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - D:\Program\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - D:\Program\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - d:\program\delade filer\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - D:\Program\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - D:\Program\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - d:\program\DELADE~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\Program\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - D:\Program\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - D:\Program\McAfee\MPF\MPFSrv.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - D:\VIRUSfighter\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - D:\Program\WinPcap\rpcapd.exe
O23 - Service: SiteAdvisor Service - Unknown owner - D:\Program\SiteAdvisor\6172\SAService.exe

--
End of file - 9825 bytes

pskelley
2007-11-17, 14:38
Thanks for returning your information. Here are some facts about this junk; since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://msmvps.com/blogs/spywaresucks/search.aspx?q=winfixer+msn

Ask me, this is just like B&E and I can't understand why it is taking so long to put these people in jail? They are using this infection to steal passwords now also.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) Thanks to Atribune and any others who helped with this fix.

Please understand these hackers can call their junk anything they wish. VundoFix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HijackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find, we need it submitted. Please submit the files to Upload Malware: http://www.uploadmalware.com

(wait until you finish to post reports and logs)

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {aa944e60-3db5-5048-ab64-575a7c501d1c} - {c1d105c7-a575-46ba-8405-5bd306e449aa} - (no file)
O2 - BHO: (no name) - {E9055462-50AB-45D5-83AB-CED04B16F4EE} - (no file)
O4 - HKLM\..\Run: [10559b55] rundll32.exe "D:\WINDOWS\system32\yqoicxet.dll",b
O8 - Extra context menu item: &Search - http://kw.bar.need2find.com/KW/menusearch.html?p=KW
O9 - Extra button: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - D:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Coral Eurobet Poker - {050AC5CD-E1E1-41ab-8CE0-61B56EFA7FA1} - D:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - D:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Unibet Poker - {C53BFCFC-7A54-4627-AEBA-2CD4871FCA97} - D:\WINDOWS\System32\shdocvw.dll
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/193fa8de...p/RdxIE601.cab
O20 - Winlogon Notify: vvxihtdy - vvxihtdy.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) RIGHT Click on Start then click on Explore. Locate and delete these items:

D:\WINDOWS\system32\yqoicxet.dll
D:\WINDOWS\system32\vuvut.bak2
D:\WINDOWS\system32\vuvut.bak1

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post a new HJT log and give me some feedback.

Thanks

See this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
D:\Program\Java\jre1.5.0_06\ <<< Java is out of date and likely the reason you are infected. Download the newest version and uninstall all old versions in Add/Remove Programs.
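
As an added example that is not part of this thread or of HijackThis itself, here is a small Python triage script that applies the same checks the helper used when picking the lines above for "Fix Checked": O2 BHO entries whose DLL is gone, an O4 Run value launching rundll32 on a system32 DLL with a random-looking name, and an O20 Winlogon Notify hook whose DLL is missing. The sample lines are copied from the logs in this thread; the rundll32 allowlist is a constructed, deliberately short one.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example: not part of this thread or of HijackThis itself. It applies
the same checks the helper used when picking lines for "Fix Checked":
  * O2  - a BHO still registered although its DLL is gone ("(no file)")
  * O4  - a Run value that launches rundll32.exe on a system32 DLL with a
          random-looking name (the Vundo/Virtumonde pattern in this thread)
  * O20 - a Winlogon Notify hook whose DLL is missing ("(file missing)")
The sample lines are copied from the logs quoted in the thread.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_LINES = [
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O2 - BHO: {aa944e60-3db5-5048-ab64-575a7c501d1c} - {c1d105c7-a575-46ba-8405-5bd306e449aa} - (no file)",
    r'O4 - HKLM\..\Run: [iTunesHelper] "E:\Program\iTunes\iTunesHelper.exe"',
    r'O4 - HKLM\..\Run: [10559b55] rundll32.exe "D:\WINDOWS\system32\yqoicxet.dll",b',
    r"O20 - Winlogon Notify: !SASWinLogon - D:\Program\SUPERAntiSpyware\SASWINLO.dll",
    r"O20 - Winlogon Notify: vvxihtdy - vvxihtdy.dll (file missing)",
]

# rundll32 targets in system32 that legitimately appear in Run keys.
# Constructed, deliberately short allowlist: anything not listed is reported
# for an analyst to look at, it is not declared malicious.
KNOWN_RUNDLL32_TARGETS = {"nvcpl.dll", "nvmctray.dll"}

RUNDLL32_RE = re.compile(
    r'^O4 - .*?\[(?P<key>[^\]]+)\]\s+"?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+\.dll)"?',
    re.IGNORECASE,
)
SYSTEM32_RE = re.compile(r'[\\/]system32[\\/]([^\\/"]+\.dll)$', re.IGNORECASE)
HEX_KEY_RE = re.compile(r"^[0-9a-f]{6,}$", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious HJT line, or None if it looks benign."""
    line = line.strip()
    section = line.split(" - ", 1)[0]
    if section == "O2" and line.endswith("(no file)"):
        return Finding("O2", "BHO registered but its DLL is gone; orphaned entry to remove", line)
    if section == "O20" and line.endswith("(file missing)"):
        return Finding("O20", "Winlogon Notify hook points at a missing DLL; remove the hook", line)
    if section == "O4":
        m = RUNDLL32_RE.match(line)
        if m:
            target = SYSTEM32_RE.search(m.group("dll"))
            if target and target.group(1).lower() not in KNOWN_RUNDLL32_TARGETS:
                reasons = ["rundll32 loads a system32 DLL not on the allowlist"]
                if HEX_KEY_RE.match(m.group("key")):
                    reasons.append("Run value name is a random-looking hex string")
                return Finding("O4", "; ".join(reasons), line)
    return None


def triage(lines: List[str]) -> List[Finding]:
    """Run triage_line over a whole log and keep only the hits."""
    return [f for f in map(triage_line, lines) if f is not None]


if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against the full log, the hits are the same O2, O4 and O20 lines the helper listed; the O8, O9 and O16 items he also removed are judged by name and URL rather than by structure, so they need the analyst's eye.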

BKaRussel
2007-11-17, 17:25
Hi and thanks for your swift reply. You're right...those virus authors are criminals and I think the spam people are too. Sometimes I wonder what's wrong with these people, they should go see Dr. Phil.

I followed all the steps. However, I downloaded VundoFix.exe and let it scan. It ran for about an hour but didn't find any files, so I didn't get a VundoFix log to attach in the reply. Here's the latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:04:31, on 2007-11-17
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\System32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\System32\brsvc01a.exe
D:\WINDOWS\System32\brss01a.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
D:\Program\D-Tools\daemon.exe
E:\Program\iTunes\iTunesHelper.exe
D:\Program\Delade filer\Real\Update_OB\realsched.exe
D:\Program\SiteAdvisor\6172\SiteAdv.exe
D:\Program\RCrawler\RCrawler.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program\MSN Messenger\MsnMsgr.Exe
D:\Program\I8kfanGUI\i8kfangui.exe
D:\Program\Delade filer\McAfee\HackerWatch\HWAPI.exe
D:\Program\McAfee\MSC\mcmscsvc.exe
d:\program\delade filer\mcafee\mna\mcnasvc.exe
D:\Program\McAfee\VIRUSS~1\mcods.exe
D:\Program\McAfee\MSC\mcpromgr.exe
d:\program\DELADE~1\mcafee\redirsvc\redirsvc.exe
D:\Program\McAfee\VIRUSS~1\mcshield.exe
D:\Program\McAfee\VIRUSS~1\mcsysmon.exe
D:\Program\McAfee\MPF\MPFSrv.exe
D:\WINDOWS\System32\tcpsvcs.exe
D:\Program\SiteAdvisor\6172\SAService.exe
D:\WINDOWS\System32\svchost.exe
d:\program\mcafee\VIRUSS~1\mcvsshld.exe
E:\Program\iPod\bin\iPodService.exe
D:\WINDOWS\system32\wuauclt.exe
d:\program\mcafee.com\agent\mcagent.exe
D:\Program\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.se
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://login1.telia.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Länkar
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - D:\Program\SiteAdvisor\6172\SiteAdv.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - D:\Program\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - d:\program\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - D:\Program\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - D:\Program\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - D:\Program\SiteAdvisor\6172\SiteAdv.dll
O4 - HKLM\..\Run: [DAEMON Tools-1033] "D:\Program\D-Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [iTunesHelper] "E:\Program\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "D:\Program\Delade filer\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SiteAdvisor] D:\Program\SiteAdvisor\6172\SiteAdv.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [Registry Crawler] D:\Program\RCrawler\RCrawler.exe -TRAYONLY
O4 - HKCU\..\Run: [CTFMON.EXE] D:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "D:\Program\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [i8kfangui] D:\Program\I8kfanGUI\i8kfangui.exe /startup
O4 - HKCU\..\Run: [Skype] "D:\Program\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'LOKAL TJÄNST')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] D:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = E:\Program\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xportera till Microsoft Excel - res://D:\Program\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://login1.telia.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab
O16 - DPF: {90A29DA5-D020-4B18-8660-6689520C7CD7} (DmiReader Class) - http://support.euro.dell.com/global/apps/systemprofiler/PROFILER.CAB
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {DF261D07-7E99-11D4-B2C7-009027A1F18A} (DDI Print Control Class v1.3 [ENU]) - https://eredovisning.postgirot.se/ddrint/work/iedpwenu.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DA7ADA3-5E01-4971-A1CE-ACC716829455}: NameServer = 82.144.41.8 62.220.18.8
O20 - Winlogon Notify: !SASWinLogon - D:\Program\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - Unknown owner - D:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - D:\WINDOWS\System32\brsvc01a.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - D:\Program\DELADE~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - D:\Program\Delade filer\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - E:\Program\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - D:\Program\Delade filer\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - D:\Program\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - D:\Program\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - d:\program\delade filer\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - D:\Program\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - D:\Program\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - d:\program\DELADE~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\Program\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - D:\Program\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - D:\Program\McAfee\MPF\MPFSrv.exe
O23 - Service: Norman API-hooking helper (NipSvc) - Unknown owner - D:\VIRUSfighter\Nvc\BIN\nipsvc.exe (file missing)
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - D:\Program\WinPcap\rpcapd.exe
O23 - Service: SiteAdvisor Service - Unknown owner - D:\Program\SiteAdvisor\6172\SAService.exe

--
End of file - 7978 bytes

pskelley
2007-11-17, 17:36
That's not a good sign; are you sure you downloaded the new version, VundoFix V6.6.2?

The HJT log looks clean; are you having any malware issues? Let's look at a Kaspersky scan now. Use these settings please:

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

BKaRussel
2007-11-18, 13:34
Hi, I did an overnight scan with Kaspersky and it found Password-protected-EXE, Trojan.Win32.Agent.avy and Virtumonde :sad:. Here's the Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, November 18, 2007 12:17:45 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/11/2007
Kaspersky Anti-Virus database records: 432273
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 90093
Number of viruses found: 2
Number of infected objects: 2
Number of suspicious objects: 2
Duration of the scan process: 04:57:31

Infected Object Name / Virus Name / Last Action
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{0AB49A80-FD67-46F2-9BF7-D9B3023113BC}\RP941\change.log Object is locked skipped
D:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
D:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
D:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
D:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{2DB43808-297A-4ED1-832D-4012E8D052EB}.log Object is locked skipped
D:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{47FC8EC7-2D90-4E7C-93E5-155BAE8973B7}.log Object is locked skipped
D:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
D:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR6.tmp Object is locked skipped
D:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet13.zip/asmend.exe Suspicious: Password-protected-EXE skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet13.zip ZIP: suspicious - 1 skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip/opnopmj.dll Infected: Trojan.Win32.Agent.avy skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip ZIP: infected - 1 skipped
D:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\LocalService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\LocalService\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
D:\Documents and Settings\Martin\Cookies\index.dat Object is locked skipped
D:\Documents and Settings\Martin\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\Martin\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\Martin\Lokala inställningar\Temp\~DFA588.tmp Object is locked skipped
D:\Documents and Settings\Martin\Lokala inställningar\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Martin\Lokala inställningar\Tidigare\History.IE5\index.dat Object is locked skipped
D:\Documents and Settings\Martin\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\Martin\NTUSER.DAT.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
D:\Documents and Settings\NetworkService\Lokala inställningar\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
D:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
D:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{0AB49A80-FD67-46F2-9BF7-D9B3023113BC}\RP941\change.log Object is locked skipped
D:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
D:\WINDOWS\SchedLgU.Txt Object is locked skipped
D:\WINDOWS\SoftwareDistribution\EventCache\{AF4F2CD5-A66A-47C9-8D21-5481C5CD795C}.bin Object is locked skipped
D:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
D:\WINDOWS\Sti_Trace.log Object is locked skipped
D:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
D:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
D:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\default Object is locked skipped
D:\WINDOWS\system32\config\default.LOG Object is locked skipped
D:\WINDOWS\system32\config\Internet.evt Object is locked skipped
D:\WINDOWS\system32\config\SAM Object is locked skipped
D:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
D:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\SECURITY Object is locked skipped
D:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
D:\WINDOWS\system32\config\software Object is locked skipped
D:\WINDOWS\system32\config\software.LOG Object is locked skipped
D:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
D:\WINDOWS\system32\config\system Object is locked skipped
D:\WINDOWS\system32\config\system.LOG Object is locked skipped
D:\WINDOWS\system32\h323log.txt Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
D:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
D:\WINDOWS\Temp\mcafee_a1kZDmKJJ881cUF Object is locked skipped
D:\WINDOWS\Temp\mcmsc_MtzN9UxchFbhjnR Object is locked skipped
D:\WINDOWS\Temp\mcmsc_oMZNc3HPo1pw3m6 Object is locked skipped
D:\WINDOWS\Temp\mcmsc_tBbai6nmgQoNLYh Object is locked skipped
D:\WINDOWS\Temp\mcmsc_vexdrTcbiSDYqnd Object is locked skipped
D:\WINDOWS\Temp\mcmsc_VTUgXssBC9elGnO Object is locked skipped
D:\WINDOWS\wiadebug.log Object is locked skipped
D:\WINDOWS\wiaservc.log Object is locked skipped
D:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\_restore{0AB49A80-FD67-46F2-9BF7-D9B3023113BC}\RP941\change.log Object is locked skipped

Scan process completed.

pskelley
2007-11-18, 14:34
KASPERSKY ONLINE SCANNER REPORT Sunday, November 18, 2007 12:17:45 PM

Number of infected objects: 2

Clean out the Spybot S&D Recovery folder in red:
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet13.zip/asmend.exe Suspicious: Password-protected-EXE skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet13.zip ZIP: suspicious - 1 skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip/opnopmj.dll Infected: Trojan.Win32.Agent.avy skipped
D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip ZIP: infected - 1 skipped

Remove all tools we downloaded, the exception is ATF-Cleaner, you may keep it if you wish.

http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
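
The report reading above, as an added example that is not part of this thread or of Kaspersky's tooling: a Python script that separates the "Object is locked skipped" noise from real detections and marks detections that sit inside another tool's quarantine or recovery folder, which is why the fix here is to empty the Spybot S&D Recovery folder rather than to hunt for a live infection. Sample lines are copied from the report quoted above; the list of quarantine folder names is a constructed, short one.

```python
"""Classify Kaspersky Online Scanner report lines.

Added example: not part of this thread or of Kaspersky's tooling. It separates
the noise ("Object is locked skipped": files the scanner could not open, such
as registry hives and event logs) from real detections, and marks detections
that sit inside another tool's quarantine or recovery folder, as both hits in
the report above do. Those are already-removed files, so the fix is to empty
that folder, not to hunt for a live infection. Sample lines are copied from
the report quoted above.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE_REPORT = [
    r"C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped",
    r"D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet13.zip/asmend.exe Suspicious: Password-protected-EXE skipped",
    r"D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Altnet13.zip ZIP: suspicious - 1 skipped",
    r"D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip/opnopmj.dll Infected: Trojan.Win32.Agent.avy skipped",
    r"D:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip ZIP: infected - 1 skipped",
    r"D:\WINDOWS\system32\config\SAM Object is locked skipped",
]

# Folder fragments (lower-case) where other security tools park what they
# removed. Constructed, short list; the Spybot S&D Recovery folder is the one
# that matters for this report.
QUARANTINE_MARKERS = (
    "\\spybot - search & destroy\\recovery\\",
    "\\quarantine\\",
)

LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?P<status>Object is locked"
    r"|Infected: (?P<inf>\S+)"
    r"|Suspicious: (?P<sus>\S+)"
    r"|ZIP: (?:infected|suspicious) - \d+)"
    r"\s+(?P<action>\S+)$"
)


@dataclass
class Detection:
    path: str
    verdict: str            # "infected", "suspicious" or "archive"
    name: Optional[str]     # detection name, None for an archive summary line
    in_quarantine: bool


def is_locked(line: str) -> bool:
    """True for files the scanner could not open; these are not detections."""
    m = LINE_RE.match(line.strip())
    return bool(m) and m.group("status") == "Object is locked"


def classify(line: str) -> Optional[Detection]:
    """Return a Detection for a scanner hit, None for locked or unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m or m.group("status") == "Object is locked":
        return None
    path = m.group("path")
    if m.group("inf"):
        verdict, name = "infected", m.group("inf")
    elif m.group("sus"):
        verdict, name = "suspicious", m.group("sus")
    else:
        # "ZIP: infected - 1" summarises the container of a hit listed just before it
        verdict, name = "archive", None
    low = path.lower()
    return Detection(path, verdict, name, any(mk in low for mk in QUARANTINE_MARKERS))


def summarize(lines: List[str]) -> Dict[str, object]:
    dets = [d for d in map(classify, lines) if d is not None]
    return {
        "locked": sum(1 for ln in lines if is_locked(ln)),
        "detections": dets,
        # what still needs removal: a real hit that is not sitting in a quarantine folder
        "live": [d for d in dets if d.verdict != "archive" and not d.in_quarantine],
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_REPORT)
    print(f"{s['locked']} locked objects (ignore), {len(s['detections'])} detections, "
          f"{len(s['live'])} outside quarantine")
    for d in s["detections"]:
        where = "quarantine" if d.in_quarantine else "LIVE"
        print(f"  {d.verdict:<10} {where:<10} {d.name or '-':<25} {d.path}")
```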

BKaRussel
2007-11-19, 00:50
Hi there, first of all thanks for all the help you've provided. I followed the steps and removed all the antivirus programs you told me to download. I rebooted and after that I did a scan with Spybot. Unfortunately, it found three entries for Virtumonde. That was all it found, so win32.bho.df seems to be gone:). I pressed the fix problems button and the entries were removed. When I tried to immunize with Spybot it got hung up and stopped responding, and this happened several times, every time I tried to immunize. According to Spybot there are 146 threats I'm not immune against. Should I uninstall Spybot and download and install a new version of it?

pskelley
2007-11-19, 00:59
Thanks for the feedback. Understand that I am a volunteer; I do not work for Spybot S&D. I suggest you ask about Spybot issues here:
http://forums.spybot.info/forumdisplay.php?f=4
It may be they are registry leftovers, but as far as I know, if Spybot S&D locates them, it should remove them.

I am personally still running V1.4, but if you are having problems, I would start by upgrading to V1.5 to see if that fixes your issues. One thing for sure, you want to be fully immunized against all threats. Here are a few tutorials if it helps:
http://spyware-free.us/tutorials/spybot/
http://www.bleepingcomputer.com/forums/tutorial43.html
http://www.safer-networking.org/en/tutorial/index.html

Thanks

BKaRussel
2007-11-20, 00:54
Hi again! I downloaded the new version of Spybot. It also found 3 instances of Virtumonde, I fixed those and immunized which worked like a charm. I uninstalled McAfee and now have AVG. After rebooting I did another scan with Spybot...it found no immediate threats!:bigthumb: My computer seems to be healthy again:) Thank you so much for your help. Where should I donate so I'll know you'll get something of the donation? Take care, and thanks again:). Regards, BKaRussel

pskelley
2007-11-20, 01:05
Thanks for that feedback. I recently dropped McAfee; I liked VSO and would have kept it, but they insisted I download a huge program like Norton, so I took away my CC# and wiped them off my computer when the subscription ran out.
We are all volunteers and your thanks is more than enough payment. I posted a link to donations for the forum in my post #9. I am sure it costs plenty to keep a website like this running, if you wish to help.

Safe surfing...Phil:bigthumb: