Vundo Infection
loanboss
2007-11-14, 02:12
What I have done to try to self-fix:
1. Ran Spybot S&D 1.5
2. Ran Ad-Aware SE
3. Ran a full scan with CA Antivirus
4. Removed old version of Java 1.4.01 (it has been removed, but I have not installed jre-6u3, so the machine has no Java presently)
5. Ran VundoFix.exe
6. Ran Symantec Vundo Removal Tool
7. Ran ComboFix
8. Cleared Prefetch
9. Cleared all temp files and index.dat files under a command prompt logon
10. When CA Antivirus runs, it says it finds no virus, but during the scan it pops up a window saying it found a virus and deleted it.
11. The machine installed a BHO toolbar and tried to open several hundred IE windows before Java was removed,
and the machine would reinstall the virus as a DLL in the system folder and a fake security toolbar after each reboot, even after running all the scrubbers listed above.
Please help. Thank you, Mark
Kaspersky log part 1
KASPERSKY ONLINE SCANNER REPORT
Tuesday, November 13, 2007 3:30:29 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 13/11/2007
Kaspersky Anti-Virus database records: 457645
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
Scan Statistics:
Total number of scanned objects: 318735
Number of viruses found: 52
Number of infected objects: 222
Number of suspicious objects: 3
Duration of the scan process: 04:19:50
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users.WINDOWS\Application Data\Bluebeam Software\Brewery\V45\Printer Support\BBPDFPortMon.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip/cbxyyaw.dll Infected: Trojan-Downloader.Win32.Small.ddy skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users.WINDOWS\Documents\Utilities\Cain and Able Password Cracker\cain25b47.exe/WISE0018.BIN Infected: not-a-virus:PSWTool.Win32.Cain.c skipped
C:\Documents and Settings\All Users.WINDOWS\Documents\Utilities\Cain and Able Password Cracker\cain25b47.exe/WISE0023.BIN Infected: not-a-virus:PSWTool.Win32.Cain.b skipped
C:\Documents and Settings\All Users.WINDOWS\Documents\Utilities\Cain and Able Password Cracker\cain25b47.exe/WISE0025.BIN Infected: not-a-virus:PSWTool.Win32.Cain.b skipped
C:\Documents and Settings\All Users.WINDOWS\Documents\Utilities\Cain and Able Password Cracker\cain25b47.exe WiseSFX: infected - 3 skipped
C:\Documents and Settings\All Users.WINDOWS\Documents\Utilities\Keyfinder\keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\All Users.WINDOWS\Documents\Utilities\Keyfinder\keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\All Users.WINDOWS\Documents\Utilities\Keyfinder\keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\All Users.WINDOWS\Documents\Utilities\Keyfinder\keyfinder.exe RarSFX: infected - 3 skipped
C:\Documents and Settings\All Users.WINDOWS\Documents\Utilities\Keyfinder\kf141.zip/keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\All Users.WINDOWS\Documents\Utilities\Keyfinder\kf141.zip/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\All Users.WINDOWS\Documents\Utilities\Keyfinder\kf141.zip/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\All Users.WINDOWS\Documents\Utilities\Keyfinder\kf141.zip/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
C:\Documents and Settings\All Users.WINDOWS\Documents\Utilities\Keyfinder\kf141.zip ZIP: infected - 4 skipped
C:\Documents and Settings\All Users.WINDOWS\Documents\Utilities\Neo Napster 3.1\Old\setupneonapster.exe/data0007 Infected: not-a-virus:AdWare.Win32.180Solutions.m skipped
C:\Documents and Settings\All Users.WINDOWS\Documents\Utilities\Neo Napster 3.1\Old\setupneonapster.exe/data0008 Infected: not-a-virus:AdWare.Win32.EZula.d skipped
C:\Documents and Settings\All Users.WINDOWS\Documents\Utilities\Neo Napster 3.1\Old\setupneonapster.exe Inno: infected - 2 skipped
C:\Documents and Settings\All Users.WINDOWS\Documents\Utilities\Neo Napster 3.1\setupneonapster.exe/data0006/UCMIE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore.a skipped
C:\Documents and Settings\All Users.WINDOWS\Documents\Utilities\Neo Napster 3.1\setupneonapster.exe/data0006/IUCMORE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore skipped
C:\Documents and Settings\All Users.WINDOWS\Documents\Utilities\Neo Napster 3.1\setupneonapster.exe/data0006 Infected: not-a-virus:AdWare.Win32.Ucmore skipped
C:\Documents and Settings\All Users.WINDOWS\Documents\Utilities\Neo Napster 3.1\setupneonapster.exe/data0007/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.v skipped
C:\Documents and Settings\All Users.WINDOWS\Documents\Utilities\Neo Napster 3.1\setupneonapster.exe/data0007/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\Documents and Settings\All Users.WINDOWS\Documents\Utilities\Neo Napster 3.1\setupneonapster.exe/data0007 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
C:\Documents and Settings\All Users.WINDOWS\Documents\Utilities\Neo Napster 3.1\setupneonapster.exe/data0008 Suspicious: not-a-virus:AdWare.Win32.GigatechSuperBar skipped
C:\Documents and Settings\All Users.WINDOWS\Documents\Utilities\Neo Napster 3.1\setupneonapster.exe/data0009 Infected: not-a-virus:AdWare.Win32.180Solutions.m skipped
C:\Documents and Settings\All Users.WINDOWS\Documents\Utilities\Neo Napster 3.1\setupneonapster.exe/data0010 Infected: not-a-virus:AdWare.Win32.EZula.d skipped
C:\Documents and Settings\All Users.WINDOWS\Documents\Utilities\Neo Napster 3.1\setupneonapster.exe/data0011/data0115 Infected: not-a-virus:AdWare.Win32.TopMoxie.d skipped
C:\Documents and Settings\All Users.WINDOWS\Documents\Utilities\Neo Napster 3.1\setupneonapster.exe/data0011 Infected: not-a-virus:AdWare.Win32.TopMoxie.d skipped
C:\Documents and Settings\All Users.WINDOWS\Documents\Utilities\Neo Napster 3.1\setupneonapster.exe/data0012 Infected: not-a-virus:AdWare.Win32.IGetNet skipped
C:\Documents and Settings\All Users.WINDOWS\Documents\Utilities\Neo Napster 3.1\setupneonapster.exe Inno: infected - 11, suspicious - 1 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\userco1\Application Data\CallingID\CallingID.ldb Object is locked skipped
C:\Documents and Settings\userco1\Application Data\CallingID\CallingID.mdb Object is locked skipped
C:\Documents and Settings\userco1\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\userco1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\userco1\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\userco1\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\userco1\Local Settings\History\History.IE5\MSHist012007111320071114\index.dat Object is locked skipped
C:\Documents and Settings\userco1\Local Settings\Temp\JET196D.tmp Object is locked skipped
C:\Documents and Settings\userco1\Local Settings\Temp\~DF85D6.tmp Object is locked skipped
C:\Documents and Settings\userco1\Local Settings\Temp\~DFAD1C.tmp Object is locked skipped
C:\Documents and Settings\userco1\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\userco1\ntuser.dat Object is locked skipped
C:\Documents and Settings\userco1\NTUSER.DAT.LOG Object is locked skipped
C:\Program Files\Cain\Cain.exe Infected: not-a-virus:PSWTool.Win32.Cain.c skipped
C:\Program Files\Ektron\EktronWindowsService20\log\bdebd0a2-dcce-4b99-8f7a-1e972efd1970test.log Object is locked skipped
C:\Program Files\Ektron\EktronWindowsService20\log\test.log Object is locked skipped
C:\Program Files\GetPaid2Search Toolbar\getpaid2search.dll Infected: not-a-virus:AdWare.Win32.Mostofate.y skipped
C:\Program Files\GetPaid2Search Toolbar\tbhelper.dll Infected: not-a-virus:AdWare.Win32.Mostofate.y skipped
C:\Program Files\MzRam\Cpu_Power.exe Infected: Trojan.Win32.Small.sx skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\sysdl132.exe.vir Infected: Trojan-Downloader.Win32.BHO.bo skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\XunLeiBHO_001.dll.vir Infected: not-a-virus:AdWare.Win32.BHO.aj skipped
C:\qoobox\Quarantine\catchme2007-11-12_ 44104.09.zip/cbxyyaw.dll Infected: Trojan-Downloader.Win32.Small.ddy skipped
C:\qoobox\Quarantine\catchme2007-11-12_ 44104.09.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{C5911632-D810-4F33-9A05-BBA1DCEB2216}\RP1\A0000008.dll Infected: not-a-virus:AdWare.Win32.BHO.aj skipped
C:\System Volume Information\_restore{C5911632-D810-4F33-9A05-BBA1DCEB2216}\RP1\A0000009.exe Infected: Trojan-Downloader.Win32.BHO.bo skipped
C:\System Volume Information\_restore{C5911632-D810-4F33-9A05-BBA1DCEB2216}\RP1\A0000018.dll Infected: Trojan-Downloader.Win32.Small.ddy skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{21E88291-564D-4738-B75A-45876A3F0B93}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\system32\config\EktronL2.evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\jmlekmfc.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\MsDtc\MSDTC.LOG Object is locked skipped
C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log Object is locked skipped
C:\WINDOWS\system32\trhwryqn.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\Temp\Perflib_Perfdata_614.dat Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_8d0.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
loanboss
2007-11-14, 02:17
Please help. Thank you, Mark (continued)
Kaspersky log part 2
E:\Backups P4\Utilities\Cain and Able Password Cracker\cain25b47.exe/WISE0018.BIN Infected: not-a-virus:PSWTool.Win32.Cain.c skipped
E:\Backups P4\Utilities\Cain and Able Password Cracker\cain25b47.exe/WISE0023.BIN Infected: not-a-virus:PSWTool.Win32.Cain.b skipped
E:\Backups P4\Utilities\Cain and Able Password Cracker\cain25b47.exe/WISE0025.BIN Infected: not-a-virus:PSWTool.Win32.Cain.b skipped
E:\Backups P4\Utilities\Cain and Able Password Cracker\cain25b47.exe WiseSFX: infected - 3 skipped
E:\Backups P4\Utilities\Keyfinder\keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
E:\Backups P4\Utilities\Keyfinder\keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
E:\Backups P4\Utilities\Keyfinder\keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
E:\Backups P4\Utilities\Keyfinder\keyfinder.exe RarSFX: infected - 3 skipped
E:\Backups P4\Utilities\Keyfinder\kf141.zip/keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
E:\Backups P4\Utilities\Keyfinder\kf141.zip/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
E:\Backups P4\Utilities\Keyfinder\kf141.zip/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
E:\Backups P4\Utilities\Keyfinder\kf141.zip/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
E:\Backups P4\Utilities\Keyfinder\kf141.zip ZIP: infected - 4 skipped
E:\Backups P4\Utilities\Neo Napster 3.1\Old\setupneonapster.exe/data0007 Infected: not-a-virus:AdWare.Win32.180Solutions.m skipped
E:\Backups P4\Utilities\Neo Napster 3.1\Old\setupneonapster.exe/data0008 Infected: not-a-virus:AdWare.Win32.EZula.d skipped
E:\Backups P4\Utilities\Neo Napster 3.1\Old\setupneonapster.exe Inno: infected - 2 skipped
E:\Backups P4\Utilities\Neo Napster 3.1\setupneonapster.exe/data0006/UCMIE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore.a skipped
E:\Backups P4\Utilities\Neo Napster 3.1\setupneonapster.exe/data0006/IUCMORE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore skipped
E:\Backups P4\Utilities\Neo Napster 3.1\setupneonapster.exe/data0006 Infected: not-a-virus:AdWare.Win32.Ucmore skipped
E:\Backups P4\Utilities\Neo Napster 3.1\setupneonapster.exe/data0007/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.v skipped
E:\Backups P4\Utilities\Neo Napster 3.1\setupneonapster.exe/data0007/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
E:\Backups P4\Utilities\Neo Napster 3.1\setupneonapster.exe/data0007 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
E:\Backups P4\Utilities\Neo Napster 3.1\setupneonapster.exe/data0008 Suspicious: not-a-virus:AdWare.Win32.GigatechSuperBar skipped
E:\Backups P4\Utilities\Neo Napster 3.1\setupneonapster.exe/data0009 Infected: not-a-virus:AdWare.Win32.180Solutions.m skipped
E:\Backups P4\Utilities\Neo Napster 3.1\setupneonapster.exe/data0010 Infected: not-a-virus:AdWare.Win32.EZula.d skipped
E:\Backups P4\Utilities\Neo Napster 3.1\setupneonapster.exe/data0011/data0115 Infected: not-a-virus:AdWare.Win32.TopMoxie.d skipped
E:\Backups P4\Utilities\Neo Napster 3.1\setupneonapster.exe/data0011 Infected: not-a-virus:AdWare.Win32.TopMoxie.d skipped
E:\Backups P4\Utilities\Neo Napster 3.1\setupneonapster.exe/data0012 Infected: not-a-virus:AdWare.Win32.IGetNet skipped
E:\Backups P4\Utilities\Neo Napster 3.1\setupneonapster.exe Inno: infected - 11, suspicious - 1 skipped
E:\New Folder A-L\Activity monitor 15 day trial\activmon.zip/amagent35.exe/data0004 Infected: not-a-virus:Monitor.Win32.ActivityMonitor.37 skipped
E:\New Folder A-L\Activity monitor 15 day trial\activmon.zip/amagent35.exe/data0006 Infected: not-a-virus:Monitor.Win32.ActivityMonitor.35 skipped
E:\New Folder A-L\Activity monitor 15 day trial\activmon.zip/amagent35.exe Infected: not-a-virus:Monitor.Win32.ActivityMonitor.35 skipped
E:\New Folder A-L\Activity monitor 15 day trial\activmon.zip/amonitor35f.exe/data0002 Infected: not-a-virus:Monitor.Win32.ActivityMonitor.35 skipped
E:\New Folder A-L\Activity monitor 15 day trial\activmon.zip/amonitor35f.exe/data0024/data0004 Infected: not-a-virus:Monitor.Win32.ActivityMonitor.37 skipped
E:\New Folder A-L\Activity monitor 15 day trial\activmon.zip/amonitor35f.exe/data0024/data0006 Infected: not-a-virus:Monitor.Win32.ActivityMonitor.35 skipped
E:\New Folder A-L\Activity monitor 15 day trial\activmon.zip/amonitor35f.exe/data0024 Infected: not-a-virus:Monitor.Win32.ActivityMonitor.35 skipped
E:\New Folder A-L\Activity monitor 15 day trial\activmon.zip/amonitor35f.exe Infected: not-a-virus:Monitor.Win32.ActivityMonitor.35 skipped
E:\New Folder A-L\Activity monitor 15 day trial\activmon.zip ZIP: infected - 8 skipped
E:\New Folder A-L\AudioGalexy\AGSetup0608.exe/fsg-ag.exe Infected: not-a-virus:AdWare.Win32.Gator.1050 skipped
E:\New Folder A-L\AudioGalexy\AGSetup0608.exe Vise: infected - 1 skipped
E:\New Folder A-L\Cain and Able Password Cracker\cain25b47.exe/WISE0018.BIN Infected: not-a-virus:PSWTool.Win32.Cain.c skipped
E:\New Folder A-L\Cain and Able Password Cracker\cain25b47.exe/WISE0023.BIN Infected: not-a-virus:PSWTool.Win32.Cain.b skipped
E:\New Folder A-L\Cain and Able Password Cracker\cain25b47.exe/WISE0025.BIN Infected: not-a-virus:PSWTool.Win32.Cain.b skipped
E:\New Folder A-L\Cain and Able Password Cracker\cain25b47.exe WiseSFX: infected - 3 skipped
E:\New Folder A-L\drug wars\dw21.exe/WISE0056.BIN Infected: not-a-virus:AdWare.Win32.Gator.1050 skipped
E:\New Folder A-L\drug wars\dw21.exe WiseSFX: infected - 1 skipped
E:\New Folder A-L\Get Paid To Search\getpaid2search.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.y skipped
E:\New Folder A-L\Get Paid To Search\getpaid2search.exe/stream/data0007 Infected: not-a-virus:AdWare.Win32.Mostofate.y skipped
E:\New Folder A-L\Get Paid To Search\getpaid2search.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.y skipped
E:\New Folder A-L\Get Paid To Search\getpaid2search.exe NSIS: infected - 3 skipped
E:\New Folder A-L\get right\getrt45a.exe/WISE0087.BIN Infected: not-a-virus:AdWare.Win32.Gator.1050 skipped
E:\New Folder A-L\get right\getrt45a.exe WiseSFX: infected - 1 skipped
E:\New Folder A-L\get right\getrt45c.exe/WISE0087.BIN Infected: not-a-virus:AdWare.Win32.Gator.1050 skipped
E:\New Folder A-L\get right\getrt45c.exe WiseSFX: infected - 1 skipped
E:\New Folder A-L\get right\getrt45d.exe/WISE0087.BIN Infected: not-a-virus:AdWare.Win32.Gator.1050 skipped
E:\New Folder A-L\get right\getrt45d.exe WiseSFX: infected - 1 skipped
E:\New Folder A-L\KaZaA Media Desktop p2p Software\kmd151_en.exe/data0003/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
E:\New Folder A-L\KaZaA Media Desktop p2p Software\kmd151_en.exe/data0003/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
E:\New Folder A-L\KaZaA Media Desktop p2p Software\kmd151_en.exe/data0003 Infected: not-a-virus:AdWare.Win32.Cydoor skipped
E:\New Folder A-L\KaZaA Media Desktop p2p Software\kmd151_en.exe/data0007 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
E:\New Folder A-L\KaZaA Media Desktop p2p Software\kmd151_en.exe/data0008/SaveNow.exe Infected: not-a-virus:AdWare.Win32.SaveNow.av skipped
E:\New Folder A-L\KaZaA Media Desktop p2p Software\kmd151_en.exe/data0008/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
E:\New Folder A-L\KaZaA Media Desktop p2p Software\kmd151_en.exe/data0008 Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
E:\New Folder A-L\KaZaA Media Desktop p2p Software\kmd151_en.exe/data0009/data0002 Infected: not-a-virus:AdWare.Win32.CommonName.g skipped
E:\New Folder A-L\KaZaA Media Desktop p2p Software\kmd151_en.exe/data0009 Infected: not-a-virus:AdWare.Win32.CommonName.g skipped
E:\New Folder A-L\KaZaA Media Desktop p2p Software\kmd151_en.exe/data0011/bdedetect1.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
E:\New Folder A-L\KaZaA Media Desktop p2p Software\kmd151_en.exe/data0011 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
E:\New Folder A-L\KaZaA Media Desktop p2p Software\kmd151_en.exe/data0014 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
E:\New Folder A-L\KaZaA Media Desktop p2p Software\kmd151_en.exe/data0015 Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
E:\New Folder A-L\KaZaA Media Desktop p2p Software\kmd151_en.exe/data0021/bdeinstall.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1044 skipped
E:\New Folder A-L\KaZaA Media Desktop p2p Software\kmd151_en.exe/data0021 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1044 skipped
E:\New Folder A-L\KaZaA Media Desktop p2p Software\kmd151_en.exe/data0022/bde3d_ref2.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.d skipped
E:\New Folder A-L\KaZaA Media Desktop p2p Software\kmd151_en.exe/data0022 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.d skipped
E:\New Folder A-L\KaZaA Media Desktop p2p Software\kmd151_en.exe/data0025/bdeload.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.e skipped
E:\New Folder A-L\KaZaA Media Desktop p2p Software\kmd151_en.exe/data0025 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.e skipped
E:\New Folder A-L\KaZaA Media Desktop p2p Software\kmd151_en.exe/data0026/bdeplayer2.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.f skipped
E:\New Folder A-L\KaZaA Media Desktop p2p Software\kmd151_en.exe/data0026 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.f skipped
E:\New Folder A-L\KaZaA Media Desktop p2p Software\kmd151_en.exe/data0029/BDESac10.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3120 skipped
E:\New Folder A-L\KaZaA Media Desktop p2p Software\kmd151_en.exe/data0029 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3120 skipped
E:\New Folder A-L\KaZaA Media Desktop p2p Software\kmd151_en.exe/data0030/bdeviewer.exe Infected: Trojan.Win32.Krepper.y skipped
E:\New Folder A-L\KaZaA Media Desktop p2p Software\kmd151_en.exe/data0030 Infected: Trojan.Win32.Krepper.y skipped
E:\New Folder A-L\KaZaA Media Desktop p2p Software\kmd151_en.exe/data0032/BDEVerify.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.a skipped
E:\New Folder A-L\KaZaA Media Desktop p2p Software\kmd151_en.exe/data0032/BDEVerify.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.b skipped
E:\New Folder A-L\KaZaA Media Desktop p2p Software\kmd151_en.exe/data0032 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.b skipped
E:\New Folder A-L\KaZaA Media Desktop p2p Software\kmd151_en.exe Inno: infected - 28 skipped
E:\New Folder A-L\Keyfinder-Microsoft XP\keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
E:\New Folder A-L\Keyfinder-Microsoft XP\keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
E:\New Folder A-L\Keyfinder-Microsoft XP\keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
E:\New Folder A-L\Keyfinder-Microsoft XP\keyfinder.exe RarSFX: infected - 3 skipped
E:\New Folder A-L\Keyfinder-Microsoft XP\kf141.zip/keyfinder.exe/data.rar/xpkey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
E:\New Folder A-L\Keyfinder-Microsoft XP\kf141.zip/keyfinder.exe/data.rar/officekey.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
E:\New Folder A-L\Keyfinder-Microsoft XP\kf141.zip/keyfinder.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
E:\New Folder A-L\Keyfinder-Microsoft XP\kf141.zip/keyfinder.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
E:\New Folder A-L\Keyfinder-Microsoft XP\kf141.zip ZIP: infected - 4 skipped
E:\New Folder M-Z\Mobil Unlock Software\samsung_unlocker_by_cerberos.zip/Samsung_unlocker_by_cerberos_v1.5.001_bugfixed_FREE.exe Infected: HackTool.Win32.VB.aj skipped
E:\New Folder M-Z\Mobil Unlock Software\samsung_unlocker_by_cerberos.zip ZIP: infected - 1 skipped
E:\New Folder M-Z\MusicCity Morpheus 1.3\Morph20.exe/WISE0014.BIN/WISE0013.BIN Infected: not-a-virus:AdWare.Win32.WurldMedia.a skipped
E:\New Folder M-Z\MusicCity Morpheus 1.3\Morph20.exe/WISE0014.BIN Infected: not-a-virus:AdWare.Win32.WurldMedia.a skipped
E:\New Folder M-Z\MusicCity Morpheus 1.3\Morph20.exe WiseSFX: infected - 2 skipped
E:\New Folder M-Z\Neo Napster 3.1\Old\setupneonapster.exe/data0007 Infected: not-a-virus:AdWare.Win32.180Solutions.m skipped
E:\New Folder M-Z\Neo Napster 3.1\Old\setupneonapster.exe/data0008 Infected: not-a-virus:AdWare.Win32.EZula.d skipped
E:\New Folder M-Z\Neo Napster 3.1\Old\setupneonapster.exe Inno: infected - 2 skipped
E:\New Folder M-Z\Neo Napster 3.1\setupneonapster.exe/data0006/UCMIE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore.a skipped
E:\New Folder M-Z\Neo Napster 3.1\setupneonapster.exe/data0006/IUCMORE.DLL Infected: not-a-virus:AdWare.Win32.Ucmore skipped
E:\New Folder M-Z\Neo Napster 3.1\setupneonapster.exe/data0006 Infected: not-a-virus:AdWare.Win32.Ucmore skipped
E:\New Folder M-Z\Neo Napster 3.1\setupneonapster.exe/data0007/data0002 Infected: not-a-virus:AdWare.Win32.BargainBuddy.v skipped
E:\New Folder M-Z\Neo Napster 3.1\setupneonapster.exe/data0007/data0003 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
E:\New Folder M-Z\Neo Napster 3.1\setupneonapster.exe/data0007 Infected: not-a-virus:AdWare.Win32.BargainBuddy.a skipped
E:\New Folder M-Z\Neo Napster 3.1\setupneonapster.exe/data0008 Suspicious: not-a-virus:AdWare.Win32.GigatechSuperBar skipped
E:\New Folder M-Z\Neo Napster 3.1\setupneonapster.exe/data0009 Infected: not-a-virus:AdWare.Win32.180Solutions.m skipped
E:\New Folder M-Z\Neo Napster 3.1\setupneonapster.exe/data0010 Infected: not-a-virus:AdWare.Win32.EZula.d skipped
E:\New Folder M-Z\Neo Napster 3.1\setupneonapster.exe/data0011/data0115 Infected: not-a-virus:AdWare.Win32.TopMoxie.d skipped
E:\New Folder M-Z\Neo Napster 3.1\setupneonapster.exe/data0011 Infected: not-a-virus:AdWare.Win32.TopMoxie.d skipped
E:\New Folder M-Z\Neo Napster 3.1\setupneonapster.exe/data0012 Infected: not-a-virus:AdWare.Win32.IGetNet skipped
E:\New Folder M-Z\Neo Napster 3.1\setupneonapster.exe Inno: infected - 11, suspicious - 1 skipped
E:\New Folder M-Z\NeoWorx\SpyAgent4Trial.exe/SpyAgent4.exe Infected: not-a-virus:Monitor.Win32.SpyAgent.40001 skipped
E:\New Folder M-Z\NeoWorx\SpyAgent4Trial.exe/SystemSA32.dll Infected: not-a-virus:Monitor.Win32.SpyAgent.40001 skipped
E:\New Folder M-Z\NeoWorx\SpyAgent4Trial.exe/Deploy.exe Infected: not-a-virus:Monitor.Win32.SpyAgent.43302 skipped
E:\New Folder M-Z\NeoWorx\SpyAgent4Trial.exe/SpyRename.exe Infected: not-a-virus:Monitor.Win32.SpyAgent.40001 skipped
E:\New Folder M-Z\NeoWorx\SpyAgent4Trial.exe Vise: infected - 4 skipped
E:\New Folder M-Z\Rock XP4\RockXP4.exe/data.rar/pwdump2/pwdump2.exe Infected: not-a-virus:PSWTool.Win32.PWDump.2 skipped
E:\New Folder M-Z\Rock XP4\RockXP4.exe/data.rar/pwdump2/samdump.dll Infected: not-a-virus:PSWTool.Win32.PWDump.2 skipped
E:\New Folder M-Z\Rock XP4\RockXP4.exe/data.rar/RockXP4_.exe Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
E:\New Folder M-Z\Rock XP4\RockXP4.exe/data.rar Infected: not-a-virus:PSWTool.Win32.RAS.a skipped
E:\New Folder M-Z\Rock XP4\RockXP4.exe RarSFX: infected - 4 skipped
E:\New Folder M-Z\Screen Savers\Living Wilderness 1.0\wildswCNET.exe/WISE0030.BIN/SaveNow.exe Infected: not-a-virus:AdWare.Win32.SaveNow.av skipped
E:\New Folder M-Z\Screen Savers\Living Wilderness 1.0\wildswCNET.exe/WISE0030.BIN/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
E:\New Folder M-Z\Screen Savers\Living Wilderness 1.0\wildswCNET.exe/WISE0030.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
E:\New Folder M-Z\Screen Savers\Living Wilderness 1.0\wildswCNET.exe WiseSFX: infected - 3 skipped
E:\New Folder M-Z\Screen Savers\Rainbows\sinstaller2.exe/data0002 Infected: not-a-virus:AdWare.Win32.Comet.ac skipped
E:\New Folder M-Z\Screen Savers\Rainbows\sinstaller2.exe NSIS: infected - 1 skipped
E:\New Folder M-Z\Ultra Virtual desktop\UVFDInstaller.exe/data0005 Infected: not-a-virus:AdWare.Win32.Sahat.as skipped
E:\New Folder M-Z\Ultra Virtual desktop\UVFDInstaller.exe/data0006 Infected: not-a-virus:AdWare.Win32.Sahat.as skipped
E:\New Folder M-Z\Ultra Virtual desktop\UVFDInstaller.exe NSIS: infected - 2 skipped
E:\New Folder M-Z\Utilities Four\Cain and Able Password Cracker\cain25b47.exe/WISE0018.BIN Infected: not-a-virus:PSWTool.Win32.Cain.c skipped
E:\New Folder M-Z\Utilities Four\Cain and Able Password Cracker\cain25b47.exe/WISE0023.BIN Infected: not-a-virus:PSWTool.Win32.Cain.b skipped
E:\New Folder M-Z\Utilities Four\Cain and Able Password Cracker\cain25b47.exe/WISE0025.BIN Infected: not-a-virus:PSWTool.Win32.Cain.b skipped
E:\New Folder M-Z\Utilities Four\Cain and Able Password Cracker\cain25b47.exe WiseSFX: infected - 3 skipped
E:\New Folder M-Z\Warez\WarezP2P_TDL.exe/stream/data0040 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
E:\New Folder M-Z\Warez\WarezP2P_TDL.exe/stream/data0041 Infected: Packed.Win32.PolyCrypt.d skipped
E:\New Folder M-Z\Warez\WarezP2P_TDL.exe/stream Infected: Packed.Win32.PolyCrypt.d skipped
E:\New Folder M-Z\Warez\WarezP2P_TDL.exe NSIS: infected - 3 skipped
E:\New Folder M-Z\WebCelerator-DO NOT USE-LOCKS UP\webcelerator_setup-rng.exe/msbb.exe Infected: not-a-virus:AdWare.Win32.180Solutions skipped
E:\New Folder M-Z\WebCelerator-DO NOT USE-LOCKS UP\webcelerator_setup-rng.exe/TTstub.exe Infected: not-a-virus:AdWare.Win32.EZula.bc skipped
E:\New Folder M-Z\WebCelerator-DO NOT USE-LOCKS UP\webcelerator_setup-rng.exe/HbInst.exe Infected: not-a-virus:AdWare.Win32.Hotbar.ab skipped
E:\New Folder M-Z\WebCelerator-DO NOT USE-LOCKS UP\webcelerator_setup-rng.exe ZIP: infected - 3 skipped
E:\New Folder M-Z\webshots installer\webspace.exe/WISE0030.BIN Infected: not-a-virus:AdWare.Win32.Gator.1050 skipped
E:\New Folder M-Z\webshots installer\webspace.exe WiseSFX: infected - 1 skipped
E:\New Folder M-Z\webshots installer\webup.exe/WISE0028.BIN Infected: not-a-virus:AdWare.Win32.Gator.1050 skipped
E:\New Folder M-Z\webshots installer\webup.exe WiseSFX: infected - 1 skipped
loanboss
2007-11-14, 02:20
Please Help, Thank You Mark (Continued)
Kaspersky log part 3
E:\New Folder M-Z\Ws_ftp Professional 2006\This Copy May Have A Virus\setup.exe/stream/data0001 Infected: Backdoor.Win32.VB.apv skipped
E:\New Folder M-Z\Ws_ftp Professional 2006\This Copy May Have A Virus\setup.exe/stream/data0003 Infected: Backdoor.Win32.VB.apv skipped
E:\New Folder M-Z\Ws_ftp Professional 2006\This Copy May Have A Virus\setup.exe/stream Infected: Backdoor.Win32.VB.apv skipped
E:\New Folder M-Z\Ws_ftp Professional 2006\This Copy May Have A Virus\setup.exe NSIS: infected - 3 skipped
E:\New Folder M-Z\Ws_ftp Professional 2006\This Copy May Have A Virus\Ws_ftp Professional 2006\setup.exe/stream/data0001 Infected: Backdoor.Win32.VB.apv skipped
E:\New Folder M-Z\Ws_ftp Professional 2006\This Copy May Have A Virus\Ws_ftp Professional 2006\setup.exe/stream/data0003 Infected: Backdoor.Win32.VB.apv skipped
E:\New Folder M-Z\Ws_ftp Professional 2006\This Copy May Have A Virus\Ws_ftp Professional 2006\setup.exe/stream Infected: Backdoor.Win32.VB.apv skipped
E:\New Folder M-Z\Ws_ftp Professional 2006\This Copy May Have A Virus\Ws_ftp Professional 2006\setup.exe NSIS: infected - 3 skipped
E:\New Folder M-Z\Ws_ftp Professional 2006\This Copy May Have A Virus\Ws_ftp Professional 2006.rar/Ws_ftp Professional 2006/setup.exe/stream/data0001 Infected: Backdoor.Win32.VB.apv skipped
E:\New Folder M-Z\Ws_ftp Professional 2006\This Copy May Have A Virus\Ws_ftp Professional 2006.rar/Ws_ftp Professional 2006/setup.exe/stream/data0003 Infected: Backdoor.Win32.VB.apv skipped
E:\New Folder M-Z\Ws_ftp Professional 2006\This Copy May Have A Virus\Ws_ftp Professional 2006.rar/Ws_ftp Professional 2006/setup.exe/stream Infected: Backdoor.Win32.VB.apv skipped
E:\New Folder M-Z\Ws_ftp Professional 2006\This Copy May Have A Virus\Ws_ftp Professional 2006.rar/Ws_ftp Professional 2006/setup.exe Infected: Backdoor.Win32.VB.apv skipped
E:\New Folder M-Z\Ws_ftp Professional 2006\This Copy May Have A Virus\Ws_ftp Professional 2006.rar RAR: infected - 4 skipped
E:\New Folder M-Z\Zipitfast 2.0\zipset2.exe/data Infected: not-a-virus:AdWare.Win32.ShowBehind.a skipped
E:\New Folder M-Z\Zipitfast 2.0\zipset2.exe SetupFactory: infected - 1 skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\COMPUTERS\486drive\486 C-drive\c on 486 (486)\Program Files\Yahoo!\Companion\ycomp5_0_2_7.dll Infected: not-a-virus:AdWare.Win32.Yahoo skipped
F:\Flash\Exposé\exposesetup-1-0-90.exe/exposesetup-1-0-90.msi/Cabs.w1.cab/libssl32097.dll Infected: not-a-virus:NetTool.Win32.STunnel.404 skipped
F:\Flash\Exposé\exposesetup-1-0-90.exe/exposesetup-1-0-90.msi/Cabs.w1.cab Infected: not-a-virus:NetTool.Win32.STunnel.404 skipped
F:\Flash\Exposé\exposesetup-1-0-90.exe/exposesetup-1-0-90.msi Infected: not-a-virus:NetTool.Win32.STunnel.404 skipped
F:\Flash\Exposé\exposesetup-1-0-90.exe 7-Zip: infected - 3 skipped
F:\My Videos\MISCELLANEOUS VIDEOS\New Folder\Reporter_Gets_a_Surprise_explosion_in_the_Face_encrypted.wmv Infected: Trojan-Downloader.WMA.Wimad.h skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
F:\Utilities\Cain and Able Password Cracker\cain25b47.exe/WISE0018.BIN Infected: not-a-virus:PSWTool.Win32.Cain.c skipped
F:\Utilities\Cain and Able Password Cracker\cain25b47.exe/WISE0023.BIN Infected: not-a-virus:PSWTool.Win32.Cain.b skipped
F:\Utilities\Cain and Able Password Cracker\cain25b47.exe/WISE0025.BIN Infected: not-a-virus:PSWTool.Win32.Cain.b skipped
F:\Utilities\Cain and Able Password Cracker\cain25b47.exe WiseSFX: infected - 3 skipped
F:\Utilities\get right\getrt45a.exe/WISE0087.BIN Infected: not-a-virus:AdWare.Win32.Gator.1050 skipped
F:\Utilities\get right\getrt45a.exe WiseSFX: infected - 1 skipped
F:\Utilities\get right\getrt45c.exe/WISE0087.BIN Infected: not-a-virus:AdWare.Win32.Gator.1050 skipped
F:\Utilities\get right\getrt45c.exe WiseSFX: infected - 1 skipped
F:\Utilities\get right\getrt45d.exe/WISE0087.BIN Infected: not-a-virus:AdWare.Win32.Gator.1050 skipped
F:\Utilities\get right\getrt45d.exe WiseSFX: infected - 1 skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
H:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:03:59 PM, on 11/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Ektron\Plugins\Service\ExtensionService.exe
C:\Program Files\Ektron\EktronWindowsService20\Ektron.ASM.EktronServices20.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.reuters.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\PROGRA~1\E-BOOK~1\FLIPVI~1\fplaunch.dll
O2 - BHO: PaltalkWebLogin - {502C3BA4-2C3E-4317-BC29-C0445E82B1F9} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: {83964761-7f80-c31a-8d44-91edadc8002f} - {f2008cda-de19-44d8-a13c-08f716746938} - C:\WINDOWS\system32\sxrjyplo.dll (file missing)
O2 - BHO: CallingID for IE - {FBF2401B-7447-4727-BE5D-C19B2075CA84} - C:\Program Files\CallingID\CallingIDIE.dll
O3 - Toolbar: CallingID - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CallingID\CallingIDIE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Ektron Explorer - {D4CA7B06-ADAB-4E61-BF0C-BEBAA21243F5} - C:\Program Files\Ektron\Ektron Explorer\Ektbartb.dll
O3 - Toolbar: Public_Domain - {60297340-0E84-49F7-A8BE-C33E263C29E5} - C:\PROGRA~1\PUBLIC~1\PUBLIC~1.DLL
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [CallControl 4.5] C:\Program Files\FaxTalk Communicator\FTCtrl32.exe /autoload
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1004336348-1788223648-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1004336348-1788223648-839522115-1003\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" (User '?')
O4 - HKUS\S-1-5-21-1004336348-1788223648-839522115-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Content Management - {0DAFD3A5-512F-4ae8-8EE7-21C66ACA534E} - C:\Program Files\Ektron\Ektron Explorer\Ektbartb.dll
O9 - Extra 'Tools' menuitem: Content Management - {0DAFD3A5-512F-4ae8-8EE7-21C66ACA534E} - C:\Program Files\Ektron\Ektron Explorer\Ektbartb.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\WINDOWS\system32\shdocvw.dll (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/securityadvisor/virusinfo/webscan.cab
O21 - SSODL: gimmicks - {40dcff6e-af8d-4183-8ebe-a82270ac449e} - (no file)
O22 - SharedTaskScheduler: gimmicks - {40dcff6e-af8d-4183-8ebe-a82270ac449e} - (no file)
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Ektron Extensibility Server (EktronExtensibilityServer) - Ektron, Inc. - C:\Program Files\Ektron\Plugins\Service\ExtensionService.exe
O23 - Service: Ektron Windows Services 2.0 (EktronWindowsServices20) - Unknown owner - C:\Program Files\Ektron\EktronWindowsService20\Ektron.ASM.EktronServices20.exe
O23 - Service: FLEXnet Licensing Service - Unknown owner - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Tenebril antispyware satellite (TNBRLDS) - Unknown owner - C:\Program Files\GhostSurf 2005\DeleteSvc.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 12636 bytes
loanboss
2007-11-18, 23:53
This file has had no response for 5 days so I ran a SmitFraud scan and Panda online. See new HJT run as showme.exe and Panda scan results. Computer still shows adware in system areas.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:36:43 PM, on 11/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Ektron\Plugins\Service\ExtensionService.exe
C:\Program Files\Ektron\EktronWindowsService20\Ektron.ASM.EktronServices20.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CallingID\CallingIDGlobal.exe
C:\WINDOWS\system32\wisptis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\userco1\Desktop\showme.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\PROGRA~1\E-BOOK~1\FLIPVI~1\fplaunch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CallingID for IE - {FBF2401B-7447-4727-BE5D-C19B2075CA84} - C:\Program Files\CallingID\CallingIDIE.dll
O3 - Toolbar: CallingID - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CallingID\CallingIDIE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Ektron Explorer - {D4CA7B06-ADAB-4E61-BF0C-BEBAA21243F5} - C:\Program Files\Ektron\Ektron Explorer\Ektbartb.dll
O3 - Toolbar: Public_Domain - {60297340-0E84-49F7-A8BE-C33E263C29E5} - C:\PROGRA~1\PUBLIC~1\PUBLIC~1.DLL
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [CallControl 4.5] C:\Program Files\FaxTalk Communicator\FTCtrl32.exe /autoload
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1004336348-1788223648-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1004336348-1788223648-839522115-1003\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" (User '?')
O4 - HKUS\S-1-5-21-1004336348-1788223648-839522115-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Content Management - {0DAFD3A5-512F-4ae8-8EE7-21C66ACA534E} - C:\Program Files\Ektron\Ektron Explorer\Ektbartb.dll
O9 - Extra 'Tools' menuitem: Content Management - {0DAFD3A5-512F-4ae8-8EE7-21C66ACA534E} - C:\Program Files\Ektron\Ektron Explorer\Ektbartb.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Ektron Extensibility Server (EktronExtensibilityServer) - Ektron, Inc. - C:\Program Files\Ektron\Plugins\Service\ExtensionService.exe
O23 - Service: Ektron Windows Services 2.0 (EktronWindowsServices20) - Unknown owner - C:\Program Files\Ektron\EktronWindowsService20\Ektron.ASM.EktronServices20.exe
O23 - Service: FLEXnet Licensing Service - Unknown owner - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Tenebril antispyware satellite (TNBRLDS) - Unknown owner - C:\Program Files\GhostSurf 2005\DeleteSvc.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 11696 bytes
Panda Online Scanner
Incident Status Location
Adware:adware/superspider Not disinfected c:\windows\system32\services
Adware:adware/igetnet Not disinfected c:\windows\system\rules.dat
Adware:adware/xmllib Not disinfected c:\windows\winini.exe
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\userco1\Cookies\userco1@atdmt[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\userco1\Desktop\SmitfraudFix\Process.exe
Potentially unwanted tool:Application/SuperFast Not disinfected C:\Documents and Settings\userco1\Desktop\SmitfraudFix\restart.exe
Hacktool:HackTool/Cain Not disinfected C:\Program Files\Cain\Cain.exe
Hi
1. Download this file -
combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your desktop.
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply with a fresh hjt log.
Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
loanboss
2007-11-28, 06:57
ComboFix 07-11-19.4 - userco1 2007-11-27 22:36:01.11 - NTFSx86
Running from: C:\Documents and Settings\userco1\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
.
2007-11-26 08:26 <DIR> d-------- C:\SWSetup
2007-11-25 23:18 <DIR> d-------- C:\Program Files\LSoft Technologies
2007-11-25 23:18 <DIR> d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2007-11-18 23:48 <DIR> d-------- C:\Program Files\Alex Feinman
2007-11-18 13:50 <DIR> d-------- C:\Program Files\ACW
2007-11-15 20:46 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-11-15 20:46 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-11-15 14:32 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2007-11-15 14:08 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\CA
2007-11-13 10:12 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2007-11-13 10:01 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-11 09:49 <DIR> d-------- C:\VundoFix Backups
2007-11-11 07:56 584,425 --ahs---- C:\WINDOWS\system32\cmvevwmq.ini
2007-11-11 07:55 88,128 --a------ C:\WINDOWS\system32\qmwvevmc.dll
2007-11-10 23:37 <DIR> d-------- C:\Documents and Settings\Administrator.USERCO\Application Data\Ipswitch
2007-11-09 15:43 <DIR> d-------- C:\Documents and Settings\userco1\Application Data\Shepherd 10-18-07
2007-11-09 14:35 <DIR> d-------- C:\Program Files\Voicent
2007-11-08 13:59 <DIR> d-------- C:\Program Files\Terminal Services Client MSI
2007-11-08 10:59 <DIR> d-------- C:\Program Files\Snapshot Viewer
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-28 04:35 --------- d-----w C:\Documents and Settings\userco1\Application Data\CallingID
2007-11-27 15:07 --------- d-----w C:\Program Files\LogMeIn
2007-11-21 07:12 --------- d-----w C:\Program Files\America Online 8.0
2007-11-18 19:14 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-11-18 19:00 --------- d-----w C:\Program Files\eFax Messenger 4.2
2007-11-18 18:56 --------- d-----w C:\Program Files\CallingID
2007-11-17 19:52 --------- d-----w C:\Program Files\PowerISO
2007-11-16 23:20 3,894 ----a-w C:\WINDOWS\system32\tmp.reg
2007-11-10 21:15 --------- d-----w C:\Documents and Settings\userco1\Application Data\Auto Dialer Pro
2007-11-10 21:01 --------- d-----w C:\Program Files\Ektron
2007-11-10 20:54 85,056 ----a-w C:\WINDOWS\system32\uxgqwmgw.dll
2007-11-05 16:43 --------- d-----w C:\Program Files\Replay Converter
2007-10-31 18:27 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\CallingID
2007-10-26 15:04 --------- d-----w C:\Program Files\Replay Media Catcher
2007-10-26 15:03 737,280 -c--a-w C:\WINDOWS\iun6002.exe
2007-10-26 15:03 3,655,488 ----a-w C:\Program Files\FLV PlayerRCATSetup.exe
2007-10-26 15:03 --------- d-----w C:\Documents and Settings\userco1\Application Data\GetRightToGo
2007-10-26 15:02 411,248 ----a-w C:\Program Files\FLV PlayerRCSetup.exe
2007-10-26 15:02 --------- d-----w C:\Program Files\FLV Player
2007-10-23 00:31 --------- d-----w C:\Program Files\Mp3Doctor
2007-10-23 00:02 53,248 ----a-w C:\WINDOWS\SIUnInst.exe
2007-10-22 20:33 --------- d-----w C:\Program Files\Sayz Me
2007-10-22 16:28 --------- d-----w C:\Program Files\Simpleology
2007-10-21 02:41 --------- d-----w C:\Program Files\FaxTalk Communicator
2007-10-19 16:20 --------- d-----w C:\Program Files\Common Files\L&H
2007-10-19 16:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-19 16:16 --------- d-----w C:\Program Files\Microsoft Reader
2007-10-18 23:00 --------- d-----w C:\Program Files\Auto Dialer Pro
2007-10-18 19:35 --------- d-----w C:\Documents and Settings\userco1\Application Data\dialpro_test
2007-10-18 19:32 --------- d-----w C:\Documents and Settings\userco1\Application Data\phoneex_test
2007-10-17 23:06 71,680 ----a-w C:\WINDOWS\ST5UNST.EXE
2007-10-17 16:46 4,535 ----a-w C:\WINDOWS\BWRESTOR.REG
2007-10-17 16:46 4,091 ----a-w C:\WINDOWS\BWCHANGE.REG
2007-10-17 16:42 27,648 ----a-w C:\WINDOWS\system32\bwprnmon.dll
2007-10-17 15:35 --------- d-----w C:\Program Files\CONEXANT
2007-10-16 21:39 --------- d-----w C:\Documents and Settings\userco1\Application Data\phonepro_test
2007-10-16 20:06 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Thought Communications
2007-10-16 08:59 --------- d-----w C:\Program Files\WhatsRunning
2007-10-08 23:34 --------- d-----w C:\Program Files\Duplicate File Finder
2007-10-03 20:12 --------- d-----w C:\Program Files\Hewlett-Packard
2007-10-03 19:33 --------- d-----w C:\Documents and Settings\userco1\Application Data\eFax Messenger
2007-10-03 19:33 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\eFax Messenger 4.2 Setup
2007-03-26 17:54 5,632 -csha-w C:\Program Files\Thumbs.db
2006-07-19 12:53 0 -csha-r C:\Program Files\gamespy arcade
2006-05-18 01:30 49 -c--a-w C:\Documents and Settings\userco1\info.dat
2006-05-17 23:40 2,100 -c--a-w C:\Documents and Settings\userco1\drizzle.dat
2006-02-05 04:45 85 -c--a-w C:\Program Files\FixBmalE.log
2006-01-18 23:42 172,216 -c--a-w C:\Program Files\FixBmalE.exe
2006-01-06 23:19 3,540,480 -c--a-w C:\Program Files\copernicagentbasic.exe
2001-09-17 23:00 82,206 -c--a-w C:\Program Files\installScreen.jpg
2001-09-06 22:02 91,469 -c--a-w C:\Program Files\installScreen2.jpg
2007-03-09 07:12 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.
((((((((((((((((((((((((((((( snapshot_2007-11-27_22.08.38.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-27 15:59:08 250,733 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-11-28 04:32:24 250,736 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-11-28 04:28:20 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_6ec.dat
+ 2007-11-28 04:28:43 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_a60.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{60297340-0E84-49F7-A8BE-C33E263C29E5}"= C:\PROGRA~1\PUBLIC~1\PUBLIC~1.DLL [2007-03-02 09:55 987136]
[HKEY_CLASSES_ROOT\clsid\{60297340-0e84-49f7-a8be-c33e263c29e5}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-04-29 11:40]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CoolSwitch"="C:\WINDOWS\System32\taskswitch.exe" [2002-03-19 18:30]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 18:23 C:\WINDOWS\StartupMonitor.exe]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 17:41]
"Samsung Common SM"="C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 01:20]
"RegistryMechanic"="" []
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-29 21:35]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-05-02 13:50]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2004-11-26 06:42]
"LiveMonitor"="C:\Program Files\MSI\Live Update 3\LMonitor.exe" [2004-05-06 14:57]
"AudioDeck"="C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [2004-06-23 20:28]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"NvMediaCenter"="RunDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 13:03]
"DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2005-07-26 16:52]
"eFax 4.2"="C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" [2006-07-14 14:36]
"CallControl 4.5"="C:\Program Files\FaxTalk Communicator\FTCtrl32.exe" [2004-03-23 14:43]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-05-25 14:22 63040 C:\WINDOWS\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll 2001-12-20 21:34 24576 C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 22:41:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-27 22:43:19
C:\ComboFix2.txt ... 2007-11-15 17:55
.
--- E O F ---
loanboss
2007-11-28, 06:58
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:48:55 PM, on 11/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Ektron\Plugins\Service\ExtensionService.exe
C:\Program Files\Ektron\EktronWindowsService20\Ektron.ASM.EktronServices20.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.reuters.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\PROGRA~1\E-BOOK~1\FLIPVI~1\fplaunch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CallingID for IE - {FBF2401B-7447-4727-BE5D-C19B2075CA84} - C:\Program Files\CallingID\CallingIDIE.dll
O3 - Toolbar: CallingID - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CallingID\CallingIDIE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Ektron Explorer - {D4CA7B06-ADAB-4E61-BF0C-BEBAA21243F5} - C:\Program Files\Ektron\Ektron Explorer\Ektbartb.dll
O3 - Toolbar: Public_Domain - {60297340-0E84-49F7-A8BE-C33E263C29E5} - C:\PROGRA~1\PUBLIC~1\PUBLIC~1.DLL
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [CallControl 4.5] C:\Program Files\FaxTalk Communicator\FTCtrl32.exe /autoload
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-21-1004336348-1788223648-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1004336348-1788223648-839522115-1003\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" (User '?')
O4 - HKUS\S-1-5-21-1004336348-1788223648-839522115-1003\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User '?')
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Content Management - {0DAFD3A5-512F-4ae8-8EE7-21C66ACA534E} - C:\Program Files\Ektron\Ektron Explorer\Ektbartb.dll
O9 - Extra 'Tools' menuitem: Content Management - {0DAFD3A5-512F-4ae8-8EE7-21C66ACA534E} - C:\Program Files\Ektron\Ektron Explorer\Ektbartb.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Ektron Extensibility Server (EktronExtensibilityServer) - Ektron, Inc. - C:\Program Files\Ektron\Plugins\Service\ExtensionService.exe
O23 - Service: Ektron Windows Services 2.0 (EktronWindowsServices20) - Unknown owner - C:\Program Files\Ektron\EktronWindowsService20\Ektron.ASM.EktronServices20.exe
O23 - Service: FLEXnet Licensing Service - Unknown owner - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Tenebril antispyware satellite (TNBRLDS) - Unknown owner - C:\Program Files\GhostSurf 2005\DeleteSvc.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 11846 bytes
Hi
Disable Spybot's TeaTimer (you may re-enable it when system is clean)
Run Spybot-S&D in Advanced Mode. If it is not already set to do this, go to the Mode menu and select Advanced Mode.
On the left hand side, click on Tools, then click on the Resident icon in the list.
Uncheck Resident TeaTimer and OK any prompts.
Restart your computer
Start hjt, click do a system scan only, check:
R1 - HKCU\Software\Microsoft\Internet Explorer,SearchURL = about:blank
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)
Close browsers and other windows. Click fix checked.
Open notepad and copy/paste the text in the quotebox below into it:
File::
C:\WINDOWS\system32\cmvevwmq.ini
C:\WINDOWS\system32\qmwvevmc.dll
C:\WINDOWS\system32\uxgqwmgw.dll
Folder::
C:\VundoFix Backups
Save this as CFScript
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
Referring to the picture above, drag CFScript into ComboFix.exe.
* Go here ( http://www.eset.eu/online-scanner) to run an online scanner from ESET.
Note: You will need to use Internet explorer for this scan
Tick the box next to YES, I accept the Terms of Use.
Click Start
When asked, allow the activex control to install
Click Start
Make sure that the option Remove found threats and the option Scan unwanted applications is checkmarked.
Click Scan
Wait for the scan to finish
Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
Copy and paste that log as a reply to this topic, along with a new HijackThis log and ComboFix log & a description of any remaining problems
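The fix above was worked out by hand: the helper spotted two randomly named files in system32 whose names are mirror images of each other (cmvevwmq.ini / qmwvevmc.dll, a well-known Vundo/Virtumonde dropping pattern), an orphaned BHO with "(no file)", and then wrote a CFScript with File:: and Folder:: sections for ComboFix. The script below is an added example, not part of this thread or of ComboFix/HijackThis, that automates that triage over pasted log lines: it parses ComboFix "Files Created"/Find3M entries, pairs a .dll with an .ini whose basename is the reversed .dll basename, lists files carrying both hidden and system attributes, pulls HijackThis entries that point at missing files, and emits a CFScript body. The sample lines are copied from the logs in this thread; the regexes, the reversed-name and attribute heuristics, and every function name are this example's own assumptions, and hits are candidates for a human to review, not verdicts.

```python
"""Triage helpers for ComboFix / HijackThis log lines (added example, heuristic only)."""
import re

# ComboFix "Files Created" and Find3M lines look like:
#   2007-11-11 07:56 584,425 --ahs---- C:\WINDOWS\system32\cmvevwmq.ini
#   2007-11-26 08:26 <DIR> d-------- C:\SWSetup
#   2007-11-10 20:54 85,056 ----a-w C:\WINDOWS\system32\uxgqwmgw.dll
# The attribute field is 9 chars in the first section and 7 in Find3M.
CF_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|<DIR>|-+)\s+"
    r"(?P<attrs>[-a-zA-Z]{7,9})\s+"
    r"(?P<path>.+?)\s*$"
)

# HijackThis marks orphaned load points with "(no file)" or "(file missing)".
HJT_ORPHAN = re.compile(r"^O\d+ - .*\((?:no file|file missing)\)\s*$")

# Constructed sample input: lines taken from the ComboFix and HJT logs in this thread.
SAMPLE_COMBOFIX = [
    r"2007-11-11 09:49 <DIR> d-------- C:\VundoFix Backups",
    r"2007-11-11 07:56 584,425 --ahs---- C:\WINDOWS\system32\cmvevwmq.ini",
    r"2007-11-11 07:55 88,128 --a------ C:\WINDOWS\system32\qmwvevmc.dll",
    r"2007-11-15 20:46 30,590 --a------ C:\WINDOWS\system32\pavas.ico",
    r"2007-11-10 20:54 85,056 ----a-w C:\WINDOWS\system32\uxgqwmgw.dll",
]
SAMPLE_HJT = [
    "O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - (no file)",
    r"O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    r"O23 - Service: FLEXnet Licensing Service - Unknown owner - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (file missing)",
]


def parse_combofix(lines):
    """Parse ComboFix file-listing lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in lines:
        m = CF_LINE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["name"] = entry["path"].rsplit("\\", 1)[-1]
            entries.append(entry)
    return entries


def find_reversed_pairs(entries):
    """Return (dll_path, ini_path) where the .ini basename is the .dll basename reversed.

    Heuristic (assumption of this example): Vundo variants drop a random-named DLL
    beside an .ini whose name is the DLL name spelled backwards.
    """
    by_key = {}
    for e in entries:
        name = e["name"].lower()
        if "." in name:
            stem, ext = name.rsplit(".", 1)
            by_key.setdefault((stem, ext), e)
    pairs = []
    for (stem, ext), e in by_key.items():
        if ext == "dll":
            ini = by_key.get((stem[::-1], "ini"))
            if ini:
                pairs.append((e["path"], ini["path"]))
    return pairs


def hidden_system(entries):
    """Paths whose attribute field carries both the hidden (h) and system (s) flags."""
    return [e["path"] for e in entries if "h" in e["attrs"] and "s" in e["attrs"]]


def hjt_orphans(lines):
    """HijackThis entries whose target file no longer exists."""
    return [l.strip() for l in lines if HJT_ORPHAN.match(l.strip())]


def build_cfscript(files, folders=()):
    """Render the File::/Folder:: sections a ComboFix CFScript uses."""
    out = []
    if files:
        out.append("File::")
        out.extend(files)
    if folders:
        out.append("Folder::")
        out.extend(folders)
    return "\n".join(out) + "\n"


def triage(combofix_lines, hjt_lines):
    """Run every heuristic and collect the results for review."""
    entries = parse_combofix(combofix_lines)
    pairs = find_reversed_pairs(entries)
    files = sorted({p for pair in pairs for p in pair} | set(hidden_system(entries)))
    return {
        "pairs": pairs,
        "hidden_system": hidden_system(entries),
        "orphans": hjt_orphans(hjt_lines),
        "cfscript": build_cfscript(files),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_COMBOFIX, SAMPLE_HJT)
    for dll, ini in result["pairs"]:
        print("reversed-name pair:", dll, "<->", ini)
    for orphan in result["orphans"]:
        print("orphaned HJT entry:", orphan)
    print(result["cfscript"])
```

The reversed-name check is deliberately narrow so it does not fire on the many legitimate random-looking DLLs a system carries; uxgqwmgw.dll in the sample has no mirrored .ini and is therefore not flagged, even though the helper (correctly) added it to the fix by other means. Treat the output as a shortlist to verify against file timestamps, signatures and the rest of the log, as the helper did.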
loanboss
2007-11-29, 05:02
Do I need to turn off System Restore to clear the information ESET found?
Thank you for all the help
Mark
ESET Log
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2691 (20071128)
# vers_arch_module=1.059 (20071108)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=86316cc808f94c49860a394d10b8fcf8
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2007-11-28 09:06:36
# local_time=2007-11-28 03:06:36 (-0600, Central Standard Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=1285482
# found=4
# scan_time=16702
C:\RECYCLER\S-1-5-21-1004336348-1788223648-839522115-500\Dc22.lnk Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
C:\RECYCLER\S-1-5-21-1004336348-1788223648-839522115-500\Dc23.lnk Win32/Adware.SecToolbar application (unable to clean - deleted) 00000000000000000000000000000000
G:\In Question\Neo Napster\setupneonapster.exe a variant of Win32/Adware.SAHAgent application (deleted) 00000000000000000000000000000000
G:\In Question\Neo Napster\setupneonapster.exe »WISE »bdmkl1001.exe a variant of Win32/Adware.SAHAgent application (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
Combofix log
ComboFix 07-11-19.4 - userco1 2007-11-28 9:49:20.12 - NTFSx86
Running from: C:\Documents and Settings\userco1\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\userco1\Desktop\CFScript.txt
FILE
C:\WINDOWS\system32\cmvevwmq.ini
C:\WINDOWS\system32\qmwvevmc.dll
C:\WINDOWS\system32\uxgqwmgw.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\VundoFix Backups
C:\WINDOWS\system32\cmvevwmq.ini
C:\WINDOWS\system32\qmwvevmc.dll
C:\WINDOWS\system32\uxgqwmgw.dll
.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
.
2007-11-26 08:26 <DIR> d-------- C:\SWSetup
2007-11-25 23:18 <DIR> d-------- C:\Program Files\LSoft Technologies
2007-11-25 23:18 <DIR> d-a------ C:\Documents and Settings\All Users.WINDOWS\Application Data\TEMP
2007-11-18 23:48 <DIR> d-------- C:\Program Files\Alex Feinman
2007-11-18 13:50 <DIR> d-------- C:\Program Files\ACW
2007-11-15 20:46 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-11-15 14:32 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Spybot - Search & Destroy
2007-11-15 14:08 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\CA
2007-11-13 10:12 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-13 10:12 <DIR> d-------- C:\Documents and Settings\All Users.WINDOWS\Application Data\Kaspersky Lab
2007-11-13 10:01 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-10 23:37 <DIR> d-------- C:\Documents and Settings\Administrator.USERCO\Application Data\Ipswitch
2007-11-09 15:43 <DIR> d-------- C:\Documents and Settings\userco1\Application Data\Shepherd 10-18-07
2007-11-09 14:35 <DIR> d-------- C:\Program Files\Voicent
2007-11-08 13:59 <DIR> d-------- C:\Program Files\Terminal Services Client MSI
2007-11-08 10:59 <DIR> d-------- C:\Program Files\Snapshot Viewer
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-28 15:30 --------- d-----w C:\Documents and Settings\userco1\Application Data\CallingID
2007-11-28 13:51 --------- d-----w C:\Program Files\LogMeIn
2007-11-21 07:12 --------- d-----w C:\Program Files\America Online 8.0
2007-11-18 19:14 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-11-18 19:00 --------- d-----w C:\Program Files\eFax Messenger 4.2
2007-11-18 18:56 --------- d-----w C:\Program Files\CallingID
2007-11-17 19:52 --------- d-----w C:\Program Files\PowerISO
2007-11-16 23:20 3,894 ----a-w C:\WINDOWS\system32\tmp.reg
2007-11-10 21:15 --------- d-----w C:\Documents and Settings\userco1\Application Data\Auto Dialer Pro
2007-11-10 21:01 --------- d-----w C:\Program Files\Ektron
2007-11-05 16:43 --------- d-----w C:\Program Files\Replay Converter
2007-10-31 18:27 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\CallingID
2007-10-26 15:04 --------- d-----w C:\Program Files\Replay Media Catcher
2007-10-26 15:03 737,280 -c--a-w C:\WINDOWS\iun6002.exe
2007-10-26 15:03 3,655,488 ----a-w C:\Program Files\FLV PlayerRCATSetup.exe
2007-10-26 15:03 --------- d-----w C:\Documents and Settings\userco1\Application Data\GetRightToGo
2007-10-26 15:02 411,248 ----a-w C:\Program Files\FLV PlayerRCSetup.exe
2007-10-26 15:02 --------- d-----w C:\Program Files\FLV Player
2007-10-23 00:31 --------- d-----w C:\Program Files\Mp3Doctor
2007-10-23 00:02 53,248 ----a-w C:\WINDOWS\SIUnInst.exe
2007-10-22 20:33 --------- d-----w C:\Program Files\Sayz Me
2007-10-22 16:28 --------- d-----w C:\Program Files\Simpleology
2007-10-21 02:41 --------- d-----w C:\Program Files\FaxTalk Communicator
2007-10-19 16:20 --------- d-----w C:\Program Files\Common Files\L&H
2007-10-19 16:16 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-19 16:16 --------- d-----w C:\Program Files\Microsoft Reader
2007-10-18 23:00 --------- d-----w C:\Program Files\Auto Dialer Pro
2007-10-18 19:35 --------- d-----w C:\Documents and Settings\userco1\Application Data\dialpro_test
2007-10-18 19:32 --------- d-----w C:\Documents and Settings\userco1\Application Data\phoneex_test
2007-10-17 23:06 71,680 ----a-w C:\WINDOWS\ST5UNST.EXE
2007-10-17 16:46 4,535 ----a-w C:\WINDOWS\BWRESTOR.REG
2007-10-17 16:46 4,091 ----a-w C:\WINDOWS\BWCHANGE.REG
2007-10-17 16:42 27,648 ----a-w C:\WINDOWS\system32\bwprnmon.dll
2007-10-17 15:35 --------- d-----w C:\Program Files\CONEXANT
2007-10-16 21:39 --------- d-----w C:\Documents and Settings\userco1\Application Data\phonepro_test
2007-10-16 20:06 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\Thought Communications
2007-10-16 08:59 --------- d-----w C:\Program Files\WhatsRunning
2007-10-08 23:34 --------- d-----w C:\Program Files\Duplicate File Finder
2007-10-03 20:12 --------- d-----w C:\Program Files\Hewlett-Packard
2007-10-03 19:33 --------- d-----w C:\Documents and Settings\userco1\Application Data\eFax Messenger
2007-10-03 19:33 --------- d-----w C:\Documents and Settings\All Users.WINDOWS\Application Data\eFax Messenger 4.2 Setup
2007-03-26 17:54 5,632 -csha-w C:\Program Files\Thumbs.db
2006-07-19 12:53 0 -csha-r C:\Program Files\gamespy arcade
2006-05-18 01:30 49 -c--a-w C:\Documents and Settings\userco1\info.dat
2006-05-17 23:40 2,100 -c--a-w C:\Documents and Settings\userco1\drizzle.dat
2006-02-05 04:45 85 -c--a-w C:\Program Files\FixBmalE.log
2006-01-18 23:42 172,216 -c--a-w C:\Program Files\FixBmalE.exe
2006-01-06 23:19 3,540,480 -c--a-w C:\Program Files\copernicagentbasic.exe
2001-09-17 23:00 82,206 -c--a-w C:\Program Files\installScreen.jpg
2001-09-06 22:02 91,469 -c--a-w C:\Program Files\installScreen2.jpg
2007-03-09 07:12 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.
((((((((((((((((((((((((((((( snapshot_2007-11-27_22.08.38.03 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-27 15:59:08 250,733 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-11-28 15:57:24 250,733 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-11-28 15:57:14 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_7b8.dat
+ 2007-11-28 15:57:38 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_a80.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{60297340-0E84-49F7-A8BE-C33E263C29E5}"= C:\PROGRA~1\PUBLIC~1\PUBLIC~1.DLL [2007-03-02 09:55 987136]
[HKEY_CLASSES_ROOT\clsid\{60297340-0e84-49f7-a8be-c33e263c29e5}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2003-04-29 11:40]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CoolSwitch"="C:\WINDOWS\System32\taskswitch.exe" [2002-03-19 18:30]
"Run StartupMonitor"="StartupMonitor.exe" [2000-05-20 18:23 C:\WINDOWS\StartupMonitor.exe]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 17:41]
"Samsung Common SM"="C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" [2005-07-03 01:20]
"RegistryMechanic"="" []
"cctray"="C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe" [2007-08-29 21:35]
"CAVRID"="C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe" [2007-05-02 13:50]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2004-11-26 06:42]
"LiveMonitor"="C:\Program Files\MSI\Live Update 3\LMonitor.exe" [2004-05-06 14:57]
"AudioDeck"="C:\Program Files\VIAudioi\SBADeck\ADeck.exe" [2004-06-23 20:28]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"NvMediaCenter"="RunDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 13:03]
"DiskeeperSystray"="C:\Program Files\Executive Software\Diskeeper\DkIcon.exe" [2005-07-26 16:52]
"eFax 4.2"="C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" [2006-07-14 14:36]
"CallControl 4.5"="C:\Program Files\FaxTalk Communicator\FTCtrl32.exe" [2004-03-23 14:43]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveTrack"= 1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-05-25 14:22 63040 C:\WINDOWS\system32\LMIinit.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll 2001-12-20 21:34 24576 C:\PROGRA~1\OBJECT~1\WINDOW~1\fastload.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\I]
\Shell\AutoRun\command - I:\LaunchU3.exe -a
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 10:00:24
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-28 10:03:29 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-27 22:43
C:\ComboFix3.txt ... 2007-11-15 17:55
.
--- E O F ---
loanboss
2007-11-29, 05:03
New HJT Log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:44:02 PM, on 11/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Ektron\Plugins\Service\ExtensionService.exe
C:\Program Files\Ektron\EktronWindowsService20\Ektron.ASM.EktronServices20.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\taskswitch.exe
C:\WINDOWS\StartupMonitor.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe
C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe
C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
C:\Program Files\CallingID\CallingIDGlobal.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wisptis.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = Download Directory
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.reuters.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - C:\PROGRA~1\E-BOOK~1\FLIPVI~1\fplaunch.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: CallingID for IE - {FBF2401B-7447-4727-BE5D-C19B2075CA84} - C:\Program Files\CallingID\CallingIDIE.dll
O3 - Toolbar: CallingID - {10134636-E7AF-4AC5-A1DC-C7C44BB97D81} - C:\Program Files\CallingID\CallingIDIE.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Ektron Explorer - {D4CA7B06-ADAB-4E61-BF0C-BEBAA21243F5} - C:\Program Files\Ektron\Ektron Explorer\Ektbartb.dll
O3 - Toolbar: Public_Domain - {60297340-0E84-49F7-A8BE-C33E263C29E5} - C:\PROGRA~1\PUBLIC~1\PUBLIC~1.DLL
O4 - HKLM\..\Run: [CoolSwitch] C:\WINDOWS\System32\taskswitch.exe
O4 - HKLM\..\Run: [Run StartupMonitor] StartupMonitor.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [Samsung Common SM] "C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe" /autorun
O4 - HKLM\..\Run: [cctray] "C:\Program Files\CA\CA Internet Security Suite\cctray\cctray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\CAVRID.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [eFax 4.2] "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R
O4 - HKLM\..\Run: [CallControl 4.5] C:\Program Files\FaxTalk Communicator\FTCtrl32.exe /autoload
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKUS\S-1-5-21-1004336348-1788223648-839522115-1003\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-1004336348-1788223648-839522115-1003\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" (User '?')
O8 - Extra context menu item: &NeoTrace It! - C:\PROGRA~1\NEOTRA~1\NTXcontext.htm
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: Download all videos using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Content Management - {0DAFD3A5-512F-4ae8-8EE7-21C66ACA534E} - C:\Program Files\Ektron\Ektron Explorer\Ektbartb.dll
O9 - Extra 'Tools' menuitem: Content Management - {0DAFD3A5-512F-4ae8-8EE7-21C66ACA534E} - C:\Program Files\Ektron\Ektron Explorer\Ektbartb.dll
O9 - Extra button: MktBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra 'Tools' menuitem: MarketBrowser - {17A27031-71FC-11d4-815C-005004D0F1FA} - C:\Program Files\MarketBrowser\lmt\MarketBrowser_Launch.xpy
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\PROGRA~1\NEOTRA~1\NTXtoolbar.htm (HKCU)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) -
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} -
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: CaCCProvSP - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\ccprovsp.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\ISafe.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: Ektron Extensibility Server (EktronExtensibilityServer) - Ektron, Inc. - C:\Program Files\Ektron\Plugins\Service\ExtensionService.exe
O23 - Service: Ektron Windows Services 2.0 (EktronWindowsServices20) - Unknown owner - C:\Program Files\Ektron\EktronWindowsService20\Ektron.ASM.EktronServices20.exe
O23 - Service: FLEXnet Licensing Service - Unknown owner - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\Alex Feinman\ISO Recorder\ImapiHelper.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite 2005.SR2a\RpcSandraSrv.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Tenebril antispyware satellite (TNBRLDS) - Unknown owner - C:\Program Files\GhostSurf 2005\DeleteSvc.exe (file missing)
O23 - Service: VET Message Service (VETMSGNT) - CA, Inc. - C:\Program Files\CA\CA Internet Security Suite\CA Anti-Virus\VetMsg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
--
End of file - 11730 bytes
Do I need to turn off restore to clear the information ESET found?
ESET deleted those already (however, we'll create a clean system restore point in the instructions below). Clean the recycler bin (for all user accounts) though. Also delete the c:\qoobox and c:\combofix folders and the combofix.exe file on your desktop.
Well, congrats, it appears your system is all clean. Are you still noticing any problems? If not, it's time to secure your system to prevent against further intrusions.
THESE STEPS ARE VERY IMPORTANT
Let's reset system restore
Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing those files. This is the only way to clean these files: you will lose all previous restore points, which are likely to be infected. Please note you need Administrator access to clean the restore points.
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.
3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
NOTE: only do this ONCE, NOT on a regular basis.
UPDATING WINDOWS AND INTERNET EXPLORER
IMPORTANT: You need to update Windows and Internet Explorer to protect your computer from the malware that is around on the Internet. Please go to the Windows Update site (http://windowsupdate.microsoft.com/) to get the critical updates.
If you are running Microsoft Office, or any portion thereof, go to Microsoft's Office Update site and make sure you have at least all the critical updates installed (free): Microsoft Office Update.
Make your Internet Explorer more secure
This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt
Change the Download unsigned ActiveX controls to Disable
Change the Initialize and script ActiveX controls not marked as safe to Disable
Change the Installation of desktop items to Prompt
Change the Launching programs and files in an IFRAME to Prompt
Change the Navigate sub-frames across different domains to Prompt
When all these settings have been made, click on the OK button.
If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.
The following are recommended third party programs that are designed to keep your computer clean. A link as well as a brief description is included with each item.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Download Adaware
Adaware is a free program. It scans for known spyware on your computer. These scans should be run at least once every two weeks. For more information, see this tutorial (http://www.bleepingcomputer.com/forums/index.php?showtutorial=48)
The program is available for download here (http://www.download.com/Ad-Aware-SE-Personal-Edition/3000-8022_4-10319876.html?tag=lst-0-1)
Download SpywareBlaster
SpywareBlaster is a program that stops known malicious ActiveX controls from installing on your computer. It works by changing settings in your registry. It makes kill bits in the registry, so that certain ActiveX controls can't install.
If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
You can download SpywareBlaster here (http://majorgeeks.com/downloadget.php?id=2859&file=11&evp=61b0e8ad41924a03c37615f4682b4cef)
SpywareBlaster tutorial (http://www.bleepingcomputer.com/forums/tutorial49.html)
Download iespyad
It puts many bad webpages on your restricted zones list. This means that you can still view the bad webpages, but the webpages cannot do certain things (such as use JavaScript and cookies).
If you need help understanding how it works, there is a tutorial here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
Download it here (http://www.spywarewarrior.com/uiuc/res/ie-spyad.exe)
hosts file:
Every version of Windows has a hosts file as part of it. In a very basic sense, it is used to locate webpages. We can customize a hosts file so that it blocks certain webpages. However, it can slow down certain computers. This is why using a hosts file is optional!!
Download it here (http://www.mvps.org/winhelp2002/hosts.htm). Make sure you read the instructions on how to install the hosts file. There is a good tutorial here (http://www.bleepingcomputer.com/forums/tutorial51.html)
If you decide to download the hosts file, the slowdown problems can usually be avoided by following these steps:
Click the Start button (at the lower left hand corner of your screen).
Click Run.
In the dialog box, type services.msc and hit Enter, then locate DNS Client.
Highlight it, then double-click it.
On the dropdown box, change the setting from Automatic to Manual.
Click OK.
Just a final reminder for you. I am trying to stress these two points.
UPDATE UPDATE UPDATE!!! Make sure you do this about every 1-2 weeks.
Make sure all of your security programs are up to date.
Run the spybot and adaware regularly. (Once or twice a week minimum.)
Visit Microsoft's Windows Update site frequently - It is important that you visit http://www.windowsupdate.com regularly. This will ensure your computer always has the latest available security updates installed. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.
Once again, please post and tell me how things are going with your system... problems etc.
Have a great day,
Blade :cool:
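Blade's Internet Explorer hardening steps and the kill bits SpywareBlaster sets can both be verified from PowerShell. The script below is an added example, not code from the thread or from any tool named in it; it assumes the Internet-zone action IDs and the 0/1/3 (Enable/Prompt/Disable) encoding that Microsoft documents in KB 182569 and the standard ActiveX Compatibility kill-bit key, and the function names are mine.

```powershell
# Added example (not from the thread): audit the IE hardening described in the post.
# Zone action IDs and value meanings follow Microsoft KB 182569; the kill-bit key and
# the 0x400 flag follow Microsoft's kill-bit documentation. Function names are mine.
$ZoneKey     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # 3 = Internet zone
$KillBitRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KillBitFlag = 0x400   # Compatibility Flags bit that tells IE never to load the control

# The six settings from the post and the value each should hold (0 Enable, 1 Prompt, 3 Disable)
$Recommended = [ordered]@{
    '1001' = @{ Name = 'Download signed ActiveX controls';                          Want = 1 }
    '1004' = @{ Name = 'Download unsigned ActiveX controls';                        Want = 3 }
    '1201' = @{ Name = 'Initialize and script ActiveX controls not marked as safe'; Want = 3 }
    '1800' = @{ Name = 'Installation of desktop items';                             Want = 1 }
    '1804' = @{ Name = 'Launching programs and files in an IFRAME';                 Want = 1 }
    '1607' = @{ Name = 'Navigate sub-frames across different domains';              Want = 1 }
}

function Test-IEInternetZoneHardening {
    # Caveat: if Security_HKLM_only is set under HKLM\...\Internet Settings, the HKLM copy
    # of the zone key is the effective one; pass that path explicitly in that case.
    param([string]$Path = $ZoneKey)
    $labels = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
    $props  = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($id in $Recommended.Keys) {
        $current = $props.$id                       # DWORD value named after the action ID
        $want    = $Recommended[$id].Want
        if ($null -eq $current) { $currentLabel = '(zone default)' }
        else                    { $currentLabel = $labels[[int]$current] }
        [pscustomobject]@{
            Setting     = $Recommended[$id].Name
            Current     = $currentLabel
            Recommended = $labels[$want]
            Compliant   = ($null -ne $current) -and ([int]$current -eq $want)
        }
    }
}

function Test-ActiveXKillBit {
    # True when the kill bit is set for this CLSID (what SpywareBlaster does for known-bad controls).
    # On 64-bit Windows the Wow6432Node copy of the key should be checked as well.
    param([Parameter(Mandatory)][string]$Clsid)   # braces included, e.g. '{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}'
    $key = Join-Path -Path $KillBitRoot -ChildPath $Clsid
    if (-not (Test-Path -LiteralPath $key)) { return $false }
    $flags = (Get-ItemProperty -LiteralPath $key).'Compatibility Flags'
    return ($null -ne $flags) -and (([int]$flags -band $KillBitFlag) -ne 0)
}

function Get-KillBitCount {
    # Number of kill-bitted CLSIDs: a quick check that SpywareBlaster's protection is actually applied
    $n = 0
    foreach ($sub in Get-ChildItem -LiteralPath $KillBitRoot -ErrorAction SilentlyContinue) {
        if (Test-ActiveXKillBit -Clsid $sub.PSChildName) { $n++ }
    }
    return $n
}

Test-IEInternetZoneHardening | Format-Table -AutoSize
"Kill-bitted CLSIDs: $(Get-KillBitCount)"
```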
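As an added example (not from the thread) of how the hosts-file blocking described above works and where its limits are, this PowerShell script reads the Windows hosts file the way the resolver does, answers whether a given name is blocked, and reports the start mode of the DNS Client service that the post tells you to change; the function names are mine.

```powershell
# Added example (not from the thread): parse the hosts file as the resolver does
# (address, then one or more names; '#' starts a comment) and list the names it
# blocks, i.e. pins to 0.0.0.0 or 127.0.0.1. Function names are mine.
$HostsPath = Join-Path -Path $env:SystemRoot -ChildPath 'System32\drivers\etc\hosts'

function Get-HostsBlocklist {
    param([string]$Path = $HostsPath)
    $blocked = @{}
    foreach ($line in Get-Content -LiteralPath $Path) {
        $text = ($line -split '#', 2)[0].Trim()          # strip comments and whitespace
        if (-not $text) { continue }
        $tokens  = $text -split '\s+'
        $address = $tokens[0]
        if ($address -notin @('0.0.0.0', '127.0.0.1')) { continue }   # a real mapping, not a block
        foreach ($name in ($tokens | Select-Object -Skip 1)) {
            $lower = $name.ToLowerInvariant()
            if ($lower -eq 'localhost') { continue }      # the stock entry, not a block
            $blocked[$lower] = $address
        }
    }
    return $blocked
}

function Test-HostsBlocked {
    # Hosts entries are exact-name matches: an entry for "ads.example" does not cover
    # "www.ads.example", which is the main gap in hosts-file blocking.
    param([Parameter(Mandatory)][string]$HostName, [Parameter(Mandatory)][hashtable]$Blocklist)
    return $Blocklist.ContainsKey($HostName.ToLowerInvariant())
}

function Get-DnsClientStartMode {
    # The slowdown with a large hosts file involves the DNS Client service (Dnscache);
    # the post's fix, from an elevated prompt: Set-Service -Name Dnscache -StartupType Manual
    (Get-CimInstance -ClassName Win32_Service -Filter "Name='Dnscache'").StartMode
}

$list = Get-HostsBlocklist
"Blocked names in hosts file: $($list.Count)"
"www.example.com blocked: $(Test-HostsBlocked -HostName 'www.example.com' -Blocklist $list)"
"DNS Client start mode: $(Get-DnsClientStartMode)"
```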
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)
If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.
Everyone else please begin a New Topic.