View Full Version : Virtumonde and Smitfruad infection
Capt.Craig
2007-11-17, 01:58
Thank you guys in advance. It's getting out of control
HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:45:58 PM, on 11/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\mrofinu72.exe
C:\Program Files\InstallShield Installation Information\mefenega77798.exe
C:\DOCUME~1\USERNA~1\APPLIC~1\TSKS~1\smss.exe
C:\Documents and Settings\(SomeUserName)\My Documents\s?curity\t?skmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\QdrModule\QdrModule9.exe
C:\Documents and Settings\(SomeUserName)\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\(SomeUserName)\Application Data\Microsoft\Windows\capvt.exe
C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\AOL\1156897658\ee\AOLHostManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\AOL\1156897658\ee\AOLServiceHost.exe
C:\Program Files\Common Files\AOL\1156897658\ee\AOLServiceHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q306&bd=presario&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmail.ufl.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.1.2:80
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll (file missing)
O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\Program Files\ISM\BndDrive7.dll (file missing)
O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive3.dll (file missing)
O2 - BHO: (no name) - {E38BFD4C-348D-692B-8B5C-38E670870BEB} - C:\WINDOWS\system32\abiyswj.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE /FU "C:\WINDOWS\TEMP\E_S169.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [EPSON Stylus CX6000 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE /FU "C:\WINDOWS\TEMP\E_S2B0.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [EPSON Stylus CX6000 Series (Copy 2)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE /FU "C:\WINDOWS\TEMP\E_S266.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A284661A64DB7C8F0287E55E246220D9E728F9FC17D446BC57D5170E744AB97
O4 - HKLM\..\Run: [mefenega] C:\Program Files\InstallShield Installation Information\mefenega77798.exe
O4 - HKCU\..\Run: [Tbsa] "C:\DOCUME~1\USERNA~1\APPLIC~1\TSKS~1\smss.exe" -vt yazb
O4 - HKCU\..\Run: [Plbru] "C:\Documents and Settings\(SomeUserName)\My Documents\s?curity\t?skmgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [QdrModule9] "C:\Program Files\QdrModule\QdrModule9.exe"
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\(SomeUserName)\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\(SomeUserName)\Application Data\Microsoft\Windows\capvt.exe
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Java\rterege.html
--
End of file - 8247 bytes
Kaspersky on next post
Capt.Craig
2007-11-17, 02:01
Kaspersky
Friday, November 16, 2007 5:14:50 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/11/2007
Kaspersky Anti-Virus database records: 460571
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 88044
Number of viruses found 41
Number of infected objects 98
Number of suspicious objects 4
Duration of the scan process 01:35:10
Infected Object Name Virus Name Last Action
C:\417C.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\417C.tmp NSIS: infected - 1 skipped
C:\4186.tmp Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\63.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\63.tmp NSIS: infected - 1 skipped
C:\64.tmp/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\64.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\64.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\64.tmp NSIS: infected - 3 skipped
C:\66.tmp Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\Documents and Settings\All Users\Application Data\AOL\browser\history.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt.zip/retadpu11.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinAgentqt.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip/Yazzle1552OinUninstaller.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\(SomeUserName)\Application Data\Aim\pegajowo\RuskinRaider03\cert8.db Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Application Data\Aim\pegajowo\RuskinRaider03\key3.db Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Application Data\Microsoft\Windows\capvt.exe Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Application Data\WinTouch\WinTouch.exe Infected: Trojan-Downloader.Win32.Agent.fct skipped
C:\Documents and Settings\(SomeUserName)\Application Data\WinTouch\WTUninstaller.exe Infected: Trojan-Downloader.Win32.Agent.buo skipped
C:\Documents and Settings\(SomeUserName)\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\(SomeUserName)\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\(SomeUserName)\History\History.IE5\MSHist012007111620071117\index.dat Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\bndupd4.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.AdBand.c skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\bndupd4.exe/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\bndupd4.exe/stream Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\bndupd4.exe NSIS: infected - 3 skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\camg-77798.exe/data0004 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\camg-77798.exe NSIS: infected - 1 skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\cmdinst.exe/file1 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\cmdinst.exe/file2 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\cmdinst.exe/file4 Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\cmdinst.exe Inno: infected - 3 skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\MBDownloader_876923.exe Infected: not-a-virus:AdWare.Win32.NetNucleus.b skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\mit422.tmp/NNBar_VCSetup_876923_LOG_IES_NoDMY_AFF.exe Infected: not-a-virus:AdWare.Win32.Mirar.i skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\mit422.tmp CAB: infected - 1 skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\mit422.tmp.cab/NNBar_VCSetup_876923_LOG_IES_NoDMY_AFF.exe Infected: not-a-virus:AdWare.Win32.Mirar.i skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\mit422.tmp.cab CAB: infected - 1 skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\NNBar_VCSetup_876923_LOG_IES_NoDMY_AFF.exe Infected: not-a-virus:AdWare.Win32.Mirar.i skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\tsinstall_4_0_4_0_b4.exe/WISE0009.BIN Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\tsinstall_4_0_4_0_b4.exe/WISE0010.BIN Infected: Trojan-Downloader.Win32.TSUpdate.p skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\tsinstall_4_0_4_0_b4.exe/WISE0011.BIN Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\tsinstall_4_0_4_0_b4.exe/WISE0012.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\tsinstall_4_0_4_0_b4.exe WiseSFX: infected - 4 skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe/WISE0009.BIN Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe/WISE0010.BIN Infected: Trojan-Downloader.Win32.TSUpdate.r skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe/WISE0011.BIN Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe/WISE0012.BIN Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe WiseSFX: infected - 4 skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\~DFF6FD.tmp Object is locked skipped
C:\Documents and Settings\(SomeUserName)\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\(SomeUserName)\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Temporary Internet Files\Content.IE5\EZ2LADCH\c1f5cc94a30f082054f3a00e6655462d[1].zip/b103.exe Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\Documents and Settings\(SomeUserName)\Temporary Internet Files\Content.IE5\EZ2LADCH\c1f5cc94a30f082054f3a00e6655462d[1].zip ZIP: infected - 1 skipped
C:\Documents and Settings\(SomeUserName)\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\iiru\iirua.exe Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\Program Files\Common Files\iiru\iirua.lck Object is locked skipped
C:\Program Files\Common Files\iiru\iirul.exe Infected: Trojan-Downloader.Win32.TSUpdate.r skipped
C:\Program Files\Common Files\iiru\iirup.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\Program Files\InstallShield Installation Information\mefenega77798.exe Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP193\A0040190.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP193\A0040192.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP198\A0040387.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ft skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP205\A0040475.exe Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP206\A0040525.dll Infected: not-a-virus:AdWare.Win32.AdBand.c skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP206\A0040526.exe Infected: not-a-virus:Downloader.Win32.Agent.q skipped
Let me know how I can help
Capt.Craig
2007-11-17, 02:01
the rest of the Kaspersky
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP207\A0040602.dll Infected: not-a-virus:AdWare.Win32.PurityScan.fs skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP207\A0040603.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP207\A0040603.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP207\A0040603.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP223\A0043596.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP223\A0043596.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP223\A0043596.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP226\A0044739.dll Infected: not-a-virus:AdWare.Win32.PurityScan.fs skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP227\A0044766.dll Infected: not-a-virus:AdWare.Win32.PurityScan.fs skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP230\A0044966.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gh skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP235\A0047136.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gh skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP236\A0047187.exe Infected: not-a-virus:AdWare.Win32.Agent.jn skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP237\A0047204.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gk skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP237\A0047205.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP237\A0047205.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP237\A0047205.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP246\A0048381.exe Infected: Trojan-Downloader.Win32.Agent.fak skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP246\A0048386.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gk skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP246\A0048474.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP246\A0048474.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP246\A0048474.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP246\A0048477.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP246\A0048478.dll Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP246\A0048480.dll Infected: not-a-virus:AdWare.Win32.AdBand.c skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP246\A0048482.exe Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP246\A0048484.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.jn skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP246\A0048484.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP248\A0048573.dll Infected: not-a-virus:AdWare.Win32.Mirar.e skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP248\A0048575.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP248\A0048576.exe Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP248\A0048578.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP249\A0048646.exe Infected: Trojan-Downloader.Win32.Agent.fak skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP249\A0048647.exe Infected: Trojan-Downloader.Win32.Agent.erf skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP249\A0048648.exe Infected: Trojan.Win32.Agent.crf skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP250\A0048698.exe Infected: not-a-virus:AdWare.Win32.Agent.tj skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP250\A0048725.exe Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP250\A0049088.exe Infected: Trojan-Downloader.Win32.Adload.ni skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP250\change.log Object is locked skipped
C:\WINDOWS\b103.exe Infected: not-a-virus:AdWare.Win32.Rond.d skipped
C:\WINDOWS\b104.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\WINDOWS\b104.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\WINDOWS\b104.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\WINDOWS\b104.exe NSIS: infected - 3 skipped
C:\WINDOWS\b122.exe Infected: Trojan-Downloader.Win32.Agent.erf skipped
C:\WINDOWS\b138.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\WINDOWS\b143.exe Infected: Trojan-Downloader.Win32.Agent.epl skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Q3JhaWcgQm9uZmllbGQ\asappsrv.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\WINDOWS\Q3JhaWcgQm9uZmllbGQ\command.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\abiyswj.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gl skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP250\change.log Object is locked skipped
Scan process completed.
pskelley
2007-11-23, 14:45
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Sorry for the wait, the volunteers have more than they can handle right now. You are very infected and you have a Vundo infection which can be very hard to remove. This will take some time and unless you are patient, understand how to follow directions and are comfortable working on your computer, you may want to seek local professional help, an option would be to reformat.
If you wish to continue, please read the directions again, especially this one:
Note: In notepad under Format, uncheck "Word Wrap" Produce all HJT logs like this, single spaced.
single-spaced - (of type or print) not having a blank space between lines.It may be some items in the logs are doing this, just be sure you have it turned off.
1) see this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\jre1.5.0_06\ <<< update Java and uninsall all old versions in Add Remove programs.
2) You also have PurityScan/OIN, post an uninstall list:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)
3) C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <<< return here and rename HJT, call it Capt.Craig.exe. After a restart we should get a better look at the hidden malware.
4) Let's look for Smitfraud: http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.
Search:
Double-click SmitfraudFix.exe
Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm
Post the C:\rapport.txt, the uninstall list a new HJT log and any comments you think will help.
Thanks
Capt.Craig
2007-11-23, 22:20
RAPPORT
SmitFraudFix v2.253
Scan done at 14:38:43.70, Fri 11/23/2007
Run from C:\Documents and Settings\(SomeUserName)\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{A3AB1AF2-CB73-4424-822F-EC1FBE438DA4}: DhcpNameServer=205.152.132.23 205.152.37.23
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A3AB1AF2-CB73-4424-822F-EC1FBE438DA4}: DhcpNameServer=205.152.132.23 205.152.37.23
HKLM\SYSTEM\CS2\Services\Tcpip\..\{A3AB1AF2-CB73-4424-822F-EC1FBE438DA4}: DhcpNameServer=205.152.132.23 205.152.37.23
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=205.152.132.23 205.152.37.23
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=205.152.132.23 205.152.37.23
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=205.152.132.23 205.152.37.23
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» End
UNINSTALL_LIST
5 Card Slingo from Hewlett-Packard Laptops (remove only)
Adobe Flash Player ActiveX
Adobe Reader 6.0.1
AOL Explorer
AOL Instant Messenger
Apple Software Update
Command and Conquer Europe V1.0
Conexant HD Audio
Crystal Maze from Hewlett-Packard Laptops (remove only)
Customer Experience Enhancement
Deer Hunter 2004 - Legendary Hunting
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
Easy Internet Sign-up
EPSON Printer Software
EPSON Scan
Flip Words from Hewlett-Packard Laptops (remove only)
Google Earth
HDAUDIO Soft Data Fax Modem with SmartCP
HijackThis 2.0.2
HP DVD Play 2.1
HP Game Console and games
HP Help and Support
HP Imaging Device Functions 6.0
HP Memories Disc
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
HP Photo and Imaging 2.0 - hp psc 1200 series
HP Photosmart Premier Software 6.0
hp psc 1200 series
HP Quick Launch Buttons 6.00 E2
HP Rhapsody
HP Software Update
HP User Guides 0019
HP User Guides--System Recovery
HP Wireless Assistant 2.00 E1
Insaniquarium Deluxe from Hewlett-Packard Laptops (remove only)
Intel(R) Graphics Media Accelerator Driver
Intel(R) PRO Network Connections Drivers
Internet Speed Monitor
iTunes
Java(TM) 6 Update 3
Kaspersky Online Scanner
Macromedia Flash Player 8
Mah Jong Quest from Hewlett-Packard Laptops (remove only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Money 2006
Microsoft Office Standard Edition 2003
Microsoft Works
Mozilla Firefox (2.0.0.2)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
muvee autoProducer 4.5
Netscape Browser (remove only)
NetWaiting
Office 2003 Trial Assistant
Quicken 2006
QuickTime
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Skype 2.5
SmartAudio
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
Spybot - Search & Destroy 1.4
Synaptics Pointing Device Driver
Texas Instruments PCIxx21/x515/xx12 drivers.
TourSetup
Tradewinds from Hewlett-Packard Laptops (remove only)
Viewpoint Manager (Remove Only)
Viewpoint Media Player
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
WinRAR archiver
Wireless Home Network Setup
Yahoo! Toolbar
HJT LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:17:25 PM, on 11/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\mrofinu72.exe
C:\Program Files\InstallShield Installation Information\mefenega77798.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\DOCUME~1\CRAIGB~1\APPLIC~1\TSKS~1\smss.exe
C:\Documents and Settings\(SomeUserName)\My Documents\s?curity\t?skmgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\QdrModule\QdrModule9.exe
C:\Documents and Settings\(SomeUserName)\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\(SomeUserName)\Application Data\Microsoft\Windows\capvt.exe
C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\AOL\1156897658\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1156897658\ee\AOLServiceHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\AOL\1156897658\ee\AOLServiceHost.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\Capt.Craig.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.1.2:80
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll (file missing)
O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\Program Files\ISM\BndDrive7.dll (file missing)
O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive3.dll (file missing)
O2 - BHO: (no name) - {E38BFD4C-348D-692B-8B5C-38E670870BEB} - C:\WINDOWS\system32\abiyswj.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [EPSON Stylus CX6000 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE /FU "C:\WINDOWS\TEMP\E_S169.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [EPSON Stylus CX6000 Series (Copy 1)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE /FU "C:\WINDOWS\TEMP\E_S2B0.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [EPSON Stylus CX6000 Series (Copy 2)] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE /FU "C:\WINDOWS\TEMP\E_S266.tmp" /EF "HKLM"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu72.exe 61A847B5BBF72815308B2B27128065E9C084320161C4661227A755E9C2933154389A284661A64DB7C8F0287E55E246220D9E728F9FC17D446BC57D5170E744AB97
O4 - HKLM\..\Run: [mefenega] C:\Program Files\InstallShield Installation Information\mefenega77798.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Tbsa] "C:\DOCUME~1\CRAIGB~1\APPLIC~1\TSKS~1\smss.exe" -vt yazb
O4 - HKCU\..\Run: [Plbru] "C:\Documents and Settings\(SomeUserName)\My Documents\s?curity\t?skmgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [QdrModule9] "C:\Program Files\QdrModule\QdrModule9.exe"
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\(SomeUserName)\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\(SomeUserName)\Application Data\Microsoft\Windows\capvt.exe
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Java\rterege.html
--
End of file - 8023 bytes
pskelley
2007-11-23, 22:40
Thanks, no evidence of Smitfraud in that scan, you may delete that tool from your computer.
Thanks to sUBs and anyone else who helped with this fix.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Thanks
Capt.Craig
2007-11-24, 03:01
Ok, ran combofix, however when it ended, it said it was producing a report and said not to run any programs. I let it sit for an hour and nothing happened. I closed the window and tried again several times and had the same thing happen. I looked in the combofix folder at C:/Combofix and did see a notpad item named "combofix". I am not sure if this is the true report but I posted it. Let me know what you think.
Report from "Combofix" notepad:
ComboFix 07-11-19.3 - (SomeUserName) 2007-11-23 17:42:49.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1256.962.1033.18.211 [GMT -5:00]
Running from: C:\Documents and Settings\(SomeUserName)\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\(SomeUserName)\Application Data\TSKS~1
C:\Documents and Settings\(SomeUserName)\Application Data\TSKS~1\smss.exe
C:\Documents and Settings\(SomeUserName)\Application Data\TSKS~1\T?sks\
C:\Documents and Settings\(SomeUserName)\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\(SomeUserName)\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\(SomeUserName)\Application Data\WinTouch\WTUninstaller.exe
C:\Documents and Settings\(SomeUserName)\My Documents\DOBE~1
C:\Documents and Settings\(SomeUserName)\My Documents\SCURIT~1
C:\Documents and Settings\(SomeUserName)\My Documents\SCURIT~1\t?skmgr.exe
C:\Documents and Settings\(SomeUserName)\My Documents\SMBOLS~1
C:\Documents and Settings\(SomeUserName)\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\(SomeUserName)\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\(SomeUserName)\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\(SomeUserName)\Start Menu\Programs\Outerinfo
C:\Documents and Settings\(SomeUserName)\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\(SomeUserName)\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\asks~1
C:\Program Files\Common Files\iiru
C:\Program Files\Common Files\iiru\iirua.exe
C:\Program Files\Common Files\iiru\iirua.lck
C:\Program Files\Common Files\iiru\iirud\class-barrel
C:\Program Files\Common Files\iiru\iirud\iiruc.dll
C:\Program Files\Common Files\iiru\iirud\vocabulary
C:\Program Files\Common Files\iiru\iiruh
C:\Program Files\Common Files\iiru\iirul.exe
C:\Program Files\Common Files\iiru\iirul.lck
C:\Program Files\Common Files\iiru\iirum.lck
C:\Program Files\Common Files\iiru\iirup.exe
C:\Program Files\Common Files\sstem~1
C:\Program Files\Common Files\sstem3~1
C:\Program Files\Java\rterege.html
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\QdrPack9.exe
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\sstem~1
C:\Program Files\Temporary
C:\WINDOWS\b103.exe
C:\WINDOWS\b104.exe
C:\WINDOWS\b111.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\b143.exe
C:\WINDOWS\b147.exe
C:\WINDOWS\dobe~1
C:\WINDOWS\iiru
C:\WINDOWS\iiru\iiru.dat
C:\WINDOWS\iiru\wu
C:\WINDOWS\stem32~1
C:\WINDOWS\system32\abiyswj.dll
C:\WINDOWS\system32\icqmlib.exe
C:\WINDOWS\system32\icroso~1
C:\WINDOWS\system32\iepref32.dll
C:\WINDOWS\system32\ierplc.dll
C:\WINDOWS\system32\ips.dll
C:\WINDOWS\system32\lanmandrv.sys
C:\WINDOWS\system32\lanmanwrk.exe
C:\WINDOWS\system32\laprxy.dllexe
C:\WINDOWS\system32\ocxapi.dll
C:\WINDOWS\system32\ocxloader.exe
C:\WINDOWS\system32\qmopt.dll
C:\WINDOWS\system32\winnb58.dll
C:\WINDOWS\system32\wnsapiisv32.exe
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_LANMANDRV
-------\lanmandrv
((((((((((((((((((((((((( Files Created from 2007-10-23 to 2007-11-23 )))))))))))))))))))))))))))))))
.
HJT report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:54, on 2007-11-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QdrModule\QdrModule9.exe
C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\AOL\1156897658\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1156897658\ee\AOLServiceHost.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\Capt.Craig.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.1.2:80
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll (file missing)
O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\Program Files\ISM\BndDrive7.dll (file missing)
O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive3.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [mefenega] C:\Program Files\InstallShield Installation Information\mefenega77798.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Tbsa] "C:\DOCUME~1\CRAIGB~1\APPLIC~1\TSKS~1\smss.exe" -vt yazb
O4 - HKCU\..\Run: [Plbru] "C:\Documents and Settings\(SomeUserName)\My Documents\s?curity\t?skmgr.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [QdrModule9] "C:\Program Files\QdrModule\QdrModule9.exe"
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 6376 bytes
pskelley
2007-11-24, 14:42
Thanks for returning your information and the feedback, that is the information I need but it appears you did not post it all? The log will be longer than that. If you just cut it off, post the part you did not post. If need be, run combofix again, seeing that total log may be important as it scans for rootkits and more. Remember to always click Edit then Select All in Notepad. That will highlite all of the information.
((((((((((((((((((((((((( Files Created from 2007-10-23 to 2007-11-23 )))))))))))))))))))))))))))))))
files combofix was not sure of that may or may not be bad will show in the area of the log.
I'll continue on with the cleanup while I wait for the combofix log.
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
3) Start > Control Panel > Add Remove programs and uninstall QdrModule if there.
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: BndShell3 BHO Class - {875A1348-7674-42aa-ADAC-B4F36A004A2D} - C:\Program Files\QdrDrive\QdrDrive8.dll (file missing)
O2 - BHO: BndShell3 BHO Class - {8ABA9A9C-8791-4d61-8D5B-BCC9448EA573} - C:\Program Files\ISM\BndDrive7.dll (file missing)
O2 - BHO: BndDrive2 BHO Class - {8B27CC68-110C-46a9-80D3-F3107DE6EB98} - C:\Program Files\ISM\BndDrive3.dll (file missing)
O4 - HKLM\..\Run: [mefenega] C:\Program Files\InstallShield Installation Information\mefenega77798.exe
O4 - HKCU\..\Run: [Tbsa] "C:\DOCUME~1\USERNA~1\APPLIC~1\TSKS~1\smss.exe" -vt yazb
O4 - HKCU\..\Run: [Plbru] "C:\Documents and Settings\(SomeUserName)\My Documents\s?curity\t?skmgr.exe"
O4 - HKCU\..\Run: [QdrModule9] "C:\Program Files\QdrModule\QdrModule9.exe"
Close all programs but HJT and all browser windows, then click on "Fix Checked"
5) RIGHT Click on Start then click on Explore. Locate and delete these items:
(may be a little tricky, they use the wild cards to try to confuse us, but I am sure you can figure it out)
C:\DOCUME~1\USERNA~1\APPLICATIONDATA~1\TSKS~1\ <<< delete that folder
C:\Documents and Settings\(SomeUserName)\My Documents\s?curity\ <<< delete that folder
C:\Program Files\QdrModule\ <<< delete that file
6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart and post a new HJT log and the missing combofix infomation. Provide feedback about the performance.
Thanks
Capt.Craig
2007-11-24, 19:58
I am still working on getting a full combo fix log, but it continues to not give me a log. The notepad info I sent is the full notepad and it seems that it is not a finished report. How long does it take to produce the log? I have let it sit for an hour when it says it is producing a report, and it just doesn't seem like anything is happening. Should I try deleting combofix and its folder and redownloading it?
1) hidden files made visible
2) ATF cleaner downloaded
3) QDR was not listed on add/remove program list
4) scanned with HJT and fixed all 7 lines
5) After the HJT, I searched for the files you listed, but I was not able to find:
C:\DOCUME~1\CRAIGB~1\APPLICATIONDATA~1\TSKS~1\
or
C:\Documents and Settings\Craig Bonfield\My Documents\s?curity\
They were no files with that name under the file path.
I found and removed:
C:\Program Files\QdrModule\
6) I didn't run the ATF cleaner yet since I have still not gotten a full combofix report and I haven't found the 2 files listed above. I wasn't sure if running it without taking care of the other stuff would cause us to miss files in the cleaning process.
Any more suggestions reguarding combofix? i will keep trying
Thanks
pskelley
2007-11-24, 20:05
Thanks for the feedback, you asked:
Should I try deleting combofix and its folder and redownloading it? Yes...try that, if that does not work, just remove combofix completely, make sure to delete th C:\qoobox\quarantine\ folder if one is there.
After you try that, then run ATF-Cleaner and post a new HJT log so I can see where we are. Please let me know how the computer is running.
Thanks...Phil
Capt.Craig
2007-11-24, 21:08
ok, finally got a combofix log after deleteing the qoobox/quarantine folder and redownloading:
1) combo fix log:
ComboFix 07-11-19.3 - (SomeUserName) 2007-11-24 12:51:58.9 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1256.962.1033.18.253 [GMT -5:00]
Running from: C:\Documents and Settings\(SomeUserName)\Desktop\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2007-10-24 to 2007-11-24 )))))))))))))))))))))))))))))))
.
2007-11-23 14:32 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-19 17:22 32,768 --a------ C:\WINDOWS\b148.exe.bin
2007-11-16 17:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Intuit
2007-11-16 15:11 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-16 15:05 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-16 15:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-13 23:33 <DIR> d--hs---- C:\WINDOWS\Q3JhaWcgQm9uZmllbGQ
2007-11-11 00:04 35,840 -ra------ C:\WINDOWS\mrofinu72.exe
2007-11-01 10:47 <DIR> d-------- C:\Program Files\EPSON
2007-11-01 10:47 <DIR> d-------- C:\epson
2007-10-25 20:35 <DIR> d-------- C:\Documents and Settings\(SomeUserName)\Application Data\Leadertech
2007-10-25 20:24 <DIR> d-------- C:\Program Files\Atari
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-24 15:55 --------- d-----w C:\Program Files\Java
2007-11-14 11:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-14 04:39 10 ----a-w C:\Program Files\.autoreg
2007-10-15 18:10 --------- d-----w C:\Documents and Settings\(SomeUserName)\Application Data\Skype
2007-10-09 21:29 --------- d-----w C:\Documents and Settings\(SomeUserName)\Application Data\Talkback
2007-10-09 21:28 --------- d-----w C:\Program Files\DivX
2007-09-20 14:27 478 ----a-w C:\Documents and Settings\(SomeUserName)\Application Data\wklnhst.dat
2005-08-02 21:46 187,904 --sha-r C:\WINDOWS\Q3JhaWcgQm9uZmllbGQ\asappsrv.dll
2005-08-02 21:58 293,888 --sha-r C:\WINDOWS\Q3JhaWcgQm9uZmllbGQ\command.exe
2005-07-29 21:24 472 --sha-r C:\WINDOWS\Q3JhaWcgQm9uZmllbGQ\kaL1uqw0kA6RtA55v3k.vbs
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 16:00]
"AIM"="C:\Program Files\AIM\aim.exe" [2006-08-01 14:35]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"hpWirelessAssistant"="C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe" [2006-02-14 21:49]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 07:17]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 07:13]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 07:17]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-04 00:46]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2006-04-11 23:54]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-17 01:11]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-08-11 18:30]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-08-11 18:30]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2006-03-07 15:38]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2006-02-22 10:03]
"RecGuard"="C:\Windows\SMINST\RecGuard.exe" [2005-10-11 12:23]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 10:58]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Photosmart Premier Fast Start.lnk - C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe [2005-09-24 12:39:30]
hpoddt01.exe.lnk - C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe [2002-12-02 12:56:10]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 1000 series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 1000 series.lnk
backup=C:\WINDOWS\pss\hp psc 1000 series.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^(SomeUserName)^Start Menu^Programs^StartUp^Vongo Tray.lnk]
path=C:\Documents and Settings\(SomeUserName)\Start Menu\Programs\StartUp\Vongo Tray.lnk
backup=C:\WINDOWS\pss\Vongo Tray.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\High Definition Audio Property Page Shortcut]
CHDAudPropShortcut.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
2005-08-02 14:33 159832 --a------ C:\Program Files\Common Files\AOL\1156897658\ee\AOLHostManager.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Insider]
C:\Program Files\Insider\Insider.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMModule4]
C:\Program Files\ISM\ISMModule4.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMModule8]
C:\Program Files\ISM\ISMModule8.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-10-30 01:36 256576 --a------ C:\Program Files\iTunes\iTunesHelper.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack9]
C:\Program Files\QdrPack\QdrPack9.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Viewpoint Manager Service"=2 (0x2)
"LightScribeService"=2 (0x2)
"IDriverT"=3 (0x3)
"cmdService"=2 (0x2)
"ose"=3 (0x3)
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4d7329ba-6c03-11db-b200-0014a5b110e8}]
\Shell\Auto\command - sxs.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{abe3725e-7afc-11db-b210-0014a5b110e8}]
\Shell\Auto\command - sxs.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-08-29 10:21:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-01 19:46:01 C:\WINDOWS\Tasks\FRU Task #Hewlett-Packard#hp psc 1200 series#1188391559.job"
- C:\Program Files\HP\Digital Imaging\Bin\hpqfrucl.exe4-I
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-24 12:53:51
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe?????? ???@???????????????@? ????_??????(?@???????@
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-24 12:54:27
.
--- E O F ---
2) Ran ATF cleaner
3) New HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:59:17 PM, on 11/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\AOL\1156897658\ee\AOLHostManager.exe
C:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
C:\Program Files\Common Files\AOL\1156897658\ee\AOLServiceHost.exe
C:\PROGRA~1\HPQ\Shared\HPQTOA~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\Capt.Craig.exe
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.1.1.2:80
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\hpq\HP Wireless Assistant\HP Wireless Assistant.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [RecGuard] C:\Windows\SMINST\RecGuard.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - .DEFAULT User Startup: Vongo Tray.lnk = C:\Program Files\Vongo\Tray.exe (User 'Default user')
O4 - Global Startup: HP Photosmart Premier Fast Start.lnk = C:\Program Files\Hp\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q306&bd=presario&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
--
End of file - 5595 bytes
My Computer is running well. I was getting fairly constant pop-ups from "outerinfo" and "internet service monitor" but since I fixed the 7 files in the HJT log I have not gotten any. I have noticed an internet explorer icon that has been appearing on my desktop. I am not sure if it is used by combofix, but when I delete it it comes back. It basically makes this: http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome my homepage. Could be nothing, but it is odd. I appriciate all the help.
pskelley
2007-11-24, 21:40
Thanks for posting that combofix log, and it is helpful, shows infections are still there that were in the first Kaspersky scan.
(some of this may be gone, this is a doublecheck)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ <<< delete everything in that recovery folder
http://ict.cas.psu.edu/training/howto/util/removespybot.htm#1
C:\Documents and Settings\(SomeUserName)\Application Data\WinTouch\ <<< delete that folder if there
C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\ <<< delete the contents of that folder. (a few old files may not delete, they are not a problem, all infections would be recent)
C:\Documents and Settings\(SomeUserName)\Temporary Internet Files\ <<< delete the contents of that TIF folder. (a few old files may not delete, they are not a problem, all infections would be recent)
C:\Program Files\Common Files\iiru\ <<< delete that folder and contents if there.
C:\Program Files\InstallShield Installation Information\mefenega77798.exe <<< delete that file if there.
C:\WINDOWS\Q3JhaWcgQm9uZmllbGQ\ <<< delete that folder and contents if there.
Delete combo fix, C:\qoobox\quarantine and any other tool we used. If we used ATF-Cleaner you may keep it.
Please empty the Recycle Bin on your Desktop and restart your computer.
Now let's clean the System Restore files:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Run a new Kaspersky scan using these setting:
Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
Next Click on Launch Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.
Then post it here. If you have no questions about the results, there is no need to post it. Let me know how the computer is running now.
Thanks
Capt.Craig
2007-11-25, 00:54
OK...here are the results:
1) Spybot recovery cleaned
2)C:\Documents and Settings\(SomeUserName)\Application Data\WinTouch\ <<< Not found
3)C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\ <<< one file inside, won't delete
4)C:\Documents and Settings\(SomeUserName)\Temporary Internet Files\ <<< All files deleted
5)C:\Program Files\Common Files\iiru\ <<< Folder not found :(
6)C:\Program Files\InstallShield Installation Information\mefenega77798.exe <<< found and deleted
7)C:\WINDOWS\Q3JhaWcgQm9uZmllbGQ\ <<< found and deleted
8)Delete combo fix, C:\qoobox\quarantine and any other tool we used <<< Done
9)empty the Recycle Bin <<< Done
10) System restore complete
11) Kaspersky Online Results....
Saturday, November 24, 2007 4:42:12 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 24/11/2007
Kaspersky Anti-Virus database records: 436036
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 61642
Number of viruses found 6
Number of infected objects 14
Number of suspicious objects 0
Duration of the scan process 01:17:44
Infected Object Name Virus Name Last Action
C:\417C.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\417C.tmp NSIS: infected - 1 skipped
C:\4186.tmp Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\63.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\63.tmp NSIS: infected - 1 skipped
C:\66.tmp Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\Documents and Settings\All Users\Application Data\AOL\browser\history.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Application Data\Aim\pegajowo\RuskinRaider03\cert8.db Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Application Data\Aim\pegajowo\RuskinRaider03\key3.db Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Application Data\Microsoft\Windows\capvt.exe Infected: Trojan-Downloader.Win32.Agent.fcp skipped
C:\Documents and Settings\(SomeUserName)\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-74ed3802/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\(SomeUserName)\Application Data\Sun\Java\Deployment\cache\6.0\22\10453ed6-74ed3802 ZIP: infected - 1 skipped
C:\Documents and Settings\(SomeUserName)\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-2ba14357/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\(SomeUserName)\Application Data\Sun\Java\Deployment\cache\6.0\47\bd7ce2f-2ba14357 ZIP: infected - 1 skipped
C:\Documents and Settings\(SomeUserName)\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-4c7e5a39/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\(SomeUserName)\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-4c7e5a39 ZIP: infected - 1 skipped
C:\Documents and Settings\(SomeUserName)\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\(SomeUserName)\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\(SomeUserName)\History\History.IE5\MSHist012007112420071125\index.dat Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\~DF70D3.tmp Object is locked skipped
C:\Documents and Settings\(SomeUserName)\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\(SomeUserName)\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP257\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\mrofinu72.exe Infected: Trojan-Downloader.Win32.Agent.fhv skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{7762DA66-24C0-4CEC-B8F1-CFD560FB47B2}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
The Computer is running fine, and I have no obvious problems, but the kaspersky appears to show a few things are still hanging around. Let me know what you think.
Thanks for all your help
pskelley
2007-11-25, 01:06
Thanks for returning your information and the feedback, I expected a few, combofix is close to a miracle but it can't find everything.
Kaspersky Online Scan: Saturday, November 24, 2007 4:42:12 PM
Number of infected objects 14
Delete the files in red:
C:\417C.tmp
C:\4186.tmp
C:\63.tmp
C:\66.tmp
C:\WINDOWS\mrofinu72.exe C:\Documents and Settings\(SomeUserName)\Application Data\Microsoft\Windows\capvt.exe
Clean out the Java cache:
C:\Documents and Settings\(SomeUserName)\Application Data\Sun\Java\Deployment\cache\
http://support.f-secure.com/enu/home/virusproblem/howtoclean/cleanjavacache.shtml
I think that's it, don't post a clean Kaspersky scan, just let me know. I have valuable closing information for you at that point.
Thanks...Phil
Capt.Craig
2007-11-25, 03:15
All files you listed in the last post were deleted
Ran another Kaspersky scan and it shows that there are still some infected files hanging around:
Saturday, November 24, 2007 7:08:51 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/11/2007
Kaspersky Anti-Virus database records: 436049
Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
Scan Statistics
Total number of scanned objects 62121
Number of viruses found 6
Number of infected objects 14
Number of suspicious objects 0
Duration of the scan process 01:09:46
Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\AOL\browser\history.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\(SomeUserName)\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\(SomeUserName)\History\History.IE5\MSHist012007112420071125\index.dat Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\ApplicationHistory\hpqimzone.exe.3204510e.ini.inuse Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.cdx Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\propertiesTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Local Settings\Temp\~DF70D3.tmp Object is locked skipped
C:\Documents and Settings\(SomeUserName)\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\(SomeUserName)\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\(SomeUserName)\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\RECYCLER\S-1-5-21-862724559-2666831590-1564909012-1006\Dc2.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\RECYCLER\S-1-5-21-862724559-2666831590-1564909012-1006\Dc2.tmp NSIS: infected - 1 skipped
C:\RECYCLER\S-1-5-21-862724559-2666831590-1564909012-1006\Dc3.tmp Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\RECYCLER\S-1-5-21-862724559-2666831590-1564909012-1006\Dc4.tmp/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\RECYCLER\S-1-5-21-862724559-2666831590-1564909012-1006\Dc4.tmp NSIS: infected - 1 skipped
C:\RECYCLER\S-1-5-21-862724559-2666831590-1564909012-1006\Dc5.tmp Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\RECYCLER\S-1-5-21-862724559-2666831590-1564909012-1006\Dc6.exe Infected: Trojan-Downloader.Win32.Agent.fhv skipped
C:\RECYCLER\S-1-5-21-862724559-2666831590-1564909012-1006\Dc7.exe Infected: Trojan-Downloader.Win32.Agent.fcp skipped
C:\RECYCLER\S-1-5-21-862724559-2666831590-1564909012-1006\Dc8.0\22\10453ed6-74ed3802/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\RECYCLER\S-1-5-21-862724559-2666831590-1564909012-1006\Dc8.0\22\10453ed6-74ed3802 ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-862724559-2666831590-1564909012-1006\Dc8.0\47\bd7ce2f-2ba14357/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\RECYCLER\S-1-5-21-862724559-2666831590-1564909012-1006\Dc8.0\47\bd7ce2f-2ba14357 ZIP: infected - 1 skipped
C:\RECYCLER\S-1-5-21-862724559-2666831590-1564909012-1006\Dc8.0\52\1c9644b4-4c7e5a39/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\RECYCLER\S-1-5-21-862724559-2666831590-1564909012-1006\Dc8.0\52\1c9644b4-4c7e5a39 ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{6D05FAB2-7A62-4A96-A638-2F0B6A273527}\RP257\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{7762DA66-24C0-4CEC-B8F1-CFD560FB47B2}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Let me know what you think.
Thanks,
Capt. Craig
pskelley
2007-11-25, 03:25
Kaspersky Online Scanner >>> Number of infected objects 14
Please empty the Recycle Bin on your Desktop and restart your computer
C:\RECYCLER\ <<< Recycle Bin: http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/windows_waste_empty_bskt.mspx?mfr=true
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.