Please help with Outerinfo



spw3336
2007-11-21, 06:16
Followed the instructions, everything was removed during safe mode S&D. Outerinfo popups still continue. Thank you in advance for your help.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:27 AM, on 11/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\NetMeeting\mefereh77798.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\DOCUME~1\Shawn\MYDOCU~1\SKS~1\logonui.exe
C:\Documents and Settings\Shawn\Application Data\?ssembly\r?ndll32.exe
C:\Program Files\Insider\Insider.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mymail.rit.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27767020-BB95-9333-B598-B66EFC9C96B7} - C:\WINDOWS\system32\ozuklvfh.dll
O2 - BHO: (no name) - {33D3BF68-7617-4975-BA46-83A2A604A4E3} - C:\Program Files\Internet Explorer\mewocykov83122.dll
O2 - BHO: 0 - {4A29D965-E87A-4A98-2885-CFAE8B79C1D2} - C:\Program Files\Common Files\qujav.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6B729991-E1EC-4CB3-90C0-033B74928E66} - C:\WINDOWS\system32\sstqr.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {B823A847-BCF5-46B4-84D6-F8D34ED4C766} - \
O2 - BHO: (no name) - {e84ee827-4c05-430c-8c5e-4f2faff8e43e} - C:\WINDOWS\system32\fdmywge.dll
O2 - BHO: (no name) - {E8D0F521-8F19-4E62-AB91-A48082E0ED52} - C:\WINDOWS\system32\ewnjpkxm.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Norton Ghost 12.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [mefereh] C:\Program Files\NetMeeting\mefereh77798.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA9278] command /c del "C:\WINDOWS\system32\drivers\core.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6960] cmd /c del "C:\WINDOWS\system32\drivers\core.sys"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe] "1&1 EasyLogin" HIDE
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.5\webbuying.exe
O4 - HKCU\..\Run: [Snte] "C:\DOCUME~1\Shawn\MYDOCU~1\SKS~1\logonui.exe" --ru -vt yazb
O4 - HKCU\..\Run: [Nsf] "C:\Documents and Settings\Shawn\Application Data\?ssembly\r?ndll32.exe"
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\Ctrax Player\DMDownload.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Shawn\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Shawn\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra button: River Belle Poker - {83F8B625-1B04-4c35-8BA1-6DB4D7EDBADF} - C:\Program Files\riverbelleMPP\MPPoker.exe
O9 - Extra button: Golden Riviera Poker - {85BFB6E0-96F9-4424-8819-1D67E9F78D33} - C:\Program Files\goldenrivieraMPP\MPPoker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: bet365 Poker - {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - C:\Program Files\bet365MPP\MPPoker.exe
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O20 - Winlogon Notify: sstqr - C:\WINDOWS\system32\sstqr.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11926 bytes

spw3336
2007-11-21, 06:17
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, November 20, 2007 5:24:22 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 20/11/2007
Kaspersky Anti-Virus database records: 462398
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 217115
Number of viruses found: 27
Number of infected objects: 62
Number of suspicious objects: 4
Duration of the scan process: 03:17:28

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\00000002.ps1 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\00000002.ps2 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\00010005.ci Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\cicat.fid Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\cicat.hsh Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\CiCL0001.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\CiP10000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\CiP20000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\CiPT0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\CiSL0001.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\CiSP0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\CiST0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\CiVP0000.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\INDEX.000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\propstor.bk1 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\VISIO\catalog.wci\propstor.bk2 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\0102\0310\values Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip/MTE3MTk6ODoxNg.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip/v1.8.5/wbuninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-11-20_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Shawn\Application Data\Aim\ebxzrvsf\spw26yankees\cert8.db Object is locked skipped
C:\Documents and Settings\Shawn\Application Data\Aim\ebxzrvsf\spw26yankees\key3.db Object is locked skipped
C:\Documents and Settings\Shawn\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\cert8.db Object is locked skipped
C:\Documents and Settings\Shawn\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Shawn\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\history.dat Object is locked skipped
C:\Documents and Settings\Shawn\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\key3.db Object is locked skipped
C:\Documents and Settings\Shawn\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\parent.lock Object is locked skipped
C:\Documents and Settings\Shawn\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Shawn\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Shawn\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\webappsstore.sqlite Object is locked skipped
C:\Documents and Settings\Shawn\Application Data\Sun\Java\Deployment\cache\6.0\36\37984024-7e2c5fbc/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Shawn\Application Data\Sun\Java\Deployment\cache\6.0\36\37984024-7e2c5fbc/VaaaaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Shawn\Application Data\Sun\Java\Deployment\cache\6.0\36\37984024-7e2c5fbc/Baaaaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Shawn\Application Data\Sun\Java\Deployment\cache\6.0\36\37984024-7e2c5fbc ZIP: infected - 3 skipped
C:\Documents and Settings\Shawn\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-637995f5-3e19d279.zip/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Shawn\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-637995f5-3e19d279.zip/VaaaaaaaBaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Shawn\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-637995f5-3e19d279.zip/Baaaaa.class Infected: Trojan.Java.ClassLoader.ao skipped
C:\Documents and Settings\Shawn\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\crtdcghcn.jar-637995f5-3e19d279.zip ZIP: infected - 3 skipped
C:\Documents and Settings\Shawn\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Shawn\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Shawn\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Shawn\Local Settings\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Shawn\Local Settings\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Shawn\Local Settings\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Shawn\Local Settings\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Shawn\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Shawn\Local Settings\History\History.IE5\MSHist012007112020071121\index.dat Object is locked skipped
C:\Documents and Settings\Shawn\Local Settings\Temp\camg-77798.exe/data0004 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\Documents and Settings\Shawn\Local Settings\Temp\camg-77798.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Shawn\Local Settings\Temp\MBDownloader_876923.exe Infected: not-a-virus:AdWare.Win32.NetNucleus.b skipped
C:\Documents and Settings\Shawn\Local Settings\Temp\OIN9D3.tmp.exe Infected: Trojan-Downloader.Win32.PurityScan.eu skipped
C:\Documents and Settings\Shawn\Local Settings\Temp\OIN9D6.tmp.exe Infected: Trojan-Downloader.Win32.PurityScan.eu skipped
C:\Documents and Settings\Shawn\Local Settings\Temp\Perflib_Perfdata_370.dat Object is locked skipped
C:\Documents and Settings\Shawn\Local Settings\Temp\Perflib_Perfdata_68c.dat Object is locked skipped
C:\Documents and Settings\Shawn\Local Settings\Temp\~ef8b72\~efe2.tmp Object is locked skipped
C:\Documents and Settings\Shawn\Local Settings\Temp\~efe22d\~efe2.tmp Object is locked skipped
C:\Documents and Settings\Shawn\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Shawn\My Documents\Таsks\logonui.exe Infected: Trojan-Downloader.Win32.PurityScan.eu skipped
C:\Documents and Settings\Shawn\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Shawn\ntuser.dat.LOG Object is locked skipped
C:\Inetpub\catalog.wci\00000002.ps1 Object is locked skipped
C:\Inetpub\catalog.wci\00000002.ps2 Object is locked skipped
C:\Inetpub\catalog.wci\00010002.ci Object is locked skipped
C:\Inetpub\catalog.wci\cicat.fid Object is locked skipped
C:\Inetpub\catalog.wci\cicat.hsh Object is locked skipped
C:\Inetpub\catalog.wci\CiCL0001.000 Object is locked skipped
C:\Inetpub\catalog.wci\CiP10000.000 Object is locked skipped
C:\Inetpub\catalog.wci\CiP20000.000 Object is locked skipped
C:\Inetpub\catalog.wci\CiPT0000.000 Object is locked skipped
C:\Inetpub\catalog.wci\CiSL0001.000 Object is locked skipped
C:\Inetpub\catalog.wci\CiSP0000.000 Object is locked skipped
C:\Inetpub\catalog.wci\CiST0000.000 Object is locked skipped
C:\Inetpub\catalog.wci\CiVP0000.000 Object is locked skipped
C:\Inetpub\catalog.wci\INDEX.000 Object is locked skipped
C:\Inetpub\catalog.wci\propstor.bk1 Object is locked skipped
C:\Inetpub\catalog.wci\propstor.bk2 Object is locked skipped
C:\Program Files\Common Files\qujav.dll Infected: Trojan.Win32.BHO.ab skipped
C:\Program Files\Common Files\rterek.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\Program Files\Internet Explorer\mewocykov4444.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Program Files\Internet Explorer\mewocykov83122.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\Program Files\NetMeeting\mefereh77798.exe Infected: not-a-virus:AdWare.Win32.TTC.c skipped
C:\Program Files\No-IP\DUC - Shawn.log Object is locked skipped
C:\Program Files\TightVNC-unstable\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 skipped
C:\Program Files\TightVNC-unstable\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC-based.j skipped
C:\Program Files\TightVNC-unstable\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.1370 skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010002.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\tracking.log Object is locked skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP808\A0162131.exe Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP808\A0162367.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP808\A0162370.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wi skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP808\A0162371.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP808\A0162371.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP808\A0162372.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP808\A0162373.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP808\A0162374.exe/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP808\A0162374.exe/data0005 Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP808\A0162374.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP808\A0162375.exe Infected: not-a-virus:AdWare.Win32.Agent.tb skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP808\A0162376.exe Infected: not-a-virus:AdWare.Win32.Agent.ta skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP808\A0162377.exe Infected: Trojan-Downloader.Win32.PurityScan.eu skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP809\A0162649.dll Infected: Trojan.Win32.Pakes.akr skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP809\A0162650.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wi skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP810\change.log Object is locked skipped
C:\temp\ftp.txt Infected: Trojan-Downloader.BAT.Ftp.ca skipped
C:\WINDOWS\b104.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\WINDOWS\b104.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\WINDOWS\b104.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\WINDOWS\b104.exe NSIS: infected - 3 skipped
C:\WINDOWS\b122.exe Infected: Trojan-Downloader.Win32.Agent.erf skipped
C:\WINDOWS\b138.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped

spw3336
2007-11-21, 06:18
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\i.bat Infected: Trojan-Downloader.BAT.Ftp.ca skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\SPWLAPTOP.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{F76601BA-62C0-4F9E-A5B0-287BE51153FB}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\a1\rarndrll2.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINDOWS\system32\drivers\core.sys Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\fdmywge.dll Infected: not-a-virus:AdWare.Win32.Agent.ta skipped
C:\WINDOWS\system32\g2\caws83122.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\WINDOWS\system32\g2\caws83122.exe NSIS: infected - 1 skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hakbqwxp.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\Mz16r\Mz16r2291.exe Infected: Trojan-Downloader.Win32.VB.bqc skipped
C:\WINDOWS\system32\ope9D2.exe Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\WINDOWS\system32\ope9D4.exe/data0006 Infected: Trojan-Downloader.Win32.VB.bqc skipped
C:\WINDOWS\system32\ope9D4.exe NSIS: infected - 1 skipped
C:\WINDOWS\system32\r2\wr31drs.exe Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\WINDOWS\system32\rqrppqo.dll Infected: Trojan.Win32.Pakes.sv skipped
C:\WINDOWS\system32\svjhpfru.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_4a4.dat Object is locked skipped
C:\WINDOWS\Temp\ZLT07bc8.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT07bcb.TMP Object is locked skipped
C:\WINDOWS\tk58.exe Infected: Trojan.Win32.BHO.ab skipped
C:\WINDOWS\TTC-4444.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\WINDOWS\TTC-4444.exe NSIS: infected - 1 skipped
C:\WINDOWS\U2hhd24\asappsrv.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\WINDOWS\U2hhd24\command.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\xampp\apache\logs\access.log Object is locked skipped
C:\xampp\apache\logs\error.log Object is locked skipped
C:\xampp\apache\logs\sslerror.log Object is locked skipped
C:\xampp\mysql\data\ibcleague_com\ibc_players.MYD Object is locked skipped
C:\xampp\mysql\data\ibcleague_com\ibc_players.MYI Object is locked skipped
C:\xampp\mysql\data\ibcleague_com\ibc_rookie_draft_pool.MYD Object is locked skipped
C:\xampp\mysql\data\ibcleague_com\ibc_rookie_draft_pool.MYI Object is locked skipped
C:\xampp\mysql\data\ibcleague_com\ibc_rookie_draft_queue.MYD Object is locked skipped
C:\xampp\mysql\data\ibcleague_com\ibc_rookie_draft_queue.MYI Object is locked skipped
C:\xampp\mysql\data\ibcleague_com\ibc_transactions.MYD Object is locked skipped
C:\xampp\mysql\data\ibcleague_com\ibc_transactions.MYI Object is locked skipped
C:\xampp\mysql\data\ibcleague_com\phpbb_config.MYD Object is locked skipped
C:\xampp\mysql\data\ibcleague_com\phpbb_config.MYI Object is locked skipped
C:\xampp\mysql\data\ibcleague_com\phpbb_sessions.MYD Object is locked skipped
C:\xampp\mysql\data\ibcleague_com\phpbb_sessions.MYI Object is locked skipped
C:\xampp\mysql\data\ibcleague_com\phpbb_themes.MYD Object is locked skipped
C:\xampp\mysql\data\ibcleague_com\phpbb_themes.MYI Object is locked skipped
C:\xampp\mysql\data\ibcleague_com\phpbb_users.MYD Object is locked skipped
C:\xampp\mysql\data\ibcleague_com\phpbb_users.MYI Object is locked skipped
C:\xampp\mysql\data\ibcleague_com\phpbb_user_group.MYD Object is locked skipped
C:\xampp\mysql\data\ibcleague_com\phpbb_user_group.MYI Object is locked skipped
C:\xampp\mysql\data\SPWlaptop.err Object is locked skipped

Scan process completed.

pskelley
2007-11-23, 14:37
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You have a PurityScan/OIN infection, but that is by far not the worst. You have a Vundo infection, which can be very hard to remove. This will take some time, and unless you are patient, understand how to follow directions and are comfortable working on your computer, you may want to seek local professional help; an option would be to reformat.

If you wish to continue, keep this computer offline except when troubleshooting; the junk will download more.
If you have any of these tools, delete them and download them new from the links I provide.

1) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)

2) Thanks to Atribune and any others who helped with this fix.

http://vundofix.atribune.org/ <<< tutorial

"Download VundoFix" to your Desktop

http://www.atribune.org/ccount/click.php?id=4

Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will attempt to run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

Vundofix.txt will be on the C:\

3) Thanks to sUBs and anyone else who helped with this fix.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the Vundofix.txt, combofix log, uninstall list and a new HJT log.

Thanks

spw3336
2007-11-23, 17:57
Thank you for your help so far pskelley.

I have read that topic and had read it before posting as well.

The 4 requested logs are attached.

pskelley
2007-11-23, 18:00
http://forums.spybot.info/showthread.php?t=288

Well...I would say you need to read it again?


Please do not attach or link to infected files!
If a helper requests files they will give you a link to upload them.
All logs should be copy/pasted into the topic and not attached unless requested by a helper in that format.

spw3336
2007-11-23, 18:43
Well gosh, now I just look stupid :oops: I thought I read something about attaching a zip if copy/paste would end up taking over 2 posts, but I can't find that so I guess I imagined it.

Uninstall List:
Absolute Poker
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Photoshop 7.0
Adobe Reader 8
Adobe Shockwave Player
Adobe SVG Viewer 3.0
AIMutation (remove only)
AOL Instant Messenger
ATI Control Panel
ATI Display Driver
BEAT THE MARKET
bet365poker
CDBurnerXP Pro 3
Compaq Presario r4000 User Guides
Conexant AC-Link Audio
Craxtion4
Data Fax SoftModem with SmartCP
DC++ 0.691
Diamond Mind Baseball version 9
D-Link AirPlus Xtreme G Adapter
DMB Encyclopedia 9b patch
DMB Encyclopedia version 9
DMB version 9a patch
DMB version 9b patch
DMB version 9c patch
EmpirePoker
GamesGrid Poker
Golden Riviera Poker
HijackThis 2.0.2
HollywoodPoker.com (remove only)
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
HP Document Viewer 5.3
HP Help and Support
HP Image Zone 5.3
HP Imaging Device Functions 5.3
HP Integrated Module with Bluetooth wireless technology
HP PSC & OfficeJet 5.3.A
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
InterPoker
InterVideo WinDVD
Ipswitch WS_FTP Professional 2006
ISO Recorder
iTunes
J2SE Development Kit 5.0 Update 11
J2SE Runtime Environment 5.0 Update 11
Java(TM) 6 Update 2
JD Secure 3.1
Kaspersky Online Scanner
K-Lite Codec Pack 2.77 Basic
LiveUpdate 3.2 (Symantec Corporation)
Logitech Harmony Remote Software 7
Macromedia Director MX 2004
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Device Emulator version 1.0 - ENU
Microsoft Document Explorer 2005
Microsoft Document Explorer 2005
Microsoft Money 2005
Microsoft Office Converter Pack
Microsoft Office OneNote 2003
Microsoft Office Visio Professional 2003
Microsoft Office XP Professional
Microsoft Script Debugger
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual Studio 2005 Professional Edition - ENU
Microsoft Works
MLB.TV Mosaic
Mozilla Firefox (2.0.0.9)
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
muvee autoProducer 4.0 - SE
MySQL Server 5.0
NHL 2001
No-IP.com DUC (remove only)
Norton Ghost
Paradise Poker
PartyPoker
Personal License Update Wizard for Windows Media Player
Poker Tracker Version 2.10.02b
Poker World
PokerPlex
PokerStars
PowerISO
Quick Launch Buttons 5.10 B3
QuickTime
Remote Control USB Driver
River Belle Poker
Royal Vegas Poker
ScreenStream
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
Sportsbook.com Poker
Spybot - Search & Destroy
SQLite ODBC Driver
Steam(TM)
SunPoker.com
Swarmcast
Swarmcast for MLB-TV-Mosaic
Synaptics Pointing Device Driver
totalbet poker
UltimateBet
UltraEdit-32
UserGuides
William Hill Poker
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
WinRAR archiver
WinSCP 4.0.4
Yahoo! Widgets
ZoneAlarm


VundoFix V6.6.2

Checking Java version...

Java version is 1.5.0.11

Scan started at 10:41:20 AM 11/23/2007

Listing files found while scanning....

C:\windows\system32\rqrppqo.dll
C:\WINDOWS\system32\rqtss.bak1
C:\WINDOWS\system32\rqtss.bak2
C:\WINDOWS\system32\rqtss.ini
C:\WINDOWS\system32\rqtss.tmp
C:\WINDOWS\system32\sstqr.dll

Beginning removal...

Attempting to delete C:\windows\system32\rqrppqo.dll
C:\windows\system32\rqrppqo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqtss.bak1
C:\WINDOWS\system32\rqtss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqtss.bak2
C:\WINDOWS\system32\rqtss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqtss.ini
C:\WINDOWS\system32\rqtss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqtss.tmp
C:\WINDOWS\system32\rqtss.tmp Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Java version is 1.5.0.11

Scan started at 11:01:48 AM 11/23/2007

Listing files found while scanning....

C:\WINDOWS\system32\sstqr.dll

Beginning removal...

Performing Repairs to the registry.
Done!
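
As an added example (not part of this thread, and not code from HijackThis, VundoFix or ComboFix), the Python script below shows the two log-reading heuristics behind the diagnosis given earlier in the thread: HijackThis O2/O4 autostart entries that point to a missing file, contain a '?' where a character could not be displayed, or run from the user's profile folders, and the dll/ini pair with reversed names (sstqr.dll / rqtss.ini) that VundoFix listed. The sample lines are copied from the logs posted in this thread; the function names and the indicator wording are my own.

```python
import re
from pathlib import PureWindowsPath

# Sample O2 (BHO) and O4 (Run key) lines copied from the HijackThis log in this thread.
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {33D3BF68-7617-4975-BA46-83A2A604A4E3} - C:\Program Files\Internet Explorer\mewocykov83122.dll
O2 - BHO: (no name) - {6B729991-E1EC-4CB3-90C0-033B74928E66} - C:\WINDOWS\system32\sstqr.dll (file missing)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [mefereh] C:\Program Files\NetMeeting\mefereh77798.exe
O4 - HKCU\..\Run: [Snte] "C:\DOCUME~1\Shawn\MYDOCU~1\SKS~1\logonui.exe" --ru -vt yazb
O4 - HKCU\..\Run: [Nsf] "C:\Documents and Settings\Shawn\Application Data\?ssembly\r?ndll32.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

# File list copied from the first VundoFix run posted in this thread.
VUNDOFIX_SAMPLE = [
    r"C:\windows\system32\rqrppqo.dll",
    r"C:\WINDOWS\system32\rqtss.bak1",
    r"C:\WINDOWS\system32\rqtss.bak2",
    r"C:\WINDOWS\system32\rqtss.ini",
    r"C:\WINDOWS\system32\rqtss.tmp",
    r"C:\WINDOWS\system32\sstqr.dll",
]

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
# First token ending in an executable extension; tolerates unquoted paths with spaces.
EXT_RE = re.compile(r'^"?(.*?\.(?:exe|dll|com|bat|scr|pif))\b"?', re.I)

PROFILE_DIRS = ("documents and settings", "docume~1")
WRITABLE_SUBDIRS = ("application data", "my documents", "mydocu~1", "local settings", "temp")


def extract_path(cmd):
    """Pull the program path out of a Run-key command line, dropping quotes and arguments."""
    m = EXT_RE.match(cmd)
    return m.group(1) if m else cmd


def path_indicators(path, missing):
    """Indicators a human reviewer applies to an autostart path; returns a list of reasons."""
    reasons = []
    if missing:
        reasons.append("entry points to a file that no longer exists (orphaned loader)")
    if "?" in path:
        # '?' is illegal in Windows file names, so its presence means the log
        # could not display the real character (this thread's ?ssembly\r?ndll32.exe).
        reasons.append("'?' in path: the real character could not be displayed")
    parts = [p.lower() for p in PureWindowsPath(path).parts]
    if any(p in PROFILE_DIRS for p in parts) and any(p in WRITABLE_SUBDIRS for p in parts):
        reasons.append("executable lives in a user-writable profile folder")
    return reasons


def triage_hjt(log_text):
    """Map each O2/O4 entry that has at least one indicator to its list of reasons.
    A random-looking name in a trusted folder (mefereh77798.exe) is NOT caught here;
    that judgement still needs a human or a file-reputation lookup."""
    findings = {}
    for line in log_text.splitlines():
        m = O2_RE.match(line) or O4_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        if "clsid" in d:  # O2 line
            label = f"O2 {d['clsid']}"
            raw = d["path"]
            reasons = ["unnamed BHO (weak indicator on its own)"] if d["name"] == "(no name)" else []
        else:  # O4 line
            label = f"O4 {d['hive']} [{d['key']}]"
            raw = d["cmd"]
            reasons = []
        missing = raw.endswith("(file missing)")
        path = extract_path(raw.replace("(file missing)", "").strip())
        reasons += path_indicators(path, missing)
        if reasons:
            findings[label] = reasons
    return findings


def reversed_name_pairs(paths):
    """Find a .dll whose file stem, reversed, is the stem of an .ini in the same list,
    the pairing visible in this thread's VundoFix output (sstqr.dll / rqtss.ini)."""
    stems = {}
    for p in paths:
        wp = PureWindowsPath(p)
        stems.setdefault(wp.stem.lower(), set()).add(wp.suffix.lower())
    pairs = []
    for stem, exts in stems.items():
        mirror = stem[::-1]
        if ".dll" in exts and ".ini" in stems.get(mirror, set()):
            pairs.append((stem + ".dll", mirror + ".ini"))
    return sorted(pairs)


if __name__ == "__main__":
    for label, reasons in triage_hjt(HJT_SAMPLE).items():
        print(label, "->", "; ".join(reasons))
    print("reversed-name pairs:", reversed_name_pairs(VUNDOFIX_SAMPLE))
```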

spw3336
2007-11-23, 18:44
ComboFix 07-11-19.3 - Shawn 2007-11-23 11:32:16.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.109 [GMT -5:00]
Running from: C:\Documents and Settings\Shawn\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Shawn\Application Data\SSEMBL~1
C:\Documents and Settings\Shawn\Application Data\SSEMBL~1\r?ndll32.exe
C:\Documents and Settings\Shawn\Application Data\WinTouch
C:\Documents and Settings\Shawn\My Documents\SKS~1
C:\Documents and Settings\Shawn\My Documents\SKS~1\??sks\
C:\Documents and Settings\Shawn\My Documents\SKS~1\logonui.exe
C:\Program Files\Common Files\qujav.dll
C:\Program Files\Insider
C:\Program Files\Insider\Insider.exe
C:\Program Files\Insider\UnInstall.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\outerinfo.ico
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\outerinfo\Thumbs.db
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\tn3
C:\WINDOWS\b104.exe
C:\WINDOWS\b111.exe
C:\WINDOWS\b122.exe
C:\WINDOWS\b138.exe
C:\WINDOWS\b147.exe
C:\WINDOWS\hosts
C:\WINDOWS\system32\a1
C:\WINDOWS\system32\a1\rarndrll2.exe
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\ewnjpkxm.dll
C:\WINDOWS\system32\fdmywge.dll
C:\WINDOWS\system32\g2
C:\WINDOWS\system32\g2\caws83122.exe
C:\WINDOWS\system32\h1
C:\WINDOWS\system32\ozuklvfh.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\r2
C:\WINDOWS\system32\r2\wr31drs.exe
C:\WINDOWS\system32\v8
C:\WINDOWS\system32\v8\taldrvr11.exe
C:\WINDOWS\tk58.exe
C:\WINDOWS\TTC-4444.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\nm


((((((((((((((((((((((((( Files Created from 2007-10-23 to 2007-11-23 )))))))))))))))))))))))))))))))
.

2007-11-23 10:41 <DIR> d-------- C:\VundoFix Backups
2007-11-20 13:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-18 10:21 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-11-17 10:52 215,144 -ra------ C:\WINDOWS\patchw32.dll
2007-11-17 10:47 215,144 -ra------ C:\WINDOWS\pw32a.dll
2007-11-17 10:34 71,188 --a------ C:\WINDOWS\system32\hakbqwxp.exe
2007-11-17 10:34 353 --ahs---- C:\WINDOWS\system32\klkkj.ini
2007-11-17 10:32 132,320 --a------ C:\WINDOWS\system32\drivers\symsnap.sys
2007-11-17 10:32 128,104 --a------ C:\WINDOWS\system32\drivers\WimFltr.sys
2007-11-17 10:32 37,864 --a------ C:\WINDOWS\system32\drivers\v2imount.sys
2007-11-17 10:32 14,072 --a------ C:\WINDOWS\system32\drivers\vproeventmonitor.sys
2007-11-17 10:23 <DIR> d--hs---- C:\WINDOWS\U2hhd24
2007-11-17 10:23 35,840 --a------ C:\WINDOWS\mrofinu312.exe
2007-11-17 10:23 35,840 --a------ C:\WINDOWS\mrofinu1000106.exe
2007-11-17 10:22 <DIR> d-------- C:\temp\mZOr
2007-11-17 10:22 <DIR> d-------- C:\Program Files\PowerISO
2007-11-17 10:22 352,410 --a------ C:\WINDOWS\ope9CB.exe
2007-11-17 10:22 0 --a------ C:\WINDOWS\system32\ope9D1.tmp
2007-11-09 11:33 <DIR> d-------- C:\Documents and Settings\Shawn\Application Data\U3

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-23 16:47 19,451,936 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-23 16:44 230,048 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-23 16:28 246 ----a-w C:\Program Files\Common Files\qujav
2007-11-19 18:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-17 15:58 --------- d-----w C:\Documents and Settings\Shawn\Application Data\Symantec
2007-11-17 15:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-17 15:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-11-17 15:29 --------- d-----w C:\Program Files\Norton Ghost
2007-11-17 15:22 --------- d-----w C:\Documents and Settings\Shawn\Application Data\uTorrent
2007-11-04 02:08 --------- d-----w C:\Documents and Settings\Shawn\Application Data\Microgaming
2007-10-21 17:28 --------- d--h--w C:\Program Files\Zero G Registry
2007-10-21 17:22 --------- d-----w C:\Program Files\Workspace Macro Pro 6.5
2007-10-21 17:22 --------- d-----w C:\Program Files\Automation Anywhere 4.0
2007-10-09 20:41 --------- d-----w C:\Program Files\Swarmcast
2007-10-01 22:30 --------- d-----w C:\Program Files\No-IP
2007-10-01 22:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
2007-10-01 21:30 --------- d-----w C:\Program Files\NCH Software
2007-10-01 21:30 --------- d-----w C:\Documents and Settings\Shawn\Application Data\NCH Software
2007-10-01 21:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Software
2007-09-25 16:32 --------- d-----w C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-09-12 01:30 65,360 -c--a-w C:\Documents and Settings\Shawn\Application Data\GDIPFONTCACHEV1.DAT
2007-09-06 20:14 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2007-07-28 09:06 135 ----a-w C:\Program Files\Common Files\rterek.html
2005-10-23 20:23 0 -c----w C:\Documents and Settings\Shawn\Application Data\wklnhst.dat
2005-08-02 21:46 187,904 --sha-r C:\WINDOWS\U2hhd24\asappsrv.dll
2005-08-02 21:58 293,888 --sha-r C:\WINDOWS\U2hhd24\command.exe
2005-07-29 21:24 472 --sha-r C:\WINDOWS\U2hhd24\oZ11xZb.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27767020-BB95-9333-B598-B66EFC9C96B7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{33D3BF68-7617-4975-BA46-83A2A604A4E3}]
2007-08-02 08:43 282624 --a------ C:\Program Files\Internet Explorer\mewocykov83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4A29D965-E87A-4A98-2885-CFAE8B79C1D2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6B729991-E1EC-4CB3-90C0-033B74928E66}]
C:\WINDOWS\system32\sstqr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B823A847-BCF5-46B4-84D6-F8D34ED4C766}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e84ee827-4c05-430c-8c5e-4f2faff8e43e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E8D0F521-8F19-4E62-AB91-A48082E0ED52}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]
"AIM"="C:\Program Files\AIM\aim.exe" [2005-08-05 14:08]
"C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe"="1&1 EasyLogin HIDE" []
"Snte"="C:\DOCUME~1\Shawn\MYDOCU~1\SKS~1\logonui.exe" []
"Nsf"="C:\Documents and Settings\Shawn\Application Data\?ssembly\r?ndll32.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-03-22 23:05]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2005-02-02 07:12]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2005-02-02 07:11]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-12-03 15:24]
"ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.exe" [2004-09-22 19:00]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2004-08-06 02:50]
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 15:14]
"Norton Ghost 12.0"="C:\Program Files\Norton Ghost\Agent\VProTray.exe" [2007-10-05 12:33]
"mefereh"="C:\Program Files\NetMeeting\mefereh77798.exe" [2007-08-07 15:30]

C:\Documents and Settings\Shawn\Start Menu\Programs\Startup\
No-IP DUC.lnk - C:\Program Files\No-IP\DUC20.exe [2007-10-01 17:30:18]
PowerReg Scheduler.exe [2007-09-01 13:24:05]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sstqr]
C:\WINDOWS\system32\sstqr.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Synchronizer.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Synchronizer.lnk
backup=C:\WINDOWS\pss\Adobe Reader Synchronizer.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BTTray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\BTTray.lnk
backup=C:\WINDOWS\pss\BTTray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Digital Imaging Monitor.lnk
backup=C:\WINDOWS\pss\HP Digital Imaging Monitor.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office OneNote 2003 Quick Launch.lnk
backup=C:\WINDOWS\pss\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Shawn^Start Menu^Programs^Startup^Webshots.lnk]
path=C:\Documents and Settings\Shawn\Start Menu\Programs\Startup\Webshots.lnk
backup=C:\WINDOWS\pss\Webshots.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cpqset]
2005-02-17 16:01 233534 --------- C:\Program Files\HPQ\Default Settings\cpqset.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2005-05-11 22:12 49152 --------- C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2006-10-30 09:36 256576 --------- C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LSBWatcher]
c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MNS]
C:\Program Files\Mobile Net Switch\MNS.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Associates Error Reporting Service]
2003-10-07 08:48 147514 --------- C:\Program Files\Common Files\Network Associates\TalkBack\tbmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Norton Ghost 10.0]
C:\Program Files\Norton Ghost\Agent\GhostTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NWEReboot]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zune Launcher]
C:\Program Files\Zune\ZuneLauncher.exe

R1 NaiAvTdi1;NaiAvTdi1;C:\WINDOWS\system32\drivers\mvstdi5x.sys
R2 v2imount;Symantec V2i Mount Driver;C:\WINDOWS\system32\DRIVERS\v2imount.sys
R3 HSFHWATI;HSFHWATI;C:\WINDOWS\system32\DRIVERS\HSFHWATI.sys
S3 ICAM3NT5;Intel USB Video Camera III;C:\WINDOWS\system32\Drivers\Icam3.sys
S3 UltraMonMirror;UltraMonMirror;C:\WINDOWS\system32\DRIVERS\UltraMonMirror.sys
S3 WimFltr;WimFltr;C:\WINDOWS\system32\DRIVERS\wimfltr.sys
S3 xbreader;MaxDrive XBox Driver (xbreader.sys);C:\WINDOWS\system32\Drivers\xbreader.sys
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{89c0f80e-15ae-11da-aa24-00904bf40e21}]
\Shell\AutoRun\command - F:\JDSecure\Windows\JDSecure31.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{89c0f80f-15ae-11da-aa24-00904bf40e21}]
\Shell\AutoRun\command - E:\JDSecure\Windows\JDSecure31.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{9c036955-d5f0-11da-aaa1-00904bf40e21}]
\Shell\AutoRun\command - E:\PortableFirefox\PortableFirefox.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c92bbc61-ded1-11da-aaa2-000fb0745ca3}]
\Shell\AutoRun\command - E:\JDSecure\Windows\JDSecure31.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{deb960f0-5a6d-11db-aae2-00904bf40e21}]
\Shell\AutoRun\command - E:\JDSecure\Windows\JDSecure31.exe

.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-23 11:49:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C:\\Program Files\\1&1\\1&1 EasyLogin\\EasyLogin.exe"="\"1&1 EasyLogin\" HIDE"
.
Completion time: 2007-11-23 11:51:11
.
--- E O F ---

spw3336
2007-11-23, 18:45
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:53:28 AM, on 11/23/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\Program Files\NetMeeting\mefereh77798.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mymail.rit.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {33D3BF68-7617-4975-BA46-83A2A604A4E3} - C:\Program Files\Internet Explorer\mewocykov83122.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6B729991-E1EC-4CB3-90C0-033B74928E66} - C:\WINDOWS\system32\sstqr.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {B823A847-BCF5-46B4-84D6-F8D34ED4C766} - \
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Norton Ghost 12.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [mefereh] C:\Program Files\NetMeeting\mefereh77798.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA9278] command /c del "C:\WINDOWS\system32\drivers\core.sys"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6960] cmd /c del "C:\WINDOWS\system32\drivers\core.sys"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe] "1&1 EasyLogin" HIDE
O4 - HKCU\..\Run: [Snte] "C:\DOCUME~1\Shawn\MYDOCU~1\SKS~1\logonui.exe" --ru -vt yazb
O4 - HKCU\..\Run: [Nsf] "C:\Documents and Settings\Shawn\Application Data\?ssembly\r?ndll32.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Startup: PowerReg Scheduler.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\Ctrax Player\DMDownload.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Shawn\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\Shawn\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe
O9 - Extra button: River Belle Poker - {83F8B625-1B04-4c35-8BA1-6DB4D7EDBADF} - C:\Program Files\riverbelleMPP\MPPoker.exe
O9 - Extra button: Golden Riviera Poker - {85BFB6E0-96F9-4424-8819-1D67E9F78D33} - C:\Program Files\goldenrivieraMPP\MPPoker.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: bet365 Poker - {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - C:\Program Files\bet365MPP\MPPoker.exe
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O20 - Winlogon Notify: sstqr - C:\WINDOWS\system32\sstqr.dll (file missing)
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 11031 bytes

pskelley
2007-11-23, 20:38
Thanks for returning your information; looking at the uninstall list for security issues:
Uninstall List:
J2SE Development Kit 5.0 Update 11
J2SE Runtime Environment 5.0 Update 11
Java(TM) 6 Update 2
See this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
Download the newest version of Java and uninstall all old versions in Add Remove programs.

I see someone likes Poker... I really see nothing like OIN, etc., that I was looking for. You should look to be sure you know all the programs you have installed.

Some questions first. I normally remove all downloaded program files dealing with poker and betting because these "free" games are often bundled with adware. I will leave them in your log; you can check and remove them if you wish. My suggestion from a security standpoint is to either play online or purchase the game so you can read the EULA before you install it. Free rarely is.

This one, I need to know if you use Netmeeting:
C:\Program Files\NetMeeting\mefereh77798.exe <<< there is little doubt that file is bad, but the folder may need to go also. The hackers call their junk what they wish; you should look in that folder and, if it was all installed at the time of this infection (probably Files Created from 2007-10-23 to 2007-11-23), then you should delete the complete folder. I will ask you to make that call.

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) TeaTimer will block changes we must make; use these instructions to turn it off until we are done.
http://russelltexas.com/malware/teatimer.htm

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {33D3BF68-7617-4975-BA46-83A2A604A4E3} - C:\Program Files\Internet Explorer\mewocykov83122.dll
O2 - BHO: (no name) - {6B729991-E1EC-4CB3-90C0-033B74928E66} - C:\WINDOWS\system32\sstqr.dll (file missing)
O2 - BHO: (no name) - {B823A847-BCF5-46B4-84D6-F8D34ED4C766} - \
O4 - HKLM\..\Run: [mefereh] C:\Program Files\NetMeeting\mefereh77798.exe
O4 - HKLM\..\RunOnce: [SpybotDeletingA9278] command /c del "C:\WINDOWS\system32\drivers\core.sys" G
O4 - HKLM\..\RunOnce: [SpybotDeletingC6960] cmd /c del "C:\WINDOWS\system32\drivers\core.sys"
O4 - HKCU\..\Run: [Snte] "C:\DOCUME~1\Shawn\MYDOCU~1\SKS~1\logonui.exe" --ru -vt yazb
O4 - HKCU\..\Run: [Nsf] "C:\Documents and Settings\Shawn\Application Data\?ssembly\r?ndll32.exe"
O4 - Startup: PowerReg Scheduler.exe
O20 - Winlogon Notify: sstqr - C:\WINDOWS\system32\sstqr.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) RIGHT Click on Start then click on Explore. Locate and delete these items:

C:\Program Files\NetMeeting\mefereh77798.exe <<< delete at least that file (the folder if you find it is bad, which I believe it is)

C:\DOCUME~1\Shawn\MYDOCUMENTS & SETTINGS~1\SKS~1\ <<< delete that folder

C:\Documents and Settings\Shawn\Application Data\?ssembly\ <<< delete that folder

C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ <<< delete the contents of that "Recovery" folder
http://ict.cas.psu.edu/training/howto/util/removespybot.htm#1 <<< see this

C:\Documents and Settings\Shawn\Application Data\Sun\Java\Deployment\cache\ <<< Java cache is infected, delete the contents
See this >>> http://support.f-secure.com/enu/home/virusproblem/howtoclean/cleanjavacache.shtml

C:\Documents and Settings\Shawn\Local Settings\Temp\ <<< delete the contents of that Temp folder

C:\temp\ <<< delete the contents of that temp folder

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart the computer and post a new HJT log along with some feedback.

Thanks
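
The checks applied by hand in the post above (entries whose target is missing, nameless BHOs, autostarts launched from inside the user profile, the `?` characters HJT prints where it cannot show a character, and unidentifiable names like mefereh77798.exe) can be written down as triage heuristics. This is an added example, not code from the thread, the helper, or HijackThis; the sample lines are copied from the log posted earlier in the thread, and the reason strings are this example's own.

```python
"""Triage heuristics for HijackThis (HJT) log lines.

Added example for this thread; not code from the forum, the helper,
or HijackThis. It flags the same kinds of entries the helper picks out
by hand when reading a log.
"""
from __future__ import annotations

import re

# Windows path ending in an executable-style extension, quoted or not.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:exe|dll|lnk|sys|cpl|scr))', re.I)
# Target inside a user profile, long form or 8.3 short form.
PROFILE_RE = re.compile(r"^[a-z]:\\(documents and settings|docume~1)\\", re.I)
# Letters followed by a run of digits, e.g. mefereh77798.exe or mewocykov83122.dll.
RANDOM_NAME_RE = re.compile(r"[a-z]{4,}\d{4,}\.(?:exe|dll)", re.I)
# HJT marks entries whose target no longer exists with one of these.
ORPHAN_MARKERS = ("(file missing)", "(no file)")
# Sections that launch code at logon: Run keys/startup folders and Winlogon Notify.
AUTOSTART_CODES = {"O4", "O20"}

# Constructed sample: lines copied from the first HJT log posted in the thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {33D3BF68-7617-4975-BA46-83A2A604A4E3} - C:\Program Files\Internet Explorer\mewocykov83122.dll
O2 - BHO: (no name) - {6B729991-E1EC-4CB3-90C0-033B74928E66} - C:\WINDOWS\system32\sstqr.dll (file missing)
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [mefereh] C:\Program Files\NetMeeting\mefereh77798.exe
O4 - HKCU\..\Run: [Snte] "C:\DOCUME~1\Shawn\MYDOCU~1\SKS~1\logonui.exe" --ru -vt yazb
O4 - HKCU\..\Run: [Nsf] "C:\Documents and Settings\Shawn\Application Data\?ssembly\r?ndll32.exe"
O20 - Winlogon Notify: sstqr - C:\WINDOWS\system32\sstqr.dll (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
"""


def triage_line(line: str) -> list[str]:
    """Return the reasons (possibly none) why one HJT line deserves a look."""
    reasons: list[str] = []
    code = line.split(" - ", 1)[0].strip()  # section code, e.g. "O4", "O2", "O20"
    match = PATH_RE.search(line)
    path = match.group(1) if match else ""
    basename = path.rsplit("\\", 1)[-1]

    if any(marker in line for marker in ORPHAN_MARKERS):
        # The registry/BHO entry survived but its file is gone: leftover to fix.
        reasons.append("orphaned entry (target no longer exists)")
    if code == "O2" and "(no name)" in line:
        # Legitimate BHOs almost always carry a name; adware often does not.
        reasons.append("BHO with no name")
    if code in AUTOSTART_CODES and PROFILE_RE.match(path):
        # Autostarts from Application Data, My Documents, Temp etc. are unusual
        # for installed software and typical for dropped files.
        reasons.append("autostart launched from a user profile folder")
    if "?" in path:
        # '?' is not legal in a Windows file name, so HJT printed it in place of
        # a character it could not render (a look-alike name such as ?ssembly).
        reasons.append("path contains a character HJT could not print")
    if RANDOM_NAME_RE.fullmatch(basename):
        reasons.append("random-looking file name")
    return reasons


def triage(log_text: str) -> list[tuple[str, list[str]]]:
    """Run triage_line over a whole log; return only the flagged lines."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        reasons = triage_line(line)
        if reasons:
            findings.append((line, reasons))
    return findings


if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

Lines that come back clean (the Adobe BHO, the ZoneAlarm Run key) are not proof of anything; the heuristics only order the list for a human reviewer.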

spw3336
2007-11-24, 01:44
First for some feedback/questions:
1. Do I uninstall using HijackThis or Windows Control Panel?
2. Those are poker clients for online, however they will be removed as I no longer play.
3. I don't use the mefereh...exe file; it was modified 8/7/2007 and all the other files are from 2004, so I am only going to remove that single file.

Again, thank you very much for your time.

pskelley
2007-11-24, 13:16
Thanks for the questions and feedback.
1) Always use Add Remove programs to uninstall them.
2) Wise move, unless you carefully read each eula before installing, there is no way to know what goodies were bundled with them.
3) That will work. You state a date of 8/7/2007 for that file >> mefereh77798.exe, but it looks to me like this infection occurred on 11/17/2007? I could not get Google to identify that file, which is usually an indicator of it being bad. If you wish, in the future use one or more of these free scanners to find out what the file is:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/
That file should be in your Recycle Bin if you wish to check it.

When you complete those instructions, post the HJT log so I can make sure you got it all. I will still need to see a last Kaspersky scan, but don't run it until I ask for it. There are backups and quarantines that need to be removed first or they will show as infections in the scan.

Thanks...Phil

spw3336
2007-11-28, 17:48
Just wanted to let you know, I haven't forgotten or stopped responding, just out of town. I'll try to have the scans up later this week, sorry to delay you finishing off this thread.

spw3336
2007-12-05, 02:17
Okay I'm back in the game, sorry for the delay.

This is the list of programs I uninstalled:

Absolute Poker
EmpirePoker
GamesGrid Poker
Golden Riviera Poker
HollywoodPoker.com (remove only)
InterPoker
J2SE Development Kit 5.0 Update 11
J2SE Runtime Environment 5.0 Update 11
Java (TM) 6 Update 2
MLB.TV Mosaic
Paradise Poker
PartyPoker
Poker Tracker Version 2.10.02b
Poker World
PokerPlex
PokerStars
River Belle Poker
Royal Vegas Poker
Sportsbook.com Poker
SunPoker.com
Swarmcast
Swarmcast for MLB-TV-Mosaic
totalbet poker
UltimateBet
William Hill Poker

Regarding step 4,
O4 - HKLM\..\RunOnce: [SpybotDeletingA9278] command /c del "C:\WINDOWS\system32\drivers\core.sys" G
and
O4 - HKLM\..\RunOnce: [SpybotDeletingC6960] cmd /c del "C:\WINDOWS\system32\drivers\core.sys" were no longer listed.

Regarding Step 5, I was unable to locate
C:\DOCUME~1\Shawn\MYDOCUMENTS & SETTINGS~1\SKS~1\
or
C:\Documents and Settings\Shawn\Application Data\?ssembly\ to delete them.

Also, in C:\Documents and Settings\Shawn\Local Settings\Temp\ I could not delete 4 files starting with Perflib_Perfdata_(3 characters).dat despite several restarts. I looked them up and they seem to be something for XP, so they may be okay.

HJT log to follow.

spw3336
2007-12-05, 02:18
Other than those hitches, everything went fine.

Thanks for your help, looking forward to hearing back from you.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:12:25 PM, on 12/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mymail.rit.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {27767020-BB95-9333-B598-B66EFC9C96B7} - (no file)
O2 - BHO: (no name) - {4A29D965-E87A-4A98-2885-CFAE8B79C1D2} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {e84ee827-4c05-430c-8c5e-4f2faff8e43e} - (no file)
O2 - BHO: (no name) - {E8D0F521-8F19-4E62-AB91-A48082E0ED52} - (no file)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Norton Ghost 12.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe] "1&1 EasyLogin" HIDE
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\Ctrax Player\DMDownload.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: bet365 Poker - {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - C:\Program Files\bet365MPP\MPPoker.exe
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} -
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9227 bytes

spw3336
2007-12-05, 02:18
By the way, I notice that some of these steps were for IE specifically it seemed. Is there anything I should do because I use Firefox?

pskelley
2007-12-05, 02:40
Thanks for returning your information and the feedback, you asked:

By the way, I notice that some of these steps were for IE specifically it seemed. Is there anything I should do because I use Firefox?

Are you having any problems with Firefox? Since more folks use IE, guess which browser they go after. It has nothing to do with which browser is best, but where the numbers are.

ATF-Cleaner will clean Firefox also, when you open the cleaner, change it to Firefox at the top.

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
I notice you have the Java Scheduler running. Do as you wish, but you can see it is not working right; you just updated to:
C:\Program Files\Java\jre1.6.0_03\
What I do is uncheck it (turn it off) and update manually, I check once a month.

Make sure TeaTimer is turned off, it will block changes we must make.

A little more cleaning to do, Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {27767020-BB95-9333-B598-B66EFC9C96B7} - (no file)
O2 - BHO: (no name) - {4A29D965-E87A-4A98-2885-CFAE8B79C1D2} - (no file)
O2 - BHO: (no name) - {e84ee827-4c05-430c-8c5e-4f2faff8e43e} - (no file)
O2 - BHO: (no name) - {E8D0F521-8F19-4E62-AB91-A48082E0ED52} - (no file)
O9 - Extra button: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: EmpirePoker - {77E68763-4284-41d6-B7E7-B6E1F053A9E7} - C:\Program Files\EmpirePokerMaster\EmpirePoker\RunEPoker.exe (file missing)
O9 - Extra button: bet365 Poker - {B1BA4A3F-1C95-497b-9F82-F8DA4A5C89DD} - C:\Program Files\bet365MPP\MPPoker.exe
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\Program Files\PartyGaming\PartyCasino\RunCasino.exe (file missing)
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra button: Royal Vegas Poker - {FA4904B4-1FAF-4afd-886C-C19D2297BA62} - C:\Program Files\royalvegasMPP\MPPoker.exe (file missing)
O16 - DPF: {CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA} -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} -

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Post a new HJT log, let me know how the computer is running. If all is running well, then it's time to look at a Kaspersky scan. There will be some infected files because we have not cleaned the infected System Restore files yet.

Please use these settings:

Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner

Next Click on Launch Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks

spw3336
2007-12-05, 02:48
No problems with Firefox, just wanted to make sure that you didn't think I was an IE user and attacked the problem that way.

spw3336
2007-12-05, 03:12
System seems to be running great, even seems to have a quicker bootup than before.

Hopefully the last HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:20 PM, on 12/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\acs.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\LxrJD31s.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Norton Ghost\Agent\VProTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\D-Link AirPlus Xtreme G\AirPlus.exe
C:\Program Files\No-IP\DUC20.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://mymail.rit.edu/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [Norton Ghost 12.0] "C:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [C:\Program Files\1&1\1&1 EasyLogin\EasyLogin.exe] "1&1 EasyLogin" HIDE
O4 - HKCU\..\Run: [Insider] C:\Program Files\Insider\Insider.exe
O4 - Startup: No-IP DUC.lnk = C:\Program Files\No-IP\DUC20.exe
O4 - Global Startup: D-Link AirPlus Xtreme G Configuration Utility.lnk = ?
O4 - Global Startup: D-Link REG Utility.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\Ctrax Player\DMDownload.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q305&bd=presario&pf=laptop
O16 - DPF: ActiveGS.cab - http://www.virtualapple.com/activegs.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://supportcenter.rr.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {49232000-16E4-426C-A231-62846947304B} (SysData Class) - http://ipgweb.cce.hp.com/rdqnbk/downloads/sysinfo.cab
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Imapi Helper - Alex Feinman - C:\Program Files\ISO Recorder\ImapiHelper.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Unknown owner - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Lexar JD31 (LxrJD31s) - Unknown owner - C:\WINDOWS\SYSTEM32\LxrJD31s.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7316 bytes

I'm a little confused by the Java description, but it seems to be upgraded to 6.03 now, so maybe that fixed itself.

Can I remove things I know I don't want to startup...for instance: ActiveGS.cab and Lexar JD 31?

I'll wait to hear back from you before doing a Kaspersky.

pskelley
2007-12-05, 09:43
Thanks for the feedback, that's good to hear. I was trying to make you aware that the Java Scheduler, which we all know is buggy and most of us turn it off to save resources, is showing one thing when you know you are up to date. You may do as you wish, but I just want you to know it is using resources and can't be trusted.

See this: http://www.netsquirrel.com/msconfig/msconfig_xp.html
You may turn off any programs you wish security programs.

I understand you still are running Norton Ghost along with Network Associates (McAfee) but I see this:
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
http://www.processlibrary.com/directory/files/aluschedulersvc
any reason why it is running?

Kaspersky is a good scan and if anything is hiding from us, it will show us. I will make the scan optional, but suggested. You may update and run your resident antivirus program, but it is always good to get a second opinion.

Thanks...Phil

spw3336
2007-12-05, 18:15
In msconfig, the following entry scares me, as I did not install it:
Insider, command: C:\Program Files\Insider\Insider.exe

As for the Symantec, Norton Ghost is made by Symantec, so that must be why it's running. I shut it down, but presumably it will just return on restart.

Going to begin running Kaspersky now.

pskelley
2007-12-05, 19:21
C:\Program Files\Insider\Insider.exe <<< http://www.google.com/search?hl=en&q=Insider.exe&btnG=Google+Search
I can find anything good about that item. Open the folder and see what is in it. Here are scans you can use if needed:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/

You can delete that folder if you are sure it is not needed.

Please let me look at an uninstall list:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)

If possible I would like to see if Kaspersky indicates that item is bad during the scan.

Thanks

spw3336
2007-12-05, 21:19
Hm...I cannot find that Insider folder now (even looking for hidden folders), so the msconfig must have been leftover from something I had installed (ESPN Insider is a possibility).

Uninstall list:
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Photoshop 7.0
Adobe Reader 8
Adobe Shockwave Player
Adobe SVG Viewer 3.0
AIMutation (remove only)
AOL Instant Messenger
ATI Control Panel
ATI Display Driver
BEAT THE MARKET
CDBurnerXP Pro 3
Compaq Presario r4000 User Guides
Conexant AC-Link Audio
Craxtion4
Data Fax SoftModem with SmartCP
DC++ 0.691
Diamond Mind Baseball version 9
D-Link AirPlus Xtreme G Adapter
DMB Encyclopedia 9b patch
DMB Encyclopedia version 9
DMB version 9a patch
DMB version 9b patch
DMB version 9c patch
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB926239)
HP Document Viewer 5.3
HP Help and Support
HP Image Zone 5.3
HP Imaging Device Functions 5.3
HP Integrated Module with Bluetooth wireless technology
HP PSC & OfficeJet 5.3.A
HP Software Update
HP Solution Center & Imaging Support Tools 5.3
InterVideo WinDVD
Ipswitch WS_FTP Professional 2006
ISO Recorder
iTunes
Java(TM) 6 Update 3
JD Secure 3.1
Kaspersky Online Scanner
K-Lite Codec Pack 2.77 Basic
LiveUpdate 3.2 (Symantec Corporation)
Logitech Harmony Remote Software 7
Macromedia Director MX 2004
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Device Emulator version 1.0 - ENU
Microsoft Document Explorer 2005
Microsoft Document Explorer 2005
Microsoft Money 2005
Microsoft Office Converter Pack
Microsoft Office OneNote 2003
Microsoft Office Visio Professional 2003
Microsoft Office XP Professional
Microsoft Script Debugger
Microsoft SQL Server 2005 Mobile [ENU] Developer Tools
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Microsoft Visual J# 2.0 Redistributable Package
Microsoft Visual Studio 2005 Professional Edition - ENU
Microsoft Works
Mozilla Firefox (2.0.0.11)
MSN Music Assistant
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
muvee autoProducer 4.0 - SE
MySQL Server 5.0
NHL 2001
No-IP.com DUC (remove only)
Norton Ghost
Personal License Update Wizard for Windows Media Player
PowerISO
Quick Launch Buttons 5.10 B3
QuickTime
Remote Control USB Driver
ScreenStream
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB929969)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931768)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933566)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB937143)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB943460)
Sonic Audio Module
Sonic Copy Module
Sonic Data Module
Sonic Express Labeler
Sonic MyDVD Plus
Sonic Update Manager
Spybot - Search & Destroy
SQLite ODBC Driver
Steam(TM)
Synaptics Pointing Device Driver
UltraEdit-32
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
UserGuides
Windows Driver Package - Advanced Micro Devices (AmdK8) Processor (05/27/2006 1.3.2.0)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB884575
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885464
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885855
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB892559
Windows XP Hotfix - KB893086
WinRAR archiver
WinSCP 4.0.4
Yahoo! Widgets
ZoneAlarm

Kaspersky to follow.

spw3336
2007-12-05, 21:21
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, December 05, 2007 3:13:33 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/12/2007
Kaspersky Anti-Virus database records: 443261
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 204587
Number of viruses found: 17
Number of infected objects: 42
Number of suspicious objects: 0
Duration of the scan process: 02:47:56

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\0102\0310\values Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Shawn\Application Data\Aim\ebxzrvsf\spw26yankees\cert8.db Object is locked skipped
C:\Documents and Settings\Shawn\Application Data\Aim\ebxzrvsf\spw26yankees\key3.db Object is locked skipped
C:\Documents and Settings\Shawn\Application Data\Ipswitch\WS_FTP\Logs\1plus120071205123805_1064.rtf Object is locked skipped
C:\Documents and Settings\Shawn\Application Data\Ipswitch\WS_FTP\Logs\1plus120071205123806_1664.rtf Object is locked skipped
C:\Documents and Settings\Shawn\Application Data\Ipswitch\WS_FTP\requests.dat Object is locked skipped
C:\Documents and Settings\Shawn\Application Data\Ipswitch\WS_FTP\TransferHistory.dat Object is locked skipped
C:\Documents and Settings\Shawn\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\cert8.db Object is locked skipped
C:\Documents and Settings\Shawn\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Shawn\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\history.dat Object is locked skipped
C:\Documents and Settings\Shawn\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\key3.db Object is locked skipped
C:\Documents and Settings\Shawn\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\parent.lock Object is locked skipped
C:\Documents and Settings\Shawn\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Shawn\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Shawn\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\webappsstore.sqlite Object is locked skipped
C:\Documents and Settings\Shawn\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Shawn\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Shawn\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Shawn\Local Settings\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Shawn\Local Settings\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Shawn\Local Settings\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Shawn\Local Settings\Application Data\Mozilla\Firefox\Profiles\uz5vavww.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Shawn\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Shawn\Local Settings\History\History.IE5\MSHist012007120520071206\index.dat Object is locked skipped
C:\Documents and Settings\Shawn\Local Settings\Temp\Perflib_Perfdata_4f4.dat Object is locked skipped
C:\Documents and Settings\Shawn\Local Settings\Temp\Perflib_Perfdata_b88.dat Object is locked skipped
C:\Documents and Settings\Shawn\Local Settings\Temp\~DFE10B.tmp Object is locked skipped
C:\Documents and Settings\Shawn\Local Settings\Temp\~efa053\~efe2.tmp Object is locked skipped
C:\Documents and Settings\Shawn\Local Settings\Temp\~efb6aa\~efe2.tmp Object is locked skipped
C:\Documents and Settings\Shawn\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Shawn\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Shawn\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\rterek.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\Program Files\No-IP\DUC - Shawn.log Object is locked skipped
C:\qoobox\Quarantine\C\Documents and Settings\Shawn\My Documents\SKS~1\logonui.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.eu skipped
C:\qoobox\Quarantine\C\Program Files\Common Files\qujav.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\qoobox\Quarantine\C\WINDOWS\b104.exe.vir/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\qoobox\Quarantine\C\WINDOWS\b104.exe.vir/stream Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\qoobox\Quarantine\C\WINDOWS\b104.exe.vir NSIS: infected - 2 skipped
C:\qoobox\Quarantine\C\WINDOWS\b111.exe.vir Infected: Trojan-Downloader.Win32.Agent.fjv skipped
C:\qoobox\Quarantine\C\WINDOWS\b122.exe.vir Infected: Trojan-Downloader.Win32.Agent.erf skipped
C:\qoobox\Quarantine\C\WINDOWS\b138.exe.vir Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\qoobox\Quarantine\C\WINDOWS\b147.exe.vir Infected: Trojan-Downloader.Win32.Agent.fjn skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\a1\rarndrll2.exe.vir Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\r2\wr31drs.exe.vir Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\qoobox\Quarantine\C\WINDOWS\tk58.exe.vir Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\tracking.log Object is locked skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP808\A0162373.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP808\A0162374.exe/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP808\A0162374.exe/data0005 Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP808\A0162374.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP808\A0162377.exe Infected: Trojan-Downloader.Win32.PurityScan.eu skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP809\A0162649.dll Infected: Trojan.Win32.Pakes.akr skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP811\A0164244.sys Infected: Rootkit.Win32.Agent.mb skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP813\A0165260.dll Infected: Trojan.Win32.Pakes.sv skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP814\A0165397.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP814\A0165397.exe/stream Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP814\A0165397.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP814\A0165398.exe Infected: Trojan-Downloader.Win32.Agent.fjv skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP814\A0165399.exe Infected: Trojan-Downloader.Win32.Agent.erf skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP814\A0165400.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP814\A0165401.exe Infected: Trojan-Downloader.Win32.Agent.fjn skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP814\A0165403.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP814\A0165410.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP814\A0165412.exe Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP814\A0165414.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP823\change.log Object is locked skipped
C:\VundoFix Backups\rqrppqo.dll.bad Infected: Trojan.Win32.Pakes.sv skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\i.bat Infected: Trojan-Downloader.BAT.Ftp.ca skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\SPWLAPTOP.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\mrofinu1000106.exe Infected: Trojan-Downloader.Win32.Agent.fhv skipped
C:\WINDOWS\mrofinu312.exe Infected: Trojan-Downloader.Win32.Agent.fhv skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{1CFA2616-D664-4DC9-8F9C-4B4042163C27}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hakbqwxp.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\Mz16r\Mz16r2291.exe Infected: Trojan-Downloader.Win32.VB.bqc skipped
C:\WINDOWS\system32\ope9D2.exe Infected: Trojan-Downloader.Win32.Small.gll skipped
C:\WINDOWS\system32\ope9D4.exe/data0006 Infected: Trojan-Downloader.Win32.VB.bqc skipped
C:\WINDOWS\system32\ope9D4.exe NSIS: infected - 1 skipped
C:\WINDOWS\system32\svjhpfru.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_1d0.dat Object is locked skipped
C:\WINDOWS\Temp\ZLT01863.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT0186d.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\xampp\apache\logs\access.log Object is locked skipped
C:\xampp\apache\logs\error.log Object is locked skipped
C:\xampp\apache\logs\sslerror.log Object is locked skipped
C:\xampp\mysql\data\SPWlaptop.err Object is locked skipped

Scan process completed.

pskelley
2007-12-05, 21:45
Thanks for returning your information and the feedback. Kaspersky should show us anything left as far as malware.
Did you miss this?
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)
My eyes are about shot from looking through information I don't need to see.

Uninstall list: <<< I look for malware and security issues, it's a good chance for you to see stuff you no longer need.
I do not know all of your programs, as far as I can see there are no issues there.

KASPERSKY ONLINE SCANNER REPORT Wednesday, December 05, 2007 3:13:33 PM
Number of infected objects: 42

Delete the files and folder in red

C:\Program Files\Common Files\rterek.html
C:\WINDOWS\i.bat
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu312.exe
C:\WINDOWS\system32\hakbqwxp.exe
C:\WINDOWS\system32\Mz16r\
C:\WINDOWS\system32\ope9D2.exe
C:\WINDOWS\system32\ope9D4.exe
C:\WINDOWS\system32\svjhpfru.exe

If you have any problems, boot to safe mode and remove them or use this tool:

How to use the Delete on Reboot tool http://www.bleepingcomputer.com/tutorials/tutorial42.html#delreb

C:\qoobox\Quarantine\ <<< delete that folder

C:\VundoFix Backups\ <<< delete that folder

Once you get successfully to this point, restart your computer and clean the System Restore files:

MANUAL INSTRUCTIONS FOR SYSTEM RESTORE
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Run a new Kaspersky scan to see if we got it all, do not post a clean scan report.

Thanks
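
As an added example (not part of the thread, and not a Kaspersky or Safer Networking tool), here is a small script that does mechanically what Phil did by eye on the report above: it separates "Object is locked" noise from real detections, collapses archive members such as ope9D4.exe/data0006 onto the file that exists on disk, and sorts hits into live files to delete, quarantine folders to delete whole, and System Restore points to flush. The sample report is constructed from a few lines quoted in this thread; the quarantine prefixes and the System Restore prefix are the ones that appear in it.

```python
import re

# Constructed sample in the format of the Kaspersky Online Scanner report
# quoted in this thread: a handful of its lines, not the whole report.
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Shawn\NTUSER.DAT Object is locked skipped
C:\Program Files\Common Files\rterek.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\qoobox\Quarantine\C\WINDOWS\tk58.exe.vir Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP814\A0165414.exe Infected: Trojan.Win32.BHO.ab skipped
C:\VundoFix Backups\rqrppqo.dll.bad Infected: Trojan.Win32.Pakes.sv skipped
C:\WINDOWS\system32\Mz16r\Mz16r2291.exe Infected: Trojan-Downloader.Win32.VB.bqc skipped
C:\WINDOWS\system32\ope9D4.exe/data0006 Infected: Trojan-Downloader.Win32.VB.bqc skipped
C:\WINDOWS\system32\ope9D4.exe NSIS: infected - 1 skipped
C:\WINDOWS\i.bat Infected: Trojan-Downloader.BAT.Ftp.ca skipped

Scan process completed.
"""

# Line shapes seen in the report: a named detection, an NSIS installer
# container whose members were flagged, and files the scanner could not open.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) NSIS: infected - (?P<count>\d+) skipped$")
LOCKED_SUFFIX = " Object is locked skipped"

# Locations that are not cleaned file by file (prefixes taken from the thread):
# the helper had the poster delete the quarantine folders whole and flush
# System Restore rather than pick individual files out of them.
SYSTEM_RESTORE_PREFIX = "C:\\System Volume Information\\_restore"
QUARANTINE_FOLDERS = ("C:\\qoobox\\Quarantine\\", "C:\\VundoFix Backups\\")


def parse_line(line):
    """Classify one report line as ('locked'|'infected', path, detection).
    Returns None for the header, blank lines and 'Scan process completed.'"""
    line = line.rstrip("\r\n")
    if line.endswith(LOCKED_SUFFIX):
        return ("locked", line[: -len(LOCKED_SUFFIX)], None)
    m = INFECTED_RE.match(line)
    if m:
        return ("infected", m.group("path"), m.group("name"))
    m = CONTAINER_RE.match(line)
    if m:
        return ("infected", m.group("path"), "NSIS container (%s hits)" % m.group("count"))
    return None


def on_disk_path(path):
    """The scanner reports archive members as '<file>/<member>'; only the
    part before the first '/' is a real file that can be deleted."""
    return path.split("/", 1)[0]


def triage_report(report_text):
    """Build the removal plan: live infected files (with their detections),
    quarantine folders to delete whole, the number of System Restore hits,
    and a count of locked objects, which are not detections at all."""
    live = {}            # on-disk path -> set of detection names
    quarantine_hits = set()
    restore_hits = 0
    locked = 0
    for line in report_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        kind, path, name = parsed
        if kind == "locked":
            locked += 1
            continue
        path = on_disk_path(path)
        lower = path.lower()
        if lower.startswith(SYSTEM_RESTORE_PREFIX.lower()):
            restore_hits += 1
            continue
        folder = next((q for q in QUARANTINE_FOLDERS if lower.startswith(q.lower())), None)
        if folder is not None:
            quarantine_hits.add(folder)
        else:
            live.setdefault(path, set()).add(name)
    return {
        "live": sorted(live, key=str.lower),
        "live_detections": {p: sorted(n) for p, n in live.items()},
        "quarantine_folders": [q for q in QUARANTINE_FOLDERS if q in quarantine_hits],
        "system_restore_hits": restore_hits,
        "locked": locked,
    }


if __name__ == "__main__":
    plan = triage_report(SAMPLE_REPORT)
    print("Delete these files:")
    for p in plan["live"]:
        print("  %s  (%s)" % (p, ", ".join(plan["live_detections"][p])))
    print("Delete these folders whole:", plan["quarantine_folders"])
    print("Restore points holding malware:", plan["system_restore_hits"])
    print("Locked objects (not detections):", plan["locked"])
```

Feed it the full report text instead of the sample and the "live" list is the set Phil marked for deletion; a non-zero System Restore count is the cue for the turn-off/turn-on procedure above.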

spw3336
2007-12-08, 01:08
Did you miss this?
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)
My eyes are about shot from looking through information I don't need to see.


Sorry, I saw "may" and figured better to leave it in just in case.

Was able to delete all those files/folders and Kaspersky came up clean!

Is there anything else? If not, thank you VERY MUCH for your time, effort and help.

Shawn

pskelley
2007-12-08, 01:15
Sounds good, how about having Happy Holidays:santa:

http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

Thanks...Phil
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

spw3336
2007-12-08, 15:56
Thanks very much Phil.

Shawn