View Full Version : .Mydor variant and others?
compagent
2007-11-28, 01:40
First off, thank you for providing these forums for users to come in and get more reliable, professional help that may never be available to us otherwise.
My virus software first picked up an infected file last night. I believe the source is a carrier on some game mods I downloaded yesterday afternoon.
After the discovery, I did the following:
- Updated all virus softare
- Ran a complete scan using PC-Cillin Internet Security 2007
- Ran Spybot S&D v1.5
Both scans found things, and most were removed, with the exception of a .Mydor virus.
- Rebooted to Safe-Mode and ran Spybot S&D again
- Rebooted Normally to pop-ups caused by virus/malware (asking to download said program to clear it, its the only way)
- Reran complete PC-Cillin scan to find some previously deleted infections had returned.
Then this morning, I ran updates for both programs and did the above again. Things are 'better' in that my computer is usable (performance improvement), and less random pop-ups, but there is still this .Mydor with possibly a few other things that I am unsure of.
Here are the KASPERSKY scan results:
Tuesday, November 27, 2007 7:16:24 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/11/2007
Kaspersky Anti-Virus database records: 467150
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
F:\
Scan Statistics
Total number of scanned objects 146567
Number of viruses found 14
Number of infected objects 35
Number of suspicious objects 0
Duration of the scan process 01:46:35
Infected Object Name Virus Name Last Action
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip/winoyb32.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Bryan\Application Data\CiscoCAA\event.log Object is locked skipped
C:\Documents and Settings\Bryan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Bryan\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Bryan\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Bryan\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Bryan\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\Bryan\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\Bryan\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Bryan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Bryan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Bryan\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Bryan\Local Settings\Temp\~DF59F4.tmp Object is locked skipped
C:\Documents and Settings\Bryan\Local Settings\Temporary Internet Files\Content.IE5\9YBAI89Q\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\Documents and Settings\Bryan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Bryan\Local Settings\Temporary Internet Files\Content.IE5\M1V9US18\pochki20071106[1] Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Documents and Settings\Bryan\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Bryan\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\DAP\Offers\spo3.exe/WISE0010.BIN Infected: not-a-virus:AdTool.Win32.MyWebSearch.bk skipped
C:\Program Files\DAP\Offers\spo3.exe WiseSFX: infected - 1 skipped
C:\Program Files\DAP\Offers\spo3.exe WiseSFX Dropper: infected - 1 skipped
C:\Program Files\DAP\Offers\VA21_DAPSO_US.exe/WISE0009.BIN Infected: not-a-virus:AdTool.Win32.MyWebSearch.bk skipped
C:\Program Files\DAP\Offers\VA21_DAPSO_US.exe WiseSFX: infected - 1 skipped
C:\Program Files\DAP\Offers\VA21_DAPSO_US.exe WiseSFX Dropper: infected - 1 skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\61D.tmp Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\Program Files\Trend Micro\Internet Security 2007\Quarantine\648.tmp Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP144\A0029472.dll Object is locked skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP144\A0029473.exe Object is locked skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP160\A0031370.exe Infected: Trojan-Dropper.Win32.Agent.csv skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP160\A0032413.sys Infected: Trojan-Downloader.Win32.Agent.bnm skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP160\A0032414.dll Infected: Trojan-Downloader.Win32.Agent.bnm skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP160\A0032415.dll Infected: Trojan-Downloader.Win32.Agent.bnm skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP161\A0032451.dll Infected: not-a-virus:AdTool.Win32.WhenU.r skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP161\A0032460.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP161\A0034469.sys Infected: Rootkit.Win32.Agent.jp skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP161\A0035500.exe Infected: Trojan-Downloader.Win32.Injecter.ai skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP162\A0035551.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP162\A0035582.exe Infected: Trojan-Downloader.Win32.Injecter.ai skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP162\A0035587.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP162\A0035594.exe Object is locked skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP162\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\fccyvut.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.arm skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\ivuaphbk.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\WINDOWS\system32\jkkllkj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.arm skipped
C:\WINDOWS\system32\ljjkihh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.arm skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\pokbmkdn.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\WINDOWS\system32\sioeftjh.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\WINDOWS\system32\srafltaq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wqvadbre.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINDOWS\system32\xpdx.sys Infected: Trojan.Win32.Agent.cxs skipped
C:\WINDOWS\Temp\$_2341233.TMP Object is locked skipped
C:\WINDOWS\Temp\$_2341234.TMP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_198.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP162\change.log Object is locked skipped
Scan process completed.
compagent
2007-11-28, 01:43
HJT Report:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:42:24 PM, on 11/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\WINDOWS\mHotkey.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\sioeftjh.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCMAIN.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PccHCMS.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\pokbmkdn.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ec1fbec8] rundll32.exe "C:\WINDOWS\system32\srafltaq.dll",b
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA7470] command /c del "C:\WINDOWS\Temp\$_2341233.TMP"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1566] cmd /c del "C:\WINDOWS\Temp\$_2341233.TMP"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [SpybotDeletingB1725] command /c del "C:\WINDOWS\Temp\$_2341233.TMP"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4331] cmd /c del "C:\WINDOWS\Temp\$_2341233.TMP"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://www.ashland.edu:2490/lib/ashland/support/plugins/ebraryRdr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187046451059
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189295176984
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\sioeftjh.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
--
End of file - 9588 bytes
pskelley
2007-11-29, 18:38
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
You have a Vundo infection which can be very hard to remove. This will take some time and unless you are patient, understand how to follow directions and are comfortable working on your computer, you may want to seek local professional help. Your System Restore files are infected, but that can't get on your computer unless you do a System Restore, so do not.
If you wish to proceed, please read and follow the directions carefully.
1) System Configuration Utility (MSConfig) is in Selective Startup mode, please return it to Normal mode until we finish.
2) C:\Program Files\Viewpoint\Common\ViewpointService.exe
For your information, Viewpoint is installed by aol probably without your knowledge. I suggest you uninstall this resource waster in Add Remove programs.
http://www.greatis.com/appdata/u/v/viewmgr.exe.htm
http://www.spywareinfo.com/newsletter/archives/2005/nov4.php#viewpoint
http://www.clickz.com/news/article.php/3561546
3) Thanks to Atribune and any others who helped with this fix.
http://vundofix.atribune.org/ <<< tutorial
"Download VundoFix" to your Desktop
http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will attempt run on reboot, simply follow the above instructions starting from "Click
the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on the C:\
2) Thanks tosUBs and anyone else who helped with this fix.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Post the Vundofix.txt, combofix log and a new HJT log
Thanks
compagent
2007-11-30, 08:01
Thank you for your help pskelley
I followed your instructions.
- I reset msconfig back to normal mode
- I uninstalled Viewpoint Media Player
- I followed all Vundofix instructions
- I ran Spybot S&D again to check findings on startup.
Vundofix.txt is here. Combofix.txt and HJT log are in following post.
VundoFix V6.6.2
Checking Java version...
Scan started at 1:04:06 AM 11/30/2007
Listing files found while scanning....
C:\windows\system32\ivuaphbk.dll
C:\WINDOWS\system32\pokbmkdn.dll
C:\windows\system32\pokbmkdn.dllbox
Beginning removal...
Attempting to delete C:\windows\system32\ivuaphbk.dll
C:\windows\system32\ivuaphbk.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pokbmkdn.dll
C:\WINDOWS\system32\pokbmkdn.dll Has been deleted!
Attempting to delete C:\windows\system32\pokbmkdn.dllbox
C:\windows\system32\pokbmkdn.dllbox Has been deleted!
Performing Repairs to the registry.
Done!
compagent
2007-11-30, 08:03
ComboFix 07-11-19.4C - Bryan 2007-11-30 1:43:41.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1288 [GMT -5:00]
Running from: C:\Documents and Settings\Bryan\My Documents\My Completed Downloads\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\DOCUME~1\ALLUSE~1\STARTM~1\Live Safety Center.lnk
C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.lnk
C:\DOCUME~1\Bryan\Desktop\Live Safety Center.lnk
C:\DOCUME~1\Bryan\Desktop\Online Security Guide.lnk
C:\DOCUME~1\Bryan\FAVORI~1\Online Security Guide.lnk
C:\Documents and Settings\Bryan\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Bryan\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Bryan\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Guest\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Guest\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Guest\Favorites\Online Security Guide.lnk
C:\Program Files\Common Files\microsoft shared\web folders\ibm00001.dll
C:\Program Files\Common Files\microsoft shared\web folders\ibm00002.dll
C:\WINDOWS\system32\3_exception.nls
C:\WINDOWS\system32\accdd.ini
C:\WINDOWS\system32\accdd.ini2
C:\WINDOWS\system32\ddcca.dll
C:\WINDOWS\system32\drivers\runtime2.sys
C:\WINDOWS\system32\pokbmkdn.dllbox
C:\WINDOWS\system32\winsys.exe
C:\WINDOWS\system32\xpdx.sys
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NTMLSVC
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\nm
-------\NtmlSvc
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 )))))))))))))))))))))))))))))))
.
2007-11-30 01:04 <DIR> d-------- C:\VundoFix Backups
2007-11-29 13:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\QuickTime
2007-11-29 13:32 <DIR> d-------- C:\WINDOWS\system32\QuickTime
2007-11-29 13:32 388 --a------ C:\WINDOWS\system32\QuickTime.qtp
2007-11-29 11:01 85,056 --a------ C:\WINDOWS\system32\qrnythci.dll
2007-11-29 11:01 294 --ahs---- C:\WINDOWS\system32\ichtynrq.ini
2007-11-29 10:55 77,888 --a------ C:\WINDOWS\system32\hevvlgfp.dll
2007-11-29 00:31 <DIR> dr-h----- C:\Documents and Settings\Bryan\Application Data\SecuROM
2007-11-29 00:31 <DIR> dr-h----- C:\DOCUME~1\Bryan\APPLIC~1\SecuROM
2007-11-29 00:25 <DIR> d-------- C:\Program Files\Sierra Entertainment
2007-11-28 10:57 81,984 --a------ C:\WINDOWS\system32\oayklipw.dll
2007-11-28 10:51 85,056 --a------ C:\WINDOWS\system32\gdycvgow.dll
2007-11-28 10:51 594 --ahs---- C:\WINDOWS\system32\wogvcydg.ini
2007-11-27 10:59 <DIR> d-------- C:\Documents and Settings\Bryan\.housecall6.6
2007-11-27 10:51 78,912 --a------ C:\WINDOWS\system32\ephhwyce.dll
2007-11-27 10:48 534 --ahs---- C:\WINDOWS\system32\qatlfars.ini
2007-11-27 10:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-27 10:13 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-11-27 09:02 684,377 --a------ C:\WINDOWS\unins000.exe
2007-11-27 09:02 3,447 --a------ C:\WINDOWS\unins000.dat
2007-11-27 05:21 3,070 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-27 04:19 <DIR> d--h----- C:\WINDOWS\PIF
2007-11-27 04:16 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\FaxCtr
2007-11-26 22:50 80,960 --a------ C:\WINDOWS\system32\tsnpiwve.dll
2007-11-26 22:47 474 --ahs---- C:\WINDOWS\system32\erbdavqw.ini
2007-11-25 22:41 37,376 --a------ C:\WINDOWS\system32\fccyvut.dll
2007-11-25 22:39 37,376 --a------ C:\WINDOWS\system32\jkkllkj.dll
2007-11-25 22:38 37,376 --a------ C:\WINDOWS\system32\ljjkihh.dll
2007-11-25 22:31 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-11-25 22:26 <DIR> d-------- C:\Documents and Settings\Bryan\Application Data\FaxCtr
2007-11-25 22:26 <DIR> d-------- C:\DOCUME~1\Bryan\APPLIC~1\FaxCtr
2007-11-25 22:08 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-11-25 18:19 <DIR> d-------- C:\Program Files\lx_cats
2007-11-25 18:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FaxCtr
2007-11-25 18:19 339,968 --a------ C:\WINDOWS\system32\IMGMAN32.DLL
2007-11-25 18:19 98,345 --a------ C:\WINDOWS\system32\IMHOST32.DLL
2007-11-25 18:19 98,304 --a------ C:\WINDOWS\system32\IM31XPNG.DEL
2007-11-25 18:19 69,632 --a------ C:\WINDOWS\system32\IM31XTIF.DEL
2007-11-25 18:19 49,152 --a------ C:\WINDOWS\system32\IM31IMG.DIL
2007-11-25 18:19 45,056 --a------ C:\WINDOWS\system32\LXPRMON.DLL
2007-11-25 18:19 32,768 --a------ C:\WINDOWS\system32\LXPMONUI.DLL
2007-11-25 18:19 12,288 --a------ C:\WINDOWS\system32\LXPMONRC.DLL
2007-11-25 18:18 <DIR> d-------- C:\Program Files\Lexmark Fax Solutions
2007-11-25 18:18 <DIR> d-------- C:\Program Files\Lexmark 3400 Series
2007-11-25 18:18 <DIR> d-------- C:\Program Files\Abbyy FineReader 6.0 Sprint
2007-11-25 18:18 323,584 --a------ C:\WINDOWS\system32\lxcyhcp.dll
2007-11-25 18:18 274,432 --a------ C:\WINDOWS\system32\lxcyinst.dll
2007-11-25 18:17 344,064 -ra------ C:\WINDOWS\system32\lxcycoin.dll
2007-11-25 18:17 33,277 --a------ C:\WINDOWS\system32\LexFiles.ulf
2007-11-25 18:17 1,834 -ra------ C:\WINDOWS\system32\lxcy.loc
2007-11-25 18:16 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2007-11-25 18:16 87,040 --a--c--- C:\WINDOWS\system32\dllcache\wiafbdrv.dll
2007-11-25 18:16 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2007-11-25 18:16 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2007-11-25 18:16 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-11-25 18:16 15,104 --a--c--- C:\WINDOWS\system32\dllcache\usbscan.sys
2007-11-16 19:58 <DIR> d-------- C:\Program Files\UI Central
2007-11-16 13:50 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
2007-11-15 11:32 <DIR> d-------- C:\Documents and Settings\Bryan\.DownloadManager
2007-11-10 15:19 315,392 --a------ C:\WINDOWS\HideWin.exe
2007-11-10 14:59 <DIR> d-------- C:\WINDOWS\NV35404004.TMP
2007-11-06 16:44 <DIR> d---s---- C:\Program Files\Xfire
2007-11-06 16:44 <DIR> d-------- C:\Documents and Settings\Bryan\Application Data\Xfire
2007-11-06 16:44 <DIR> d-------- C:\DOCUME~1\Bryan\APPLIC~1\Xfire
2007-11-06 16:40 <DIR> d-------- C:\Program Files\Funcom
2007-11-04 21:31 <DIR> d-------- C:\Documents and Settings\Bryan\Application Data\Codemasters
2007-11-04 21:31 <DIR> d-------- C:\DOCUME~1\Bryan\APPLIC~1\Codemasters
2007-11-04 21:29 <DIR> d-------- C:\WINDOWS\system32\AGEIA
2007-11-04 21:29 <DIR> d-------- C:\Program Files\AGEIA Technologies
2007-11-04 16:06 <DIR> d-------- C:\Program Files\Diablo
2007-11-04 16:06 118,784 --a------ C:\WINDOWS\DiabUnin.exe
2007-11-04 16:06 5,646 --a------ C:\WINDOWS\DiabUnin.dat
2007-11-04 16:06 2,829 --a------ C:\WINDOWS\DiabUnin.pif
2007-11-03 22:30 <DIR> d-------- C:\Documents and Settings\Bryan\Application Data\Bioshock
2007-11-03 22:30 <DIR> d-------- C:\DOCUME~1\Bryan\APPLIC~1\Bioshock
2007-11-01 22:19 98,304 --a------ C:\WINDOWS\system32CmdLineExt.dll
2007-10-31 12:39 1,126,072 --a------ C:\WINDOWS\system32\drivers\vsapint.sys
2007-10-31 12:39 300,816 --a------ C:\WINDOWS\system32\drivers\TM_CFW.sys
2007-10-31 12:39 202,768 --a------ C:\WINDOWS\system32\drivers\tmxpflt.sys
2007-10-31 12:39 112,400 --a------ C:\WINDOWS\system32\drivers\tm_mbd_c.sys
2007-10-31 12:39 75,792 --a------ C:\WINDOWS\system32\drivers\tmtdi.sys
2007-10-31 12:39 35,856 --a------ C:\WINDOWS\system32\drivers\tmpreflt.sys
2007-10-31 12:38 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-31 12:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2007-10-27 16:06 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2007-10-27 16:06 3,727,720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2007-10-27 16:06 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-10-27 16:06 267,112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2007-10-27 16:06 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2007-10-27 16:06 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-10-27 16:05 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-10-27 16:04 <DIR> d--h----- C:\WINDOWS\msdownld.tmp
2007-10-25 20:46 <DIR> d-------- C:\Program Files\VstPlugins
2007-10-25 20:46 1,294,336 --a------ C:\WINDOWS\system32\vorbis.acm
2007-10-25 20:46 217,088 --a------ C:\WINDOWS\system32\rewire.dll
2007-10-25 20:45 <DIR> d-------- C:\Program Files\Image-Line
2007-10-23 15:15 <DIR> d-------- C:\Program Files\Sibelius Software
2007-10-23 15:15 <DIR> d-------- C:\Documents and Settings\Bryan\Application Data\Sibelius Software
2007-10-23 15:15 <DIR> d-------- C:\DOCUME~1\Bryan\APPLIC~1\Sibelius Software
2007-10-20 20:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\FLEXnet
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-30 06:41 --------- d---a-w C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-11-30 06:01 --------- d-----w C:\Program Files\Viewpoint
2007-11-30 06:01 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Viewpoint
2007-11-29 18:35 --------- d-----w C:\Program Files\QuickTime
2007-11-29 05:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-27 14:08 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-11-27 08:47 --------- d-----w C:\Documents and Settings\Bryan\Application Data\Uniblue
2007-11-27 08:47 --------- d-----w C:\DOCUME~1\Bryan\APPLIC~1\Uniblue
2007-11-26 03:42 --------- d-----w C:\Documents and Settings\Bryan\Application Data\Azureus
2007-11-26 03:42 --------- d-----w C:\DOCUME~1\Bryan\APPLIC~1\Azureus
2007-11-15 19:17 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-14 05:35 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-11-11 16:18 --------- d-----w C:\Program Files\Folding@Home
2007-11-10 20:19 --------- d-----w C:\Program Files\Realtek
2007-11-10 19:53 --------- d-----w C:\Documents and Settings\Bryan\Application Data\AdobeUM
2007-11-10 19:53 --------- d-----w C:\DOCUME~1\Bryan\APPLIC~1\AdobeUM
2007-11-10 19:25 --------- d-----w C:\Program Files\PCPitstop
2007-11-08 18:58 --------- d-----w C:\Program Files\AIM6
2007-11-08 18:51 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL
2007-11-08 18:48 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\AOL Downloads
2007-11-05 19:42 --------- d-----w C:\Program Files\Steam
2007-11-05 02:28 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-01 19:38 4,620,288 ----a-w C:\WINDOWS\system32\drivers\RtkHDAud.sys
2007-10-25 16:57 16,855,552 ----a-w C:\WINDOWS\RTHDCPL.exe
2007-10-25 15:39 --------- d-----w C:\Program Files\Azureus
2007-10-23 15:20 --------- d-----w C:\Documents and Settings\Bryan\Application Data\uTorrent
2007-10-23 15:20 --------- d-----w C:\DOCUME~1\Bryan\APPLIC~1\uTorrent
2007-10-13 15:26 --------- d-----w C:\Program Files\AMD
2007-10-11 16:04 1,826,816 ----a-w C:\WINDOWS\SkyTel.exe
2007-10-07 19:40 --------- d-----w C:\Program Files\Java
2007-10-04 22:14 6,854,464 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2007-09-30 19:56 --------- d-----w C:\Documents and Settings\Bryan\Application Data\Ruckus Network
2007-09-30 19:56 --------- d-----w C:\DOCUME~1\Bryan\APPLIC~1\Ruckus Network
2007-09-30 19:55 --------- d-----w C:\Program Files\Ruckus Player
2007-09-30 19:55 --------- d-----w C:\Program Files\Bonjour
2007-09-28 19:39 --------- d-----w C:\DOCUME~1\ALLUSE~1\APPLIC~1\Azureus
2007-08-13 21:53 73,728 ------w C:\WINDOWS\ALCFDRTM.EXE
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED203331-9C33-49D8-8714-D24A366A04EC}]
2007-11-25 22:38 37376 --a------ C:\WINDOWS\system32\ljjkihh.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 18:03]
"Aim6"="" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-07-03 11:32]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"Steam"="" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 05:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2007-10-04 17:14 C:\WINDOWS\system32\nwiz.exe]
"CHotkey"="mHotkey.exe" [2004-12-08 16:57 C:\WINDOWS\mHotkey.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"amd_dc_opt"="C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe" [2006-11-17 15:49]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 14:57]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe" [2007-04-12 05:58]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-04 05:00 C:\WINDOWS\system32\rundll32.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-10-25 11:57 C:\WINDOWS\RTHDCPL.exe]
"lxcymon.exe"="C:\Program Files\Lexmark 3400 Series\lxcymon.exe" [2007-06-25 09:34]
"EzPrint"="C:\Program Files\Lexmark 3400 Series\ezprint.exe" [2007-06-25 09:34]
"FaxCenterServer"="C:\Program Files\Lexmark Fax Solutions\fm3032.exe" [2007-06-25 09:35]
"LXCYCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll" [2006-11-21 12:27]
"ec1fbec8"="C:\WINDOWS\system32\qrnythci.dll" [2007-11-29 11:01]
"WinSys2"="C:\WINDOWS\system32\winsys2.exe" [2006-12-14 21:59]
"SW24"="C:\WINDOWS\system32\sw24.exe" [2006-12-14 21:58]
"SW20"="C:\WINDOWS\system32\sw20.exe" [2006-12-14 21:58]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SpybotDeletingA7556"="command /c del C:\WINDOWS\system32\pokbmkdn.dll_old" []
"SpybotDeletingC1231"="cmd /c del C:\WINDOWS\system32\pokbmkdn.dll_old" []
"SpybotDeletingA2298"="command /c del C:\WINDOWS\system32\pokbmkdn.dll" []
"SpybotDeletingC3327"="cmd /c del C:\WINDOWS\system32\pokbmkdn.dll" []
"SpybotDeletingA7791"="command /c del C:\WINDOWS\Temp\startdrv.exe" []
"SpybotDeletingC2710"="cmd /c del C:\WINDOWS\Temp\startdrv.exe" []
[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{ED203331-9C33-49D8-8714-D24A366A04EC}"= C:\WINDOWS\system32\ljjkihh.dll [2007-11-25 22:38 37376]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjkihh]
ljjkihh.dll 2007-11-25 22:38 37376 C:\WINDOWS\system32\ljjkihh.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pokbmkdn]
pokbmkdn.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winoyb32]
winoyb32.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddcca.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Alcmtr"=ALCMTR.EXE
"WinSys"=C:\WINDOWS\system32\WinSys.exe
R1 BIOS;BIOS;\??\C:\WINDOWS\system32\drivers\BIOS.sys
R1 BS_I2cIo;BS_I2cIo;\??\C:\WINDOWS\system32\drivers\BS_I2cIo.sys
R1 nvport;NVIDIA PORT IO Control Driver;\??\C:\WINDOWS\system32\Drivers\nvport.sys
R2 lxcy_device;lxcy_device;C:\WINDOWS\system32\lxcycoms.exe -service
R3 AmdLLD;AMD Low Level Device Driver;C:\WINDOWS\system32\DRIVERS\AmdLLD.sys
R3 amdtools;AMD Special Tools Driver;C:\WINDOWS\system32\DRIVERS\AmdTools.sys
R3 HidMouse;HidMouse;C:\WINDOWS\system32\Drivers\HidMouse.sys
S1 kcp;kcp;\??\C:\WINDOWS\system32\drivers\kcp.sys
S3 AMDPCI;AMDPCI;\??\C:\DOCUME~1\Bryan\LOCALS~1\Temp\AMDPCI.sys
S3 gtermddo;gtermddo;\??\C:\DOCUME~1\Bryan\LOCALS~1\Temp\gtermddo.sys
*Newly Created Service* - GTNDIS5
.
**************************************************************************
catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-30 01:48:55
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-30 1:50:44 - machine was rebooted
.
--- E O F ---
compagent
2007-11-30, 08:04
Sorry for the split; the two logs didn't fit in one post!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:58:01 AM, on 11/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\WINDOWS\system32\winsys2.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [ec1fbec8] rundll32.exe "C:\WINDOWS\system32\qrnythci.dll",b
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://www.ashland.edu:2490/lib/ashland/support/plugins/ebraryRdr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187046451059
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189295176984
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
--
End of file - 8709 bytes
pskelley
2007-11-30, 13:28
Thanks for your information and the feedback, you said:
Sorry for the split; the two logs didn't fit in one post!and this is normal. combofix and Vundofix got some of it, but there is a lot left.
There is a file that may or may not be bad, I think it is but wish to be sure before we remove it.
C:\WINDOWS\system32\winsys2.exe <<< use one or more of these free scans and post the results in your next post:
http://virusscan.jotti.org/
http://www.kaspersky.com/scanforvirus
http://www.virustotal.com/
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
3) Open a new notepad window
Paste the list of files from the quote box below into the notepad window.
C:\WINDOWS\system32\qrnythci.dll
C:\WINDOWS\system32\ichtynrq.ini
C:\WINDOWS\system32\hevvlgfp.dll
C:\WINDOWS\system32\oayklipw.dll
C:\WINDOWS\system32\gdycvgow.dll
C:\WINDOWS\system32\wogvcydg.ini
C:\WINDOWS\system32\ephhwyce.dll
C:\WINDOWS\system32\qatlfars.ini
C:\WINDOWS\system32\tsnpiwve.dll
C:\WINDOWS\system32\erbdavqw.ini
C:\WINDOWS\system32\fccyvut.dll
C:\WINDOWS\system32\jkkllkj.dll
C:\WINDOWS\system32\ljjkihh.dll
Save this as vundofix.vft and Save as type "all files".
Double-click VundoFix.exe to run it.
Drag vundofix.vft onto the listbox (white box) of VundoFix.
Click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O4 - HKLM\..\Run: [ec1fbec8] rundll32.exe "C:\WINDOWS\system32\qrnythci.dll",b
Close all programs but HJT and all browser windows, then click on "Fix Checked"
5) RIGHT Click on Start then click on Explore. Locate and delete these items:
C:\WINDOWS\system32\qrnythci.dll <<< make sure that file is gone
6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart and post the Vundofix report, a new HJT log, the results of the file scan and some feedback.
Thanks...Phil
compagent
2007-11-30, 20:57
I looked into the WinSys2.exe issue. What I found is that WinSys2 belongs to a DOT (Dynamic Overclocking Technology) program which came with my motherboard. However, there is a trojan that uses winsys2.exe (no caps) to carry into the windows directory. Since I don't overclock, I used HJT to disable the entry for winsys2.exe.
I ran the ATF cleaner for both 'everything' as you directed , and the other tab for my internet browser.
As for the Vundofix box, it was able to delete all but one of the files in the box you provided. (It was one of the last 2 on the list).
I deleted "C:\WINDOWS\system32\qrnythci.dll",b, and confirmed that it was removed from the system32 folder.
When I re-ran the online virus scanner, it still found 14 viruses in 35ish files. I have posted everything you requested below. The pop-ups I mentioned in the first post have all disappeared with the exception of an error message (box with red X) that randomly appears once every 5-12 minutes. It appears to try to load something that these methods have deleted. I will post the exact text when it happens again.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:48:59 PM, on 11/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\lxcycoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WMP54GSv1_1.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PccGuide.exe
C:\WINDOWS\mHotkey.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Lexmark 3400 Series\lxcymon.exe
C:\Program Files\Lexmark 3400 Series\ezprint.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
C:\WINDOWS\ALCFDRTM.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [amd_dc_opt] C:\Program Files\AMD\Dual-Core Optimizer\amd_dc_opt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [lxcymon.exe] "C:\Program Files\Lexmark 3400 Series\lxcymon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 3400 Series\ezprint.exe"
O4 - HKLM\..\Run: [FaxCenterServer] "C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s
O4 - HKLM\..\Run: [LXCYCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCYtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [SW24] C:\WINDOWS\system32\sw24.exe
O4 - HKLM\..\Run: [SW20] C:\WINDOWS\system32\sw20.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Clean Access Agent.lnk = C:\Program Files\Cisco Systems\Clean Access Agent\CCAAgent.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://www.ashland.edu:2490/lib/ashland/support/plugins/ebraryRdr.cab
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20070711/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1187046451059
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1189295176984
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: lxcy_device - - C:\WINDOWS\system32\lxcycoms.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Protection Against Spyware (PcScnSrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcScnSrv.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WMP54GSSVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Network Adapter with SpeedBooster\WLService.exe
--
End of file - 8525 bytes
compagent
2007-11-30, 21:00
KASPERSKY ONLINE SCANNER REPORT
Friday, November 30, 2007 2:39:03 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 30/11/2007
Kaspersky Anti-Virus database records: 469480
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
E:\
F:\
Scan Statistics
Total number of scanned objects 144166
Number of viruses found 15
Number of infected objects 62
Number of suspicious objects 0
Duration of the scan process 01:19:07
Infected Object Name Virus Name Last Action
C:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip/winoyb32.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc.zip/snmxvvtr.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc1.zip/sioeftjh.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc4.zip/nquxqkbg.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc4.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric15.zip/pokbmkdn.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric15.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric16.zip/pokbmkdn.dll_old Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric16.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric17.zip/pokbmkdn.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondegeneric17.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk.zip/startdrv.exe Infected: Trojan-Downloader.Win32.Agent.fke skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinMurloffrtk.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Bryan\Application Data\CiscoCAA\event.log Object is locked skipped
C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\1j0j0d0q.default\cert8.db Object is locked skipped
C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\1j0j0d0q.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\1j0j0d0q.default\history.dat Object is locked skipped
C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\1j0j0d0q.default\key3.db Object is locked skipped
C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\1j0j0d0q.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Bryan\Application Data\Mozilla\Firefox\Profiles\1j0j0d0q.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Bryan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Bryan\Desktop\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Bryan\Desktop\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\Bryan\Desktop\SmitfraudFix.exe RarSFX: infected - 2 skipped
C:\Documents and Settings\Bryan\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\Bryan\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\Bryan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Bryan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Bryan\Local Settings\Application Data\Mozilla\Firefox\Profiles\1j0j0d0q.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Bryan\Local Settings\Application Data\Mozilla\Firefox\Profiles\1j0j0d0q.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Bryan\Local Settings\Application Data\Mozilla\Firefox\Profiles\1j0j0d0q.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Bryan\Local Settings\Application Data\Mozilla\Firefox\Profiles\1j0j0d0q.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Bryan\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Bryan\Local Settings\Temp\~DF1ECE.tmp Object is locked skipped
C:\Documents and Settings\Bryan\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Bryan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Bryan\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Bryan\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\DAP\Offers\spo3.exe/WISE0010.BIN Infected: not-a-virus:AdTool.Win32.MyWebSearch.bk skipped
C:\Program Files\DAP\Offers\spo3.exe WiseSFX: infected - 1 skipped
C:\Program Files\DAP\Offers\spo3.exe WiseSFX Dropper: infected - 1 skipped
C:\Program Files\DAP\Offers\VA21_DAPSO_US.exe/WISE0009.BIN Infected: not-a-virus:AdTool.Win32.MyWebSearch.bk skipped
C:\Program Files\DAP\Offers\VA21_DAPSO_US.exe WiseSFX: infected - 1 skipped
C:\Program Files\DAP\Offers\VA21_DAPSO_US.exe WiseSFX Dropper: infected - 1 skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\runtime2.sys.vir Infected: Rootkit.Win32.Agent.jp skipped
C:\qoobox\Quarantine\C\WINDOWS\system32\xpdx.sys.vir Infected: Trojan.Win32.Agent.cxs skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP144\A0029472.dll Infected: not-a-virus:AdWare.Win32.Comet.bl skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP160\A0031370.exe Infected: Trojan-Dropper.Win32.Agent.csv skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP160\A0032413.sys Infected: Trojan-Downloader.Win32.Agent.bnm skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP160\A0032414.dll Infected: Trojan-Downloader.Win32.Agent.bnm skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP160\A0032415.dll Infected: Trojan-Downloader.Win32.Agent.bnm skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP161\A0032451.dll Infected: not-a-virus:AdTool.Win32.WhenU.r skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP161\A0032460.dll Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP161\A0034469.sys Infected: Rootkit.Win32.Agent.jp skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP161\A0035500.exe Infected: Trojan-Downloader.Win32.Injecter.ai skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP162\A0035551.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP162\A0035582.exe Infected: Trojan-Downloader.Win32.Injecter.ai skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP162\A0035587.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP164\A0035692.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP164\A0035693.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP164\A0035695.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP164\A0035760.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP164\A0035761.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP164\A0035762.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP164\A0035776.exe Infected: Trojan.Win32.Obfuscated.kp skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP164\A0035777.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP165\A0035799.sys Infected: Trojan.Win32.Agent.cxs skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP165\A0035807.dll Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP165\A0035811.sys Infected: Rootkit.Win32.Agent.jp skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP166\A0035876.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.arm skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP166\A0035877.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP166\A0035879.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.arm skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP166\A0035882.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP166\change.log Object is locked skipped
C:\VundoFix Backups\fccyvut.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.arm skipped
C:\VundoFix Backups\gdycvgow.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\VundoFix Backups\ivuaphbk.dll.bad Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\VundoFix Backups\jkkllkj.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.arm skipped
C:\VundoFix Backups\ljjkihh.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.arm skipped
C:\VundoFix Backups\pokbmkdn.dll.bad Infected: not-a-virus:AdWare.Win32.SecToolBar.k skipped
C:\VundoFix Backups\qrnythci.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.aps skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\ljjkihh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.arm skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_264.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\autorun.inf\lpt3.This folder was created by Flash_Disinfector Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{BF363889-F59E-4D4A-8D3A-341F40D5F2AA}\RP166\change.log Object is locked skipped
Scan process completed.
compagent
2007-11-30, 21:01
VundoFix V6.6.2
Checking Java version...
Scan started at 1:04:06 AM 11/30/2007
Listing files found while scanning....
C:\windows\system32\ivuaphbk.dll
C:\WINDOWS\system32\pokbmkdn.dll
C:\windows\system32\pokbmkdn.dllbox
Beginning removal...
Attempting to delete C:\windows\system32\ivuaphbk.dll
C:\windows\system32\ivuaphbk.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\pokbmkdn.dll
C:\WINDOWS\system32\pokbmkdn.dll Has been deleted!
Attempting to delete C:\windows\system32\pokbmkdn.dllbox
C:\windows\system32\pokbmkdn.dllbox Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ephhwyce.dll
C:\WINDOWS\system32\ephhwyce.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\erbdavqw.ini
C:\WINDOWS\system32\erbdavqw.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\fccyvut.dll
C:\WINDOWS\system32\fccyvut.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\gdycvgow.dll
C:\WINDOWS\system32\gdycvgow.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\hevvlgfp.dll
C:\WINDOWS\system32\hevvlgfp.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ichtynrq.ini
C:\WINDOWS\system32\ichtynrq.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\jkkllkj.dll
C:\WINDOWS\system32\jkkllkj.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ljjkihh.dll
C:\WINDOWS\system32\ljjkihh.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\oayklipw.dll
C:\WINDOWS\system32\oayklipw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\qatlfars.ini
C:\WINDOWS\system32\qatlfars.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\qrnythci.dll
C:\WINDOWS\system32\qrnythci.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\tsnpiwve.dll
C:\WINDOWS\system32\tsnpiwve.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wogvcydg.ini
C:\WINDOWS\system32\wogvcydg.ini Has been deleted!
Performing Repairs to the registry.
Done!
pskelley
2007-11-30, 21:19
I appreciate you are trying to help, but please post only what I request. I would have removed all of this junk before running the Kaspersky scan.
KASPERSKY ONLINE SCANNER REPORT Friday, November 30, 2007 2:39:03 PM
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ <<< delete the contents of the Recovery folder.
http://ict.cas.psu.edu/training/howto/util/removespybot.htm#1
C:\Documents and Settings\Bryan\Desktop\SmitfraudFix.exe/ <<< delete Smitfraudfix folder from your computer
C:\Program Files\DAP\ <<< delete that DAP folder from your computer
C:\qoobox\Quarantine\ <<< delete this folder from your computer
C:\VundoFix Backups\ <<< delete that folder from your computer
C:\WINDOWS\system32\ljjkihh.dll <<< delete that file, you may have to do that in safe mode. I must know that it is gone!!
When you complete all of the above, restart your computer and clean the System Restore files like this:
MANUAL INSTRUCTIONS FOR SYSTEM RESTORE
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Run a new Kaspersky scan, please do not post the results from a clean scan, only if you have questions.
Thanks
pskelley
2007-12-09, 21:12
No response since 2007-11-30, 15:19, topic is closed.
If you need it re-opened please send me or a forum staff member a private message (pm) and provide a link to the thread; this applies only to the original topic starter.
Anyone else with similar problems please start a new topic.
Thanks