View Full Version : Virtumonde infection
bubbas45
2007-12-13, 04:35
Howdy, folks. I have read the Before You Post sticky, which was very helpful. I am running Windows XP Home, Version 5.1 (Build 2600.xpsp_sp2_gdr.070227-2254: Service Pack 2). I seem to be infected with Virtumonde and perhaps others, and have this maddening popup problem. I have the latest Windows updates. Norton Security detected the virus but did not remove it. I uninstalled Norton and installed Pandora 2008 Antivirus, which claimed to have removed it, but did not. I followed the directions in the sticky.
Here is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:24:01 PM, on 12/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Gilat\QMS\QMS.exe
C:\Program Files\Gilat\GSU\GSU.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\Gilat\IBQoS\ibqossvc.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\StarBand\Mission Control\HsuGui\HsuGuiControl.exe
C:\Program Files\StarBand\Mission Control\TaskBarClient.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
C:\Program Files\GILAT\Internet Page Accelerator\RPAService.exe
C:\PROGRA~1\GILAT\INTERN~1\AS_Agent.exe
C:\Program Files\Cloudmark\SpamNet\OE\snoe.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Flash Networks\NettGain2000\Bst\Srvany.exe
C:\Program Files\Flash Networks\NettGain2000\Bst\WgwMngr.exe
C:\Program Files\Gilat\NetAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\StarBand\MISSIO~1\evrep.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\WebProxy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9877
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [HsuGuiControl] C:\Program Files\StarBand\\Mission Control\HsuGui\HsuGuiControl.exe
O4 - HKLM\..\Run: [TaskBarClient] C:\Program Files\StarBand\\Mission Control\TaskBarClient.exe
O4 - HKLM\..\Run: [NettGain2000 Verifier] C:\Program Files\Flash Networks\NettGain2000\Bst\NettGain2000 Verifier.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\RunServices: [NettGain2000] C:\Program Files\Flash Networks\NettGain2000\Bst\WgwMngr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Cloudmark Desktop for Outlook Express.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra 'Tools' menuitem: Express Cleanup - {5E638779-1818-4754-A595-EF1C63B87A56} - C:\Program Files\Norton SystemWorks Basic Edition\Norton Cleanup\WCQuick.lnk
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
O15 - Trusted Zone: http://www.triumph.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Gilat Quality Measurement Service (Gilat QMS) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\QMS\QMS.exe
O23 - Service: Gilat host software update service (GilatHSU) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\GSU\GSU.exe
O23 - Service: Gilat Network Agent Service (GilatNetAgent) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\NetAgent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Gilat IBQoS Agent (ibqossvc) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\IBQoS\ibqossvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: Norton UnErase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\NPROTECT.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
O23 - Service: RPAService - Unknown owner - C:\Program Files\GILAT\Internet Page Accelerator\RPAService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: WgwService - Unknown owner - C:\Program Files\Flash Networks\NettGain2000\Bst\Srvany.exe
--
End of file - 11192 bytes
Kaspersky log report to floouw in next post.
bws
bubbas45
2007-12-13, 04:37
Here is the Kaspersky log report:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, December 12, 2007 7:05:58 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/12/2007
Kaspersky Anti-Virus database records: 480817
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 92548
Number of viruses found: 9
Number of infected objects: 18
Number of suspicious objects: 0
Duration of the scan process: 01:41:02
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\0102\0106\values Object is locked skipped
C:\Documents and Settings\All Users\Application Data\sentinel\2.1\gwhashs.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-12-12_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\bws\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-29405ff-16046b20.zip/vlocal.class Infected: Trojan-Downloader.Java.Agent.f skipped
C:\Documents and Settings\bws\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-29405ff-16046b20.zip ZIP: infected - 1 skipped
C:\Documents and Settings\bws\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\bws\Local Settings\Application Data\Cloudmark\SpamNet\CDOESpamDb-{445BA929-0754-421E-B2F9-D5F440A69141}.dat Object is locked skipped
C:\Documents and Settings\bws\Local Settings\Application Data\Cloudmark\SpamNet\oemsgsvid.dat Object is locked skipped
C:\Documents and Settings\bws\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\bws\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\bws\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\bws\Local Settings\History\History.IE5\MSHist012007121220071213\index.dat Object is locked skipped
C:\Documents and Settings\bws\Local Settings\Temp\sqlite_gzY65hIc79Ra0AF Object is locked skipped
C:\Documents and Settings\bws\Local Settings\Temp\sqlite_UeL5QDdRV1A9hTp Object is locked skipped
C:\Documents and Settings\bws\Local Settings\Temp\sqlite_xYT5pgUscCsJS5r Object is locked skipped
C:\Documents and Settings\bws\Local Settings\Temp\winshow.exe Infected: Trojan-Downloader.Win32.VB.bvj skipped
C:\Documents and Settings\bws\Local Settings\Temp\wr-1-77.exe Infected: Trojan-Downloader.Win32.Small.gzs skipped
C:\Documents and Settings\bws\Local Settings\Temporary Internet Files\Content.IE5\7M837L8X\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\Documents and Settings\bws\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\bws\Local Settings\Temporary Internet Files\Content.IE5\WHQZW1A3\ptch[1] Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\Documents and Settings\bws\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\bws\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\NG2000.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Juniper Networks\Common Files\NCService.log Object is locked skipped
C:\Program Files\Panda Security\Panda Antivirus 2008\cace2423dfb97c58fe7dd9f120557063PSK_NAMES Object is locked skipped
C:\Program Files\Panda Security\Panda Antivirus 2008\cace2423dfb97c58fe7dd9f120557063PSK_NAMES2 Object is locked skipped
C:\RECYCLER\NPROTECT\NPROTECT.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP193\A0032766.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gl skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP193\A0032856.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0033180.exe Infected: Trojan-Downloader.Win32.VB.bvj skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0033181.exe Infected: Trojan-Downloader.Win32.PurityScan.ey skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0033186.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0033276.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0033277.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0033280.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP197\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{F56DFC70-4386-4B78-A657-D5D01DABD74F}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\adjetwwf.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\WINDOWS\system32\aklqbwxi.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\isqwprpx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\yoqqtncr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
thanks, bws
pskelley
2007-12-15, 10:48
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Looks like Vundo to me, you need to know this: You have a Vundo infection which can be hard to remove. This will take some time and unless you are patient, understand how to follow directions and are comfortable working on your computer, you may want to seek local professional help. If you wish to proceed, read and follow the directions carefully.
The junk will download more so stay offline except when you are troubleshoting until you are clean.
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <<< return here and rename HJT, call it bubbas45.exe that will work. After a restart we should be able to see this hidden infection.
See this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\j2re1.4.2_05\ <<< BADLY out of date and like why you are infected. Download the newest Java version and uninstall all old versions in Add Remove programs.
Clean your infected Java cache:
C:\Documents and Settings\bws\Application Data\Sun\Java\Deployment\cache\
http://support.f-secure.com/enu/home/virusproblem/howtoclean/cleanjavacache.shtml
You are running two antivirus programs at the same time and this is not a good thing. They conflict with each other and you will be less safe than if you ran one good program and maintained it properly. Uninstall one, update the one you keep and run a complete system scan, post for me any item that can't be removed, the complete name and pathway.
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html
http://www.smartcomputing.com/editorial/article.asp?article=articles/2003/s1407/38s07/38s07.asp
Panda Antivirus 2008
Norton/Symantec Shared
Uninstall one of those
Complete the above and post a new HJT log.
Thanks
bubbas45
2007-12-15, 20:40
Thanks for assisting. I have read "*BEFORE YOU POST*."
Via Add/Remove Programs I removed Norton SystemWorks, Liveupdate Notice, Liveupdate 3.2.
From /Program Files/Common Files I deleted Symantec Shared folder.
From /Program Files I deleted folders for Norton Antivirus, Norton executables, Norton SystemWorks.
I downloaded JRE 6 Update 3.
From Add/REmove PRograms I removed the old JRE. I restarted and then installed JRE 6.
I cleaned the Java cache by deleting the two folders in the cache.
I restarted and then ran HJT as bubbas45.exe. Here is the new log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:23:42 PM, on 12/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Gilat\QMS\QMS.exe
C:\Program Files\Gilat\GSU\GSU.exe
C:\Program Files\Gilat\IBQoS\ibqossvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
C:\Program Files\GILAT\Internet Page Accelerator\RPAService.exe
C:\PROGRA~1\GILAT\INTERN~1\AS_Agent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\StarBand\Mission Control\HsuGui\HsuGuiControl.exe
C:\Program Files\Flash Networks\NettGain2000\Bst\Srvany.exe
C:\Program Files\StarBand\Mission Control\TaskBarClient.exe
C:\Program Files\Flash Networks\NettGain2000\Bst\WgwMngr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Gilat\NetAgent.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Cloudmark\SpamNet\OE\snoe.exe
C:\PROGRA~1\StarBand\MISSIO~1\evrep.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\WebProxy.exe
C:\Program Files\Trend Micro\HijackThis\bubbas45.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9877
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5D7BC982-E1A7-4C2C-9F7D-B06A44E822EA} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - C:\WINDOWS\system32\cbxuvtt.dll (file missing)
O2 - BHO: (no name) - {95F4AA43-368C-4B0E-D25A-38E6758F5B96} - C:\WINDOWS\system32\okda.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {CB91032B-3214-46C1-BFAD-55CFA024AD84} - C:\WINDOWS\system32\ssqpn.dll
O2 - BHO: (no name) - {EAF70EC9-532B-465A-A368-713C469A5582} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [HsuGuiControl] C:\Program Files\StarBand\\Mission Control\HsuGui\HsuGuiControl.exe
O4 - HKLM\..\Run: [TaskBarClient] C:\Program Files\StarBand\\Mission Control\TaskBarClient.exe
O4 - HKLM\..\Run: [NettGain2000 Verifier] C:\Program Files\Flash Networks\NettGain2000\Bst\NettGain2000 Verifier.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\RunServices: [NettGain2000] C:\Program Files\Flash Networks\NettGain2000\Bst\WgwMngr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Cloudmark Desktop for Outlook Express.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
O15 - Trusted Zone: http://www.triumph.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: cbxuvtt - cbxuvtt.dll (file missing)
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Gilat Quality Measurement Service (Gilat QMS) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\QMS\QMS.exe
O23 - Service: Gilat host software update service (GilatHSU) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\GSU\GSU.exe
O23 - Service: Gilat Network Agent Service (GilatNetAgent) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\NetAgent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Gilat IBQoS Agent (ibqossvc) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\IBQoS\ibqossvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
O23 - Service: RPAService - Unknown owner - C:\Program Files\GILAT\Internet Page Accelerator\RPAService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: WgwService - Unknown owner - C:\Program Files\Flash Networks\NettGain2000\Bst\Srvany.exe
--
End of file - 10131 bytes
pskelley
2007-12-15, 21:27
Thanks for returning your informaton and the feedback, please read follow these directions carefully.
If you have any of these tools, delete them and download them new from the links I provide.
1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
2) Thanks to Atribune and any others who helped with this fix.
http://vundofix.atribune.org/ <<< tutorial
"Download VundoFix" to your Desktop
http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will attempt run on reboot, simply follow the above instructions starting from "Click
the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on the C:\
(wait until you finish to post reports and logs)
3) Thanks to sUBs and anyone else who helped with this fix.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Post the Vundofix.txt, combofix log and a new HJT log.
Thanks
bubbas45
2007-12-16, 03:07
VundoFix and ComboFix; HJT to follow in next post.
VundoFix V6.7.5
Checking Java version...
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Scan started at 8:23:34 PM 12/15/2007
Listing files found while scanning....
C:\windows\system32\awvvw.dll
C:\WINDOWS\system32\cbxuvtt.dll
C:\WINDOWS\system32\npqss.ini
C:\WINDOWS\system32\npqss.ini2
C:\WINDOWS\system32\ssqpn.dll
Beginning removal...
Attempting to delete C:\windows\system32\awvvw.dll
C:\windows\system32\awvvw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\npqss.ini
C:\WINDOWS\system32\npqss.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\npqss.ini2
C:\WINDOWS\system32\npqss.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssqpn.dll
C:\WINDOWS\system32\ssqpn.dll Has been deleted!
Performing Repairs to the registry.
Done!
***************************
ComboFix 07-12-15.5 - bws 2007-12-15 20:46:28.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.171 [GMT -5:00]
Running from: C:\Documents and Settings\bws\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\bws\Start Menu\Programs\Outerinfo
C:\Documents and Settings\bws\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\bws\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\crosof~1.net
C:\Program Files\Common Files\crosof~1.net\??crosoft.NET\
C:\Program Files\icroso~1.net
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Temp\bkR11
C:\WINDOWS\system32\bnwcyryq.dll
C:\WINDOWS\system32\daSgo02
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pjgsfnrr.dll
C:\WINDOWS\system32\rmknlubi.dll
C:\WINDOWS\system32\uxbkobtl.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
((((((((((((((((((((((((( Files Created from 2007-11-16 to 2007-12-16 )))))))))))))))))))))))))))))))
.
2007-12-15 20:23 . 2007-12-15 20:23 <DIR> d-------- C:\VundoFix Backups
2007-12-15 13:56 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2007-12-12 22:23 . 2007-12-12 22:23 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-12 20:41 . 2004-11-18 21:22 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
2007-12-12 20:41 . 2004-11-18 21:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Sonic
2007-12-12 20:41 . 2006-06-20 14:56 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Juniper Networks
2007-12-12 20:41 . 2004-11-18 21:21 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
2007-12-12 18:24 . 2007-12-12 18:25 916,953 ---hs---- C:\WINDOWS\system32\rcntqqoy.ini
2007-12-12 17:28 . 2007-12-12 17:28 916,893 ---hs---- C:\WINDOWS\system32\xprpwqsi.ini
2007-12-12 08:24 . 2007-12-12 08:24 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-12 08:24 . 2007-12-12 08:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-11 17:18 . 2007-12-11 17:18 912,962 ---hs---- C:\WINDOWS\system32\sfhkicle.ini
2007-12-10 14:10 . 2007-12-10 17:29 858,884 ---hs---- C:\WINDOWS\system32\vvhwjcxj.ini
2007-12-09 19:35 . 2007-12-09 19:35 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\sentinel
2007-12-09 19:34 . 2007-12-11 18:12 <DIR> d-------- C:\WINDOWS\system32\PAV
2007-12-09 19:34 . 2007-06-06 11:43 83,640 --a------ C:\WINDOWS\system32\drivers\pavdrv51.sys
2007-12-09 19:34 . 2007-12-09 19:34 248 --a------ C:\WINDOWS\system32\PavCPL.dat
2007-12-09 19:33 . 2007-03-15 18:38 54,832 --a------ C:\WINDOWS\system32\pavcpl.cpl
2007-12-09 19:33 . 2007-02-15 20:02 50,736 --a------ C:\WINDOWS\system32\avldr.dll
2007-12-09 19:32 . 2007-12-09 19:32 <DIR> d-------- C:\Program Files\Panda Security
2007-12-09 14:26 . 2007-12-09 15:56 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-12-09 14:26 . 2007-12-09 14:26 30,590 --a------ C:\WINDOWS\system32\pavas.ico
2007-12-09 14:26 . 2007-12-09 14:26 2,550 --a------ C:\WINDOWS\system32\Uninstall.ico
2007-12-09 14:26 . 2007-12-09 14:26 1,406 --a------ C:\WINDOWS\system32\Help.ico
2007-12-09 14:19 . 2007-12-09 14:19 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-12-08 21:31 . 2007-12-08 21:31 130 --a------ C:\WINDOWS\wininit.ini
2007-12-08 20:58 . 2007-12-15 20:48 <DIR> d-------- C:\Temp
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-16 01:52 --------- d-----w C:\Program Files\Gilat
2007-12-15 18:56 --------- d-----w C:\Program Files\Java
2007-12-15 18:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-12-15 18:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-15 18:07 --------- d-----w C:\Program Files\GlobalSCAPE
2007-12-12 12:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-09 20:37 --------- d-----w C:\Program Files\iTunes
2007-12-09 20:37 --------- d-----w C:\Program Files\Google
2007-12-09 20:30 --------- d-----w C:\Program Files\Apoint2K
2007-12-09 19:19 --------- d-----w C:\Program Files\PCPitstop
2007-12-06 13:45 --------- d-----w C:\Documents and Settings\bws\Application Data\AdobeUM
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-10-07 14:44 3,852,256 ----a-w C:\WINDOWS\Southern Motor Company.SCR
2007-03-23 01:57 120,424 ----a-w C:\Documents and Settings\bws\Application Data\JuniperSetup.exe
2003-05-19 20:09 217,088 ----a-w C:\Documents and Settings\Acrobat6pro\setup.exe
2002-03-11 18:06 1,822,520 ----a-w C:\Documents and Settings\Acrobat6pro\instmsiw.exe
2002-03-11 17:45 1,708,856 ----a-w C:\Documents and Settings\Acrobat6pro\instmsia.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{09C1742C-207B-49C0-99B8-7DBEA92A55A0}]
C:\WINDOWS\system32\ssqpn.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{95F4AA43-368C-4B0E-D25A-38E6758F5B96}]
C:\WINDOWS\system32\okda.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:00]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2003-10-07 22:40]
"AGRSMMSG"="AGRSMMSG.exe" [2004-09-03 07:52 C:\WINDOWS\AGRSMMSG.exe]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 03:00 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2004-04-07 14:22 C:\WINDOWS\system32\nwiz.exe]
"Cpqset"="C:\Program Files\HPQ\Default Settings\cpqset.exe" [2004-03-01 13:05]
"UpdateManager"="C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" [2003-08-19 04:01]
"eabconfg.cpl"="C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe" [2004-08-19 14:50]
"HsuGuiControl"="C:\Program Files\StarBand\\Mission Control\HsuGui\HsuGuiControl.exe" [2004-12-08 10:51]
"TaskBarClient"="C:\Program Files\StarBand\\Mission Control\TaskBarClient.exe" [2005-02-17 16:03]
"NettGain2000 Verifier"="C:\Program Files\Flash Networks\NettGain2000\Bst\NettGain2000 Verifier.exe" [2002-10-10 11:59]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 18:05]
"PC Pitstop Optimize Scheduler"="C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe" [2007-07-09 15:51]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 09:54]
"APVXDWIN"="C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.exe" [2007-07-19 15:23]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"NettGain2000"="C:\Program Files\Flash Networks\NettGain2000\Bst\WgwMngr.exe" [2003-04-16 12:04]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\avldr]
avldr.dll 2007-02-15 20:02 50736 C:\WINDOWS\system32\avldr.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxuvtt]
cbxuvtt.dll
R1 NEOFLTR_500_10581;Juniper Networks TDI Filter Driver (NEOFLTR_500_10581);\??\C:\WINDOWS\system32\Drivers\NEOFLTR_500_10581.SYS
R2 BCMNTIO;BCMNTIO;\??\C:\PROGRA~1\CheckIt\DIAGNO~1\BCMNTIO.sys
R2 cnmpar21;C;\??\C:\Documents and Settings\All Users\Application Data\CanonBJ\IJPrinter\CNMWINDOWS\Canon i850 Installer\Inst2\cnmpar21.sys
R2 Gilat QMS;Gilat Quality Measurement Service;"C:\Program Files\Gilat\QMS\QMS.exe"
R2 GilatHSU;Gilat host software update service;"C:\Program Files\Gilat\GSU\GSU.exe"
R2 ibqossvc;Gilat IBQoS Agent;C:\Program Files\Gilat\IBQoS\ibqossvc.exe
R2 MAPMEM;MAPMEM;\??\C:\PROGRA~1\CheckIt\DIAGNO~1\MAPMEM.sys
R2 netpost;NetPost;\??\C:\WINDOWS\System32\Drivers\netpost.sys
R2 Wgw;WGW;C:\WINDOWS\system32\drivers\Wgw.sys
R2 WgwService;WgwService;"C:\Program Files\Flash Networks\NettGain2000\Bst\Srvany.exe"
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys
R3 GilatNetAgent;Gilat Network Agent Service;"C:\Program Files\Gilat\NetAgent.exe"
S3 SWMX00;Sierra Wireless USB MUX Driver (#00);C:\WINDOWS\system32\DRIVERS\swmx00.sys
S3 SWNC5E00;Sierra Wireless MUX NDIS Driver (#00);C:\WINDOWS\system32\DRIVERS\SWNC5E00.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-27 02:37:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-15 20:53:31
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Cpqset = C:\Program Files\HPQ\Default Settings\cpqset.exe????????9?3?7?6??P???? ???B???????????????B? ??????
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-15 20:54:38 - machine was rebooted
.
2007-12-12 08:08:39 --- E O F ---
*************************************
bubbas45
2007-12-16, 03:08
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:56:07 PM, on 12/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Gilat\QMS\QMS.exe
C:\Program Files\Gilat\GSU\GSU.exe
C:\Program Files\Gilat\IBQoS\ibqossvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
C:\Program Files\GILAT\Internet Page Accelerator\RPAService.exe
C:\PROGRA~1\GILAT\INTERN~1\AS_Agent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Flash Networks\NettGain2000\Bst\Srvany.exe
C:\Program Files\Flash Networks\NettGain2000\Bst\WgwMngr.exe
C:\Program Files\Gilat\NetAgent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Panda Security\Panda Antivirus 2008\ApvxdWin.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\StarBand\Mission Control\HsuGui\HsuGuiControl.exe
C:\Program Files\StarBand\Mission Control\TaskBarClient.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\StarBand\MISSIO~1\evrep.exe
C:\Program Files\Cloudmark\SpamNet\OE\snoe.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\WebProxy.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\bubbas45.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9877
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {09C1742C-207B-49C0-99B8-7DBEA92A55A0} - C:\WINDOWS\system32\ssqpn.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {95F4AA43-368C-4B0E-D25A-38E6758F5B96} - C:\WINDOWS\system32\okda.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [HsuGuiControl] C:\Program Files\StarBand\\Mission Control\HsuGui\HsuGuiControl.exe
O4 - HKLM\..\Run: [TaskBarClient] C:\Program Files\StarBand\\Mission Control\TaskBarClient.exe
O4 - HKLM\..\Run: [NettGain2000 Verifier] C:\Program Files\Flash Networks\NettGain2000\Bst\NettGain2000 Verifier.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\RunServices: [NettGain2000] C:\Program Files\Flash Networks\NettGain2000\Bst\WgwMngr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Cloudmark Desktop for Outlook Express.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
O15 - Trusted Zone: http://www.triumph.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O20 - Winlogon Notify: cbxuvtt - cbxuvtt.dll (file missing)
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Gilat Quality Measurement Service (Gilat QMS) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\QMS\QMS.exe
O23 - Service: Gilat host software update service (GilatHSU) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\GSU\GSU.exe
O23 - Service: Gilat Network Agent Service (GilatNetAgent) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\NetAgent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Gilat IBQoS Agent (ibqossvc) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\IBQoS\ibqossvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
O23 - Service: RPAService - Unknown owner - C:\Program Files\GILAT\Internet Page Accelerator\RPAService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: WgwService - Unknown owner - C:\Program Files\Flash Networks\NettGain2000\Bst\Srvany.exe
--
End of file - 9909 bytes
pskelley
2007-12-16, 09:59
Thanks for returning your information and the feedback.
1) TeaTimer still disabled!
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
3) Open Vundofix by Doubleclicking on it, then point your mouse to the white box above the buttons and right click, then click on Add More Files. When the next window opens, copy and paste the files into the boxes and click on Add
File(s), then click on Close Window. Then click Remove Vundo.
(files to add)
C:\WINDOWS\system32\rcntqqoy.ini
C:\WINDOWS\system32\xprpwqsi.ini
C:\WINDOWS\system32\sfhkicle.ini
C:\WINDOWS\system32\vvhwjcxj.ini
4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
(you may leave the two HP redirects if you need them. You can still set any startPage you wish)
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...lion&pf=laptop
O2 - BHO: (no name) - {09C1742C-207B-49C0-99B8-7DBEA92A55A0} - C:\WINDOWS\system32\ssqpn.dll (file missing)
O2 - BHO: (no name) - {95F4AA43-368C-4B0E-D25A-38E6758F5B96} - C:\WINDOWS\system32\okda.dll (file missing)
O20 - Winlogon Notify: cbxuvtt - cbxuvtt.dll (file missing)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart and post the Vundofix report, a new HJT log and some feedback.
Thanks...Phil
bubbas45
2007-12-16, 18:13
Howdy, Phil. Thanks for the help. Interestingly, I was unable to open a browser at all this morning, or rather it would open an IE window but never connect. Firefox did not open at all. Then Panda indicated that I needed to reinstall communication library (LSP) andrestart. I reinstalled from within Panda, but no restart took place, but then FireFox popped open and connected to the Internet. I then proceeded with your instructions.
Here is the Vundofix report, HJT log to follow in next post:
VundoFix V6.7.5
Checking Java version...
Java version is 1.4.2.5
Old versions of java are exploitable and should be removed.
Scan started at 8:23:34 PM 12/15/2007
Listing files found while scanning....
C:\windows\system32\awvvw.dll
C:\WINDOWS\system32\cbxuvtt.dll
C:\WINDOWS\system32\npqss.ini
C:\WINDOWS\system32\npqss.ini2
C:\WINDOWS\system32\ssqpn.dll
Beginning removal...
Attempting to delete C:\windows\system32\awvvw.dll
C:\windows\system32\awvvw.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\npqss.ini
C:\WINDOWS\system32\npqss.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\npqss.ini2
C:\WINDOWS\system32\npqss.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssqpn.dll
C:\WINDOWS\system32\ssqpn.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\rcntqqoy.ini
C:\WINDOWS\system32\rcntqqoy.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\sfhkicle.ini
C:\WINDOWS\system32\sfhkicle.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\vvhwjcxj.ini
C:\WINDOWS\system32\vvhwjcxj.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\xprpwqsi.ini
C:\WINDOWS\system32\xprpwqsi.ini Has been deleted!
Performing Repairs to the registry.
Done!
bubbas45
2007-12-16, 18:14
Here's the latest HJT log, run after following your Vundo fix instructions and ATF cleaner:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:07:37 PM, on 12/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\AVENGINE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\Program Files\Gilat\QMS\QMS.exe
C:\Program Files\Gilat\GSU\GSU.exe
C:\Program Files\Gilat\IBQoS\ibqossvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Apoint2K\Apoint.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\Program Files\StarBand\Mission Control\HsuGui\HsuGuiControl.exe
C:\Program Files\StarBand\Mission Control\TaskBarClient.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
C:\Program Files\GILAT\Internet Page Accelerator\RPAService.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\GILAT\INTERN~1\AS_Agent.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Cloudmark\SpamNet\OE\snoe.exe
C:\Program Files\Flash Networks\NettGain2000\Bst\Srvany.exe
C:\Program Files\Flash Networks\NettGain2000\Bst\WgwMngr.exe
C:\Program Files\Gilat\NetAgent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\StarBand\MISSIO~1\evrep.exe
C:\Program Files\Panda Security\Panda Antivirus 2008\WebProxy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\bubbas45.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=127.0.0.1:9877
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [HsuGuiControl] C:\Program Files\StarBand\\Mission Control\HsuGui\HsuGuiControl.exe
O4 - HKLM\..\Run: [TaskBarClient] C:\Program Files\StarBand\\Mission Control\TaskBarClient.exe
O4 - HKLM\..\Run: [NettGain2000 Verifier] C:\Program Files\Flash Networks\NettGain2000\Bst\NettGain2000 Verifier.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [APVXDWIN] "C:\Program Files\Panda Security\Panda Antivirus 2008\APVXDWIN.EXE" /s
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\RunServices: [NettGain2000] C:\Program Files\Flash Networks\NettGain2000\Bst\WgwMngr.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Cloudmark Desktop for Outlook Express.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=laptop
O15 - Trusted Zone: http://www.triumph.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: Gilat Quality Measurement Service (Gilat QMS) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\QMS\QMS.exe
O23 - Service: Gilat host software update service (GilatHSU) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\GSU\GSU.exe
O23 - Service: Gilat Network Agent Service (GilatNetAgent) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\NetAgent.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Gilat IBQoS Agent (ibqossvc) - Gilat Satellite Networks Ltd. - C:\Program Files\Gilat\IBQoS\ibqossvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Software Controller - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsCtrls.exe
O23 - Service: Panda anti-virus service (PAVSRV) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\pavsrv51.exe
O23 - Service: Panda IManager Service (PSIMSVC) - Panda Software International - C:\Program Files\Panda Security\Panda Antivirus 2008\PsImSvc.exe
O23 - Service: RPAService - Unknown owner - C:\Program Files\GILAT\Internet Page Accelerator\RPAService.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: SPCSUtilityService - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sierra Wireless\Sprint PCS Connection Manager\SPCSUtilityService.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe (file missing)
O23 - Service: WgwService - Unknown owner - C:\Program Files\Flash Networks\NettGain2000\Bst\Srvany.exe
--
End of file - 9243 bytes
pskelley
2007-12-16, 18:36
Thanks for returning your information and the feedback. One thing I wanted to mention is the out of date Internet Explorer browser: MSIE: Internet Explorer v6.00 It's your call, but I suggest an update to IE7 if just for the additional security it provides:
http://www.microsoft.com/windows/products/winfamily/ie/default.mspx
Please wait until we are finished with malware before downloading anything new.
http://www.mozilla.com/en-US/firefox/ <<< you also want to have the newest version of Firefox if you are going to run it.
Your HJT log is clean of malware. I will mention that I have several computers and every once in a while something will not load and I also will have issues. Usually a reboot fixes the problem.
Let's have a look at a new Kaspersky scan to make sure nothing is hiding. We will have a few because we still need to clean System Restore files.
Delete combofix, C:\qoobox\quarantine\ folder, Vundofix and the C:\VundofixBackups\ and run Kaspersky using these settings.
Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
Next Click on Launch Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.
Then post it here.
Thanks...Phil
bubbas45
2007-12-16, 22:31
Here is the Kaspersky Standard scan log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, December 16, 2007 4:28:56 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/12/2007
Kaspersky Anti-Virus database records: 453315
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
Scan Statistics:
Total number of scanned objects: 84349
Number of viruses found: 2
Number of infected objects: 2
Number of suspicious objects: 0
Duration of the scan process: 01:17:45
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\0102\0106\values Object is locked skipped
C:\Documents and Settings\All Users\Application Data\sentinel\2.1\gwhashs.dat Object is locked skipped
C:\Documents and Settings\bws\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\bws\Local Settings\Application Data\Cloudmark\SpamNet\CDOESpamDb-{445BA929-0754-421E-B2F9-D5F440A69141}.dat Object is locked skipped
C:\Documents and Settings\bws\Local Settings\Application Data\Cloudmark\SpamNet\oemsgsvid.dat Object is locked skipped
C:\Documents and Settings\bws\Local Settings\Application Data\Identities\{445BA929-0754-421E-B2F9-D5F440A69141}\Microsoft\Outlook Express\bws.dbx Object is locked skipped
C:\Documents and Settings\bws\Local Settings\Application Data\Identities\{445BA929-0754-421E-B2F9-D5F440A69141}\Microsoft\Outlook Express\Deleted Items.dbx Object is locked skipped
C:\Documents and Settings\bws\Local Settings\Application Data\Identities\{445BA929-0754-421E-B2F9-D5F440A69141}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\bws\Local Settings\Application Data\Identities\{445BA929-0754-421E-B2F9-D5F440A69141}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\bws\Local Settings\Application Data\Identities\{445BA929-0754-421E-B2F9-D5F440A69141}\Microsoft\Outlook Express\Pop3uidl.dbx Object is locked skipped
C:\Documents and Settings\bws\Local Settings\Application Data\Identities\{445BA929-0754-421E-B2F9-D5F440A69141}\Microsoft\Outlook Express\Spam (1).dbx Object is locked skipped
C:\Documents and Settings\bws\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\bws\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\bws\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\bws\Local Settings\History\History.IE5\MSHist012007121620071217\index.dat Object is locked skipped
C:\Documents and Settings\bws\Local Settings\Temp\sqlite_C9AOf8bfhtdZ28c Object is locked skipped
C:\Documents and Settings\bws\Local Settings\Temp\sqlite_GYo4SVYwc2hg4Eo Object is locked skipped
C:\Documents and Settings\bws\Local Settings\Temp\sqlite_noBb4mRScADKUiq Object is locked skipped
C:\Documents and Settings\bws\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\bws\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\bws\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\NG2000.log Object is locked skipped
C:\Program Files\Juniper Networks\Common Files\NCService.log Object is locked skipped
C:\Program Files\Panda Security\Panda Antivirus 2008\cace2423dfb97c58fe7dd9f120557063PSK_NAMES Object is locked skipped
C:\Program Files\Panda Security\Panda Antivirus 2008\cace2423dfb97c58fe7dd9f120557063PSK_NAMES2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0033180.exe Infected: Trojan-Downloader.Win32.VB.bvj skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0033181.exe Infected: Trojan-Downloader.Win32.PurityScan.ey skipped
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP204\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{4AE9B81F-2C78-4A1E-A31C-5FBC5A505746}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\CatRoot2\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\catdb Object is locked skipped
C:\WINDOWS\system32\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
pskelley
2007-12-16, 22:51
KASPERSKY ONLINE SCANNER REPORT Sunday, December 16, 2007 4:28:56 PM
Number of items = 2
Number of viruses found: 2
Number of infected objects: 2
Number of suspicious objects: 0
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0033180.exe ------> Trojan-Downloader.Win32.VB.bvj
C:\System Volume Information\_restore{D5341F9C-33F7-43CF-8BD2-1AE937C9BA1B}\RP195\A0033181.exe ------> Trojan-Downloader.Win32.PurityScan.ey
Thanks, you have two infected System Restore files, clean those like this:
MANUAL INSTRUCTIONS FOR SYSTEM RESTORE
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Happy Holidays:santa:
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
bubbas45
2007-12-17, 03:07
Wow. This was my first experience with malware--I guess I have been lucky. Thanks so much for your assistance! I've just happily made a donation to SpyBot. The links you shared are very useful--I'm going to pass them along to my coworkers.
Thanks again--I hope I never have to come back!
bws