View Full Version : Merry xmas and Virtumonde
contact7
2007-12-26, 13:08
First of all i'd like to wish everyone a wonderful Christmas.
Unfortunatelly on Christmas day i've been infected with Virtumonde, so here's my Kaspersky report and the hijackthis log. I would appreciate any help on this.
Thanks beforahand
Mark
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, December 25, 2007 11:16:21 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 25/12/2007
Kaspersky Anti-Virus database records: 493321
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\contact7\LOCALS~1\Temp\
Scan Statistics:
Total number of scanned objects: 18282
Number of viruses found: 11
Number of infected objects: 80
Number of suspicious objects: 0
Duration of the scan process: 00:22:25
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\ddddax.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kw skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\0e6gvS50.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINDOWS\system32\0S8FHj43.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINDOWS\system32\0vrTLOhW.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINDOWS\system32\23GWiPvq.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINDOWS\system32\2B0E7jhj.exe Infected: Backdoor.Win32.VB.kb skipped
C:\WINDOWS\system32\3foL1t3k.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINDOWS\system32\5QI6AYUt.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINDOWS\system32\63oHf2f8.dll Infected: not-a-virus:AdWare.Win32.BHO.fd skipped
C:\WINDOWS\system32\6EVvn38P.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINDOWS\system32\76V42SHf.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINDOWS\system32\A2v2tFAD.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINDOWS\system32\ahQ24xC0.dll Infected: not-a-virus:AdWare.Win32.BHO.fd skipped
C:\WINDOWS\system32\ARf230N2.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINDOWS\system32\Bn5372Rv.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINDOWS\system32\cbxvtsq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.azt skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\DaIcRwv8.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINDOWS\system32\dy3M52Nl.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINDOWS\system32\FWXNkf5w.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINDOWS\system32\ggFa6kd2.dll Infected: not-a-virus:AdWare.Win32.BHO.fd skipped
C:\WINDOWS\system32\giPC25DF.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\h6YLl0uX.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINDOWS\system32\Ix40ymLr.dll Infected: not-a-virus:AdWare.Win32.BHO.fb skipped
C:\WINDOWS\system32\J50fQB6P.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINDOWS\system32\jBo72onk.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINDOWS\system32\M8J7ePX8.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINDOWS\system32\mLivS4M7.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINDOWS\system32\NXMNpx1e.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINDOWS\system32\ofb6LYRr.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINDOWS\system32\peiqmOBe.dll Infected: not-a-virus:AdWare.Win32.BHO.fd skipped
C:\WINDOWS\system32\Q452Lyhg.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINDOWS\system32\q8rcW2Wx.dll Infected: not-a-virus:AdWare.Win32.BHO.fb skipped
C:\WINDOWS\system32\QKPmNFpM.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINDOWS\system32\QT5kBI7D.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINDOWS\system32\rj13K6EQ.dll Infected: not-a-virus:AdWare.Win32.BHO.fd skipped
C:\WINDOWS\system32\sdPhNgi3.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINDOWS\system32\U040YIUQ.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINDOWS\system32\V0fL7LU5.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINDOWS\system32\vtsqq.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.ti skipped
C:\WINDOWS\system32\w6vC7cof.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wTB568x5.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINDOWS\system32\wwOhyU52.dll Infected: not-a-virus:AdWare.Win32.BHO.gw skipped
C:\WINDOWS\system32\YhIg11EQ.dll Infected: not-a-virus:AdWare.Win32.BHO.fd skipped
C:\WINDOWS\Temp\05e486Y8.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\WINDOWS\Temp\0e6gvS50.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\WINDOWS\Temp\0S8FHj43.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\WINDOWS\Temp\0vrTLOhW.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\WINDOWS\Temp\2Lu8d71h.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\WINDOWS\Temp\3foL1t3k.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\WINDOWS\Temp\4b6vEYDK.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\WINDOWS\Temp\5DWp7rKx.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\WINDOWS\Temp\5QI6AYUt.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\WINDOWS\Temp\A2v2tFAD.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\WINDOWS\Temp\C2ErAtNi.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\WINDOWS\Temp\C6vwBhv7.exe Infected: Trojan-Dropper.Win32.Agent.bos skipped
C:\WINDOWS\Temp\DaIcRwv8.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\WINDOWS\Temp\EP8Xc8L3.exe Infected: not-a-virus:AdWare.Win32.BHO.fb skipped
C:\WINDOWS\Temp\FWXNkf5w.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\WINDOWS\Temp\g10t5tVM.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\WINDOWS\Temp\gXhXqnQy.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\WINDOWS\Temp\i73njcyd.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\WINDOWS\Temp\imN83bGr.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\WINDOWS\Temp\jBo72onk.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\WINDOWS\Temp\M2T5lej3.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\WINDOWS\Temp\NXMNpx1e.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\WINDOWS\Temp\ofb6LYRr.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\WINDOWS\Temp\Q452Lyhg.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\WINDOWS\Temp\QKPmNFpM.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\WINDOWS\Temp\r16EChTd.exe Infected: not-a-virus:AdWare.Win32.BHO.fb skipped
C:\WINDOWS\Temp\s2VNY5P6.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\WINDOWS\Temp\sdPhNgi3.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\WINDOWS\Temp\temp.exe Infected: Trojan.Win32.Agent.bi skipped
C:\WINDOWS\Temp\U040YIUQ.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\WINDOWS\Temp\u61r4lJJ.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\WINDOWS\Temp\V0fL7LU5.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\WINDOWS\Temp\wTB568x5.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\WINDOWS\Temp\wwOhyU52.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\WINDOWS\Temp\xTuf0IR3.exe Infected: not-a-virus:AdWare.Win32.BHO.gx skipped
C:\WINDOWS\Temp\YhIg11EQ.exe Infected: not-a-virus:AdWare.Win32.BHO.fd skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\xhelper.dll Infected: not-a-virus:AdWare.Win32.Agent.db skipped
C:\DOCUME~1\contact7\LOCALS~1\Temp\WCESLog.log Object is locked skipped
C:\DOCUME~1\contact7\LOCALS~1\Temp\~DF2335.tmp Object is locked skipped
C:\DOCUME~1\contact7\LOCALS~1\Temp\~DF511.tmp Object is locked skipped
Scan process completed.
HIJACKTHIS LOG
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:03:17 μμ, on 26/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\xampp\apache\bin\apache.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\PDesk\PDesk.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\mgabg.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
c:\xampp\mysql\bin\mysqld-nt.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\svchost.exe
C:\xampp\mysql\bin\winmysqladmin.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///H:/internet-work/HOME/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = VBS001_demo
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\system32\J50fQB6P.dll
O2 - BHO: (no name) - {8D786912-2D3E-4570-9E7B-347519AAB3B4} - C:\WINDOWS\system32\jkhhf.dll (file missing)
O2 - BHO: (no name) - {8E3FBDE2-7DBD-4040-85D9-29BBC559C129} - C:\WINDOWS\system32\cbxvtsq.dll
O2 - BHO: (no name) - {954F6319-FEDA-4F73-BBC0-A57CD4E89799} - (no file)
O2 - BHO: (no name) - {A7400AD6-8E22-4C24-9C1D-FF9FD1C48911} - C:\WINDOWS\system32\vtutu.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {C8CC1AE8-0248-4B12-9BC2-52CC5C19389D} - C:\WINDOWS\system32\jkkjg.dll (file missing)
O2 - BHO: (no name) - {C92E12CF-D3B6-4055-830F-B71FDC84A751} - (no file)
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINDOWS\system32\PDesk\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [GBMLite7Agent] C:\Program Files\Genie-Soft\GBMLite7\GBMAgent.exe
O4 - HKLM\..\Run: [8cfc43d6] rundll32.exe "C:\WINDOWS\system32\ssnrylpj.dll",b
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: WinMySQLadmin.lnk = C:\xampp\mysql\bin\winmysqladmin.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Λήψη όλων με το FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Λήψη με χρήση του FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: cbxvtsq - C:\WINDOWS\SYSTEM32\cbxvtsq.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2.2 - Apache Software Foundation - c:\xampp\apache\bin\apache.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
O23 - Service: mysql - Unknown owner - c:\xampp\mysql\bin\mysqld-nt.exe
--
End of file - 9558 bytes
contact7
2007-12-27, 11:06
On top of that, every time I reboot, teatimer keeps popping up asking me if I want to terminate a process or not. If I answer yes, then the message keeps appearing again and again. It's driving me crazy.
Help please
pskelley
2007-12-27, 15:11
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
Thanks for the feedback, you have a Vundo infection which can be hard to remove. This will take some time and unless you are patient, understand how to follow directions and are comfortable working on your computer, you may want to seek local professional help. If you wish to proceed, read and follow the directions carefully.
The vast majority of infections right now are being caused by these hackers, here is some information:
Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://msmvps.com/blogs/spywaresucks/search.aspx?q=winfixer+msn
The junk can download more, please stay offline except when troubleshooting until you are clean.
Read and follow the directions carefully, the tools will not work unless you do. If you should have either tool onboard, delete it and download new from the links I provide.
1) Thanks to Atribune and any others who helped with this fix.
http://vundofix.atribune.org/ <<< tutorial
"Download VundoFix" to your Desktop
http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will attempt run on reboot, simply follow the above instructions starting from "Click
the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on the C:\
(wait until you finish to post reports and logs)
2) Thanks to sUBs and anyone else who helped with this fix.
Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Post the Vundofix.txt, combofix log and a new HJT log.
Thanks
contact7
2007-12-27, 17:10
Thanks for your reply.
Here's what I did
First I run Vundofix. It found lots of problems and fixed them except of one. Even after reboot it couldn;t delete the file. Here's the log
VundoFix V6.5.7
Checking Java version...
Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 12:01:48 μμ 28/8/2007
Listing files found while scanning....
C:\WINDOWS\ponoqr.ini
C:\WINDOWS\rqonop.dll
C:\windows\system32\geeddca.dll
C:\WINDOWS\system32\tmp12.tmp.dll
Beginning removal...
Attempting to delete C:\WINDOWS\ponoqr.ini
C:\WINDOWS\ponoqr.ini Has been deleted!
Attempting to delete C:\WINDOWS\rqonop.dll
C:\WINDOWS\rqonop.dll Has been deleted!
Attempting to delete C:\windows\system32\geeddca.dll
C:\windows\system32\geeddca.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\tmp12.tmp.dll
C:\WINDOWS\system32\tmp12.tmp.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\geeddca.dll
C:\windows\system32\geeddca.dll Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.5.7
Checking Java version...
Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 12:34:56 μμ 28/8/2007
Listing files found while scanning....
C:\windows\system32\geeddca.dll
Beginning removal...
Attempting to delete C:\windows\system32\geeddca.dll
C:\windows\system32\geeddca.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\geeddca.dll
C:\windows\system32\geeddca.dll Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.7.7
Checking Java version...
Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 4:05:58 μμ 27/12/2007
Listing files found while scanning....
C:\WINDOWS\system32\0e6gvS50.dll
C:\WINDOWS\system32\0S8FHj43.dll
C:\WINDOWS\system32\0vrTLOhW.dll
C:\WINDOWS\system32\23GWiPvq.dll
C:\WINDOWS\system32\3foL1t3k.dll
C:\WINDOWS\system32\5QI6AYUt.dll
C:\WINDOWS\system32\63oHf2f8.dll
C:\WINDOWS\system32\6EVvn38P.dll
C:\WINDOWS\system32\76V42SHf.dll
C:\WINDOWS\system32\A2v2tFAD.dll
C:\WINDOWS\system32\ahQ24xC0.dll
C:\WINDOWS\system32\ARf230N2.dll
C:\WINDOWS\system32\Bn5372Rv.dll
C:\WINDOWS\system32\cbxvtsq.dll
C:\WINDOWS\system32\DaIcRwv8.dll
C:\WINDOWS\system32\dy3M52Nl.dll
C:\WINDOWS\system32\fofvtriu.dll
C:\WINDOWS\system32\FWXNkf5w.dll
C:\WINDOWS\system32\ggFa6kd2.dll
C:\WINDOWS\system32\giPC25DF.dll
C:\WINDOWS\system32\h6YLl0uX.dll
C:\WINDOWS\system32\Ix40ymLr.dll
C:\WINDOWS\system32\J50fQB6P.dll
C:\WINDOWS\system32\jBo72onk.dll
C:\WINDOWS\system32\kmlgblrv.dll
C:\WINDOWS\system32\lvfphawn.ini
C:\WINDOWS\system32\M8J7ePX8.dll
C:\WINDOWS\system32\mLivS4M7.dll
C:\WINDOWS\system32\mllmn.dll
C:\windows\system32\nmllm.bak1
C:\windows\system32\nmllm.bak2
C:\windows\system32\nmllm.ini
C:\WINDOWS\system32\nwahpfvl.dll
C:\WINDOWS\system32\NXMNpx1e.dll
C:\WINDOWS\system32\ofb6LYRr.dll
C:\WINDOWS\system32\peiqmOBe.dll
C:\WINDOWS\system32\piwmtvyi.dll
C:\WINDOWS\system32\Q452Lyhg.dll
C:\WINDOWS\system32\q8rcW2Wx.dll
C:\WINDOWS\system32\QKPmNFpM.dll
C:\WINDOWS\system32\QT5kBI7D.dll
C:\WINDOWS\system32\rj13K6EQ.dll
C:\WINDOWS\system32\sdPhNgi3.dll
C:\WINDOWS\system32\sifxyvut.dll
C:\WINDOWS\system32\U040YIUQ.dll
C:\WINDOWS\system32\V0fL7LU5.dll
C:\WINDOWS\system32\vvlxaelm.exe
C:\WINDOWS\system32\w6vC7cof.dll
C:\WINDOWS\system32\wdfydqnh.dll
C:\WINDOWS\system32\wTB568x5.dll
C:\WINDOWS\system32\wwOhyU52.dll
C:\WINDOWS\system32\YhIg11EQ.dll
C:\WINDOWS\xhelper.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\0e6gvS50.dll
C:\WINDOWS\system32\0e6gvS50.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\0S8FHj43.dll
C:\WINDOWS\system32\0S8FHj43.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\0vrTLOhW.dll
C:\WINDOWS\system32\0vrTLOhW.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\23GWiPvq.dll
C:\WINDOWS\system32\23GWiPvq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\3foL1t3k.dll
C:\WINDOWS\system32\3foL1t3k.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\5QI6AYUt.dll
C:\WINDOWS\system32\5QI6AYUt.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\63oHf2f8.dll
C:\WINDOWS\system32\63oHf2f8.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\6EVvn38P.dll
C:\WINDOWS\system32\6EVvn38P.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\76V42SHf.dll
C:\WINDOWS\system32\76V42SHf.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\A2v2tFAD.dll
C:\WINDOWS\system32\A2v2tFAD.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ahQ24xC0.dll
C:\WINDOWS\system32\ahQ24xC0.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ARf230N2.dll
C:\WINDOWS\system32\ARf230N2.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\Bn5372Rv.dll
C:\WINDOWS\system32\Bn5372Rv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\cbxvtsq.dll
C:\WINDOWS\system32\cbxvtsq.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\DaIcRwv8.dll
C:\WINDOWS\system32\DaIcRwv8.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\dy3M52Nl.dll
C:\WINDOWS\system32\dy3M52Nl.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\fofvtriu.dll
C:\WINDOWS\system32\fofvtriu.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\FWXNkf5w.dll
C:\WINDOWS\system32\FWXNkf5w.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ggFa6kd2.dll
C:\WINDOWS\system32\ggFa6kd2.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\giPC25DF.dll
C:\WINDOWS\system32\giPC25DF.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\h6YLl0uX.dll
C:\WINDOWS\system32\h6YLl0uX.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\Ix40ymLr.dll
C:\WINDOWS\system32\Ix40ymLr.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\J50fQB6P.dll
C:\WINDOWS\system32\J50fQB6P.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jBo72onk.dll
C:\WINDOWS\system32\jBo72onk.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\kmlgblrv.dll
C:\WINDOWS\system32\kmlgblrv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\lvfphawn.ini
C:\WINDOWS\system32\lvfphawn.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\M8J7ePX8.dll
C:\WINDOWS\system32\M8J7ePX8.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\mLivS4M7.dll
C:\WINDOWS\system32\mLivS4M7.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\mllmn.dll
C:\WINDOWS\system32\mllmn.dll Has been deleted!
Attempting to delete C:\windows\system32\nmllm.bak1
C:\windows\system32\nmllm.bak1 Has been deleted!
Attempting to delete C:\windows\system32\nmllm.bak2
C:\windows\system32\nmllm.bak2 Has been deleted!
Attempting to delete C:\windows\system32\nmllm.ini
C:\windows\system32\nmllm.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\nwahpfvl.dll
C:\WINDOWS\system32\nwahpfvl.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\NXMNpx1e.dll
C:\WINDOWS\system32\NXMNpx1e.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ofb6LYRr.dll
C:\WINDOWS\system32\ofb6LYRr.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\peiqmOBe.dll
C:\WINDOWS\system32\peiqmOBe.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\piwmtvyi.dll
C:\WINDOWS\system32\piwmtvyi.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\Q452Lyhg.dll
C:\WINDOWS\system32\Q452Lyhg.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\q8rcW2Wx.dll
C:\WINDOWS\system32\q8rcW2Wx.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\QKPmNFpM.dll
C:\WINDOWS\system32\QKPmNFpM.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\QT5kBI7D.dll
C:\WINDOWS\system32\QT5kBI7D.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\rj13K6EQ.dll
C:\WINDOWS\system32\rj13K6EQ.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\sdPhNgi3.dll
C:\WINDOWS\system32\sdPhNgi3.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\sifxyvut.dll
C:\WINDOWS\system32\sifxyvut.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\U040YIUQ.dll
C:\WINDOWS\system32\U040YIUQ.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\V0fL7LU5.dll
C:\WINDOWS\system32\V0fL7LU5.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vvlxaelm.exe
C:\WINDOWS\system32\vvlxaelm.exe Could not be deleted.
Attempting to delete C:\WINDOWS\system32\w6vC7cof.dll
C:\WINDOWS\system32\w6vC7cof.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wdfydqnh.dll
C:\WINDOWS\system32\wdfydqnh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wTB568x5.dll
C:\WINDOWS\system32\wTB568x5.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wwOhyU52.dll
C:\WINDOWS\system32\wwOhyU52.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\YhIg11EQ.dll
C:\WINDOWS\system32\YhIg11EQ.dll Has been deleted!
Attempting to delete C:\WINDOWS\xhelper.dll
C:\WINDOWS\xhelper.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\cbxvtsq.dll
C:\WINDOWS\system32\cbxvtsq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vvlxaelm.exe
C:\WINDOWS\system32\vvlxaelm.exe Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.7.7
Checking Java version...
Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 4:32:34 μμ 27/12/2007
Listing files found while scanning....
C:\WINDOWS\system32\vvlxaelm.exe
Beginning removal...
Attempting to delete C:\WINDOWS\system32\vvlxaelm.exe
C:\WINDOWS\system32\vvlxaelm.exe Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\vvlxaelm.exe
C:\WINDOWS\system32\vvlxaelm.exe Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
contact7
2007-12-27, 17:11
And here's the combo fix log
ComboFix 07-12-21.4 - contact7 2007-12-27 17:00:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1253.1.1032.18.198 [GMT 2:00]
Running from: C:\Documents and Settings\contact7\Επιφάνεια εργασίας\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\bold.log
C:\Documents and Settings\contact7\Application Data\tmp10.tmp.exe
C:\Documents and Settings\contact7\Application Data\tmp11.tmp.exe
C:\Documents and Settings\contact7\Application Data\tmp12.tmp.exe
C:\Documents and Settings\contact7\Application Data\tmp14.tmp.exe
C:\Documents and Settings\contact7\Application Data\tmp15.tmp.exe
C:\Documents and Settings\contact7\Application Data\tmp16.tmp.exe
C:\Documents and Settings\contact7\Application Data\tmp21.tmp.exe
C:\Documents and Settings\contact7\Application Data\tmp22.tmp.exe
C:\Documents and Settings\contact7\Application Data\tmp23.tmp.exe
C:\Documents and Settings\contact7\Application Data\tmp2B.tmp.exe
C:\Documents and Settings\contact7\Application Data\tmp30.tmp.exe
C:\Documents and Settings\contact7\Application Data\tmp4.tmp.exe
C:\Documents and Settings\contact7\Application Data\tmp5C.tmp.exe
C:\Documents and Settings\contact7\Application Data\tmpB8.tmp.exe
C:\Documents and Settings\contact7\Application Data\tmpBA.tmp.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\ddddax.dll
C:\WINDOWS\msettings.ini
C:\WINDOWS\system32\Cfx32.lic
C:\WINDOWS\system32\cfx32.ocx
C:\WINDOWS\system32\dn8cfc4379.dat
C:\WINDOWS\system32\fhhkj.bak1
C:\WINDOWS\system32\fhhkj.bak2
C:\WINDOWS\system32\fhhkj.ini
C:\WINDOWS\system32\gjkkj.bak1
C:\WINDOWS\system32\gjkkj.bak2
C:\WINDOWS\system32\gjkkj.ini
C:\WINDOWS\system32\ututv.bak1
C:\WINDOWS\system32\ututv.bak2
C:\WINDOWS\system32\ututv.ini
C:\WINDOWS\system32\vvlxaelm.exe
C:\WINDOWS\xadddd.ini
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
-------\DomainService
-------\nm
((((((((((((((((((((((((( Files Created from 2007-11-27 to 2007-12-27 )))))))))))))))))))))))))))))))
.
2007-12-27 16:05 . 2007-12-27 16:54 <DIR> d-------- C:\VundoFix Backups
2007-12-27 10:46 . 2007-12-27 10:46 1,027,522 ---hs---- C:\WINDOWS\system32\tuvyxfis.ini
2007-12-25 10:52 . 2007-12-25 10:52 143 --a------ C:\WINDOWS\system32\mcrh.tmp
2007-12-24 11:46 . 2007-12-25 09:46 1,743,480 --ahs---- C:\WINDOWS\system32\jplyrnss.ini
2007-12-22 18:58 . 2007-12-24 11:40 990,810 --ahs---- C:\WINDOWS\system32\axvetnkn.ini
2007-12-18 17:47 . 2007-12-18 17:47 <DIR> d-------- C:\Program Files\Quick StartUp
2007-12-14 12:56 . 2007-12-14 12:56 <DIR> d-------- C:\Program Files\Softland
2007-12-14 12:56 . 2007-11-09 15:54 21,144 --a------ C:\WINDOWS\system32\dopdfmn5.dll
2007-12-14 12:56 . 2007-11-09 15:54 17,560 --a------ C:\WINDOWS\system32\dopdfmi5.dll
2007-12-14 12:56 . 2007-07-20 16:22 5,269 --a------ C:\WINDOWS\system32\dopdf5.ctm
2007-12-12 19:35 . 2007-12-12 19:35 <DIR> d-------- C:\Program Files\CdCoverCreator
2007-12-07 18:41 . 2007-12-07 18:53 2,473,528 --a------ C:\atdata2.sql
2007-12-07 18:12 . 2007-12-07 18:12 2,459,707 --a------ C:\atdata.sql
2007-12-07 10:55 . 2007-12-07 10:59 <DIR> d-------- C:\Program Files\AllWebMenus5
2007-12-06 12:32 . 2007-10-11 01:49 6,065,664 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-12-06 12:32 . 2007-04-17 11:32 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-12-06 12:32 . 2007-03-08 07:09 1,118,208 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-12-06 12:32 . 2007-10-11 01:49 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-12-06 12:32 . 2007-10-11 01:49 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-12-06 12:32 . 2007-10-11 01:49 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-12-06 12:32 . 2007-10-11 01:49 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-12-06 12:32 . 2007-10-11 01:49 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-12-06 12:32 . 2007-10-10 12:59 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-12-06 12:31 . 2007-12-06 12:32 <DIR> d-------- C:\WINDOWS\system32\el-gr
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-24 10:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-13 13:23 --------- d-----w C:\Program Files\WordWeb
2007-12-07 08:56 --------- d-----w C:\Documents and Settings\contact7\Application Data\Likno
2007-12-01 16:01 1,049,720 ----a-w C:\WINDOWS\wweb32.dll
2007-11-26 10:56 105,136 ----a-w C:\Documents and Settings\contact7\Application Data\GDIPFONTCACHEV1.DAT
2007-11-22 10:17 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-08 09:22 --------- d--h--w C:\Documents and Settings\All Users\Application Data\CanonBJ
2006-11-17 10:56 0 ----a-w C:\Program Files\gamingGamePuzzleVB.DB
2005-10-11 18:42 56 --sha-r C:\WINDOWS\system32\B90C05EFD4.sys
2007-06-03 17:58 12,208 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{615ce2ac-a2ad-4d23-aae5-bfa09333fa1f}]
C:\WINDOWS\system32\wdfydqnh.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8D786912-2D3E-4570-9E7B-347519AAB3B4}]
C:\WINDOWS\system32\jkhhf.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A7400AD6-8E22-4C24-9C1D-FF9FD1C48911}]
C:\WINDOWS\system32\vtutu.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B140D340-60B2-4E26-9192-EAA18F93C8A7}]
C:\WINDOWS\system32\mllmn.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C8CC1AE8-0248-4B12-9BC2-52CC5C19389D}]
C:\WINDOWS\system32\jkkjg.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 18:24]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-25 16:57]
"H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-06-26 16:13]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2002-12-31 14:00]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2002-12-31 14:00]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxvtsq]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Προγράμματα^Εκκίνηση^Last.fm Helper.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\Last.fm Helper.lnk
backup=C:\WINDOWS\pss\Last.fm Helper.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Προγράμματα^Εκκίνηση^Σήμερα.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Προγράμματα\Εκκίνηση\Σήμερα.lnk
backup=C:\WINDOWS\pss\Σήμερα.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GBMLite7Agent]
2007-02-27 08:09 204800 --a------ C:\Program Files\Genie-Soft\GBMLite7\GBMAgent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GBMPro7Agent]
2007-02-27 08:09 204800 --a------ C:\Program Files\Genie-Soft\GBMLite7\GBMAgent.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KlipFolio]
C:\Program Files\KlipFolio\KlipFolio.exe /BOOT
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XarkaToday]
2007-04-13 12:33 2552288 --a------ C:\Program Files\Today Application\Today.exe
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-disabled]
"Share-to-Web Namespace Daemon"=C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
R0 hotcore3;hotcore3;C:\WINDOWS\system32\drivers\hotcore3.sys [2007-03-30 14:47]
R1 Uim_IM;UIM Drive Backup Image Plugin;C:\WINDOWS\system32\Drivers\Uim_IM.sys [2007-03-30 14:47]
R1 UimBus;Universal Image Mounter Controller;C:\WINDOWS\system32\DRIVERS\UimBus.sys [2007-03-30 14:47]
R2 Apache2.2;Apache2.2;"c:\xampp\apache\bin\apache.exe" -k runservice []
R3 G400DH;G400DH;C:\WINDOWS\system32\DRIVERS\g400dhm.sys [2006-02-27 15:32]
S2 ousbehci;OrangeWare USB Enhanced Host Controller Service;C:\WINDOWS\system32\Drivers\ousbehci.sys [2004-11-15 08:18]
S3 AVMUNET;AVM FRITZ!Box;C:\WINDOWS\system32\DRIVERS\avmunet.sys [2005-04-18 15:15]
S3 FreshIO;FreshIO;C:\Program Files\FreshDevices\FreshDiagnose\FreshIO.sys [2004-10-26 10:22]
S3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\system32\DRIVERS\ousb2hub.sys [2004-11-15 08:18]
S3 StMp3Rec;Player Recovery Device Control Driver;C:\WINDOWS\system32\Drivers\StMp3Rec.sys [2005-08-26 09:22]
S3 UtilNT;UtilNT;C:\WINDOWS\system32\drivers\UtilNT.sys [2000-04-17 17:32]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0ac35bdd-3e3e-11db-863c-f47474e62a3f}]
\Shell\AutoRun\command - J:\preinst.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47a7e548-052d-11dc-878b-00e04ffff5d3}]
\Shell\AutoRun\command - J:\preinst.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-06-16 17:26:12 C:\WINDOWS\Tasks\At1.job"
- C:\WINDOWS\system32\2B0E7jhj.exe
"2007-08-08 06:01:51 C:\WINDOWS\Tasks\At10.job"
- C:\WINDOWS\system32\2B0E7jhj.exe
"2007-12-25 08:01:38 C:\WINDOWS\Tasks\At11.job"
- C:\WINDOWS\system32\2B0E7jhj.exe
"2007-12-25 09:01:48 C:\WINDOWS\Tasks\At12.job"
- C:\WINDOWS\system32\2B0E7jhj.exe
"2007-12-27 10:01:39 C:\WINDOWS\Tasks\At13.job"
- C:\WINDOWS\system32\2B0E7jhj.exe
"2007-12-27 11:00:30 C:\WINDOWS\Tasks\At14.job"
- C:\WINDOWS\system32\2B0E7jhj.exe
"2007-12-27 12:00:30 C:\WINDOWS\Tasks\At15.job"
- C:\WINDOWS\system32\2B0E7jhj.exe
"2007-12-27 13:00:30 C:\WINDOWS\Tasks\At16.job"
- C:\WINDOWS\system32\2B0E7jhj.exe
"2007-12-27 14:00:30 C:\WINDOWS\Tasks\At17.job"
- C:\WINDOWS\system32\2B0E7jhj.exe
"2007-12-27 15:01:49 C:\WINDOWS\Tasks\At18.job"
- C:\WINDOWS\system32\2B0E7jhj.exe
"2007-12-24 16:00:31 C:\WINDOWS\Tasks\At19.job"
"2007-06-16 17:26:12 C:\WINDOWS\Tasks\At2.job"
- C:\WINDOWS\system32\2B0E7jhj.exe
"2007-12-24 17:00:30 C:\WINDOWS\Tasks\At20.job"
- C:\WINDOWS\system32\2B0E7jhj.exe
"2007-12-26 18:01:38 C:\WINDOWS\Tasks\At21.job"
"2007-12-26 19:00:30 C:\WINDOWS\Tasks\At22.job"
"2007-12-13 20:03:45 C:\WINDOWS\Tasks\At23.job"
- C:\WINDOWS\system32\2B0E7jhj.exe
"2007-12-11 21:00:30 C:\WINDOWS\Tasks\At24.job"
- C:\WINDOWS\system32\2B0E7jhj.exe
"2007-06-16 17:26:12 C:\WINDOWS\Tasks\At3.job"
- C:\WINDOWS\system32\2B0E7jhj.exe
"2007-06-16 17:26:12 C:\WINDOWS\Tasks\At4.job"
- C:\WINDOWS\system32\2B0E7jhj.exe
"2007-06-16 17:26:12 C:\WINDOWS\Tasks\At5.job"
- C:\WINDOWS\system32\2B0E7jhj.exe
"2007-06-16 17:26:12 C:\WINDOWS\Tasks\At6.job"
- C:\WINDOWS\system32\2B0E7jhj.exe
"2007-06-16 17:26:12 C:\WINDOWS\Tasks\At7.job"
- C:\WINDOWS\system32\2B0E7jhj.exe
"2007-06-16 17:26:12 C:\WINDOWS\Tasks\At8.job"
- C:\WINDOWS\system32\2B0E7jhj.exe
"2007-06-16 17:26:12 C:\WINDOWS\Tasks\At9.job"
- C:\WINDOWS\system32\2B0E7jhj.exe
"2007-05-13 21:00:00 C:\WINDOWS\Tasks\Paragon Archive name arc_230107165821218.job"
.
**************************************************************************
catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-27 17:05:13
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-12-27 17:06:22 - machine was rebooted
.
2007-12-12 16:31:09 --- E O F ---
contact7
2007-12-27, 17:12
and finally here's the Hijackthis log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:11:06 μμ, on 27/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\xampp\apache\bin\apache.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\mgabg.exe
c:\xampp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\svchost.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\xampp\mysql\bin\winmysqladmin.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\JGsoft\EditPadPro6\EditPadPro.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///H:/internet-work/HOME/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = VBS001_demo
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {f1af3339-0afb-5eaa-32d4-da2aca2ec516} - {615ce2ac-a2ad-4d23-aae5-bfa09333fa1f} - C:\WINDOWS\system32\wdfydqnh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8D786912-2D3E-4570-9E7B-347519AAB3B4} - C:\WINDOWS\system32\jkhhf.dll (file missing)
O2 - BHO: (no name) - {A7400AD6-8E22-4C24-9C1D-FF9FD1C48911} - C:\WINDOWS\system32\vtutu.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B140D340-60B2-4E26-9192-EAA18F93C8A7} - C:\WINDOWS\system32\mllmn.dll (file missing)
O2 - BHO: (no name) - {C8CC1AE8-0248-4B12-9BC2-52CC5C19389D} - C:\WINDOWS\system32\jkkjg.dll (file missing)
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: WinMySQLadmin.lnk = C:\xampp\mysql\bin\winmysqladmin.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Λήψη όλων με το FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Λήψη με χρήση του FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: cbxvtsq - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2.2 - Apache Software Foundation - c:\xampp\apache\bin\apache.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
O23 - Service: mysql - Unknown owner - c:\xampp\mysql\bin\mysqld-nt.exe
--
End of file - 8498 bytes
pskelley
2007-12-27, 17:21
Thanks for returning your information, before I proceed let's establish a couple of facts.
1) You are very infected
2) You have many old versions of Java (likely why you are infected) see this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
Make sure you have the newest version and then uninstall all old versions in add remove programs.
3) Make sure TeaTimer is off for the duration of this cleanup
We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
4) You did not download Vundofix from the link I provided, instead used an old version. Delete that old version and download 6.7 from the link I provided, run Vundofix using those instructions again and post the Vundofix report and a new HJT log.
Thanks
contact7
2007-12-27, 17:32
Hi again,
I downloaded Vundofix from the link you gave me. It says Vundofix 6.7.7 on the very top, although the log displays the message VundoFix V6.5.7. Don't know why.
Also as far as Java is concerned, on the Add/Remove programs list, I find the following
J2SE Runtime environment 5.0 update 9
J2SE Runtime environment 5.0 update 10
J2SE Runtime environment 5.0 update 11
J2SE Runtime environment 5.0 update 5
J2SE Runtime environment 5.0 update 6
Java 6 update 2
Java 6 Update 3
Java SE Runtime environment 6 update 1
Which should I remove?
Thanks.
pskelley
2007-12-27, 17:46
That's very strange about Vundo, I have a recent version on my Desktop and it is V6.7.0 and it may be off an update or so. If yours says V6.7 or better, then you are up to date and I have no idea why it is showing an old version in the report? and I apologize for assuming you you used an old version.
Java: I have Java 6 update 3 >>> in your post: Java 6 Update 3
Uninstall all of the rest, then check Java for any update to be sure.
I'll start working on your next instructions soon, it will take me some time, so be patient.
Thanks...Phil
contact7
2007-12-27, 18:04
Please do not appologize. You are doing an excelent job in this forum.
By the way I got rid of the older Java versions. I even checked for an update but I had the latest version.
pskelley
2007-12-27, 18:50
Thanks for the feedback, please read and follow the directions carefully, ask if you do not understand something.
1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
3) Open Vundofix by Doubleclicking on it, then point your mouse to the white box above the buttons and right click, then click on Add More Files. When the next window opens, copy and paste the files into the boxes and click on Add File(s), then click on Close Window. Then click Remove Vundo.
(files to add)
C:\WINDOWS\system32\tuvyxfis.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\jplyrnss.ini
C:\WINDOWS\system32\axvetnkn.ini
4) Go to the Scheduled Tasks applet in Control Panel, right-click the task you want to delete, and select Delete from the displayed context menu. Click Yes to confirm the deletion. Be aware that you can't delete tasks you've created with the Task Scheduler Wizard from the command line using the AT command.
Delete all tasks that you did not set.
5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: {f1af3339-0afb-5eaa-32d4-da2aca2ec516} - {615ce2ac-a2ad-4d23-aae5-bfa09333fa1f} - C:\WINDOWS\system32\wdfydqnh.dll (file missing)
O2 - BHO: (no name) - {8D786912-2D3E-4570-9E7B-347519AAB3B4} - C:\WINDOWS\system32\jkhhf.dll (file missing)
O2 - BHO: (no name) - {A7400AD6-8E22-4C24-9C1D-FF9FD1C48911} - C:\WINDOWS\system32\vtutu.dll (file missing)
O2 - BHO: (no name) - {B140D340-60B2-4E26-9192-EAA18F93C8A7} - C:\WINDOWS\system32\mllmn.dll (file missing)
O2 - BHO: (no name) - {C8CC1AE8-0248-4B12-9BC2-52CC5C19389D} - C:\WINDOWS\system32\jkkjg.dll (file missing)
O20 - Winlogon Notify: cbxvtsq - C:\WINDOWS\
Close all programs but HJT and all browser windows, then click on "Fix Checked"
6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart and post the Vundofix report, a new HJT log and some feedback...how is the computer running?
Thanks...Phil:santa:
contact7
2007-12-27, 19:41
Thanks a lot Phil.
Here's my Vundofix report. Although it didn't find anything suspicious it worries me because it found some old Java versions. As I mentioned before i removed everything except the latest version.
VundoFix V6.5.7
Checking Java version...
Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 12:01:48 μμ 28/8/2007
Listing files found while scanning....
C:\WINDOWS\ponoqr.ini
C:\WINDOWS\rqonop.dll
C:\windows\system32\geeddca.dll
C:\WINDOWS\system32\tmp12.tmp.dll
Beginning removal...
Attempting to delete C:\WINDOWS\ponoqr.ini
C:\WINDOWS\ponoqr.ini Has been deleted!
Attempting to delete C:\WINDOWS\rqonop.dll
C:\WINDOWS\rqonop.dll Has been deleted!
Attempting to delete C:\windows\system32\geeddca.dll
C:\windows\system32\geeddca.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\tmp12.tmp.dll
C:\WINDOWS\system32\tmp12.tmp.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\geeddca.dll
C:\windows\system32\geeddca.dll Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.5.7
Checking Java version...
Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 12:34:56 μμ 28/8/2007
Listing files found while scanning....
C:\windows\system32\geeddca.dll
Beginning removal...
Attempting to delete C:\windows\system32\geeddca.dll
C:\windows\system32\geeddca.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\geeddca.dll
C:\windows\system32\geeddca.dll Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.7.7
Checking Java version...
Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 4:05:58 μμ 27/12/2007
Listing files found while scanning....
C:\WINDOWS\system32\0e6gvS50.dll
C:\WINDOWS\system32\0S8FHj43.dll
C:\WINDOWS\system32\0vrTLOhW.dll
C:\WINDOWS\system32\23GWiPvq.dll
C:\WINDOWS\system32\3foL1t3k.dll
C:\WINDOWS\system32\5QI6AYUt.dll
C:\WINDOWS\system32\63oHf2f8.dll
C:\WINDOWS\system32\6EVvn38P.dll
C:\WINDOWS\system32\76V42SHf.dll
C:\WINDOWS\system32\A2v2tFAD.dll
C:\WINDOWS\system32\ahQ24xC0.dll
C:\WINDOWS\system32\ARf230N2.dll
C:\WINDOWS\system32\Bn5372Rv.dll
C:\WINDOWS\system32\cbxvtsq.dll
C:\WINDOWS\system32\DaIcRwv8.dll
C:\WINDOWS\system32\dy3M52Nl.dll
C:\WINDOWS\system32\fofvtriu.dll
C:\WINDOWS\system32\FWXNkf5w.dll
C:\WINDOWS\system32\ggFa6kd2.dll
C:\WINDOWS\system32\giPC25DF.dll
C:\WINDOWS\system32\h6YLl0uX.dll
C:\WINDOWS\system32\Ix40ymLr.dll
C:\WINDOWS\system32\J50fQB6P.dll
C:\WINDOWS\system32\jBo72onk.dll
C:\WINDOWS\system32\kmlgblrv.dll
C:\WINDOWS\system32\lvfphawn.ini
C:\WINDOWS\system32\M8J7ePX8.dll
C:\WINDOWS\system32\mLivS4M7.dll
C:\WINDOWS\system32\mllmn.dll
C:\windows\system32\nmllm.bak1
C:\windows\system32\nmllm.bak2
C:\windows\system32\nmllm.ini
C:\WINDOWS\system32\nwahpfvl.dll
C:\WINDOWS\system32\NXMNpx1e.dll
C:\WINDOWS\system32\ofb6LYRr.dll
C:\WINDOWS\system32\peiqmOBe.dll
C:\WINDOWS\system32\piwmtvyi.dll
C:\WINDOWS\system32\Q452Lyhg.dll
C:\WINDOWS\system32\q8rcW2Wx.dll
C:\WINDOWS\system32\QKPmNFpM.dll
C:\WINDOWS\system32\QT5kBI7D.dll
C:\WINDOWS\system32\rj13K6EQ.dll
C:\WINDOWS\system32\sdPhNgi3.dll
C:\WINDOWS\system32\sifxyvut.dll
C:\WINDOWS\system32\U040YIUQ.dll
C:\WINDOWS\system32\V0fL7LU5.dll
C:\WINDOWS\system32\vvlxaelm.exe
C:\WINDOWS\system32\w6vC7cof.dll
C:\WINDOWS\system32\wdfydqnh.dll
C:\WINDOWS\system32\wTB568x5.dll
C:\WINDOWS\system32\wwOhyU52.dll
C:\WINDOWS\system32\YhIg11EQ.dll
C:\WINDOWS\xhelper.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\0e6gvS50.dll
C:\WINDOWS\system32\0e6gvS50.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\0S8FHj43.dll
C:\WINDOWS\system32\0S8FHj43.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\0vrTLOhW.dll
C:\WINDOWS\system32\0vrTLOhW.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\23GWiPvq.dll
C:\WINDOWS\system32\23GWiPvq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\3foL1t3k.dll
C:\WINDOWS\system32\3foL1t3k.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\5QI6AYUt.dll
C:\WINDOWS\system32\5QI6AYUt.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\63oHf2f8.dll
C:\WINDOWS\system32\63oHf2f8.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\6EVvn38P.dll
C:\WINDOWS\system32\6EVvn38P.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\76V42SHf.dll
C:\WINDOWS\system32\76V42SHf.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\A2v2tFAD.dll
C:\WINDOWS\system32\A2v2tFAD.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ahQ24xC0.dll
C:\WINDOWS\system32\ahQ24xC0.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ARf230N2.dll
C:\WINDOWS\system32\ARf230N2.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\Bn5372Rv.dll
C:\WINDOWS\system32\Bn5372Rv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\cbxvtsq.dll
C:\WINDOWS\system32\cbxvtsq.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\DaIcRwv8.dll
C:\WINDOWS\system32\DaIcRwv8.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\dy3M52Nl.dll
C:\WINDOWS\system32\dy3M52Nl.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\fofvtriu.dll
C:\WINDOWS\system32\fofvtriu.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\FWXNkf5w.dll
C:\WINDOWS\system32\FWXNkf5w.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ggFa6kd2.dll
C:\WINDOWS\system32\ggFa6kd2.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\giPC25DF.dll
C:\WINDOWS\system32\giPC25DF.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\h6YLl0uX.dll
C:\WINDOWS\system32\h6YLl0uX.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\Ix40ymLr.dll
C:\WINDOWS\system32\Ix40ymLr.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\J50fQB6P.dll
C:\WINDOWS\system32\J50fQB6P.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jBo72onk.dll
C:\WINDOWS\system32\jBo72onk.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\kmlgblrv.dll
C:\WINDOWS\system32\kmlgblrv.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\lvfphawn.ini
C:\WINDOWS\system32\lvfphawn.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\M8J7ePX8.dll
C:\WINDOWS\system32\M8J7ePX8.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\mLivS4M7.dll
C:\WINDOWS\system32\mLivS4M7.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\mllmn.dll
C:\WINDOWS\system32\mllmn.dll Has been deleted!
Attempting to delete C:\windows\system32\nmllm.bak1
C:\windows\system32\nmllm.bak1 Has been deleted!
Attempting to delete C:\windows\system32\nmllm.bak2
C:\windows\system32\nmllm.bak2 Has been deleted!
Attempting to delete C:\windows\system32\nmllm.ini
C:\windows\system32\nmllm.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\nwahpfvl.dll
C:\WINDOWS\system32\nwahpfvl.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\NXMNpx1e.dll
C:\WINDOWS\system32\NXMNpx1e.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ofb6LYRr.dll
C:\WINDOWS\system32\ofb6LYRr.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\peiqmOBe.dll
C:\WINDOWS\system32\peiqmOBe.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\piwmtvyi.dll
C:\WINDOWS\system32\piwmtvyi.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\Q452Lyhg.dll
C:\WINDOWS\system32\Q452Lyhg.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\q8rcW2Wx.dll
C:\WINDOWS\system32\q8rcW2Wx.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\QKPmNFpM.dll
C:\WINDOWS\system32\QKPmNFpM.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\QT5kBI7D.dll
C:\WINDOWS\system32\QT5kBI7D.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\rj13K6EQ.dll
C:\WINDOWS\system32\rj13K6EQ.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\sdPhNgi3.dll
C:\WINDOWS\system32\sdPhNgi3.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\sifxyvut.dll
C:\WINDOWS\system32\sifxyvut.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\U040YIUQ.dll
C:\WINDOWS\system32\U040YIUQ.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\V0fL7LU5.dll
C:\WINDOWS\system32\V0fL7LU5.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vvlxaelm.exe
C:\WINDOWS\system32\vvlxaelm.exe Could not be deleted.
Attempting to delete C:\WINDOWS\system32\w6vC7cof.dll
C:\WINDOWS\system32\w6vC7cof.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wdfydqnh.dll
C:\WINDOWS\system32\wdfydqnh.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wTB568x5.dll
C:\WINDOWS\system32\wTB568x5.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\wwOhyU52.dll
C:\WINDOWS\system32\wwOhyU52.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\YhIg11EQ.dll
C:\WINDOWS\system32\YhIg11EQ.dll Has been deleted!
Attempting to delete C:\WINDOWS\xhelper.dll
C:\WINDOWS\xhelper.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\cbxvtsq.dll
C:\WINDOWS\system32\cbxvtsq.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\vvlxaelm.exe
C:\WINDOWS\system32\vvlxaelm.exe Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.7.7
Checking Java version...
Java version is 1.5.0.5
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.
Java version is 1.5.0.10
Java version is 1.5.0.11
Scan started at 4:32:34 μμ 27/12/2007
Listing files found while scanning....
C:\WINDOWS\system32\vvlxaelm.exe
Beginning removal...
Attempting to delete C:\WINDOWS\system32\vvlxaelm.exe
C:\WINDOWS\system32\vvlxaelm.exe Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\vvlxaelm.exe
C:\WINDOWS\system32\vvlxaelm.exe Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Beginning removal...
Attempting to delete C:\WINDOWS\system32\axvetnkn.ini
C:\WINDOWS\system32\axvetnkn.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\jplyrnss.ini
C:\WINDOWS\system32\jplyrnss.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mcrh.tmp Has been deleted!
Attempting to delete C:\WINDOWS\system32\tuvyxfis.ini
C:\WINDOWS\system32\tuvyxfis.ini Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.7.7
Checking Java version...
Scan started at 7:16:29 μμ 27/12/2007
Listing files found while scanning....
No infected files were found.
contact7
2007-12-27, 19:42
AND the hijackthis report
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:38:03 μμ, on 27/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\xampp\apache\bin\apache.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\mgabg.exe
c:\xampp\mysql\bin\mysqld-nt.exe
C:\PROGRA~1\MICROS~4\rapimgr.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
C:\WINDOWS\system32\svchost.exe
C:\xampp\mysql\bin\winmysqladmin.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\TechSmith\SnagIt 8\TSCHelp.exe
C:\Program Files\TechSmith\SnagIt 8\SnagPriv.exe
C:\xampp\apache\bin\apache.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///H:/internet-work/HOME/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = VBS001_demo
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Συνδέσεις
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 8\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {615ce2ac-a2ad-4d23-aae5-bfa09333fa1f} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8D786912-2D3E-4570-9E7B-347519AAB3B4} - (no file)
O2 - BHO: (no name) - {A7400AD6-8E22-4C24-9C1D-FF9FD1C48911} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {B140D340-60B2-4E26-9192-EAA18F93C8A7} - (no file)
O2 - BHO: (no name) - {C8CC1AE8-0248-4B12-9BC2-52CC5C19389D} - (no file)
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: WinMySQLadmin.lnk = C:\xampp\mysql\bin\winmysqladmin.exe
O4 - Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: SnagIt 8.lnk = C:\Program Files\TechSmith\SnagIt 8\SnagIt32.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Ε&ξαγωγή στο Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Λήψη όλων με το FlashGet - C:\PROGRA~1\FlashGet\jc_all.htm
O8 - Extra context menu item: Λήψη με χρήση του FlashGet - C:\PROGRA~1\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedContent/vc/bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.5.0_05) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O20 - Winlogon Notify: cbxvtsq - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2.2 - Apache Software Foundation - c:\xampp\apache\bin\apache.exe
O23 - Service: Autodesk Licensing Service - Unknown owner - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MGABGEXE - Matrox Graphics Inc. - C:\WINDOWS\system32\mgabg.exe
O23 - Service: mysql - Unknown owner - c:\xampp\mysql\bin\mysqld-nt.exe
--
End of file - 8716 bytes
pskelley
2007-12-27, 20:05
Thanks for returning your information, not to be concerned, seems the information about the old versions stays in the memory or something?
TeaTimer is causing us problems, sometime we have to uninstall Spybot to stop it, let's try this.
Make sure TeaTimer is disabled, then follow these directions.
In some cases it's sometimes quite usefull to reset TeaTimer, once you've had it disabled to remove HijackThis entries :
Download ResetTeaTimer.bat.
Double click ResetTeaTimer.bat http://downloads.subratam.org/ResetTeaTimer.bat
to remove all entries set by TeaTimer (and preventing TeaTimer to restore them upon reactivation).
Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: (no name) - {615ce2ac-a2ad-4d23-aae5-bfa09333fa1f} - (no file)
O2 - BHO: (no name) - {8D786912-2D3E-4570-9E7B-347519AAB3B4} - (no file)
O2 - BHO: (no name) - {A7400AD6-8E22-4C24-9C1D-FF9FD1C48911} - (no file)
O2 - BHO: (no name) - {B140D340-60B2-4E26-9192-EAA18F93C8A7} - (no file)
O2 - BHO: (no name) - {C8CC1AE8-0248-4B12-9BC2-52CC5C19389D} - (no file)
O16 - DPF: {CAFEEFAC-0015-0000-0005-ABCDEFFEDCBA} (Java Plug-in 1.5.0_05) -
O16 - DPF: {CAFEEFAC-0015-0000-0006-ABCDEFFEDCBA} (Java Plug-in 1.5.0_06) -
O16 - DPF: {CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Plug-in 1.5.0_09) -
O16 - DPF: {CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA} (Java Plug-in 1.5.0_10) -
O16 - DPF: {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA} (Java Plug-in 1.6.0_01) -
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O20 - Winlogon Notify: cbxvtsq - C:\WINDOWS\
Close all programs but HJT and all browser windows, then click on "Fix Checked"
If this goes as it should, all of those dead items will be gone from the next HJT log. If that is the case, you can proceed with a Kaspersky scan to make sure nothing bad remains.
Before you scan, remove combofix, C:\qoobox\quarantine\, Vundofix and the C:\VundoFix Backups from your computer.
Run this online scan using Internet Explorer:
Kaspersky Online Scanner from http://www.kaspersky.com/virusscanner
Next Click on Launch Kaspersky Online Scanner
You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.
Then post it here.
Tkanks
contact7
2007-12-28, 18:38
Sorry for the delay Phil, but work can't wait...
I did exactly what you said and here's the kaspersky report. It does find quite a lot of suspicious files in the Spybot directory. Is this normal? Can I delete those files?
Thanks a lot
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, December 28, 2007 6:30:24 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/12/2007
Kaspersky Anti-Virus database records: 466272
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
Scan Statistics:
Total number of scanned objects: 92818
Number of viruses found: 7
Number of infected objects: 32
Number of suspicious objects: 0
Duration of the scan process: 02:13:22
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde27.zip/qwerty12.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde27.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde9.zip/qwerty12.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumonde9.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc.zip/vkfvvxdu.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc9.zip/lrfetdaw.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Virtumondeddc9.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinConHookah1.zip/tmpBA.tmp.dll Infected: Trojan.Win32.BHO.yi skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinConHookah1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinConHookah2.zip/tmp23.tmp.dll Infected: Trojan.Win32.BHO.yi skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinConHookah2.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinConHookah3.zip/tmp16.tmp.dll Infected: Trojan.Win32.BHO.yi skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinConHookah3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\contact7\Application Data\$_hpcst$.hpc Object is locked skipped
C:\Documents and Settings\contact7\Application Data\Sun\Java\Deployment\cache\6.0\21\6c120d5-29a54e62/Baaaaa.class Infected: Trojan.Java.ClassLoader.ap skipped
C:\Documents and Settings\contact7\Application Data\Sun\Java\Deployment\cache\6.0\21\6c120d5-29a54e62/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ap skipped
C:\Documents and Settings\contact7\Application Data\Sun\Java\Deployment\cache\6.0\21\6c120d5-29a54e62/VaaaaaaaBaa.class Infected: Trojan.Java.ClassLoader.ap skipped
C:\Documents and Settings\contact7\Application Data\Sun\Java\Deployment\cache\6.0\21\6c120d5-29a54e62 ZIP: infected - 3 skipped
C:\Documents and Settings\contact7\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\contact7\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\contact7\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\contact7\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\contact7\Local Settings\Temp\WCESLog.log Object is locked skipped
C:\Documents and Settings\contact7\Local Settings\Temporary Internet files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\contact7\ntuser.dat Object is locked skipped
C:\Documents and Settings\contact7\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Log.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F911F3E1-2FAB-4EE3-B6DE-1B28A8F508A5}\RP44\A0005670.dll Infected: Trojan.Win32.BHO.yi skipped
C:\System Volume Information\_restore{F911F3E1-2FAB-4EE3-B6DE-1B28A8F508A5}\RP44\A0005672.dll Infected: Trojan.Win32.BHO.yi skipped
C:\System Volume Information\_restore{F911F3E1-2FAB-4EE3-B6DE-1B28A8F508A5}\RP44\A0005673.dll Infected: Trojan.Win32.BHO.yi skipped
C:\System Volume Information\_restore{F911F3E1-2FAB-4EE3-B6DE-1B28A8F508A5}\RP74\A0014336.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{F911F3E1-2FAB-4EE3-B6DE-1B28A8F508A5}\RP75\A0016533.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{F911F3E1-2FAB-4EE3-B6DE-1B28A8F508A5}\RP78\A0016984.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{F911F3E1-2FAB-4EE3-B6DE-1B28A8F508A5}\RP78\A0016987.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{F911F3E1-2FAB-4EE3-B6DE-1B28A8F508A5}\RP78\A0016989.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{F911F3E1-2FAB-4EE3-B6DE-1B28A8F508A5}\RP78\A0016990.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{F911F3E1-2FAB-4EE3-B6DE-1B28A8F508A5}\RP78\A0016991.exe Infected: Trojan.Win32.Agent.bur skipped
C:\System Volume Information\_restore{F911F3E1-2FAB-4EE3-B6DE-1B28A8F508A5}\RP78\A0016992.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{F911F3E1-2FAB-4EE3-B6DE-1B28A8F508A5}\RP78\A0016994.exe Infected: Trojan.Win32.BHO.qg skipped
C:\System Volume Information\_restore{F911F3E1-2FAB-4EE3-B6DE-1B28A8F508A5}\RP78\A0016995.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{F911F3E1-2FAB-4EE3-B6DE-1B28A8F508A5}\RP85\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\2B0E7jhj.exe Infected: Backdoor.Win32.VB.kb skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\xampp\apache\logs\access.log Object is locked skipped
C:\xampp\apache\logs\error.log Object is locked skipped
C:\xampp\apache\logs\ssl_request.log Object is locked skipped
C:\xampp\mysql\data\mark.err Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{F911F3E1-2FAB-4EE3-B6DE-1B28A8F508A5}\RP85\change.log Object is locked skipped
Scan was interrupted by user!
pskelley
2007-12-28, 18:55
Scan was interrupted by user!
You did not stop the scan before it was finished did you?
C:\WINDOWS\system32\2B0E7jhj.exe <<< delete that file (active infection)
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ <<< empty the Spybot S&D Recovery folder:
http://ict.cas.psu.edu/training/howto/util/removespybot.htm#1
C:\Documents and Settings\contact7\Application Data\Sun\Java\Deployment\cache\ <<< empty the Jaca cache:
http://support.f-secure.com/enu/home/virusproblem/howtoclean/cleanjavacache.shtml
Restart the computer
Clean the System Restore files:
MANUAL INSTRUCTIONS FOR SYSTEM RESTORE
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
Same information plus more details:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
If you followed the directions the next Kaspersky scan will be clean.
Have a Happy New Year:clown:
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
Thanks...Phil
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
contact7
2007-12-28, 19:57
Hi,
Yes I stopped the scan when it started working on my CD-rom which is awfully slow...
I followed your advice and here's the report.
Thank you for everything, and I wish you a wonderful 2008...
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, December 28, 2007 7:54:21 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/12/2007
Kaspersky Anti-Virus database records: 466379
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - Critical Areas:
C:\WINDOWS
C:\DOCUME~1\contact7\LOCALS~1\Temp\
Scan Statistics:
Total number of scanned objects: 16889
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:20:38
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\DOCUME~1\contact7\LOCALS~1\Temp\WCESLog.log Object is locked skipped
Scan process completed.