pmkjj infection
Kentucky1986
2007-12-28, 01:37
Good Evening!
First I want to say thank you for this wonderful service...
OK let me provide as much detail as I can...
On 12/22/07 I was on MySpace and I got a pop-up saying "click here to run ActiveX controls" on this page. I usually Ctrl-Alt-Del those when I see them; THIS time I somehow caught it with my mouse and wham, I discovered that I got trojan.dropper on my machine, according to Norton.
I followed Norton's instructions, did a scan in safe mode and after several sweeps of it and Spybot S&D I think I got that problem.
I also discovered that a new file, pmkjj.dll, has found itself in my Windows directory, created on 12/22/07 at the same time the ActiveX hit me. It will not allow any kind of removal or anything. I even tried the program Unlocker, but that shows that pmkjj.dll is a nasty little bug that ties itself to windows.exe and a few others that will not allow you to delete or be rid of it.
I saw a number of places where folks have posted how to get rid of it, but I wanted to seek help in this instance in case there is more going on than I see.
I run Norton Antivirus, I also have the AVS spyware program too.
Here is my HijackThis log
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 6:22:17 PM, on 12/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Outlook Express\msimn.exe
C:\download\HiJackThis_v2.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forecast.weather.gov/MapClick.php?zoneid=FLZ038
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: BndDrive BHO Class - {9815DA81-2E0C-478c-90E4-06E474E704D0} - C:\Program Files\ISM\BndDrive.dll (file missing)
O2 - BHO: (no name) - {A055FC0B-5E55-4660-BE53-8933D391409C} - C:\WINDOWS\system32\pmkjj.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CA4F0D8D-5F2B-4F16-838A-8D52249EAB21} - C:\WINDOWS\system32\ssqnnkh.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe"
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant .exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\ICROSO~1\fast.exe" -vt yazb
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138071306296
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O20 - Winlogon Notify: ssqnnkh - C:\WINDOWS\SYSTEM32\ssqnnkh.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 8670 bytes
Any assistance will be greatly appreciated!
Thanks!
BP
Kentucky1986
2007-12-28, 01:39
This issue has caused me the following problems
Occasional pop ups
Windows Explorer crashing for no reason
Killed my weatherwatcher program
Disabled Norton once
Thanks
BP
pskelley
2007-12-28, 19:21
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
You have a Vundo infection which can be hard to remove. This will take some time and unless you are patient, understand how to follow directions and are comfortable working on your computer, you may want to seek local professional help. If you wish to proceed, read and follow the directions carefully.
1) Read the directions; you have posted an out-of-date version of HJT. Download the correct version 2.0.2 from the information I provided.
2) You are running System Configuration Utility in Selective Startup mode, return it to Normal Mode. You may return to SS to save your resources when we finish.
3) This junk will download more; stay offline except when troubleshooting until you are clean.
4) Post the required information:
Provide:
a) The HJT log. One HJT log only, until a helper responds.
b) The Kaspersky log report.
Thanks
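Added example (not part of the thread, and not a HijackThis feature): a small Python triage script that scans HJT log lines for the entry shapes pskelley's Vundo call rests on, so a reviewer can pull them out of a long log quickly. The sample lines are constructed from the logs posted in this thread, and the flagging rules are my own heuristics, not a scanner's verdict.

```python
"""Triage helper for HijackThis (HJT) logs (added example, not from the thread).

Flags the entry shapes a helper looks for in a Vundo case: an unnamed O2 BHO
loading a DLL from system32, an O20 Winlogon Notify DLL in system32, a win.ini
load= entry that launches a program, and an executable name carrying a space
before its extension. These are review heuristics, not a verdict; the rules are
deliberately narrow so that named, vendor-path BHOs are left alone.
"""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample lines, modelled on the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A055FC0B-5E55-4660-BE53-8933D391409C} - C:\WINDOWS\system32\pmkjj.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O20 - Winlogon Notify: ssqnnkh - C:\WINDOWS\SYSTEM32\ssqnnkh.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\pmkjj.exe, C:\WINDOWS\system32\pmkjj.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# A Windows path ending in a DLL/EXE/OCX. Lazy match so unquoted paths with
# spaces ("C:\Program Files\...") and the "qttask .exe" form are captured whole.
PATH_RE = re.compile(r'[A-Za-z]:\\.+?\.(?:exe|dll|ocx)\b', re.IGNORECASE)
# HJT entry: section code (R0, O2, O20, F3, ...) followed by " - " and the body.
LINE_RE = re.compile(r'^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$')


@dataclass
class Finding:
    section: str
    reason: str
    path: str
    line: str


def extract_paths(text: str) -> List[str]:
    """Return every file path mentioned in one log line, in order."""
    return [m.group(0) for m in PATH_RE.finditer(text)]


def in_system32(path: str) -> bool:
    return '\\system32\\' in path.lower()


def space_before_extension(path: str) -> bool:
    """True for names like 'qttask .exe' where the stem ends in a space."""
    name = path.rsplit('\\', 1)[-1]
    stem = name.rsplit('.', 1)[0]
    return stem.endswith(' ')


def triage_line(line: str) -> List[Finding]:
    """Apply the heuristics to a single HJT line; empty list means nothing flagged."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group('section'), m.group('body')
    paths = extract_paths(body)
    findings: List[Finding] = []
    if section == 'O2' and body.startswith('BHO: (no name)'):
        # Unnamed BHO is common for legitimate tools too (SDHelper.dll above),
        # so only the system32 location tips it into "review".
        for p in paths:
            if in_system32(p):
                findings.append(Finding(section, 'unnamed BHO loading from system32', p, line))
    if section == 'O20' and body.startswith('Winlogon Notify:'):
        for p in paths:
            if in_system32(p) and p.lower().endswith('.dll'):
                findings.append(Finding(section, 'Winlogon Notify DLL in system32', p, line))
    if section == 'F3' and 'win.ini' in body and 'load=' in body:
        # The F3 line repeats the path; dict.fromkeys de-duplicates in order.
        for p in dict.fromkeys(paths):
            findings.append(Finding(section, 'win.ini load= starts a program at logon', p, line))
    for p in paths:
        if space_before_extension(p):
            findings.append(Finding(section, 'space before file extension', p, line))
    return findings


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a pasted HJT log."""
    out: List[Finding] = []
    for line in text.splitlines():
        out.extend(triage_line(line))
    return out


if __name__ == '__main__':
    for f in triage_log(SAMPLE_LOG):
        print(f'[{f.section}] {f.reason}: {f.path}')
```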
Kentucky1986
2007-12-28, 23:30
Good Evening
First let me apologize for not getting all my info straight before posting... I was very tired at the time and did not see the follow-ups on the "read first before you post" bit.
I will do all required tasks and post the requested reports as soon as they are ready.
Thank you for your response..
BP (In Flagler County Fla)
Kentucky1986
2007-12-29, 08:19
Good Morning...
Unless I screwed up somewhere I have completed all that was requested...
1. Went through the entire thread of before you post, again I did not realize at first how much was there. I am pretty sure I did all that was needed.
2. My System Configuration Utility somehow was removed (!!). I went ahead and reinstalled msconfig and made sure that I was in normal mode. I hope it was OK to do that (reinstall that component.)
3. I am staying offline except for troubleshooting.
4. Here is the requested info
HJT log from the updated version of HJT per your specs
==========================================
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:04:32 AM, on 12/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://forecast.weather.gov/MapClick.php?zoneid=FLZ038
F3 - REG:win.ini: load=C:\WINDOWS\system32\pmkjj.exe, C:\WINDOWS\system32\pmkjj.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [Lexmark X1100 Series] "C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe"
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [RecoverFromReboot] C:\WINDOWS\Temp\RecoverFromReboot.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant .exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [WeatherWatcher] C:\Program Files\Weather Watcher\ww.exe
O4 - HKCU\..\Run: [Ltho] "C:\PROGRA~1\ICROSO~1\fast.exe" -vt yazb
O4 - HKUS\S-1-5-18\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [SetDefaultMidi] MIDIDEF.EXE (User 'Default user')
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/c381/chat.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B323CD9-50E3-11D3-9466-00A0C9700498} (Yahoo! Audio Conferencing) - http://us.chat1.yimg.com/us.yimg.com/i/chat/applet/v45/yacscom.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1138071306296
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/yautocomplete.cab
O23 - Service: Adobe Active File Monitor V5 (AdobeActiveFileMonitor5.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 5.0\PhotoshopElementsFileAgent.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
--
End of file - 7314 bytes
###
Please see next post...for the "K" scan report...
Kentucky1986
2007-12-29, 08:23
The following is the scan report part 1
The Kaspersky log report
=============================================
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, December 28, 2007 11:51:55 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 28/12/2007
Kaspersky Anti-Virus database records: 499159
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
Scan Statistics:
Total number of scanned objects: 520580
Number of viruses found: 19
Number of infected objects: 186
Number of suspicious objects: 0
Duration of the scan process: 05:46:46
Infected Object Name / Virus Name / Last Action
C:\!KillBox\ssqnnkh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clz skipped
C:\5075.tmp/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\5075.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.Agent.ay skipped
C:\5075.tmp/stream/data0004 Infected: not-a-virus:AdWare.Win32.Agent.br skipped
C:\5075.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.br skipped
C:\5075.tmp NSIS: infected - 4 skipped
C:\a984e7a723202bf97365129ac18\SETUP.18 Object is locked skipped
C:\a984e7a723202bf97365129ac18\SETUP.7 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NetworkMonitor.zip/netmon.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\NetworkMonitor.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle1.zip/Yazzle1552OinAdmin.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle1.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle3.zip/Yazzle1552OinAdmin.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle3.zip ZIP: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\LiveUpdate\2007-12-28_Log.ALUSchedulerSvc.LiveUpdate Object is locked skipped
C:\Documents and Settings\Bob\.housecall6.6\Quarantine\5074.tmp.bac_a03496/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\Bob\.housecall6.6\Quarantine\5074.tmp.bac_a03496 NSIS: infected - 1 skipped
C:\Documents and Settings\Bob\.housecall6.6\Quarantine\5074.tmp.bac_a03496 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Bob\.housecall6.6\Quarantine\D1E9C.tmp.bac_a03496/data0002 Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
C:\Documents and Settings\Bob\.housecall6.6\Quarantine\D1E9C.tmp.bac_a03496 NSIS: infected - 1 skipped
C:\Documents and Settings\Bob\.housecall6.6\Quarantine\D1E9C.tmp.bac_a03496 CryptFF.b: infected - 1 skipped
C:\Documents and Settings\Bob\.housecall6.6\Quarantine\TMP1A.tmp.bac_a03496 Infected: Trojan-Downloader.Win32.PurityScan.fe skipped
C:\Documents and Settings\Bob\.housecall6.6\Quarantine\TMP1B.tmp.bac_a03496 Infected: Trojan-Downloader.Win32.PurityScan.fe skipped
C:\Documents and Settings\Bob\.housecall6.6\Quarantine\TMP1EB3.tmp.bac_a03496 Infected: Trojan-Downloader.Win32.PurityScan.fe skipped
C:\Documents and Settings\Bob\.housecall6.6\Quarantine\TMP1F01.tmp.bac_a03496 Infected: Trojan-Downloader.Win32.PurityScan.fe skipped
C:\Documents and Settings\Bob\.housecall6.6\Quarantine\TMP4D.tmp.bac_a03496 Infected: Trojan-Downloader.Win32.PurityScan.fe skipped
C:\Documents and Settings\Bob\.housecall6.6\Quarantine\TMP56.tmp.bac_a03496 Infected: Trojan-Downloader.Win32.PurityScan.fe skipped
C:\Documents and Settings\Bob\.housecall6.6\Quarantine\TMP59.tmp.bac_a03496 Infected: Trojan-Downloader.Win32.PurityScan.fe skipped
C:\Documents and Settings\Bob\.housecall6.6\Quarantine\TMP5D.tmp.bac_a03496 Infected: Trojan-Downloader.Win32.PurityScan.fe skipped
C:\Documents and Settings\Bob\.housecall6.6\Quarantine\VVSNInst.exe.bac_a03496 Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
C:\Documents and Settings\Bob\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Bob\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Bob\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Bob\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Bob\Local Settings\History\History.IE5\MSHist012007122820071229\index.dat Object is locked skipped
C:\Documents and Settings\Bob\Local Settings\Temp\D1EA3.tmp/stream/data0001 Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
C:\Documents and Settings\Bob\Local Settings\Temp\D1EA3.tmp/stream Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
C:\Documents and Settings\Bob\Local Settings\Temp\D1EA3.tmp NSIS: infected - 2 skipped
C:\Documents and Settings\Bob\Local Settings\Temp\ismupd1.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.br skipped
C:\Documents and Settings\Bob\Local Settings\Temp\ismupd1.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Bob\Local Settings\Temp\RCX1F.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\Bob\Local Settings\Temp\RCX22.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\Bob\Local Settings\Temp\RCX28.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\Bob\Local Settings\Temp\RCX29.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\Bob\Local Settings\Temp\RCX2C.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\Bob\Local Settings\Temp\RCX2D.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\Bob\Local Settings\Temp\RCX2E.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\Bob\Local Settings\Temp\RCX2F.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\Bob\Local Settings\Temp\RCX30.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\Bob\Local Settings\Temp\RCX31.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\Bob\Local Settings\Temp\RCX36.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\Bob\Local Settings\Temp\RCX3A.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\Bob\Local Settings\Temp\TMP18A3.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\Bob\Local Settings\Temp\TMP1AC0.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\Bob\Local Settings\Temp\TMP1ED7.tmp Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\Documents and Settings\Bob\Local Settings\Temp\TMP1F2F.tmp Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\Documents and Settings\Bob\Local Settings\Temp\TMP51.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\Bob\Local Settings\Temp\TMP53D0.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\Bob\Local Settings\Temp\TMP57.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\Bob\Local Settings\Temp\TMP6A.tmp Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\Documents and Settings\Bob\Local Settings\Temp\TMP72.tmp Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\Documents and Settings\Bob\Local Settings\Temp\TMP7E.tmp Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\Documents and Settings\Bob\Local Settings\Temp\TMP80.tmp Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\Documents and Settings\Bob\Local Settings\Temp\TMP81.tmp Infected: Trojan-Downloader.Win32.Agent.gwh skipped
C:\Documents and Settings\Bob\Local Settings\Temp\TMP87.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\Bob\Local Settings\Temp\TMP8B.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\Bob\Local Settings\Temp\TMP98.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Documents and Settings\Bob\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Bob\ntuser.dat Object is locked skipped
C:\Documents and Settings\Bob\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\download\backups\backup-20071228-003809-449.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clz skipped
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Common Files\Symantec Shared\ccApp.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\iTunes\iTunesHelper.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVError.log Object is locked skipped
C:\Program Files\Norton AntiVirus\AVVirus.log Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\0CF31475.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\Program Files\Norton AntiVirus\Quarantine\100F4431.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped
C:\Program Files\Norton AntiVirus\Quarantine\10D04634.exe Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\Program Files\Norton AntiVirus\Quarantine\11AD5340.exe Infected: not-virus:Hoax.Win32.Renos.vm skipped
C:\Program Files\Norton AntiVirus\Quarantine\14AA4DF7.exe Infected: Trojan-Downloader.Win32.Agent.fjv skipped
C:\Program Files\Norton AntiVirus\Quarantine\1C4B6192.exe Infected: Trojan-Downloader.Win32.Agent.fjn skipped
C:\Program Files\Norton AntiVirus\Quarantine\23744BF8 Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\Program Files\Norton AntiVirus\Quarantine\4DFA057D.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped
C:\Program Files\Norton AntiVirus\Quarantine\78B36A32.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped
C:\Program Files\Norton AntiVirus\Quarantine\7AC151EF.exe Infected: not-a-virus:AdWare.Win32.Rond.c skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\QuickTime\qttask.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Unlocker\UnlockerAssistant .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Unlocker\UnlockerAssistant .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Unlocker\UnlockerAssistant .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Unlocker\UnlockerAssistant .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Unlocker\UnlockerAssistant .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Unlocker\UnlockerAssistant .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Unlocker\UnlockerAssistant .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Unlocker\UnlockerAssistant .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Unlocker\UnlockerAssistant .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Unlocker\UnlockerAssistant .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Unlocker\UnlockerAssistant .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Unlocker\UnlockerAssistant.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
### End Part 1
Please note, due to length, the next part of this report is in the next post.... thanks - BP
Kentucky1986
2007-12-29, 08:25
This is the second part of the scan report, sorry for the multiple posts...
Report starts below double lines....
============================================
C:\RECYCLER\S-1-5-21-682003330-1343024091-2147195623-1004\Dc1.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0000023.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001004.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001005.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001008.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001009.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001010.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001013.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001014.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001019.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001031.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001032.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001034.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001035.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001036.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001039.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001040.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001050.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001051.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001052.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001055.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001056.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001057.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001059.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001060.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001063.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001071.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001072.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001074.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001075.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001076.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001078.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001079.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001081.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clz skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001092.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001093.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001094.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001095.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001096.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001099.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001100.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0002088.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0002090.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0002091.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0002092.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0002093.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0002095.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0003088.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0003090.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0003091.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0003092.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0003094.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0003097.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP2\change.log Object is locked skipped
C:\VundoFix Backups\MSConfig.exe.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\VundoFix Backups\pmkjj.exe.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\VundoFix Backups\RecoverFromReboot.exe.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\VundoFix Backups\ssqnnkh.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.clz skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\mrofinu72.exe.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\PCHealth\HelpCtr\Binaries\msconfig.exe.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\pmkjj.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\system32\RCX2F.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\system32\RCX3E.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\system32\RCX41.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\system32\RCX42.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\system32\RCX43.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\system32\RCX44.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\system32\RCX45.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\system32\RCX46.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\system32\RCX47.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\system32\RCX4E.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\{00000001-00000000-00000001-00001102-00000004-10061102}.CDF Object is locked skipped
Scan process completed.
###
=============================================
I hope I have done everything requested...PLEASE let me know if I did not.
I want to work to get this thing and I do understand it will take a fair amount of time and such. I am not afraid to dive into the depths of my machine with proper guidance.
Thank you for assisting me :-)
BP
pskelley
2007-12-29, 13:37
BP, I am afraid I have some bad news for you: you are infected with a new kind of Virtumonde file infector that infects your programs, and as yet there is no way to clean this infection that I know of, short of reformatting.
I will show you some examples:
C:\Program Files\Adobe\Photoshop Elements 5.0\apdproxy.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Common Files\Symantec Shared\ccApp.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\iTunes\iTunesHelper.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Norton AntiVirus\Quarantine\0CF31475.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\Program Files\QuickTime\qttask .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Unlocker\UnlockerAssistant .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
There may be more; the infection is probably spreading. I just don't know, not having enough information at this point.
That is not all of the files that are infected, but at least that many programs are infected.
Here is a little information about Virtumonde:
Since there is a class action involving this one, you may want to view this information:
http://www.networkworld.com/news/2007/030807-mystery-around-winfixer-slowly-unravels.html
http://www.youtube.com/watch?v=zBUZHiKhsog
http://msmvps.com/blogs/spywaresucks/search.aspx?q=winfixer+msn
http://www.malwarecomplaints.info/ <<< you can complain here.
As I see it, the courts are dragging their feet about doing something about these lowlifes; the infection has been getting harder and harder to remove, but this time they have raised it to a whole new level. Considering they are involved in "fraud" in trying to sell fraudulent malware removal programs, I personally wonder why they did this?
I am watching the folks who create the tools and if I see anything that I think can help you, I will make you aware. To my knowledge, the infected programs are worthless and must be reinstalled.
http://spyware-free.us/tutorials/reformat/
http://www.cyberwalker.net/faqs/how-tos/reinstall-faq.html
http://helpdesk.its.uiowa.edu/windows/instructions/reformat.htm
Thanks
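As an added example (not from the thread, and not something the scanner or the forum provides), a small Python script that reads report lines in the format posted above and separates live infected program files from quarantined, backup and restore-point copies; the sample lines are constructed from the report in this thread.

```python
import re
from collections import Counter

# Constructed sample in the format of the scan report posted in this thread
# (paths and detection names copied from it). Added example, not scanner output.
SAMPLE_REPORT = r"""
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\iTunes\iTunesHelper.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\Program Files\Norton AntiVirus\AVApp.log Object is locked skipped
C:\Program Files\Norton AntiVirus\Quarantine\0CF31475.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
C:\System Volume Information\_restore{5E288B11-18D7-4511-AD30-FE33C72F1863}\RP1\A0001081.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.clz skipped
C:\VundoFix Backups\pmkjj.exe.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\system32\pmkjj.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
C:\WINDOWS\system32\RCX2F.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.cli skipped
Scan process completed.
"""

# A report line is "<path> Infected: <detection> skipped" or "<path> Object is locked skipped".
LINE_RE = re.compile(r"^(?P<path>.+?) (?:Infected: (?P<detection>\S+)|(?P<locked>Object is locked)) skipped$")

# Paths holding quarantined, backed-up or restore-point copies rather than live files.
INACTIVE_MARKERS = ("\\Quarantine\\", "\\VundoFix Backups\\", "\\System Volume Information\\")

def parse_report(text):
    """Return one dict per report line; non-matching lines (the footer) are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append({"path": m.group("path"),
                            "detection": m.group("detection"),  # None for locked objects
                            "locked": m.group("locked") is not None})
    return records

def is_inactive_copy(path):
    return any(marker in path for marker in INACTIVE_MARKERS) or path.lower().endswith(".bad")

def summarize(records):
    """Group detections and separate live infected files from quarantined copies."""
    infected = [r for r in records if r["detection"]]
    active = [r["path"] for r in infected if not is_inactive_copy(r["path"])]
    # Infected program binaries: per the thread these cannot be cleaned, so the
    # program has to be reinstalled once the system is otherwise clean.
    reinstall = [p for p in active
                 if p.lower().startswith("c:\\program files\\")
                 and p.lower().rsplit(".", 1)[-1] in ("exe", "dll")]
    # Names with a space before the extension ("avgas .exe") appear in the report
    # next to the real binaries and deserve a separate look.
    spaced = [p for p in active if re.search(r" \.\w+$", p.rsplit("\\", 1)[-1])]
    return {"by_detection": Counter(r["detection"] for r in infected),
            "locked": sum(r["locked"] for r in records),
            "active": active,
            "reinstall": reinstall,
            "spaced_names": spaced}

if __name__ == "__main__":
    report = summarize(parse_report(SAMPLE_REPORT))
    for name, count in report["by_detection"].most_common():
        print(f"{count:3d}  {name}")
    print("live infected files:", *report["active"], sep="\n  ")
    print("programs to reinstall:", *report["reinstall"], sep="\n  ")
```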
Kentucky1986
2007-12-29, 18:21
Good Morning
OK let me digest all of this....it does not sound good :-(
I want to thank you for your assistance and I will come back and look again later if you have any suggestions.
Thanks
BP
pskelley
2007-12-29, 18:26
sUBs, the creator of the combofix tool, is supposed to be working on a fix. This is the talk of all the forums; I will provide you with any updates I get. I may use private messages so watch for them.
Thanks
Kentucky1986
2007-12-30, 00:28
Good Evening
I will watch for any more info. This thing has killed my Norton to the point that I am going to uninstall it, and I have activated the free AVG antivirus for now... I'd rather have it than no protection.
Please let me know if any "fixes" come up... for now I will hold off on the reformat.
Thank You!
BP
pskelley
2007-12-30, 02:51
This member has posted for help also at BleepingComputer:
http://www.bleepingcomputer.com/forums/topic123262.html
This topic is closed
Thanks