New Thread: What's yrndlcit.exe?



itsleo
2008-01-11, 20:43
New Thread: What's yrndlcit.exe?

I posted the original of this yesterday. No, I didn't post logs, because I wasn't sure if this was the right place or not, and right this instant, I'm not sure how to go about GETting log (keep reading, I'll explain).

I searched for yrndlcit and yrndlcit.exe and found zero references... kinda surprising - is it "the" problem or something totally off the wall?

Anyway, this "yrndlcit.exe" was popping up several times a minute - I'd put it on the blacklist - but either I accidentally put it on the white list too or it managed to add itself - I was getting multiple boxes on the screen announcing that yrndlcit.exe was running because it was white listed followed by boxes announcing that it was terminated because it was blacklisted... somehow I got into the lists - don't recall what I did - and deleted the white list entry, so at least I don't see the *(&#$@ boxes anymore. But something's up - still... my desktop icons are all highlighted all the time, and the computer is slow, and it keeps kicking off IE (I use FF) and complaining about being offline (I have no intention of putting it online on my little home LAN until something is resolved - only one other computer is Windows, but...).

I saw the stickies about the procedure - S&D is running right now [ NOTE: WAS when I write the original - keep reading for results ] on the infected computer, so when it's done I'll d/l the other progs, CD them and copy onto El Sicko and run, if there's any point to it...

Here's what happened next: I went back to edit my original, and provide some more information... but, of course, you can't edit your posts here, so I replied to it (is there some other alternative?), and I got a response, which was basically "RTFM" - which I think I had indicated (see above) that I had done already - and asked to start a new thread, which I am doing right now.

The result of the S&D scan was that it found 3 instances of virtumonde in the registry and said they were fixed (which I took to mean erased). When I rebooted it, intending to hook the computer directly to the DSL and avoid infecting others on my LAN, it came up with nothing but a desktop wallpaper - no icons, no taskbar. Ctrl-Alt-Del does bring up the Task Manager, but I'm not sure where to go next. I can get it up in safe mode (although on this Dell notebook, the screen in this mode is about half the size of the full screen and a little hard to work with).

I understand that this post, like the previous one, is in violation of the requirement to post logs from Kaspersky Online, as well as some of the following ones, but I can't GET online, which makes it a bit of a problem.

Perhaps I should start somewhere else???

Anyway, if someone can help me get past this point, I promise I'll do my best to keep to the requirements the rest of the way.

Thanks!

tashi
2008-01-15, 00:42
New Thread: What's yrndlcit.exe? Probably a random name in the infection.



The result of the S&D scan was that it found 3 instances of virtumonde in the registry and said they were fixed (which I took to mean erased). When I rebooted it, intending to hook the computer directly to the DSL and avoid infecting others on my LAN, it came up with nothing but a desktop wallpaper - no icons, no taskbar. Ctrl-Alt-Del does bring up the Task Manager, but I'm not sure where to go next. I can get it up in safe mode (although on this Dell notebook, the screen in this mode is about half the size of the full screen and a little hard to work with).


I will leave a note for our helpers to see if they have any ideas.

Best wishes.

CalamityJane
2008-01-15, 19:28
It's very confusing with all the posts going on here but I'll help if I can get some logs from you. We can't tell anything from descriptions. I saw the other log on the "good computer" and didn't see any problems, so let's just concentrate on the one you know is infected here. It probably IS Vundo and some of the new variants come with other multiple infections as well, so there are many scenarios for the behavior you describe. There is not a one-fix step so we need to try to find out some info on the infected machine (i.e.: logs specifically).

Are you able to get online in SAFE MODE with Networking?
If so, try that for the KAV scan.

Meanwhile let's get a report from this free tool.
Download Deckard's System Scanner (DSS) (http://www.techsupportforum.com/sectools/Deckard/dss.exe) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt (this one will be maximized) and extra.txt (this one will be minimized).
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and extra.txt into your reply.

That will give me something to start with.

CalamityJane
2008-01-15, 19:36
Also, if you can attach the scan log from Spybot, that might help too. When you go to post a reply, scroll down a bit and you'll see an area to "attach files" in *Additional Options*. That is how you can attach a report, but the DSS logs I want you to just paste in as they shouldn't be too long and are easier to read that way.

itsleo
2008-01-15, 21:02
Hello, Jane - I finally got this #(@*&$ notebook to show icons and desktop and got online. Here are the Deckard results you asked for (the machine's name is SHIRLEY WILLIAMS - it came from a county auction and I believe she was a JP). I will go find the S&D log and attach to another post.

Damn - the Deckard is too long, so I'm attaching IT as well.
pos
Aw, hell! As I was typing that, S&D popped up a notice about ZQest.K8L and it caught my keypresses... no telling what happened then... also pls excuse typos, it's a notebook and I usually have a "real" keyboard... plus that (*&#$@ ZQest (or something) keeps running and stealing keypresses and moving the cursor

Well - no go on the attachment. It's about 36K and the "Manage attachments" refused it. I'll zip it and attach that................

Thanks for responding!

itsleo
2008-01-15, 21:03
... and while I was doing that, the desktop icons and taskbar disappeared again....

CalamityJane
2008-01-15, 21:22
That's a mess alright. When did you acquire the computer? Do you have any of the install or recovery disks?

I'm asking because this computer only has SP1 and is dead meat if you can't get SP2. From the error logs:
Event Record #/Type3307 / Error
Event Submitted/Written: 01/11/2008 01:10:07 PM
Event ID/Source: 1010 / Windows Product Activation
Event Description:
The Windows license was restored due to a system error. You might need to reactivate your Windows product.
................
It looks like you got the KAV scan on this one? Did you save the log?

CalamityJane
2008-01-15, 21:23
You've got a remote control program installed. Did you install that?

CalamityJane
2008-01-15, 22:25
Hello, Leo? Where did you go?

I think maybe your idea to reformat and reinstall is probably a good one since the software on here isn't yours and you don't have anything important on it - that is going to be your easiest bet because this infection is really messy.

You are still going to need to validate windows to get SP2 installed which is really needed here but not until after you either get it cleaned up or reinstalled.

IF you want to try this tool, we can see how it does, but this computer has been infected quite a while (at least a month) and maybe done some damage we can't see in these.

Download ComboFix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.

2. Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

itsleo
2008-01-15, 22:45
Hello, Leo? Where did you go?

I think maybe your idea to reformat and reinstall is probably a good one since the software on here isn't yours and you don't have anything important on it - that is going to be your easiest bet because this infection is really messy.

You are still going to need to validate windows to get SP2 installed which is really needed here but not until after you either get it cleaned up or reinstalled.

IF you want to try this tool, we can see how it does, but this computer has been infected quite a while (at least a month) and maybe done some damage we can't see in these.

Download ComboFix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

1. Close any open browsers.

2. Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall

I had to take my favorite wife to lunch... when I rebooted this computer, it started popping up S&D messages about virtumonde.ddc and asking about registry changes on a couple of others so fast I couldn't get anything done for the next 15 minutes...

If I do have to burn this down, I am very doubtful about installing Windows again. Most of my computers are various flavors of Linux, and I have yet to see even a hint of all this viruspam BS on those. My XP Pro box has had its share of spyspam, but (I think you said you looked at the HJT log for it) nothing bothersome.

Anyway, I will go ahead with the combofix and see if we can make anything GOOD happen.

Jane, thanks again!

itsleo
2008-01-15, 23:24
Okay - here's combofix.txt and hjt log, as you requested.





ComboFix 08-01-15.4 - SHIRLEY WILLIAMS 2008-01-15 14:54:50.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.92 [GMT -6:00]
Running from: C:\Documents and Settings\SHIRLEY WILLIAMS\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\SHIRLEY WILLIAMS\Application Data\install.dat
C:\Program Files\Common Files\mcroso~1
C:\Program Files\mcroso~1
C:\Program Files\MSN Gaming Zone\lavu.dll
C:\Program Files\MSN Gaming Zone\lavu441.dll
C:\Program Files\MSN Gaming Zone\profsy.html
C:\Program Files\WinBudget
C:\Program Files\WinBudget\bin\crap.1187063402.old
C:\Program Files\WinBudget\bin\crapmatrix.dllcrap
C:\Program Files\Windows Media Player\hokesotu4444.dll
C:\Program Files\Windows Media Player\hokesotu83122.dll
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\bkR11
C:\Temp\bkR11\ftCa.log
C:\WINDOWS\horrible\tvyxx.ini
C:\WINDOWS\horrible\tvyxx.ini2
C:\WINDOWS\system32\aimsmx.dll
C:\WINDOWS\system32\aosmx.dll
C:\WINDOWS\system32\cavnfmkr.dll
C:\WINDOWS\system32\cbxyyww.dll
C:\WINDOWS\system32\dcuwemai.dll
C:\WINDOWS\system32\drivers\fad.sys
C:\WINDOWS\system32\gobptxco.dll
C:\WINDOWS\system32\gtalsmx.dll
C:\WINDOWS\system32\info.txt
C:\WINDOWS\system32\ipv6monk.dll
C:\WINDOWS\system32\mssdvoql.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pfxzmtaim.dll
C:\WINDOWS\system32\pfxzmtforum.dll
C:\WINDOWS\system32\pfxzmtgtal.dll
C:\WINDOWS\system32\pfxzmticq.dll
C:\WINDOWS\system32\pfxzmtsmt.dll
C:\WINDOWS\system32\pfxzmtsmtspm.dll
C:\WINDOWS\system32\pfxzmtwbmail.dll
C:\WINDOWS\system32\pfxzmtymsg.dll
C:\WINDOWS\SYSTEM32\rkmfnvac.ini
C:\WINDOWS\system32\rsvp32_2.dll
C:\WINDOWS\system32\rsvp32_2.dll3f2tjw
C:\WINDOWS\system32\rsvp32_2.dllewfwe334f
C:\WINDOWS\system32\rsvp32_2.dllewfweff
C:\WINDOWS\system32\sfxzmtforum.dll
C:\WINDOWS\system32\sfxzmtsmt.dll
C:\WINDOWS\system32\sfxzmtsmtspm.dll
C:\WINDOWS\system32\sfxzmtwbmail.dll
C:\WINDOWS\SYSTEM32\tvyxx.ini
C:\WINDOWS\SYSTEM32\tvyxx.ini2
C:\WINDOWS\system32\xxyvt.dll
C:\WINDOWS\system32\ymsgsmx.dll
C:\WINDOWS\tk58.exe
C:\WINDOWS\TTC-4444.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FAD
-------\LEGACY_NETWORK_MONITOR
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-12-15 to 2008-01-15 )))))))))))))))))))))))))))))))
.

2008-01-15 14:52 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-15 14:17 . 2008-01-15 14:17 15,663 --a------ C:\WINDOWS\BMa345ea2a.xml
2008-01-15 14:17 . 2008-01-15 14:17 22 --a------ C:\WINDOWS\pskt.ini
2008-01-15 13:01 . 2008-01-15 13:01 10,949 --a------ C:\deck.zip
2008-01-15 12:30 . 2008-01-15 12:30 <DIR> d-------- C:\Deckard
2008-01-11 16:19 . 2008-01-11 16:19 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-01-11 16:19 . 2008-01-11 16:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-11 13:10 . 2008-01-15 12:18 2,184 --a------ C:\WINDOWS\SYSTEM32\wpa.dbl
2008-01-11 12:26 . 2008-01-15 14:58 <DIR> d-------- C:\WINDOWS\horrible
2008-01-11 12:14 . 2005-05-28 06:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-01-04 18:18 . 2008-01-15 12:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot2
2008-01-04 18:18 . 2008-01-15 12:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot
2008-01-03 13:41 . 2008-01-03 13:41 <DIR> d-------- C:\Documents and Settings\SHIRLEY WILLIAMS\windowscrap
2007-12-17 17:45 . 2007-12-17 17:46 <DIR> d-------- C:\Program Files\WinPcap
2007-12-17 16:31 . 2007-12-17 17:46 <DIR> d-------- C:\Program Files\Wireshark
2007-12-16 14:31 . 2007-12-16 14:31 <DIR> d-------- C:\Program Files\Enigma Software Group

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-15 18:18 --------- d-----w C:\Program Files\LogMeIn
2007-12-16 21:51 --------- d-----w C:\Documents and Settings\SHIRLEY WILLIAMS\Application Data\AVG7
2007-12-16 20:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-07 17:55 --------- d-----w C:\Program Files\Apophysis 2.0
2007-12-03 21:23 --------- d-----w C:\Program Files\DBF Viewer 2000
2007-02-28 00:09 47,992 ----a-w C:\Documents and Settings\SHIRLEY WILLIAMS\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02012421-489E-444E-BE90-5334553E729B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{093725DF-43BD-4D73-BFC3-015648EBC06F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18034704-9EFB-4839-9959-565B4FADE80D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{297B7695-14FC-4F79-B9CD-372FA4E50E1E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3cba2671-44ea-4f46-8418-6ee56620909d}]
C:\WINDOWS\System32\nvpqsmo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89F5EC1A-C524-4D56-A67F-0A3FB5C8CF54}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A505F7C-4637-4C91-92C0-8CDABC4908AD}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AEBF6926-DBA6-4100-A838-1CED0169AB78}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C84DE7AC-2968-79EC-1486-00E2970227EA}]
C:\WINDOWS\System32\mpum.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF50EE5C-27CC-4403-9E23-CE08E01482C9}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5EEA2B3-CFF1-45A4-858C-0FE06C5D2A35}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F00B9FB6-B92A-4328-82F9-85CE971ED9FA}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F74096E3-9F6E-4C7E-A5A3-F50B243B2D97}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1511453]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:00 13312]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]
"WebBuying"="C:\Program Files\Web Buying\v1.8.6\webbuying.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [ ]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2003-06-30 19:56 188416]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2003-06-30 20:00 65536]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2003-12-01 10:38 892928]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 03:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 13:03 63048]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [ ]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2002-08-29 05:00 145408]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2005-06-25 21:47 74286]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-08-01 19:52:17]
WG111v2 Smart Wizard Wireless Setting.lnk - C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2007-10-10 09:07:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-27 14:27 87352 C:\WINDOWS\SYSTEM32\LMIinit.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 02:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2005-06-25 21:46 343599 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_EMC]
--a------ 2005-06-25 21:46 228404 C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-02-24 18:34 122880 C:\WINDOWS\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2002-08-29 05:00 13312 C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
--a------ 2002-07-17 10:18 28672 C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-01-24 08:05 114688 C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-01-24 08:17 155648 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\bak\qttask.exe

R2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\System32\DRIVERS\EAPPkt.sys [2005-04-01 10:43]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-04-17 13:00]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\System32\drivers\LMIRfsDriver.sys [2007-04-05 10:55]
R2 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\System32\drivers\npf.sys [2007-06-28 18:01]
R3 {5C8B2B62-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-A;C:\WINDOWS\System32\drivers\A311.sys [2003-02-04 22:04]
R3 {5C8B2B65-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-B;C:\WINDOWS\System32\drivers\A310.sys [2003-02-04 22:04]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;C:\WINDOWS\System32\Drivers\usbscan.sys [2002-08-29 01:48]
S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\System32\drivers\lccfltr.sys [2003-11-07 03:50]
S3 LSWPCv4;Wireless-B Notebook Adapter Driver;C:\WINDOWS\System32\DRIVERS\rtl8180.sys [2003-09-30 20:54]
S3 Ndisusb;GeneLink Network Driver;C:\WINDOWS\System32\DRIVERS\genelan.sys []
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\NSNDIS5.SYS [2004-03-23 20:12]
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\System32\DRIVERS\CamDrL21.sys [2002-12-10 04:53]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\System32\DRIVERS\wg111v2.sys [2006-03-27 16:53]
S3 USBHSB;GeneLink USB Driver;C:\WINDOWS\System32\Drivers\glkusb.sys [2001-07-10 02:05]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-15 15:10:11
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-15 15:12:56 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-15 21:12:38






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:21:19 PM, on 1/15/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\LVComS.exe
C:\totalcmd\TOTALCMD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://co.brewster.tx.us/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/sbcydsl/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ie/defaults/su/sbcydsl/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3cba2671-44ea-4f46-8418-6ee56620909d} - C:\WINDOWS\System32\nvpqsmo.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {C84DE7AC-2968-79EC-1486-00E2970227EA} - C:\WINDOWS\System32\mpum.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: &Search - ?p=ZCxdm565YYUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O15 - Trusted Zone: *.amaena.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://kaseya.hardintech.com/inc/kaxRemote.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4A43124-5643-4FFD-9FBF-74BB08C30948}: NameServer = 68.94.156.1,68.94.157.1
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 6512 bytes

CalamityJane
2008-01-16, 02:06
I may have to call you "Lucky Leo" as that seems to have made a serious dent in the malware. It needs a bit more cleanup so give me a few minutes to pore through all these logs to put together some next steps.

I'll be back in a bit. Were you able to get the online KAV scan done on this? If so were there infected files found?

I'm asking because some variants of Vundo will infect program files and it isn't always clear on these logs which ones, if that is the case.

CalamityJane
2008-01-16, 02:40
Go to the Control Panel and in Add/Remove programs find this one and remove it.
Java 2 Runtime Environment, SE v1.4.2

That is an old version of Sun Java that is vulnerable to malware exploit (and Vundo loves to use that one).
If you need a new version that is safe to use, go here to get the newest version:
http://www.java.com/en/download/manual.jsp
(You can do that later after the machine is cleaned up)
.........................

Open HijackThis and choose to do a *system scan only*
When it finishes, checkmark these entries in the list, then press the *fix checked* button

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/cust...ch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/cust.../www.yahoo.com

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/cust.../www.yahoo.com

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: (no name) - {3cba2671-44ea-4f46-8418-6ee56620909d} - C:\WINDOWS\System32\nvpqsmo.dll (file missing)

O2 - BHO: (no name) - {C84DE7AC-2968-79EC-1486-00E2970227EA} - C:\WINDOWS\System32\mpum.dll (file missing)

O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)

O8 - Extra context menu item: &Search - ?p=ZCxdm565YYUS

O15 - Trusted Zone: *.amaena.com

Once you have pressed the *fix checked* button you can go ahead and close HijackThis
....................
Do these steps next:

Make a copy of this instruction to have handy as these next steps need to be done with all browsers and any open windows closed.

1. Close any open browsers.

2. Open notepad and copy/paste the text you see in the blue box of the quote box below into it (but not the word: quote)



File::
C:\WINDOWS\BMa345ea2a.xml
C:\WINDOWS\pskt.ini

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02012421-489E-444E-BE90-5334553E729B}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{093725DF-43BD-4D73-BFC3-015648EBC06F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{18034704-9EFB-4839-9959-565B4FADE80D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{297B7695-14FC-4F79-B9CD-372FA4E50E1E}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{549B5CA7-4A86-11D7-A4DF-000874180BB3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{89F5EC1A-C524-4D56-A67F-0A3FB5C8CF54}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8A505F7C-4637-4C91-92C0-8CDABC4908AD}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AEBF6926-DBA6-4100-A838-1CED0169AB78}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DF50EE5C-27CC-4403-9E23-CE08E01482C9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5EEA2B3-CFF1-45A4-858C-0FE06C5D2A35}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F00B9FB6-B92A-4328-82F9-85CE971ED9FA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F74096E3-9F6E-4C7E-A5A3-F50B243B2D97}]


Save this as CFScript.txt, in the same location as ComboFix.exe


http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.


Reminder:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
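
An added example for the triage behind the fix list above (my own code, not the helper's and not part of HijackThis or ComboFix): it parses HijackThis-style lines, flags the same signals the fix list relies on, and drafts Registry:: lines in the abbreviated CFScript form the thread shows. The sample lines are constructed from entries quoted in this thread; the entry regex and the URL check for O8 targets are my assumptions.

```python
"""Triage HijackThis-style log lines and draft CFScript Registry:: entries.

Hypothetical helper written for this thread, not part of HijackThis or
ComboFix. It applies the same signals the helper used above: a BHO or
toolbar whose DLL is gone, a context-menu item whose target is not a URL,
and a domain added to IE's Trusted Zone.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the bad entries quoted in this thread mixed with benign
# ones taken from the poster's later HijackThis log.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3cba2671-44ea-4f46-8418-6ee56620909d} - C:\WINDOWS\System32\nvpqsmo.dll (file missing)
O2 - BHO: (no name) - {C84DE7AC-2968-79EC-1486-00E2970227EA} - C:\WINDOWS\System32\mpum.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {5CBE2611-C31B-401F-89BC-4CBB25E853D7} - (no file)
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: &Search - ?p=ZCxdm565YYUS
O15 - Trusted Zone: *.amaena.com
"""

# A COM CLSID in registry format: {8-4-4-4-12 hex digits}.
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Section tag at the start of every HijackThis entry, e.g. "O2 - ..." or "R1 - ...".
ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
# Legitimate O8 targets are res:// (resource inside a DLL/EXE), http(s):// or file://.
URL_RE = re.compile(r"^(res|https?|file)://", re.IGNORECASE)


@dataclass
class Finding:
    section: str                     # HijackThis section tag, e.g. "O2"
    line: str                        # the raw log line
    reasons: List[str] = field(default_factory=list)
    clsid: str = ""                  # upper-cased CLSID, if the entry has one


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding for a suspicious entry, or None for benign/unparsed lines."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, rest = m.group(1), m.group(2)
    reasons = []
    clsid_m = CLSID_RE.search(rest)
    clsid = clsid_m.group(0).upper() if clsid_m else ""

    if section in ("O2", "O3"):
        # A registered BHO/toolbar whose DLL is gone is either a stale leftover or
        # a component that was removed while its registration was left behind.
        if "(file missing)" in rest or rest.endswith("(no file)"):
            reasons.append("registered component but its file is missing")
            if "(no name)" in rest:
                reasons.append("and it carries no display name")
    elif section == "O8":
        # Name and target are separated by " - "; the target is the last field.
        target = rest.rsplit(" - ", 1)[-1]
        if not URL_RE.match(target):
            reasons.append("context-menu target is not a URL: %s" % target)
    elif section == "O15":
        # Anything in the Trusted Zone runs with relaxed IE security settings.
        reasons.append("site added to IE Trusted Zone")

    if not reasons:
        return None
    return Finding(section, line.strip(), reasons, clsid)


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a log and keep the hits."""
    return [f for f in (triage_line(l) for l in text.splitlines()) if f]


def cfscript_registry_lines(findings: List[Finding]) -> List[str]:
    """Draft Registry:: lines for flagged O2 BHOs, in the abbreviated form the thread uses.

    Only BHO CLSIDs are emitted: O3 toolbars, O8 items and O15 zones live under
    other registry keys, and the thread shows no CFScript syntax for them.
    """
    return ["[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\%s]" % f.clsid
            for f in findings if f.section == "O2" and f.clsid]


if __name__ == "__main__":
    hits = triage_log(SAMPLE_LOG)
    for f in hits:
        print("%-4s %s\n     -> %s" % (f.section, f.line, "; ".join(f.reasons)))
    print("\nRegistry::")
    print("\n".join(cfscript_registry_lines(hits)))
```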

itsleo
2008-01-17, 17:47
Color me stoopid - I checked several times and have seen no responses. This morning I noticed that the little green light (on the thread messages) was dark and said I was offline... looked at ipconfig and found some totally bizarre ip address and realized this computer was not online, ran release/renew and got no change, and finally after two or three reboots it actually dhcp'ed itself into a connection and now it sees the net again.

Combofix seems to have repaired at least the more horrible aspects of virtumonde... is there anything else really nasty in sight on the log?

I'll be gone for a few hours now, as I have grand jury duty in about fifteen minutes and the DA says he's got a full slate for us...

itsleo
2008-01-17, 17:49
Ahhhh NOW I see your responses, Jane... 's funny, but they didn't show up when I first got reconnected, but only after I posted the preceding... I've GOT to run to get to Court, but as soon as that's over, I'll get right back on this...

THANKS!!!

itsleo
2008-01-17, 22:37
Looks pretty good so far - I still have all icons on the desktop highlighted, tho' - hmmmm...

*******************************************************************
ComboFix 08-01-15.4 - SHIRLEY WILLIAMS 2008-01-17 14:12:29.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.FILE
C:\WINDOWS\BMa345ea2a.xml
C:\WINDOWS\pskt.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BMa345ea2a.xml
C:\WINDOWS\pskt.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-17 to 2008-01-17 )))))))))))))))))))))))))))))))
.

2008-01-15 15:20 . 2008-01-15 15:20 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-15 14:52 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-15 13:01 . 2008-01-15 13:01 10,949 --a------ C:\deck.zip
2008-01-15 12:30 . 2008-01-15 12:30 <DIR> d-------- C:\Deckard
2008-01-11 16:19 . 2008-01-11 16:19 <DIR> d-------- C:\WINDOWS\SYSTEM32\Kaspersky Lab
2008-01-11 16:19 . 2008-01-11 16:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-11 13:10 . 2008-01-15 12:18 2,184 --a------ C:\WINDOWS\SYSTEM32\wpa.dbl
2008-01-11 12:26 . 2008-01-15 14:58 <DIR> d-------- C:\WINDOWS\horrible
2008-01-11 12:14 . 2005-05-28 06:33 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Gtek
2008-01-04 18:18 . 2008-01-17 09:43 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot2
2008-01-04 18:18 . 2008-01-15 12:33 <DIR> d-------- C:\WINDOWS\SYSTEM32\CatRoot
2008-01-03 13:41 . 2008-01-03 13:41 <DIR> d-------- C:\Documents and Settings\SHIRLEY WILLIAMS\windowscrap
2007-12-17 17:45 . 2007-12-17 17:46 <DIR> d-------- C:\Program Files\WinPcap
2007-12-17 16:31 . 2007-12-17 17:46 <DIR> d-------- C:\Program Files\Wireshark

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-17 20:03 --------- d-----w C:\Program Files\Java
2008-01-17 06:00 --------- d-----w C:\Program Files\LogMeIn
2007-12-16 21:51 --------- d-----w C:\Documents and Settings\SHIRLEY WILLIAMS\Application Data\AVG7
2007-12-16 20:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-16 20:31 --------- d-----w C:\Program Files\Enigma Software Group
2007-12-07 17:55 --------- d-----w C:\Program Files\Apophysis 2.0
2007-12-03 21:23 --------- d-----w C:\Program Files\DBF Viewer 2000
2007-11-27 20:27 87,352 ----a-w C:\WINDOWS\SYSTEM32\LMIinit.dll
2007-11-27 20:27 83,288 ----a-w C:\WINDOWS\SYSTEM32\LMIRfsClientNP.dll
2007-11-27 20:27 23,736 ----a-w C:\WINDOWS\SYSTEM32\lmimirr.dll
2007-11-27 20:27 21,496 ----a-w C:\WINDOWS\SYSTEM32\LMIport.dll
2007-11-27 20:27 10,040 ----a-w C:\WINDOWS\SYSTEM32\lmimirr2.dll
2007-02-28 00:09 47,992 ----a-w C:\Documents and Settings\SHIRLEY WILLIAMS\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((( snapshot@2008-01-15_15.12.11.53 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-15 20:54:13 765,952 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-17 20:12:04 765,952 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-15 20:54:13 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-17 20:12:04 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-15 20:54:13 765,952 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-17 20:12:04 765,952 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-15 20:54:13 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-17 20:12:04 8,192 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-15 20:54:14 3,465,216 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-17 20:12:05 3,465,216 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-15 20:54:14 12,288 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-17 20:12:05 12,288 ----a-w C:\WINDOWS\ERDNT\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-15 20:54:37 262,144 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\ntuser.dat
+ 2008-01-17 20:12:21 262,144 ----a-w C:\WINDOWS\SYSTEM32\CONFIG\systemprofile\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-20 15:08 1511453]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-29 05:00 13312]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PrinTray"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe" [ ]
"LogitechVideoRepair"="C:\Program Files\Logitech\Video\ISStart.exe" [2003-06-30 19:56 188416]
"LogitechVideoTray"="C:\Program Files\Logitech\Video\LogiTray.exe" [2003-06-30 20:00 65536]
"zBrowser Launcher"="C:\Program Files\Logitech\iTouch\iTouch.exe" [2003-12-01 10:38 892928]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 03:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"LogMeIn GUI"="C:\Program Files\LogMeIn\x86\LogMeInSystray.exe" [2007-04-17 13:03 63048]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [ ]
"MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2002-08-29 05:00 145408]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2005-06-25 21:47 74286]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech Desktop Messenger.lnk - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe [2007-08-01 19:52:17]
WG111v2 Smart Wizard Wireless Setting.lnk - C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe [2007-10-10 09:07:40]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LMIinit]
LMIinit.dll 2007-11-27 14:27 87352 C:\WINDOWS\SYSTEM32\LMIinit.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-05-11 02:06 40048 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2005-06-25 21:46 343599 C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_EMC]
--a------ 2005-06-25 21:46 228404 C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BCMSMMSG]
--a------ 2003-02-24 18:34 122880 C:\WINDOWS\BCMSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2002-08-29 05:00 13312 C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDSentry]
--a------ 2002-07-17 10:18 28672 C:\WINDOWS\System32\DSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
--a------ 2003-01-24 08:05 114688 C:\WINDOWS\System32\hkcmd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
--a------ 2003-01-24 08:17 155648 C:\WINDOWS\System32\igfxtray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\bak\qttask.exe

R2 EAPPkt;Realtek EAPPkt Protocol;C:\WINDOWS\System32\DRIVERS\EAPPkt.sys [2005-04-01 10:43]
R2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\x86\RaInfo.sys [2007-04-17 13:00]
R2 LMIRfsDriver;LogMeIn Remote File System Driver;C:\WINDOWS\System32\drivers\LMIRfsDriver.sys [2007-04-05 10:55]
R2 NPF;NetGroup Packet Filter Driver;C:\WINDOWS\System32\drivers\npf.sys [2007-06-28 18:01]
R3 {5C8B2B62-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-A;C:\WINDOWS\System32\drivers\A311.sys [2003-02-04 22:04]
R3 {5C8B2B65-A385-11d5-A78B-00104B672758};AIM 3.0 Part 01 Codec Driver CH-7017-B;C:\WINDOWS\System32\drivers\A310.sys [2003-02-04 22:04]
S2 BulkUsb;Genesys Logic USB Scanner Controller NT 5.0;C:\WINDOWS\System32\Drivers\usbscan.sys [2002-08-29 01:48]
S3 LCcfltr;Logitech USB Filter Driver;C:\WINDOWS\System32\drivers\lccfltr.sys [2003-11-07 03:50]
S3 LSWPCv4;Wireless-B Notebook Adapter Driver;C:\WINDOWS\System32\DRIVERS\rtl8180.sys [2003-09-30 20:54]
S3 Ndisusb;GeneLink Network Driver;C:\WINDOWS\System32\DRIVERS\genelan.sys []
S3 NSNDIS5;NSNDIS5 NDIS Protocol Driver;C:\WINDOWS\System32\NSNDIS5.SYS [2004-03-23 20:12]
S3 PhilCam8116;Logitech QuickCam Pro 3000(PID_08B0);C:\WINDOWS\System32\DRIVERS\CamDrL21.sys [2002-12-10 04:53]
S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\System32\DRIVERS\wg111v2.sys [2006-03-27 16:53]
S3 USBHSB;GeneLink USB Driver;C:\WINDOWS\System32\Drivers\glkusb.sys [2001-07-10 02:05]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-17 14:15:48
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-17 14:17:17
ComboFix-quarantined-files.txt 2008-01-17 20:16:56
ComboFix2.txt 2008-01-15 21:12:57

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:34:03 PM, on 1/17/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\System32\LVComS.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
C:\WINDOWS\SYSTEM32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://co.brewster.tx.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://kaseya.hardintech.com/inc/kaxRemote.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4A43124-5643-4FFD-9FBF-74BB08C30948}: NameServer = 68.94.156.1,68.94.157.1
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 5263 bytes

itsleo
2008-01-17, 23:47
It's 15:45 here, and I just started KAV online scan on the (hopefully formerly) infected computer.

If my previous experience is any guide, it'll be 3 or 4 hours before I can do anything else on that computer.

itsleo
2008-01-18, 00:51
Welllll... that wasn't so bad - only an hour. Here's the KAV log. I haven't done anything with any of the reported problems. I know VNC stuff isn't a virus (okay, I don't KNOW, but I'm pretty sure...) and there's some other stuff that I'm certain about.

Ooops, the *&#$ thing's 37K - attached as a zip file.

itsleo
2008-01-18, 17:34
Okay - I'm looking at a black bubble, saying I'm NOT online. I'm not sure if this is indicating a problem with this computer or it's just some sort of standard thing with the forum. I've brought up a couple of other windows in IE just to be really sure I'm seeing the world. Thought I'd post a message here and see if that would green the bubble... does it?

CalamityJane
2008-01-18, 19:26
Hi Leo,

Welcome back! Yes, you posted ok. Maybe it's that you need to make sure you have logged into your account when trying to post? Anyway, it did take. I've got your logs here and going over them now. Give me a few minutes to review them.

itsleo
2008-01-18, 19:38
Hi Leo,

Welcome back! Yes, you posted ok. Maybe it's that you need to make sure you have logged into your account when trying to post? Anyway, it did take. I've got your logs here and going over them now. Give me a few minutes to review them.

No, it was definitely online and logged in... and the bubble turned green after I posted... of course, one can't edit one's posts here, so I couldn't add the yep... it's strange, alright. I was going to go back to my usual Firefox instead of IE (used for the KAV) but something erased 3 FF .dll's (that happened when I first installed FF on this computer last year when I got it... it almost looks like IE is doing it, because I wasn't doing any AV stuff... whatever, it's a side issue).

Thanks, Jane.

CalamityJane
2008-01-18, 19:48
Here are the KAV scan results (not good!)

------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, January 17, 2008 4:45:17 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 17/01/2008
Kaspersky Anti-Virus database records: 517094
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 52505
Number of viruses found: 23
Number of infected objects: 114
Number of suspicious objects: 2
Duration of the scan process: 00:58:24

Infected Object Name / Virus Name / Last Action
C:\Deckard\System Scanner\backup\DOCUME~1\SHIRLE~1\LOCALS~1\Temp\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip/v1.8.6/wbuninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Desktop\ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\SHIRLEY WILLIAMS\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\SHIRLEY WILLIAMS\Desktop\vnc-4_1_2-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\SHIRLEY WILLIAMS\Desktop\vnc-4_1_2-x86_win32.exe/file2 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\SHIRLEY WILLIAMS\Desktop\vnc-4_1_2-x86_win32.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\SHIRLEY WILLIAMS\Desktop\vnc-4_1_2-x86_win32.exe/file5 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\SHIRLEY WILLIAMS\Desktop\vnc-4_1_2-x86_win32.exe Inno: infected - 4 skipped
C:\Documents and Settings\SHIRLEY WILLIAMS\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\SHIRLEY WILLIAMS\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\SHIRLEY WILLIAMS\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\SHIRLEY WILLIAMS\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\SHIRLEY WILLIAMS\My Documents\My Pictures\Setup.exe Infected: not-a-virus:AdWare.Win32.180Solutions.ax skipped
C:\Documents and Settings\SHIRLEY WILLIAMS\ntuser.dat Object is locked skipped
C:\Documents and Settings\SHIRLEY WILLIAMS\ntuser.dat.LOG Object is locked skipped
C:\ja.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\removed\Broadchump\Client Foundation\CFD.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Program Files\removed\Dell Support\DSAgnt.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\QooBox\Quarantine\C\Program Files\MSN Gaming Zone\lavu.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\QooBox\Quarantine\C\Program Files\MSN Gaming Zone\lavu441.dll.vir Infected: Trojan.Win32.BHO.ab skipped
C:\QooBox\Quarantine\C\Program Files\MSN Gaming Zone\profsy.html.vir Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\QooBox\Quarantine\C\Program Files\Windows Media Player\hokesotu4444.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\QooBox\Quarantine\C\Program Files\Windows Media Player\hokesotu83122.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cavnfmkr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ipv6monk.dll.vir Infected: Trojan-Spy.Win32.BZub.ic skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mssdvoql.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rsvp32_2.dll.vir Infected: Trojan-Proxy.Win32.Agent.ly skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rsvp32_2.dll3f2tjw.vir Infected: Trojan-Proxy.Win32.Agent.ly skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rsvp32_2.dllewfwe334f.vir Infected: Trojan-Proxy.Win32.Agent.ly skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rsvp32_2.dllewfweff.vir Infected: Trojan-Proxy.Win32.Agent.ly skipped
C:\QooBox\Quarantine\C\WINDOWS\tk58.exe.vir Infected: Trojan.Win32.BHO.ab skipped
C:\QooBox\Quarantine\C\WINDOWS\TTC-4444.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\QooBox\Quarantine\C\WINDOWS\TTC-4444.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\catchme2008-01-15_150933.27.zip/cbxyyww.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bmd skipped
C:\QooBox\Quarantine\catchme2008-01-15_150933.27.zip ZIP: infected - 1 skipped
\ashell3\ntsc3plyr.exe Infected: not-a-virus:AdWare.Win32.Agent.co skipped
C:\shit\bbc5\gstdrvr8.exe Infected: Trojan.Win32.Pakes.bvs skipped
C:\shit\doc4\mmildot83122.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\shit\doc4\mmildot83122.exe NSIS: infected - 1 skipped
C:\shit\mrofinu1000106.exe Infected: Trojan-Downloader.Win32.Agent.fuc skipped
C:\shit\mrofinu572.exe Infected: Trojan-Downloader.Win32.Agent.fuc skipped
C:\shit\rex2\monidnpr3.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\shit\Temp\ja.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\shit\U0hJUkxFWSBXSUxMSUFNUw\asappsrv.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\shit\U0hJUkxFWSBXSUxMSUFNUw\command.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0059952.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0059952.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0059953.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0059954.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0059960.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0059968.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0059968.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0059969.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0059970.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0060960.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0060970.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0060970.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0060971.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0060978.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0060988.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0060988.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0060989.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0060990.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP309\A0060994.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP309\A0060995.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP309\snapshot\MFEX-1.DAT Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP310\A0061013.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0061038.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0061038.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0061039.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0061040.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0061046.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0061056.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0061089.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0061089.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0061090.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0061091.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0062084.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0063090.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0063090.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0063091.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0063092.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP314\A0063121.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP314\A0063131.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP314\A0063137.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP314\A0063147.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP314\A0063147.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP314\A0063148.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP314\A0063149.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP314\A0063153.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP314\snapshot\MFEX-1.DAT Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063172.dll Infected: Trojan-Proxy.Win32.Agent.ly skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063177.dll Infected: Trojan-Spy.Win32.BZub.ic skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063178.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063179.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063180.dll Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063181.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063182.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063183.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063194.exe Infected: Trojan.Win32.BHO.ab skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063195.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063195.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063199.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bmd skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP318\change.log Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\horrible\cbxyyww.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bmd skipped
C:\WINDOWS\horrible\hrjxgroq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\WINDOWS\horrible\imetrkcv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\WINDOWS\horrible\nvpqsmo.dll Infected: not-a-virus:AdWare.Win32.Agent.wx skipped
C:\WINDOWS\horrible\ocduwffh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\WINDOWS\horrible\tejsngcs.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\WINDOWS\horrible\vhijifno.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\WINDOWS\LastGood\System32\ctfmon.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\WINDOWS\lola.exe Infected: Trojan-Downloader.Win32.Agent.bhc skipped
C:\WINDOWS\MEMORY.DMP Object is locked skipped
C:\WINDOWS\run2.exe/data0006 Infected: Trojan-Dropper.Win32.VB.nn skipped
C:\WINDOWS\run2.exe NSIS: infected - 1 skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{4098AEB7-9611-4C3C-B248-7C861B1FBA74}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\v030817.exe Infected: Trojan-Downloader.Win32.Agent.bhc skipped
C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
C:\WINDOWS\WIASERVC.LOG Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\winup3824.exe Infected: Trojan-Downloader.Win32.Agent.bhc skipped
C:\WINDOWS\zup.exe Infected: Trojan-Proxy.Win32.Agent.ly skipped

Scan process completed.
..................
I'll come back with a reply on what I see there

CalamityJane
2008-01-18, 19:50
True, the VNC program is not a trojan (it says so, in fact, with the tag of "Not a Virus" - Remote Admin tool); it is just pointing out to you that you have a remote admin tool installed, because some malware can deposit those on an infected machine for malicious purposes, but it can also be installed by a user on purpose. If that is the case and you did install that on purpose, it is fine to ignore the VNC "detection". But the others, ugh! This machine has been very badly infected and likely done damage to the system that may not be fixable at this point.

The numerous trojans on there are alarming and very nasty. It is more than just Vundo. Many program files have been infected to run the virus when you run those programs (trojan awf).

If you have been considering a reformat/reinstall this would be a good reason to wipe the machine and start over with a fresh install.

Is there some reason that wasn't done before the machine was put up for auction?

I hope there wasn't any sensitive data left on that machine because at least one of the trojans found by KAV is a password and information stealer (family of trojans named Bzub): These types of trojans compromise system security by providing authentication information (logon, passwords, credit card numbers, etc.) to malicious users. This trojan steals the logon information of some Online Bank accounts. Aside from that, it also steals e-mail accounts and passwords that are stored in the user's computer system.


What do you wish to do? I can't guarantee we can get this all cleaned up with satisfactory results because of the damage to system and program files I already see there.

itsleo
2008-01-18, 21:14
Hi, Jane - if you're willing, let's try to clean it up. In the following, I explain why I'd like to try, and why it's not a problem if you want to decline... it's my usual verbosity gone amok, so feel free to skip it!

This machine doesn't get used for much other than 'net connection, and that normally with FF and Thunderbird... I also used it for Open Office work, mostly writer and calc. Although slightly flaky, it wasn't manifesting any great problems until just before the holidays when an acquaintance asked me to help her create some biz-card size handouts for campaigning... I made her a two-sided 2 x 10 standard biz-card document using OO writer and saved as .doc for her Office, but she was having trouble with it on her computer - I had noticed that MS Office was on here although I'd never used it, so I ran Word (which is what she uses, although I advise everyone to use OO) on this computer (never before used any of the MS Office on here) to try to walk her through editing and printing (and to see if it worked on Word more or less same as on Writer)... and I recall that when I ran Word, it popped up some MS-looking window wanting to register something to do with Office, which I simply closed... and that's when the grand fiasco began! As I said, I basically never used any of the other programs, so that's probably why it hung together for so long... I'm guessing that Word was (is) infected along with all the others.

Other than OS files, I don't really care a lot about disinfecting Office or most of the rest of it - I can reinstall clean versions of Mozilla and Open Office - I'm more concerned that the sh!t on here doesn't get loose and infect my XP Pro system, so I'd be perfectly happy to erase as much of the infected stuff as possible (realizing that the registry will then be full of orphans and have to be cleaned out).

This is a Dell notebook, and it does have the handy-dandy MS XP sticker on the bottom with the product key, so I presume I could install XP again without any extreme hassles, although I've never installed XP from scratch... I do have XP install discs, although not the ones for this box. Since I mainly use this for 'net access and writing (almost all of my programming work is done on Linux and I do use this computer for PuTTY to ssh to those computers) I am thinking that if we need to burn it down, I will try to reinstall XP and if that turns into a rat's nest, I'll install a Linux (FC 7 preferably, but my FC 7 install DVD only works on dual-layer capable DVD drives and I think this one won't handle it - maybe there's a way around that)... Mozilla and Open Office work just fine on Linux (I use them on a SuSE notebook all the time).

Still, I'd like to try to disinfect (and then lock it up safe), if you have the time and the inclination, at least partly because so many of my friends and neighbors are Windowers and this storm of malware is all over the place (my two younger sons are pretty staunch Mac users, so they have a tendency to ignore the whole mess... if I were into music and video as they are, I'd probably go the same way... you?)

So... if you will, let's try to clean it... and if you say no, I will most certainly understand!

Thanks, again!

itsleo
2008-01-18, 21:16
True, the VNC program is not a trojan (it says so, in fact, with the tag of "Not a Virus" - Remote Admin tool); it is just pointing out to you that you have a remote admin tool installed

Sure - I knew that, but I wasn't sure if you were referring to it, or to the logmein, or something other, that's all!

Thanks!

CalamityJane
2008-01-18, 21:48
We have a number of things to consider here.

1. The prior state of this computer and the information that is contained on it - obviously belongs to a former user and has not been wiped. Meanwhile it was infected with an information-stealing trojan...compromised - hacked. Owned by someone else. This computer may have other people's data on it and that needs to be addressed (the compromise is a past event that has happened already.) Information may have been stolen from it and passed on to malicious strangers for use in data theft, identity theft, etc. That info may have ended up in the hands of a malicious attacker - do you understand that? I'm concerned if these machines are being auctioned without being wiped first, especially if they came from a government office. Is there government data still on there? The profile certainly is and that may likely be compromised as well.

2. The current state of the machine. You need to keep this off the net as much as possible and only where necessary. Do you have a clean computer from which you can connect to the net to get instructions?

3. I'm going to have to go back through these logs posted to see what all has been done to it by the malware authors and what might be able to be fixed, some of which we may never know. It doesn't sound like you can do a reinstall unless you have recovery disks from Dell somewhere, and it may be difficult to replace system files if they were totally wiped out.

4. Does this machine even validate as genuine Windows? If not, we won't be able to get you the SP2 update that it needs (and subsequent Windows critical security updates). Even if we can clean this up, operating at your current level of XP SP1 is a security risk and certainly is vulnerable to future attack. Do you understand the importance of the fact it does not have Windows SP2 at all?

CalamityJane
2008-01-18, 22:04
This machine has numerous difficult-to-remove trojans; it's going to take quite a few steps to address them.

First, the awf trojan infects valid software programs so it continues to run and respawn if you run any of the affected programs. Therefore I need a report from this free tool to try to identify which ones have been infected and where the clean backups might be (if they are there).

You should be able to download these from a clean computer and put them on CD or removable media to transfer to the affected machine so that you can keep it off the net.

Click here to download FindAWF.exe and save it to your desktop.
http://noahdfear.geekstogo.com/FindAWF.exe

* Double-click on the FindAWF.exe file to run it.
* It will open a command prompt and ask you to "Press any key to continue".
* You will be presented with a Menu.

* Press 1 then press Enter.
* Come back here to this thread and copy and paste the contents of the AWF.txt file in your next reply.

.........................
Next tool:

Download SDFix (http://downloads.andymanchesta.com/RemovalTools/SDFix.exe) and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, the Advanced Options Menu should appear;
Select the first option, to run Windows in Safe Mode, then press Enter.
Choose your usual account.

Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum with a new HijackThis log.


There will be more, but let's see what those produce before going to the next step.

itsleo
2008-01-18, 22:23
Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Fri 01/18/2008
The current time is: 14:12:09.99


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\REMOVED\DELLSU~1\BAK

07/19/2004 07:51 AM 306,688 DSAgnt.exe
1 File(s) 306,688 bytes

Directory of C:\PROGRA~1\LOGMEIN\X86\UPDATE\3-00-606.BAK

05/25/2007 02:21 PM 3,993,935 template.rab
04/05/2007 10:55 AM 5,759 WapClients.cfg
2 File(s) 3,999,694 bytes

Directory of C:\PROGRA~1\REMOVED\BROADC~1\CLIENT~1\BAK

09/10/2002 09:26 PM 368,706 CFD.exe
1 File(s) 368,706 bytes

Directory of C:\PROGRA~1\REMOVED\DELL\ACCESS~1\BAK

11/01/2002 04:47 PM 208,560 dadapp.exe
1 File(s) 208,560 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

24588 Jan 25 2007 "C:\Program Files\removed\Dell Support\DSAgnt.exe"
306688 Jul 19 2004 "C:\Program Files\removed\Dell Support\bak\DSAgnt.exe"
4817711 Nov 27 2007 "C:\Program Files\LogMeIn\template.rab"
3993935 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\template.rab"
5750 Nov 27 2007 "C:\Program Files\LogMeIn\WapClients.cfg"
5759 Apr 5 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\WapClients.cfg"
87352 Nov 27 2007 "C:\WINDOWS\SYSTEM32\LMIinit.dll"
80696 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIinit.dll"
87352 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIinit.dll"
14912 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIinit.dll"
63040 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIinit.dll"
23736 Nov 27 2007 "C:\WINDOWS\SYSTEM32\lmimirr.dll"
34104 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMImirr.dll"
23736 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMImirr.dll"
34368 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMImirr.dll"
24000 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMImirr.dll"
10040 Nov 27 2007 "C:\WINDOWS\SYSTEM32\lmimirr2.dll"
13112 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMImirr2.dll"
10040 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMImirr2.dll"
13376 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMImirr2.dll"
10304 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMImirr2.dll"
21496 Nov 27 2007 "C:\WINDOWS\SYSTEM32\LMIport.dll"
24376 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIport.dll"
21496 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIport.dll"
29248 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIport.dll"
26176 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIport.dll"
17720 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIprinter.dll"
15160 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIprinter.dll"
15160 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\LMIprinter.dll"
21568 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIprinter.dll"
16960 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIprinter.dll"
15160 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\LMIprinter.dll"
18744 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIprinterui.dll"
15752 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIprinternt.dll"
16696 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\LMIprinterui.dll"
22080 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIprinterui.dll"
12192 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIprinternt.dll"
16696 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\LMIprinterui.dll"
30008 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIproc.dll"
28472 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIproc.dll"
28472 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\LMIproc.dll"
34368 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIproc.dll"
30784 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIproc.dll"
83288 Nov 27 2007 "C:\WINDOWS\SYSTEM32\LMIRfsClientNP.dll"
87384 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIRfsClientNP.dll"
83288 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIRfsClientNP.dll"
87648 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIRfsClientNP.dll"
83552 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIRfsClientNP.dll"
4743480 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LogMeIn.dll"
3892536 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LogMeIn.dll"
3332672 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LogMeIn.dll"
2635328 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LogMeIn.dll"
540480 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LogMeInSystray.dll"
460096 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LogMeInSystray.dll"
517192 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LogMeInSystray.dll"
443976 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LogMeInSystray.dll"
1284416 Nov 27 2007 "C:\Program Files\LogMeIn\x64\openssl.exe"
869696 Nov 27 2007 "C:\Program Files\LogMeIn\x86\openssl.exe"
1284680 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\openssl.exe"
869960 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\openssl.exe"
945984 Nov 27 2007 "C:\Program Files\LogMeIn\x64\raabout.exe"
697664 Nov 27 2007 "C:\Program Files\LogMeIn\x86\raabout.exe"
1014344 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\raabout.exe"
730696 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\raabout.exe"
475136 Nov 27 2007 "C:\Program Files\LogMeIn\x64\racodec.ax"
319488 Nov 27 2007 "C:\Program Files\LogMeIn\x86\racodec.ax"
483840 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\racodec.ax"
327680 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\racodec.ax"
240952 Nov 27 2007 "C:\Program Files\LogMeIn\x64\rahook.dll"
193848 Nov 27 2007 "C:\Program Files\LogMeIn\x86\rahook.dll"
239680 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\rahook.dll"
194112 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\rahook.dll"
827200 Nov 27 2007 "C:\Program Files\LogMeIn\x64\rainst.exe"
599360 Nov 27 2007 "C:\Program Files\LogMeIn\x86\rainst.exe"
824392 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\rainst.exe"
599624 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\rainst.exe"
120128 Nov 27 2007 "C:\Program Files\LogMeIn\x64\ramaint.exe"
116032 Nov 27 2007 "C:\Program Files\LogMeIn\x86\ramaint.exe"
119368 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\ramaint.exe"
112200 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\ramaint.exe"
55104 Nov 27 2007 "C:\Program Files\LogMeIn\x64\ra_reboot.exe"
58688 Nov 27 2007 "C:\Program Files\LogMeIn\x86\ra_reboot.exe"
55368 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\ra_reboot.exe"
58952 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\ra_reboot.exe"
112952 Nov 27 2007 "C:\Program Files\LogMeIn\x64\rntfywnd.dll"
111928 Nov 27 2007 "C:\Program Files\LogMeIn\x86\rntfywnd.dll"
113216 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\rntfywnd.dll"
112192 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\rntfywnd.dll"
42552 Feb 1 1993 "C:\JP\ZIP.EXE"
324416 Nov 27 2007 "C:\Program Files\LogMeIn\x64\zip.exe"
226624 Nov 27 2007 "C:\Program Files\LogMeIn\x86\zip.exe"
42552 Feb 1 1993 "C:\Documents and Settings\SHIRLEY WILLIAMS\My Documents\JP\ZIP.EXE"
324680 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\zip.exe"
226888 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\zip.exe"
87352 Nov 27 2007 "C:\WINDOWS\SYSTEM32\LMIinit.dll"
80696 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIinit.dll"
87352 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIinit.dll"
14912 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIinit.dll"
63040 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIinit.dll"
23736 Nov 27 2007 "C:\WINDOWS\SYSTEM32\lmimirr.dll"
34104 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMImirr.dll"
23736 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMImirr.dll"
34368 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMImirr.dll"
24000 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMImirr.dll"
10040 Nov 27 2007 "C:\WINDOWS\SYSTEM32\lmimirr2.dll"
13112 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMImirr2.dll"
10040 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMImirr2.dll"
13376 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMImirr2.dll"
10304 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMImirr2.dll"
21496 Nov 27 2007 "C:\WINDOWS\SYSTEM32\LMIport.dll"
24376 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIport.dll"
21496 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIport.dll"
29248 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIport.dll"
26176 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIport.dll"
17720 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIprinter.dll"
15160 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIprinter.dll"
15160 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\LMIprinter.dll"
21568 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIprinter.dll"
16960 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIprinter.dll"
15160 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\LMIprinter.dll"
18744 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIprinterui.dll"
15752 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIprinternt.dll"
16696 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\LMIprinterui.dll"
22080 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIprinterui.dll"
12192 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIprinternt.dll"
16696 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\LMIprinterui.dll"
16696 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIprinterui.dll"
16696 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\LMIprinterdat.dll"
16960 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIprinterui.dll"
16696 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\LMIprinterdat.dll"
21264 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIprinteruint.dll"
16448 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIprinteruint.dll"
30008 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIproc.dll"
28472 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIproc.dll"
28472 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\LMIproc.dll"
34368 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIproc.dll"
30784 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIproc.dll"
24024 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIprocnt.dll"
17472 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIprocnt.dll"
83288 Nov 27 2007 "C:\WINDOWS\SYSTEM32\LMIRfsClientNP.dll"
87384 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIRfsClientNP.dll"
83288 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIRfsClientNP.dll"
87648 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIRfsClientNP.dll"
83552 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIRfsClientNP.dll"
4743480 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LogMeIn.dll"
3892536 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LogMeIn.dll"
3332672 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LogMeIn.dll"
2635328 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LogMeIn.dll"
540480 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LogMeInSystray.dll"
460096 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LogMeInSystray.dll"
517192 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LogMeInSystray.dll"
443976 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LogMeInSystray.dll"
1284416 Nov 27 2007 "C:\Program Files\LogMeIn\x64\openssl.exe"
869696 Nov 27 2007 "C:\Program Files\LogMeIn\x86\openssl.exe"
1284680 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\openssl.exe"
869960 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\openssl.exe"
945984 Nov 27 2007 "C:\Program Files\LogMeIn\x64\raabout.exe"
697664 Nov 27 2007 "C:\Program Files\LogMeIn\x86\raabout.exe"
1014344 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\raabout.exe"
730696 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\raabout.exe"
475136 Nov 27 2007 "C:\Program Files\LogMeIn\x64\racodec.ax"
319488 Nov 27 2007 "C:\Program Files\LogMeIn\x86\racodec.ax"
483840 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\racodec.ax"
327680 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\racodec.ax"
240952 Nov 27 2007 "C:\Program Files\LogMeIn\x64\rahook.dll"
193848 Nov 27 2007 "C:\Program Files\LogMeIn\x86\rahook.dll"
239680 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\rahook.dll"
194112 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\rahook.dll"
12088 Nov 27 2007 "C:\Program Files\LogMeIn\x86\rahook9x.dll"
12352 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\rahook9x.dll"
827200 Nov 27 2007 "C:\Program Files\LogMeIn\x64\rainst.exe"
599360 Nov 27 2007 "C:\Program Files\LogMeIn\x86\rainst.exe"
824392 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\rainst.exe"
599624 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\rainst.exe"
120128 Nov 27 2007 "C:\Program Files\LogMeIn\x64\ramaint.exe"
116032 Nov 27 2007 "C:\Program Files\LogMeIn\x86\ramaint.exe"
119368 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\ramaint.exe"
112200 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\ramaint.exe"
55104 Nov 27 2007 "C:\Program Files\LogMeIn\x64\ra_reboot.exe"
58688 Nov 27 2007 "C:\Program Files\LogMeIn\x86\ra_reboot.exe"
55368 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\ra_reboot.exe"
58952 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\ra_reboot.exe"
172352 Nov 27 2007 "C:\Program Files\LogMeIn\x86\ra_sc.exe"
172616 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\ra_sc.exe"
112952 Nov 27 2007 "C:\Program Files\LogMeIn\x64\rntfywnd.dll"
111928 Nov 27 2007 "C:\Program Files\LogMeIn\x86\rntfywnd.dll"
113216 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\rntfywnd.dll"
112192 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\rntfywnd.dll"
42552 Feb 1 1993 "C:\JP\ZIP.EXE"
324416 Nov 27 2007 "C:\Program Files\LogMeIn\x64\zip.exe"
226624 Nov 27 2007 "C:\Program Files\LogMeIn\x86\zip.exe"
42552 Feb 1 1993 "C:\Documents and Settings\SHIRLEY WILLIAMS\My Documents\JP\ZIP.EXE"
324680 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\zip.exe"
226888 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\zip.exe"
24588 Jan 25 2007 "C:\Program Files\removed\Broadchump\Client Foundation\CFD.exe"
368706 Sep 10 2002 "C:\Program Files\removed\Broadchump\Client Foundation\bak\CFD.exe"
208560 Nov 1 2002 "C:\Program Files\removed\Dell\AccessDirect\bak\dadapp.exe"


end of report
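As an added triage aid that is not the thread's or FindAWF's own code: the Python script below reads a report in the format posted above (the section CalamityJane asked for, to see which program files were replaced and where clean backups sit), pairs each copy under a bak folder with the live copies of the same name, and lists the size mismatches. The sample excerpt is constructed from entries shown above; the bak/.bak distinction and the shared-size heuristic are assumptions drawn from this report, not documented FindAWF logic.

```python
"""Triage helper for a FindAWF-style report (added example, not thread or tool code).

Parses the "Duplicate files of bak directory contents" section, pairs every copy
under a bak folder with live copies of the same file name, and lists size
mismatches. The entry format, the bak/.bak distinction and the shared-size
heuristic are assumptions drawn from the report above, not FindAWF behaviour.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# One entry line looks like:  <size> <Mon> <day> <year> "<path>"
ENTRY_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"(.+)"\s*$')
SECTION_HEADER = "Duplicate files of bak directory contents"

# Constructed excerpt in the format of the report posted above; sizes, dates
# and paths are the ones listed there.
SAMPLE_REPORT = r"""
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

24588 Jan 25 2007 "C:\Program Files\removed\Dell Support\DSAgnt.exe"
306688 Jul 19 2004 "C:\Program Files\removed\Dell Support\bak\DSAgnt.exe"
4817711 Nov 27 2007 "C:\Program Files\LogMeIn\template.rab"
3993935 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\template.rab"
87352 Nov 27 2007 "C:\WINDOWS\SYSTEM32\LMIinit.dll"
87352 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIinit.dll"
63040 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIinit.dll"
24588 Jan 25 2007 "C:\Program Files\removed\Broadchump\Client Foundation\CFD.exe"
368706 Sep 10 2002 "C:\Program Files\removed\Broadchump\Client Foundation\bak\CFD.exe"
208560 Nov 1 2002 "C:\Program Files\removed\Dell\AccessDirect\bak\dadapp.exe"

end of report
"""


def parse_entries(report):
    """Return (size, date, path) tuples from the duplicate-files section only."""
    entries, in_section = [], False
    for line in report.splitlines():
        if line.startswith(SECTION_HEADER):
            in_section = True
            continue
        if not in_section:
            continue
        if line.startswith("end of report"):
            break
        match = ENTRY_RE.match(line)
        if match:
            entries.append((int(match.group(1)), match.group(2), match.group(3)))
    return entries


def backup_kind(path):
    """'bak' for a folder named exactly bak (where the replaced programs' originals
    sit in the report above), 'dotbak' for a *.bak folder (the LogMeIn updater
    folder there), None for a live copy."""
    for part in PureWindowsPath(path).parts[:-1]:
        name = part.lower()
        if name == "bak":
            return "bak"
        if name.endswith(".bak"):
            return "dotbak"
    return None


def triage(report):
    """Group entries by file name and compare each live copy with its backups."""
    by_name = defaultdict(lambda: {"live": [], "backup": []})
    for size, date, path in parse_entries(report):
        kind = backup_kind(path)
        by_name[PureWindowsPath(path).name.lower()]["backup" if kind else "live"].append(
            {"size": size, "date": date, "path": path, "kind": kind})

    mismatches, orphans = [], []
    for name, copies in by_name.items():
        if not copies["live"]:  # backup present but nothing left to compare it with
            orphans.extend(b["path"] for b in copies["backup"])
            continue
        for backup in copies["backup"]:
            for live in copies["live"]:
                if live["size"] != backup["size"]:
                    mismatches.append({"name": name, "live": live["path"],
                                       "live_size": live["size"], "backup": backup["path"],
                                       "backup_size": backup["size"],
                                       "backup_kind": backup["kind"]})

    # Heuristic (assumption from the report above, where two unrelated programs'
    # live copies are both 24588 bytes): one size shared by several different
    # programs' live copies deserves a closer look.
    size_to_names = defaultdict(set)
    for m in mismatches:
        size_to_names[m["live_size"]].add(m["name"])
    shared = {s: sorted(n) for s, n in size_to_names.items() if len(n) > 1}
    return {"mismatches": mismatches, "orphan_backups": orphans, "shared_sizes": shared}
```

Mismatches under a *.bak folder in this report belong to LogMeIn's own updater, so the output is a list to review rather than a verdict; the two hits under folders named exactly bak are the ones whose live copies share one size.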

itsleo
2008-01-18, 22:52
SDFix: Version 1.127

Run by SHIRLEY WILLIAMS on Fri 01/18/2008 at 02:32 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\SMTSMX~1.DLL - Deleted
C:\WINDOWS\SYSTEM32\SPMSMT~1.DLL - Deleted
C:\PROGRA~1\MSNGAM~1\LAVU - Deleted
C:\PROGRA~1\MSNGAM~1\LAVU441 - Deleted




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 14:38:16
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:
---------------

File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

Tue 2 Aug 2005 187,904 A.SHR --- "C:\shit\U0hJUkxFWSBXSUxMSUFNUw\asappsrv.dll"
Tue 2 Aug 2005 293,888 A.SHR --- "C:\shit\U0hJUkxFWSBXSUxMSUFNUw\command.exe"
Fri 4 Jan 2008 1,043,800 A.SH. --- "C:\WINDOWS\horrible\ommudpvh.tmp"
Sat 27 Jan 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 17 Jan 2008 7,531,128 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\631bea423a2590540110f7e11fcbd692\BIT1.tmp"
Sat 28 May 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
Sat 28 May 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
Sat 28 May 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
Sat 28 May 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"

Finished!






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:51:05 PM, on 1/18/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\LogMeIn\x86\RaMaint.exe
C:\Program Files\LogMeIn\x86\LogMeIn.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\NOTEPAD.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Logitech\iTouch\iTouch.exe
C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
C:\WINDOWS\System32\LVComS.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\cmd.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://co.brewster.tx.us/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O10 - Unknown file in Winsock LSP: rsvp32_2.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://kaseya.hardintech.com/inc/kaxRemote.dll
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{C4A43124-5643-4FFD-9FBF-74BB08C30948}: NameServer = 68.94.156.1,68.94.157.1
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 6857 bytes

tashi
2008-01-18, 23:19
Sorry to slip in here.


We have a number of things to consider here.

1. The prior state of this computer and the information that is contained on it - obviously belongs to a former user and has not been wiped. Meanwhile it was infected with an information-stealing trojan...compromised - hacked. Owned by someone else. This computer may have other people's data on it and that needs to be addressed (the compromise is a past event that has happened already.) Information may have been stolen from it and passed on to malicious strangers for use in data theft, identity theft, etc. That info may have ended up in the hands of a malicious attacker - do you understand that? I'm concerned if these machines are being auctioned without being wiped first, especially if they came from a government office. Is there government data still on there? The profile certainly is and that may likely be compromised as well.

2. The current state of the machine. You need to keep this off the net as much as possible and only where necessary. Do you have a clean computer from which you can connect to the net to get instructions?

3. I'm going to have to go back through these logs posted to see what all has been done to it by the malware authors and what might be able to be fixed, some of which we may never know. It doesn't sound like you can do a reinstall unless you have recovery disks from Dell somewhere and it may be difficult to replace system files if they were totally wiped out.

4. Does this machine even validate as genuine Windows? If not, we won't be able to get you the SP2 update that it needs (and subsequent Windows critical security updates). Even if we can clean this up, operating at your current level of XP SP1 is a security risk and certainly is vulnerable to future attack. Do you understand the importance of the fact it does not have Windows SP2 at all?
itsleo, please respond to those questions and also my PM, thank you.

itsleo
2008-01-18, 23:44
Sorry to slip in here.


itsleo, please respond to those questions and also my PM, thank you.

Please note that I was responding to a FOLLOWING post, and that I did respond to your PM. My assumption is that if the questions were vitally important she would not have proceeded - was there a complaint?

itsleo
2008-01-18, 23:46
Sorry to slip in here.


itsleo, please respond to those questions and also my PM, thank you.

In any event, the answers, in order, are: Yes; Yes, I've already said so; and I don't know, but why wouldn't it?

CalamityJane
2008-01-19, 00:04
No, we still need answers. Is this machine being used at an office and also does the data on it belong to a former employee, because it may be needed to have someone do forensics on it. Maybe I'll just ask Tashi to do that with you via PM (questions, that is, not forensics). I can't really proceed until we have answers to those because of the security implications of a compromised machine.

itsleo
2008-01-19, 00:22
No, we still need answers. Is this machine being used at an office

It is not used for office work. It is a NOTEBOOK computer, and it goes with me most of the time - or it did before it cratered. It goes home, it goes upstairs, downstairs, it goes to other people's houses, coffee shops, et cetera. The reason I got it in the first place was so I had a portable that I could run a USB 11g wireless antenna on it - my other notebook is Linux and it doesn't play well with the wireless.


and also is the data on it belong to a former employee

To the best of my knowledge, there is no data on it that belongs to a former employee. I may have moved data to a backup directory in case it was needed by anyone, but if so, it can go away... this is why - as I believe I have stated several times now - I have no problem burning it down.


because it may be needed to have someone do forensics on it.


I have absolutely no idea what you are talking about here - what forensics, on what data, to what end?


Maybe I'll just ask Tashi to do that with you via PM.

Do that? What that?

Look - I already said, if you don't think it's worth while, just say so... I can try to reinstall XP on it, and if that doesn't work, I'll put a Linux on it.

CalamityJane
2008-01-19, 01:18
Hello Leo,

Let me explain why the questions.

The KAV scan has revealed a very serious trojan on the machine

You stated early on:

the machine's name is SHIRLEY WILLIAMS - it came from a county auction and I believe she was a JP)

It is not just the machine's name. You are running using her ADMIN account which may contain all of her data:

C:\Documents and Settings\SHIRLEY WILLIAMS\
C:\Program Files\LogMeIn
ComboFix 08-01-15.4 - SHIRLEY WILLIAMS 2008-01-17 14:12:29.2 - NTFSx86
Microsoft Windows XP Home Edition

I know you don't care about the technical details but it is important to understand (my bolded lines in the text below) what this trojan does.
It was this one that is the Bzub:

C\WINDOWS\SYSTEM32\ipv6monk.dll.vir Infected: Trojan-Spy.Win32.BZub.ic
............................................
Pay close attention: This is what that trojan does and it may mean that any data on the machine may have been stolen but I cannot tell you exact dates. It may be that it was stolen before you owned the machine, but if Shirley Williams, a JP, had any data on there - you would need to have it investigated in case someone else's info contained therein has been compromised. Do you see what I am talking about?


Name Win32.BZub.ic
Threat Level
Alias Win32.BZub.ic,
Date 25 February, 2007
Type Win32,Trojan
Damage Theft of information,Other
Platform Win 95,Win 98,Win ME,Win NT,Win 2K,Win XP
Analysis Win32.BZub.ic installs a .dll in the Windows System folder, and registers this .dll as a COM object and a BHO (Browser Helper Object) for Microsoft Internet Explorer. It also lowers Windows Firewall security settings, and steals data from the infected computer.

Malicious activity

Here are some of the actions performed by this Trojan on execution:

In order to lower Windows Firewall security settings, it adds the following registry entry:

[SPACE]"ProgramFiles\Internet Explorer\EXPLORE.EXE" = "ProgramFiles\Internet Explorer\IEXPLORE.EXE:*:Enabled:Internet Explorer"

to the following registry subkey:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\

The Trojan registers the said .dll as a Browser Helper Object by creating the following registry subkeys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{78364D99-A640-4DDF-B91A-67EFF8373045}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\browser helper obJects\{78364D99-A240-4dff-B11A-67E448373045}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{73364D99-1240-4dff-B11A-67E448373048}

It adds the following registry entries:

"(default)" = "C:\WINDOWS\system32\ipv6mons.dll"
"Enable Browser Extensions" = "yes"
"ThreadingModel" = "apartment"

to the following registry subkey:

HKEY_CLASSES_ROOT\CLSID\{73364D99-1240-4dff-B11A-67E448373048}\InProcServer32

in order to register the DLL as a Browser Helper Object.

It adds the following registry entry:

"Enable Browser Extensions" = "yes"

to the following registry subkey:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main

in order to register the DLL as a Browser Helper Object.

It creates the following files to store stolen information from the infected computer:

System\form.txt
System\info.txt
System\shot.html

It may steal the following information:

Host name and IP Address
Outlook Express Accounts
SMTP and POP3 Server
Password for Internet Explorer AutoComplete
MSN Explorer Signup account
Windows Cached Passwords
URLs visited
HTTP POST request
Content of HTTP FORM
TAN and PIN numbers of bank accounts

It searches for .pfx files on the infected computer.

It attempts to export and steal the crypto keys and certificates stored within the above files.

Therefore someone may need to look to see what data was stored on that computer and alert the former owner so that precautions against stolen info can be taken. If you wipe all that info now they won't know. It should have been wiped before it was put up for auction. Does nobody realize this?
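The write-up above names two registry locations the trojan tampers with: the firewall's AuthorizedApplications list (where the value name claims one executable while the data authorizes another) and the Browser Helper Objects key (whose CLSIDs resolve, via InProcServer32, to the dropped DLL). The script below is an added example, not code from this thread or from the vendor write-up: it parses a .reg export of those keys offline and flags authorized-application entries whose name and path disagree, and lists which DLL each registered BHO points at. The embedded export is constructed for the example; the CLSID and DLL name in it are placeholders.

```python
"""Offline audit of a .reg export for the two persistence points the BZub
write-up names: the Windows Firewall AuthorizedApplications list and Browser
Helper Object (BHO) registrations. Added example, not from the thread."""
import re

# Constructed sample export (not from any real machine). The third firewall
# entry mimics the shape the write-up describes: the value name names one
# executable while the data authorizes a different one. The BHO CLSID and the
# DLL name are placeholders, not real identifiers.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\Internet Explorer\\EXPLORE.EXE"="C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE:*:Enabled:Internet Explorer"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{00000000-1111-2222-3333-444444444444}]

[HKEY_CLASSES_ROOT\CLSID\{00000000-1111-2222-3333-444444444444}\InProcServer32]
@="C:\\WINDOWS\\system32\\example_bho.dll"
"ThreadingModel"="Apartment"
'''

# Suffix shared by the StandardProfile and DomainProfile lists.
FIREWALL_LIST_SUFFIX = r"\AuthorizedApplications\List".lower()
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects".lower()
# Authorized-application data is "path:scope:Enabled|Disabled:description".
FIREWALL_ENTRY = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>enabled|disabled):(?P<desc>.*)$",
    re.IGNORECASE)
VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping (\\\\ for a backslash, \\" for a quote)."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: data}}; the default
    value (@) is stored under the empty name. Non-string data is kept raw."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        name = "" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if data.startswith('"') and data.endswith('"'):
            data = _unescape(data[1:-1])
        keys[current][name] = data
    return keys


def audit_firewall_list(keys):
    """Return (key, value_name, reason) for AuthorizedApplications entries
    whose value name does not match the path in the data, or that do not
    parse at all. A legitimate entry names the same executable in both."""
    findings = []
    for key, values in keys.items():
        if not key.lower().endswith(FIREWALL_LIST_SUFFIX):
            continue
        for name, data in values.items():
            m = FIREWALL_ENTRY.match(data)
            if m is None:
                findings.append((key, name, "unparseable entry"))
                continue
            path, state = m.group("path"), m.group("state")
            if name.lower() != path.lower():
                findings.append((key, name,
                                 "value name differs from authorized path %r (state %s)" % (path, state)))
    return findings


def resolve_bhos(keys):
    """Map each registered BHO CLSID to the DLL its InProcServer32 default
    value points at (None when no server key is present)."""
    lower = {k.lower(): v for k, v in keys.items()}
    result = {}
    for key in keys:
        if not key.lower().startswith(BHO_KEY + "\\"):
            continue
        clsid = key.rsplit("\\", 1)[1]
        server = lower.get("hkey_classes_root\\clsid\\" + clsid.lower() + "\\inprocserver32", {})
        result[clsid] = server.get("")
    return result


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG_EXPORT)
    for key, name, reason in audit_firewall_list(parsed):
        print("FIREWALL:", name, "->", reason)
    for clsid, dll in resolve_bhos(parsed).items():
        print("BHO:", clsid, "->", dll)
```

The name/path comparison is the part an offline parser can do; whether each authorized executable or BHO DLL actually exists, is signed, and belongs to a known product still has to be checked on the machine, which is what the SDFix "Authorized Application Key Export" and the HijackThis O2 lines in this thread are for.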

itsleo
2008-01-19, 02:10
Hello Leo,

Let me explain why the questions.

The KAV scan has revealed a very serious trojan on the machine

You stated early on:


It is not just the machine's name. You are running using her ADMIN account which may contain all of her data:

C:\Documents and Settings\SHIRLEY WILLIAMS\
C:\Program Files\LogMeIn
ComboFix 08-01-15.4 - SHIRLEY WILLIAMS 2008-01-17 14:12:29.2 - NTFSx86
Microsoft Windows XP Home Edition

I know you don't care about the technical details but it is important to understand (my bolded lines in the text below) what this trojan does.
It was this one that is the Bzub:

C\WINDOWS\SYSTEM32\ipv6monk.dll.vir Infected: Trojan-Spy.Win32.BZub.ic
............................................
Pay close attention: This is what that trojan does and it may mean that any data on the machine may have been stolen but I cannot tell you exact dates. It may be that it was stolen before you owned the machine, but if Shirley Williams, a JP, had any data on there - you would need to have it investigated in case someone else's info contained therein has been compromised. Do you see what I am talking about?

Therefore someone may need to look to see what data was stored on that computer and alert the former owner so that precautions against stolen info can be taken. If you wipe all that info now they won't know. It should have been wiped before it was put up for auction. Does nobody realize this?

I understand about removing the data prior to ditching the computer. It didn't happen. Whether you, I, we, or they understand this or not is essentially a moot point.... barn doors, spilt milk, dead-mule flogging, and all that sort of thing.

The former owner was a County JP, and from what I can see she used the computer mostly for personal things. There was an old DOS-based program and its xBase data files on the computer, which I personally moved into a "backup" directory and archived onto CDs. I probably should have erased it, but I didn't...

I seriously doubt that any of this particular data was stolen, but if it was, it was almost certainly useless to the thieves.

I don't know what your background in government and law enforcement is, but I do have some experience, and I can assure you that - at least on a state and local level - there is no money and no interest in investigating maybe's, particularly given the - in my view - absolute fact that live computers on the desks of government employees all over the country are far more likely to be regurgitating data to whatever cybercriminals may be lurking.

So... I do truly appreciate everything you've done so far...
shall we continue cleaning, or should I just burn it down? As I stated, I'd like to keep the XP - and I think I mentioned because of the wireless playing better - but some of the newer Linuxes apparently now have improved the wireless NIC code - one of my clients said he put Ubuntu (I think it was Ubuntu) on his notebook and the wireless jumped right up, although he did have to manually download an inf from MS... so maybe that's not as much of a chore as it was a year ago!

itsleo
2008-01-19, 02:25
It creates the following files to store stolen information from the infected computer:

System\form.txt
System\info.txt
System\shot.html

It may steal the following information:

Host name and IP Address
Outlook Express Accounts
SMTP and POP3 Server
Password for Internet Explorer AutoComplete
MSN Explorer Signup account
Windows Cached Passwords
URLs visited
HTTP POST request
Content of HTTP FORM
TAN and PIN numbers of bank accounts

It searches for .pfx files on the infected computer.

It attempts to export and steal the crypto keys and certificates stored within the above files.

Hi, Jane. I checked for those files. Now, I don't know if the indicated files above (form.txt, etc) have already been eliminated, or simply didn't exist, but there are no such files on the system at this time.

Furthermore - again - I DO NOT USE MS programs unless absolutely necessary (in fact, running the KAV online was, I believe, the first time I have used IE at all on the infected computer; on my XP Pro system at home I use IE only for my day-trading access, since the authors were stupid enough to use MS's java extensions and it doesn't work with FF or Opera). I have stated more than once that I don't use IE, nor do I use MS Office; I stated that I use Thunderbird, from which one should infer that I do not use Outlook, but let me state that unequivocally, anyway: I do not use any version of Outlook. I assume (always dangerous) that the trojan steals data from the directories known to be inhabited by IE, Office, Outlook, etc. The old data may have been there, I don't know, but if it was, it was almost certainly no longer valid.

I will inform the former JP that she had managed to collect a fairly horrendous set of viruses and that she should change her passwords as a matter of security.

CalamityJane
2008-01-19, 03:42
I will inform the former JP that she had managed to collect a fairly horrendous set of viruses and that she should change her passwords as a matter of security.
That would be good. Also I'm concerned if the county is selling their computers without wiping them, other people's info on them could be compromised without their knowledge (the JP's cases, whatever). That JP may know best what info may have been on the computer that others could now have access to.

This computer has a lot of problems at the moment. If you decide to flatten it, check with Dell on the advisability of that in case they have any special instructions and whether or not the version of Windows XP you have as install CD will work on that (you would almost certainly need a new version and not one borrowed off another machine).

If you decide to clean it, let me know - I'll try.

itsleo
2008-01-19, 06:29
That would be good. Also I'm concerned if the county is selling their computers without wiping them, other people's info on them could be compromised without their knowledge (the JP's cases, whatever). That JP may know best what info may have been on the computer that others could now have access to.

This computer has a lot of problems at the moment. If you decide to flatten it, check with Dell on the advisability of that in case they have any special instructions and whether or not the version of Windows XP you have as install CD will work on that (you would almost certainly need a new version and not one borrowed off another machine).

If you decide to clean it, let me know - I'll try.

I don't know what happens with other County computers - I'll see what I can find out.

Most people don't have a good understanding of government functioning at ANY level... here's a quick lesson: elected officials work for the voters / taxpayers, and not for some other official. For example, your County Clerk does not work for your County Judge and is under no obligation to take orders from the Judge (or the state, or anyone else)... likewise, the County Attorney doesn't work for the District Attorney or your state Attorney General or anyone else. Your state may or may not have laws specifying what can, should, or must be done with any forms of records (read, "data"), other than retention, availability or non-availability to the public, and so on. No official is liable for the acts of criminals, even in such a case as failure to lock doors or filing cabinets...

I'm not saying your points aren't good IDEAS, but - as far as I am aware, and speaking generally - they aren't LAWS, other than "best efforts" sort of things, and defining best efforts and culpability for failure to make such efforts are incredibly hard to prosecute, even if such prosecution were desirable, which it - again, generally - almost never seems to be, at least not from the standpoint of one elected official (or staff) taking after another elected official (or staff).

It looks to me like your heart and your interest aren't really in this, so unless you really, actually WANT to keep banging on this thing, I think I'm going to see if I can just format and (re-)install a generic XP Home on the thing. Besides, we've both spent already far more time and energy than the damned thing is worth - I'd bet there are identical ones on eBay going for less than the value of your time... in case you can't tell, I'm feeling pretty damn apologetic for even starting this in the first place... but I'm one of those people who hate like hell to junk something that can be fixed... it's sorta like spending three or four hours trying to fix a steam iron instead of throwing the (*&#@$ thing away and buying a new one for $12.95....

I'm sure there will be fun and games involved in finding the secret mystery Dell drivers, but I have (re-)installed plain vanilla Windowses on other Dells (and Compaqs and Gateways - albeit no notebooks, and only a couple of XP versions - I borrowed a CD from the local store and used the original product key from the computer's sticker, no big deal, although I did have to talk to someone at MS about one of them and cross my heart that this was the same computer but with a new hard disk after the old one crashed), without huge problems ensuing. Maybe I'll get with Dell and see if they can provide the CDs... The computer has a gen-you-wine Dell / Windows sticker on it, product key and all. And if that doesn't work, I'm 100% certain I can install any of a large number of Linuxes on it, and I'm guessing that the wireless is going to be much less of an issue now... and, of course, the virus issue - for all practical purposes - simply doesn't exist.

Anyway, if you are interested, fine, I'm game to see what can be done - as I have repeatedly stated, I have absolutely no problem with simply erasing / replacing any or all of the apps or OS, by which I mean that if it's easier to erase and replace than to sanitize, that's what we do!

What do YOU suggest? Remember, I understand completely and have no hard feelings or disrespect if you just want to file this under Nightmare and walk away!

Jane, again, I thank you for your time and your patience in dealing with this. I hope you understand that I do really and truly appreciate it!

CalamityJane
2008-01-19, 15:22
What do YOU suggest? Remember, I understand completely and have no hard feelings or disrespect if you just want to file this under Nightmare and walk away!

Jane, again, I thank you for your time and your patience in dealing with this. I hope you understand that I do really and truly appreciate it!
If this were my computer, I would wipe it first and reinstall because of the type of malware that has been running on it. Some of the installed software programs are now infected and may need to be uninstalled/reinstalled. The security settings have been lowered by this trojan:
Trojan Zonebac (aka Trojan Agent AWF)
http://www.symantec.com/security_response/writeup.jsp?docid=2006-091612-5500-99

Trojan Bzub we have already covered - it does other system damage as well. There are a number of trojan downloader agents (these trojans download additional malware to the machine). It is all in the Kaspersky scan report.

I don't mind helping you try to clean it but I cannot guarantee we can find what settings/exploits have already been made to ensure an intruder can get back in.

If you choose to reinstall Windows please be sure that you can get Service Pack 2. Right now the machine is on SP1 and is no longer receiving critical security updates to Windows and is at the moment quite far behind so it is exploitable and vulnerable to attack. We could try to clean it up as best as possible and hopefully an install of SP2 would reset a lot of the security settings that have been compromised - but I can't guarantee it. The system logs indicate a problem trying to validate and get updates, but of course you should not do that upgrade to SP2 before getting the malware off of there first.

I just need to know which way you want to go with this. I have gone over the logs and enumerated what infections are present and steps to begin to remove them but holding off until you tell me in which direction you would like to proceed.

And yes, it is easier to do this:
If it's easier to erase and replace than to sanitize....

tashi
2008-01-25, 06:46
itsleo, you have logged on since CalamityJane's last post.

What is the verdict?

tashi
2008-01-30, 08:28

This topic has been moved to archives.

If you still require help, please start a new topic and include a fresh HijackThis log and a link to this thread in your new topic.

Applies only to the original poster, anyone else with similar problems please start a new topic.

Thank you CalamityJane.