
HJT log



rcb56
2008-02-04, 20:21
Okay Tashi, here is my log. I tried to d'load the S'bot and A-V and both were the same. I get the window to save it, I click "save file" and the location to save it to never opens. I use Firefox and it's not in the downloads. Hopefully you can help with this log. And thank you...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:53 PM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.highimpacthalo.org/forum
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5212
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5212
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [McENUI] C:\PROGRA~1\McAfee\MHN\McENUI.exe /hide
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" /minimize
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll (file missing)
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll (file missing)
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O23 - Service: McAfee Application Installer Cleanup (0053921202148161) (0053921202148161mcinstcleanup) - McAfee, Inc. - C:\WINDOWS\TEMP\005392~1.EXE
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\gguudcdn.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Defender Pro LLC - C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7901 bytes

rcb56
2008-02-05, 07:12
I noticed when I opened Firefox to MSN, in the bottom left corner of Firefox it reads "waiting on msn.com", but just now it read "waiting on a.rad.msn.com". I closed it and opened it back up and it had "waiting on c.msn.com". As I type this, I am about one word ahead of my cursor; my text is delayed in displaying. No one has replied to my thread and I hope someone does soon, as this is getting worse. I hope I have a PC tomorrow. Thanks for any help.

rcb56
2008-02-05, 07:53
Well, I finally got to d'load Spybot to my desktop, and when I try to install I get a prompt that it couldn't connect, and retry didn't work. It was connecting to 87.106.8.215.

rcb56
2008-02-06, 14:04
Finally got it to run...

Tuesday, February 05, 2008 7:48:56 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/02/2008
Kaspersky Anti-Virus database records: 550227
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
F:\
G:\
H:\
I:\
J:\
Scan Statistics
Total number of scanned objects 89007
Number of viruses found 4
Number of infected objects 40
Number of suspicious objects 1
Duration of the scan process 03:45:00

Infected Object Name Virus Name Last Action
C:\!KillBox\wvusspn.dll Object is locked skipped
C:\!KillBox\wvusspn.dll( 1) Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Backup\BackupMng.i0000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Backup\BackupMng.i0001 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Backup\BackupMng.i0100 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Backup\BackupMng.i0101 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Backup\BackupMng.i0200 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Backup\BackupMng.i0201 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Backup\BackupMng.i0300 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Backup\BackupMng.i0301 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Backup\BackupMng.reph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Backup\BackupMng.repi Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Backup\BackupMng.rept Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Quarantine\QMng.i0000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Quarantine\QMng.i0001 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Quarantine\QMng.i0100 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Quarantine\QMng.i0101 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Quarantine\QMng.i0200 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Quarantine\QMng.i0201 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Quarantine\QMng.i0300 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Quarantine\QMng.i0301 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Quarantine\QMng.reph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Quarantine\QMng.repi Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Quarantine\QMng.rept Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Reports\RptMng.i0000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Reports\RptMng.i0001 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Reports\RptMng.i0100 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Reports\RptMng.i0101 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Reports\RptMng.i0200 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Reports\RptMng.i0201 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Reports\RptMng.reph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Reports\RptMng.repi Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Reports\RptMng.rept Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\EasyNet\MHNData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{DCF072DD-E506-4978-9BA5-1E2B10194EE7}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_884.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008020520080206\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF4410.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DFE056.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe NSIS: infected - 1 skipped
C:\Program Files\Crawler\Toolbar\firefox\components\xshared.dll Object is locked skipped
C:\Program Files\Crawler\Toolbar\firefox\components\xsupport.dll Object is locked skipped
C:\Program Files\Crawler\Toolbar\firefox\components\xwsg.dll Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_123.trc Object is locked skipped
C:\Program Files\VCOM\SystemSuite\VSSEM6UD.006 Suspicious: Type_Win32 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP10\A0051149.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP13\A0055997.EXE Object is locked skipped

rcb56
2008-02-06, 14:07
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP13\A0056156.EXE/WISE0012.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP13\A0056156.EXE WiseSFX: infected - 1 skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP13\A0056156.EXE WiseSFXDropper: infected - 1 skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP16\A0056985.dll Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP16\A0057002.DLL Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP16\A0057003.DLL Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP18\A0057982.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP22\A0058981.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP22\A0058982.dll Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP24\A0060493.dll Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP24\A0060495.dll Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP24\A0060496.dll Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP24\A0060510.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP24\A0060511.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP24\A0060513.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP24\A0060533.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP24\A0060536.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP24\A0060558.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP27\A0061171.dll Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP27\A0061177.exe Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062150.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062152.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062153.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062154.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062155.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062156.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062157.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062158.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062159.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062160.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062161.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062162.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062163.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP31\A0064087.exe Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP31\A0064088.exe Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP31\A0065088.exe Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP31\A0065089.exe Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP31\A0065090.exe Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP32\A0066242.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP32\A0066271.dll Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP33\A0067025.exe Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP33\A0067044.dll Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0067203.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0068071.EXE Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0068073.exe Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0068074.exe Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0069077.exe Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0069182.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0069183.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0069184.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0069185.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0069196.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0069202.exe Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP38\A0069826.exe Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP39\change.log Object is locked skipped
C:\VundoFix Backups\geebb.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\kxyxepux.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\onstvhvy.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\qbtirtul.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\tpjymcvb.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\BRIDGESONE.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\ModemLog_PCI Soft Data Fax Modem with SmartCP.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{35602D79-7E16-4706-BDB4-D80431047478}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\geebb.exe Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wvusspn.dll Object is locked skipped
C:\WINDOWS\system32\yybgcewb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\TEMP\mcafee_hUxW23yaVgeUSOd Object is locked skipped
C:\WINDOWS\TEMP\mcmsc_rqlVoA8c6ylaiaB Object is locked skipped
C:\WINDOWS\TEMP\mcmsc_X5ujnKCFv2GTHy7 Object is locked skipped
C:\WINDOWS\TEMP\ZLT05370.TMP Object is locked skipped
C:\WINDOWS\TEMP\ZLT0577b.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.

pskelley
2008-02-07, 15:07
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

Thanks for returning the correct information. It looks like you used VundoFix and still have some leftovers. Unfortunately, you are running the System Configuration Utility (MSConfig) in Select Startup Mode, and I have no idea what you may have unchecked. Return to Normal Mode until we finish.
You have a load of Vundo files in your System Restore, so until we clean it near the end, do not use System Restore.

1) You are running two antivirus programs at the same time and this is not a good thing. They conflict with each other and you will be less safe than if you ran one good program and maintained it properly.
http://service1.symantec.com/SUPPORT/nav.nsf/docid/2000031316555206
"Microsoft recommends that you have only one anti-virus program installed on your computer."
http://www.washingtonpost.com/wp-dyn/content/article/2005/12/03/AR2005120300087.html
http://www.smartcomputing.com/editorial/article.asp?article=articles/2003/s1407/38s07/38s07.asp

C:\Program Files\Defender Pro\Defender Pro Anti-Virus\
C:\Program Files\McAfee\
Uninstall one of those.

2) AVG Anti-Spyware: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.

3) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

4) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

5) Disable the Service
Click Start > Run and type services.msc
Scroll down to DomainService and right click on it.
Click Properties and under Service Status click Stop, then under Startup Type change it to Disabled.

6) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\gguudcdn.exe (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

7) Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\WINDOWS\system32\gguudcdn.exe <<< delete that file

C:\WINDOWS\system32\yybgcewb.dll <<< delete that file

C:\VundoFix Backups\ <<< delete that folder and the contents

8) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post a new HJT log and some feedback about performance.

Thanks
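
As an added example for readers of this thread (not part of HijackThis and not posted by pskelley or rcb56), the script below applies the same kind of checks the helper made by eye to the HJT log: entries whose target file no longer exists, a win.ini load= autostart, an O4 Run entry that loads a DLL from system32 through rundll32, and an O23 service with no vendor string. The rules are the author's own triage heuristics, and the sample lines are copied from the logs posted in this thread; the result is a list of lines to look at first, not a verdict.

```python
"""Triage helper for HijackThis (HJT) logs.

Added example for this thread; it is not part of HijackThis. The rules
below are the author's own heuristics, written to mirror the manual checks
made in the thread (orphaned entries, win.ini load=, rundll32 DLLs in
system32, services with no known vendor). They are triage hints, not verdicts.
"""
import re
from dataclasses import dataclass

# Sample lines copied from the HJT logs posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\ddcya.exe
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" /minimize
O4 - HKLM\..\Run: [dcf3e960] rundll32.exe "C:\WINDOWS\system32\xlgmnhfl.dll",b
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\gguudcdn.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

# Every HJT finding looks like "O4 - <body>": a section code, then the entry.
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
# win.ini load=/run= is a legacy autostart that current software almost never uses.
WININI_RE = re.compile(r"win\.ini: (load|run)=", re.IGNORECASE)
# rundll32 launching a DLL that sits directly in system32 (the Vundo pattern in this thread).
RUNDLL_RE = re.compile(r'rundll32(\.exe)?\s+"?[^"]*\\system32\\[^"\\]+\.dll', re.IGNORECASE)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage_hjt(log_text: str) -> list[Finding]:
    """Return the log lines a helper would look at first, each with its reason."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue  # headers, the process list and blank lines are not findings
        section, body = m.group("section"), m.group("body")
        low = body.lower()
        if "(file missing)" in low or "(no file)" in low:
            # Leftover registration whose target is already gone: a plain HJT fix.
            findings.append(Finding(section, "orphaned entry, target file missing", line))
        elif section == "F3" and WININI_RE.search(body):
            findings.append(Finding(section, "legacy win.ini autostart", line))
        elif section == "O4" and RUNDLL_RE.search(body):
            findings.append(Finding(section, "rundll32 loads a DLL from system32 at logon", line))
        elif section == "O23" and "unknown owner" in low and "\\system32\\" in low:
            findings.append(Finding(section, "service with no vendor string, binary in system32", line))
    return findings


def summary(findings: list[Finding]) -> dict[str, int]:
    """Count findings per reason, handy for a quick overview of a long log."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.reason] = counts.get(f.reason, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run against a full log, the output is the shortlist of entries to research before touching anything; a legitimate vendor entry such as the ATI service in the sample passes every rule, which is the point of keying on missing files, legacy autostart locations and missing vendor strings rather than on file names alone.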

rcb56
2008-02-08, 07:01
ok psk, i did as you suggested and here's how it went. when i did step 5, in the services window, there was no "Domain Service"; also in step 6, there was no O23. in step 7 the first two files weren't there and i proceeded with the rest of the steps. i still have prompts at startup that windows cannot locate certain files. but after startup, firefox opens and runs much smoother and faster. as for my startup in configuration, there should only be one anti-virus checked and nothing else. i'll have to check that to be sure. my cpu fan has slowed down to normal, thank you! that was very annoying. i'm posting the hjt file after rebooting. thanks for your help and let me know how we did...knock on wood!

hjt file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 23:00, on 2008-02-07
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.highimpacthalo.org/forum
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5212
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5212
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F3 - REG:win.ini: load=C:\WINDOWS\system32\ddcya.exe
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" /minimize
O4 - HKLM\..\Run: [RCScheduleCheck] C:\Program Files\VCOM\Recovery Commander\RCSCHED.EXE -CHECK
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [dcf3e960] rundll32.exe "C:\WINDOWS\system32\xlgmnhfl.dll",b
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll (file missing)
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll (file missing)
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: kavsvc - Defender Pro LLC - C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kavsvc.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 6612 bytes

rcb56
2008-02-08, 08:22
well it was running fine and it just shut down to the "blue page", and after the 2nd try i had to select last known configuration that worked, and my cpu is nuts again and everything has slowed way down!

rcb56
2008-02-08, 13:38
last night the last thing i did was run the kaspersky online av again. here's the log...

Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/02/2008
Kaspersky Anti-Virus database records: 554043
Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true
Scan Target My Computer
C:\
D:\
F:\
G:\
H:\
I:\
J:\
Scan Statistics
Total number of scanned objects 89154
Number of viruses found 11
Number of infected objects 89
Number of suspicious objects 0
Duration of the scan process 01:41:35

Infected Object Name Virus Name Last Action
C:\!KillBox\wvusspn.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.giq skipped
C:\!KillBox\wvusspn.dll( 1) Infected: not-a-virus:AdWare.Win32.Virtumonde.giq skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Backup\BackupMng.i0000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Backup\BackupMng.i0001 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Backup\BackupMng.i0100 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Backup\BackupMng.i0101 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Backup\BackupMng.i0200 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Backup\BackupMng.i0201 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Backup\BackupMng.i0300 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Backup\BackupMng.i0301 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Backup\BackupMng.reph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Backup\BackupMng.repi Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Backup\BackupMng.rept Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Quarantine\QMng.i0000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Quarantine\QMng.i0001 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Quarantine\QMng.i0100 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Quarantine\QMng.i0101 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Quarantine\QMng.i0200 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Quarantine\QMng.i0201 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Quarantine\QMng.i0300 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Quarantine\QMng.i0301 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Quarantine\QMng.reph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Quarantine\QMng.repi Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Quarantine\QMng.rept Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Reports\RptMng.i0000 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Reports\RptMng.i0001 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Reports\RptMng.i0100 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Reports\RptMng.i0101 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Reports\RptMng.i0200 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Reports\RptMng.i0201 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Reports\RptMng.reph Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Reports\RptMng.repi Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Defender Pro Anti-Virus\5.0\Reports\RptMng.rept Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_484.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012008020820080209\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\~DF4EBE.tmp Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Crawler\Toolbar\firefox\components\xshared.dll Object is locked skipped
C:\Program Files\Crawler\Toolbar\firefox\components\xsupport.dll Object is locked skipped
C:\Program Files\Crawler\Toolbar\firefox\components\xwsg.dll Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped

rcb56
2008-02-08, 13:40
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_133.trc Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinUninstaller.exe.vir/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinUninstaller.exe.vir NSIS: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\yybgcewb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP10\A0051149.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP13\A0055997.EXE Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP13\A0056156.EXE/WISE0012.BIN Infected: not-a-virus:AdWare.Win32.WeatherBug.a skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP13\A0056156.EXE WiseSFX: infected - 1 skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP13\A0056156.EXE WiseSFXDropper: infected - 1 skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP16\A0056985.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.eby skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP16\A0057002.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP16\A0057003.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.l skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP18\A0057982.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP22\A0058981.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP22\A0058982.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.edw skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP24\A0060493.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.edw skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP24\A0060495.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.kp skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP24\A0060496.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.kp skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP24\A0060510.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP24\A0060511.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP24\A0060513.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP24\A0060533.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP24\A0060536.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP24\A0060558.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP27\A0061171.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.giq skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP27\A0061177.exe Infected: Trojan-Downloader.Win32.Agent.idv skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062150.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062152.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062153.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062154.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062155.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062156.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062157.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062158.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062159.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062160.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062161.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062162.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062163.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP31\A0064087.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP31\A0064088.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP31\A0065088.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP31\A0065089.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP31\A0065090.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP32\A0066242.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP32\A0066271.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP33\A0067025.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP33\A0067044.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.giq skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0067203.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0068071.EXE Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0068073.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0068074.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0069077.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0069182.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0069183.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0069184.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0069185.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0069196.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0069202.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP38\A0069826.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP39\A0069865.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP39\A0069940.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP39\A0069940.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP39\A0069941.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP39\A0070050.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP39\A0070978.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP39\A0071079.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.giq skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP41\A0073088.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP41\A0073089.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP41\A0073097.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP41\A0073245.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP41\A0073371.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP41\A0074388.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP41\A0074391.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP41\A0075371.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP41\A0075375.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP41\A0076374.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP41\A0076377.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP41\A0077373.exe Infected: Virus.Win32.Trats.d skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP41\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\ModemLog_PCI Soft Data Fax Modem with SmartCP.txt Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{2635C180-5C03-4EE1-84C3-B3E73C5C68A0}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\bxxxbwlp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\ddcya.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\ddcya.exe Infected: Virus.Win32.Trats.d skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\geebb.exe Infected: Virus.Win32.Trats.d skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\mjosaxqs.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\pgrxdmry.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wvusspn.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.giq skipped
C:\WINDOWS\system32\wvusspn.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.giq skipped
C:\WINDOWS\system32\xlgmnhfl.dll.vzr Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
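
As an added example for readers (not part of the Kaspersky scanner and not posted by either participant), the script below reads the scanner report above and sorts each reported object into three groups: live files, copies already sitting in a quarantine folder, and copies inside System Restore points. Only the first group needs removal by hand; the restore-point copies go when System Restore is cleared, as pskelley notes earlier in the thread. The folder conventions it keys on (the `_restore` tree, `QooBox\Quarantine`, `!KillBox`, `.vir` copies) are the author's own assumptions based on the paths in this report, and the sample lines are copied from it.

```python
"""Summarise a Kaspersky Online Scanner report by location and detection.

Added example for this thread, not part of the scanner. Each per-object
line is parsed into (path, status, detection) and the path is classified
as live, quarantine or system_restore using folder names seen in this
thread (an assumption, adjust for other tools' quarantine folders).
"""
import re
from collections import Counter
from dataclasses import dataclass

# Sample lines copied from the scan report posted above.
SAMPLE_REPORT = r"""
C:\!KillBox\wvusspn.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.giq skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\yybgcewb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\Yazzle1281OinUninstaller.exe.vir NSIS: infected - 1 skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP27\A0061177.exe Infected: Trojan-Downloader.Win32.Agent.idv skipped
C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP31\A0064087.exe Infected: Virus.Win32.Trats.d skipped
C:\WINDOWS\system32\ddcya.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\ddcya.exe Infected: Virus.Win32.Trats.d skipped
C:\WINDOWS\system32\geebb.exe Infected: Virus.Win32.Trats.d skipped
C:\WINDOWS\system32\wvusspn.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.giq skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
"""

# Archive/installer containers are reported as "<path> NSIS: infected - 1".
CONTAINER_RE = re.compile(r"^(?P<path>.+) (?P<kind>\S+): infected - \d+$")


@dataclass
class ScanEntry:
    path: str
    status: str      # "infected", "container" or "locked"
    detection: str   # detection name, container type, or "" when locked
    location: str    # "live", "quarantine" or "system_restore"


def classify_location(path: str) -> str:
    """Assumed folder conventions: restore points first, then quarantine folders and .vir copies."""
    low = path.lower()
    if "\\system volume information\\_restore" in low:
        return "system_restore"
    if "\\qoobox\\quarantine\\" in low or "\\!killbox\\" in low or low.endswith(".vir"):
        return "quarantine"
    return "live"


def parse_report(text: str) -> list[ScanEntry]:
    """Turn the per-object lines of the report into ScanEntry records."""
    entries: list[ScanEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line.endswith(" skipped"):
            continue  # header and statistics lines are not per-object records
        body = line[: -len(" skipped")]
        if body.endswith(" Object is locked"):
            # In-use files the scanner could not open; not findings by themselves.
            path = body[: -len(" Object is locked")]
            entries.append(ScanEntry(path, "locked", "", classify_location(path)))
        elif " Infected: " in body:
            # rsplit keeps paths with spaces intact; the detection name has none.
            path, detection = body.rsplit(" Infected: ", 1)
            entries.append(ScanEntry(path, "infected", detection, classify_location(path)))
        else:
            m = CONTAINER_RE.match(body)
            if m:
                path = m.group("path")
                entries.append(ScanEntry(path, "container", m.group("kind"), classify_location(path)))
    return entries


def summarize(entries: list[ScanEntry]) -> dict:
    """Counts by location and detection, plus the live paths that still need removal."""
    infected = [e for e in entries if e.status != "locked"]
    return {
        "locked": sum(1 for e in entries if e.status == "locked"),
        "by_location": Counter(e.location for e in infected),
        "by_detection": Counter(e.detection for e in infected if e.status == "infected"),
        "live_infected": sorted(e.path for e in infected if e.location == "live"),
    }


if __name__ == "__main__":
    s = summarize(parse_report(SAMPLE_REPORT))
    print("locked objects:", s["locked"])
    print("infected by location:", dict(s["by_location"]))
    print("infected by detection:", dict(s["by_detection"]))
    for path in s["live_infected"]:
        print("  live:", path)
```

On the full report above this separates the three live system32 files from the dozens of restore-point copies that inflate the "Number of infected objects" count, which is the distinction the helper draws when he says not to use System Restore until it is cleaned near the end.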

pskelley
2008-02-08, 13:46
This is not an easy infection to remove and I am seeing new junk now: F3 - REG:win.ini: load=C:\WINDOWS\system32\ddcya.exe, probably because MSConfig is now in Normal Mode. Keep this computer offline except when troubleshooting and do not expect easy. If you want easy, I suggest you consider reformatting. If you wish instructions for doing that, let me know.

Read and follow the directions carefully or the tools will not work. If you have any tool I use, delete it and download it new from the links I provide.

1) Thanks to Atribune and any others who helped with this fix.

http://vundofix.atribune.org/ <<< tutorial

"Download VundoFix" to your Desktop

http://www.atribune.org/ccount/click.php?id=4

Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will attempt to run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on the C:\

(wait until you finish to post reports and logs)

2) Tutorial if needed:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the Vundofix.txt, combofix log and a new HJT log.

Thanks

rcb56
2008-02-09, 04:35
Well, I apologize for taking your time; I obviously need your help as I am having a problem here. I've tried to do as you asked. I've owned a PC for 8 or 9 years, and while I might be able to change the oil and do some shade-tree mechanic stuff, I am nowhere near the skills of you PC wizards. If I don't do like you say, just thump my head. For the life of me I cannot find the emergency disk for this PC in case I need it. This a.m. I disconnected my cable modem so as not to be connected to the internet. I ran VundoFix as you said and saved the files. As slow as it all ran, I had to leave for work. I ran ComboFix as you said. When I go to C:\ to retrieve the Vundo file to post here I get a prompt, "C:\VundoFix.txt Access is Denied". I will post the ComboFix result and keep trying to open the other. I'll post it if I can get it. No... don't guess I will. I just tried to open it and got the same message. Will run another scan of each and see if their logs open as I wait on your reply. Thanks pskelley. I O U very much.

rcb56
2008-02-09, 05:16
I ran another VundoFix and it said it had no files. Then I ran ComboFix again, and when I try to open the file to copy and paste I get the prompt again. FWIW, my PC is running very well, the CPU fan is a hum, Firefox loads very fast and there's no skipping when scrolling. But I noticed earlier in my internet connections there wasn't one, yet there used to be two there. I opened Device Manager and expanded the networks tree and reinstalled drivers, and they are now back, yet if I click post here to post this, it might... and I might get the "cannot locate server". It appears to be better, as if VundoFix did a number on the bug, but it also acts kind of like there's some offspring around meddling with stuff. I realize it may not be over, but I hereby nominate pskelley for president and ruler of anything he or she wants and can have all of my womens. So president/ruler pskelley, what do I do now? >insert kneeling smiley bowing to a great one here<

rcb56
2008-02-09, 05:18
I guess you might want to see what a new HJT log shows, so I ran one just in case.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:16, on 2008-02-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\LVComsX.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.highimpacthalo.org/forum
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5212
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5212
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {40e05adb-7fd8-7f9a-c6d4-aa90f833dd60} - {06dd338f-09aa-4d6c-a9f7-8df7bda50e04} - C:\WINDOWS\system32\mjosaxqs.dll (file missing)
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {248F3FC3-C813-49A1-8055-958FF2D1A1B4} - C:\WINDOWS\system32\geebb.dll (file missing)
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {768BA8BE-D63B-4B0F-9815-02D034C4B963} - C:\WINDOWS\system32\pmkji.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: (no name) - {B51625B4-DB83-47E2-96D7-536759681372} - C:\WINDOWS\system32\ddcya.dll (file missing)
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll (file missing)
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll (file missing)
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O20 - Winlogon Notify: gebbxxx - gebbxxx.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7449 bytes

pskelley
2008-02-09, 13:24
Thanks for the HJT log and the feedback; we still have a cleanup to do. I need to see the reports from those two tools. Look on the C:\ drive for C:\Vundofix.txt and C:\combofix.txt and post them please. Once I make sure everything worked as it was supposed to, we can get on to finishing up.

Thanks...Phil

rcb56
2008-02-09, 18:12
I still get the same 'can't access' window if I try to open them. Last night I tried to get on and read here but I had no internet connection. In the connections window it was just blank. In Device Manager I was able to get it back enabled and it showed up in the connections, but when I'd try to enable it, I'd crash and get the 'blue page'. Things have been running real smooth except for that, though. I just can't get those two files to open. Thanks man.

pskelley
2008-02-09, 19:16
I have thought about this and I want you to know that you should not start any of the directions if you do not have the time to complete them. I also want you to know we use these tools a lot and I have not had a problem like this, so there is a good chance the issues are originating on your end. Please make sure you are signed in as the system administrator and that you read and follow the directions carefully.

This is what I would like to try:

Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: {40e05adb-7fd8-7f9a-c6d4-aa90f833dd60} - {06dd338f-09aa-4d6c-a9f7-8df7bda50e04} - C:\WINDOWS\system32\mjosaxqs.dll (file missing)
O2 - BHO: (no name) - {248F3FC3-C813-49A1-8055-958FF2D1A1B4} - C:\WINDOWS\system32\geebb.dll (file missing)
O2 - BHO: (no name) - {768BA8BE-D63B-4B0F-9815-02D034C4B963} - C:\WINDOWS\system32\pmkji.dll (file missing)
O2 - BHO: (no name) - {B51625B4-DB83-47E2-96D7-536759681372} - C:\WINDOWS\system32\ddcya.dll (file missing)
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O20 - Winlogon Notify: gebbxxx - gebbxxx.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Delete Vundofix and combofix from your computer, restart your computer.

Read these instructions so you will know what you are doing, especially these instructions:
Manually restoring the Internet connection

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log. Please add any comments you think will help.

Thanks
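A small triage helper for the kind of HJT entries named in this post, added here as an example that is not part of the thread or of the HijackThis tool: it parses HJT entry lines and flags hooks whose target file is gone ("(file missing)" / "(no file)"), which is the common thread in the lines the helper asked to have fixed, and separately marks O20 load points (Winlogon Notify, AppInit_DLLs) for manual review. The sample lines are copied from the log posted earlier in the thread; the O20 review rule is my own assumption, not something the helper stated.

```python
"""Triage helper for HijackThis (HJT) log entries.

Added example; not code from the forum thread or from HijackThis itself.
An HJT entry line looks like:  <code> - <field> - <field> - <field>
e.g.  O2 - BHO: <name> - {CLSID} - <path> [(file missing)]
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Section code (R0..R3, F0..F3, O1..O24) followed by " - " and the body.
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.+)$")
# A bare COM CLSID such as {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}.
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# HJT appends these when the hook's target no longer exists on disk.
ORPHAN_MARKERS = ("(file missing)", "(no file)")
# Assumption for this example: O20 entries run code very early (Winlogon
# Notify packages, AppInit_DLLs), so they are always worth a manual look.
REVIEW_CODES = {"O20"}


@dataclass
class Flagged:
    code: str              # HJT section code, e.g. "O2"
    clsid: Optional[str]   # CLSID when the entry carries one, else None
    target: str            # last field of the entry, normally the file path
    reason: str            # "orphaned" (file gone) or "review" (load point)
    line: str              # the original log line, for ticking in HJT


def parse_entry(line: str) -> Optional[Tuple[str, List[str], Optional[str]]]:
    """Split one HJT line into (code, fields, clsid); None for non-entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # headers, process list, blank lines, "End of file"
    code, body = m.group("code"), m.group("body")
    fields = body.split(" - ")
    # Only a field that is *exactly* a GUID is the CLSID; a BHO whose
    # display name is itself GUID-shaped (see the mjosaxqs line) is skipped.
    clsid = next((f for f in fields if GUID_RE.fullmatch(f)), None)
    return code, fields, clsid


def triage(lines: Iterable[str]) -> List[Flagged]:
    """Return the entries a helper would look at first, in log order."""
    flagged: List[Flagged] = []
    for raw in lines:
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        code, fields, clsid = parsed
        target = fields[-1]
        if any(marker in target for marker in ORPHAN_MARKERS):
            flagged.append(Flagged(code, clsid, target, "orphaned", raw.strip()))
        elif code in REVIEW_CODES:
            flagged.append(Flagged(code, clsid, target, "review", raw.strip()))
    return flagged


def fix_list(lines: Iterable[str]) -> List[str]:
    """The raw lines to tick under 'Do a system scan only' -> 'Fix checked'."""
    return [f.line for f in triage(lines) if f.reason == "orphaned"]


# Sample input: lines copied from the HJT log posted earlier in this thread.
SAMPLE_LOG = [
    "Logfile of Trend Micro HijackThis v2.0.2",
    "Running processes:",
    r"C:\WINDOWS\System32\smss.exe",
    "R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)",
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: {40e05adb-7fd8-7f9a-c6d4-aa90f833dd60} - {06dd338f-09aa-4d6c-a9f7-8df7bda50e04} - C:\WINDOWS\system32\mjosaxqs.dll (file missing)",
    r"O2 - BHO: (no name) - {248F3FC3-C813-49A1-8055-958FF2D1A1B4} - C:\WINDOWS\system32\geebb.dll (file missing)",
    r"O2 - BHO: (no name) - {768BA8BE-D63B-4B0F-9815-02D034C4B963} - C:\WINDOWS\system32\pmkji.dll (file missing)",
    r"O2 - BHO: (no name) - {B51625B4-DB83-47E2-96D7-536759681372} - C:\WINDOWS\system32\ddcya.dll (file missing)",
    r"O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll",
    r"O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe",
    r"O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll",
    "O20 - Winlogon Notify: gebbxxx - gebbxxx.dll (file missing)",
]

if __name__ == "__main__":
    for item in triage(SAMPLE_LOG):
        print(f"{item.reason:8} {item.code:4} {item.clsid or '-':40} {item.target}")
```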

rcb56
2008-02-09, 20:21
Here are the logs of the latest ComboFix and HJT scans. May I ask if I have said something wrong? I am well aware the problem is on my end. That is why I am here, seeking the help of those with far more knowledge than I have about these things. I've never doubted you or any of the programs used, and I'm VERY thankful for everyone's help. What I meant about the connection was when I opened the window that shows the connections, it was blank, just white. Same two weeks ago with System Restore: no title at the top of the window, nothing. And Search in Start only showed the dog, no search options, nothing. I in no way have meant to offend any of you helpful people; you are very good at what you do. Here are the scan logs...

"C:\WINDOWS\system32\ddcya.exe"
"C:\WINDOWS\system32\geebb.exe"
"C:\WINDOWS\system32\cqdtoipk.dll"
"C:\WINDOWS\system32\ddcya.dll"
"C:\WINDOWS\system32\geeda.dll"
"C:\WINDOWS\system32\mllml.dll"
"C:\WINDOWS\system32\oiiuirep.dll"
"C:\WINDOWS\system32\tdxyceek.dll"
"C:\WINDOWS\system32\wvusspn.dll"
"C:\WINDOWS\system32\aycdd.ini"
"C:\WINDOWS\system32\aycdd.ini2"
"C:\WINDOWS\system32\aycdd.ini"
"C:\WINDOWS\system32\periuiio.ini"
"C:\WINDOWS\system32\aycdd.ini"
"C:\WINDOWS\system32\aycdd.ini2"
"C:\WINDOWS\system32\periuiio.ini"
""C:\WINDOWS\system32\icqmlib.exe""
""C:\WINDOWS\system32\iepref32.dll""
""C:\WINDOWS\system32\ierplc.dll""
""C:\WINDOWS\system32\ips.dll""
""C:\WINDOWS\system32\lanmandrv.sys""
""C:\WINDOWS\system32\lanmanwrk.exe""
""C:\WINDOWS\system32\laprxy.dllexe""
""C:\WINDOWS\system32\ocxapi.dll""
""C:\WINDOWS\system32\ocxloader.exe""
""C:\WINDOWS\system32\qmopt.dll

and HJT...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:11, on 2008-02-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.highimpacthalo.org/forum
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5212
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5212
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {248F3FC3-C813-49A1-8055-958FF2D1A1B4} - C:\WINDOWS\system32\geebb.dll (file missing)
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {768BA8BE-D63B-4B0F-9815-02D034C4B963} - C:\WINDOWS\system32\pmkji.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" /minimize
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\kmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll (file missing)
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll (file missing)
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: gebbxxx - gebbxxx.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7550 bytes

I hope I did this right, and thanks. Let me know what's next.

rcb56
2008-02-09, 20:26
Looking at the log I see the ones you told me to select are still there. I swear that I checked them. I was real careful to do as you said. Unless I'm wrong and those are different? Do I need to run it again? Sorry to take so much of your time. :oops: :red:

pskelley
2008-02-09, 20:31
Thanks for the information you are returning; you have not posted a complete ComboFix log. Look here:
http://forums.spybot.info/showthread.php?t=23876
scroll to post #4; the ComboFix log (they will vary a little) starts like this:
___________________________________________
ComboFix 08-02.05.3 - Owner 2008-02-06 13:24:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.142 [GMT -7:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

and ends like this:
Completion time: 2008-02-06 13:36:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-06 20:36:25
.
2008-02-04 10:00:27 --- E O F ---
________________________________________
Please post the complete log. You will find it here: C:\combofix.txt. Copy and paste the complete text to this topic.

Thanks

rcb56
2008-02-10, 03:13
I knew that couldn't be right when I opened those (actually 2 log results) and that's all there was to them. I have found a few files, same time and date, that I think are from the scan. I'll list them below, but I haven't got a clue about this. One of the files only contains the row of parentheses shown in other logs. I hope this helps.

ComboDel.txt

Files to Move:
C:\WINDOWS\system32\icqmlib.exe|C:\QooBox\Quarantine\C\WINDOWS\system32\icqmlib.exe.vir
C:\WINDOWS\system32\iepref32.dll|C:\QooBox\Quarantine\C\WINDOWS\system32\iepref32.dll.vir
C:\WINDOWS\system32\ierplc.dll|C:\QooBox\Quarantine\C\WINDOWS\system32\ierplc.dll.vir
C:\WINDOWS\system32\ips.dll|C:\QooBox\Quarantine\C\WINDOWS\system32\ips.dll.vir
C:\WINDOWS\system32\lanmandrv.sys|C:\QooBox\Quarantine\C\WINDOWS\system32\lanmandrv.sys.vir
C:\WINDOWS\system32\lanmanwrk.exe|C:\QooBox\Quarantine\C\WINDOWS\system32\lanmanwrk.exe.vir
C:\WINDOWS\system32\laprxy.dllexe|C:\QooBox\Quarantine\C\WINDOWS\system32\laprxy.dllexe.vir
C:\WINDOWS\system32\ocxapi.dll|C:\QooBox\Quarantine\C\WINDOWS\system32\ocxapi.dll.vir
C:\WINDOWS\system32\ocxloader.exe|C:\QooBox\Quarantine\C\WINDOWS\system32\ocxloader.exe.vir
C:\WINDOWS\system32\qmopt.dll|C:\QooBox\Quarantine\C\WINDOWS\system32\qmopt.dll.vir

ComboFix.txt

ComboFix 08-02.05.3 - Owner 2008-02-09 11:52:20.6 - NTFSx86
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
ADS - svchost.exe: deleted 68 bytes in 1 streams.
ADS - ntoskrnl.exe: deleted 36 bytes in 1 streams.
ADS - explorer.exe: deleted 68 bytes in 1 streams.

drevB.dat

"C:\WINDOWS\system32\ddcya.exe"
"C:\WINDOWS\system32\geebb.exe"
"C:\WINDOWS\system32\cqdtoipk.dll"
"C:\WINDOWS\system32\ddcya.dll"
"C:\WINDOWS\system32\geeda.dll"
"C:\WINDOWS\system32\mllml.dll"
"C:\WINDOWS\system32\oiiuirep.dll"
"C:\WINDOWS\system32\tdxyceek.dll"
"C:\WINDOWS\system32\wvusspn.dll"
"C:\WINDOWS\system32\aycdd.ini"
"C:\WINDOWS\system32\aycdd.ini2"
"C:\WINDOWS\system32\aycdd.ini"
"C:\WINDOWS\system32\periuiio.ini"
"C:\WINDOWS\system32\aycdd.ini"
"C:\WINDOWS\system32\aycdd.ini2"
"C:\WINDOWS\system32\periuiio.ini"

SvcTarget.dat

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.


d-del4AV.dat

""C:\WINDOWS\system32\icqmlib.exe""
""C:\WINDOWS\system32\iepref32.dll""
""C:\WINDOWS\system32\ierplc.dll""
""C:\WINDOWS\system32\ips.dll""
""C:\WINDOWS\system32\lanmandrv.sys""
""C:\WINDOWS\system32\lanmanwrk.exe""
""C:\WINDOWS\system32\laprxy.dllexe""
""C:\WINDOWS\system32\ocxapi.dll""
""C:\WINDOWS\system32\ocxloader.exe""
""C:\WINDOWS\system32\qmopt.dll""

and here is the only Vundo log I can find anywhere...


VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Scan started at 10:22:14 AM 2/5/2008

Listing files found while scanning....

C:\WINDOWS\system32\bbeeg.ini
C:\WINDOWS\system32\bbeeg.ini2
C:\WINDOWS\system32\geebb.dll
C:\WINDOWS\system32\kxyxepux.dll
C:\WINDOWS\system32\onstvhvy.dll
C:\WINDOWS\system32\qbtirtul.dll
C:\WINDOWS\system32\tpjymcvb.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\bbeeg.ini
C:\WINDOWS\system32\bbeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\bbeeg.ini2
C:\WINDOWS\system32\bbeeg.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\geebb.dll
C:\WINDOWS\system32\geebb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kxyxepux.dll
C:\WINDOWS\system32\kxyxepux.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\onstvhvy.dll
C:\WINDOWS\system32\onstvhvy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qbtirtul.dll
C:\WINDOWS\system32\qbtirtul.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tpjymcvb.dll
C:\WINDOWS\system32\tpjymcvb.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\tpjymcvb.dll
C:\WINDOWS\system32\tpjymcvb.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Scan started at 2:36:40 PM 2/5/2008

Listing files found while scanning....

No infected files were found.


VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Scan started at 3:29:51 PM 2/5/2008

Listing files found while scanning....

No infected files were found.


VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Scan started at 20:32:33 2008-02-05

Listing files found while scanning....


VundoFix V6.7.8

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Scan started at 05:56:42 2008-02-08

Listing files found while scanning....

C:\WINDOWS\system32\aycdd.ini
C:\WINDOWS\system32\aycdd.ini2
C:\WINDOWS\system32\bxxxbwlp.dll
C:\WINDOWS\system32\ddcya.dll
C:\WINDOWS\system32\ddcya.exe
C:\WINDOWS\system32\geebb.exe
C:\windows\system32\geeda.dll
C:\WINDOWS\system32\mjosaxqs.dll
C:\windows\system32\mllml.dll
C:\WINDOWS\system32\pgrxdmry.dll
C:\WINDOWS\system32\wvusspn.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\aycdd.ini
C:\WINDOWS\system32\aycdd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\aycdd.ini2
C:\WINDOWS\system32\aycdd.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\bxxxbwlp.dll
C:\WINDOWS\system32\bxxxbwlp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcya.dll
C:\WINDOWS\system32\ddcya.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddcya.exe
C:\WINDOWS\system32\ddcya.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\geebb.exe
C:\WINDOWS\system32\geebb.exe Has been deleted!

Attempting to delete C:\windows\system32\geeda.dll
C:\windows\system32\geeda.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mjosaxqs.dll
C:\WINDOWS\system32\mjosaxqs.dll Has been deleted!

Attempting to delete C:\windows\system32\mllml.dll
C:\windows\system32\mllml.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pgrxdmry.dll
C:\WINDOWS\system32\pgrxdmry.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvusspn.dll
C:\WINDOWS\system32\wvusspn.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.7.8

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Scan started at 06:24:46 2008-02-08

Listing files found while scanning....

C:\WINDOWS\system32\ijkmp.ini
C:\WINDOWS\system32\ijkmp.ini2
C:\WINDOWS\system32\pmkji.dll
C:\WINDOWS\system32\pmkji.exe
C:\WINDOWS\system32\wvusspn.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ijkmp.ini
C:\WINDOWS\system32\ijkmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ijkmp.ini2
C:\WINDOWS\system32\ijkmp.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmkji.dll
C:\WINDOWS\system32\pmkji.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmkji.exe
C:\WINDOWS\system32\pmkji.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvusspn.dll
C:\WINDOWS\system32\wvusspn.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\wvusspn.dll
C:\WINDOWS\system32\wvusspn.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.7.8

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Scan started at 8:32:47 PM 2/8/2008

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.7.8

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Scan started at 01:39:30 2008-02-09

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.7.8

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Scan started at 18:05:18 2008-02-09

Listing files found while scanning....

No infected files were found.

i hope you can make some sense of this. again i appreciate your patience in helping more than i can say. i know i'm of little help. i'd have made a good scarecrow in the wizard of oz. if i only had a brain. let me know what i need to do next.

pskelley
2008-02-10, 14:35
OK, that still does not look like a complete combofix log but I will live with it, I can see it was installed correctly. What I want you to do is remove combofix, make sure to delete the C:\qoobox\quarantine\ folder and remove Vundofix, making sure to delete the C:\Vundofix\Backups\ folder. Once that is done, post a new Kaspersky Online Scan. Include feedback about how the computer is performing. Use these settings:
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Thanks

rcb56
2008-02-10, 19:13
okay, i went to the site for the scan and it said if i had it on my pc to uninstall it or it wouldn't work correctly. i uninstalled it and clicked 'i agree' and it shows the window initializing the download now for four hours. it's never taken this long to d'load or upload the updates. it hasn't even got to the updates yet. have i done something wrong? is it better for you if i pm you with questions like this? thanks...

rcb56
2008-02-10, 19:15
i meant to add, at the bottom of the IE window where the d'load is initializing there is a caution sign with error loading page.

pskelley
2008-02-10, 19:23
I have no idea why it won't download, but not all computers can download it. Why don't we consider the situation. Suppose you post me a new HJT log and describe any malware issues you are experiencing.

Thanks

rcb56
2008-02-10, 19:33
here's the new log. i haven't had any problems of any kind other than that. i had d'loaded the scanner twice before as you had instructed previously. the second time it said to uninstall previous versions and i did. both times it only took a few minutes to initiate, update and didn't take very long to run the scan. i'm running VERY smooth here now for maybe the last 24 hours but i've done no surfing, emailing or other internet activity of any kind as to be careful not to complicate things further.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24, on 2008-02-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.highimpacthalo.org/forum
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5212
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.gateway.com/g/startpage.html?Ch=Retail&Br=EM&Loc=ENG_US&Sys=DTP&M=T5212
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: EWPBrowseObject Class - {68F9551E-0411-48E4-9AAF-4BC42A6A46BE} - C:\Program Files\Canon\Easy-WebPrint\EWPBrowseLoader.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" /minimize
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\kmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Toolband.dll/RC_Print.html
O9 - Extra button: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll (file missing)
O9 - Extra 'Tools' menuitem: Popup Blocker - {0D555BC6-E331-48b3-A60E-AAC0DF79438A} - C:\Program Files\DefenderPro AntiSpy\PopupBlocker\PopupBlocker.dll (file missing)
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://pcpitstop.com/mhLbl.cab
O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe

--
End of file - 6714 bytes

pskelley
2008-02-10, 19:51
What are you running as your realtime antivirus program? I am not talking about an online scan, I see this:
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" /minimize

but I do not see it in running processes? If that is your antivirus provider, make sure it is running and run a system scan, let me know the results.
I can turn you loose, but I do want to make sure you are not going to have problems.

You can keep ATF-Cleaner if you wish, but I want you to remove from your computer all other tools we downloaded.

Thanks
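The check pskelley does by eye above (a Run key points at kav.exe, but kav.exe is not in the running-process list) can be automated. This is an added example written for this thread, not part of HijackThis; the sample log is a constructed excerpt of the log posted above, and it also reports the entries HijackThis already marked "(file missing)".

```python
"""Cross-check a HijackThis log: which O4/O23 autostart entries point at a
binary that is absent from the 'Running processes' section, and which
entries HijackThis itself marked '(file missing)'.

Added example for this thread; not part of HijackThis. SAMPLE_LOG is a
constructed excerpt of the log posted above (only the lines the check needs).
"""
import re
from typing import List, Set, Tuple

SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:24, on 2008-02-09

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\Program Files\SiteAdvisor\6253\SAService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Defender Pro\Defender Pro Anti-Virus\kav.exe" /minimize
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\kmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O23 - Service: SiteAdvisor Service - Unknown owner - C:\Program Files\SiteAdvisor\6253\SAService.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - Unknown owner - C:\Program Files\COMODO\Firewall\cmdagent.exe (file missing)
"""

# O4 line: "O4 - <hive>\..\Run: [<name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
# O23 line: "O23 - Service: <display name> - <owner> - <path>"
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.*)$')
# First Windows path ending in .exe inside a command line (quotes optional).
EXE_RE = re.compile(r'[A-Za-z]:\\[^"\r\n]*?\.exe', re.IGNORECASE)
# Path immediately preceding HijackThis' "(file missing)" marker (any extension).
MISSING_RE = re.compile(r'([A-Za-z]:\\.*?) \(file missing\)')
FILE_MISSING = "(file missing)"


def parse_running_processes(log: str) -> Set[str]:
    """Lower-cased paths listed under 'Running processes:' (Windows paths
    are case-insensitive; the log mixes System32 and system32)."""
    running: Set[str] = set()
    in_section = False
    for line in log.splitlines():
        if line.strip() == "Running processes:":
            in_section = True
            continue
        if in_section:
            if not line.strip():
                break  # a blank line ends the section
            running.add(line.strip().lower())
    return running


def parse_autostarts(log: str) -> List[Tuple[str, str, str]]:
    """(section, name, exe path) for O4 and O23 entries whose file exists;
    entries HijackThis already marked '(file missing)' are reported separately."""
    entries: List[Tuple[str, str, str]] = []
    for line in log.splitlines():
        if FILE_MISSING in line:
            continue
        m = O4_RE.match(line)
        if m:
            exe = EXE_RE.search(m.group("cmd"))
            if exe:
                entries.append(("O4", m.group("name"), exe.group(0)))
            continue
        m = O23_RE.match(line)
        if m:
            exe = EXE_RE.search(m.group("path"))
            if exe:
                entries.append(("O23", m.group("name"), exe.group(0)))
    return entries


def find_autostarts_not_running(log: str) -> List[Tuple[str, str, str]]:
    """Autostart entries whose binary is not in the running-process list,
    e.g. an antivirus that is configured to start but has been disabled."""
    running = parse_running_processes(log)
    return [e for e in parse_autostarts(log) if e[2].lower() not in running]


def find_file_missing(log: str) -> List[Tuple[str, str]]:
    """(section, path) for entries flagged '(file missing)': leftovers of
    uninstalled software that can be cleaned from the registry."""
    found: List[Tuple[str, str]] = []
    for line in log.splitlines():
        m = MISSING_RE.search(line)
        if m and " - " in line:
            found.append((line.split(" - ", 1)[0], m.group(1)))
    return found


if __name__ == "__main__":
    for section, name, path in find_autostarts_not_running(SAMPLE_LOG):
        print(f"{section} [{name}] configured but not running: {path}")
    for section, path in find_file_missing(SAMPLE_LOG):
        print(f"{section} points at a missing file: {path}")
```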

rcb56
2008-02-10, 20:06
i've been using zone alarm a-v, i had disabled it so not to interfere with the kas d'load and scan. i'll run a scan and post results. i removed combofix and vundofix as you said to earlier and all of their files except for the last log of vundofix which showed no findings. i don't need crutches if i can walk but a hankie to blow on comes in handy so i'll keep the cleaner for now and thanks.

rcb56
2008-02-10, 23:45
i downloaded their free trial and ran a full scan. here is a copy of the report before actions and a copy of the results. it says all threats successfully disinfected. any suggestions on doing more?

deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP10\A0051149.dll
deleted: adware not-a-virus:AdWare.Win32.WeatherBug.a File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP13\A0055997.EXE
deleted: adware not-a-virus:AdWare.Win32.WeatherBug.a File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP13\A0056156.EXE//WiseSFXDropper//WISE0012.BIN
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.eby File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP16\A0056985.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP18\A0057982.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP22\A0058981.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.edw File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP22\A0058982.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.edw File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP24\A0060493.dll
deleted: adware not-a-virus:AdWare.Win32.SuperJuan.kp File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP24\A0060495.dll
deleted: adware not-a-virus:AdWare.Win32.SuperJuan.kp File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP24\A0060496.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP24\A0060510.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP24\A0060511.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP24\A0060513.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP24\A0060533.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP24\A0060536.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP24\A0060558.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.giq File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP27\A0061171.dll
deleted: Trojan program Trojan-Downloader.Win32.Agent.idv File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP27\A0061177.exe//PE_Patch.Upolyx//PE_Patch.UPX//UPX
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062150.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062152.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062153.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062154.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062155.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062156.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062157.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062158.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062159.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062160.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062161.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062162.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP30\A0062163.dll
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP31\A0064087.exe
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP31\A0064088.exe
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP31\A0065088.exe
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP31\A0065089.exe
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP31\A0065090.exe
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP32\A0066242.dll
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP33\A0067025.exe
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.giq File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP33\A0067044.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0067203.dll
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0068071.EXE
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0068073.exe
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0068074.exe
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0069077.exe
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0069182.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0069183.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0069184.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0069185.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0069196.dll
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP34\A0069202.exe
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP38\A0069826.exe
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP39\A0069865.exe
deleted: adware not-a-virus:AdWare.Win32.PurityScan.gp File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP39\A0069940.exe//data0001
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP39\A0069941.dll
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP39\A0070050.exe
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP39\A0070978.exe
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.giq File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP39\A0071079.dll
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP41\A0073088.exe
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP41\A0073089.exe
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP41\A0073097.exe
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP41\A0073245.exe
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP41\A0073371.exe
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP41\A0074388.exe
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP41\A0074391.exe
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP41\A0075371.exe
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP41\A0075375.exe
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP41\A0076374.exe
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP41\A0076377.exe
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP41\A0077373.exe
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP41\A0077668.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP41\A0077669.dll
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP41\A0077670.exe
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP41\A0077672.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP41\A0077674.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.giq File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP41\A0077787.dll
not found: virus Heur.Invader (modification) File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP42\A0077897.exe//PE_Patch.UPX/327882R2FWJFW\catchme.cfexe
not found: virus Heur.Invader (modification) File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP44\A0085071.exe//PE_Patch.UPX/327882R2FWJFW\catchme.cfexe
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP44\A0085828.exe
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP44\A0085830.exe
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP44\A0085831.exe
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP44\A0086543.exe
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP44\A0086544.exe
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP45\A0086579.exe
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP45\A0086580.exe
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP46\A0086905.exe
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP47\A0086910.exe
deleted: virus Virus.Win32.Trats.d File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP47\A0086911.exe
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP47\A0086912.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP47\A0086913.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP47\A0086916.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP47\A0086917.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.giq File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP47\A0086918.dll
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.giq File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP47\A0086986.dll
not found: virus Heur.Invader (modification) File: C:\System Volume Information\_restore{4E015214-6BB0-4181-B365-456CF1DEC069}\RP48\A0087372.exe//PE_Patch.UPX/327882R2FWJFW\catchme.cfexe
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.gen File: C:\WINDOWS\system32\xlgmnhfl.dll.vzr

pskelley
2008-02-10, 23:51
Looks to me like System Restore needs to be cleaned, Kaspersky cannot clean those protected files, follow these directions:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

If you need anything else, let me know.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

rcb56
2008-02-11, 00:18
okay sir! i did as suggested in that link. thanks for the other links, i'm going to visit them tonight and i always have room to learn.

now, i honestly can't say thanks enough to mr. kelley sir, gen norman schwarzkopf has nothing on you. you simply kick a$$. and to all other helpful people who kicked in help and are not named, my sons and i thank you as best we know how.

to those here looking for help, you are in the right place. my advice to you is be patient, do as they say and if there is a fix for what ails you, they'll help you.

mr. kelley again, THANK YOU!