I still have virtumonde
yellowbird
2008-02-12, 00:37
Hi -
I have run spybot s&d in Safe Mode but still have virtumonde coming up in scans. Here is my Kaspersky log. HJT log is too long to include in this post, so I'll post it as a reply to this one. Please let me know what I need to do next to get this fixed. I really appreciate your help!
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, February 11, 2008 12:31:08 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/02/2008
Kaspersky Anti-Virus database records: 557799
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Scan Statistics:
Total number of scanned objects: 142581
Number of viruses found: 23
Number of infected objects: 65
Number of suspicious objects: 0
Duration of the scan process: 02:37:24
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Application Data\Mozilla\Firefox\Profiles\362zmt2f.default\cert8.db Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Application Data\Mozilla\Firefox\Profiles\362zmt2f.default\history.dat Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Application Data\Mozilla\Firefox\Profiles\362zmt2f.default\key3.db Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Application Data\Mozilla\Firefox\Profiles\362zmt2f.default\parent.lock Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Application Data\Mozilla\Firefox\Profiles\362zmt2f.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Application Data\Mozilla\Firefox\Profiles\362zmt2f.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Application Data\ѕуstem32\wuauboot.exe Infected: Trojan-Downloader.Win32.PurityScan.fj skipped
C:\Documents and Settings\Erich Brouhard\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Application Data\Mozilla\Firefox\Profiles\362zmt2f.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Application Data\Mozilla\Firefox\Profiles\362zmt2f.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Application Data\Mozilla\Firefox\Profiles\362zmt2f.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Application Data\Mozilla\Firefox\Profiles\362zmt2f.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\History\History.IE5\MSHist012008021120080212\index.dat Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Temporary Internet Files\Content.IE5\4X6FW1QN\ADCFreeInstaller[1].exe Infected: not-a-virus:Downloader.Win32.AdvancedCleaner.c skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Temporary Internet Files\Content.IE5\816ZKHUF\17PHolmes[1].cmt Infected: Trojan-Downloader.Win32.Agent.iug skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Temporary Internet Files\Content.IE5\816ZKHUF\_bm1fbWRfcmlka2tpaTIyX3JvbjNfbWE4_aHR0cA_bm1fNjg3MjNfNDk3NjM4ZDBkNzFkMTFkYzk1MDBmNjg3MjNkZWZmZmZfNjkxZTgxOWM3MTQ5NGEzYTlkOWUxMGJiMzE3N2M5M2I_[1].exe Infected: not-virus:Hoax.Win32.Renos.aun skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Temporary Internet Files\Content.IE5\G9ZGNS2W\AntiVirusInstallFreeNM_en[1].cab/UGA6P_0001_N120M1710NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.an skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Temporary Internet Files\Content.IE5\G9ZGNS2W\AntiVirusInstallFreeNM_en[1].cab CAB: infected - 1 skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Temporary Internet Files\Content.IE5\J7MIWIDG\CA5WUTHN Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Temporary Internet Files\Content.IE5\J7MIWIDG\installer[1].exe/file1 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Temporary Internet Files\Content.IE5\J7MIWIDG\installer[1].exe/file2 Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Temporary Internet Files\Content.IE5\J7MIWIDG\installer[1].exe/file4 Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Temporary Internet Files\Content.IE5\J7MIWIDG\installer[1].exe Inno: infected - 3 skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Temporary Internet Files\Content.IE5\M5VAO8MQ\rasesnet[1].exe Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Temporary Internet Files\Content.IE5\WLE7G9AN\snapsnet[1].exe/data0006 Infected: Trojan-Downloader.Win32.VB.cgu skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Temporary Internet Files\Content.IE5\WLE7G9AN\snapsnet[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Temporary Internet Files\Content.IE5\WLE7G9AN\yazzsnet[1].exe/data0003 Infected: Trojan.Win32.Scapur.k skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Temporary Internet Files\Content.IE5\WLE7G9AN\yazzsnet[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Temporary Internet Files\Content.IE5\XZVYL7A8\!update-4495[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.fk skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Temporary Internet Files\Content.IE5\XZVYL7A8\17PHolmes[1].cmt Infected: Trojan-Downloader.Win32.Agent.iug skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Temporary Internet Files\Content.IE5\XZVYL7A8\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Erich Brouhard\ntuser.dat Object is locked skipped
C:\Documents and Settings\Erich Brouhard\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1263\A0123587.dll Infected: Trojan-Spy.Win32.Agent.ir skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1264\A0125656.exe Infected: not-a-virus:Monitor.Win32.NetMon.a skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1264\A0125658.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1264\A0125660.exe Infected: not-a-virus:FraudTool.Win32.DrAntispy.ax skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1264\A0125662.dll Infected: not-a-virus:FraudTool.Win32.BraveSentry.f skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1264\A0125664.dll Infected: not-a-virus:FraudTool.Win32.BraveSentry.b skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1264\A0125667.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1264\A0125668.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1264\A0125668.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1264\A0125669.dll Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1264\A0125670.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1264\A0125672.exe Infected: not-virus:Hoax.Win32.Renos.aun skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1264\A0125681.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1264\A0125683.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1264\A0126674.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1264\A0126700.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1264\A0126701.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1264\A0126702.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1264\A0126703.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1264\A0126704.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1264\A0126705.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1266\change.log Object is locked skipped
C:\VundoFix Backups\iagofjkv.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\jkkli.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\leeskeaj.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\nwjqdvac.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\tuvuvut.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\xxyywxw.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\yxsatqxy.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\mrofinu1000106.exe Infected: Trojan-Downloader.Win32.Agent.iug skipped
C:\WINDOWS\mrofinu572.exe Infected: Trojan-Downloader.Win32.Agent.iug skipped
C:\WINDOWS\RXJpY2ggQnJvdWhhcmQ\asappsrv.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\WINDOWS\RXJpY2ggQnJvdWhhcmQ\command.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\ac1\tliamdll2.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\WINDOWS\system32\afern.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gv skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\atinrvxxx.sys Object is locked skipped
C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINDOWS\system32\ehbukosj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\jdjvyehn.exe Infected: Trojan-Spy.Win32.Agent.ir skipped
C:\WINDOWS\system32\kp9\liopud89104.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\WINDOWS\system32\kp9\liopud89104.exe NSIS: infected - 1 skipped
C:\WINDOWS\system32\mmqoaaaa.exe Infected: Trojan-Clicker.Win32.Delf.hi skipped
C:\WINDOWS\system32\mvrcuaaa.exe Infected: Backdoor.Win32.Small.na skipped
C:\WINDOWS\system32\mxmmcaaa.exe Infected: Trojan-Spy.Win32.BZub.ik skipped
C:\WINDOWS\system32\nastrdmw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe Infected: Trojan-Downloader.Win32.VB.cgu skipped
C:\WINDOWS\system32\rtxhnnue.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\ttehgaju.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\xxyywxw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
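The report above mixes live infections with inert copies (System Restore snapshots, the VundoFix backup folder, cached browser downloads) and with locked system files that were simply not scanned. The following Python script is an added example, not part of the thread or of any tool mentioned in it: it parses lines in the report's format and sorts the hits into those buckets so the active ones stand out. The sample lines are a constructed subset of the posted report, and the location rules and verdict-family grouping are my own assumptions about how a helper reads such a log.

```python
import re
from collections import Counter

# Constructed sample in the line format of the Kaspersky Online Scanner report
# above. Three line shapes occur: "<path> Infected: <verdict> skipped",
# "<path> <Container>: infected - <n> skipped" and "<path> Object is locked skipped".
SAMPLE_REPORT = r"""
C:\Documents and Settings\Erich Brouhard\ntuser.dat Object is locked skipped
C:\WINDOWS\system32\xxyywxw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\mvrcuaaa.exe Infected: Backdoor.Win32.Small.na skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1264\A0125670.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\VundoFix Backups\jkkli.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Temporary Internet Files\Content.IE5\M5VAO8MQ\rasesnet[1].exe Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Temporary Internet Files\Content.IE5\G9ZGNS2W\AntiVirusInstallFreeNM_en[1].cab CAB: infected - 1 skipped
""".strip()

LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<verdict>\S+)"
    r"|(?P<container>\w+): infected - (?P<count>\d+)"
    r"|Object is locked)"
    r" skipped$"
)

# Assumed location rules: only the "active" bucket is a live infection. The others
# are inert copies, cleared by purging restore points, deleting the tool's backup
# folder, or emptying the browser cache once the live files are gone.
LOCATION_RULES = [
    ("restore_point", r"\\_restore\{"),
    ("tool_backup", r"\\VundoFix Backups\\"),
    ("browser_cache", r"\\Temporary Internet Files\\"),
]


def verdict_family(verdict):
    """'not-a-virus:AdWare.Win32.Virtumonde.gen' -> 'AdWare.Win32.Virtumonde' (variant suffix dropped)."""
    name = verdict.split(":")[-1]  # drop the 'not-a-virus:' / 'not-virus:' prefix
    parts = name.split(".")
    return ".".join(parts[:3]) if len(parts) > 3 else name


def classify_location(path):
    for bucket, pattern in LOCATION_RULES:
        if re.search(pattern, path):
            return bucket
    return "active"


def parse_report(text):
    """Turn object lines into records; header and statistics lines are ignored."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        if d["verdict"] is not None:
            records.append({"path": d["path"], "status": "infected", "verdict": d["verdict"]})
        elif d["container"] is not None:
            desc = f"{d['container']} archive with {d['count']} infected member(s)"
            records.append({"path": d["path"], "status": "container", "verdict": desc})
        else:
            records.append({"path": d["path"], "status": "locked", "verdict": None})
    return records


def triage(records):
    """Group hits by location and count verdict families; locked objects are counted, not classified."""
    buckets = {"active": [], "restore_point": [], "tool_backup": [], "browser_cache": []}
    families = Counter()
    locked = 0
    for r in records:
        if r["status"] == "locked":
            locked += 1
            continue
        buckets[classify_location(r["path"])].append(r["path"])
        if r["status"] == "infected":
            families[verdict_family(r["verdict"])] += 1
    return {"buckets": buckets, "families": families, "locked": locked}


if __name__ == "__main__":
    result = triage(parse_report(SAMPLE_REPORT))
    for bucket, paths in result["buckets"].items():
        print(f"{bucket}: {len(paths)}")
        for p in paths:
            print("   ", p)
    print("locked (not scanned):", result["locked"])
    print("verdict families:", dict(result["families"]))
```

On the sample the two system32 hits land in the "active" bucket while the restore-point, backup-folder and cache copies are set aside; the "locked" count reminds the reader that registry hives and event logs were never inspected, which is why an online scan alone cannot declare a machine clean.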
yellowbird
2008-02-12, 00:39
Here is the HJT log that wouldn't fit before:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:05:04 PM, on 2/11/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\Secure Desktop\Storage.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\LTSMMSG.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\fxredir.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\DOCUME~1\ERICHB~1\APPLIC~1\STEM32~1\wuauboot.exe
C:\Program Files\Common Files\??crosoft\??oolsv.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\RABCO\X_RABCOse.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Documents and Settings\Erich Brouhard\Desktop\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2AE91ECB-FD63-4FBF-A276-10468A914C5D} - C:\WINDOWS\System32\mljgf.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {606FC9C9-5A7F-60AA-0065-5E00B7CADBCF} - C:\WINDOWS\System32\afern.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {81C66839-993F-4EEB-AF67-A0380C18A0CA} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\nastrdmw.dll (file missing)
O2 - BHO: (no name) - {B86F9027-6FBC-4570-B489-D097D00B4903} - C:\WINDOWS\System32\pmnnk.dll (file missing)
O2 - BHO: (no name) - {C0E7A6CC-CF24-446C-9C51-7C3D7A280A8E} - C:\WINDOWS\System32\jkkli.dll (file missing)
O2 - BHO: (no name) - {CB7FE559-01FE-438C-882D-878E7930F28F} - C:\WINDOWS\System32\ddaby.dll (file missing)
O2 - BHO: (no name) - {E180F496-8A4B-44E2-9FE0-0364E345DB7F} - C:\WINDOWS\System32\xxyywxw.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Iinl] "C:\DOCUME~1\ERICHB~1\APPLIC~1\STEM32~1\wuauboot.exe" -vt yazb
O4 - HKCU\..\Run: [Lbr] "C:\Program Files\Common Files\??crosoft\??oolsv.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: RABCO - Auto Update.lnk = C:\Program Files\RABCO\RABCOse.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: InstallerJava - https://webmail.usaa.com/CACHE/sdesktop/install/binaries/instjava.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/26512945663cbb16be05/netzip/RdxIE601.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - https://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5028/mcfscan.cab
O20 - Winlogon Notify: iwripami - iwripami.dll (file missing)
O20 - Winlogon Notify: nastrdmw - nastrdmw.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Firewall - Network Associates, Inc. - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Cisco Systems Secure Desktop (TwingoStorageService) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\Secure Desktop\Storage.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
--
End of file - 10929 bytes
Thank you.
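A HijackThis log is read by looking for a few tell-tale shapes rather than by knowing every entry: unnamed BHOs whose file is missing (stale CLSIDs left behind by an earlier removal), unnamed BHOs whose file is still present, Run entries that launch from a user profile or from a directory whose name the log cannot display, and Winlogon Notify hooks pointing at a missing DLL. The script below is an added example, not part of this thread or of HijackThis itself: it applies those checks to a constructed subset of the log above plus two benign entries for contrast. The heuristics and the reason strings are my own assumptions.

```python
import re

# Constructed sample in HijackThis v2.0.2 log format: a subset of the entries
# posted above, plus a benign O2 and O23 line that should produce no finding.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2AE91ECB-FD63-4FBF-A276-10468A914C5D} - C:\WINDOWS\System32\mljgf.dll (file missing)
O2 - BHO: (no name) - {606FC9C9-5A7F-60AA-0065-5E00B7CADBCF} - C:\WINDOWS\System32\afern.dll
O2 - BHO: (no name) - {81C66839-993F-4EEB-AF67-A0380C18A0CA} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKCU\..\Run: [Iinl] "C:\DOCUME~1\ERICHB~1\APPLIC~1\STEM32~1\wuauboot.exe" -vt yazb
O4 - HKCU\..\Run: [Lbr] "C:\Program Files\Common Files\??crosoft\??oolsv.exe"
O20 - Winlogon Notify: nastrdmw - nastrdmw.dll (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
""".strip()

ENTRY_RE = re.compile(r"^(?P<section>O\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")

# Assumed reason strings (my wording, not HijackThis output).
ORPHAN_BHO = "orphaned BHO registration: the CLSID still points at a DLL that no longer exists"
UNNAMED_BHO = "unnamed BHO backed by an existing DLL: no vendor name, check the path against the scanner report"
HIDDEN_CHARS = "Run target path contains characters the log cannot display (look-alike directory name)"
PROFILE_AUTOSTART = "program auto-starting from the user's Application Data folder instead of Program Files or Windows"
ORPHAN_NOTIFY = "orphaned Winlogon Notify entry: the DLL is missing but is still registered to load at logon"


def run_target(cmd):
    """The executable part of a Run command: the quoted path if present, else the text before the first switch."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    return re.split(r" [-/]", cmd, maxsplit=1)[0]


def triage_hjt(text):
    """Return a list of {section, entry, reason} findings for the entries worth a second look."""
    findings = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        reason = None
        if section == "O2" and "(no name)" in body:
            missing = body.endswith("(file missing)") or body.endswith("(no file)")
            reason = ORPHAN_BHO if missing else UNNAMED_BHO
        elif section == "O4":
            r = RUN_RE.match(body)
            if r:
                target = run_target(r.group("cmd"))
                if "?" in target:
                    reason = HIDDEN_CHARS
                elif re.search(r"\\APPLIC~1\\|\\Application Data\\", target, re.IGNORECASE):
                    reason = PROFILE_AUTOSTART
        elif section == "O20" and body.endswith("(file missing)"):
            reason = ORPHAN_NOTIFY
        if reason:
            findings.append({"section": section, "entry": body, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT):
        print(f"{f['section']}: {f['entry']}\n    -> {f['reason']}")
```

The "(file missing)" findings are leftovers to clean up rather than running code, whereas the unnamed BHO with a present DLL and the two HKCU Run entries are the lines that still load something at boot; cross-checking them against the scanner report above (afern.dll and wuauboot.exe both appear there with verdicts) is the check a helper performs before asking for a fix.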
pskelley
2008-02-12, 14:13
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page. Thanks for posting the correct information.
You are still infected, please keep this computer offline except when troubleshooting, the junk may download more. Read and follow all directions carefully or the tools will not work. If you have any tool I use, delete it and download it new from the link I provide.
1) We first need to disable TeaTimer so that it doesn't interfere with the fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)
2) Thanks to Atribune and any others who helped with this fix.
http://vundofix.atribune.org/ <<< tutorial
"Download VundoFix" to your Desktop
http://www.atribune.org/ccount/click.php?id=4
Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will attempt to run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on the C:\
(wait until you finish to post reports and logs)
3) Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Thanks to sUBs and anyone else who helped with this fix.
It is important that it is saved directly to your Desktop
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.
Post the Vundofix.txt, combofix log and a new HJT log.
Thanks
yellowbird
2008-02-13, 01:58
Hi pskelley -
Thank you so much for your reply. I followed your instructions; here are the logs you requested (vundofix and combofix below, hjt in a separate reply due to size):
VundoFix V6.7.8
Checking Java version...
Java version is 1.5.0.7
Old versions of java are exploitable and should be removed.
Scan started at 10:57:01 AM 2/12/2008
Listing files found while scanning....
C:\WINDOWS\system32\ehbukosj.dll
C:\WINDOWS\system32\eunnhxtr.ini
C:\WINDOWS\system32\glvrqcrr.dll
C:\WINDOWS\system32\jswyiidn.dll
C:\WINDOWS\system32\nastrdmw.dll
C:\WINDOWS\system32\ndiiywsj.ini
C:\WINDOWS\system32\rtxhnnue.dll
C:\WINDOWS\system32\ssqro.dll
C:\WINDOWS\system32\ttehgaju.dll
C:\WINDOWS\system32\xxyywxw.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ehbukosj.dll
C:\WINDOWS\system32\ehbukosj.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\eunnhxtr.ini
C:\WINDOWS\system32\eunnhxtr.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\glvrqcrr.dll
C:\WINDOWS\system32\glvrqcrr.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\jswyiidn.dll
C:\WINDOWS\system32\jswyiidn.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ndiiywsj.ini
C:\WINDOWS\system32\ndiiywsj.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\rtxhnnue.dll
C:\WINDOWS\system32\rtxhnnue.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ssqro.dll
C:\WINDOWS\system32\ssqro.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\ttehgaju.dll
C:\WINDOWS\system32\ttehgaju.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\xxyywxw.dll
C:\WINDOWS\system32\xxyywxw.dll Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.7.8
Checking Java version...
Java version is 1.5.0.7
Old versions of java are exploitable and should be removed.
Scan started at 11:18:40 AM 2/12/2008
Listing files found while scanning....
C:\WINDOWS\system32\ttstv.ini
C:\WINDOWS\system32\ttstv.ini2
C:\WINDOWS\system32\vtstt.dll
C:\WINDOWS\system32\xxyywxw.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ttstv.ini
C:\WINDOWS\system32\ttstv.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\ttstv.ini2
C:\WINDOWS\system32\ttstv.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\vtstt.dll
C:\WINDOWS\system32\vtstt.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\xxyywxw.dll
C:\WINDOWS\system32\xxyywxw.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\xxyywxw.dll
C:\WINDOWS\system32\xxyywxw.dll Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V6.7.8
Checking Java version...
Java version is 1.5.0.7
Old versions of java are exploitable and should be removed.
Scan started at 11:40:49 AM 2/12/2008
Listing files found while scanning....
C:\WINDOWS\system32\xxyywxw.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\xxyywxw.dll
C:\WINDOWS\system32\xxyywxw.dll Could not be deleted.
Performing Repairs to the registry.
Done!
ComboFix 08-02-13.1 - Erich Brouhard 2008-02-12 12:01:41.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.178 [GMT -7:00]
Running from: C:\Documents and Settings\Erich Brouhard\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\drivers\atinrvxxx.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\Documents and Settings\Erich Brouhard\Application Data\STEM32~1
C:\Documents and Settings\Erich Brouhard\Application Data\STEM32~1\??stem32\
C:\Documents and Settings\Erich Brouhard\Application Data\STEM32~1\wuauboot.exe
C:\Documents and Settings\Erich Brouhard\g2mdlhlpx.exe
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Program Files\Common Files\crosof~1
C:\Program Files\Common Files\crosof~1\??oolsv.exe
C:\Program Files\outerinfo
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\isgTi19
C:\Temp\isgTi19\lPig.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\mrofinu1000106.exe
C:\WINDOWS\mrofinu572.exe
C:\WINDOWS\system32\ac1
C:\WINDOWS\system32\ac1\tliamdll2.exe
C:\WINDOWS\system32\afern.dll
C:\WINDOWS\system32\cdedntia.ini
C:\WINDOWS\system32\drivers\atinrvxxx.sys
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\fgjlm.ini
C:\WINDOWS\system32\fgjlm.ini2
C:\WINDOWS\system32\HVK56.sys
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\nGpxx01\nGpxx011065.exe
C:\WINDOWS\system32\orqss.ini
C:\WINDOWS\system32\orqss.ini2
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\xxyywxw.dll
C:\WINDOWS\system32\ybadd.ini
C:\WINDOWS\system32\ybadd.ini2
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_ATINRVXXX
-------\LEGACY_CMDSERVICE
-------\LEGACY_HVK56
-------\LEGACY_NETWORK_MONITOR
-------\atinrvxxx
-------\Network Monitor
-------\RpcApi
((((((((((((((((((((((((( Files Created from 2008-01-13 to 2008-02-13 )))))))))))))))))))))))))))))))
.
2008-02-10 18:48 . 2008-02-10 18:48 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-10 18:48 . 2008-02-10 18:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-10 18:17 . 2002-06-14 18:46 19,274 --a------ C:\WINDOWS\000001_.tmp
2008-02-10 13:58 . 2008-02-12 11:37 <DIR> d-------- C:\VundoFix Backups
2008-02-10 13:55 . 2008-02-10 13:55 0 --a------ C:\WINDOWS\nsreg.dat
2008-02-09 15:45 . 2008-02-09 15:45 294 --ahs---- C:\WINDOWS\system32\cavdqjwn.ini
2008-02-09 12:24 . 2008-02-11 14:10 833 --a------ C:\WINDOWS\wininit.ini
2008-02-09 10:20 . 2008-02-09 10:20 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-02-09 10:20 . 2008-02-09 11:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-09 07:57 . 2008-02-09 10:14 <DIR> d-------- C:\Program Files\Spyware Doctor
2008-02-09 07:57 . 2008-02-09 10:14 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-02-09 07:39 . 2008-02-09 13:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-02-09 07:35 . 2008-02-09 07:35 <DIR> d-------- C:\WINDOWS\system32\za7
2008-02-09 07:35 . 2008-02-09 07:35 <DIR> d-------- C:\WINDOWS\system32\wd11
2008-02-09 07:35 . 2008-02-09 07:35 <DIR> d-------- C:\WINDOWS\system32\kp9
2008-02-09 07:35 . 2008-02-09 07:35 <DIR> d--hs---- C:\WINDOWS\RXJpY2ggQnJvdWhhcmQ
2008-02-09 07:35 . 2008-02-13 12:02 <DIR> d-------- C:\Temp
2008-02-09 07:35 . 2008-02-09 07:40 <DIR> d-------- C:\Program Files\RABCO
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-16 14:07 --------- d-----w C:\Program Files\Costco
2007-12-16 14:07 --------- d-----w C:\Program Files\Common Files\HP
2007-12-16 14:07 --------- d-----w C:\Documents and Settings\Erich Brouhard\Application Data\Costco Photo Organizer
2007-12-16 14:06 --------- d-----w C:\Documents and Settings\Erich Brouhard\Application Data\Costco Photo Viewer US
2007-12-13 17:41 --------- d-----w C:\Documents and Settings\Erich Brouhard\Application Data\Snapfish
2005-08-02 23:46 187,904 --sha-r C:\WINDOWS\RXJpY2ggQnJvdWhhcmQ\asappsrv.dll
2005-08-02 23:58 293,888 --sha-r C:\WINDOWS\RXJpY2ggQnJvdWhhcmQ\command.exe
2005-07-29 23:24 472 --sha-r C:\WINDOWS\RXJpY2ggQnJvdWhhcmQ\lrLDsZ00kBLSxq11wAk.vbs
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2AE91ECB-FD63-4FBF-A276-10468A914C5D}]
C:\WINDOWS\System32\mljgf.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6656BF0F-2716-4DBC-90EF-A70EEE495A09}]
C:\WINDOWS\System32\vtstt.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{736541F1-A5B3-41FE-93E1-7F10484C79E2}]
C:\WINDOWS\System32\ssqro.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B86F9027-6FBC-4570-B489-D097D00B4903}]
C:\WINDOWS\System32\pmnnk.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C0E7A6CC-CF24-446C-9C51-7C3D7A280A8E}]
C:\WINDOWS\System32\jkkli.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CB7FE559-01FE-438C-882D-878E7930F28F}]
C:\WINDOWS\System32\ddaby.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2003-04-14 19:30 1491216]
"Iinl"="C:\DOCUME~1\ERICHB~1\APPLIC~1\STEM32~1\wuauboot.exe" [ ]
"Lbr"="C:\Program Files\Common Files\??crosoft\??oolsv.exe" [ ]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="NvQTwk" []
"SiSUSBRG"="C:\WINDOWS\SiSUSBrg.exe" [2002-04-26 17:17 102400]
"SiS Tray"="" []
"SiS KHooker"="C:\WINDOWS\System32\khooker.exe" [ ]
"LTSMMSG"="LTSMMSG.exe" [2002-07-20 09:22 32768 C:\WINDOWS\LTSMMSG.exe]
"ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-07-03 17:17 40960]
"StorageGuard"="C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" [2002-06-18 02:01 155648]
"QuickFinder Scheduler"="C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE" [2002-07-10 15:07 77887]
"BJCFD"="C:\Program Files\BroadJump\Client Foundation\CFD.exe" [2004-05-31 13:22 368706]
"fxredir"="C:\WINDOWS\System32\fxredir.exe" [2001-08-21 17:49 65536]
"NeroCheck"="C:\WINDOWS\System32\NeroCheck.exe" [2001-07-09 08:50 155648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2004-04-25 23:20 180269]
"QAGENT"="C:\Program Files\QUICKENW\QAGENT.EXE" [2001-07-31 16:41 94208]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 02:56 36975]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-26 14:42 267064]
C:\Documents and Settings\Erich Brouhard\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-02-03 15:10:52 113664]
RABCO - Auto Update.lnk - C:\Program Files\RABCO\RABCOse.exe [2008-02-09 07:35:17 183216]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2003-02-03 15:10:52 113664]
Cisco Systems VPN Client.lnk - C:\Program Files\Cisco Systems\VPN Client\vpngui.exe [2004-03-24 17:27:36 1470296]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 13:05:56 65588]
MiniEYE-MiniREAD Launch.lnk - C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe [2003-07-21 20:07:29 323584]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-02-21 19:53:21 724992]
VAIO Action Setup (Server).lnk - C:\Program Files\Sony\VAIO Action Setup\VAServ.exe [2002-08-15 10:26:39 40960]
WinZip Quick Pick.lnk - C:\Program Files\WinZip\WZQKPICK.EXE [2006-04-23 12:26:15 122880]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iwripami]
iwripami.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nastrdmw]
nastrdmw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"ZTgServerSwitch"=c:\program files\support.com\client\lserver\server.vbs
R2 AvSynMgr;AVSync Manager;C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe [2003-06-03 06:03]
R2 cis1284;cis1284;C:\WINDOWS\System32\drivers\cis1284.sys [2001-06-26 21:00]
R2 mrtRate;mrtRate;C:\WINDOWS\System32\drivers\mrtRate.sys [2001-02-28 10:42]
R2 TwingoStorageDriver;TwingoStorageDriver;C:\Program Files\Cisco Systems\Secure Desktop\Storage.sys [2006-12-19 22:14]
R2 TwingoStorageService;Cisco Systems Secure Desktop;C:\Program Files\Cisco Systems\Secure Desktop\Storage.exe [2006-12-19 22:14]
R3 LucentSoftModem;Lucent Technologies Soft Modem;C:\WINDOWS\System32\DRIVERS\LTSM.sys [2002-07-20 09:22]
R3 McAfeePF;McAfee Firewall Network Filter Miniport;C:\WINDOWS\System32\DRIVERS\fw220.sys [2002-08-05 04:00]
S2 Nmpdrv_N;PogoProducts Nmpdrv_N USB Controller Service;C:\WINDOWS\System32\DRIVERS\Nmpdrv_N.sys [2003-03-05 13:26]
*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
Contents of the 'Scheduled Tasks' folder
"2008-02-08 04:21:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-13 12:13:35
Windows 5.1.2600 Service Pack 1 NTFS
detected NTDLL code modification:
ZwOpenFile
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\RABCO\X_RABCOse.exe
.
**************************************************************************
.
Completion time: 2008-02-13 12:20:38 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-13 19:20:31
yellowbird
2008-02-13, 02:00
Here is the HJT log..
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:41:13 PM, on 2/13/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\Secure Desktop\Storage.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\fxredir.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\RABCO\X_RABCOse.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2AE91ECB-FD63-4FBF-A276-10468A914C5D} - C:\WINDOWS\System32\mljgf.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6656BF0F-2716-4DBC-90EF-A70EEE495A09} - C:\WINDOWS\System32\vtstt.dll (file missing)
O2 - BHO: (no name) - {736541F1-A5B3-41FE-93E1-7F10484C79E2} - C:\WINDOWS\System32\ssqro.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O2 - BHO: (no name) - {B86F9027-6FBC-4570-B489-D097D00B4903} - C:\WINDOWS\System32\pmnnk.dll (file missing)
O2 - BHO: (no name) - {C0E7A6CC-CF24-446C-9C51-7C3D7A280A8E} - C:\WINDOWS\System32\jkkli.dll (file missing)
O2 - BHO: (no name) - {CB7FE559-01FE-438C-882D-878E7930F28F} - C:\WINDOWS\System32\ddaby.dll (file missing)
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Iinl] "C:\DOCUME~1\ERICHB~1\APPLIC~1\STEM32~1\wuauboot.exe" -vt yazb
O4 - HKCU\..\Run: [Lbr] "C:\Program Files\Common Files\??crosoft\??oolsv.exe"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: RABCO - Auto Update.lnk = C:\Program Files\RABCO\RABCOse.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: InstallerJava - https://webmail.usaa.com/CACHE/sdesktop/install/binaries/instjava.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/26512945663cbb16be05/netzip/RdxIE601.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0) - https://java.sun.com/update/1.5.0/jinstall-1_5_0_07-windows-i586.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5028/mcfscan.cab
O20 - Winlogon Notify: iwripami - iwripami.dll (file missing)
O20 - Winlogon Notify: nastrdmw - nastrdmw.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Firewall - Network Associates, Inc. - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Cisco Systems Secure Desktop (TwingoStorageService) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\Secure Desktop\Storage.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
--
End of file - 10343 bytes
Please let me know what's next. I really appreciate this.
pskelley
2008-02-13, 02:34
Thanks for returning your information...
See this: http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\jre1.5.0_07\ <<< update Java and then uninstall all old versions in Add Remove Programs.
1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.
2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.
3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: (no name) - {2AE91ECB-FD63-4FBF-A276-10468A914C5D} - C:\WINDOWS\System32\mljgf.dll (file missing)
O2 - BHO: (no name) - {6656BF0F-2716-4DBC-90EF-A70EEE495A09} - C:\WINDOWS\System32\vtstt.dll (file missing)
O2 - BHO: (no name) - {736541F1-A5B3-41FE-93E1-7F10484C79E2} - C:\WINDOWS\System32\ssqro.dll (file missing)
O2 - BHO: (no name) - {B86F9027-6FBC-4570-B489-D097D00B4903} - C:\WINDOWS\System32\pmnnk.dll (file missing)
O2 - BHO: (no name) - {C0E7A6CC-CF24-446C-9C51-7C3D7A280A8E} - C:\WINDOWS\System32\jkkli.dll (file missing)
O2 - BHO: (no name) - {CB7FE559-01FE-438C-882D-878E7930F28F} - C:\WINDOWS\System32\ddaby.dll (file missing)
O4 - HKCU\..\Run: [Iinl] "C:\DOCUME~1\ERICHB~1\APPLIC~1\STEM32~1\wuauboot.exe" -vt yazb
O4 - HKCU\..\Run: [Lbr] "C:\Program Files\Common Files\??crosoft\??oolsv.exe"
(the next two are Alexa toolbar related; if you don't use Alexa, remove them)
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/26512945...p/RdxIE601.cab
O20 - Winlogon Notify: iwripami - iwripami.dll (file missing)
O20 - Winlogon Notify: nastrdmw - nastrdmw.dll (file missing)
Close all programs but HJT and all browser windows, then click on "Fix Checked"
4) Right click Start > Explore and navigate to these files/folders and delete them if there.
C:\WINDOWS\system32\cavdqjwn.ini <<< delete that file
C:\Documents and Settings\Erich Brouhard\Application Data\STEM32~1\ <<< delete that folder
5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.
Restart and post a new HJT log and tell me how the computer is running.
Thanks
*** I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD needed, as is explained, it can be installed before we remove combofix.
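As an added example that is not part of this thread and not code from HijackThis or the helper's tools, the script below applies the same triage rules the helper used on the HJT log above (unnamed BHOs with missing DLLs, dangling Winlogon Notify packages, Run entries with undisplayable characters in the path); the sample lines are copied from the logs in this thread, and the fourth rule (autostarts launched from Application Data) is my own review heuristic, not something the helper stated.

```python
import re

# Constructed sample: a few HijackThis 2.0.2 lines taken from the logs in this
# thread, mixed with legitimate entries so the checks have something to ignore.
SAMPLE_HJT_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {2AE91ECB-FD63-4FBF-A276-10468A914C5D} - C:\WINDOWS\System32\mljgf.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKCU\..\Run: [Iinl] "C:\DOCUME~1\ERICHB~1\APPLIC~1\STEM32~1\wuauboot.exe" -vt yazb
O4 - HKCU\..\Run: [Lbr] "C:\Program Files\Common Files\??crosoft\??oolsv.exe"
O20 - Winlogon Notify: iwripami - iwripami.dll (file missing)
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
"""

# HJT entry lines start with a section code (R1, O2, O4, O20, ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<kind>[A-Z]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# 8.3 short name or long name of a user's Application Data folder.
APPDATA_RE = re.compile(r"\\(?:APPLIC~1|Application Data)\\", re.IGNORECASE)


def parse_hjt(text):
    """Return [(kind, body)] for every entry line; headers and process lists are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("kind"), m.group("body")))
    return entries


def flag_entry(kind, body):
    """Return a reason string if the entry matches one of the patterns removed in
    this thread, otherwise None. The first three rules encode what the helper
    fixed; the fourth is an added review heuristic (assumption, see lead-in)."""
    if kind == "O2" and "(no name)" in body and body.endswith("(file missing)"):
        # Unnamed BHO CLSID whose DLL is already gone: a leftover registration
        # that would reload the component if the file ever reappears.
        return "orphaned BHO registration"
    if kind == "O20" and body.endswith("(file missing)"):
        # Winlogon Notify packages load at logon under winlogon.exe; a dangling
        # one is residue from an infection and has no reason to stay.
        return "Winlogon Notify package with missing DLL"
    if kind == "O4" and "?" in body:
        # HJT prints '?' for characters it cannot render; a Run target such as
        # ??crosoft\??oolsv.exe is a lookalike of a Windows name, not the real one.
        return "Run target path contains undisplayable characters"
    if kind == "O4" and APPDATA_RE.search(body):
        # Autostart launched from a user's Application Data folder: legitimate
        # software sometimes does this too, so this one is only a review prompt.
        return "Run target launched from user Application Data (verify publisher)"
    return None


def triage(text):
    """Return [(kind, body, reason)] for flagged entries, in log order."""
    out = []
    for kind, body in parse_hjt(text):
        reason = flag_entry(kind, body)
        if reason:
            out.append((kind, body, reason))
    return out


def flagged_clsids(text):
    """CLSIDs of flagged O2 entries, handy for checking the registry afterwards."""
    return [CLSID_RE.search(body).group(0)
            for kind, body, _ in triage(text)
            if kind == "O2" and CLSID_RE.search(body)]


if __name__ == "__main__":
    for kind, body, reason in triage(SAMPLE_HJT_LOG):
        print(f"{kind:<4} {reason}\n      {body}")
```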
yellowbird
2008-02-13, 03:53
Hi there...
Thank you for pointing out the Java issue...for now I have uninstalled the old version. I have not installed the new version because I got a warning that my operating system is unsupported (because we are not on SP2 yet).
At what point should I move forward with the rest of the Microsoft XP updates? Is getting caught up on the IE updates a separate process?
I've installed Firefox and made it my default browser...do I need to uninstall IE, or is keeping it up-to-date sufficiently safe to keep it installed on this PC?
Shortly I will be installing AVG, ZoneAlarm and Spyware Blaster...is there anything I'm missing?
Overall, things are running much, much better (as far as I can tell), but I want to make sure this never happens again.
In the meantime, here is another HJT log after following your previous steps. I can't thank you enough for all you've done.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:40:40 PM, on 2/13/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Cisco Systems\Secure Desktop\Storage.exe
C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
C:\WINDOWS\LTSMMSG.exe
C:\Program Files\McAfee\McAfee VirusScan\VsStat.exe
C:\WINDOWS\System32\ezSP_Px.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\System32\fxredir.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QUICKENW\QAGENT.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
C:\Program Files\Sony\VAIO Action Setup\VAServ.exe
C:\WINDOWS\System32\mrtMngr.EXE
C:\Program Files\McAfee\McAfee VirusScan\Avconsol.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\RABCO\X_RABCOse.exe
C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\adobe\acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: McAfee VirusScan - {ACB1E670-3217-45C4-A021-6B829A8A27CB} - C:\Program Files\McAfee\McAfee VirusScan\VSCShellExtension.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
O4 - HKLM\..\Run: [LTSMMSG] LTSMMSG.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [StorageGuard] "C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [fxredir] C:\WINDOWS\System32\fxredir.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QAGENT] C:\Program Files\QUICKENW\QAGENT.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: RABCO - Auto Update.lnk = C:\Program Files\RABCO\RABCOse.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = ?
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MiniEYE-MiniREAD Launch.lnk = C:\Program Files\Infinite Mind LC\eyeQ\ARLaunch.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: VAIO Action Setup (Server).lnk = ?
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
O16 - DPF: InstallerJava - https://webmail.usaa.com/CACHE/sdesktop/install/binaries/instjava.cab
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {2FC9A21E-2069-4E47-8235-36318989DB13} (PPSDKActiveXScanner.MainScreen) - http://www.pestscan.com/scanner/axscanner.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.costcophotocenter.com/CostcoActivia.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-loc/mcfscan/2,2,0,5028/mcfscan.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVSync Manager (AvSynMgr) - Network Associates, Inc. - C:\Program Files\McAfee\McAfee VirusScan\Avsynmgr.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Firewall - Network Associates, Inc. - C:\Program Files\McAfee\McAfee Firewall\CPD.EXE
O23 - Service: McShield - Unknown owner - C:\Program Files\Common Files\Network Associates\McShield\Mcshield.exe
O23 - Service: MpService - Canon Inc - C:\Program Files\Canon\MultiPASS4\MPSERVIC.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\PROGRA~1\COMMON~1\SONYSH~1\AVLib\Sptisrv.exe
O23 - Service: Cisco Systems Secure Desktop (TwingoStorageService) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\Secure Desktop\Storage.exe
O23 - Service: VAIO Media Music Server (Application) (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Music Server\SSSvr.exe
O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\sv_httpd.exe
O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
O23 - Service: VAIO Media Photo Server (Application) (VAIOMediaPlatform-PhotoServer-AppServer) - Unknown owner - C:\Program Files\Sony\Photo Server 20\appsrv\PicAppSrv.exe
O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\SV_Httpd.exe
O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\VAIO Media Platform\UPnPFramework.exe
--
End of file - 8322 bytes
yellowbird
2008-02-13, 04:22
Thanks also for pointing out the Recovery Console thing...I would like to get that installed, but we don't have the XP CD. Thanks again for all your help.
pskelley
2008-02-13, 15:11
Sorry for the delay, Safer Networking was moving to a new server. Let's make sure you are clean, then I suggest you go to Windows Updates and download all critical updates for your computer. IE 7 will be one of those updates but I believe you have to do that as a separate update, you will be informed.
Please do not install any new software until we are completely finished. I posted instructions for installing "Recovery Console" and combofix is needed for the installation. Please read here:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Then: http://www.bleepingcomputer.com/tutorials/tutorial117.html
If on the other hand, you use Windows XP and do not have the Windows CD, ComboFix includes a method of installing the Windows Recovery console by downloading a file from Microsoft. To install the Windows Recovery Console when you do not have the Windows XP CD, please follow these instructions:
and follow the prompts carefully to install "Recovery Console", then post the .txt file that opens.
Your HJT log looks clean of malware, so as soon as you finish, let me know and we will run a Kaspersky scan to be sure nothing is hiding and get you on your way.
Thanks...Phil
yellowbird
2008-02-13, 18:37
Thank you, Phil...
Just to make sure I get this right (because now I see where I messed up on the Combofix/Recovery Console thing), do you want me to install the Recovery Console and THEN finish with the Windows updates, or the other way around?
pskelley
2008-02-13, 18:52
Read the instructions carefully:
and follow the prompts carefully to install "Recovery Console", then post the .txt file that opens.
Your HJT log looks clean of malware, so as soon as you finish, let me know and we will run a Kaspersky scan to be sure nothing is hiding and get you on your way.
If you wish to install Recovery Console, do so now, and when I see the .txt file indicating that it was installed properly, I will post instructions for running a last Kaspersky scan to check for anything that might be hidden. When I am sure you are clean, I will tell you so and post links to information to help you stay that way. At that point, you should visit Windows Updates, after you are clean.
Thanks
yellowbird
2008-02-13, 19:19
Thanks...here is the .txt file that opened after attempting to install Recovery Console via Combofix:
winxpsp1_en_hom_bf.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
pskelley
2008-02-13, 19:26
Thanks, remove from your computer the tools we used during the cleanup. You may keep ATF-Cleaner if you wish. When that is done, run a KOS using these settings:
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.
Then post it here. <<< no need to post a clean scan.
Thanks
yellowbird
2008-02-13, 22:36
<sigh> Still infected. Is there any hope? Am I doing something wrong?
Here is the Kaspersky log:
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, February 14, 2008 1:31:31 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 13/02/2008
Kaspersky Anti-Virus database records: 521857
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
Scan Statistics:
Total number of scanned objects: 112328
Number of viruses found: 12
Number of infected objects: 21
Number of suspicious objects: 0
Duration of the scan process: 02:19:23
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Sony Corporation\SonicStage\Packages\MtData.ldb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Sony Corporation\SonicStage\Packages\MtData.mdb Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Application Data\Mozilla\Firefox\Profiles\362zmt2f.default\cert8.db Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Application Data\Mozilla\Firefox\Profiles\362zmt2f.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Application Data\Mozilla\Firefox\Profiles\362zmt2f.default\history.dat Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Application Data\Mozilla\Firefox\Profiles\362zmt2f.default\key3.db Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Application Data\Mozilla\Firefox\Profiles\362zmt2f.default\parent.lock Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Application Data\Mozilla\Firefox\Profiles\362zmt2f.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Application Data\Mozilla\Firefox\Profiles\362zmt2f.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Application Data\Mozilla\Firefox\Profiles\362zmt2f.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Application Data\Mozilla\Firefox\Profiles\362zmt2f.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Application Data\Mozilla\Firefox\Profiles\362zmt2f.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Application Data\Mozilla\Firefox\Profiles\362zmt2f.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\History\History.IE5\MSHist012008021420080215\index.dat Object is locked skipped
C:\Documents and Settings\Erich Brouhard\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Erich Brouhard\ntuser.dat Object is locked skipped
C:\Documents and Settings\Erich Brouhard\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\Documents and Settings\Erich Brouhard\Application Data\STEM32~1\wuauboot.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.fj skipped
C:\QooBox\Quarantine\C\WINDOWS\mrofinu1000106.exe.vir Infected: Trojan-Downloader.Win32.Agent.iug skipped
C:\QooBox\Quarantine\C\WINDOWS\mrofinu572.exe.vir Infected: Trojan-Downloader.Win32.Agent.iug skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ac1\tliamdll2.exe.vir Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\Hvk56.sys.vir Infected: Rootkit.Win32.Agent.ea skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nGpxx01\nGpxx011065.exe.vir Infected: Trojan-Downloader.Win32.VB.cgu skipped
C:\QooBox\Quarantine\catchme2008-02-13_121316.20.zip/atinrvxxx.sys Infected: Rootkit.Win32.Agent.to skipped
C:\QooBox\Quarantine\catchme2008-02-13_121316.20.zip ZIP: infected - 1 skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1263\A0123587.dll Infected: Trojan-Spy.Win32.Agent.ir skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1264\A0125667.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1264\A0125672.exe Infected: not-virus:Hoax.Win32.Renos.aun skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1267\A0133075.exe Infected: Trojan-Downloader.Win32.VB.cgu skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1267\A0133077.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1267\A0133080.exe Infected: Trojan-Downloader.Win32.Agent.iug skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1267\A0133081.exe Infected: Trojan-Downloader.Win32.Agent.iug skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1267\A0133088.exe Infected: Trojan-Downloader.Win32.PurityScan.fj skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1267\A0133101.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\System Volume Information\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\RP1272\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{9D630E31-DCD6-4345-A9BD-7131A0403D85}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\jdjvyehn.exe Infected: Trojan-Spy.Win32.Agent.ir skipped
C:\WINDOWS\system32\mmqoaaaa.exe Infected: Trojan-Clicker.Win32.Delf.hi skipped
C:\WINDOWS\system32\mvrcuaaa.exe Infected: Backdoor.Win32.Small.na skipped
C:\WINDOWS\system32\mxmmcaaa.exe Infected: Trojan-Spy.Win32.BZub.ik skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\Temp\JETB3CF.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
Again - I really appreciate all your help.
pskelley
2008-02-14, 00:43
Please be patient, we are almost there.
KASPERSKY ONLINE SCANNER REPORT Thursday, February 14, 2008 1:31:31 PM
Make sure all files and folders are still enabled:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html
C:\QooBox\Quarantine\ <<< delete that folder and contents
(delete these files in red)
C:\WINDOWS\system32\jdjvyehn.exe
C:\WINDOWS\system32\mmqoaaaa.exe
C:\WINDOWS\system32\mvrcuaaa.exe
C:\WINDOWS\system32\mxmmcaaa.exe
Empty the Recycle Bin on the Desktop and restart the computer.
Clean the infected System Restore files like this:
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Reboot
Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.
If you follow the directions the next Kaspersky scan will be clean. I will post this information for you now so you can begin to benefit from it.
Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx
Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml
http://www.malwarecomplaints.info/
Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
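As an added example (not part of the thread, and not a tool either participant used), the script below applies the same triage pskelley did by hand on the Kaspersky report: "Object is locked" lines are files in use and need no action, anything under C:\QooBox\Quarantine is ComboFix's quarantine and goes when that folder is deleted, anything under System Volume Information\_restore is a restore-point copy that is purged by turning System Restore off and on, and whatever is left is a live infected file to remove. The report lines embedded in it are constructed to match the shape of the log posted above; the function and bucket names are this example's own.

```python
"""Triage a Kaspersky Online Scanner 5 report into the action buckets a
malware-removal helper applies to it.

Added example for this thread, not a tool from the original posts.  The
SAMPLE_REPORT below is constructed in the report's own line format:
    <path> <verdict> <last action>
"""
import re
from collections import defaultdict

# Constructed sample; the paths mirror entries in the report posted above.
SAMPLE_REPORT = """\
Infected Object Name / Virus Name / Last Action
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped
C:\\QooBox\\Quarantine\\C\\WINDOWS\\system32\\Hvk56.sys.vir Infected: Rootkit.Win32.Agent.ea skipped
C:\\QooBox\\Quarantine\\catchme2008-02-13_121316.20.zip ZIP: infected - 1 skipped
C:\\System Volume Information\\_restore{58E30938-66A1-4D08-9DCD-360CE25B3A88}\\RP1267\\A0133101.sys Infected: Rootkit.Win32.Agent.ea skipped
C:\\WINDOWS\\system32\\jdjvyehn.exe Infected: Trojan-Spy.Win32.Agent.ir skipped
C:\\WINDOWS\\system32\\mmqoaaaa.exe Infected: Trojan-Clicker.Win32.Delf.hi skipped
Scan process completed.
"""

# One report line: a drive-letter path, then the scanner's verdict, then the
# last action it took.  Paths may contain spaces, so the path group is
# non-greedy and the verdict alternatives anchor where it ends.
LINE_RE = re.compile(
    r"^(?P<path>[A-Za-z]:\\.*?)\s+"
    r"(?P<verdict>Object is locked|Infected: \S+|ZIP: infected - \d+)\s+"
    r"(?P<action>skipped|deleted|disinfected)\s*$"
)

QUARANTINE_PREFIX = "c:\\qoobox\\quarantine\\"          # ComboFix quarantine
RESTORE_MARKER = "\\system volume information\\_restore{"  # System Restore copies

# Bucket name -> what the helper tells the user to do about it.
ACTIONS = {
    "locked": "in use by Windows; not an infection, no action",
    "quarantine": "delete C:\\QooBox\\Quarantine and its contents",
    "restore_point": "turn System Restore off, reboot, turn it back on",
    "live": "delete the file by hand, then empty the Recycle Bin",
}


def classify(path, verdict):
    """Return the action bucket for one (path, verdict) pair."""
    p = path.lower()
    if verdict.startswith("Object is locked"):
        return "locked"
    if p.startswith(QUARANTINE_PREFIX):
        return "quarantine"
    if RESTORE_MARKER in p:
        return "restore_point"
    return "live"


def triage(report_text):
    """Parse a report and group its findings by bucket.

    Returns {bucket: [(path, verdict), ...]}; header, statistics and
    footer lines that do not match LINE_RE are ignored.
    """
    buckets = defaultdict(list)
    for line in report_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        buckets[classify(m["path"], m["verdict"])].append((m["path"], m["verdict"]))
    return dict(buckets)


def live_infections(report_text):
    """Paths that still need manual deletion (the list pskelley posted)."""
    return [path for path, _ in triage(report_text).get("live", [])]


def action_plan(report_text):
    """Map each non-empty bucket to its instruction, in report order."""
    return {bucket: ACTIONS[bucket] for bucket in triage(report_text)}


if __name__ == "__main__":
    for bucket, entries in triage(SAMPLE_REPORT).items():
        print(f"[{bucket}] {ACTIONS[bucket]}")
        for path, verdict in entries:
            print(f"    {path}  ({verdict})")
```

Run it against a saved report instead of the sample by passing the file's text to `triage()`. A detection under the quarantine or restore-point paths is not a failed cleanup; only the "live" bucket means something survived the previous steps, which is why a scan that lists only those two kinds still needs the folder deletion and System Restore purge before it comes back clean.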
yellowbird
2008-02-14, 03:47
Woo hoo!
You were right, this time the Kaspersky scan came back clean. I ran the scan the same way as last time (standard db, target = my computer).
If I understood your last reply correctly, the fact that this scan came back clean means that I can move on to installing all the windows updates, anti-virus and firewall software.
Could you please confirm I am ready to go?
Thank you so much for your patience throughout this process - I've never had to deal with this issue before.
pskelley
2008-02-14, 13:21
You are ready to go, here is some information to help:
http://www.microsoft.com/windowsxp/sp2/sp2_whattoknow.mspx
http://www.microsoft.com/windowsxp/sp2/sysreqs.mspx
http://www.microsoft.com/windowsxp/downloads/updates/sp2/cdorder/en_us/default.mspx
http://support.microsoft.com/
Safe surfing
yellowbird
2008-02-15, 03:35
Thank you soooo much for all of your help throughout this ordeal.
Today I got all of the windows updates installed, and then installed ZoneAlarm, AVG, and spywareblaster.
I have only one remaining question...the PC seems a bit slower, which I suppose is to be expected with the background scanning going on, but I took a look at the process in TaskManager to see what was happening.
I keep seeing x_RABCOse.exe taking up a small amount of CPU several times per minute. Information about this app is spotty, but it appears that it was installed on our PC the day it got infected. It's billed as a "Search Enhancer".
The program appears in our Add/Remove Programs list in Control Panel. Is it safe to Remove it that way?
We didn't choose to install it, so if it's any sort of Spyware, I didn't know if using the control panel to remove it could actually backfire.
If you can spare one more post for me, I'd appreciate your input on this.
You have been really great to work with and I have learned a ton. Thanks once again for making something horrible much less so. Your expertise has been a blessing.
pskelley
2008-02-15, 13:58
Make sure you review those links I posted in closing, especially this one:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
Most info at Google: http://www.google.com/search?hl=en&q=Search+Enhancer&btnG=Google+Search
seems to indicate that Search Enhancer is junk. This >>> x_RABCOse.exe is part of it, see this:
http://www.whatsrunning.net/whatsrunning/QueryProcessID.aspx?Process=17234
Use Add Remove programs to uninstall it.
If you post an uninstall list, I'll see if I spot any other junk:
Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)
Thanks
yellowbird
2008-02-15, 19:31
Thanks very much...
It looks like we will probably need to upgrade our RAM...only 480 MB on there.
After uninstalling some stuff I knew we didn't need, here is the HJT uninstall list (with the obvious windows stuff removed):
Adobe Acrobat 5.0
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Photoshop Elements 2.0
Adobe Premiere 6 LE
Adobe Stock Photos 1.0
Apple Software Update
ArcSoft Camera Suite
AVG 7.5
BroadJump Client Foundation
Bulk Rename Utility 2, 3, 7, 1
Canon Camera Window for ZoomBrowser EX
Canon MultiPASS Suite 4.00
Canon PhotoRecord
Canon Utilities File Viewer Utility 1.2
Canon Utilities PhotoStitch 3.1
Canon Utilities RemoteCapture 2.7
Canon Utilities ZoomBrowser EX
Cisco Secure Desktop
Click to DVD 1.0
Costco Photo Organizer
DVgate
Experience Vaio
eyeQ
Google Earth
HijackThis 2.0.2
ImageStation Demo
ImageStation Tour
InterActual Player
iTunes
Kaspersky Online Scanner
Lucent Technologies Soft Modem AMR
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Professional
Microsoft SQL Server 2000
Motion JPEG Software Decoder
MovieShaker 3.3
Mozilla Firefox (2.0.0.12)
MSN Music Assistant
Music Visualizer Library 1.4.00
Nero - Burning Rom
Network Smart Capture
NVIDIA Windows 2000/XP Display Drivers
OpenMG Secure Module 3.1
PDFCreator
PicoPlayer
PicoPlayer Demo
PicoPlayerSplashScreen
PictureGear Studio 1.0
PowerDVD
QuickBooks Pro Edition 2004
QuickTime
RealPlayer
RealProducer Basic 8.5
RipFlashPlus
Screenblast ACID 2.0a
Screenblast Sound Forge 1.0b
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
SiS Compatible VGA V2.09a
SonicStage 1.5.00
Sony Certificate PCH
Sony DV Shared Library
Sony on Yahoo! Essentials
Spybot - Search & Destroy
Support Actions WinXP
VAIO Action Setup
VAIO Brezza Wallpaper
VAIO Edit Components LE
VAIO Grid Wallpaper
VAIO Help & Support
VAIO Media 2.0
VAIO Media Installer 2.0
VAIO Media Music Server 2.0
VAIO Media Photo Server 2.0
VAIO Media Platform 2.0
VAIO Registration
VAIO Serenus Wallpaper
VAIO Support
VERITAS RecordNow DX
VERITAS RecordNow DX Update Manager
VPN Client
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
WinZip
WordPerfect Office 2002
ZoneAlarm
***************************
Please let me know if there is any obvious junk in there. Also, re: WordPerfect Office 2002, that does not appear in the Add/Remove Programs section of Control Panel, nor is it listed in Start>All Programs. However, in HJT, the Uninstall Command is listed as "C:\WINDOWS\Corel\uninst32.exe"
Does that mean I can navigate to that file through Explorer, double click it and that will uninstall it for me?
Thanks again for your help!
pskelley
2008-02-15, 21:12
Thanks for the feedback, you said:
It looks like we will probably need to upgrade our RAM...only 480 MB on there.
I run 1.25 GB on my Dell 4550 Windows XP Pro, but it all depends on what you use the computer for. In my opinion, that is not enough RAM for resource-intense gaming or running multiple programs at the same time that use lots of resources, see what is said here:
http://ask-leo.com/how_much_memory_do_i_really_need_for_windows_xp.html
and here: http://www.crucial.com/support/howmuch.aspx
Looking at your uninstall list...
What is this: AVG 7.5? I am under the impression you are running McAfee, and yet I see no McAfee in the uninstall list. I believe that (from looking at my own Add Remove programs) is AVG Anti-virus, so if you are going to run McAfee, you can uninstall it.
I cannot see anything that is malware. I do see three media players, do you use them? I personally remove everything but WMP, which can use an update by the way. You should take a hard look at your programs: if you use them, keep them. If you do not, uninstall them.
WordPerfect Office 2002 <<< probably installed OEM and a good program. It may not show in Add Remove? Try Google for answers if you are sure you want to uninstall it.
WordPerfect Office 2002 <<< it is showing in the uninstall list, so it should be in Add Remove programs?
Thanks
yellowbird
2008-02-15, 23:04
Thanks for the add'l memory info.
AVG is our anti-virus...we had McAfee, but I wanted to move to a lighter anti-virus app.
Unfortunately, WordPerfect is not listed in our Add/Remove Programs list...not sure why. I'll take a look around to see if I can verify how to uninstall it, since we don't use it.
We truly appreciate all your help in getting our system cleaned up. You saved us a lot of headaches. Thank you so much!!