SmitFraud C Zlob and other nasties HJT File attached



Lane412000
2008-03-06, 19:06
I have a number of new strange things going on with the computer that I am seeking help with.

When I turn on the volume, I have some song that continues playing that I have never heard before.

I keep getting pop-ups for a trusted adware product.

I receive a message on top of my IE bar reading: “Warning: possible spyware or adware infection: Click here to scan your computer.”

I have run Spybot S&D and the final report keeps showing infestation with SmitFraud C and Zlob.downloader.vcd.

Also, I ended up with PartyPoker.Net in my tools menu. Can I delete this?

I have run HJT, Kaspersky and SmitfraudFix and am enclosing those reports.

Please tell me what the next step is.

Thanks

Lane 412000

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:59 AM, on 3/6/2008
Platform: Windows 2000 SP4 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
C:\WINNT\system32\Ati2evxx.exe
C:\Program Files\ISS\BlackICE\blackd.exe
C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
C:\WINNT\Cpqdiag\Cpqdfwag.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
C:\WINNT\system32\HPZipm12.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MSTask.exe
C:\WINNT\system32\stisvc.exe
C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\system32\MsPMSPSv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
C:\WINNT\system32\atiptaxx.exe
C:\Program Files\Novatel Wireless\SprintPort\SprintPortA.exe
C:\WINNT\system32\ltmsg.exe
C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\antiviirus.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\ISS\BlackICE\blackice.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Linksys\Wireless-G Notebook Adapter with SRX Utility\lcu.exe
C:\Program Files\TimeLeft3\TimeLeft.exe
C:\WINNT\System32\SCardSvr.exe
C:\DOCUME~1\LCHERA~1.OWE\LOCALS~1\Temp\wwhwwlOF.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://google.icq.com/search/search_frame.php
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.cardinalpps.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.cardinalpps.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Cardinal Health PPS
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: RDL Rolex - {BF108732-DF6A-4644-BC03-F04EB71763BF} - C:\WINNT\dkxrstqnog.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [ChkAdmin] C:\PROGRA~1\Compaq\COMPAQ~1\CHKADMIN.EXE
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SprintPort] "C:\Program Files\Novatel Wireless\SprintPort\SprintPortA.exe"
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [LTWinModem1] ltmsg.exe 9
O4 - HKLM\..\Run: [projselector] "C:\Program Files\Common Files\Roxio Shared\Project Selector\projselector.exe" -r
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [AeXAgentLogon] C:\Program Files\Altiris\Altiris Agent\AeXAgentActivate.exe /logon
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~2\VPTray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [antiviirus] C:\Program Files\antiviirus.exe
O4 - HKLM\..\RunServices: [CPQDFWAG] C:\WINNT\Cpqdiag\CpqDfwAg.exe
O4 - HKCU\..\Run: [ctfmon.exe] ctfmon.exe
O4 - HKCU\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Global Network Client\NetSP.exe" -show
O4 - HKUS\S-1-5-21-52592350-1112094291-630672053-17755\..\Run: [ctfmon.exe] ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-52592350-1112094291-630672053-17755\..\Run: [NetSP - restore settings on power failure] "C:\Program Files\AT&T Global Network Client\NetSP.exe" -show (User '?')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - S-1-5-21-52592350-1112094291-630672053-17755 Startup: Wireless-G Notebook Adapter with SRX Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SRX Utility\lcu.exe (User '?')
O4 - S-1-5-21-52592350-1112094291-630672053-17755 Startup: TimeLeft.lnk = C:\Program Files\TimeLeft3\TimeLeft.exe (User '?')
O4 - Startup: Wireless-G Notebook Adapter with SRX Utility.lnk = C:\Program Files\Linksys\Wireless-G Notebook Adapter with SRX Utility\lcu.exe
O4 - Startup: TimeLeft.lnk = C:\Program Files\TimeLeft3\TimeLeft.exe
O4 - Global Startup: RealSecure(r) Desktop Protector.lnk = C:\Program Files\ISS\BlackICE\blackice.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.Net\PartyPokerNet\RunPF.exe (file missing)
O12 - Plugin for .NPSSView: C:\Program Files\Seagate Software\Viewers\ActiveXViewer\NPssView.dll
O14 - IERESET.INF: START_PAGE_URL=http://www.cardinalpps.com
O15 - Trusted Zone: *.cahapps.net (HKLM)
O15 - Trusted Zone: *.cardinalhealth.net (HKLM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx2.hotmail.com/mail/w2/pr02/resources/MSNPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1155046283407
O16 - DPF: {A8739816-022C-11D6-A85D-00C04F9AEAFB} (WebEyeControl) - http://www.mikethetiger.com/cam/wg_webeye.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://attwm.webex.com/client/v_mywebex-pso-attwm/webex/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = owenhlt.cardinalpps.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = owenhlt.cardinalpps.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = owenhlt.cardinalpps.net
O21 - SSODL: KernelWin - {eebe7698-051a-4364-83c9-0c643b051a64} - C:\WINNT\Installer\{eebe7698-051a-4364-83c9-0c643b051a64}\KernelWin.dll
O21 - SSODL: apdqnxp - {BDC36390-4E9A-450A-BA06-47364D410B4C} - C:\WINNT\apdqnxp.dll
O21 - SSODL: zip - {3a0201d9-0c91-4635-9ca0-7869806def0f} - C:\WINNT\Installer\{3a0201d9-0c91-4635-9ca0-7869806def0f}\zip.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Altiris Agent (AeXNSClient) - Altiris, Inc. - C:\Program Files\Altiris\Altiris Agent\AeXNSAgent.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\blackd.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Insight Local Alerter (CPQALERT) - Hewlett-Packard Company - C:\Program Files\Compaq\Compaq Management Agents\cpqalert.exe
O23 - Service: cpqdmi - Compaq Computer Corporation - C:\PROGRA~1\Compaq\COMPAQ~1\cpqdmi.exe
O23 - Service: Insight Web Agent (cpqWebDmi) - Hewlett-Packard Company - C:\PROGRA~1\Compaq\COMPAQ~1\CPQWEB~1\WebDmi.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Remote Diagnostics Enabling Agent (DfwWebAgent) - Hewlett Packard - C:\WINNT\Cpqdiag\Cpqdfwag.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINNT\system32\FreezeScreenSaver.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\ISSVC.exe
O23 - Service: Network Configuration Service (NetCfgSvr) - AT&T - C:\Program Files\AT&T Global Network Client\NetCfgSv.EXE
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\BlackICE\rapapp.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec Client Security\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Symantec SecurePort (SymSecurePort) - Symantec Corporation - C:\Program Files\Symantec Client Security\Symantec Client Firewall\SymSPort.exe
O23 - Service: Win32Sl (WIN32SL) - Intel - C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\bin\Win32sl.exe

--
End of file - 13442 bytes

Lane412000
2008-03-06, 19:07
SmitFraudFix v2.300

Scan done at 6:46:27.26, Thu 03/06/2008
Run from C:\Documents and Settings\lcherami.OWENHLT\Desktop\SmitfraudFix
OS: Microsoft Windows 2000 [Version 5.00.2195] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process


»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINNT\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\lcherami.OWENHLT


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\lcherami.OWENHLT\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\LCHERA~1.OWE\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files

C:\Program Files\tmp???????.exe FOUND !
C:\Program Files\antiviirus.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» IEDFix
!!!Attention, following keys are not inevitably infected!!!

IEDFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» VACFix
!!!Attention, following keys are not inevitably infected!!!

VACFix
Credits: Malware Analysis & Diagnostic
Code: S!Ri
+--------------------------------------------------+
[!] Suspicious: dkxrstqnog.dll
BHO: RDL Rolex - {BF108732-DF6A-4644-BC03-F04EB71763BF}
TypeLib: {02A4A156-966C-4511-9797-ABC1CA0DF2A0}
Interface: {0C4C329C-34DD-4E7E-A624-316F758BFFC9}
Interface: {356BB288-2CE5-4F9E-ADB7-8EAFE63C2014}

[!] Suspicious: apdqnxp.dll
SSODL: apdqnxp - {BDC36390-4E9A-450A-BA06-47364D410B4C}

[!] Suspicious: KernelWin.dll
SSODL: KernelWin - {eebe7698-051a-4364-83c9-0c643b051a64}

[!] Suspicious: zip.dll
SSODL: zip - {3a0201d9-0c91-4635-9ca0-7869806def0f}


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

Lane412000
2008-03-06, 19:08
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, March 06, 2008 10:56:13 AM
Operating System: Microsoft Windows 2000 Professional, Service Pack 4 (Build 2195)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/03/2008
Kaspersky Anti-Virus database records: 553928
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
F:\

Scan Statistics:
Total number of scanned objects: 101710
Number of viruses found: 1
Number of infected objects: 28
Number of suspicious objects: 0
Duration of the scan process: 02:26:14

Infected Object Name / Virus Name / Last Action
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\SYSTEM.ALT Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SYSTEM Object is locked skipped
C:\WINNT\system32\config\SOFTWARE Object is locked skipped
C:\WINNT\system32\config\DEFAULT Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\Debug\Netlogon.log Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\CSC\00000001 Object is locked skipped
C:\WINNT\Installer\{eebe7698-051a-4364-83c9-0c643b051a64}\KernelWin.dll Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\WINNT\Installer\{3a0201d9-0c91-4635-9ca0-7869806def0f}\zip.dll Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\Internet Logs\tvDebug.log Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\Documents and Settings\Default User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Default User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\dZ3bert1.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\mso11.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\y5PSAiAu.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\r5GgxzHT.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\rxjxmshE.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\kkRGoUqi.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\dvndhzvV.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\cFtPReXW.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\nyd5UL95.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\SE8Ot7Qz.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\~DF6199.tmp Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\poaTpWoH.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\~DFB140.tmp Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\wwhwwlOF.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\~DF4C3C.tmp Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\~DF80C0.tmp Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temp\fla3D91.tmp Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\History\History.IE5\MSHist012008030620080307\index.dat Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temporary Internet Files\Content.IE5\4E62XLPO\1204751588[1].exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temporary Internet Files\Content.IE5\KHSTC6HU\1204809775[1].exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Temporary Internet Files\Content.Word\~WRS0000.tmp Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\Microsoft\Outlook\Personal Folders(1).pst Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\ApplicationHistory\hpqgalry.exe.cf8dd223.ini.inuse Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\CB_Server_Errors.txt Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\administrativeInfo.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\pathnameTable.cdx Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.cdx Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\albumTable.cdx Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\albumImagesTable.cdx Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\keywordTable.cdx Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\keywordImagesTable.cdx Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\managedFolderTable.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\EXIFTable.cdx Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\ROFTable.cdx Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.dbf Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\ROFImagesTable.cdx Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Local Settings\Application Data\HP\Digital Imaging\db\imageTable.fpt Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\My Documents\Excel\Expense Report.xls Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Application Data\Microsoft\Outlook\MS Exchange Settings.srs Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Application Data\Microsoft\Outlook\MS Exchange Settings.NK2 Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\lcherami.OWENHLT\Application Data\Microsoft\Word\AutoRecovery save of Document1.asd Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\VirusDefs\lulock.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Compaq\Compaq Management Agents\Dmi\Win32\mifdb\errors.log Object is locked skipped
C:\Program Files\Novatel Wireless\SprintPort\1796\20080306.TXT Object is locked skipped
C:\Program Files\ISS\BlackICE\blackice-service.log Object is locked skipped
C:\Program Files\Altiris\Altiris Agent\Tasks\AeXTaskSchedulerLock\taskSchedulerLock.tmp Object is locked skipped
C:\Program Files\Altiris\Altiris Agent\Software Delivery\pkgdlvlk.tmp Object is locked skipped
C:\Program Files\Altiris\Altiris Agent\Agents\InventoryRuleAgent\InventoryRuleCache.iad Object is locked skipped
C:\Program Files\Altiris\Altiris Agent\PackageDownload\pkgdlvlk.tmp Object is locked skipped
C:\Program Files\antiviirus.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Program Files\instaler.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Program Files\tmp5522631.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Program Files\tmp5715137.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Program Files\tmp236690.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Program Files\tmp465879.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Program Files\tmp5602205.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Program Files\tmp498677.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Program Files\tmp86983155.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Program Files\tmp516232.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Program Files\tmp1742135.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped
C:\Program Files\tmp251601.exe Infected: Trojan-Dropper.Win32.Agent.fbe skipped

Scan process completed.

tashi
2008-03-06, 19:49
Hello,

This appears to be the same machine as the one you started a topic for here: http://forums.spybot.info/showthread.php?t=25178
:eek:

Did you miss:
"BEFORE you POST" (READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)
NOTE: We do NOT ask Users to run fixes before helpers have analyzed HJT/KAV scans (http://forums.spybot.info/showthread.php?t=16806)
The Waiting Room: Post here if waiting for help longer than four days (http://forums.spybot.info/forumdisplay.php?f=37)

Best regards.

Lane412000
2008-03-06, 20:17
tashi

I ran the other two text files so I thought that I should start a new thread. I apologize for doing this the wrong way. :oops: Should I paste the two text files into my other thread?

Thanks

lane412000

tashi
2008-03-06, 20:49
"SmitFraudFix v2.300"

"Should I paste the two text files into my other thread?"

NOTE: We do NOT ask Users to run fixes before helpers have analyzed HJT/KAV scans (http://forums.spybot.info/showthread.php?t=16806)


You could paste the results of the KASPERSKY scan into your original thread if it does not take more than one post.

Cheers.

Lane412000
2008-03-06, 20:53
ok...will do....thanks

lane 412000