Virtumonde.generic and Win32.Inject.bw



LadyBriggan
2008-03-06, 23:47
I am having the same problem as this person:
http://forums.spywareinfo.com/index.php?showtopic=113943

Here is my Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, March 06, 2008 1:41:52 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 6/03/2008
Kaspersky Anti-Virus database records: 605235
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 115123
Number of viruses found: 8
Number of infected objects: 43
Number of suspicious objects: 0
Duration of the scan process: 01:26:59

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\8719798D.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\Lady Briggan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Lady Briggan\Local Settings\Application Data\Identities\{D075E37A-68AD-4237-8448-AFF27CDF74B3}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\Lady Briggan\Local Settings\Application Data\Identities\{D075E37A-68AD-4237-8448-AFF27CDF74B3}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\Lady Briggan\Local Settings\Application Data\Identities\{D075E37A-68AD-4237-8448-AFF27CDF74B3}\Microsoft\Outlook Express\Yoneda - Inbox.dbx Object is locked skipped
C:\Documents and Settings\Lady Briggan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Lady Briggan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Lady Briggan\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Lady Briggan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Lady Briggan\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Lady Briggan\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.7\NCOWAD.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.7\NCOWADMT.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.7\NCOWAS.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.7\NCOWAS.ldb Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SymcData\idsdefs\lulock.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SymcData\nco1.0defs\lulock.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\VirusDefs\lulock.dat Object is locked skipped
C:\Program Files\Norton 360\Log\AutoProtect.log Object is locked skipped
C:\Program Files\Norton 360\Log\AVContext.log Object is locked skipped
C:\Program Files\Norton 360\Log\AVManual.log Object is locked skipped
C:\Program Files\Norton 360\Log\Backup.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetPageViewHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetSearchHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUWindowsTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\EmailScan.log Object is locked skipped
C:\Program Files\Norton 360\Log\InternetSecurity.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIntrusionPrevented.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIOTraffic.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISNewNetwork.log Object is locked skipped
C:\Program Files\Norton 360\Log\LiveUpdate.log Object is locked skipped
C:\Program Files\Norton 360\Log\NCO.log Object is locked skipped
C:\Program Files\Norton 360\Log\VABrowserSettings.log Object is locked skipped
C:\Program Files\Norton 360\Log\VAIPAddresses.log Object is locked skipped
C:\Program Files\Norton 360\Log\VAWeakPasswords.log Object is locked skipped
C:\Program Files\Norton 360\Log\WDFScanner.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP581\A0106858.dll Infected: not-a-virus:AdWare.Win32.Agent.ahl skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP582\A0106899.dll Infected: not-a-virus:AdWare.Win32.Agent.ahl skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP586\A0110930.exe/TopSearch.dll Infected: not-a-virus:AdWare.Win32.Altnet.d skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP586\A0110930.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP586\A0110930.exe Execryptor: infected - 1 skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP586\A0111915.exe Infected: Trojan-Downloader.Win32.Small.imu skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP586\A0111916.exe/data0006 Infected: Trojan-Downloader.Win32.VB.ceh skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP586\A0111916.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP587\A0112078.exe Infected: not-a-virus:AdWare.Win32.Agent.zk skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP587\A0112092.exe Infected: not-a-virus:AdWare.Win32.Agent.zk skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP595\A0143704.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.ahl skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP595\A0143704.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP595\A0143705.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.jb skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP595\A0143705.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP595\A0143722.exe/data0002 Infected: not-a-virus:AdWare.Win32.Agent.ahl skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP595\A0143722.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP595\A0143835.exe Infected: not-a-virus:AdWare.Win32.Sahat.bp skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP598\A0150636.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP599\A0150661.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP606\A0155029.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP607\A0155045.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP609\A0155095.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP609\A0155099.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP618\A0157569.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\EventCache\{B4E9E2EA-B09E-4714-AD21-C327C84977B6}.bin Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\astlkdbf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\CatRoot2\edb.log Object is locked skipped
C:\WINNT\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINNT\system32\cdcyunih.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\system.LOG Object is locked skipped
C:\WINNT\system32\ddcyw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\drivers\etc\Hosts.bak Object is locked skipped
C:\WINNT\system32\duhssetc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\etxacunt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\giibnrfu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\gnncnfbg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\h323log.txt Object is locked skipped
C:\WINNT\system32\jgtesfjg.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\jtoihshj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\kfbbbcxc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\lbqyfwfm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\lslldncp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\ovmnaqgr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\pcnclswk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\rwlleqlx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\tbhawcfc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\urqomnl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\vjaymjws.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINNT\system32\xxyaxvt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\Temp\JET542.tmp Object is locked skipped
C:\WINNT\Temp\JET5BF.tmp Object is locked skipped
C:\WINNT\wiadebug.log Object is locked skipped
C:\WINNT\wiaservc.log Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
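The report above is plain text with one object per line, which makes it easy to answer the two questions a helper asks first: how many of the hits are live files under system32 versus copies sitting in System Restore snapshots (inert until a restore is performed), and whether the scan removed anything (the last column is the action taken, and it reads "skipped" for every object here, so nothing on disk changed). The script below is an added example, not part of the original post or of Kaspersky's tooling; the sample lines are constructed in the report's format from a few of the entries above, and the line layout the regex assumes (path, then status, then action) is this example's reading of the log.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample in the format of the Kaspersky Online Scanner report above
# (a handful of its lines, not the whole log).
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP586\A0110930.exe/TopSearch.dll Infected: not-a-virus:AdWare.Win32.Altnet.d skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP586\A0110930.exe CAB: infected - 1 skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP598\A0150636.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\astlkdbf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\ddcyw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINNT\system32\config\SAM Object is locked skipped

Scan process completed.
"""

# Assumed line layout: <path>, then one of three status forms, then the action taken.
#   "<path> Object is locked <action>"
#   "<path> Infected: <detection> <action>"
#   "<path> <archive type>: infected - <n> <action>"   (container summary for the member above it)
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:(?P<locked>Object is locked)"
    r"|Infected: (?P<detection>\S+)"
    r"|(?P<container>\S+): infected - (?P<count>\d+)) "
    r"(?P<action>\S+)$"
)

RESTORE_MARKER = r"\System Volume Information\_restore"


@dataclass
class Record:
    path: str
    status: str                 # "locked", "infected" or "container"
    detection: Optional[str]    # detection name for "infected" records
    action: str                 # last column, e.g. "skipped"

    @property
    def in_restore_point(self) -> bool:
        # Copies held in System Restore snapshots cannot run until restored
        return RESTORE_MARKER in self.path

    @property
    def in_archive(self) -> bool:
        # Kaspersky separates an archive member from its container with "/"
        return "/" in self.path


def parse_report(text: str) -> List[Record]:
    records: List[Record] = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # header, blank and "Scan process completed." lines
        if m["locked"]:
            status = "locked"
        elif m["detection"]:
            status = "infected"
        else:
            status = "container"
        records.append(Record(m["path"], status, m["detection"], m["action"]))
    return records


def summarize(records: List[Record]) -> Dict[str, object]:
    infected = [r for r in records if r.status == "infected"]
    return {
        "locked": sum(r.status == "locked" for r in records),
        "infected": len(infected),
        "by_detection": Counter(r.detection for r in infected),
        # Hits outside System Restore are the ones that can actually execute
        "live": sorted(r.path for r in infected if not r.in_restore_point),
        "restore_point": sum(r.in_restore_point for r in infected),
        # "skipped" means the scanner reported the object and left it in place
        "left_in_place": sum(r.action == "skipped" for r in infected),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_report(SAMPLE_REPORT)).items():
        print(f"{key}: {value}")
```

Run it over the full report pasted above and the `live` list is the set of random-named DLLs in C:\WINNT\system32 (the Virtumonde droppers), while everything under `_restore{...}` is a snapshot copy that goes away when System Restore is flushed after the cleanup.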

LadyBriggan
2008-03-07, 00:38
I believe I'm also supposed to post the HJT log here. If not, apologies:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:35:00 PM, on 3/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\acs.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\system32\Rundll32.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {03CA3EED-B01A-40A2-BCF5-EB76140E2C4F} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1D0BA451-88AB-44A9-B57D-3C98A9801C99} - (no file)
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: (no name) - {3AAC958D-9582-4B31-86B1-DDA980240ED3} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5B2038C2-7360-4328-B336-6B2967BC3D14} - (no file)
O2 - BHO: (no name) - {85b9cdbe-f3ef-4195-9858-4eddf9a543bd} - (no file)
O2 - BHO: (no name) - {9632D3F0-7E91-4F43-BC20-A37791169E7D} - (no file)
O2 - BHO: (no name) - {A41DC74E-1555-422A-8F48-F4E8DD4A52D7} - (no file)
O2 - BHO: (no name) - {BA160267-D574-443C-9DAC-B894A93D630D} - (no file)
O2 - BHO: (no name) - {BECDE71C-3CCA-4CCD-8E38-1F2DA270ECA2} - C:\WINNT\system32\ddcyw.dll (disabled by BHODemon)
O2 - BHO: (no name) - {C67FEC69-D1F7-46E6-8964-26E7C1AE7AF5} - (no file)
O2 - BHO: (no name) - {C6C565C1-B0E4-44AB-8E63-0CF81EBBC848} - (no file)
O2 - BHO: (no name) - {F4F6345C-251E-469A-A304-6F0D7EB5DB26} - (no file)
O2 - BHO: (no name) - {f58a2ee2-effa-4a3f-9318-1e977b03442a} - (no file)
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [b8ded18c] rundll32.exe "C:\WINNT\system32\efdgeltp.dll",b
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKLM\..\Run: [BMbbede210] Rundll32.exe "C:\WINNT\system32\jtoihshj.dll",s
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\RunOnce: [] C:\Program Files\Mozilla Firefox\firefox.exe http://www.symantec.com/techsupp/servlet/ProductMessages?module=2007&error=0&language=en&product=SymNRT&version=2008.0.2.17&build=Symantec&a=00000082.00000045.00000119&b=00000082.00000049.000000b9&c=00000082.00000096.000001da
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WG311T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Lady Briggan\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185837395453
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: pbxhmdbf - C:\WINNT\
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINNT\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Desktop Manager 5.7.801.1629 (GoogleDesktopManager-010108-205858) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)

--
End of file - 7127 bytes
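The HJT log above shows the persistence the rest of the thread goes after: O4 Run entries that use rundll32 to load DLLs with random eight-letter names from system32 via a one-letter export (`,b` and `,s`), an unnamed O2 BHO pointing at another such DLL, a Winlogon Notify package whose path is cut off at `C:\WINNT\`, and a cluster of O2 entries whose DLL has already been deleted. The triage script below is an added example, not from the original thread or from HijackThis; the random-name rule (all-lowercase stems of 5 to 8 letters, or a single-character rundll32 entry point) is an assumption of this example that will need tuning on other logs, and the sample lines are constructed from the patterns in the log above.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import List

# Constructed sample in HijackThis v2 format, patterned on the log above
# (a few representative lines, not the whole log).
SAMPLE_HJT = r"""
O2 - BHO: (no name) - {03CA3EED-B01A-40A2-BCF5-EB76140E2C4F} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {BECDE71C-3CCA-4CCD-8E38-1F2DA270ECA2} - C:\WINNT\system32\ddcyw.dll (disabled by BHODemon)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [b8ded18c] rundll32.exe "C:\WINNT\system32\efdgeltp.dll",b
O4 - HKLM\..\Run: [BMbbede210] Rundll32.exe "C:\WINNT\system32\jtoihshj.dll",s
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O18 - Filter hijack: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: pbxhmdbf - C:\WINNT\
"""

# Heuristic (an assumption of this example): the dropped DLLs seen in this thread
# have stems of 5 to 8 random lowercase letters. Tune or add an allow-list as needed.
RANDOM_STEM_RE = re.compile(r"[a-z]{5,8}")

# rundll32 <dll>,<entry point>, with optional quotes around the DLL path
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?\.dll)"?,(?P<entry>\S+)', re.IGNORECASE
)


@dataclass
class Finding:
    line: str
    severity: str   # "suspicious" (likely active persistence) or "orphaned" (stale entry)
    reason: str


def looks_random(name: str) -> bool:
    """True when the file name (a full path is fine) has a random-looking stem."""
    stem, _ = ntpath.splitext(ntpath.basename(name))
    return RANDOM_STEM_RE.fullmatch(stem) is not None


def triage(log_text: str) -> List[Finding]:
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if " - " not in line:
            continue
        code, rest = line.split(" - ", 1)

        if code == "O2":
            # "O2 - BHO: <name> - {CLSID} - <dll path>"
            target = rest.rsplit(" - ", 1)[-1]
            if target == "(no file)":
                findings.append(Finding(line, "orphaned", "BHO CLSID registered but its DLL is gone"))
            elif "(no name)" in rest and looks_random(target.split(" (")[0]):
                findings.append(Finding(line, "suspicious", "unnamed BHO loads a random-named DLL"))

        elif code == "O4":
            m = RUNDLL_RE.search(rest)
            if m and (looks_random(m["dll"]) or len(m["entry"]) == 1):
                findings.append(Finding(line, "suspicious", "Run key uses rundll32 on a random-named DLL or one-letter export"))

        elif code == "O18" and "(no file)" in rest:
            findings.append(Finding(line, "orphaned", "MIME filter registered without a handler file"))

        elif code == "O20" and rest.startswith("Winlogon Notify: ") and " - " in rest:
            name, path = rest[len("Winlogon Notify: "):].split(" - ", 1)
            if looks_random(name) or not ntpath.basename(path):
                findings.append(Finding(line, "suspicious", "Winlogon Notify package with random name or truncated path"))
    return findings


def by_severity(findings: List[Finding], severity: str) -> List[str]:
    return [f.line for f in findings if f.severity == severity]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```

Entries marked orphaned are registrations whose file is already gone; they do nothing but should still be stripped so the log stops showing them. The suspicious ones are the entries still loading code at logon, which is why the helper's next step is a Vundo-specific removal tool rather than another scan.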

pskelley
2008-03-07, 18:51
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected. I suggest you keep this computer offline except when troubleshooting; the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully; the tools will not work unless you do.

Looks like you have been fighting this one for a while.
SUPERAntiSpyware <<< do you own this program? Please turn it off so it will not block our tools.

1) Thanks to Atribune and any others who helped with this fix.

http://vundofix.atribune.org/ <<< tutorial

"Download VundoFix" to your Desktop

http://www.atribune.org/ccount/click.php?id=4

Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will attempt to run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on C:\

(wait until you finish to post reports and logs)

2) Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click combofix's window while it's running. That may cause it to stall.

Post the Vundofix.txt, combofix log and a new HJT log.

Thanks

LadyBriggan
2008-03-07, 19:28
Thank you for the welcome, and for replying so quickly.

SUPERAntiSpyware is disabled. I picked up VundoFix and upon clicking the icon, got this:

Run-time error '339':
Component 'comdlg32.ocx' or one of its dependencies not correctly registered: a file is missing or invalid


Have done nothing else, will wait for reply.

pskelley
2008-03-07, 19:44
Thanks for the feedback, follow the directions carefully.
Go here: http://www.boletrice.com/missingfiles.html
and follow these directions:
Run-time error 339
Component ‘comdlg32.ocx’ or one of its dependencies not correctly registered: a file is missing or invalid.

Download comdlg32.ocx to your System folder by clicking the link: www.boletrice.com/downloads/comdlg32.ocx. After downloading, register the file by clicking Start - Run and typing "Regsvr32 c:\windows\system32\comdlg32.ocx"

Then give Vundofix another try, you may need a restart.

Thanks

LadyBriggan
2008-03-08, 01:15
VundoFix V7.0.1

Scan started at 2:53:22 PM 3/7/2008

Listing files found while scanning....

No infected files were found.



ComboFix 08-03-07.1 - Lady Briggan 2008-03-07 15:06:13.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1686 [GMT -8:00]
Running from: C:\Documents and Settings\Lady Briggan\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINNT\system32\htybufqs.dllbox
.
---- Previous Run -------
.
C:\Documents and Settings\All Users\documents\setup.exe
C:\setup.exe
C:\WINNT\BMbbede210.xml
C:\WINNT\pskt.ini
C:\WINNT\system32\akllcbyq.ini
C:\WINNT\system32\astlkdbf.dll
C:\WINNT\system32\cdcyunih.dll
C:\WINNT\system32\cxcbbbfk.ini
C:\WINNT\system32\ddcyw.dll
C:\WINNT\system32\duhssetc.dll
C:\WINNT\system32\etxacunt.dll
C:\WINNT\system32\giibnrfu.dll
C:\WINNT\system32\gnncnfbg.dll
C:\WINNT\system32\hinuycdc.ini
C:\WINNT\system32\hjkkj.ini
C:\WINNT\system32\hjkkj.ini2
C:\WINNT\system32\ivmqeyis.ini
C:\WINNT\system32\jgtesfjg.dll
C:\WINNT\system32\jtoihshj.dll
C:\WINNT\system32\kfbbbcxc.dll
C:\WINNT\system32\kwslcncp.ini
C:\WINNT\system32\lbqyfwfm.dll
C:\WINNT\system32\lslldncp.dll
C:\WINNT\system32\muujxfad.ini
C:\WINNT\system32\nGpxx18
C:\WINNT\system32\ovmnaqgr.dll
C:\WINNT\system32\pac.txt
C:\WINNT\system32\pcnclswk.dll
C:\WINNT\system32\rwlleqlx.dll
C:\WINNT\system32\siyeqmvi.dll
C:\WINNT\system32\tbhawcfc.dll
C:\WINNT\system32\urqomnl.dll
C:\WINNT\system32\vjaymjws.dll
C:\WINNT\system32\winsys.exe
C:\WINNT\system32\wvvwa.ini
C:\WINNT\system32\wvvwa.ini2
C:\WINNT\system32\wycdd.ini
C:\WINNT\system32\wycdd.ini2
C:\WINNT\system32\xxyaxvt.dll
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((( Files Created from 2008-02-07 to 2008-03-07 )))))))))))))))))))))))))))))))
.

2008-03-07 14:53 . 2008-03-07 14:53 <DIR> d-------- C:\VundoFix Backups
2008-03-07 14:44 . 2008-03-07 14:47 140,288 --a------ C:\WINNT\system32\comdlg32.ocx
2008-03-06 14:34 . 2008-03-06 14:34 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-06 12:22 . 2008-01-12 18:32 23,904 --a------ C:\WINNT\system32\drivers\COH_Mon.sys
2008-03-06 12:22 . 2008-01-15 09:54 10,537 --a------ C:\WINNT\system32\drivers\COH_Mon.cat
2008-03-06 12:22 . 2008-01-15 05:28 706 --a------ C:\WINNT\system32\drivers\COH_Mon.inf
2008-03-06 11:24 . 2008-03-06 11:24 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2008-03-06 11:24 . 2008-03-06 11:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-06 11:12 . 2008-03-06 11:12 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-05 22:32 . 2008-03-05 22:32 <DIR> d-------- C:\Documents and Settings\Lady Briggan\Application Data\Symantec
2008-03-05 21:32 . 2008-03-05 21:55 354 ---hs---- C:\WINNT\system32\ptlegdfe.ini
2008-03-05 20:51 . 2008-03-07 15:05 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-03-05 20:51 . 2008-03-07 15:05 <DIR> d-------- C:\Documents and Settings\Lady Briggan\Application Data\SUPERAntiSpyware.com
2008-03-05 20:03 . 2008-03-06 10:51 <DIR> d-------- C:\Program Files\Norton 360
2008-03-05 20:02 . 2008-03-06 00:16 123,952 --a------ C:\WINNT\system32\drivers\SYMEVENT.SYS
2008-03-05 20:02 . 2008-03-06 00:16 60,800 --a------ C:\WINNT\system32\S32EVNT1.DLL
2008-03-05 20:01 . 2008-03-06 00:16 <DIR> d-------- C:\Program Files\Symantec
2008-03-05 19:20 . 2008-03-05 19:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-03-04 14:37 . 2008-03-04 17:10 <DIR> d-------- C:\Program Files\Microsoft Silverlight
2008-03-04 13:20 . 2008-03-04 13:59 354 ---hs---- C:\WINNT\system32\nfkwggqo.ini
2008-03-04 12:24 . 2008-03-04 12:24 294 ---hs---- C:\WINNT\system32\ioyprmpw.ini
2008-03-01 17:30 . 2008-03-01 17:32 <DIR> d-------- C:\N360_BACKUP
2008-03-01 16:47 . 2008-03-01 16:47 <DIR> d-------- C:\Program Files\MtStudio
2008-03-01 16:47 . 2008-03-01 16:47 <DIR> d-------- C:\Documents and Settings\Lady Briggan\Application Data\MtStudio
2008-03-01 01:52 . 2007-03-21 20:33 348,160 --a------ C:\WINNT\system32\MSVCR71.DL1
2008-02-29 21:34 . 2008-03-06 00:16 10,740 --a------ C:\WINNT\system32\drivers\SYMEVENT.CAT
2008-02-29 21:34 . 2008-03-06 00:16 805 --a------ C:\WINNT\system32\drivers\SYMEVENT.INF
2008-02-29 21:25 . 2008-02-29 21:25 354 --ahs---- C:\WINNT\system32\knxdgywa.ini
2008-02-29 21:21 . 2008-02-29 21:21 294 --ahs---- C:\WINNT\system32\rykbwlkw.ini
2008-02-29 15:14 . 2008-02-29 16:00 294 --ahs---- C:\WINNT\system32\xjxctsji.ini
2008-02-28 08:17 . 2008-02-28 08:17 294 --ahs---- C:\WINNT\system32\ejaojxtb.ini
2008-02-27 22:20 . 2008-02-27 22:20 294 --ahs---- C:\WINNT\system32\ofhnoung.ini
2008-02-27 15:23 . 2004-08-03 22:58 14,848 --a------ C:\WINNT\system32\drivers\kbdhid.sys
2008-02-27 15:23 . 2004-08-03 22:58 14,848 --a--c--- C:\WINNT\system32\dllcache\kbdhid.sys
2008-02-26 22:20 . 2008-02-26 22:20 294 --ahs---- C:\WINNT\system32\ykqnfawa.ini
2008-02-26 20:54 . 2008-03-04 13:59 473 --a------ C:\WINNT\wininit.ini
2008-02-26 11:09 . 2008-02-26 11:26 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-25 22:14 . 2008-02-26 10:42 894 --ahs---- C:\WINNT\system32\wqubxsuo.ini
2008-02-25 16:25 . 2008-02-26 11:39 <DIR> d-------- C:\WINNT\system32\iDlo18
2008-02-25 11:11 . 2008-02-25 11:11 <DIR> d-------- C:\WINNT\Sun
2008-02-24 22:13 . 2008-02-25 22:13 654 --ahs---- C:\WINNT\system32\apnuryrg.ini
2008-02-23 22:10 . 2008-02-24 22:10 414 --ahs---- C:\WINNT\system32\csdfgkxw.ini
2008-02-23 11:50 . 2008-02-23 11:50 <DIR> d-------- C:\Documents and Settings\All Users\Symantec Temporary Files
2008-02-23 11:06 . 2008-02-23 11:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems
2008-02-23 11:01 . 2008-02-23 11:01 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2008-02-23 10:00 . 2008-02-23 10:00 147,456 --a------ C:\WINNT\system32\vbzip10.dll
2008-02-23 09:57 . 2008-03-05 20:46 <DIR> d-------- C:\Temp
2008-02-23 09:40 . 2008-02-23 10:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Bait cake roam slow

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-07 23:05 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-03-06 23:09 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-06 20:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-03-06 19:14 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-03 23:03 --------- d-----w C:\Program Files\Common Files\Adobe
2008-02-26 19:15 --------- d-----w C:\Documents and Settings\Lady Briggan\Application Data\Lavasoft
2008-02-26 00:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-25 19:18 --------- d-----w C:\Program Files\Google
2008-02-23 18:55 163,840 ----a-w C:\WINNT\IsUninst.exe
2008-02-06 06:46 --------- d-----w C:\Program Files\VentSrv
2008-02-03 00:19 --------- d-----w C:\Program Files\Trillian
2008-01-30 11:01 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-30 02:57 17,801 ----a-w C:\WINNT\system32\drivers\AegisP.sys
2008-01-30 02:57 --------- d-----w C:\Program Files\NETGEAR
2008-01-30 02:54 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-29 23:02 --------- d-----w C:\Documents and Settings\Lady Briggan\Application Data\Hewlett-Packard
2008-01-29 22:38 --------- d-----w C:\Program Files\Hewlett-Packard
2008-01-29 22:36 --------- d-----w C:\Program Files\Common Files\Hewlett-Packard
2008-01-29 05:01 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-01-29 00:26 --------- d-----w C:\Program Files\Wizards
2007-12-07 00:44 666,112 ----a-w C:\WINNT\system32\wininet.dll
2006-06-24 12:47 271 --sh--w C:\Program Files\desktop.ini
2006-06-24 12:47 21,952 -c-ha-w C:\Program Files\folder.htt
2005-09-20 19:05 456,768 ----a-w C:\WINNT\inf\WG311T\WG311T13.sys
2004-10-20 03:58 35,232 ----a-w C:\WINNT\inf\WG311T\ME_INST.EXE
2004-10-20 03:58 26,112 ----a-w C:\WINNT\inf\WG311T\install.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"@"="C:\Program Files\Mozilla Firefox\firefox.exe" [2008-02-11 09:18 7655024]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMediaCenter"="C:\WINNT\system32\NvMcTray.dll" [2006-03-07 15:24 86016]
"NvCplDaemon"="C:\WINNT\system32\NvCpl.dll" [2006-03-07 15:24 7557120]
"googletalk"="C:\Program Files\Google\Google Talk\googletalk.exe" [2007-01-01 13:22 3739648]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-25 11:18 29744]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-07-17 17:54 116072]
"b8ded18c"="C:\WINNT\system32\efdgeltp.dll" [ ]
"Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-29 17:38 583048]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 12:05:56 65588]
NETGEAR WG311T Smart Wizard.lnk - C:\Program Files\NETGEAR\WG311T\wlancfg5.exe [2006-02-22 11:59:32 1486848]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pbxhmdbf]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINNT\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 08:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
C:\Program Files\Norton Internet Security\osCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINNT\\system32\\dpnsvr.exe"=
"C:\\WINNT\\system32\\dpvsetup.exe"=
"C:\\WINNT\\system32\\rundll32.exe"=
"F:\\SpellForce II\\spellforce2.exe"=
"F:\\Dungeon Siege II\\DungeonSiege2.exe"=
"F:\\NWN2\\nwn2main.exe"=
"F:\\NWN2\\nwn2main_amdxp.exe"=
"F:\\NWN2\\nwupdate.exe"=
"F:\\NWN2\\nwn2server.exe"=
"C:\\Program Files\\Sony\\Station\\LaunchPad\\LaunchPad.exe"=
"F:\\Starcraft\\StarCraft.exe"=
"C:\\Program Files\\Google\\Google Talk\\googletalk.exe"=
"C:\\Program Files\\Trillian\\trillian.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=

S3 GoogleDesktopManager-010108-205858;Google Desktop Manager 5.7.801.1629;"C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2008-02-25 11:18]
S3 usbprint;Microsoft USB PRINTER Class;C:\WINNT\system32\DRIVERS\usbprint.sys [2004-08-03 22:01]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{4ed4cfcf-038b-11db-891a-806d6172696f}]
\Shell\AutoRun\command - D:\Setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{58577431-03b2-11db-b747-806d6172696f}]
\Shell\AutoRun\command - E:\Launch.exe

*Newly Created Service* - COMHOST
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-07 15:08:19
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\system32\winlogon.exe
-> C:\WINNT\system32\ginamsi.dll
-> C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
.
Completion time: 2008-03-07 15:09:08
ComboFix-quarantined-files.txt 2008-03-07 23:09:06
.
2008-02-13 11:02:48 --- E O F ---

LadyBriggan
2008-03-08, 01:16
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:11:49 PM, on 3/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\acs.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
C:\WINNT\system32\msiexec.exe
C:\WINNT\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [b8ded18c] rundll32.exe "C:\WINNT\system32\efdgeltp.dll",b
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - HKCU\..\RunOnce: [] C:\Program Files\Mozilla Firefox\firefox.exe http://www.symantec.com/techsupp/servlet/ProductMessages?module=2007&error=0&language=en&product=SymNRT&version=2008.0.2.17&build=Symantec&a=00000082.00000045.00000119&b=00000082.00000049.000000b9&c=00000082.00000096.000001da
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WG311T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Lady Briggan\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185837395453
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: pbxhmdbf - C:\WINNT\
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINNT\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Desktop Manager 5.7.801.1629 (GoogleDesktopManager-010108-205858) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)

--
End of file - 5913 bytes

pskelley
2008-03-08, 02:34
Thanks for returning your information, I see this item in the combofix log:
C:\Documents and Settings\All Users\Application Data\Bait cake roam slow
This is probably evidence of a LOP/C2 Media infection, see this:
http://research.sunbelt-software.com/threatdisplay.aspx?name=C2.lop&threatid=8144
Once we remove Vundo, we will have to check for this.


1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Open a new notepad window
Paste the list of files from the quote box below into the notepad window.


C:\WINNT\system32\nfkwggqo.ini
C:\WINNT\system32\ptlegdfe.ini
C:\WINNT\system32\knxdgywa.ini
C:\WINNT\system32\rykbwlkw.ini
C:\WINNT\system32\xjxctsji.ini
C:\WINNT\system32\ejaojxtb.ini
C:\WINNT\system32\ofhnoung.ini
C:\WINNT\system32\ykqnfawa.ini
C:\WINNT\system32\wqubxsuo.ini
C:\WINNT\system32\apnuryrg.ini
C:\WINNT\system32\csdfgkxw.ini
C:\WINNT\system32\efdgeltp.dll
C:\WINNT\system32\ioyprmpw.ini

Save this as vundofix.vft and Save as type "all files".
Double-click VundoFix.exe to run it.
Drag vundofix.vft onto the listbox (white box) of VundoFix. Click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions
starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

4) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

(if you set the first one like this, you may leave it)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [b8ded18c] rundll32.exe "C:\WINNT\system32\efdgeltp.dll",b
O4 - HKCU\..\RunOnce: [] C:\Program Files\Mozilla Firefox\firefox.exe http://www.symantec.com/techsupp/ser...00096.000001da
O20 - Winlogon Notify: pbxhmdbf - C:\WINNT\

Close all programs but HJT and all browser windows, then click on "Fix Checked"

5) Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\WINNT\system32\efdgeltp.dll <<< make sure that file is gone

C:\Documents and Settings\All Users\Application Data\Bait cake roam slow <<< Delete this folder if there

6) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the Vundofix report, a new HJT log and some feedback. How is the computer running?

Thanks
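The triage a helper does by eye above, written out as an added example (not part of this thread and not VundoFix's, HijackThis's or ComboFix's own code): it scans HJT and ComboFix-style log lines, constructed here from the lines posted in this thread, for the three Vundo traits visible in them and builds the same kind of file list pskelley pasted into the quote box. The reversed-name companion .ini is a heuristic drawn from that list (efdgeltp.dll listed beside ptlegdfe.ini), not something the tools report.

```python
import re
from dataclasses import dataclass

# Name shapes seen in this thread's logs: the Vundo DLL and .ini names are
# 8 random lowercase letters; the Run value it registers is 8 hex digits.
RANDOM8 = r"[a-z]{8}"
HEX8 = r"[0-9a-f]{8}"

# HijackThis O4: [b8ded18c] rundll32.exe "C:\WINNT\system32\efdgeltp.dll",b
O4_RUNDLL = re.compile(
    r'^O4 - HK(?:LM|CU)\\\.\.\\Run: \[(?P<name>' + HEX8 + r')\] '
    r'rundll32\.exe "(?P<dll>.*\\system32\\' + RANDOM8 + r'\.dll)"'
)
# HijackThis O20: Winlogon Notify: pbxhmdbf - C:\WINNT\
O20_NOTIFY = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>" + RANDOM8 + r") - (?P<path>.*)$"
)
# ComboFix new-file line: "<created> . <modified> <size> <attrs> <path>",
# kept only when the path is an 8-letter .ini directly under system32.
COMBOFIX_INI = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+[\d,]+\s+"
    r"(?P<attr>[-a-z]{9})\s+(?P<path>.*\\system32\\" + RANDOM8 + r"\.ini)$"
)
RANDOM_DLL = re.compile(r"\\" + RANDOM8 + r"\.dll$")


@dataclass(frozen=True)
class Finding:
    kind: str       # "run_rundll", "winlogon_notify" or "hidden_ini"
    evidence: str   # the file path or key name that triggered the rule
    line: str       # the log line it came from


def triage(lines):
    """Return a Finding for every line that shows one of the three traits."""
    findings = []
    for raw in lines:
        line = raw.rstrip()
        if m := O4_RUNDLL.match(line):
            findings.append(Finding("run_rundll", m.group("dll"), line))
        elif m := O20_NOTIFY.match(line):
            path = m.group("path")
            # A Notify subkey that points at a bare folder, or at a random
            # 8-letter DLL, is the Vundo shape; legitimate ones name a DLL.
            if path.endswith("\\") or RANDOM_DLL.search(path):
                findings.append(Finding("winlogon_notify", m.group("name"), line))
        elif m := COMBOFIX_INI.match(line):
            attr = m.group("attr")
            # Hidden + system attributes on a random-named .ini in system32.
            if "h" in attr and "s" in attr:
                findings.append(Finding("hidden_ini", m.group("path"), line))
    return findings


def companion_ini(dll_path: str) -> str:
    """Heuristic from this thread's removal list: the .ini dropped beside the
    DLL has the DLL's base name reversed (efdgeltp.dll -> ptlegdfe.ini)."""
    folder, _, fname = dll_path.rpartition("\\")
    base = fname[:-len(".dll")]
    return f"{folder}\\{base[::-1]}.ini"


def removal_list(findings):
    """Files to hand to a removal tool, in the shape of the quote-box list above.
    Registry keys (the Run value, the Notify subkey) are left to the HJT fix."""
    files = set()
    for f in findings:
        if f.kind == "run_rundll":
            files.add(f.evidence)
            files.add(companion_ini(f.evidence))
        elif f.kind == "hidden_ini":
            files.add(f.evidence)
    return sorted(files)


# Constructed sample: lines taken from the HJT and ComboFix logs in this thread,
# plus two benign ones (kbdhid.sys, vbzip10.dll) that must not be flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [b8ded18c] rundll32.exe "C:\WINNT\system32\efdgeltp.dll",b
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: pbxhmdbf - C:\WINNT\
2008-03-04 13:20 . 2008-03-04 13:59 354 ---hs---- C:\WINNT\system32\nfkwggqo.ini
2008-02-29 21:25 . 2008-02-29 21:25 354 --ahs---- C:\WINNT\system32\knxdgywa.ini
2008-02-27 15:23 . 2004-08-03 22:58 14,848 --a------ C:\WINNT\system32\drivers\kbdhid.sys
2008-02-23 10:00 . 2008-02-23 10:00 147,456 --a------ C:\WINNT\system32\vbzip10.dll
""".strip().splitlines()


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:16} {f.evidence}")
    print("files to remove:")
    for path in removal_list(found):
        print("  " + path)
```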

LadyBriggan
2008-03-08, 03:42
Beginning removal...

Performing Repairs to the registry.
Done!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:32:44 PM, on 3/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\acs.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINNT\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINNT\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [googletalk] C:\Program Files\Google\Google Talk\googletalk.exe /autostart
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: NETGEAR WG311T Smart Wizard.lnk = C:\Program Files\NETGEAR\WG311T\wlancfg5.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Lady Briggan\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1185837395453
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINNT\system32\acs.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Desktop Manager 5.7.801.1629 (GoogleDesktopManager-010108-205858) - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ventrilo - Unknown owner - C:\Program Files\VentSrv\ventrilo_svc.exe (file missing)

--
End of file - 5348 bytes



Feedback: Machine is still booting up slowly. Once I log in, it takes over a minute for my icons and such to load up. I don't recall it taking that long. It also seems to lose programs to hanging about as often; though I can move between programs a bit faster now.

LadyBriggan
2008-03-08, 03:49
I forgot to add:

C:\WINNT\system32\efdgeltp.dll <<< make sure that file is gone

C:\Documents and Settings\All Users\Application Data\Bait cake roam slow <<< Delete this folder if there

The top file was already gone, the bottom file needed deleting.

pskelley
2008-03-08, 04:04
Thanks for returning your information, I appreciate the feedback, please be patient. Once I am sure malware has been removed, I will do what I can to improve performance.

Your HJT log looks clean of malware, please post an uninstall list and a new Kaspersky Online scan. I am also interested in how much RAM you have installed, if you do not know, follow the directions to find out.

During the cleanup we cleaned your Prefetch folder, until Windows repopulates Prefetch, boot times will be slower.
http://www.windowsnetworking.com/articles_tutorials/Gaining-Speed-Empty-Prefetch-XP.html

1) Open Hijackthis.
Click the "Open the Misc Tools" section Button.
Click the "Open Uninstall Manager" Button.
Click the "Save list..." Button.
Save it to your desktop. Copy and paste the contents into your reply.
(You may edit out Microsoft, Hotfixes, Security Update for Windows XP, Update for Windows XP and Windows XP Hotfix to shorten the list)

2) RAM: Right click on MyComputer > Click on Properties > RAM will be in the bottom right corner.

3) Start looking at this information as time permits:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

4) Besides slow boot times, are you seeing any other symptoms of malware? Popups? Error messages?

5) Run Kaspersky Online Scan using these settings:
* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here along with the uninstall list and any other information I requested.

Thanks

LadyBriggan
2008-03-10, 21:26
Not in much of a rush to get this done, I want this done right and you've been a tremendous help in achieving that!


Here is my HJTUnintall:

Adobe Bridge 1.0
Adobe Flash Player ActiveX
Adobe Flash Player Plugin
Adobe Reader 8.1.1
Age of Mythology
Age of Mythology - The Titans Expansion
AppCore
AV
Belarc Advisor 7.1
BioWare Premium Module: Neverwinter Nights - Kingmaker
BioWare Premium Module: Neverwinter Nights - ShadowGuard
BioWare Premium Module: Neverwinter Nights - Witch's Wake
ccCommon
D&D Character Generator Demo
DB's EQ2 Mod
Disciples 2 Gold Gallean
Disciples II Rise of the Elves
Dungeon Siege 2
Dungeon Siege Legends of Aranna
EasyCleaner
Elys DS2 Succubus Manager
EverQuest II
GearDrvs
Google Desktop
Google Talk (remove only)
Guild Wars
High Definition Audio Driver Package - KB888111
HijackThis 2.0.2
HP Photo and Imaging 2.0 - All-in-One
HP Photo and Imaging 2.0 - All-in-One Drivers
Kaspersky Online Scanner
LiveUpdate 3.2 (Symantec Corporation)
LiveUpdate Notice (Symantec Corporation)
LockBox
Mahjong Towers Eternity (remove only)
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Office 2000 Professional
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Visual C++ 2005 Redistributable
Mozilla Firefox (2.0.0.12)
Mozilla Thunderbird (1.5.0.14)
MSI Live Update 3
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 6.0 Parser (KB933579)
MSXML4 Parser
MultitrackStudio Lite 4.31
NETGEAR WG311T Wireless Adapter
Neverwinter Nights
Neverwinter Nights 2
Norton 360
Norton 360
Norton 360
Norton 360 (Symantec Corporation)
Norton 360 Help
Norton Confidential Browser Component
Norton Confidential Web Authentification Component
Norton Confidential Web Protection Component
NVIDIA Drivers
PasswordKeeper
Realtek AC'97 Audio
SecureDoc
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Shockwave
SoulSeekkor's TQ Defiler
SoulSeekkor's TQ Defiler (C:\Program Files\TQDefiler\)
SoulSeekkor's TQ Defiler (f:\TQDefiler\)
SPBBC 32bit
SpellForce 2 - Shadow Wars
Spybot - Search & Destroy
Starcraft
SuppSoft
Symantec Technical Support Controls
SymNet
Titan Quest
Titan Quest Immortal Throne
Trillian
WinRAR archiver
World of Warcraft


My machine sports 2G of RAM, verified.


The only popup I've seen is Norton telling me about a scan, though I have disabled it until this troubleshooting is complete. I am also no longer seeing any error messages. I haven't done a lot of testing with it otherwise, preferring to wait until instructed in case I accidentally trigger something else [that'd be my luck]. I haven't restarted the machine yet, so I can't assess the time it takes to boot up; though my browser seems to be okay the times I used it.


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, March 10, 2008 12:18:56 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/03/2008
Kaspersky Anti-Virus database records: 562842
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 103007
Number of viruses found: 2
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 01:16:31

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\8719798D.TMP Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped
C:\Documents and Settings\Lady Briggan\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Lady Briggan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Lady Briggan\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Lady Briggan\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Lady Briggan\Local Settings\History\History.IE5\MSHist012008031020080311\index.dat Object is locked skipped
C:\Documents and Settings\Lady Briggan\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Lady Briggan\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Lady Briggan\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.7\NCOWAD.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.7\NCOWADMT.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.7\NCOWAS.dat Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.7\NCOWAS.ldb Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
C:\Program Files\Norton 360\Log\AutoProtect.log Object is locked skipped
C:\Program Files\Norton 360\Log\AVContext.log Object is locked skipped
C:\Program Files\Norton 360\Log\AVManual.log Object is locked skipped
C:\Program Files\Norton 360\Log\Backup.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetPageViewHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetSearchHistory.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUInternetTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\CUWindowsTempFiles.log Object is locked skipped
C:\Program Files\Norton 360\Log\EmailScan.log Object is locked skipped
C:\Program Files\Norton 360\Log\InternetSecurity.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIntrusionPrevented.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISIOTraffic.log Object is locked skipped
C:\Program Files\Norton 360\Log\ISNewNetwork.log Object is locked skipped
C:\Program Files\Norton 360\Log\LiveUpdate.log Object is locked skipped
C:\Program Files\Norton 360\Log\NCO.log Object is locked skipped
C:\Program Files\Norton 360\Log\VABrowserSettings.log Object is locked skipped
C:\Program Files\Norton 360\Log\VAIPAddresses.log Object is locked skipped
C:\Program Files\Norton 360\Log\VAWeakPasswords.log Object is locked skipped
C:\Program Files\Norton 360\Log\WDFScanner.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP586\A0111915.exe Infected: Trojan-Downloader.Win32.Small.imu skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP586\A0111916.exe/data0006 Infected: Trojan-Downloader.Win32.VB.ceh skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP586\A0111916.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP624\change.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\SchedLgU.Txt Object is locked skipped
C:\WINNT\SoftwareDistribution\EventCache\{875C7BCB-8B91-46E3-A484-A7B91B440C64}.bin Object is locked skipped
C:\WINNT\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINNT\Sti_Trace.log Object is locked skipped
C:\WINNT\system32\CatRoot2\edb.log Object is locked skipped
C:\WINNT\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\system.LOG Object is locked skipped
C:\WINNT\system32\drivers\etc\Hosts.bak Object is locked skipped
C:\WINNT\system32\h323log.txt Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINNT\Temp\JET2DEC.tmp Object is locked skipped
C:\WINNT\Temp\JET2F34.tmp Object is locked skipped
C:\WINNT\wiadebug.log Object is locked skipped
C:\WINNT\wiaservc.log Object is locked skipped
C:\WINNT\WindowsUpdate.log Object is locked skipped
F:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

pskelley
2008-03-10, 21:55
Thanks for returning your information. To make the uninstall list a little shorter, though I really see nothing I can point at as malware, I will edit the items I asked not to be posted.

I suggest you take a look at that uninstall list to make sure there is nothing there you are not aware of.

KASPERSKY ONLINE SCANNER REPORT Monday, March 10, 2008 12:18:56 PM
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP586\A0111915.exe ------> Trojan-Downloader.Win32.Small.imu
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP586\A0111916.exe/data0006 ------> Trojan-Downloader.Win32.VB.ceh
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP586\A0111916.exe NSIS: infected - 1
All infected System Restore files, which can be cleaned with this information:
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Before we remove the tools we used, you must have seen this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Review that information to understand Recovery Console. Installation is optional, but if you do not have the CDs needed, as is explained, it can be installed before we remove combofix.
If you do not wish to install RC, let me know so I can continue with the cleanup.

Thanks
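As an added example (my own code, not anything posted in this thread), here is a small Python triage script for report lines in the Kaspersky Online Scanner format shown above: it separates "Object is locked skipped" noise from actual detections and flags whether every detection lives only inside System Restore points, which is the distinction the reply above draws. The report it parses is a constructed sample of a few lines; the Temp entry and its detection name are invented.

```python
import re

# Constructed sample in the Kaspersky Online Scanner 5 report format (Temp entry invented).
SAMPLE_REPORT = r"""
C:\WINNT\system32\config\SAM Object is locked skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP586\A0111915.exe Infected: Trojan-Downloader.Win32.Small.imu skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP586\A0111916.exe/data0006 Infected: Trojan-Downloader.Win32.VB.ceh skipped
C:\System Volume Information\_restore{DAC1A2A5-FFBB-481D-B4F1-AF22DD54042B}\RP586\A0111916.exe NSIS: infected - 1 skipped
C:\Documents and Settings\User\Local Settings\Temp\sample.tmp Infected: Example.Win32.Constructed.a skipped
"""

LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:(?P<locked>Object is locked skipped)"
    r"|Infected: (?P<name>\S+) (?P<action>\w+)"
    r"|(?P<container>\w+): infected - \d+ (?P<caction>\w+))$")
RESTORE_MARKER = "\\System Volume Information\\_restore{"

def parse_line(line):
    """Classify one report line; returns None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # "file.exe/data0006" names an object inside an archive or installer;
    # the part before the slash is the file actually on disk.
    disk_path, _, member = m.group("path").partition("/")
    rec = {"path": disk_path, "member": member or None,
           "in_restore_point": RESTORE_MARKER in disk_path}
    if m.group("locked"):      # in use by the OS, not scanned, not a detection
        rec.update(kind="locked", name=None, action="skipped")
    elif m.group("name"):      # a real detection with the scanner's verdict
        rec.update(kind="infected", name=m.group("name"), action=m.group("action"))
    else:                      # container summary line ("NSIS: infected - 1")
        rec.update(kind="container", name=m.group("container"), action=m.group("caction"))
    return rec

def triage(report):
    """Summarise a report: what was detected, and whether it lives only in restore points."""
    records = [r for r in map(parse_line, report.splitlines()) if r]
    hits = [r for r in records if r["kind"] == "infected"]
    return {
        "locked": sum(r["kind"] == "locked" for r in records),
        "detections": [(r["path"], r["name"], r["action"]) for r in hits],
        # Copies under _restore{...} are stale System Restore snapshots; they go
        # away when restore points are purged rather than by deleting files.
        "restore_point_only": bool(hits) and all(r["in_restore_point"] for r in hits),
        "still_present": [r["path"] for r in hits
                          if r["action"] == "skipped" and not r["in_restore_point"]],
    }
```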

LadyBriggan
2008-03-10, 22:36
Apologies for posting information you did not need.

I checked the uninstall list, and do not recognize the SymNet and SuppSoft entries.

I cleaned out and then restarted the System Restore point.

I did install the Recovery Console.

pskelley
2008-03-10, 23:08
Thanks for the feedback. Did you just install Recovery Console? If so, you should have received a .txt file indicating the installation worked.

I get this for SymNet: http://www.symnetaudio.com/index.php

and this for SuppSoft: http://mitglied.lycos.de/SuppSoft/index.php

If you have no use for them, uninstall them in Add Remove Programs.

If all is running well, remove all programs we downloaded for the cleanup. Make sure to delete the C:\Vundofix Backups\ and the C:\Qoobox\Quarantine\ folders. You may keep ATF-Cleaner if you wish. It is a nice small tool for cleaning.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...Phil
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.