
Kaspersky scan Results



debra23
2008-03-07, 13:33
This is only a portion of the results; the list was too long for this post.

Scan Statistics:
Total number of scanned objects: 113585
Number of viruses found: 16
Number of infected objects: 648
Number of suspicious objects: 2
Duration of the scan process: 01:28:10

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl.zip/mrofinu72.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WinSmallazl.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped
C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\6.0\51\4278fa73-6bd44059/vlocal.class Infected: Trojan-Downloader.Java.Agent.f skipped
C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\6.0\51\4278fa73-6bd44059 ZIP: infected - 1 skipped
C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0dc2-6edc746f.zip/vlocal.class Infected: Trojan-Downloader.Java.Agent.f skipped
C:\Documents and Settings\HP_Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0dc2-6edc746f.zip ZIP: infected - 1 skipped
C:\Documents and Settings\HP_Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\agcuiyjl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\aitofrwj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ebw skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\cnjcwwnn.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\evfsqwdc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\fusbkdhu.exe Infected: Backdoor.Win32.Agent.dbm skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\fxxmrlda.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.eby skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\ighigelp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ebw skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\itmtjlfq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\juiyisgm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.eby skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\kxfsjwfk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\qsbldslw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX10.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX11.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX12.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX13.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX14.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX15.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX16.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX17.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX18.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX19.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX1A.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX1B.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX1D.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX1F.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX21.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX22.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX23.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX23F.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX245.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX248.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX254.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX25B.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX27.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX28.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX29.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX2A.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX2D.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX2E.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX2E5.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX2EB.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX2EE.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX2FE.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX30.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX30A.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX31.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX314.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX31A.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX32.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX323.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX32F.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX33.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX335.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX35.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX36.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX37.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX38.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX3B.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX3D.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX4F5.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX4FB.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX4FF.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX50E.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX514.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX545.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX547.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX54F.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX550.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX553.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX557.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX55F.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX565.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX566.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX56C.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX666.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX669.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX675.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX694.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX695.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX697.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX698.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX6A3.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX6A4.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX6A9.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX6B7.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX6BA.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX6C6.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX6D9.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX6DC.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX6E8.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX6FB.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX6FE.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX70A.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX8.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCX9FE.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCXA0C.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCXA0F.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCXA1B.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCXA21.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCXB.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCXD.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCXE.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCXE0.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCXEA.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCXED.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCXF.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCXF9.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\RCXFF.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\TMP6F.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\TMP8EB.tmp Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\uuurqqiy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\vnkrjsth.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\wleycryn.exe Infected: Backdoor.Win32.Agent.dbm skipped
C:\Documents and Settings\HP_Owner\Local Settings\Temp\~DFBD7E.tmp Object is locked skipped
Scan process completed.

ken545
2008-03-08, 03:41
Hello debra23

Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected things can happen.


Download Trend Micro's HijackThis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) to your desktop.
Double-click it to install.
Follow the prompts; by default it will install to C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

Open HJT and click "Scan and Save a Log File"; the log will open in Notepad.
Go to Format and make sure Word Wrap is unchecked.
Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread using Post Reply rather than starting a new thread.

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.

debra23
2008-03-08, 03:54
This is the log file from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:51:39 PM, on 3/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\windows\system\hpsysdrv .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ps2 .exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F3 - REG:win.ini: load=C:\WINDOWS\system32\vtstu.exe
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [2c69fc8c] rundll32.exe "C:\WINDOWS\system32\dtgieimo.dll",b
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA1046] command /c del "C:\WINDOWS\system32\vtstu.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3533] cmd /c del "C:\WINDOWS\system32\vtstu.dll_old"
O4 - HKLM\..\RunOnce: [getPlusUninstall_ocx] rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAA0DC~1 .EXE" -quiet
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: WkCalRem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200676017906
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9414 bytes

ken545
2008-03-08, 04:13
Hi Debra,

You are infected with the Vundo Trojan. It may take running a few programs to remove it; I don't want to overwhelm you, so we can start this way.


Do this first...Important


Disable the TeaTimer; you can re-enable it when we're done if you wish.

Run Spybot-S&D in Advanced Mode.
If it is not already set to do this Go to the Mode menu select "Advanced Mode"
On the left hand side, Click on Tools
Then click on the Resident Icon in the List
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer. <-- You need to do this for it to take effect.





Download VundoFix (http://www.atribune.org/ccount/click.php?id=4) to your desktop.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.




Please download Malwarebytes' Anti-Malware from Here (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) or Here (http://www.besttechie.net/tools/mbam-setup.exe)

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish, so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy and Paste the entire report in your next reply along with a Hijackthis log.



Post the Vundofix log, the Malwarebytes log and a new HJT log please
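
An added example, not part of the original thread and not a Safer Networking, HijackThis or Malwarebytes tool: the HijackThis lines that give the Vundo diagnosis away are the `F3 - REG:win.ini: load=` entry pointing at `vtstu.exe` and the `O4` Run entry `[2c69fc8c]` that has `rundll32.exe` load an eight-letter random DLL from system32. The VundoFix and Malwarebytes logs further down show a second habit of this family: each random-named `.dll` travels with an `.ini` (or `.ini2`) whose name is the DLL stem spelled backwards (`vtstu.dll` / `utstv.ini`, `abggxnmv.dll` / `vmnxggba.ini`, `dtgieimo.dll` / `omieigtd.ini`). The Python below runs those three checks over a constructed sample of lines and file names copied from the logs in this thread. The regexes and the "random hex key name plus eight-letter DLL" heuristic are my own assumptions; they surface candidates for a human to confirm, not a verdict.

```python
"""Heuristic triage of HijackThis log lines and system32 file names for the
Vundo indicators seen in this thread. Added example; the regexes and the
random-name heuristics are assumptions, and every hit needs manual review."""
import re
from typing import Iterable, List, Tuple

# Constructed sample: selected lines from the HijackThis log posted above,
# plus benign entries (ccApp, LVCOMSX, getPlus) that must not be flagged.
SAMPLE_HJT_LINES = r"""
F3 - REG:win.ini: load=C:\WINDOWS\system32\vtstu.exe
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [2c69fc8c] rundll32.exe "C:\WINDOWS\system32\dtgieimo.dll",b
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\RunOnce: [getPlusUninstall_ocx] rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSo.INF, DefaultUninstall
""".strip().splitlines()

# Constructed sample: file names taken from the VundoFix and Malwarebytes logs
# in this thread, plus legitimate files that must not pair up.
SAMPLE_SYSTEM32_FILES = [
    "vtstu.dll", "utstv.ini", "utstv.ini2",
    "abggxnmv.dll", "vmnxggba.ini",
    "dtgieimo.dll", "omieigtd.ini",
    "LVCOMSX.EXE", "win.ini", "system.ini", "kernel32.dll",
]

Finding = Tuple[str, str, str]  # (indicator, evidence, why it matters)

# win.ini [windows] load= : a legacy autostart hook that current software
# does not use, so any value here is worth explaining.
WININI_LOAD = re.compile(r"^F3 - REG:win\.ini: load=(?P<path>.+)$")

# Run entry that uses rundll32 to load a DLL whose base name is exactly eight
# letters, the shape of the random-named DLLs in the logs above.
RUNDLL_DLL = re.compile(
    r'^O4 - .*?\[(?P<key>[^\]]+)\]\s+rundll32(?:\.exe)?\s+'
    r'"?(?P<path>[^",]*\\(?P<stem>[a-z]{8})\.dll)"?',
    re.IGNORECASE,
)
RANDOM_HEX_KEY = re.compile(r"[0-9a-f]{8}")


def triage_hjt(lines: Iterable[str]) -> List[Finding]:
    """Return the HijackThis lines matching the two autostart indicators."""
    findings: List[Finding] = []
    for line in lines:
        m = WININI_LOAD.match(line)
        if m:
            findings.append(("win.ini load=", m.group("path"),
                             "runs at every logon via a legacy hook"))
            continue
        m = RUNDLL_DLL.match(line)
        # Requiring a random-looking hex key name as well as an 8-letter DLL
        # keeps legitimate rundll32 entries (e.g. 8-letter system DLLs) out.
        if m and RANDOM_HEX_KEY.fullmatch(m.group("key")):
            findings.append(("rundll32 random DLL", m.group("path"),
                             f"Run key [{m.group('key')}] is random hex and "
                             f"loads an 8-letter DLL"))
    return findings


def reversed_name_pairs(filenames: Iterable[str]) -> List[Tuple[str, str]]:
    """Pair each *.dll with an *.ini / *.ini2 whose stem is the DLL stem
    reversed, the naming habit visible in the VundoFix and MBAM logs above."""
    names = {n.lower() for n in filenames}
    pairs: List[Tuple[str, str]] = []
    for name in sorted(names):
        stem, _, ext = name.rpartition(".")
        if ext != "dll":
            continue
        for ini_ext in ("ini", "ini2"):
            twin = f"{stem[::-1]}.{ini_ext}"
            if twin in names:
                pairs.append((name, twin))
    return pairs


if __name__ == "__main__":
    for indicator, evidence, why in triage_hjt(SAMPLE_HJT_LINES):
        print(f"[{indicator}] {evidence}  ({why})")
    for dll, ini in reversed_name_pairs(SAMPLE_SYSTEM32_FILES):
        print(f"[reversed pair] {dll} <-> {ini}")
```

Run it against a full HijackThis log by replacing `SAMPLE_HJT_LINES` with the file's lines, and feed `reversed_name_pairs` a directory listing of system32. The `[^",]*` in the rundll32 pattern stops at the comma that separates the DLL from its export name, so the entry point (`,b` here) is not mistaken for part of the path.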

debra23
2008-03-08, 05:31
VundoFix V7.0.1

Scan started at 9:50:56 PM 3/7/2008

Listing files found while scanning....

C:\windows\system32\utstv.ini
C:\windows\system32\utstv.ini2
C:\windows\system32\vtstu.dll

Beginning removal...

Attempting to delete C:\windows\system32\utstv.ini
C:\windows\system32\utstv.ini Has been deleted!

Attempting to delete C:\windows\system32\utstv.ini2
C:\windows\system32\utstv.ini2 Has been deleted!

Attempting to delete C:\windows\system32\vtstu.dll
C:\windows\system32\vtstu.dll Has been deleted!

Performing Repairs to the registry.
Done!

Malwarebytes' Anti-Malware 1.07
Database version: 460

Scan type: Quick Scan
Objects scanned: 60108
Time elapsed: 10 minute(s), 16 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 15
Registry Values Infected: 0
Registry Data Items Infected: 3
Folders Infected: 4
Files Infected: 88

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\dtgieimo.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\vtstu.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ecfc82b8-360b-49a8-b42c-82867df12ab6} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ecfc82b8-360b-49a8-b42c-82867df12ab6} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load (Trojan.Vundo) -> Data: c:\windows\system32\vtstu.exe -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\vtstu -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\vtstu -> Delete on reboot.

Folders Infected:
C:\Program Files\AntispyStorm (Rogue.AntispyStorm) -> Quarantined and deleted successfully.
C:\Program Files\amsys (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\akl (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\QdrDrive (Adware.AdBand) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\abggxnmv.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vmnxggba.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\begqptvh.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hvtpqgeb.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cjbpsmje.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ejmspbjc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ckwwumvg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gvmuwwkc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\cnvbjnnm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mnnjbvnc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dtgieimo.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\omieigtd.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fjkxiwdi.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\idwixkjf.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\imopreed.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\deerpomi.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jvgxqypk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kpyqxgvj.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\oeghtfos.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\softhgeo.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ojkoyilf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fliyokjo.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\osegxefx.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xfexgeso.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pfvlqcov.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vocqlvfp.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qbndbirg.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\gribdnbq.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rtvobjnr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rnjbovtr.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\surrjoyp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pyojrrus.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtstu.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\vtstu.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\utstv.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\utstv.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ykexvkpn.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\npkvxeky.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\Media\fuwarxyus.dll (Spyware.Delf) -> Quarantined and deleted successfully.
C:\Program Files\AntispyStorm\stat.bin (Rogue.AntispyStorm) -> Quarantined and deleted successfully.
C:\Program Files\AntispyStorm\uninstall.exe (Rogue.AntispyStorm) -> Quarantined and deleted successfully.
C:\Program Files\AntispyStorm\uninstall.log (Rogue.AntispyStorm) -> Quarantined and deleted successfully.
C:\Program Files\amsys\awmsg.dat (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\amsys\mfc42.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\amsys\msvcrt.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\amsys\unins000.dat (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\amsys\unis000.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\amsys\winam.dat (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\akl\akl.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\akl\akl.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\akl\curlog.htm (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\akl\keylog.txt (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\akl\readme.txt (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\akl\uninstall.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\akl\unsetup.dat (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\Program Files\akl\unsetup.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\BSZIP.DLL (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\absolute key logger.lnk (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\aconti.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\aconti.log (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\acontidialer.txt (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\adbar.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\cbinst$.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\daxtime.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\dp0.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\eventlowg.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\fhfmm-Uninstaller.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\fhfmm.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\hotporn.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ie_32.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\jd2002.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\kkcomp$.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\kkcomp.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\kkcomp.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\liqad$.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\liqad.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\liqad.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\liqui-Uninstaller.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\liqui.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\liqui.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\ngd.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\pbar.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\spredirect.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\xadbrk.dll (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\xadbrk.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\xadbrk_.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\xxxvideo.exe (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
C:\WINDOWS\Temp\BN1.tmp (Trojan.Agent) -> Quarantined and deleted successfully.

debra23
2008-03-08, 05:32
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:17 PM, on 3/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\windows\system\hpsysdrv .exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\WINDOWS\system32\ps2 .exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\QBMsgMgr.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {170545E4-F414-446E-BA8A-82930B5CB354} - (no file)
O2 - BHO: (no name) - {17141AAD-42B7-407D-ADFE-72D9861149F1} - (no file)
O2 - BHO: (no name) - {4B172BA2-0384-4E85-842D-46364988F370} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {786961A4-E4A0-43A5-968D-C3FF17FE196B} - (no file)
O2 - BHO: (no name) - {8C39B3F5-C85D-40DB-A85C-9AB403198653} - (no file)
O2 - BHO: (no name) - {B65F2128-FB78-4A09-872E-33EB6A5B604B} - (no file)
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [2c69fc8c] rundll32.exe "C:\WINDOWS\system32\dtgieimo.dll",b
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAA0DC~1 .EXE" -quiet
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: WkCalRem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200676017906
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 9483 bytes

ken545
2008-03-08, 13:34
Good Morning,:)

We are making some headway, this trojan installs random files and registry entries all over your system.

Open HijackThis and do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: (no name) - {170545E4-F414-446E-BA8A-82930B5CB354} - (no file)
O2 - BHO: (no name) - {17141AAD-42B7-407D-ADFE-72D9861149F1} - (no file)
O2 - BHO: (no name) - {4B172BA2-0384-4E85-842D-46364988F370} - (no file)
O2 - BHO: (no name) - {786961A4-E4A0-43A5-968D-C3FF17FE196B} - (no file)
O2 - BHO: (no name) - {8C39B3F5-C85D-40DB-A85C-9AB403198653} - (no file)
O2 - BHO: (no name) - {B65F2128-FB78-4A09-872E-33EB6A5B604B} - (no file)

O4 - HKLM\..\Run: [2c69fc8c] rundll32.exe "C:\WINDOWS\system32\dtgieimo.dll",b
1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply.

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager, then the Processes tab (press ctrl, alt and del at the same time), and end any processes of findstr, find, sed or swreg; then combofix should continue.
If that happens, we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)


Post the Combofix log and a new HJT log, please.

debra23
2008-03-11, 01:32
Please forgive my delay in a response to this. I've attempted the combofix quite a few times with not much luck. It gets to a certain point and just stops. I looked for the findstr, find, sed, and swreg in my task manager and didn't find any of them at any point. I'm having to run the combofix and wait till it stops for roughly 30 mins then I have to power my computer down by the power switch because nothing else comes up, it's just the background picture (no start button, tool bar, NOTHING). I will get the combofix to finish running, it may take a couple days more to get it to finish all the way though. Unless you have a better suggestion, all I know is this computer is whoopin me!!

debra23
2008-03-11, 02:25
Combofix log.....just like a child, gets told on then acts right =)

ComboFix 08-03-07.4 - HP_Owner 2008-03-10 20:12:16.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.92 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\HP_Owner\Application Data\DOBE~1
C:\WINDOWS\CREATOR\Remind_XP.exe
C:\WINDOWS\SMINST\RECGUARD.EXE
C:\WINDOWS\system\hpsysdrv.exe
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\utstv.ini
C:\WINDOWS\system32\utstv.ini2
C:\WINDOWS\system32\vtstu.dll
C:\WINDOWS\system32\vtstu.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2008-02-11 to 2008-03-11 )))))))))))))))))))))))))))))))
.

2008-03-07 23:11 . 2008-03-07 23:11 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Malwarebytes
2008-03-07 23:10 . 2008-03-07 23:10 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-07 23:10 . 2008-03-07 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-07 22:50 . 2008-03-07 23:05 <DIR> d-------- C:\VundoFix Backups
2008-03-06 07:49 . 2008-03-06 07:49 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-06 07:49 . 2008-03-06 07:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-04 19:48 . 2008-03-04 19:47 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-04 19:48 . 2008-03-04 19:48 2,551 --a------ C:\WINDOWS\unins000.dat
2008-03-04 19:42 . 2008-03-04 19:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-26 20:51 . 2005-08-23 13:54 1,650,688 --a------ C:\WINDOWS\system32\cdintf250.dll
2008-02-26 20:35 . 2008-02-26 20:35 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-02-26 20:33 . 2008-02-26 20:33 <DIR> d-------- C:\Program Files\Intuit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-11 00:05 --------- d-----w C:\Program Files\QuickTime
2008-03-09 19:26 --------- d-----w C:\Program Files\Norton Internet Security
2008-03-09 19:26 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-06 13:00 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-05 01:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-27 01:37 --------- d-----w C:\Program Files\Common Files\Intuit
2008-02-27 01:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-02-10 13:27 --------- d-----w C:\Program Files\Java
2008-01-19 14:00 --------- d-----w C:\Program Files\Common Files\Logitech
2008-01-19 13:50 --------- d-----w C:\Program Files\Yahoo!
2008-01-19 13:49 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Yahoo!
2008-01-19 13:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-01-18 18:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-18 18:38 --------- d-----w C:\Program Files\MSXML 4.0
2008-01-18 17:53 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-01-18 17:00 --------- d-----w C:\Program Files\Microsoft Works
2008-01-18 16:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-18 16:49 --------- d-----w C:\Program Files\Quicken
2008-01-18 16:49 --------- d-----w C:\Program Files\Common Files\Palo Alto Software
2008-01-18 16:14 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Symantec
2008-01-18 16:12 1,837 --sha-r C:\WINDOWS\system32\drivers\103C_HP_CPC_PW526AA-ABA a1007w_YC_0Pavi_QCNH517_E52NAheBLU1_47_ISalmon_SASUSTek Computer INC._V1.04_B3.10_T050309_WXH2_L409_M384_J120_7AMD_8Athlon 64_92.21_#051209_N10390900_Z11C1048C_G10396330.MRK
2008-01-18 16:09 --------- d-----w C:\Program Files\SiS VGA Utilities V3.63
2008-01-15 18:13 --------- d-----w C:\Program Files\Windows Installer Clean Up
2008-01-15 18:12 --------- d-----w C:\Program Files\MSECACHE
2008-01-15 17:58 --------- d-----w C:\Program Files\Common Files\Authentium Shared
2008-01-15 17:29 --------- d-----w C:\Program Files\MSBuild
2008-01-15 17:22 --------- d-----w C:\Program Files\Reference Assemblies
2008-01-15 17:20 --------- d-----w C:\Program Files\MSXML 6.0
2008-01-15 15:05 --------- d-----w C:\Program Files\Common Files\RuleSpace
2008-01-15 15:05 --------- d-----w C:\Program Files\Common Files\Aluria
2008-01-15 15:04 --------- d-----w C:\Program Files\Common Files\Authentium
2008-01-15 14:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-15 14:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-12 22:38 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Grisoft
2008-01-12 17:06 --------- d-----w C:\Program Files\LimeWire
2008-01-12 17:01 21,760 ----a-w C:\WINDOWS\Hkm14.sys
2006-01-18 02:34 0 -c--a-w C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
.

<pre>
----a-w 253,952 2008-03-09 19:18:51 C:\hp\drivers\hplsbwatcher\lsburnwatcher .exe
----a-w 61,440 2008-03-09 19:18:46 C:\hp\KBD\KBD .EXE
----a-w 39,792 2008-03-09 19:18:50 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 180,269 2008-03-09 19:18:48 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 58,488 2008-03-09 19:18:49 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 218,240 2008-01-18 17:14:48 C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt .exe
----a-w 6,731,312 2008-01-18 12:34:46 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
----a-w 6,731,312 2008-01-18 15:46:23 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
----a-w 579,072 2008-01-13 00:54:07 C:\Program Files\Grisoft\AVG7\avgcc .exe
----a-w 32,881 2008-02-07 00:36:49 C:\Program Files\Java\j2re1.4.2_03\bin\jusched .exe
----a-w 132,496 2008-03-09 19:18:45 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 458,752 2008-01-18 17:38:53 C:\Program Files\Logitech\Video\ISStart .exe
----a-w 217,088 2008-01-18 22:38:14 C:\Program Files\Logitech\Video\LogiTray .exe
----a-w 33,936 2008-03-09 19:18:49 C:\Program Files\Norton Internet Security\UrlLstCk .exe
----a-w 98,304 2008-01-18 12:34:31 C:\Program Files\QuickTime\qttask .exe
----a-w 2,097,488 2008-03-05 01:40:03 C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w 3,810,544 2008-02-27 12:10:24 C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
----a-w 4,670,968 2008-01-16 18:22:33 C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
----a-w 4,670,968 2008-01-18 12:34:52 C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
----a-w 663,552 2008-02-07 00:37:11 C:\WINDOWS\CREATOR\Remind_XP .exe
----a-w 233,472 2008-03-11 01:09:51 C:\WINDOWS\SMINST\RECGUARD .EXE
----a-w 52,736 2008-03-11 01:09:49 C:\WINDOWS\system\hpsysdrv .exe
----a-w 15,360 2008-03-11 01:09:54 C:\WINDOWS\system32\ctfmon .exe
----a-w 221,184 2008-01-19 13:41:23 C:\WINDOWS\system32\LVCOMSX .EXE
----a-w 90,112 2008-03-11 01:09:51 C:\WINDOWS\system32\ps2 .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAA0DC~1 .exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [ ]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [ ]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 19:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"KBD"="C:\HP\KBD\KBD.EXE" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [ ]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [ ]
"URLLSTCK.exe"="c:\Program Files\Norton Internet Security\UrlLstCk.exe" [ ]
"PS2"="C:\WINDOWS\system32\ps2.exe" [ ]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [ ]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 22:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 05:45:42 101784]
WkCalRem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2004-06-24 02:23:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-05 05:28:24 258048]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-10-26 04:09:52 811008]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2005-02-15 06:59:31 45056]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2005-02-15 12:24:35 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-02-25 22:29:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-11-07 22:10:39 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-10 20:20:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-03-10 20:22:32 - machine was rebooted [HP_Owner]
ComboFix-quarantined-files.txt 2008-03-11 01:22:29
.
2008-02-27 09:09:33 --- E O F ---

debra23
2008-03-11, 02:28
HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:26:14 PM, on 3/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAA0DC~1 .EXE" -quiet
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: WkCalRem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200676017906
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 7904 bytes

ken545
2008-03-11, 03:03
Hello Debra,

You're doing fine, not to worry about the replies, I am still here.

This is what we are up against: the variant of Vundo that you had includes a file infector. On your ComboFix log, all the files and programs in the blue code box have been infected by this nasty trojan. This is what I need you to do: drag ComboFix to the trash, then use the same links I provided earlier to download a fresh copy, as this program is updated quite regularly. Make sure you download it to your desktop.


Open Notepad: go to Start > All Programs > Accessories > Notepad (this will only work with Notepad) and copy all the text inside the code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above Killall::


Killall::

RenV::
C:\hp\drivers\hplsbwatcher\lsburnwatcher .exe
C:\hp\KBD\KBD .EXE
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt .exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
C:\Program Files\Grisoft\AVG7\avgcc .exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Logitech\Video\ISStart .exe
C:\Program Files\Logitech\Video\LogiTray .exe
C:\Program Files\Norton Internet Security\UrlLstCk .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger .exe
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
C:\Program Files\Yahoo!\Messenger\YAHOOM~1 .EXE
C:\WINDOWS\CREATOR\Remind_XP .exe
C:\WINDOWS\SMINST\RECGUARD .EXE
C:\WINDOWS\system\hpsysdrv .exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\LVCOMSX .EXE
C:\WINDOWS\system32\ps2 .exe

Folder::
C:\VundoFix Backups


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
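
As an added example (not ken545's script and not part of the original thread), here is a small Python helper that automates the bookkeeping behind the step above: it scans pasted HijackThis O4 lines and ComboFix Run entries for executables whose name carries a space before the extension, the pattern every entry in the RenV:: list above shares, and renders the de-duplicated hits in the Killall::/RenV:: layout the post uses. The first three sample lines are copied from the logs in this thread; the fourth is constructed to show a path that itself contains spaces. The regex, function names and extension list are my assumptions, and the output is meant to be reviewed by hand before it is fed to ComboFix.

```python
import re
from typing import List

# Sample input: three lines copied from the HijackThis and ComboFix logs
# posted in this thread, plus one constructed line whose path contains
# spaces of its own ("Reader 8.0"), to show the match is not confused by them.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAA0DC~1 .EXE" -quiet
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAA0DC~1 .exe" [ ]
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe"
'''

# A drive-letter path whose file name ends in "<name> .<ext>" (a single space
# right before the extension).  That is the naming every entry in the thread's
# RenV:: list shares; no normal installer writes executables that way.  The
# extension list is an assumption; extend it if your log shows other types.
RENAMED_EXE = re.compile(
    r'([A-Za-z]:\\[^"\r\n\[\]]*?) \.(exe|dll|com|scr)\b',
    re.IGNORECASE,
)


def find_renamed_executables(log_text: str) -> List[str]:
    """Return paths with a space before the extension, de-duplicated
    case-insensitively (NTFS does not distinguish case) and in first-seen
    order, so the same file logged by two tools appears once."""
    seen = set()
    found: List[str] = []
    for match in RENAMED_EXE.finditer(log_text):
        path = f"{match.group(1)} .{match.group(2)}"
        key = path.lower()
        if key not in seen:
            seen.add(key)
            found.append(path)
    return found


def build_cfscript(paths: List[str]) -> str:
    """Render the paths in the layout used in the thread: Killall:: first,
    a blank line, then a RenV:: section with one path per line.  The text
    must start at the very first character, so no leading blank line."""
    lines = ["Killall::", "", "RenV::"]
    lines.extend(paths)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = find_renamed_executables(SAMPLE_LOG)
    # Review the list before saving it as CFScript.txt next to ComboFix.exe.
    print(build_cfscript(hits), end="")
```

Paste a whole HijackThis log or ComboFix report into `find_renamed_executables`; clean entries such as `jusched.exe` produce no hits, and the Yahoo! Messenger path, logged once in upper case by HijackThis and once in lower case by ComboFix, is reported a single time.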

debra23
2008-03-11, 11:53
ComboFix 08-03-10.1 - HP_Owner 2008-03-11 5:36:18.6 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.131 [GMT -5:00]
Running from: C:\Documents and Settings\HP_Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\HP_Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\utstv.ini.bad
C:\VundoFix Backups\utstv.ini2.bad
C:\VundoFix Backups\vtstu.dll.bad

.
((((((((((((((((((((((((( Files Created from 2008-02-11 to 2008-03-11 )))))))))))))))))))))))))))))))
.

2008-03-07 23:11 . 2008-03-07 23:11 <DIR> d-------- C:\Documents and Settings\HP_Owner\Application Data\Malwarebytes
2008-03-07 23:10 . 2008-03-07 23:10 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-07 23:10 . 2008-03-07 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-06 07:49 . 2008-03-06 07:49 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-06 07:49 . 2008-03-06 07:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-04 19:48 . 2008-03-04 19:47 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-04 19:48 . 2008-03-04 19:48 2,551 --a------ C:\WINDOWS\unins000.dat
2008-03-04 19:42 . 2008-03-04 19:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-26 20:51 . 2005-08-23 13:54 1,650,688 --a------ C:\WINDOWS\system32\cdintf250.dll
2008-02-26 20:35 . 2008-02-26 20:35 <DIR> d-------- C:\Program Files\Common Files\AnswerWorks 4.0
2008-02-26 20:33 . 2008-02-26 20:33 <DIR> d-------- C:\Program Files\Intuit

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-11 10:36 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-11 10:36 --------- d-----w C:\Program Files\QuickTime
2008-03-11 10:36 --------- d-----w C:\Program Files\Norton Internet Security
2008-03-11 10:36 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-03-05 01:40 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-27 01:37 --------- d-----w C:\Program Files\Common Files\Intuit
2008-02-27 01:33 --------- d-----w C:\Documents and Settings\All Users\Application Data\Intuit
2008-02-10 13:27 --------- d-----w C:\Program Files\Java
2008-01-19 14:00 --------- d-----w C:\Program Files\Common Files\Logitech
2008-01-19 13:50 --------- d-----w C:\Program Files\Yahoo!
2008-01-19 13:49 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Yahoo!
2008-01-19 13:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-01-18 18:50 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2008-01-18 18:38 --------- d-----w C:\Program Files\MSXML 4.0
2008-01-18 17:53 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-01-18 17:00 --------- d-----w C:\Program Files\Microsoft Works
2008-01-18 16:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-18 16:49 --------- d-----w C:\Program Files\Quicken
2008-01-18 16:49 --------- d-----w C:\Program Files\Common Files\Palo Alto Software
2008-01-18 16:14 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Symantec
2008-01-18 16:12 1,837 --sha-r C:\WINDOWS\system32\drivers\103C_HP_CPC_PW526AA-ABA a1007w_YC_0Pavi_QCNH517_E52NAheBLU1_47_ISalmon_SASUSTek Computer INC._V1.04_B3.10_T050309_WXH2_L409_M384_J120_7AMD_8Athlon 64_92.21_#051209_N10390900_Z11C1048C_G10396330.MRK
2008-01-18 16:09 --------- d-----w C:\Program Files\SiS VGA Utilities V3.63
2008-01-15 18:13 --------- d-----w C:\Program Files\Windows Installer Clean Up
2008-01-15 18:12 --------- d-----w C:\Program Files\MSECACHE
2008-01-15 17:58 --------- d-----w C:\Program Files\Common Files\Authentium Shared
2008-01-15 17:29 --------- d-----w C:\Program Files\MSBuild
2008-01-15 17:22 --------- d-----w C:\Program Files\Reference Assemblies
2008-01-15 17:20 --------- d-----w C:\Program Files\MSXML 6.0
2008-01-15 15:05 --------- d-----w C:\Program Files\Common Files\RuleSpace
2008-01-15 15:05 --------- d-----w C:\Program Files\Common Files\Aluria
2008-01-15 15:04 --------- d-----w C:\Program Files\Common Files\Authentium
2008-01-15 14:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Avg7
2008-01-15 14:55 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-12 22:38 --------- d-----w C:\Documents and Settings\HP_Owner\Application Data\Grisoft
2008-01-12 17:06 --------- d-----w C:\Program Files\LimeWire
2008-01-12 17:01 21,760 ----a-w C:\WINDOWS\Hkm14.sys
2006-01-18 02:34 0 -c--a-w C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-03-10 20:09 15360]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAA0DC~1 .exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-03-09 14:18 132496]
"hpsysdrv"="c:\windows\system\hpsysdrv.exe" [2008-03-10 20:09 52736]
"AGRSMMSG"="AGRSMMSG.exe" [2004-06-29 19:06 88363 C:\WINDOWS\AGRSMMSG.exe]
"KBD"="C:\HP\KBD\KBD.EXE" [2008-03-09 14:18 61440]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-03-09 14:18 180269]
"Recguard"="C:\WINDOWS\SMINST\RECGUARD.EXE" [2008-03-10 20:09 233472]
"ccApp"="c:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-03-09 14:18 58488]
"URLLSTCK.exe"="c:\Program Files\Norton Internet Security\UrlLstCk.exe" [2008-03-09 14:18 33936]
"PS2"="C:\WINDOWS\system32\ps2.exe" [2008-03-10 20:09 90112]
"LSBWatcher"="c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe" [2008-03-09 14:18 253952]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 22:47 57344 C:\WINDOWS\ALCXMNTR.EXE]
"LVCOMSX"="C:\WINDOWS\system32\LVCOMSX.EXE" [2008-01-19 08:41 221184]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-03-09 14:18 39792]

C:\Documents and Settings\HP_Owner\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE [2007-08-24 05:45:42 101784]
WkCalRem.LNK - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe [2004-06-24 02:23:00 15360]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-05 05:28:24 258048]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2005-10-26 04:09:52 811008]
Updates from HP.lnk - C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe [2005-02-15 06:59:31 45056]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Updates from HP\\309731\\Program\\Updates from HP.exe"=
"C:\\Program Files\\Microsoft Office\\Office12\\ONENOTE.EXE"=
"C:\\Program Files\\Intuit\\QuickBooks 2006\\QBDBMgrN.exe"=


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{946850c5-1e27-11d9-baf0-806d6172696f}]
\Shell\AutoRun\command - D:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2005-02-15 12:24:35 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
"2008-02-25 22:29:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-11-07 22:10:39 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-11 05:40:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
.
**************************************************************************
.
Completion time: 2008-03-11 5:45:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-11 10:45:48
ComboFix2.txt 2008-03-11 10:25:35
ComboFix3.txt 2008-03-11 01:22:33
.
2008-02-27 09:09:33 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:50:42 AM, on 3/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\ISSVC.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\AGRSMMSG.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iesearch&locale=EN_US&c=Q105&bd=pavilion&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] c:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAA0DC~1 .EXE" -quiet
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: WkCalRem.LNK = C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkCalRem.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\309731\Program\Updates from HP.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200676017906
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ISSvc (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 8129 bytes

ken545
2008-03-11, 12:08
Good Morning Debra,

That worked quite well, your log looks fine :bigthumb:

How are things running now???

debra23
2008-03-11, 12:14
I guess things are running ok. Does that mean we fixed it?
I'm unable to get into my secured login for work, but I can learn to appreciate that =). My Norton isn't working though. Should I leave that alone?
Also I've got my computer networked with my boyfriend's, only through our modem, monitor, mouse and keyboard. Should I check his computer too?

ken545
2008-03-11, 12:34
Debra,

The reason we refer to this garbage as Malware is because that expression is short for Malicious Ware, and sometimes, even if the infection is removed and your system is clean, it leaves some damage (not always, but sometimes). Symantec was one of the programs this trojan infected; it may have borked the program, so you may want to uninstall it and then reinstall it. If you want links to free Anti Virus programs let me know.

As far as your boyfriend's computer, it most likely is ok, but you can post his log and we can take a look at it to make sure. Don't post it into this thread; start a new topic. You can reply to this thread and give me a heads up as to his login name on this forum; if I miss it another member will find it.


Malware Complaints (http://malwarecomplaints.info/index.php)
Are you mad? I mean really mad, seething mad, so mad you're ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some Miscreants, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney General's Office and the Federal Trade Commission's Bureau of Consumer Protection.


How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Keep in mind if you install some of these programs: only ONE Anti Virus and only ONE Firewall are recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy, but do not enable the TeaTimer in Spybot.

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community:

Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates, Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster (Recommended) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0.0.6 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.

Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs.


Glad we could help

Safe Surfn
Ken

debra23
2008-03-11, 23:02
Thank you for your time and assistance. Hopefully I won't have to talk to you again....nothing against you!!!
My boyfriend does not want me to install SpyBot to his computer, so I guess this will be it for me!

THANKS!!!!!

ken545
2008-03-11, 23:31
Your call about Spybot Search and Destroy (not to be confused with SpywareBot, which is a Rogue program). I have it on every computer in my work place, all my home computers, laptop, friends' and family's computers. It has an Immunization feature that blocks 1000s of bad sites from infecting your computer, but that's totally your call.

Take Care,

Ken