View Full Version : virtumonde got me! please help.
ghostdog
2008-03-08, 22:51
Greetings good people, I was infected with what turned out to be the virtumonde trojan virus a couple days ago. McAfee had kept my system clean for almost 2 years until now. It knew something was wrong but could not fix it. Neither did Avast. Spybot S&D identified the problem. Followed your instructions in the forum section. Will include the HJT log followed by the Kaspersky scan. I am not with any company...it's just me and my home computer. Any help will be VERY much appreciated! Thank You.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:09:07 PM, on 3/8/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Gateway\EzTune\dtsrvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\PROGRA~1\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\WinPortrait\wpctrl.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\WinPortrait\floater.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0yahoo&bm=yh_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/vso/en-us/redir.asp?affid=370-12&installtype=force&systempopup=true
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKLM\..\Run: [24c37e47] rundll32.exe "C:\WINDOWS\system32\ednbqxmq.dll",b
O4 - HKLM\..\Run: [BM27f04ddb] Rundll32.exe "C:\WINDOWS\system32\ooshsdip.dll",s
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: EzTune.lnk = C:\Program Files\Gateway\EzTune\dthtml.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O9 - Extra 'Tools' menuitem: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15033/CTPID.cab
O23 - Service: McAfee Application Installer Cleanup (0065071204476474) (0065071204476474mcinstcleanup) - Unknown owner - C:\WINDOWS\TEMP\006507~1.EXE (file missing)
O23 - Service: Intel(R) Alert Service (AlertService) - Intel Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Gateway\EzTune\dtsslsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DataSvr - Unknown owner - C:\Program Files\Wave Systems Corp\Common\DataServer.exe (file missing)
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Gateway\EzTune\dtsrvc.exe
O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
--
End of file - 9735 bytes
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 08, 2008 1:34:08 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 8/03/2008
Kaspersky Anti-Virus database records: 614319
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan Statistics:
Total number of scanned objects: 79120
Number of viruses found: 1
Number of infected objects: 4
Number of suspicious objects: 0
Duration of the scan process: 01:19:49
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{77973A4D-3BC2-4306-9657-0FE43371B461}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR3.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\james\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\james\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\james\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\james\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\james\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\james\Local Settings\Temp\sqlite_B1j4NIHgco6gtOx Object is locked skipped
C:\Documents and Settings\james\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\james\Local Settings\Temporary Internet Files\Content.IE5\IT1AFMW6\logo_Best_Buy_200x74[1].gif Object is locked skipped
C:\Documents and Settings\james\Local Settings\Temporary Internet Files\Content.IE5\RCH4GZ2E\images[1].xml Object is locked skipped
C:\Documents and Settings\james\Local Settings\Temporary Internet Files\Content.IE5\RCH4GZ2E\main_banner_v4[1].swf Object is locked skipped
C:\Documents and Settings\james\Local Settings\Temporary Internet Files\Content.IE5\YESY19MP\main_banner_v4[1].swf Object is locked skipped
C:\Documents and Settings\james\ntuser.dat Object is locked skipped
C:\Documents and Settings\james\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Gateway_Specific.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Gateway_Specific_UK.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Gateway_Specific_Vista.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Microsoft_Security.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Microsoft_Security_UK.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Other.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Urgent.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Welcome.dat Object is locked skipped
C:\Program Files\Verizon\SmartBridge\AlertFilter.log Object is locked skipped
C:\Program Files\Verizon\SmartBridge\log\httpclient.log Object is locked skipped
C:\Program Files\Verizon\SmartBridge\SmartBridge.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP494\A0052261.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP494\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{ABE73782-69E9-432F-853C-DBA49FD0D0F6}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\ceukdknf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\IntelDH.evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\gebcayx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wvuvsss.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\Temp\mcmsc_czDEafcmePWqovE Object is locked skipped
C:\WINDOWS\Temp\mcmsc_U0sKz4NNikpeX12 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_Z0Un0lfxTGS8H9Q Object is locked skipped
C:\WINDOWS\Temp\sqlite_eADFhzLscaJby4n Object is locked skipped
C:\WINDOWS\Temp\sqlite_lzxpwUQpukZMcvu Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Recorded TV\TempRec\TempSBE\MSDVRMM_879248663_1179648_802 Object is locked skipped
D:\Recorded TV\TempRec\TempSBE\SBE1.tmp Object is locked skipped
D:\Recorded TV\TempRec\{F15B1D89-AD43-42D6-814B-4545C62275A0}.TmpSBE Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP494\change.log Object is locked skipped
Scan process completed.
steamwiz
2008-03-08, 23:49
Please follow these directions to run Combofix & post a log.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
steam
ghostdog
2008-03-09, 01:45
Hello steamwiz and thank you for helping. I have combofix on my desktop ready to use. My Q is about installing the Windows XP recovery console. I have the OS disc from Gateway that I got with the system. The instructions in the tutorial from BleepingComputer say that I should insert the disc and then Start>Run> then type some script ....
X:/i386/winnt32.exe/cmdcons
Please tell me if I am to use the letter of my optical drive in place of 'X' or am I to use the letter of the hard drive that Windows is on. I think they mean for me to use the optical drive letter but I just want to be sure so I don't mess this up. Please forgive my "newbie-ness". Also, my OS disk is from Gateway and not directly from Microsoft. Does this matter? It should work the same and not re-install Windows unless I restart the computer right? Thank you VERY much! As you can guess I am nervous about this stage of the fix.
steamwiz
2008-03-09, 21:41
HI
Sounds like you are talking about a restore disc, not an install disc, it would probably work OK, but I would rather you downloaded the file from Microsoft, & then drag and drop it onto the Combofix icon & let Combofix install it for you ( make sure you download the one for service pack 2 & either "pro" or "home" whichever you have ? ... installing the recovery console is recommended in case of severe complications when removing malware, if your computer ends up not able to boot, then the recovery console could be your saviour. However you don't have to install it if you don't want to, just continue with the instructions to run Combofix & post the log.
steam
ghostdog
2008-03-09, 22:08
Hi Steam,
I will try to get the file from Microsoft. When I followed the link from the tutorial it did not look like there were any Recovery Console downloads there, rather files to make a bootable floppy disc. Did not search the Microsoft site due to the virus I have. Wanted to limit my online activity until I heard back from you about the OS disc I have. I'll try now. Will post the log if successful. Could the file be called something other than Recovery Console? Will look for it now and get back to you with the results. THANK YOU
ghostdog
2008-03-09, 23:51
Hello again. I am sorry if I am causing you to have to make an extra post to explain this to me. The Microsoft site does not contain any downloads for a 'Recovery Console' that I could find. I did download the file from the link provided in the tutorial about ComboFix for Windows XP Pro. (I have MediaCenter edition which I believe is really Pro with an extra media player). The file is....
WindowsXP-KB310994-SP2-Pro-BootDisc-ENU
This file is described as what you need to make 6 bootable floppydiscs. Is this correct?
The tutorial says to just drop the file onto the ComboFix icon and it will automatically install. Unfortunately it does not. I get asked if I want to run ComboFix.exe which I cancelled because the tutorial makes no mention of this happening, but was very accurate previously about what would happen. Things are not matching up with the instructions unless the instructions assume a higher level of understanding than I have yet about this. It does not look like I will be able to install Recovery Console without a little more help. Will go get something to eat then see if you had time to read this post and respond. If not, I will shut down my anti-virus and let ComboFix run. If you can though, please tell me if this was the right Windows file that I downloaded and should I select RUN when prompted, as it does not install by itself when I drop it on ComboFix.
Also, should I disconnect my DSL before turning off my anti-virus and firewall when ComboFix runs? or does it need a connection?
Sorry and thanks again....
steamwiz
2008-03-10, 01:40
HI
I understand it can be a little daunting at times ... but you're doing fine ... it's always best to ask questions first if you are unsure about anything :)
Yes you have the correct download, MediaCenter edition is XP Pro with a few extras...
When you drop it onto Combofix, you have to let Combofix run, so that it can install it ... just follow the prompts ...
Have a look at this thread & see if it makes it any clearer to you :-
http://forums.whatthetech.com/Popups_windows_and_slow_performance_etc_t89567.html
Post #2 #3 #4
DO NOT run the file from microsoft SAVE it to the desktop (as you have done) & drop it onto Combofix.exe
steam
ghostdog
2008-03-10, 02:34
Hi steam, thanks for your understanding! After dinner I checked for your response but you had not made it yet so I figured you might be offline or asleep. Was going to wait untill tomorrow (no problem waiting) but I decided to run combofix and take my chances without Recovery Console. If I had waited 10 more minutes I would have seen your post and been able to install it. Silly me.
Luckily it worked out OK and rebooted fine. The reason I didn't RUN after the drag/drop of the Windows file is because I could not be sure that it was the install...thought it might be the actual scan. The install needs a connection to check for files according to the instuctions, and the scan needed me to turn off my firewall along with all real-time protection. Did not want to risk going online W/O a firewall or anything else if it was the install and not the scan. I got infected WITH them...the thought of connecting with nothing was toooo scary. Likewise, I could not scan with the protection on. Anyway, I will install the console if you say to do so. After combofix ran it made a nice new IE icon on the desktop.(a good sign i hope). Here is the log.
ComboFix 08-03-07.4 - james 2008-03-09 19:45:33.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1544 [GMT -4:00]
Running from: C:\Documents and Settings\james\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\aygausos.dll
C:\WINDOWS\system32\ceukdknf.dll
C:\WINDOWS\system32\cldnjecp.dll
C:\WINDOWS\system32\fuiejitd.dll
C:\WINDOWS\system32\gebcayx.dll
C:\WINDOWS\system32\hftfanws.dll
C:\WINDOWS\system32\jkklm.dll
C:\WINDOWS\system32\mlkkj.ini
C:\WINDOWS\system32\mlkkj.ini2
C:\WINDOWS\system32\ooshsdip.dll
C:\WINDOWS\system32\pcejndlc.ini
C:\WINDOWS\system32\rehnmqqx.dll
C:\WINDOWS\system32\wvuvsss.dll
.
((((((((((((((((((((((((( Files Created from 2008-02-09 to 2008-03-09 )))))))))))))))))))))))))))))))
.
2008-03-08 16:07 . 2008-03-08 16:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-08 11:44 . 2008-03-08 11:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-08 11:44 . 2008-03-08 11:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-08 07:39 . 2008-03-08 07:39 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-08 07:39 . 2008-03-08 08:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-08 06:59 . 2008-03-09 06:27 1,308,129 ---hs---- C:\WINDOWS\system32\qmxqbnde.ini
2008-03-07 07:00 . 2008-03-08 00:12 1,308,148 ---hs---- C:\WINDOWS\system32\jxfstgvr.ini
2008-03-03 18:37 . 2008-03-03 18:37 1,158 --a------ C:\WINDOWS\mozver.dat
2008-03-03 18:17 . 2008-03-03 18:17 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-02 16:42 . 2008-03-02 16:42 13,413,048 --a------ C:\Program Files\Google_Earth_BZXV.exe
2008-02-28 21:45 . 2008-02-28 21:45 <DIR> d-------- C:\Program Files\Veoh Networks
2008-02-17 20:43 . 2008-02-17 20:43 <DIR> d-------- C:\Program Files\Any Video Converter
2008-02-17 20:43 . 2008-02-17 20:46 <DIR> d-------- C:\Documents and Settings\james\Application Data\Any Video Converter
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-09 22:35 --------- d-----w C:\Program Files\McAfee
2008-03-08 21:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-02 20:10 --------- d-----w C:\Program Files\Mp3 My Mp3 2.0
2008-03-02 02:45 --------- d-----w C:\Documents and Settings\james\Application Data\dvdcss
2008-02-17 13:37 --------- d-----w C:\Documents and Settings\james\Application Data\Move Networks
2008-01-26 15:49 --------- d-----w C:\Program Files\Virtual Earth 3D
2007-12-29 04:42 12,208 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-12-27 02:23 60,968 ----a-w C:\WINDOWS\system32\wpfb_ati2dvag.dll
2007-12-11 21:09 2,112 ----a-w C:\Documents and Settings\james\fet2_settings.dat
2007-10-30 23:32 217 ----a-w C:\Documents and Settings\james\fet_settings.dat
2007-09-23 14:36 2,841,074 ----a-w C:\Program Files\youtubed_setup.exe
2007-07-26 01:35 6,059,008 ----a-w C:\Program Files\mp3mymp3install2.exe
2007-07-21 18:06 16,757,793 ----a-w C:\Program Files\World_Wind_1.4.0_Full.exe
2007-07-16 21:48 2,345,747 ----a-w C:\Program Files\DVDFabHDDecrypter3140.exe
2007-07-07 01:03 193,026 ----a-w C:\Program Files\capturei.exe
2007-06-03 13:24 2,212,472 ----a-w C:\Program Files\asbsetup.exe
2007-01-27 19:19 3,897,168 ----a-w C:\Program Files\dvd-audio-ripper.exe
2006-12-16 23:22 21,020,928 ----a-w C:\Program Files\eztuneSetup.exe
2006-12-16 22:28 6,359,640 ----a-w C:\Program Files\dvdbuilder.exe
2006-12-16 21:21 50,912 ----a-w C:\Program Files\IN
2006-02-21 23:05 9,692,886 ----a-w C:\Program Files\vlc-0.8.4a-win32.exe
2006-02-21 17:11 541,279 ----a-w C:\Program Files\ccsetup126.exe
2006-02-21 17:06 11,817,800 ----a-w C:\Program Files\GoogleEarth.exe
2006-02-21 16:51 1,665,325 ----a-w C:\Program Files\agsetup.exe
2004-07-26 08:16 598,086 ----a-w C:\Program Files\DVD Shrink 3.2.exe
2005-05-13 22:12 217,073 --sha-r C:\WINDOWS\meta4.exe
2005-07-14 17:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 20:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 03:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2004-01-25 05:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2005-02-28 18:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-25 05:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 00:56 64512]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 19:44 139264]
"CTHelper"="CTHELPER.EXE" [2006-12-12 11:46 19456 C:\WINDOWS\system32\CtHelper.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-12-12 11:46 20480 C:\WINDOWS\system32\Ctxfihlp.exe]
"Gateway Extended Warranty"="C:\Program Files\Gateway\GWCares\GWCares.exe" [2004-02-08 17:30 73728]
"Motive SmartBridge"="C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe" [2006-06-23 12:33 438359]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"PivotSoftware"="C:\Program Files\WinPortrait\wpctrl.exe" [2005-01-26 13:57 698104]
"USB2Check"="C:\WINDOWS\system32\PCLECoInst.dll" [2007-02-20 14:09 81920]
"USBToolTip"="C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe" [2007-02-20 03:07 199752]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2006-12-13 23:49:08 2168360]
EzTune.lnk - C:\Program Files\Gateway\EzTune\dthtml.exe [2006-12-16 19:09:31 260608]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
R1 pivot;pivot;C:\WINDOWS\system32\drivers\pivot.sys [2005-01-26 13:55]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-12-19 09:36]
R3 IAMTXP;Driver for Intel(R) Active Management Technology - KCS;C:\WINDOWS\system32\DRIVERS\IAMTXP.sys [2005-11-28 20:07]
R3 pivotmou;Pivot Mouse/Pointers Filter Driver;C:\WINDOWS\system32\drivers\pivotmou.sys [2005-01-26 13:55]
S2 IntelDHSvcConf;Intel DH Service;"C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe" [2006-06-15 21:29]
S3 PinnacleMarvinAVS;Pinnacle AVStream Service for MovieBox Deluxe, 500-USB and 700-USB;C:\WINDOWS\system32\DRIVERS\MarvinAVS.sys [2007-05-09 10:36]
.
Contents of the 'Scheduled Tasks' folder
"2008-02-15 06:00:00 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-09 19:51:50
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Gateway\EzTune\dtsslsrv.exe
C:\Program Files\Gateway\EzTune\dtsrvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\WinPortrait\floater.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
.
**************************************************************************
.
Completion time: 2008-03-09 19:53:57 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-09 23:53:54
.
2007-12-12 04:24:39 --- E O F ---
steamwiz
2008-03-10, 22:21
HI
As I said before, you don't have to install the recovery console, but if you did, it may well be to your benefit at some time in the future, should anything go wrong when removing malware ...
Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
Also ..
Pay particular attention to this :-
Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
C:\WINDOWS\system32\qmxqbnde.ini
C:\WINDOWS\system32\jxfstgvr.ini
Save this as "CFScript.txt"
Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
steam
ghostdog
2008-03-11, 00:54
Hi Steam, here is the new combofix log and the HJT log.
ComboFix 08-03-07.4 - james 2008-03-10 18:27:30.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1562 [GMT -4:00]
Running from: C:\Documents and Settings\james\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\james\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINDOWS\system32\jxfstgvr.ini
C:\WINDOWS\system32\qmxqbnde.ini
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\jxfstgvr.ini
C:\WINDOWS\system32\qmxqbnde.ini
.
((((((((((((((((((((((((( Files Created from 2008-02-10 to 2008-03-10 )))))))))))))))))))))))))))))))
.
2008-03-08 16:07 . 2008-03-08 16:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-08 11:44 . 2008-03-08 11:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-08 11:44 . 2008-03-08 11:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-08 07:39 . 2008-03-08 07:39 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-08 07:39 . 2008-03-08 08:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-03 18:37 . 2008-03-03 18:37 1,158 --a------ C:\WINDOWS\mozver.dat
2008-03-03 18:17 . 2008-03-03 18:17 0 --a------ C:\WINDOWS\nsreg.dat
2008-03-02 16:42 . 2008-03-02 16:42 13,413,048 --a------ C:\Program Files\Google_Earth_BZXV.exe
2008-02-28 21:45 . 2008-02-28 21:45 <DIR> d-------- C:\Program Files\Veoh Networks
2008-02-17 20:43 . 2008-02-17 20:43 <DIR> d-------- C:\Program Files\Any Video Converter
2008-02-17 20:43 . 2008-02-17 20:46 <DIR> d-------- C:\Documents and Settings\james\Application Data\Any Video Converter
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-09 22:35 --------- d-----w C:\Program Files\McAfee
2008-03-08 21:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-03-02 20:10 --------- d-----w C:\Program Files\Mp3 My Mp3 2.0
2008-03-02 02:45 --------- d-----w C:\Documents and Settings\james\Application Data\dvdcss
2008-02-17 13:37 --------- d-----w C:\Documents and Settings\james\Application Data\Move Networks
2008-01-26 15:49 --------- d-----w C:\Program Files\Virtual Earth 3D
2007-12-29 04:42 12,208 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-12-27 02:23 60,968 ----a-w C:\WINDOWS\system32\wpfb_ati2dvag.dll
2007-12-11 21:09 2,112 ----a-w C:\Documents and Settings\james\fet2_settings.dat
2007-10-30 23:32 217 ----a-w C:\Documents and Settings\james\fet_settings.dat
2007-09-23 14:36 2,841,074 ----a-w C:\Program Files\youtubed_setup.exe
2007-07-26 01:35 6,059,008 ----a-w C:\Program Files\mp3mymp3install2.exe
2007-07-21 18:06 16,757,793 ----a-w C:\Program Files\World_Wind_1.4.0_Full.exe
2007-07-16 21:48 2,345,747 ----a-w C:\Program Files\DVDFabHDDecrypter3140.exe
2007-07-07 01:03 193,026 ----a-w C:\Program Files\capturei.exe
2007-06-03 13:24 2,212,472 ----a-w C:\Program Files\asbsetup.exe
2007-01-27 19:19 3,897,168 ----a-w C:\Program Files\dvd-audio-ripper.exe
2006-12-16 23:22 21,020,928 ----a-w C:\Program Files\eztuneSetup.exe
2006-12-16 22:28 6,359,640 ----a-w C:\Program Files\dvdbuilder.exe
2006-12-16 21:21 50,912 ----a-w C:\Program Files\IN
2006-02-21 23:05 9,692,886 ----a-w C:\Program Files\vlc-0.8.4a-win32.exe
2006-02-21 17:11 541,279 ----a-w C:\Program Files\ccsetup126.exe
2006-02-21 17:06 11,817,800 ----a-w C:\Program Files\GoogleEarth.exe
2006-02-21 16:51 1,665,325 ----a-w C:\Program Files\agsetup.exe
2004-07-26 08:16 598,086 ----a-w C:\Program Files\DVD Shrink 3.2.exe
2005-05-13 22:12 217,073 --sha-r C:\WINDOWS\meta4.exe
2007-12-09 06:03 88 --sh--r C:\WINDOWS\system32\4D740DF735.sys
2005-07-14 17:31 27,648 --sha-r C:\WINDOWS\system32\AVSredirect.dll
2005-06-26 20:32 616,448 --sha-r C:\WINDOWS\system32\cygwin1.dll
2005-06-22 03:37 45,568 --sha-r C:\WINDOWS\system32\cygz.dll
2006-05-03 09:06 163,328 --sh--r C:\WINDOWS\system32\flvDX.dll
2004-01-25 05:00 70,656 --sha-r C:\WINDOWS\system32\i420vfw.dll
2007-02-21 10:47 31,232 --sh--r C:\WINDOWS\system32\msfDX.dll
2005-02-28 18:16 240,128 --sha-r C:\WINDOWS\system32\x.264.exe
2004-01-25 05:00 70,656 --sha-r C:\WINDOWS\system32\yv12vfw.dll
.
((((((((((((((((((((((((((((( snapshot@2008-03-09_19.53.44.54 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-09 20:53:44 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2008-03-10 20:11:41 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2008-03-09 20:53:44 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-10 20:11:41 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2008-03-10 20:11:41 32,768 --sha-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2008-03-09 22:40:10 84,914 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-10 20:10:46 84,914 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-09 22:40:10 454,128 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-10 20:10:46 454,128 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Power2GoExpress"="NA" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 15:00 15360]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 16:45 313472]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-08-06 00:56 64512]
"readericon"="C:\Program Files\Digital Media Reader\readericon45G.exe" [2005-12-09 19:44 139264]
"CTHelper"="CTHELPER.EXE" [2006-12-12 11:46 19456 C:\WINDOWS\system32\CtHelper.exe]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-12-12 11:46 20480 C:\WINDOWS\system32\Ctxfihlp.exe]
"Gateway Extended Warranty"="C:\Program Files\Gateway\GWCares\GWCares.exe" [2004-02-08 17:30 73728]
"Motive SmartBridge"="C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe" [2006-06-23 12:33 438359]
"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe" [2003-05-08 12:00 49152]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
"PivotSoftware"="C:\Program Files\WinPortrait\wpctrl.exe" [2005-01-26 13:57 698104]
"USB2Check"="C:\WINDOWS\system32\PCLECoInst.dll" [2007-02-20 14:09 81920]
"USBToolTip"="C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe" [2007-02-20 03:07 199752]
"mcagent_exe"="C:\Program Files\McAfee.com\Agent\mcagent.exe" [2007-08-03 23:33 582992]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
BigFix.lnk - C:\Program Files\BigFix\bigfix.exe [2006-12-13 23:49:08 2168360]
EzTune.lnk - C:\Program Files\Gateway\EzTune\dthtml.exe [2006-12-16 19:09:31 260608]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\RM.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\Studio.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\PMSRegisterFile.exe"=
"C:\\Program Files\\Pinnacle\\Studio 10\\programs\\umi.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=
R1 pivot;pivot;C:\WINDOWS\system32\drivers\pivot.sys [2005-01-26 13:55]
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2006-12-19 09:36]
R3 IAMTXP;Driver for Intel(R) Active Management Technology - KCS;C:\WINDOWS\system32\DRIVERS\IAMTXP.sys [2005-11-28 20:07]
R3 pivotmou;Pivot Mouse/Pointers Filter Driver;C:\WINDOWS\system32\drivers\pivotmou.sys [2005-01-26 13:55]
S2 IntelDHSvcConf;Intel DH Service;"C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe" [2006-06-15 21:29]
S3 PinnacleMarvinAVS;Pinnacle AVStream Service for MovieBox Deluxe, 500-USB and 700-USB;C:\WINDOWS\system32\DRIVERS\MarvinAVS.sys [2007-05-09 10:36]
.
Contents of the 'Scheduled Tasks' folder
"2008-02-15 06:00:00 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-10 18:29:51
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-10 18:30:13
ComboFix-quarantined-files.txt 2008-03-10 22:30:11
ComboFix2.txt 2008-03-09 23:53:58
.
2007-12-12 04:24:39 --- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:32:49 PM, on 3/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Gateway\EzTune\dtsrvc.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Digital Media Reader\readericon45G.exe
C:\WINDOWS\system32\CTHELPER.EXE
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
C:\WINDOWS\system32\CTXFIHLP.EXE
C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe
C:\Program Files\WinPortrait\wpctrl.exe
C:\Program Files\Pinnacle\Shared Files\Programs\USBTip\USBTip.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\Program Files\McAfee.com\Agent\mcagent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\BigFix\bigfix.exe
C:\Program Files\WinPortrait\floater.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\McAfee\MSC\mcuimgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://wapp.verizon.net/bookmarks/bmredir.asp?region=all&bw=dsl&cd=7.0yahoo&bm=yh_home
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/apps/vso/en-us/redir.asp?affid=370-12&installtype=force&systempopup=true
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: McAntiPhishingBHO - {377C180E-6F0E-4D4C-980F-F45BD3D40CF4} - C:\Program Files\McAfee\MSK\mcapbho.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - C:\Program Files\McAfee\VirusScan\scriptsn.dll
O2 - BHO: PosHelp - {CDEEC43D-3572-4E95-A2A5-F519D29F00C0} - C:\PROGRA~1\ADVANC~1\ADVANC~1.DLL
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [readericon] C:\Program Files\Digital Media Reader\readericon45G.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Gateway Extended Warranty] "C:\Program Files\Gateway\GWCares\GWCares.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\Verizon\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [OpwareSE2] "C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PivotSoftware] "C:\Program Files\WinPortrait\wpctrl.exe"
O4 - HKLM\..\Run: [USB2Check] RUNDLL32.EXE "C:\WINDOWS\system32\PCLECoInst.dll",CheckUSBController
O4 - HKLM\..\Run: [USBToolTip] "C:\Program Files\Pinnacle\Shared Files\\Programs\USBTip\USBTip.exe"
O4 - HKLM\..\Run: [mcagent_exe] C:\Program Files\McAfee.com\Agent\mcagent.exe /runkey
O4 - HKCU\..\Run: [Power2GoExpress] NA
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\bigfix.exe
O4 - Global Startup: EzTune.lnk = C:\Program Files\Gateway\EzTune\dthtml.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O9 - Extra 'Tools' menuitem: Advanced Searchbar - {57F02779-3D88-4958-8AD3-83C12D86ADC7} - C:\Program Files\AdvancedSearchbar\advancedsearchbar.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15033/CTPID.cab
O23 - Service: Intel(R) Alert Service (AlertService) - Intel Corporation - C:\Program Files\Intel\IntelDH\CCU\AlertService.exe
O23 - Service: Asset Management Daemon - Unknown owner - C:\Program Files\Gateway\EzTune\dtsslsrv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: DataSvr - Unknown owner - C:\Program Files\Wave Systems Corp\Common\DataServer.exe (file missing)
O23 - Service: Portrait Displays Display Tune Service (DTSRVC) - Unknown owner - C:\Program Files\Gateway\EzTune\dtsrvc.exe
O23 - Service: Intel(R) Quick Resume technology (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology Drivers\Elservice.exe
O23 - Service: Intel DH Service (IntelDHSvcConf) - Intel(R) Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Tools\IntelDHSvcConf.exe
O23 - Service: Intel(R) Software Services Manager (ISSM) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\ISSM.exe
O23 - Service: Intel(R) Viiv(TM) Media Server (M1 Server) - Unknown owner - C:\Program Files\Intel\IntelDH\Intel Media Server\Media Server\bin\mediaserver.exe
O23 - Service: Intel(R) Application Tracker (MCLServiceATL) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\MCLServiceATL.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee, Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: Intel(R) Remoting Service (Remote UI Service) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel Media Server\Shells\Remote UI Service.exe
--
End of file - 9648 bytes
steamwiz
2008-03-11, 01:15
HI
Your logs look good :)
Post a new KASPERSKY ONLINE SCANNER REPORT please ...
steam
ghostdog
2008-03-11, 03:08
Hi Steam, here is the new K scan. It says I'm still infected. Hopefully it's a false positive.
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, March 10, 2008 9:03:06 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 10/03/2008
Kaspersky Anti-Virus database records: 622455
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan Statistics:
Total number of scanned objects: 79578
Number of viruses found: 2
Number of infected objects: 9
Number of suspicious objects: 0
Duration of the scan process: 01:18:46
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{77973A4D-3BC2-4306-9657-0FE43371B461}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR2A.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\james\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\james\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\james\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\james\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\james\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\james\Local Settings\History\History.IE5\MSHist012008031020080311\index.dat Object is locked skipped
C:\Documents and Settings\james\Local Settings\Temp\sqlite_LifHqHwSeA5ilAH Object is locked skipped
C:\Documents and Settings\james\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\james\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\james\ntuser.dat Object is locked skipped
C:\Documents and Settings\james\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Gateway_Specific.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Gateway_Specific_UK.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Gateway_Specific_Vista.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Microsoft_Security.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Microsoft_Security_UK.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Other.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Urgent.dat Object is locked skipped
C:\Program Files\BigFix\__Data\Gateway\__Local\Tmp\Welcome.dat Object is locked skipped
C:\Program Files\BigFix\__Data\__Global\Logs\20080310.log Object is locked skipped
C:\Program Files\Verizon\SmartBridge\AlertFilter.log Object is locked skipped
C:\Program Files\Verizon\SmartBridge\log\httpclient.log Object is locked skipped
C:\Program Files\Verizon\SmartBridge\SmartBridge.log Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ceukdknf.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rehnmqqx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jxa skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wvuvsss.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-09_195113.28.zip/gebcayx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-09_195113.28.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP494\A0052261.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP496\A0053362.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP496\A0053367.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jxa skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP496\A0053368.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP498\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{208EA2E6-C578-43B1-B895-5A71EAF991DC}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\IntelDH.evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcmsc_3C7fbeMeKgGOJeY Object is locked skipped
C:\WINDOWS\Temp\mcmsc_3lDXh9ruaAIWPrt Object is locked skipped
C:\WINDOWS\Temp\mcmsc_6vyaOenTxZ0wG3p Object is locked skipped
C:\WINDOWS\Temp\mcmsc_dECvf7exA9yl5DC Object is locked skipped
C:\WINDOWS\Temp\sqlite_DpHO8P2Ypz8yXZC Object is locked skipped
C:\WINDOWS\Temp\sqlite_ITEzokEQF23pzJY Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Recorded TV\TempRec\TempSBE\MSDVRMM_879248663_1900544_1743 Object is locked skipped
D:\Recorded TV\TempRec\TempSBE\SBE1.tmp Object is locked skipped
D:\Recorded TV\TempRec\{89792240-9CDB-4560-84A8-472A44578C1B}.TmpSBE Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP498\change.log Object is locked skipped
Scan process completed.
steamwiz
2008-03-11, 21:49
Hi
Looking good :)
The only infected files are now to be found in Combofix quarantine & system restore ...
Please do the following :-
Go to Start > Run > copy and paste ComboFix /u into the Open: box & press OK
http://img.photobucket.com/albums/v624/29wood/Clipboard01-1.gif
This removes Combofix from your computer...
THEN ...
This will clear all your infected restore points...
Turn off (Disable) System Restore in XP :-
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.
Then...
Turn on (enable) System Restore :-
Follow the same procedure, but this time uncheck Turn off System Restore
if you have any problem with this... here's a link to instructions :-
Disabling or enabling Windows XP System Restore >
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam
Then ...
Post a new KASPERSKY ONLINE SCANNER REPORT please ...
steam
ghostdog
2008-03-12, 00:13
Hi Steam, here is the latest K scan. Came back clean :) There is one thing however that I can't figure out. The Start-up/Prompt window that used to open whenever a disc of any type was inserted into either of my DVD R/RW drives is gone. ?? In the properties for each drive the auto-run is set to show this window upon disc insertion, but it no longer does. Could the virus still be in the system somehow?
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, March 11, 2008 5:48:46 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 11/03/2008
Kaspersky Anti-Virus database records: 624691
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
Scan Statistics:
Total number of scanned objects: 69214
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 01:10:26
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{77973A4D-3BC2-4306-9657-0FE43371B461}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR3.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\james\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\james\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\james\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\james\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\james\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\james\Local Settings\History\History.IE5\MSHist012008031120080312\index.dat Object is locked skipped
C:\Documents and Settings\james\Local Settings\Temp\sqlite_khs5pxejwynaMWJ Object is locked skipped
C:\Documents and Settings\james\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\james\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\james\ntuser.dat Object is locked skipped
C:\Documents and Settings\james\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\bf-500.dat Object is locked skipped
C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\conf-100.dat Object is locked skipped
C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\conf-900.dat Object is locked skipped
C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\ie7conflict.dat Object is locked skipped
C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\notes.dat Object is locked skipped
C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\partner-700.dat Object is locked skipped
C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\subscrip-2000.dat Object is locked skipped
C:\Program Files\BigFix\__Data\BigFix\__Local\Tmp\survey.dat Object is locked skipped
C:\Program Files\BigFix\__Data\__Global\Logs\20080311.log Object is locked skipped
C:\Program Files\Verizon\SmartBridge\AlertFilter.log Object is locked skipped
C:\Program Files\Verizon\SmartBridge\log\httpclient.log Object is locked skipped
C:\Program Files\Verizon\SmartBridge\SmartBridge.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{593F298F-B7D6-4A3D-A260-6D7E68E3F587}\RP1\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{CCEEDD70-9CD2-4D13-9E2A-6BD4D552BAB3}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\IntelDH.evt Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcmsc_7bOiCgxEkN7KyeL Object is locked skipped
C:\WINDOWS\Temp\mcmsc_Ac4AKoMNd3Zgsti Object is locked skipped
C:\WINDOWS\Temp\mcmsc_rGYdnhvU4uWWI1b Object is locked skipped
C:\WINDOWS\Temp\sqlite_KYp1HtLnKUNvWiQ Object is locked skipped
C:\WINDOWS\Temp\sqlite_zjRHvcK28idK4HH Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Recorded TV\TempRec\TempSBE\MSDVRMM_879248663_1441792_72 Object is locked skipped
D:\Recorded TV\TempRec\TempSBE\SBE1.tmp Object is locked skipped
D:\Recorded TV\TempRec\{76A46C96-D752-4C9D-8194-57C34FC8D187}.TmpSBE Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
Scan process completed.
steamwiz
2008-03-12, 21:25
Hi
The Autorun feature is way a lot of malware gets to run on your computer, when it is enabled it is a serious security risk, even Microsoft recommend that you disable Autoruns. For this reason Combofix disables autoruns in order to clean your computer, and leaves it disabled to increase your security. It is far better to run a program/CD etc, manually, when you know what it is, than let anything run itself (which could be malware).
Having said that, if you want to re-enable Autoruns, let me know & I will give you a reg file that will do it for you.
cheers
steam
ghostdog
2008-03-12, 22:35
Thanks for the explanation about autorun. As long as it was not an unknown reason why it would not work, I'm fine with doing W/O it to increase security. I learned a lot during this episode, and I can't thank you enough for helping me! Will check back to see if there were any final instructions, but it seems like a success from my end. If not, then God bless and keep fighting the good fight!
:beerbeerb:
steamwiz
2008-03-13, 01:34
HI
You're very welcome :)
As your logs are clean now, if you have no more questons or problems, then ....
Happy surfing
steam