View Full Version : Serious help needed please!
Hi, and thanks for the help in advance. I'm visiting my sister-in-law and their family computer is infected. When I got here, I found if compeletely outdated and an IEXPLORE.EXE process was running at 95-100% CPU. I only have the next 6 or so hours before we leave. I've been working on this all weekend before I found this resource. Unfortunately, I updated XP to SP2 already. BTW, all they have is "dial-up". Not sure I can fix it that fast. I couldn't find the "save as text button". I"m going to run Spybot now and will post. Thanks, PB
*** Duplicate KOS report, waste of space ***
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, March 12, 2008 8:28:32 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/03/2008
Kaspersky Anti-Virus database records: 625083
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
F:\
Scan Statistics:
Total number of scanned objects: 139364
Number of viruses found: 22
Number of infected objects: 48
Number of suspicious objects: 1
Duration of the scan process: 02:45:06
Infected Object Name / Virus Name / Last Action
C:\22437177749ac28ef33a6b\sp2\spmsg.dll Object is locked skipped
C:\22437177749ac28ef33a6b\sp2\spuninst.exe Object is locked skipped
C:\22437177749ac28ef33a6b\sp2\update\eula.txt Object is locked skipped
C:\22437177749ac28ef33a6b\sp2\update\spcustom.dll Object is locked skipped
C:\22437177749ac28ef33a6b\sp2\update\update.exe Object is locked skipped
C:\counter.cab/counter.exe Infected: Trojan-Dropper.Win32.Agent.az skipped
C:\counter.cab CAB: infected - 1 skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Network Associates\BOPDATA\_Date-20080311_Time-171330531_EnterceptExceptions.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Network Associates\BOPDATA\_Date-20080311_Time-171330531_EnterceptRules.dat Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Network Associates\Common Framework\Db\Agent_HUBRIG-0AQNC4QA.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Network Associates\Common Framework\Db\PrdMgr_HUBRIG-0AQNC4QA.log Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Network Associates\VirusScan\AccessProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Network Associates\VirusScan\BufferOverflowProtectionLog.txt Object is locked skipped
C:\Documents and Settings\All Users.WINDOWS\Application Data\Network Associates\VirusScan\OnAccessScanLog.txt Object is locked skipped
C:\Documents and Settings\hunter\Local Settings\Temp\asmfiles.cab/asm.exe Infected: not-a-virus:AdWare.Win32.Altnet.m skipped
C:\Documents and Settings\hunter\Local Settings\Temp\asmfiles.cab/asmps.dll Infected: not-a-virus:AdWare.Win32.Altnet.u skipped
C:\Documents and Settings\hunter\Local Settings\Temp\asmfiles.cab CAB: infected - 2 skipped
C:\Documents and Settings\hunter\Local Settings\Temp\Temporary Directory 2 for kazaalite_202_b1.zip\first stage\kazaa_lite_202_english.exe/data0014 Infected: not-a-virus:AdWare.Win32.Altnet.o skipped
C:\Documents and Settings\hunter\Local Settings\Temp\Temporary Directory 2 for kazaalite_202_b1.zip\first stage\kazaa_lite_202_english.exe Inno: infected - 1 skipped
C:\Documents and Settings\hunter\Local Settings\Temp\__unin__.exe Infected: not-a-virus:AdWare.Win32.Altnet.b skipped
C:\Documents and Settings\Hunter.HUBRIG-0AQNC4QA\Local Settings\Temp\~669163.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p skipped
C:\Documents and Settings\Hunter.HUBRIG-0AQNC4QA\Local Settings\Temp\~767321.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p skipped
C:\Documents and Settings\Hunter.HUBRIG-0AQNC4QA\Local Settings\Temp\~860690.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p skipped
C:\Documents and Settings\Hunter.HUBRIG-0AQNC4QA\Local Settings\Temp\~974575.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p skipped
C:\Documents and Settings\Hunter.HUBRIG-0AQNC4QA\Local Settings\Temporary Internet Files\Content.IE5\05W7O7CZ\google[1].htm Infected: Trojan-Downloader.JS.IstBar.z skipped
C:\Documents and Settings\Hunter.HUBRIG-0AQNC4QA\Local Settings\Temporary Internet Files\Content.IE5\2PKBI9YL\downloads_manager[1].htm Infected: Trojan-Downloader.JS.IstBar.k skipped
C:\Documents and Settings\Hunter.HUBRIG-0AQNC4QA\Local Settings\Temporary Internet Files\Content.IE5\8LARGTYJ\downloads_manager[1] Infected: Exploit.HTML.CodeBaseExec skipped
C:\Documents and Settings\Hunter.HUBRIG-0AQNC4QA\Local Settings\Temporary Internet Files\Content.IE5\8TMRCXIJ\secure[1].php Suspicious: Trojan-Downloader.JS.gen skipped
C:\Documents and Settings\Hunter.HUBRIG-0AQNC4QA\Local Settings\Temporary Internet Files\Content.IE5\AZAN6LEN\prompt[2].php Infected: Trojan-Downloader.JS.IstBar.ab skipped
C:\Documents and Settings\Hunter.HUBRIG-0AQNC4QA\Local Settings\Temporary Internet Files\Content.IE5\GXINC9UR\install_iframe[1].jsp Infected: Trojan-Downloader.JS.Agent.kk skipped
C:\Documents and Settings\Hunter.HUBRIG-0AQNC4QA\Local Settings\Temporary Internet Files\Content.IE5\GXINC9UR\tb3[1].cab/toolbar.dll Infected: not-a-virus:AdWare.Win32.WebSearch.q skipped
C:\Documents and Settings\Hunter.HUBRIG-0AQNC4QA\Local Settings\Temporary Internet Files\Content.IE5\GXINC9UR\tb3[1].cab CAB: infected - 1 skipped
C:\Documents and Settings\Hunter.HUBRIG-0AQNC4QA\Local Settings\Temporary Internet Files\Content.IE5\ID8ZEXUP\prompt[2].php Infected: Trojan-Downloader.JS.IstBar.b skipped
C:\Documents and Settings\Hunter.HUBRIG-0AQNC4QA\Local Settings\Temporary Internet Files\Content.IE5\IQYTD1WU\downloads_manager[1] Infected: Exploit.HTML.CodeBaseExec skipped
C:\Documents and Settings\Hunter.HUBRIG-0AQNC4QA\Local Settings\Temporary Internet Files\Content.IE5\IQYTD1WU\mtrslib2[1].js Infected: Exploit.HTML.CodeBaseExec skipped
C:\Documents and Settings\Hunter.HUBRIG-0AQNC4QA\Local Settings\Temporary Internet Files\Content.IE5\JNH37LWW\0006_regular[1].cab/istactivex.dll Infected: Trojan-Downloader.Win32.IstBar.gen skipped
C:\Documents and Settings\Hunter.HUBRIG-0AQNC4QA\Local Settings\Temporary Internet Files\Content.IE5\JNH37LWW\0006_regular[1].cab CAB: infected - 1 skipped
C:\Documents and Settings\Hunter.HUBRIG-0AQNC4QA\Local Settings\Temporary Internet Files\Content.IE5\KNN36SL9\count[1].htm Infected: Exploit.HTML.Mht skipped
C:\Documents and Settings\Hunter.HUBRIG-0AQNC4QA\Local Settings\Temporary Internet Files\Content.IE5\L0OVLLWL\[1]/[From <Saved by Microsoft Internet Explorer 5>][Date Fri, 6 Feb 2004 08:22:20 -0000]/UNNAMED Infected: Trojan-Downloader.Win32.Small.bjh skipped
C:\Documents and Settings\Hunter.HUBRIG-0AQNC4QA\Local Settings\Temporary Internet Files\Content.IE5\L0OVLLWL\[1] Mail: infected - 1 skipped
C:\Documents and Settings\Hunter.HUBRIG-0AQNC4QA\Local Settings\Temporary Internet Files\Content.IE5\OXU32NGX\counter_v1[1].cab/counter.exe Infected: Trojan-Dropper.Win32.Agent.az skipped
C:\Documents and Settings\Hunter.HUBRIG-0AQNC4QA\Local Settings\Temporary Internet Files\Content.IE5\OXU32NGX\counter_v1[1].cab CAB: infected - 1 skipped
C:\Documents and Settings\Hunter.HUBRIG-0AQNC4QA\Local Settings\Temporary Internet Files\Content.IE5\OXU32NGX\downloads_manager[2] Infected: Exploit.HTML.CodeBaseExec skipped
C:\Documents and Settings\Hunter.HUBRIG-0AQNC4QA\Local Settings\Temporary Internet Files\Content.IE5\OXU32NGX\index1[1].htm Infected: Trojan-Clicker.JS.Linker.j skipped
C:\Documents and Settings\Hunter.HUBRIG-0AQNC4QA\Local Settings\Temporary Internet Files\Content.IE5\UTOJMTE5\HELP1[1].CHM/help.htm Infected: Trojan-Downloader.JS.gen skipped
C:\Documents and Settings\Hunter.HUBRIG-0AQNC4QA\Local Settings\Temporary Internet Files\Content.IE5\UTOJMTE5\HELP1[1].CHM CHM: infected - 1 skipped
C:\Documents and Settings\Hunter.HUBRIG-0AQNC4QA\Local Settings\Temporary Internet Files\Content.IE5\WL6ZCL6Z\install_iframe[1].jsp/packed Infected: Trojan-Downloader.JS.Agent.kk skipped
C:\Documents and Settings\Hunter.HUBRIG-0AQNC4QA\Local Settings\Temporary Internet Files\Content.IE5\WL6ZCL6Z\install_iframe[1].jsp GZIP: infected - 1 skipped
C:\Documents and Settings\Hunter.HUBRIG-0AQNC4QA\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Hunter.HUBRIG-0AQNC4QA\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\i love beer\Local Settings\Temp\~538915.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService.NT AUTHORITY.000\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\lori\Local Settings\Temporary Internet Files\Content.IE5\K5MV4DAR\index[4].htm Infected: Trojan.JS.Minor.a skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService.NT AUTHORITY.000\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner.HUBRIG-0AQNC4QA\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner.HUBRIG-0AQNC4QA\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Owner.HUBRIG-0AQNC4QA\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner.HUBRIG-0AQNC4QA\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner.HUBRIG-0AQNC4QA\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner.HUBRIG-0AQNC4QA\Local Settings\History\History.IE5\MSHist012008031120080312\index.dat Object is locked skipped
C:\Documents and Settings\Owner.HUBRIG-0AQNC4QA\Local Settings\Temp\temp.fr4DBB Infected: not-a-virus:AdWare.Win32.WebSearch.q skipped
C:\Documents and Settings\Owner.HUBRIG-0AQNC4QA\Local Settings\Temp\temp.frC8E8 Infected: not-a-virus:AdWare.Win32.WebSearch.s skipped
C:\Documents and Settings\Owner.HUBRIG-0AQNC4QA\Local Settings\Temp\~117045.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p skipped
C:\Documents and Settings\Owner.HUBRIG-0AQNC4QA\Local Settings\Temp\~826878.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p skipped
C:\Documents and Settings\Owner.HUBRIG-0AQNC4QA\Local Settings\Temp\~867765.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p skipped
C:\Documents and Settings\Owner.HUBRIG-0AQNC4QA\Local Settings\Temp\~878214.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p skipped
C:\Documents and Settings\Owner.HUBRIG-0AQNC4QA\Local Settings\Temp\~888963.tmp Infected: not-a-virus:AdWare.Win32.Wintol.p skipped
C:\Documents and Settings\Owner.HUBRIG-0AQNC4QA\Local Settings\Temp\~DF6DB3.tmp Object is locked skipped
C:\Documents and Settings\Owner.HUBRIG-0AQNC4QA\Local Settings\Temp\~DF6DED.tmp Object is locked skipped
C:\Documents and Settings\Owner.HUBRIG-0AQNC4QA\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Owner.HUBRIG-0AQNC4QA\Local Settings\Temporary Internet Files\Content.IE5\C8QU0G66\23137[1].xml Object is locked skipped
C:\Documents and Settings\Owner.HUBRIG-0AQNC4QA\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner.HUBRIG-0AQNC4QA\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner.HUBRIG-0AQNC4QA\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Kazaa\TopSearch.dll Infected: not-a-virus:AdWare.Win32.Altnet.c skipped
C:\System Volume Information\_restore{19396922-7113-44ED-AA8E-9A860EA3DDEC}\RP1441\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
C:\WINDOWS\Internet Logs\HUBRIG-0AQNC4QA.ldb Object is locked skipped
C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
C:\WINDOWS\ModemLog_Intel(R) 537EP V9x DF PCI Modem.txt Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\default Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\default.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\Internet.evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\software Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\software.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\system Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\system.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.dat Object is locked skipped
C:\WINDOWS\SYSTEM32\DRIVERS\fidbox.idx Object is locked skipped
C:\WINDOWS\SYSTEM32\h323log.txt Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\SYSTEM32\сhkdsk.exe Infected: Trojan.Win32.Scapur.h skipped
C:\WINDOWS\Temp\ZLT07f48.TMP Object is locked skipped
C:\WINDOWS\Temp\ZLT07f4f.TMP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\x.mht/[From <Saved by Microsoft Internet Explorer 5>][Date Fri, 6 Feb 2004 08:22:20 -0000]/UNNAMED Infected: Trojan-Downloader.Win32.Small.bjh skipped
C:\x.mht Mail: infected - 1 skipped
Scan process completed.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:05:16 AM, on 3/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe
C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Dell AIO Printer A920\dlbkbmon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\WINDOWS\FSScrCtl.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: (no name) - {87766247-311C-43B4-8499-3D5FEC94A183} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: ZoneAlarm Spy Blocker BHO - {F0D4B231-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: ZoneAlarm Spy Blocker - {F0D4B239-DA4B-4daf-81E4-DFEE4931A4AA} - C:\Program Files\ZoneAlarmSB\bar\1.bin\SPYBLOCK.DLL
O4 - HKLM\..\Run: [Dell AIO Printer A920] "C:\Program Files\Dell AIO Printer A920\dlbkbmgr.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [Drag'n'Drop_Autolaunch] "C:\Program Files\Iomega HotBurn Pro\Autolaunch.exe"
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [Network Associates Error Reporting Service] "C:\Program Files\Common Files\Network Associates\TalkBack\TBMon.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Screen Saver Control.lnk = C:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office2K\Office\OSA9.EXE
O8 - Extra context menu item: LimeShop Preferences - file://C:\Program Files\LimeShop\System\Temp\limeshop_script0.htm
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1205074864812
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BEBD78D4-2FB0-41B9-AD54-6AB7AD08BCDF}: NameServer = 66.234.112.70 66.234.112.71
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\SYSTEM32\ZoneLabs\vsmon.exe
--
End of file - 6842 bytes
pskelley
2008-03-13, 13:05
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.
You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.
O4 - HKLM\..\Run: [Microsoft Inet Xp..] teekids.exe
http://www.symantec.com/security_response/writeup.jsp?docid=2003-081312-1554-99
Lot's of nasty junk in the KOS san, let's do this:
1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)
2) From my understanding, Microsoft patched for this worm long ago? Are your critical Windows Updates being kept current? See these instructions:
http://www.symantec.com/security_response/writeup.jsp?docid=2003-081312-1554-99&tabid=2
Adds the value:
"Microsoft Inet Xp.."="teekids.exe"
Follow the instructions under the Removal Tab in the Symantec link carefully to remove this infection.
3) When you have removed that worm, then run combofix:
Remove any old copies of combofix before you proceed.
Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Thanks to sUBs and anyone else who helped with this fix.
It is important that it is saved directly to your Desktop
Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall
Post the combofix log and a new HJT log.
Thanks
I'm now 1500 miles away from her computer and trying to walk her through the steps you've detailed. More to follow... Thanks PB
pskelley
2008-03-16, 10:32
I will just say that it is difficult to do a remote repair, trying to do a three way repair is even more difficult. You might be much better off allowing her access to the forum and monitoring what she does. Communication is an issue and it only takes one error to have real problems, good luck.
Phil
I'm trying to see what the initial results are first. The advantage is that I can take the time and talk to her on the phone while we go through it...I know you folks don't have that kind of time..She should be doing the blaster repair today. Then I'll work the ComboFix. As she gets used to the routine, we'll see how it goes. Thanks again. PB
I'm waiting to hear back from her on the results. I may not hear anything until the weekend. Thanks, PB
pskelley
2008-03-30, 13:19
Ten days without a response, advised this member via PM to start a new topic if they are ever ready to proceed with this.
Due to the lack of feedback this Topic is closed.
If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.
If it has been five days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.
If it has been less than five days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.
Everyone else please begin a New Topic.