PDA

View Full Version : infected with trojans please help


aaron78
2008-03-17, 06:55
I have ran Spybot numerous times as well as AVG and windows live one care on this computer and I can nto get rid of the same infections that pops up on them after they are done. Also when I am connected to Internet explorer new windows pop up at spurattic times with advertisments. I also have the Kaspersky log but I am not sure if it would be to long for this post. Please help im at my wits end with this boat anchor.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:56:24 PM, on 3/16/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Reverend Z\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
F2 - REG:system.ini: Shell=
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {437E759B-D86B-418B-ACD8-325500A4309A} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8AB40924-D6AF-4C26-B3DE-45D2E0628394} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {93F6122F-9D50-46FE-9F1D-DAA0F2A9397C} - (no file)
O2 - BHO: (no name) - {A051B1FF-8D7E-418B-AABE-4FF82F4280A2} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {cf872b9f-4c75-4295-b546-09739541b75d} - (no file)
O2 - BHO: (no name) - {EA09FCE3-8A63-40E4-8249-7BBAC86A0E49} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\RunOnce: [SpybotDeletingA9815] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKLM\..\RunOnce: [SpybotDeletingC622] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB3747] command /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4099] cmd /c del "C:\WINDOWS\system32\drivers\core.cache.dsk"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: services.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj03.rightnowtech.com/7520-b289h/rnl/java/RntX.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: efcywvu - efcywvu.dll (file missing)
O20 - Winlogon Notify: ytuctvji - ytuctvji.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 8226 bytes
aaron78
2008-03-17, 07:24
I also think i have a problem with the svchost.exe Here is the Kaspersky log.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 16, 2008 11:38:15 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 16/03/2008
Kaspersky Anti-Virus database records: 634270
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 127355
Number of viruses found: 3
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 05:25:12

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\All Users\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Owner\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\Reverend Z\Application Data\Microsoft\Outlook\MS Exchange Settings.srs Object is locked skipped
C:\Documents and Settings\Reverend Z\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\Application Data\Microsoft\Messenger\reverendz@msn.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\Application Data\Microsoft\Messenger\reverendz@msn.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\Application Data\Microsoft\Messenger\reverendz@msn.com\SharingMetadata\Working\database_6F06_BB47_5B77_90D3\dfsr.db Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\Application Data\Microsoft\Messenger\reverendz@msn.com\SharingMetadata\Working\database_6F06_BB47_5B77_90D3\fsr.log Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\Application Data\Microsoft\Messenger\reverendz@msn.com\SharingMetadata\Working\database_6F06_BB47_5B77_90D3\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\Application Data\Microsoft\Messenger\reverendz@msn.com\SharingMetadata\Working\database_6F06_BB47_5B77_90D3\tmp.edb Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\Application Data\Microsoft\Outlook\mailbox.pst Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\Application Data\Microsoft\Windows Live Contacts\reverendz@msn.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\Application Data\Microsoft\Windows Live Contacts\reverendz@msn.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\Temp\Perflib_Perfdata_460.dat Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\Temp\~DF1A46.tmp Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\Temp\~DF1BB3.tmp Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\Temp\~DFD4F9.tmp Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\Temp\~DFDC99.tmp Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\Temporary Internet Files\Content.IE5\F5XRVTG7\link043216789376021[1].htm Infected: Trojan-Clicker.HTML.IFrame.jr skipped
C:\Documents and Settings\Reverend Z\Local Settings\Temporary Internet Files\Content.IE5\F5XRVTG7\link043216789376031[1].htm Infected: Trojan-Clicker.HTML.IFrame.jr skipped
C:\Documents and Settings\Reverend Z\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\Temporary Internet Files\Content.IE5\NWKB6GST\z0432167893760[1].htm Infected: Trojan-Clicker.HTML.IFrame.jr skipped
C:\Documents and Settings\Reverend Z\ntuser.dat Object is locked skipped
C:\Documents and Settings\Reverend Z\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ComPlus Applications\rteprehdyb.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\Program Files\Yahoo!\Messenger\logs\billing_Reverend Z.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\client_Reverend Z.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\network_Reverend Z.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{2E9DCF39-6F73-409D-8C36-24193BEF49E3}\RP230\A0064418.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{2E9DCF39-6F73-409D-8C36-24193BEF49E3}\RP263\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{4B6ED24D-AC1F-4CD2-9D1B-40DDA9F2ACA0}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\MSFWSVC.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\Windows_OneCare_Evt.evt Object is locked skipped
C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
C:\WINDOWS\system32\drivers\zumbuss.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
pskelley
2008-03-17, 15:04
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.

First a few questions, you mentioned Windows Live OneCare
http://onecare.live.com/standard/en-us/default.htm
You understand that program is supposed to supply all of your security needs. While I can not say, not being a user, if it does, and I do not see it running on your computer, you would not want AVG running at the same time.

I can see a log of stuff, including a Vundo infection that could still be active, so I am not sure what we will run into.

We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

Remove any old copies of combofix before you proceed.

Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the combofix log and a new HJT log.

Thanks
aaron78
2008-03-17, 19:33
Thank you so much for your help. As the Live one care. I just went to the web site to run the "scan and tune up". I disabled the Tea timer and and the scans you requested.

HJT
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:25:25 PM, on 3/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Documents and Settings\Reverend Z\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {437E759B-D86B-418B-ACD8-325500A4309A} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {8AB40924-D6AF-4C26-B3DE-45D2E0628394} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {93F6122F-9D50-46FE-9F1D-DAA0F2A9397C} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {cf872b9f-4c75-4295-b546-09739541b75d} - (no file)
O2 - BHO: (no name) - {EA09FCE3-8A63-40E4-8249-7BBAC86A0E49} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Startup: services.lnk = ?
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj03.rightnowtech.com/7520-b289h/rnl/java/RntX.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: efcywvu - efcywvu.dll (file missing)
O20 - Winlogon Notify: ytuctvji - ytuctvji.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 7621 bytes

then next
ComboFix 08-03-14.4 - Reverend Z 2008-03-17 13:05:43.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.373 [GMT -5:00]
Running from: C:\Documents and Settings\Reverend Z\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Common Files\{3B779~1
C:\Program Files\Common Files\{5B779~1
C:\Program Files\Common Files\{5B779~2
C:\Program Files\Common Files\{5B779~3
C:\Program Files\racle~1
C:\temp\tn3
C:\WINDOWS\BM5844a3e0.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\drivers\zumbuss.sys
C:\WINDOWS\system32\jrxglxvp.ini
C:\WINDOWS\system32\kopitpyl.ini
C:\WINDOWS\system32\ldpivkvc.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mevveajw.ini
C:\WINDOWS\system32\nfmofiyv.ini
C:\WINDOWS\system32\nGpxx01
C:\WINDOWS\system32\oofevhgt.ini
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\qevgbqya.ini
C:\WINDOWS\system32\qtstv.ini
C:\WINDOWS\system32\qtstv.ini2
C:\WINDOWS\system32\srmpxyhn.ini
C:\WINDOWS\system32\uhqohlxm.ini
C:\WINDOWS\system32\uioxafji.ini
C:\WINDOWS\system32\ureyruht.ini
C:\WINDOWS\system32\uvvwa.ini
C:\WINDOWS\system32\uvvwa.ini2
C:\WINDOWS\system32\xabeg.ini
C:\WINDOWS\system32\xabeg.ini2
C:\WINDOWS\system32\xwggoyku.ini
C:\WINDOWS\system32\yyghrvvc.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_CLIENT_IP-IPX
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_NPF
-------\LEGACY_ZUMBUSS
-------\zumbuss


((((((((((((((((((((((((( Files Created from 2008-02-17 to 2008-03-17 )))))))))))))))))))))))))))))))
.

2008-03-16 17:10 . 2008-03-16 17:10 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-16 17:10 . 2008-03-16 17:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-17 17:37 --------- d-----w C:\Documents and Settings\Reverend Z\Application Data\AVG7
2008-03-07 02:15 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-03-07 00:50 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-10 05:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-02-10 04:01 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-10 04:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-07 22:01 --------- d-----w C:\Program Files\Google
2008-02-07 18:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-04 19:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-24 20:45 --------- d-----w C:\Program Files\Java
2008-01-23 05:29 --------- d-----w C:\Program Files\Lavasoft
2008-01-23 05:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-23 05:02 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-21 06:59 --------- d-----w C:\Program Files\Zune
2008-01-21 05:53 167,545 ------w C:\WINDOWS\system32\drivers\core.cache.dsk
2008-01-18 18:16 --------- d-----w C:\Documents and Settings\Reverend Z\Application Data\Skype
2008-01-18 17:42 --------- d-----w C:\Documents and Settings\Reverend Z\Application Data\skypePM
2007-12-22 08:06 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-05-10 15:47 21,100 ----a-w C:\Program Files\Common Files\AllFreqCable.lst
2006-04-27 22:59 19,594 ----a-w C:\Program Files\Common Files\CABLES-S8x0D.LST
2005-07-12 18:44 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2004-09-03 17:10 39,005,370 ----a-w C:\Program Files\NISP2004.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{437E759B-D86B-418B-ACD8-325500A4309A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8AB40924-D6AF-4C26-B3DE-45D2E0628394}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{93F6122F-9D50-46FE-9F1D-DAA0F2A9397C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf872b9f-4c75-4295-b546-09739541b75d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EA09FCE3-8A63-40E4-8249-7BBAC86A0E49}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-09 23:01 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-09 23:01 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 19:05:56 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcywvu]
efcywvu.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ytuctvji]
ytuctvji.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Team17\\Worms Armageddon\\wa.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

R2 SpPortEx;Samsung Port Exclusion;C:\WINDOWS\system32\Drivers\SpPortEx.sys [1999-12-14 10:00]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-15 22:38]
R2 ZuneBusEnum;Zune Bus Enumerator;C:\WINDOWS\system32\ZuneBusEnum.exe [2007-11-15 22:51]
R3 CALIAUD;Conexant AMC 3D Environmental Audio;C:\WINDOWS\system32\drivers\caliaud.sys [2004-02-17 17:58]
R3 CALIHALA;CALIHALA;C:\WINDOWS\system32\drivers\calihal.sys [2004-02-17 17:59]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;C:\WINDOWS\system32\DRIVERS\DP83815.SYS [2003-07-16 20:01]
S3 adusbmdm6501;AnyDATA CDMA USB Modem Driver (PID 6501);C:\WINDOWS\system32\DRIVERS\adusbmdm6501.sys [2005-06-08 14:54]
S3 adusbser6501;AnyDATA CDMA USB Serial Port (PID 6501);C:\WINDOWS\system32\DRIVERS\adusbser6501.sys [2005-06-08 14:54]
S3 ALiIRDA;ALi Infrared Device Driver;C:\WINDOWS\system32\DRIVERS\aliirda.sys [2003-07-10 06:16]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;C:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2007-11-15 22:51]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 14:39:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-11-06 15:39:23 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-17 13:17:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\MsPMSPSv.exe
.
**************************************************************************
.
Completion time: 2008-03-17 13:22:14 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-17 18:22:10
.
2008-03-17 06:58:38 --- E O F ---
pskelley
2008-03-17, 20:22
Thanks for returning your informstion, proceed like this.

1) TeaTimer is disabled. Download ResetTeaTimer.bat
http://downloads.subratam.org/ResetTeaTimer.bat
Double click ResetTeaTimer.bat
to remove all entries set by TeaTimer (and preventing TeaTimer to restore them upon reactivation).

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {437E759B-D86B-418B-ACD8-325500A4309A} - (no file)
O2 - BHO: (no name) - {8AB40924-D6AF-4C26-B3DE-45D2E0628394} - (no file)
O2 - BHO: (no name) - {93F6122F-9D50-46FE-9F1D-DAA0F2A9397C} - (no file)
O2 - BHO: (no name) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - (no file)
O2 - BHO: (no name) - {cf872b9f-4c75-4295-b546-09739541b75d} - (no file)
O2 - BHO: (no name) - {EA09FCE3-8A63-40E4-8249-7BBAC86A0E49} - (no file)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - Startup: services.lnk = ?
O20 - Winlogon Notify: efcywvu - efcywvu.dll (file missing)
O20 - Winlogon Notify: ytuctvji - ytuctvji.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post a new HJT log, tell me how the computer is running.

Thanks
aaron78
2008-03-17, 20:40
moving through the C drive is a lot smother. I am still seeing that smitfraud core.case.dsk that spybot said was a trojan. Do you know a good firewall? I know it is dumb running with out one but it sucks when your broke.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:33:48 PM, on 3/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\Reverend Z\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj03.rightnowtech.com/7520-b289h/rnl/java/RntX.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6981 bytes
pskelley
2008-03-17, 21:23
Thanks for the HJT log and the feedback, I need more information.

I am still seeing that smitfraud core.case.dsk that spybot said was a trojanI need to know what Spybot is showing you exactly. smitfraud core.case.dsk <<< gives me nothing when Googled, are you sure you are spelling it correctly?

Here are four good free firewalls, install only one.
http://www.personalfirewall.comodo.com/
http://www.jetico.com/jpfirewall.htm
http://www.agnitum.com/products/outpostfree/download.php
http://www.online-armor.com/free-firewall-protection-software.html

Kaspersky Online Scan:
I am showing one infected System Restore file which we will clean a little later and this:

Even though we cleaned TIF with ATF-Cleaner, clean it again, folder in red.

C:\Documents and Settings\Reverend Z\Local Settings\Temporary Internet Files\ <<< empty this folder (may be a few old files that will not delete, don't be concerned about those. The infections will be recent).

(delete the file in red)
C:\Program Files\ComPlus Applications\rteprehdyb.html ------> Trojan-Clicker.HTML.IFrame.dn

Provide more information about what is being seen.

Thanks
aaron78
2008-03-17, 21:32
ok it is saying Smitfraud-C.CoreService
and the file it is pointing to is C:\WINDOWS\system32\drivers\core.cache.dsk

im going to do what you told me to now. I hope the weather down in FL is better then the crap up here in chicago
aaron78
2008-03-17, 21:41
ok when i went to the temp IE files all I saw was an empty folder and 2 other files that I could not delete. I deleted the empty folder. I also deleted the file in ComPlus Applications. There is another file under this folder. It is qugasah

Anything you need just let me know. As the computer seems to be running smoother now and the lag is not as well add what ever nice offencive word you wsh to describe it.
pskelley
2008-03-17, 21:58
http://www.google.com/search?hl=en&q=clearwater+florida+weather&btnG=Search

How long has have you been having this problem? See this:
http://www.google.com/search?hl=en&q=core.cache.dsk+&btnG=Google+Search
I am showing this has been installed on the computer since:
2008-01-21 05:53 167,545 ------w C:\WINDOWS\system32\drivers\core.cache.dsk
and there may be a rootkit involved?

Follow these instructions carefully:

Open notepad and copy/paste the text in the codebox below into it:



File::
C:\WINDOWS\system32\drivers\core.cache.dsk

Save this as CFScript

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

Refering to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks
pskelley
2008-03-17, 22:01
I can't get anything on: qugasah <<< as you posted it? No type of file or anything? You can try to scan it with:

http://virusscan.jotti.org/
aaron78
2008-03-17, 22:05
it seems like it has been a long time. But will do and get back to you.
aaron78
2008-03-17, 22:23
here you go. I will try that other link for the file.

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:18:52 PM, on 3/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\HPConfig.exe
C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
C:\PROGRA~1\Iomega\System32\AppServices.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Reverend Z\Desktop\HiJackThis.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www6.comcast.net/a/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase370.cab
O16 - DPF: {7DFDB8FD-B498-4958-B930-38021B94351D} (imlUCID Class) - http://imlive.com/chatsource/ImlCID.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B9A296D4-38AC-4566-8168-F7ACAF7D35E6} (Eyeball Video Session Control) - http://imlive.com/ChatSource/gVideoContol.cab
O16 - DPF: {D4323BF2-006A-4440-A2F5-27E3E7AB25F8} (Virtools WebPlayer Class) - http://a532.g.akamai.net/f/532/6712/5m/virtools.download.akamai.com/6712/player/install3.5/installer.exe
O16 - DPF: {D6376DD2-C2BD-49B2-A1B1-138F869633F3} (ASPRO Installer Class) - http://acs.pandasoftware.com/activescanpro/as5/asproinst.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {E7D2588A-7FB5-47DC-8830-832605661009} (Live Collaboration) - http://livenj03.rightnowtech.com/7520-b289h/rnl/java/RntX.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: HP Configuration Interface Service (HPConfig) - Hewlett-Packard - C:\WINDOWS\system32\HPConfig.exe
O23 - Service: HPWirelessMgr - Hewlett-Packard Co. - C:\Program Files\HPQ\Notebook Utilities\HPWirelessMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 7014 bytes

combo fix

ComboFix 08-03-14.4 - Reverend Z 2008-03-17 16:10:17.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.378 [GMT -5:00]
Running from: C:\Documents and Settings\Reverend Z\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Reverend Z\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ytuctvji.dllbox

.
((((((((((((((((((((((((( Files Created from 2008-02-17 to 2008-03-17 )))))))))))))))))))))))))))))))
.

2008-03-16 17:10 . 2008-03-16 17:10 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-16 17:10 . 2008-03-16 17:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-17 21:04 167,545 ----a-w C:\WINDOWS\system32\drivers\CFScript.txt
2008-03-17 17:37 --------- d-----w C:\Documents and Settings\Reverend Z\Application Data\AVG7
2008-03-17 02:02 10,646 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-07 02:15 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-03-07 00:50 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-10 05:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-02-10 04:01 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-10 04:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-07 22:01 --------- d-----w C:\Program Files\Google
2008-02-07 18:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-04 19:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-24 20:45 --------- d-----w C:\Program Files\Java
2008-01-23 05:29 --------- d-----w C:\Program Files\Lavasoft
2008-01-23 05:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-23 05:02 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-21 06:59 --------- d-----w C:\Program Files\Zune
2008-01-18 18:16 --------- d-----w C:\Documents and Settings\Reverend Z\Application Data\Skype
2008-01-18 17:42 --------- d-----w C:\Documents and Settings\Reverend Z\Application Data\skypePM
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-22 08:06 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 18:38 48,128 ----a-w C:\WINDOWS\system32\A53.tmp
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-05-10 15:47 21,100 ----a-w C:\Program Files\Common Files\AllFreqCable.lst
2006-04-27 22:59 19,594 ----a-w C:\Program Files\Common Files\CABLES-S8x0D.LST
2005-07-12 18:44 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2004-09-03 17:10 39,005,370 ----a-w C:\Program Files\NISP2004.exe
.

((((((((((((((((((((((((((((( snapshot@2008-03-17_13.21.46.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-17 17:56:34 71,480 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-17 19:44:39 71,480 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-17 17:56:34 440,048 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-17 19:44:39 440,048 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-09 23:01 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-09 23:01 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 19:05:56 65588]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Team17\\Worms Armageddon\\wa.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

R2 SpPortEx;Samsung Port Exclusion;C:\WINDOWS\system32\Drivers\SpPortEx.sys [1999-12-14 10:00]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-15 22:38]
R2 ZuneBusEnum;Zune Bus Enumerator;C:\WINDOWS\system32\ZuneBusEnum.exe [2007-11-15 22:51]
R3 CALIAUD;Conexant AMC 3D Environmental Audio;C:\WINDOWS\system32\drivers\caliaud.sys [2004-02-17 17:58]
R3 CALIHALA;CALIHALA;C:\WINDOWS\system32\drivers\calihal.sys [2004-02-17 17:59]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;C:\WINDOWS\system32\DRIVERS\DP83815.SYS [2003-07-16 20:01]
S3 adusbmdm6501;AnyDATA CDMA USB Modem Driver (PID 6501);C:\WINDOWS\system32\DRIVERS\adusbmdm6501.sys [2005-06-08 14:54]
S3 adusbser6501;AnyDATA CDMA USB Serial Port (PID 6501);C:\WINDOWS\system32\DRIVERS\adusbser6501.sys [2005-06-08 14:54]
S3 ALiIRDA;ALi Infrared Device Driver;C:\WINDOWS\system32\DRIVERS\aliirda.sys [2003-07-10 06:16]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;C:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2007-11-15 22:51]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 14:39:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-11-06 15:39:23 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-17 16:15:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
Completion time: 2008-03-17 16:16:48
ComboFix-quarantined-files.txt 2008-03-17 21:16:26
ComboFix2.txt 2008-03-17 18:22:15
.
2008-03-17 06:58:38 --- E O F ---
aaron78
2008-03-17, 22:29
with that file I did not see any extention on it.
pskelley
2008-03-17, 22:57
Do this first, if the file is gone, then the CFS script worked:
Have a look in the drivers folder and see if core.cache.dsk is gone. If it is gone, no reason to run the script again.

C:\WINDOWS\system32\drivers\core.cache.dsk <<< should not be there

You will need all files and folwers enabled to see it:
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Are you sure you followed the directions exactly. Look at this codebox:

File::
C:\WINDOWS\system32\drivers\core.cache.dsk

When you copy/paste it to the notepad, the File:: must be on the very top line and the balance of the instructions must be followed exactly. Look at them again, and you may want to do it again.

The reason I am not sure it was done correctly is this:
((((((((((((((((( Other Deletions ))))))))))))))))))))))))))
Here I believe I should see this:
C:\WINDOWS\system32\drivers\core.cache.dsk

if the CFS script was executed as instructed.

Thanks
aaron78
2008-03-17, 23:05
I am not seeing it. You want me to power down and then try it again? And yes I screwed up the first time around. I miss read it and opend the .dsk file with notepad and tried it. It did not like it so then i re-read what you put and then did it the right way. after that was finished I deleted my screw up.
pskelley
2008-03-17, 23:14
Just set on it for a day, and see if all symptoms are gone. While you do that, review this information which requires a decision before we remove combofix.

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not wish to install RC, let me know so I can continue with the cleanup.

Thanks
aaron78
2008-03-17, 23:16
Will do. Thank you for all of your help and I will get back to you tomorrow.
aaron78
2008-03-17, 23:22
ok. Where do i find what service pack I am running?
aaron78
2008-03-17, 23:31
i see it.. damn i feel dumb.. lol
aaron78
2008-03-18, 19:23
i did what it said to do with the sp2 for XP home addition
pskelley
2008-03-18, 19:48
combofix placed a .txt file on your Desktop, post the contents of that file.

Thanks
aaron78
2008-03-18, 21:01
i belive this one is it.. or I can do it again if needed

ComboFix 08-03-14.4 - Reverend Z 2008-03-17 16:10:17.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.378 [GMT -5:00]
Running from: C:\Documents and Settings\Reverend Z\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Reverend Z\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ytuctvji.dllbox

.
((((((((((((((((((((((((( Files Created from 2008-02-17 to 2008-03-17 )))))))))))))))))))))))))))))))
.

2008-03-16 17:10 . 2008-03-16 17:10 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-16 17:10 . 2008-03-16 17:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-17 21:04 167,545 ----a-w C:\WINDOWS\system32\drivers\CFScript.txt
2008-03-17 17:37 --------- d-----w C:\Documents and Settings\Reverend Z\Application Data\AVG7
2008-03-17 02:02 10,646 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-03-07 02:15 --------- d-----w C:\Program Files\Windows Live Safety Center
2008-03-07 00:50 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-10 05:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-02-10 04:01 --------- d-----w C:\Documents and Settings\LocalService\Application Data\AVG7
2008-02-10 04:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-02-07 22:01 --------- d-----w C:\Program Files\Google
2008-02-07 18:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-04 19:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-24 20:45 --------- d-----w C:\Program Files\Java
2008-01-23 05:29 --------- d-----w C:\Program Files\Lavasoft
2008-01-23 05:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-23 05:02 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-21 06:59 --------- d-----w C:\Program Files\Zune
2008-01-18 18:16 --------- d-----w C:\Documents and Settings\Reverend Z\Application Data\Skype
2008-01-18 17:42 --------- d-----w C:\Documents and Settings\Reverend Z\Application Data\skypePM
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2007-12-22 08:06 32 ----a-w C:\Documents and Settings\All Users\Application Data\ezsid.dat
2007-12-19 23:01 347,136 ----a-w C:\WINDOWS\system32\dllcache\dxtmsft.dll
2007-12-18 18:38 48,128 ----a-w C:\WINDOWS\system32\A53.tmp
2007-12-18 09:51 179,584 ------w C:\WINDOWS\system32\dllcache\mrxdav.sys
2007-05-10 15:47 21,100 ----a-w C:\Program Files\Common Files\AllFreqCable.lst
2006-04-27 22:59 19,594 ----a-w C:\Program Files\Common Files\CABLES-S8x0D.LST
2005-07-12 18:44 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2004-09-03 17:10 39,005,370 ----a-w C:\Program Files\NISP2004.exe
.

((((((((((((((((((((((((((((( snapshot@2008-03-17_13.21.46.21 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-03-17 17:56:34 71,480 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-03-17 19:44:39 71,480 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2008-03-17 17:56:34 440,048 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-03-17 19:44:39 440,048 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-09 23:01 579072]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-02-09 23:01 219136]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 19:05:56 65588]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\Program Files\\Team17\\Worms Armageddon\\wa.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=

R2 SpPortEx;Samsung Port Exclusion;C:\WINDOWS\system32\Drivers\SpPortEx.sys [1999-12-14 10:00]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2007-11-15 22:38]
R2 ZuneBusEnum;Zune Bus Enumerator;C:\WINDOWS\system32\ZuneBusEnum.exe [2007-11-15 22:51]
R3 CALIAUD;Conexant AMC 3D Environmental Audio;C:\WINDOWS\system32\drivers\caliaud.sys [2004-02-17 17:58]
R3 CALIHALA;CALIHALA;C:\WINDOWS\system32\drivers\calihal.sys [2004-02-17 17:59]
R3 DP83815;National Semiconductor Corp. DP83815/816 NDIS 5.0 Miniport Driver;C:\WINDOWS\system32\DRIVERS\DP83815.SYS [2003-07-16 20:01]
S3 adusbmdm6501;AnyDATA CDMA USB Modem Driver (PID 6501);C:\WINDOWS\system32\DRIVERS\adusbmdm6501.sys [2005-06-08 14:54]
S3 adusbser6501;AnyDATA CDMA USB Serial Port (PID 6501);C:\WINDOWS\system32\DRIVERS\adusbser6501.sys [2005-06-08 14:54]
S3 ALiIRDA;ALi Infrared Device Driver;C:\WINDOWS\system32\DRIVERS\aliirda.sys [2003-07-10 06:16]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;C:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2007-11-15 22:51]

.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 14:39:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2007-11-06 15:39:23 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-17 16:15:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\Iomega Activity Disk2]
"ImagePath"="\"\""
.
Completion time: 2008-03-17 16:16:48
ComboFix-quarantined-files.txt 2008-03-17 21:16:26
ComboFix2.txt 2008-03-17 18:22:15
.
2008-03-17 06:58:38 --- E O F ---
pskelley
2008-03-18, 21:07
2008-03-17 16:10:17.2 <<< that is an combofix log from this time, the text file from the installation of the Recovery Console will only have about seven lines of information.

Thanks
aaron78
2008-03-18, 21:10
you know where it might be located? I am not seeing a new one on the desktop
pskelley
2008-03-18, 21:24
Please remove combofix and the C:\qoobox\quarantine\ folder from the computer. Run a last KOS using these settings.


* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Thanks
aaron78
2008-03-18, 21:30
just delete them or uninstall?
pskelley
2008-03-18, 21:50
right click and delete.

Thanks
aaron78
2008-03-18, 21:54
thanks. now to just wait for that long scan
aaron78
2008-03-19, 01:36
KOS scan

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, March 18, 2008 7:31:42 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 18/03/2008
Kaspersky Anti-Virus database records: 638211
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 93738
Number of viruses found: 1
Number of infected objects: 1
Number of suspicious objects: 0
Duration of the scan process: 03:49:42

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Reverend Z\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\Application Data\Microsoft\CardSpace\CardSpace.db.shadow Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\History\History.IE5\MSHist012008031820080319\index.dat Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\Temp\Perflib_Perfdata_ac0.dat Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\Temp\~DF62CA.tmp Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\Temp\~DF62D7.tmp Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Reverend Z\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Reverend Z\ntuser.dat Object is locked skipped
C:\Documents and Settings\Reverend Z\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\billing_Reverend Z.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\client_Reverend Z.log Object is locked skipped
C:\Program Files\Yahoo!\Messenger\logs\network_Reverend Z.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{2E9DCF39-6F73-409D-8C36-24193BEF49E3}\RP230\A0064418.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\System Volume Information\_restore{2E9DCF39-6F73-409D-8C36-24193BEF49E3}\RP269\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{2BE0DBC4-F8D5-4247-93BD-C13FFD192D57}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\MSFWSVC.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\Windows_OneCare_Evt.evt Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
pskelley
2008-03-19, 01:39
Thanks for returning your scan, one infected System Restore file. Follow the directions in the link to clean that.
C:\System Volume Information\_restore{2E9DCF39-6F73-409D-8C36-24193BEF49E3}\RP230\A0064418.exe ------> RiskTool.Win32.Reboot.f skipped
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
aaron78
2008-03-19, 02:39
thanks very much for all your help!