View Full Version : Another case of Virtumonde
Hi folks... you guys really rock!!
I volunteered to help a friend of a friend resolve some issues with his Dell Dimension E510 Windows XP Media Center PC. After running Spybot S&D, I discovered that he had contracted Vundo and Virtumonde.
I have tried using Spybot S&D, VundoFix, and VirtumondoBeGone several times to remove this infection, but it is not working. I have followed your instructions for posting and ran spybot several times to get rid of all the red entries. The only one remaining, which will not go away, is Virtumonde.dll, which points to c:\windowsystem32\geedc.dll_old.
I have the permission of the owner to restore the machine to factory configuration, if necessary, but I would like to fix it in-place if I can, but I'll definitely need your help.
I have the system connected to the web, but running anything from the web is VERY painful, as I couldn't even open this forum from that machine (it was so slow). It does seem to be successful at launching lots of browser windows with advertising and pornographic materials, though. I'm using a clean machine to download and a thumbdrive to transfer software and other files to/from the infected machine.
I also have discovered that his McAfee subscription just lapsed on March 9th, so updates to his current virus protection are not possible. McAfee also refuses to scan the system to see what might be found, even without updating the database. I have considered installing a free virus protection package (e.g. AVG) to protect the system until he decides what he wants to do, but I have not done so, yet.
Here is the current HJT log (Kaspersky log to follow in next post):
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:37:27 PM, on 3/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\QuickTime\QTTask.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\PROGRA~1\COMMON~1\CROSOF~1\services.exe
C:\Program Files\nvcoi\nvcoi.exe
C:\Program Files\NoDNS\NoDNS.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by CenturyTel
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {161608E4-C639-43E7-80E3-4C945F2526D3} - C:\WINDOWS\system32\geedc.dll (file missing)
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {9851FB36-08BB-4858-83BD-0C2316E0DDD0} - C:\WINDOWS\system32\mljge.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {ED120D76-BF31-412C-A99B-783C6676E128} - C:\WINDOWS\system32\mljklkh.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [ISUSPM Startup] "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Dell Photo AIO Printer 944\memcard.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [f0cda152] rundll32.exe "C:\WINDOWS\system32\nkgmjryc.dll",b
O4 - HKLM\..\Run: [BMf3fe92ce] Rundll32.exe "C:\WINDOWS\system32\oyfgxvvp.dll",s
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKCU\..\Run: [Uaol] "C:\PROGRA~1\COMMON~1\CROSOF~1\services.exe" -vt yazb
O4 - HKCU\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe
O4 - HKCU\..\Run: [NoDNS] C:\Program Files\\NoDNS\\NoDNS.exe
O4 - HKUS\S-1-5-21-753380332-3619798799-3628505546-1005\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup (User '?')
O4 - HKUS\S-1-5-21-753380332-3619798799-3628505546-1005\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User '?')
O4 - HKUS\S-1-5-21-753380332-3619798799-3628505546-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-753380332-3619798799-3628505546-1005\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" (User '?')
O4 - HKUS\S-1-5-21-753380332-3619798799-3628505546-1005\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User '?')
O4 - HKUS\S-1-5-21-753380332-3619798799-3628505546-1005\..\Run: [Uaol] "C:\PROGRA~1\COMMON~1\CROSOF~1\services.exe" -vt yazb (User '?')
O4 - HKUS\S-1-5-21-753380332-3619798799-3628505546-1005\..\Run: [nvcoi] C:\Program Files\nvcoi\nvcoi.exe (User '?')
O4 - HKUS\S-1-5-21-753380332-3619798799-3628505546-1005\..\Run: [NoDNS] C:\Program Files\\NoDNS\\NoDNS.exe (User '?')
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: dlcd_device - Unknown owner - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
--
End of file - 12869 bytes
Sorry if you are scrapping the report mechanically. I can send it as an attachment if desired. I shortened words, like skipped to skip.
---
KASPERSKY ONLINE SCANNER REPORT
Wed, Mar 19, 2008 8:10:12 PM
OS: MS WinXP Prof, SP2 (Build 2600)
Kaspersky Online Scan ver: 5.0.98.0
Kaspersky AV db last upd: 19/03/2008
Kaspersky AV db recs: 642580
---
Scan Settings:
Scan using: extended
Archives: true
Mail Bases: true
Scan - My Computer:
Scan Stats:
Tot num scan objects: 81449
Num viruses found: 20
Num infected objects: 87
Number of suspicious objects: 0
Dur scan process: 01:01:55
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skip
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skip
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\logout.edb Object is locked skip
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skip
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{661B025D-CB7F-4012-A13E-CAE0E108944B}.log Object is locked skip
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{ACBA00DE-479A-4684-A0C6-9A2AC2B096D1}.log Object is locked skip
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skip
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skip
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\RBLDB.dat Object is locked skip
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skip
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR3.tmp Object is locked skip
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skip
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skip
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skip
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skip
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skip
C:\Documents and Settings\Greg and Gloria's\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skip
C:\Documents and Settings\Greg and Gloria's\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skip
C:\Documents and Settings\Greg and Gloria's\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skip
C:\Documents and Settings\Greg and Gloria's\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skip
C:\Documents and Settings\Greg and Gloria's\Local Settings\Application Data\ApplicationHistory\TransferAgent.exe.91f03f4d.ini.inuse Object is locked skip
C:\Documents and Settings\Greg and Gloria's\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skip
C:\Documents and Settings\Greg and Gloria's\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skip
C:\Documents and Settings\Greg and Gloria's\Local Settings\History\History.IE5\index.dat Object is locked skip
C:\Documents and Settings\Greg and Gloria's\Local Settings\Temp\Perflib_Perfdata_b08.dat Object is locked skip
C:\Documents and Settings\Greg and Gloria's\Local Settings\Temp\yazzsnet.exe/data0003 Infected: Trojan.Win32.Scapur.k skip
C:\Documents and Settings\Greg and Gloria's\Local Settings\Temp\yazzsnet.exe NSIS: infected - 1 skip
C:\Documents and Settings\Greg and Gloria's\Local Settings\Temp\~DF3A9F.tmp Object is locked skip
C:\Documents and Settings\Greg and Gloria's\Local Settings\Temp\~DF7C62.tmp Object is locked skip
C:\Documents and Settings\Greg and Gloria's\Local Settings\Temp\~DFA265.tmp Object is locked skip
C:\Documents and Settings\Greg and Gloria's\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skip
C:\Documents and Settings\Greg and Gloria's\Local Settings\Temporary Internet Files\Content.IE5\16D90QJZ\718f466754402ac597de014577627f96[1].zip/b104.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skip
C:\Documents and Settings\Greg and Gloria's\Local Settings\Temporary Internet Files\Content.IE5\16D90QJZ\718f466754402ac597de014577627f96[1].zip/b104.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skip
C:\Documents and Settings\Greg and Gloria's\Local Settings\Temporary Internet Files\Content.IE5\16D90QJZ\718f466754402ac597de014577627f96[1].zip/b104.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skip
C:\Documents and Settings\Greg and Gloria's\Local Settings\Temporary Internet Files\Content.IE5\16D90QJZ\718f466754402ac597de014577627f96[1].zip/b104.exe Infected: not-a-virus:AdWare.Win32.Mostofate.u skip
C:\Documents and Settings\Greg and Gloria's\Local Settings\Temporary Internet Files\Content.IE5\16D90QJZ\718f466754402ac597de014577627f96[1].zip ZIP: infected - 4 skip
C:\Documents and Settings\Greg and Gloria's\Local Settings\Temporary Internet Files\Content.IE5\16D90QJZ\a537119c47192bc08952189ae8782f08[1].zip/b152.exe Infected: Trojan-Dropper.Win32.Agent.eso skip
C:\Documents and Settings\Greg and Gloria's\Local Settings\Temporary Internet Files\Content.IE5\16D90QJZ\a537119c47192bc08952189ae8782f08[1].zip ZIP: infected - 1 skip
C:\Documents and Settings\Greg and Gloria's\Local Settings\Temporary Internet Files\Content.IE5\30RZYGGV\ptch[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\Documents and Settings\Greg and Gloria's\Local Settings\Temporary Internet Files\Content.IE5\9J0JL311\css4[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\Documents and Settings\Greg and Gloria's\Local Settings\Temporary Internet Files\Content.IE5\9J0JL311\iddqd[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\Documents and Settings\Greg and Gloria's\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skip
C:\Documents and Settings\Greg and Gloria's\Local Settings\Temporary Internet Files\Content.IE5\ZKOC515V\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\Documents and Settings\Greg and Gloria's\My Documents\My Received Files\photo_722-jpg.zip/foto-652-JPEG.zip Infected: Trojan.Win32.Pakes.byj skip
C:\Documents and Settings\Greg and Gloria's\My Documents\My Received Files\photo_722-jpg.zip ZIP: infected - 1 skip
C:\Documents and Settings\Greg and Gloria's\NTUSER.DAT Object is locked skip
C:\Documents and Settings\Greg and Gloria's\ntuser.dat.LOG Object is locked skip
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skip
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skip
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skip
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skip
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skip
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skip
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skip
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skip
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skip
C:\Program Files\Common Files\Μіcrosoft\services.exe Infected: Trojan-Downloader.Win32.PurityScan.fj skip
C:\Program Files\ComPlus Applications\meqyx777444.dll Infected: not-a-virus:AdWare.Win32.TTC.e skip
C:\Program Files\ComPlus Applications\meqyx821058.dll Infected: not-a-virus:AdWare.Win32.TTC.d skip
C:\Program Files\JavaCore\JavaCore.exe Infected: not-a-virus:AdWare.Win32.Insider.b skip
C:\Program Files\NoDNS\NoDNS.exe Infected: Trojan-Downloader.Win32.Agent.kji skip
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP10\change.log Object is locked skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0002020.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0002020.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0002020.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0002020.exe NSIS: infected - 3 skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0002042.exe Infected: not-a-virus:AdWare.Win32.Insider.d skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0002043.exe Infected: not-a-virus:AdWare.Win32.Insider.d skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0002044.exe Infected: Trojan-Dropper.Win32.Agent.eso skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0002045.exe Infected: Trojan-Downloader.Win32.Agent.kha skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0002047.exe Infected: Trojan-Downloader.Win32.Agent.ezc skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP3\A0003014.exe Infected: Trojan-Downloader.Win32.Agent.lak skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP4\A0004046.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0005046.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0007046.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0008046.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP6\A0009063.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP6\A0009074.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP6\A0009075.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP7\A0009097.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.e skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP7\A0009097.exe NSIS: infected - 1 skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP7\A0009149.exe Infected: Trojan-Downloader.Win32.Agent.lbx skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP7\A0009150.exe Infected: Trojan-Downloader.Win32.Agent.kha skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP7\A0009152.exe Infected: not-a-virus:AdWare.Win32.Insider.d skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP7\A0009153.exe Infected: not-a-virus:AdWare.Win32.Insider.c skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP7\A0009169.exe Infected: not-a-virus:Downloader.Win32.Agent.ak skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP7\A0009171.exe Infected: Trojan-Downloader.Win32.Agent.ezc skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP7\A0009172.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP7\A0009172.exe NSIS: infected - 1 skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP7\A0009173.exe Infected: Trojan.Win32.Scapur.k skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009338.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009339.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jxa skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009340.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009341.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009342.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009343.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009344.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009347.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009349.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009350.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009351.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009352.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009353.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009355.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009356.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009357.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009358.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009359.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009361.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009362.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009363.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009364.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009365.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009366.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009368.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009369.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009370.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009371.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009372.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\VundoFix Backups\ckrnqwlx.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\VundoFix Backups\khfcday.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\VundoFix Backups\mljklkh.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\WINDOWS\b104.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skip
C:\WINDOWS\b104.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skip
C:\WINDOWS\b104.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skip
C:\WINDOWS\b104.exe NSIS: infected - 3 skip
C:\WINDOWS\b152.exe_tobedeleted Infected: not-a-virus:AdWare.Win32.Insider.c skip
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skip
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{A3F4562A-A5B3-4959-BAEC-9C56DDA4A2F0}.crmlog Object is locked skip
C:\WINDOWS\SchedLgU.Txt Object is locked skip
C:\WINDOWS\Sti_Trace.log Object is locked skip
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skip
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skip
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skip
C:\WINDOWS\system32\config\DEFAULT Object is locked skip
C:\WINDOWS\system32\config\default.LOG Object is locked skip
C:\WINDOWS\system32\config\Internet.evt Object is locked skip
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skip
C:\WINDOWS\system32\config\SAM Object is locked skip
C:\WINDOWS\system32\config\SAM.LOG Object is locked skip
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skip
C:\WINDOWS\system32\config\SECURITY Object is locked skip
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skip
C:\WINDOWS\system32\config\SOFTWARE Object is locked skip
C:\WINDOWS\system32\config\software.LOG Object is locked skip
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skip
C:\WINDOWS\system32\config\SYSTEM Object is locked skip
C:\WINDOWS\system32\config\system.LOG Object is locked skip
C:\WINDOWS\system32\geedc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\WINDOWS\system32\mljklkh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skip
C:\WINDOWS\Temp\mcafee_Hl5mTBfjRO3pWsM Object is locked skip
C:\WINDOWS\Temp\mcafee_NHoImTxtvXV3Ovp Object is locked skip
C:\WINDOWS\Temp\mcmsc_57okc4EwyPxDTFj Object is locked skip
C:\WINDOWS\Temp\mcmsc_D1QvJxMjRJfM2PS Object is locked skip
C:\WINDOWS\Temp\mcmsc_EIecmO0WyiBpcEw Object is locked skip
C:\WINDOWS\Temp\mcmsc_idbqMsygL48IbYH Object is locked skip
C:\WINDOWS\Temp\mcmsc_Qc4mljPgKY22VKh Object is locked skip
C:\WINDOWS\Temp\mcmsc_zMjGA2NhsHPhoTI Object is locked skip
C:\WINDOWS\Temp\sqlite_CAyznJYbwHMfL0a Object is locked skip
C:\WINDOWS\Temp\sqlite_jmdYBjKCz4JkMGt Object is locked skip
C:\WINDOWS\Temp\sqlite_QEhj8vxxdg3sf1F Object is locked skip
C:\WINDOWS\Temp\sqlite_xH5MYJEV0CKYRgJ Object is locked skip
Scan completed
steamwiz
2008-03-20, 22:36
Hi
I would like to see the VundoFix, and VirtumondoBeGone logs please ...
If possible I suggest you uninstall McAfee & install AVG free anti-virus (once we have you cleaned)
Please follow these directions to run Combofix & post a log.
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
steam
Hi and thanks for the quick response to my request for assistance.
The VundoFix log:
VundoFix V7.0.3
Scan started at 4:39:08 PM 3/17/2008
Listing files found while scanning....
C:\windows\system32\ckrnqwlx.dll
C:\windows\system32\ckrnqwlx.dllbox
C:\windows\system32\khfcday.dll
C:\windows\system32\mljklkh.dll
C:\WINDOWS\system32\nwhavqgt.dll
C:\WINDOWS\system32\tgqvahwn.ini
Beginning removal...
Attempting to delete C:\windows\system32\ckrnqwlx.dll
C:\windows\system32\ckrnqwlx.dll Has been deleted!
Attempting to delete C:\windows\system32\ckrnqwlx.dllbox
C:\windows\system32\ckrnqwlx.dllbox Has been deleted!
Attempting to delete C:\windows\system32\khfcday.dll
C:\windows\system32\khfcday.dll Has been deleted!
Attempting to delete C:\windows\system32\mljklkh.dll
C:\windows\system32\mljklkh.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\nwhavqgt.dll
C:\WINDOWS\system32\nwhavqgt.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\tgqvahwn.ini
C:\WINDOWS\system32\tgqvahwn.ini Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Performing Repairs to the registry.
Done!
VundoFix V7.0.3
Scan started at 1:09:46 AM 3/18/2008
Listing files found while scanning....
C:\windows\system32\mljklkh.dll
C:\WINDOWS\system32\nwhavqgt.dll
C:\WINDOWS\system32\tgqvahwn.ini
Beginning removal...
Attempting to delete C:\windows\system32\mljklkh.dll
C:\windows\system32\mljklkh.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\nwhavqgt.dll
C:\WINDOWS\system32\nwhavqgt.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\tgqvahwn.ini
C:\WINDOWS\system32\tgqvahwn.ini Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\mljklkh.dll
C:\windows\system32\mljklkh.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
VundoFix V7.0.3
Scan started at 3:57:12 PM 3/18/2008
Listing files found while scanning....
C:\windows\system32\mljklkh.dll
C:\WINDOWS\system32\uphcvory.dll
C:\WINDOWS\system32\yrovchpu.ini
Beginning removal...
Attempting to delete C:\windows\system32\mljklkh.dll
C:\windows\system32\mljklkh.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\uphcvory.dll
C:\WINDOWS\system32\uphcvory.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\yrovchpu.ini
C:\WINDOWS\system32\yrovchpu.ini Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\mljklkh.dll
C:\windows\system32\mljklkh.dll Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V7.0.3
Scan started at 5:04:23 PM 3/18/2008
Listing files found while scanning....
C:\windows\system32\mljklkh.dll
Beginning removal...
Attempting to delete C:\windows\system32\mljklkh.dll
C:\windows\system32\mljklkh.dll Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V7.0.3
Scan started at 6:20:27 PM 3/18/2008
Listing files found while scanning....
C:\windows\system32\mljklkh.dll
Beginning removal...
Attempting to delete C:\windows\system32\mljklkh.dll
C:\windows\system32\mljklkh.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\mljklkh.dll
C:\windows\system32\mljklkh.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
VundoFix V7.0.3
Scan started at 12:15:01 PM 3/19/2008
Listing files found while scanning....
C:\WINDOWS\system32\dbljeskq.ini
C:\windows\system32\mljklkh.dll
C:\WINDOWS\system32\qksejlbd.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\dbljeskq.ini
C:\WINDOWS\system32\dbljeskq.ini Has been deleted!
Attempting to delete C:\windows\system32\mljklkh.dll
C:\windows\system32\mljklkh.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\qksejlbd.dll
C:\WINDOWS\system32\qksejlbd.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\mljklkh.dll
C:\windows\system32\mljklkh.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\qksejlbd.dll
C:\WINDOWS\system32\qksejlbd.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V7.0.3
Scan started at 12:31:33 PM 3/19/2008
Listing files found while scanning....
C:\windows\system32\mljklkh.dll
VundoFix V7.0.3
Scan started at 4:02:36 PM 3/20/2008
Listing files found while scanning....
C:\WINDOWS\system32\duqtvocl.ini
C:\WINDOWS\system32\lcovtqud.dll
C:\windows\system32\mljklkh.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\duqtvocl.ini
C:\WINDOWS\system32\duqtvocl.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\lcovtqud.dll
C:\WINDOWS\system32\lcovtqud.dll Could not be deleted.
Attempting to delete C:\windows\system32\mljklkh.dll
C:\windows\system32\mljklkh.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\WINDOWS\system32\lcovtqud.dll
C:\WINDOWS\system32\lcovtqud.dll Has been deleted!
Attempting to delete C:\windows\system32\mljklkh.dll
C:\windows\system32\mljklkh.dll Could not be deleted.
Performing Repairs to the registry.
Done!
VundoFix V7.0.3
Scan started at 4:30:46 PM 3/20/2008
Listing files found while scanning....
C:\windows\system32\mljklkh.dll
Beginning removal...
Attempting to delete C:\windows\system32\mljklkh.dll
C:\windows\system32\mljklkh.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\mljklkh.dll
C:\windows\system32\mljklkh.dll Could not be deleted.
Performing Repairs to the registry.
Done!
Unfortunately, I forgot to run VirtumundoBeGone again to capture a log, but it kept telling me that there was nothing found to remove.
I ran over the 20K limit per post, here, so I'll post the ComboFix log in the next post.
After running ComboFix, I ran another scan with Spybot S&D, which shows the system as clean... for the first time.
Should I submit another HJT log, too?
Thanks for your help.
Dan
Here is the ComboFix log:
ComboFix 08-03-20.2 - Greg and Gloria's 2008-03-20 18:33:58.1 - NTFSx86 NETWORK
Running from: C:\Documents and Settings\Greg and Gloria's\Desktop\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\Common Files\crosof~1
C:\Program Files\Common Files\crosof~1\??crosoft\
C:\Program Files\Common Files\crosof~1\services.exe
C:\Program Files\ComPlus Applications\meqyx777444.dll
C:\Program Files\ComPlus Applications\meqyx821058.dll
C:\Program Files\JavaCore
C:\Program Files\JavaCore\JavaCore.exe
C:\Program Files\JavaCore\UnInstall.exe
C:\Program Files\NoDNS
C:\Program Files\NoDNS\NoDNS.exe
C:\Program Files\NoDNS\UnInstall.exe
C:\Program Files\Temporary
C:\Temp\sanR24
C:\WINDOWS\BMf3fe92ce.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\apudocas.ini
C:\WINDOWS\system32\arljifel.ini
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cdeeg.ini
C:\WINDOWS\system32\cdeeg.ini2
C:\WINDOWS\system32\egjlm.ini
C:\WINDOWS\system32\egjlm.ini2
C:\WINDOWS\system32\egxolacl.dll
C:\WINDOWS\system32\hmiioabs.dll
C:\WINDOWS\system32\iDlo01
C:\WINDOWS\system32\jkakseex.ini
C:\WINDOWS\system32\lnnmp.ini
C:\WINDOWS\system32\lnnmp.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mljklkh.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pmnnl.dll
C:\WINDOWS\system32\vdtvqufj.ini
C:\WINDOWS\system32\wokamsbw.ini
.
((((((((((((((((((((((((( Files Created from 2008-02-20 to 2008-03-20 )))))))))))))))))))))))))))))))
.
2008-03-19 15:34 . 2008-03-19 20:19 1,544,199 --ahs---- C:\WINDOWS\system32\cyrjmgkn.ini
2008-03-19 15:30 . 2008-03-19 15:30 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-19 15:30 . 2008-03-19 15:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-19 14:38 . 2008-03-19 14:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-17 21:18 . 2008-03-17 21:27 <DIR> d-------- C:\Program Files\MSECACHE
2008-03-17 18:02 . 2008-03-17 18:02 <DIR> d-------- C:\Program Files\GPLGS
2008-03-17 18:01 . 2008-03-17 18:01 <DIR> d-------- C:\Program Files\Acro Software
2008-03-17 18:01 . 2007-04-25 19:09 87,808 --a------ C:\WINDOWS\system32\cpwmon2k.dll
2008-03-17 17:08 . 2008-03-19 13:16 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-17 17:08 . 2008-03-19 13:52 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-17 16:39 . 2008-03-20 17:06 <DIR> d-------- C:\VundoFix Backups
2008-03-16 11:43 . 2008-03-17 15:13 1,359,307 --ahs---- C:\WINDOWS\system32\vjspjujf.ini
2008-03-16 09:07 . 2008-03-16 11:40 1,366,923 --ahs---- C:\WINDOWS\system32\gbhhhkmd.ini
2008-03-14 18:22 . 2008-03-16 09:07 1,366,803 --ahs---- C:\WINDOWS\system32\ooeskxxg.ini
2008-03-14 17:23 . 2008-03-14 17:23 1,366,683 --ahs---- C:\WINDOWS\system32\hctmuvam.ini
2008-03-13 17:20 . 2008-03-13 17:21 1,346,690 --ahs---- C:\WINDOWS\system32\jpvqqslq.ini
2008-03-12 17:22 . 2008-03-12 20:05 1,320,155 --ahs---- C:\WINDOWS\system32\chdsmael.ini
2008-03-11 16:22 . 2000-03-23 12:50 446,464 -ra------ C:\WINDOWS\system32\hhactivex.dll
2008-03-11 16:22 . 1999-05-07 13:24 414,944 --a------ C:\WINDOWS\system32\COMCT332.OCX
2008-03-11 16:22 . 1998-11-10 10:46 328,480 --a------ C:\WINDOWS\system32\ssa3d30.ocx
2008-03-11 16:22 . 2002-01-08 17:00 176,128 --a------ C:\WINDOWS\system32\RcdScan.dll
2008-03-11 16:22 . 1998-09-24 12:03 171,967 --a------ C:\WINDOWS\system32\Odbcjet.hlp
2008-03-11 16:22 . 2001-08-22 08:42 13,632 --------- C:\WINDOWS\system32\drivers\omci.sys
2008-03-11 16:22 . 1998-09-24 12:03 7,348 --a------ C:\WINDOWS\system32\Odbcjet.cnt
2008-03-04 17:48 . 2008-03-05 18:51 1,307,980 --ahs---- C:\WINDOWS\system32\fxngqibk.ini
2008-03-04 16:32 . 2008-03-04 14:32 105,984 --------- C:\WINDOWS\b152.exe_tobedeleted
2008-03-04 10:46 . 2008-03-20 18:39 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-04 10:46 . 2008-03-04 10:46 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-04 10:33 . 2008-03-04 10:35 <DIR> d-------- C:\Program Files\iTunes
2008-03-04 09:54 . 2008-03-04 10:02 <DIR> d-------- C:\Program Files\QuickTime
2008-03-03 21:06 . 2008-03-11 19:17 <DIR> d-------- C:\Program Files\nvcoi
2008-03-03 17:46 . 2008-03-04 17:46 1,302,838 --ahs---- C:\WINDOWS\system32\dvowcnjg.ini
2008-03-02 20:51 . 2008-03-20 18:34 <DIR> d-------- C:\Temp
2008-02-28 23:08 . 2008-02-28 23:12 <DIR> d-------- C:\Documents and Settings\Greg and Gloria's\Local Setting
2008-02-24 12:34 . 2006-10-04 21:42 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-02-24 12:34 . 2006-10-04 21:42 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-02-24 12:33 . 2008-02-27 20:43 <DIR> d-------- C:\Program Files\Picasa2
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-17 20:12 --------- d-----w C:\Program Files\Dl_cats
2008-03-12 01:24 10,288 ----a-w C:\Documents and Settings\Greg and Gloria's\Application Data\wklnhst.dat
2008-03-11 23:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-11 23:41 --------- d-----w C:\Program Files\Pearl Harbor - Zero Hour
2008-03-11 22:12 --------- d-----w C:\Documents and Settings\Greg and Gloria's\Application Data\SiteAdvisor
2008-03-04 15:34 --------- d-----w C:\Program Files\iPod
2008-02-29 00:06 --------- d-----w C:\Program Files\McAfee
2008-02-27 09:01 --------- d-----w C:\Program Files\Windows Live
2008-02-26 23:46 --------- d-----w C:\Documents and Settings\Greg and Gloria's\Application Data\AdobeUM
2008-02-24 01:19 --------- d-----w C:\Program Files\EarthLink TotalAccess
2008-02-06 17:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-02-01 17:11 586,240 ----a-w C:\WINDOWS\WLXPGSS.SCR
2008-01-31 02:24 --------- d-----w C:\Program Files\MySpace
2008-01-21 21:03 --------- d-----w C:\Program Files\Groove Games
2008-01-09 04:01 92,064 ----a-w C:\Documents and Settings\Greg and Gloria's\mqdmmdm.sys
2008-01-09 04:01 9,232 ----a-w C:\Documents and Settings\Greg and Gloria's\mqdmmdfl.sys
2008-01-09 04:01 79,328 ----a-w C:\Documents and Settings\Greg and Gloria's\mqdmserd.sys
2008-01-09 04:01 66,656 ----a-w C:\Documents and Settings\Greg and Gloria's\mqdmbus.sys
2008-01-09 04:01 6,208 ----a-w C:\Documents and Settings\Greg and Gloria's\mqdmcmnt.sys
2008-01-09 04:01 5,936 ----a-w C:\Documents and Settings\Greg and Gloria's\mqdmwhnt.sys
2008-01-09 04:01 4,048 ----a-w C:\Documents and Settings\Greg and Gloria's\mqdmcr.sys
2008-01-09 04:01 25,600 ----a-w C:\Documents and Settings\Greg and Gloria's\usbsermptxp.sys
2008-01-09 04:01 22,768 ----a-w C:\Documents and Settings\Greg and Gloria's\usbsermpt.sys
2008-01-07 02:04 71,208 ----a-w C:\Documents and Settings\Greg and Gloria's\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{161608E4-C639-43E7-80E3-4C945F2526D3}]
C:\WINDOWS\system32\geedc.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9851FB36-08BB-4858-83BD-0C2316E0DDD0}]
C:\WINDOWS\system32\mljge.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-12-17 21:28 171448]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 16:46 135168]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 16:18 443968]
"Uaol"="C:\PROGRA~1\COMMON~1\CROSOF~1\services.exe" [ ]
"nvcoi"="C:\Program Files\nvcoi\nvcoi.exe" [2008-03-03 21:06 57344]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-20 00:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-20 00:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-20 00:10 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48 32881]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 01:20 339968 C:\WINDOWS\stsystra.exe]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-12-19 14:04 26112]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]
"ISUSPM Startup"="c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 11:44 249856]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2003-11-20 16:21 69632]
"dlcdmon.exe"="C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe" [2005-07-22 08:45 430080]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 944\memcard.exe" [2005-06-27 06:05 282624]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 16:30 152144]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-03-30 10:42 36904]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"DLCDCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-06-07 07:39 69632]
"f0cda152"="C:\WINDOWS\system32\lcovtqud.dll" [ ]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-12-19 14:00:32 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36 806912]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\Pearl Harbor - Zero Hour\\PHarbor.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R3 dlcd_device;dlcd_device;C:\WINDOWS\system32\dlcdcoms.exe [2005-06-21 09:19]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 23:41]
S3 USB_RNDIS_XP;Westell USB Network Interface;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-12-08 10:34]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-03-12 00:49:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-20 23:25:00 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-03-15 06:24:38 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-03-01 13:58:18 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-20 18:39:34
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\explorer.exe
-> C:\Program Files\SiteAdvisor\6253\saHook.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\dllhost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\SoftwareDistribution\Download\Install\Windows-KB890830-V1.39-delta.exe
c:\program files\mcafee\msc\mcuimgr.exe
c:\e9b5de48772e56b8ff0c\mrtstub.exe
C:\WINDOWS\system32\MRT.exe
.
**************************************************************************
.
Completion time: 2008-03-20 18:44:12 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-20 23:44:03
.
2008-03-09 16:10:07 --- E O F ---
steamwiz
2008-03-21, 19:57
Hi
A lot of the malware has gone but you still have a lot to do ...
First please do this :-
1. Download SDFix and save it to your Desktop.
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe
2. Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)
3. Reboot into Safe Mode`:-
Reboot into >>>safe mode (http://www.computerhope.com/issues/chsafe.htm)
4. Open the extracted SDFix folder and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
(Report.txt will also be copied to Clipboard ready for posting back on the forum).
Finally paste the contents of the Report.txt back on the forum.
steam
Hi Steam,
I really appreciate your insight. Here's the report from SDFix that you requested.
SDFix: Version 1.159
Run by Greg and Gloria's on Fri 03/21/2008 at 02:03 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix
Checking Services :
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting
Checking Files :
Trojan Files Found:
C:\Program Files\nvcoi\mst.stt - Deleted
C:\Program Files\nvcoi\nvcoi.exe - Deleted
C:\Program Files\nvcoi\nvcoi.exe.lzma - Deleted
C:\WINDOWS\b104.exe - Deleted
Folder C:\Program Files\nvcoi - Removed
Removing Temp Files
ADS Check :
Final Check :
catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-21 14:09:37
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000039
"TracesSuccessful"=dword:00000006
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1
Remaining Services :
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Ares\\Ares.exe"="C:\\Program Files\\Ares\\Ares.exe:*:Disabled:Ares p2p for windows"
"C:\\Program Files\\Pearl Harbor - Zero Hour\\PHarbor.exe"="C:\\Program Files\\Pearl Harbor - Zero Hour\\PHarbor.exe:*:Enabled:PHarbor"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
Remaining Files :
File Backups: - C:\SDFix\backups\backups.zip
Files with Hidden Attributes :
Tue 11 Mar 2008 209 A.SHR --- "C:\BOOT.BAK"
Sun 24 Feb 2008 6,219,320 A..H. --- "C:\Program Files\Picasa2\setup.exe"
Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Mon 21 Jan 2008 56 ..SHR --- "C:\WINDOWS\system32\959479CED6.sys"
Mon 21 Jan 2008 3,350 A.SH. --- "C:\WINDOWS\system32\KGyGaAvL.sys"
Thu 20 Dec 2007 224 A..H. --- "C:\Program Files\InterActual\InterActual Player\iti186.tmp"
Fri 7 Oct 2005 1,847,296 ...HR --- "C:\Program Files\Microsoft Works Suite 2006\Setup\LAUNCHER.EXE"
Fri 7 Oct 2005 62,464 ...HR --- "C:\Program Files\Microsoft Works Suite 2006\Setup\MNYINSTA.DLL"
Fri 7 Oct 2005 95,232 ...HR --- "C:\Program Files\Microsoft Works Suite 2006\Setup\RMVSUITE.EXE"
Fri 7 Oct 2005 36,864 ...HR --- "C:\Program Files\Microsoft Works Suite 2006\Setup\SETUPLNG.DLL"
Fri 7 Oct 2005 20,480 ...HR --- "C:\Program Files\Microsoft Works Suite 2006\Setup\UNREGWTR.EXE"
Thu 20 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Sun 9 Sep 2007 7,939,032 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\4a882309d56e564894505aaa60eac9b1\BITA0.tmp"
Mon 25 Feb 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\585dc2612ebcefc90e7dee4c276ee95e\BIT5A.tmp"
Thu 18 Oct 2007 8,706,680 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\d20174378a49939f5f8825cfb630e979\BIT51.tmp"
Mon 13 Nov 2006 43,008 ...H. --- "C:\Documents and Settings\Greg and Gloria's\Application Data\Microsoft\Word\~WRL2168.tmp"
Sun 9 Sep 2007 4,296,320 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\866dfbcabf59f6e422168c9ec5d1af75\download\BITF5.tmp"
Sun 6 May 2007 8 A..H. --- "C:\Documents and Settings\Greg and Gloria's\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u1\lock.tmp"
Sun 6 May 2007 8 A..H. --- "C:\Documents and Settings\Greg and Gloria's\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u2\lock.tmp"
Mon 7 May 2007 8 A..H. --- "C:\Documents and Settings\Greg and Gloria's\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u3\lock.tmp"
Tue 8 May 2007 8 A..H. --- "C:\Documents and Settings\Greg and Gloria's\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u4\lock.tmp"
Sun 27 May 2007 8 A..H. --- "C:\Documents and Settings\Greg and Gloria's\Application Data\Gtek\GTUpdate\AUpdate\Channels\ch_u5\lock.tmp"
Finished!
I don't know if it is related, but I've been chasing the opening of a Windows Explorer of c:\Program Files\Dell that happens on every boot, too. I'm having difficulty figuring out where it is coming from. IT doesn't hurt anything, but it is annoying.
Earlier, you suggested dumping McAfee and loading AVGFree. Is it because the subscription lapsed or are you more comfortable with AVG? Does it make a difference in your suggestion to know that it is/was McAfee SecurityCenter?
Again, your insight is appreciated!
Thanks,
Dan
steamwiz
2008-03-22, 02:13
HI
My opinion of McAfee is that it is overrated, overpriced & bloated, using a lot of system resources to run, the same goes for Symantec/Norton ... you couldn't apply any of those adjectives to AVG free.
Remind me again later about the DELL popup...
I want you to do this now :-
Please Download CCleaner from :-
http://www.filehippo.com/download_ccleaner/ (click the download tab)
During the installation be sure to UN-check the box for "Ccleaner Yahoo Toolbar" unless you want it.
doubleclick the ccsetup.exe file and install the program...
After installing, go to Start > programs > CCleaner > Options > Advanced > UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
Make sure the "windows" tab is selected
Under "internet explorer" tick...
Temporary internet files
Cookies* > see Note below
History
Recently typed URL's (leave this unticked if you DON'T want to clear the drop down list in the address window of IE)
Delete index.dat files
Last download location
Autocomplete form history
under "Windows explorer" these are optional, but you can safely tick them all if you wish, they are only "most recently used lists"
Other explorer MRU's (leave this unticked if you DON'T want to clear lists such as the start\run list)
under "System"
Tick ALL these ...
under "Advanced"
no need to tick any of these (but you can if you want, and realise what they do)
Applications tab...
These will mostly clean out old log files for these applications...
Clean:- (if you use them)
Firefox/Mozilla (optional - leave the cookies - see note)
Opera
Sun Java
ZoneAlarm
...
Personally I clean everything in the applications tab... but you tick what you want...
Note: *If there are any cookies you want to keep (if you remove the cookie for a site you require a password for, you will need to re-enter your password when you next visit that site) ... click options > cookies > then keep the cookies you want.
click "analyse" if you want to see a list of what is going to be removed, before it is removed.
Or
click "run cleaner" to let it get on with it's work... clicking this will result in the following pop-up
"This process will permanently delete files from your system. Are you sure you wish to proceed?"
click OK.
THEN...
Open notepad and copy/paste the text in the code box below into it:
NOTE* make sure to only highlight and copy what is inside the code box nothing out side of it.
Also ..
Pay particular attention to this :-
Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
File::
c:\windowsystem32\geedc.dll_old
C:\WINDOWS\system32\cyrjmgkn.ini
C:\WINDOWS\system32\vjspjujf.ini
C:\WINDOWS\system32\gbhhhkmd.ini
C:\WINDOWS\system32\ooeskxxg.ini
C:\WINDOWS\system32\hctmuvam.ini
C:\WINDOWS\system32\jpvqqslq.ini
C:\WINDOWS\system32\chdsmael.ini
C:\WINDOWS\system32\fxngqibk.ini
C:\WINDOWS\b152.exe_tobedeleted
C:\WINDOWS\system32\dvowcnjg.ini
C:\Documents and Settings\Greg and Gloria's\My Documents\My Received Files\photo_722-jpg.zip
C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\mljklkh.dll
Folder::
C:\VundoFix Backups
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{161608E4-C639-43E7-80E3-4C945F2526D3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9851FB36-08BB-4858-83BD-0C2316E0DDD0}]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Uaol"=-
"nvcoi"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"f0cda152"=-
Save this as "CFScript.txt"
Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.
http://img.photobucket.com/albums/v666/sUBs/CFScript.gif
This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
Also please post a new KASPERSKY ONLINE SCANNER REPORT
steam
Thanks, Steam. I'm posting the ComboFix with CFScript output, HJT log, and Kaspersky scan report. Combined, they are about 45K, so I'll have to break them up to post.
ComboFix 08-03-20.2 - Greg and Gloria's 2008-03-22 0:01:16.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.135 [GMT -5:00]
Running from: C:\Documents and Settings\Greg and Gloria's\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Greg and Gloria's\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\Documents and Settings\Greg and Gloria's\My Documents\My Received Files\photo_722-jpg.zip
C:\WINDOWS\b152.exe_tobedeleted
C:\WINDOWS\system32\chdsmael.ini
C:\WINDOWS\system32\cyrjmgkn.ini
C:\WINDOWS\system32\dvowcnjg.ini
C:\WINDOWS\system32\fxngqibk.ini
C:\WINDOWS\system32\gbhhhkmd.ini
C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\hctmuvam.ini
C:\WINDOWS\system32\jpvqqslq.ini
C:\WINDOWS\system32\mljklkh.dll
C:\WINDOWS\system32\ooeskxxg.ini
C:\WINDOWS\system32\vjspjujf.ini
c:\windowsystem32\geedc.dll_old
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\Greg and Gloria's\My Documents\My Received Files\photo_722-jpg.zip
C:\VundoFix Backups
C:\VundoFix Backups\ckrnqwlx.dll.bad
C:\VundoFix Backups\ckrnqwlx.dllbox.bad
C:\VundoFix Backups\dbljeskq.ini.bad
C:\VundoFix Backups\duqtvocl.ini.bad
C:\VundoFix Backups\khfcday.dll.bad
C:\VundoFix Backups\lcovtqud.dll.bad
C:\VundoFix Backups\mljklkh.dll.bad
C:\VundoFix Backups\nwhavqgt.dll.bad
C:\VundoFix Backups\qksejlbd.dll.bad
C:\VundoFix Backups\tgqvahwn.ini.bad
C:\VundoFix Backups\uphcvory.dll.bad
C:\VundoFix Backups\yrovchpu.ini.bad
C:\WINDOWS\b152.exe_tobedeleted
C:\WINDOWS\system32\chdsmael.ini
C:\WINDOWS\system32\cyrjmgkn.ini
C:\WINDOWS\system32\dvowcnjg.ini
C:\WINDOWS\system32\fxngqibk.ini
C:\WINDOWS\system32\gbhhhkmd.ini
C:\WINDOWS\system32\hctmuvam.ini
C:\WINDOWS\system32\jpvqqslq.ini
C:\WINDOWS\system32\ooeskxxg.ini
C:\WINDOWS\system32\vjspjujf.ini
.
((((((((((((((((((((((((( Files Created from 2008-02-22 to 2008-03-22 )))))))))))))))))))))))))))))))
.
2008-03-21 23:40 . 2008-03-21 23:40 <DIR> d-------- C:\Program Files\CCleaner
2008-03-21 14:00 . 2008-03-21 14:00 <DIR> d-------- C:\WINDOWS\ERUNT
2008-03-21 13:55 . 2008-03-21 14:12 <DIR> d-------- C:\SDFix
2008-03-20 20:45 . 2008-03-20 20:45 <DIR> d-------- C:\Program Files\Macrovision Corporation
2008-03-20 20:45 . 2008-03-20 20:45 <DIR> d-------- C:\Documents and Settings\Greg and Gloria's\Application Data\InstallShield
2008-03-19 15:30 . 2008-03-19 15:30 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-19 15:30 . 2008-03-19 15:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-19 14:38 . 2008-03-19 14:38 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-17 21:18 . 2008-03-17 21:27 <DIR> d-------- C:\Program Files\MSECACHE
2008-03-17 18:02 . 2008-03-17 18:02 <DIR> d-------- C:\Program Files\GPLGS
2008-03-17 18:01 . 2008-03-17 18:01 <DIR> d-------- C:\Program Files\Acro Software
2008-03-17 18:01 . 2007-04-25 19:09 87,808 --a------ C:\WINDOWS\system32\cpwmon2k.dll
2008-03-17 17:08 . 2008-03-19 13:16 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-17 17:08 . 2008-03-21 23:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-11 16:22 . 2000-03-23 12:50 446,464 -ra------ C:\WINDOWS\system32\hhactivex.dll
2008-03-11 16:22 . 1999-05-07 13:24 414,944 --a------ C:\WINDOWS\system32\COMCT332.OCX
2008-03-11 16:22 . 1998-11-10 10:46 328,480 --a------ C:\WINDOWS\system32\ssa3d30.ocx
2008-03-11 16:22 . 2002-01-08 17:00 176,128 --a------ C:\WINDOWS\system32\RcdScan.dll
2008-03-11 16:22 . 1998-09-24 12:03 171,967 --a------ C:\WINDOWS\system32\Odbcjet.hlp
2008-03-11 16:22 . 2001-08-22 08:42 13,632 --------- C:\WINDOWS\system32\drivers\omci.sys
2008-03-11 16:22 . 1998-09-24 12:03 7,348 --a------ C:\WINDOWS\system32\Odbcjet.cnt
2008-03-04 10:46 . 2008-03-21 14:14 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-03-04 10:46 . 2008-03-04 10:46 1,409 --a------ C:\WINDOWS\QTFont.for
2008-03-04 10:33 . 2008-03-04 10:35 <DIR> d-------- C:\Program Files\iTunes
2008-03-04 09:54 . 2008-03-04 10:02 <DIR> d-------- C:\Program Files\QuickTime
2008-03-02 20:51 . 2008-03-20 18:34 <DIR> d-------- C:\Temp
2008-02-28 23:08 . 2008-02-28 23:12 <DIR> d-------- C:\Documents and Settings\Greg and Gloria's\Local Setting
2008-02-24 12:34 . 2006-10-04 21:42 2,560 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-02-24 12:34 . 2006-10-04 21:42 2,432 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-02-24 12:33 . 2008-02-27 20:43 <DIR> d-------- C:\Program Files\Picasa2
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-21 18:51 --------- d-----w C:\Documents and Settings\Greg and Gloria's\Application Data\SiteAdvisor
2008-03-17 20:12 --------- d-----w C:\Program Files\Dl_cats
2008-03-12 01:24 10,288 ----a-w C:\Documents and Settings\Greg and Gloria's\Application Data\wklnhst.dat
2008-03-11 23:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-11 23:41 --------- d-----w C:\Program Files\Pearl Harbor - Zero Hour
2008-03-04 15:34 --------- d-----w C:\Program Files\iPod
2008-02-29 00:06 --------- d-----w C:\Program Files\McAfee
2008-02-27 09:01 --------- d-----w C:\Program Files\Windows Live
2008-02-26 23:46 --------- d-----w C:\Documents and Settings\Greg and Gloria's\Application Data\AdobeUM
2008-02-24 01:19 --------- d-----w C:\Program Files\EarthLink TotalAccess
2008-02-06 17:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\Dell
2008-02-01 17:11 586,240 ----a-w C:\WINDOWS\WLXPGSS.SCR
2008-01-31 02:24 --------- d-----w C:\Program Files\MySpace
2008-01-22 00:09 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-01-11 05:53 44,544 ----a-w C:\WINDOWS\system32\dllcache\pngfilt.dll
2008-01-09 04:01 92,064 ----a-w C:\Documents and Settings\Greg and Gloria's\mqdmmdm.sys
2008-01-09 04:01 9,232 ----a-w C:\Documents and Settings\Greg and Gloria's\mqdmmdfl.sys
2008-01-09 04:01 79,328 ----a-w C:\Documents and Settings\Greg and Gloria's\mqdmserd.sys
2008-01-09 04:01 66,656 ----a-w C:\Documents and Settings\Greg and Gloria's\mqdmbus.sys
2008-01-09 04:01 6,208 ----a-w C:\Documents and Settings\Greg and Gloria's\mqdmcmnt.sys
2008-01-09 04:01 5,936 ----a-w C:\Documents and Settings\Greg and Gloria's\mqdmwhnt.sys
2008-01-09 04:01 4,048 ----a-w C:\Documents and Settings\Greg and Gloria's\mqdmcr.sys
2008-01-09 04:01 25,600 ----a-w C:\Documents and Settings\Greg and Gloria's\usbsermptxp.sys
2008-01-09 04:01 22,768 ----a-w C:\Documents and Settings\Greg and Gloria's\usbsermpt.sys
2008-01-07 02:04 71,208 ----a-w C:\Documents and Settings\Greg and Gloria's\Application Data\GDIPFONTCACHEV1.DAT
.
((((((((((((((((((((((((((((( snapshot@2008-03-20_18.43.12.76 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-03-21 05:23:26 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX\ERDNT.EXE
+ 2008-03-21 19:00:44 4,386,816 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2008-03-21 19:00:44 12,288 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2008-03-21 05:23:26 163,328 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\ERDNT.EXE
+ 2008-03-21 19:00:32 4,386,816 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000001\NTUSER.DAT
+ 2008-03-21 19:00:32 12,288 ----a-w C:\WINDOWS\ERUNT\SDFIX_First_Run\Users\00000002\UsrClass.dat
- 2008-02-04 23:09:46 18,214,008 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-03-05 16:30:54 19,148,408 ----a-w C:\WINDOWS\system32\MRT.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{161608E4-C639-43E7-80E3-4C945F2526D3}]
C:\WINDOWS\system32\geedc.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9851FB36-08BB-4858-83BD-0C2316E0DDD0}]
C:\WINDOWS\system32\mljge.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09 460784]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-12-17 21:28 171448]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00 15360]
"DellTransferAgent"="C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe" [2007-11-13 16:46 135168]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-10-23 16:18 443968]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2005-09-29 15:01 67584]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2005-07-20 00:09 94208]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2005-07-20 00:06 77824]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2005-07-20 00:10 114688]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 18:48 32881]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-23 01:20 339968 C:\WINDOWS\stsystra.exe]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 17:19 53248]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2005-12-19 14:04 26112]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]
"dlcdmon.exe"="C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe" [2005-07-22 08:45 430080]
"MemoryCardManager"="C:\Program Files\Dell Photo AIO Printer 944\memcard.exe" [2005-06-27 06:05 282624]
"MskAgentexe"="C:\Program Files\McAfee\MSK\MskAgent.exe" [2007-01-17 16:30 152144]
"SiteAdvisor"="C:\Program Files\SiteAdvisor\6253\SiteAdv.exe" [2007-03-30 10:42 36904]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-02-01 00:13 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-02-19 14:10 267048]
"DLCDCATS"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll" [2005-06-07 07:39 69632]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2005-12-19 14:00:32 24576]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04 83360]
QuickBooks Update Agent.lnk - C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe [2004-11-11 12:59:36 806912]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Ares\\Ares.exe"=
"C:\\Program Files\\Pearl Harbor - Zero Hour\\PHarbor.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
R3 dlcd_device;dlcd_device;C:\WINDOWS\system32\dlcdcoms.exe [2005-06-21 09:19]
S3 sonypvs1;Sony Digital Imaging Video2;C:\WINDOWS\system32\DRIVERS\sonypvs1.sys [2002-10-15 23:41]
S3 USB_RNDIS_XP;Westell USB Network Interface;C:\WINDOWS\system32\DRIVERS\usb8023.sys [2004-12-08 10:34]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-03-12 00:49:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-03-22 04:25:02 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2008-03-15 06:24:38 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe'
"2008-03-01 13:58:18 C:\WINDOWS\Tasks\McQcTask.job"
- c:\program files\mcafee\mqc\QcConsol.exe
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-22 00:03:57
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-03-22 0:04:41
ComboFix-quarantined-files.txt 2008-03-22 05:04:38
.
2008-03-20 23:45:36 --- E O F ---
------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:42:40 AM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe
C:\Program Files\McAfee\MSK\MskAgent.exe
C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
C:\Program Files\QuickTime\QTTask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\Program Files\McAfee\MSK\MskSrver.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\dlcdcoms.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
c:\program files\mcafee\msc\mcuimgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089FD14D-132B-48FC-8861-0048AE113215} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O2 - BHO: (no name) - {4D25F921-B9FE-4682-BF72-8AB8210D6D75} - C:\Program Files\MyWaySA\SrchAsDe\deSrcAs.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: McAfee SiteAdvisor - {0BF43445-2F28-4351-9252-17FE6E806AA0} - C:\Program Files\SiteAdvisor\6253\SiteAdv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [dlcdmon.exe] "C:\Program Files\Dell Photo AIO Printer 944\dlcdmon.exe"
O4 - HKLM\..\Run: [MemoryCardManager] C:\Program Files\Dell Photo AIO Printer 944\memcard.exe
O4 - HKLM\..\Run: [MskAgentexe] C:\Program Files\McAfee\MSK\MskAgent.exe
O4 - HKLM\..\Run: [SiteAdvisor] C:\Program Files\SiteAdvisor\6253\SiteAdv.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [DLCDCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCDtime.dll,_RunDLLEntry@16
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DellTransferAgent] "C:\Documents and Settings\All Users\Application Data\Dell\TransferAgent\TransferAgent.exe"
O4 - HKCU\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe
O23 - Service: dlcd_device - Unknown owner - C:\WINDOWS\system32\dlcdcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: McAfee SpamKiller Service (MSK80Service) - McAfee Inc. - C:\Program Files\McAfee\MSK\MskSrver.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
--
End of file - 10515 bytes
----------------------------------------------------
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 22, 2008 8:52:25 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/03/2008
Kaspersky Anti-Virus database records: 654320
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 58125
Number of viruses found: 21
Number of infected objects: 94
Number of suspicious objects: 0
Duration of the scan process: 00:52:30
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\tempIpRules.xdb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\RBLDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFRC.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Local Settings\Application Data\ApplicationHistory\TransferAgent.exe.91f03f4d.ini.inuse Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Local Settings\History\History.IE5\MSHist012008032220080323\index.dat Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Local Settings\temp\~DF1886.tmp Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Local Settings\temp\~DF8B09.tmp Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Local Settings\temp\~DF8B47.tmp Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Local Settings\temp\~DFEA2E.tmp Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\Documents and Settings\Greg and Gloria's\My Documents\My Received Files\photo_722-jpg.zip.vir/foto-652-JPEG.zip Infected: Trojan.Win32.Pakes.byj skipped
C:\QooBox\Quarantine\C\Documents and Settings\Greg and Gloria's\My Documents\My Received Files\photo_722-jpg.zip.vir ZIP: infected - 1 skipped
C:\QooBox\Quarantine\C\Program Files\Common Files\CROSOF~1\services.exe.vir Infected: Trojan-Downloader.Win32.PurityScan.fj skipped
C:\QooBox\Quarantine\C\Program Files\ComPlus Applications\meqyx777444.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.e skipped
C:\QooBox\Quarantine\C\Program Files\ComPlus Applications\meqyx821058.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\QooBox\Quarantine\C\Program Files\JavaCore\JavaCore.exe.vir Infected: not-a-virus:AdWare.Win32.Insider.b skipped
C:\QooBox\Quarantine\C\Program Files\NoDNS\NoDNS.exe.vir Infected: Trojan-Downloader.Win32.Agent.kji skipped
C:\QooBox\Quarantine\C\VundoFix Backups\ckrnqwlx.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\VundoFix Backups\khfcday.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\VundoFix Backups\mljklkh.dll.bad.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\b152.exe_tobedeleted.vir Infected: not-a-virus:AdWare.Win32.Insider.c skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mljklkh.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-20_183920.71.zip/pmnnl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-20_183920.71.zip ZIP: infected - 1 skipped
C:\SDFix\backups\backups.zip/backups/b104.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\SDFix\backups\backups.zip/backups/b104.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\SDFix\backups\backups.zip/backups/b104.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\SDFix\backups\backups.zip/backups/b104.exe Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\SDFix\backups\backups.zip/backups/nvcoi.exe Infected: Trojan-Downloader.Win32.Agent.ltf skipped
C:\SDFix\backups\backups.zip ZIP: infected - 5 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP10\A0009415.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP11\A0009508.exe Infected: not-a-virus:AdWare.Win32.Insider.b skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP11\A0009510.exe Infected: Trojan-Downloader.Win32.Agent.kji skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP11\A0009512.exe Infected: Trojan-Downloader.Win32.PurityScan.fj skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP11\A0009518.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP11\A0009526.dll Infected: not-a-virus:AdWare.Win32.TTC.e skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP11\A0009527.dll Infected: not-a-virus:AdWare.Win32.TTC.d skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP12\A0009697.exe Infected: Trojan-Downloader.Win32.Agent.ltf skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP12\A0009698.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP12\A0009698.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP12\A0009698.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP12\A0009698.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP12\A0009702.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP12\A0009702.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP12\A0009702.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP12\A0009702.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP12\A0009703.exe Infected: Trojan-Downloader.Win32.Agent.ltf skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP14\change.log Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0002020.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0002020.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0002020.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0002020.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0002042.exe Infected: not-a-virus:AdWare.Win32.Insider.d skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0002043.exe Infected: not-a-virus:AdWare.Win32.Insider.d skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0002044.exe Infected: Trojan-Dropper.Win32.Agent.eso skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0002045.exe Infected: Trojan-Downloader.Win32.Agent.kha skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP2\A0002047.exe Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP3\A0003014.exe Infected: Trojan-Downloader.Win32.Agent.lak skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP4\A0004046.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0005046.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0007046.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP5\A0008046.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP6\A0009063.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP6\A0009074.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP6\A0009075.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP7\A0009097.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.e skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP7\A0009097.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP7\A0009149.exe Infected: Trojan-Downloader.Win32.Agent.lbx skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP7\A0009150.exe Infected: Trojan-Downloader.Win32.Agent.kha skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP7\A0009152.exe Infected: not-a-virus:AdWare.Win32.Insider.d skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP7\A0009153.exe Infected: not-a-virus:AdWare.Win32.Insider.c skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP7\A0009169.exe Infected: not-a-virus:Downloader.Win32.Agent.ak skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP7\A0009171.exe Infected: Trojan-Downloader.Win32.Agent.ezc skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP7\A0009172.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP7\A0009172.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP7\A0009173.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009338.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009339.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jxa skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009340.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009341.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009342.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009343.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009344.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009347.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009349.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009350.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009351.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009352.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009353.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009355.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009356.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009357.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009358.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009359.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009361.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009362.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009363.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009364.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009365.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009366.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009368.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009369.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009370.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009371.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP9\A0009372.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{48185DA1-EB40-41ED-B0C0-06AB58CD0796}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{CC1FAA8E-D372-45B0-A21B-3AF83ED60BA2}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\mcmsc_6x6uZyNWrlwozxn Object is locked skipped
C:\WINDOWS\TEMP\mcmsc_h0FzyqP4ErsTM1t Object is locked skipped
C:\WINDOWS\TEMP\sqlite_0IQ9oIaBZRnoC4V Object is locked skipped
C:\WINDOWS\TEMP\sqlite_cw9U6xFgSCPzeuk Object is locked skipped
C:\WINDOWS\TEMP\sqlite_DEF2NdlX9gpXns9 Object is locked skipped
C:\WINDOWS\TEMP\sqlite_M9dUfhgsg4muDkd Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
----------------------------------------
A couple of notes:
1) I see Kaspersky still shows some virus presence
2) After running the CFScript through ComboFix, it ended with the log open in notepad, as expected. But when I closed Notepad, I only had the Windows wallpaper... no icons on the desktop, no Start button, task bar, or system tray. About the only thing I could do was use CNTL-ALT-DEL to get something I could use to reboot. Reboot brought everything back. Is that significant?
Thanks again, Steam.
~Dan
steamwiz
2008-03-22, 17:20
HI
You're as good as clean now
Only things found by Kaspersky are in Quarantine/backups ... we'll get rid of those now ...
In order to delete the files when executing the script, Combofix has to temporarily terminate explorer.exe ...
This results in no icons on the desktop, no Start button, task bar, or system tray untill explorer is restarted ...
I suspect Combofix set itself up to reboot, but didn't for some reason, maybe you touched the mouse or did something ?
Anyway it's no problem, once you rebooted, everything will have been reset ...
Please do this now :-
Go to Start > Run > copy and paste ComboFix /u into the Open: box & press OK
http://img.photobucket.com/albums/v624/29wood/Clipboard01-1.gif
THEN ...
Find & delete the :-
C:\SDFix ... folder
SDFix.exe from your desktop
THEN ...
This will clear all your infected restore points...
Turn off (Disable) System Restore in XP :-
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.
Then...
Turn on (enable) System Restore :-
Follow the same procedure, but this time uncheck Turn off System Restore
if you have any problem with this... here's a link to instructions :-
Disabling or enabling Windows XP System Restore >
http://service1.symantec.com/SUPPORT/tsgeninfo.nsf/docid/2001111912274039?OpenDocument&src=sec_doc_nam
-
THEN...
Run a new KASPERSKY ONLINE SCAN & the REPORT should come back CLEAN...
steam
Thanks, Steam. The Kapersky report shows no malware detected (Report attached below)...
I have a few questions for you, if you don't mind...
1) I still have the matter of the window opening to C:\Program Files\Dell on boot, that I can't figure out how to eliminate. I've looked in the following places:
- Start > Programs > Start Up
- c:\documents and settings\...\Start Menu\Programs\Startup
- msconfig
- regedt32
Suggestions on how to find where this is coming from?
2) When I got a clean bill of health from Spybot, I thought I was done. You saw something that indicated (correctly) that there was much left to get rid of. Is there something that I should have been able to pick up on that indicated that I was still deep in trouble and needed some expert help? I guess I appreciate your help and don't want to waste your time unnecessarily, but still want to be sure that I can recognize when I need help from you and/or your colleagues.
3) McAfee SecurityCenter...
In Add or Remove Programs, there are two entries:
McAfee Security Center
McAfee Uninstaller
Are you aware of any issues uninstalling it by clicking Change/Remove on the first of those entries?
4) I would like your recommendation a combination of products to protect the owner of this machine. I'm thinking of installing AVGFree, ZoneAlarm Free, and Spybot with everything turned on. Does that make sense or is that a bad idea? My greatest concern is the ability of the owner and his family to understand when to "allow" and when to "disallow" access. I can handle getting a few phone calls from him when he has questions, but I also expect his children to get frustrated and just say "OK" to warnings.
Thanks,
~Dan
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 22, 2008 1:01:24 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 22/03/2008
Kaspersky Anti-Virus database records: 654607
-------------------------------------------------------------------------------
Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true
Scan Target - My Computer:
C:\
D:\
E:\
Scan Statistics:
Total number of scanned objects: 56704
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:51:05
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\tempIpRules.xdb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\MSKWMDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\RBLDB.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSK\settingsdb.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR10.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Application Data\Gtek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Local Settings\Application Data\ApplicationHistory\TransferAgent.exe.91f03f4d.ini.inuse Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Local Settings\History\History.IE5\MSHist012008032220080323\index.dat Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Local Settings\temp\~DF45F9.tmp Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Local Settings\temp\~DF51A4.tmp Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Local Settings\temp\~DF51B7.tmp Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Local Settings\temp\~DFD256.tmp Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Greg and Gloria's\UserData\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP1\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{7A23C5CD-92CA-4493-8090-DCE004A1F046}.crmlog Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\TEMP\mcmsc_c1291a2njX8DBVK Object is locked skipped
C:\WINDOWS\TEMP\mcmsc_obK7Dhq3RFhMmnk Object is locked skipped
C:\WINDOWS\TEMP\sqlite_CY8vdkEWOd1ht9v Object is locked skipped
C:\WINDOWS\TEMP\sqlite_hauwRyHijCi2RvX Object is locked skipped
C:\WINDOWS\TEMP\sqlite_Ouhk9YfaLeaf5bb Object is locked skipped
C:\WINDOWS\TEMP\sqlite_ZhPqsQHhUTkY9Cv Object is locked skipped
C:\WINDOWS\TEMP\sqlite_zmlOLQH49CIbpjJ Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
Scan process completed.
steamwiz
2008-03-23, 22:31
HI
RE: 1) window opening to C:\Program Files\Dell on boot,
See if this helps ...
http://windowsxp.mvps.org/dellfolder.htm
-
2) It's only the experience of looking at logs for over 10 years that enables me to see if anything is there which shouldn't be, you have to rely in your scanners & anti-malware programs to do that for you ... unless you get a "gut feeling" that something is wring, then seek help.
-
3) McAfee SecurityCenter...
Yes uninstall from add/remove programs ...
Any problems, use the uninstaller ...
http://service.mcafee.com/FAQDocument.aspx?id=107083&lc=1033
-
4) What you suggest sounds very similar to my own setup .. with Zonealarm it's a case of allowing any programs you know need access to the net ... iexplore etc, any up-daters which need to download updates, just allow what you recognise, usually ones which pop-up immediately after you yourself have instigated something ... the time to disallow is when you are doing something or surfing & you get a pop-up saying something is trying to access the net ... remember, if you say NO then find out later that you should have said yes, it's a simple enough matter to change your decision in Zonealarm ... but if you say YES when you should have said NO .... it's too late ... you're infected... so when in doubt ... SAY NO
There are a lot of other programs you can install to improve your security, take a look at this article by Tony Klein :-
http://forums.spybot.info/showthread.php?t=279
steam