Infected Computer. Possibly geeda?



dvlinsd88
2008-03-30, 00:28
Hello,
Firstly I am grateful for any help I receive for my problems. Thank you so much and it is a truly wonderful deed the people of this website are doing. Keep it up!
Well, a while back I managed to infect my computer with a whole bunch of viruses. I initially cleaned some of it up with Norton Anti-Virus and Spybot but quickly noticed that the problem had not completely gone. So I turned to this website and went through all the initial steps with the Kaspersky and HJT scans. The main problem I seem to have is that every time I restarted the computer, the same infections kept getting caught and removed by Norton (geeda.dll). Additionally, every time I tried to open any file or program, the system invoked an installer for a (seemingly random) program, so I rushed to quickly cancel the computer from installing Microsoft Office or something else. Well, I don't want to end up with any long-winded speeches, so here are the scans I have done:

*Note: Though the scans are dated March 9, I have not turned on the computer since that time and am currently on another computer.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 09, 2008 2:26:14 PM
Operating System: Microsoft Windows XP Professional, (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/03/2008
Kaspersky Anti-Virus database records: 618846
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 97576
Number of viruses found: 14
Number of infected objects: 65
Number of suspicious objects: 0
Duration of the scan process: 01:50:02

Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\skqrdcrm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\kaouonmx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\ncjglqfn.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\L9A61.tmp Infected: Trojan-Downloader.Win32.Small.ijp skipped
C:\WINDOWS\system32\wvuusqo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\geeda.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\wvuroon.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\wbyqgvme.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\nnnkljj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\lkbqochq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\keaqsmel.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\LucentIKESvc.log Object is locked skipped
C:\WINDOWS\Temp\ja.com Infected: Trojan-Dropper.Win32.Agent.atn skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\Debug\oakley.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08D80000.VBN Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08D80001.VBN Infected: Virus.Win32.Trats.d skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temp\Temporary Internet Files\Content.IE5\GBGXGPKD\l[1].htm Infected: Trojan-Downloader.VBS.Small.co skipped
C:\Documents and Settings\User\Local Settings\Temp\Temporary Internet Files\Content.IE5\IJIV4BUV\l[1].php/packed Infected: Trojan-Downloader.VBS.Small.co skipped
C:\Documents and Settings\User\Local Settings\Temp\Temporary Internet Files\Content.IE5\IJIV4BUV\l[1].php GZIP: infected - 1 skipped
C:\Documents and Settings\User\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\User\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\User\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d691a6b-7124f8fd.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6d691a6b-7124f8fd.zip ZIP: infected - 1 skipped
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-2f8a51f4/vmain.class Infected: Exploit.Java.Gimsh.b skipped
C:\Documents and Settings\User\Application Data\Sun\Java\Deployment\cache\6.0\52\1c9644b4-2f8a51f4 ZIP: infected - 1 skipped
C:\Documents and Settings\User\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\User\ntuser.dat Object is locked skipped
C:\Documents and Settings\Mera\Local Settings\Temporary Internet Files\Content.IE5\01K345OP\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Mera\Local Settings\Temporary Internet Files\Content.IE5\GHI1KL45\m7[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\debug.log Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\debug.log.idx Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\error.log Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\error.log.idx Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\hips.log Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\hips.log.idx Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\ids.log Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\ids.log.idx Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\network.log Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\network.log.idx Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\system.log Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\system.log.idx Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\warning.log Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\warning.log.idx Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\web.log Object is locked skipped
C:\Program Files\Kerio\Personal Firewall 4\logs\web.log.idx Object is locked skipped
C:\Program Files\IPSec Client\Log\FW_Session.log Object is locked skipped
C:\Program Files\IPSec Client\Log\logipsec.log Object is locked skipped
C:\Program Files\WinBudget\bin\crap.1165812330.old/data0000.bin Infected: Trojan-Clicker.Win32.BHO.r skipped
C:\Program Files\WinBudget\bin\crap.1165812330.old EmbeddedEXE: infected - 1 skipped
C:\Program Files\WinBudget\bin\crap.1165961625.old/data0000.bin Infected: Trojan-Clicker.Win32.BHO.r skipped
C:\Program Files\WinBudget\bin\crap.1165961625.old EmbeddedEXE: infected - 1 skipped
C:\Program Files\WinBudget\bin\crap.1165961625.old UPX: infected - 1 skipped
C:\Program Files\WinBudget\bin\crap.1165961625.old PE_Patch.UPX: infected - 1 skipped
C:\Program Files\WinBudget\bin\crap.1165986709.old/data0000.bin Infected: Trojan-Clicker.Win32.BHO.r skipped
C:\Program Files\WinBudget\bin\crap.1165986709.old EmbeddedEXE: infected - 1 skipped
C:\Program Files\WinBudget\bin\crap.1165986709.old UPX: infected - 1 skipped
C:\Program Files\WinBudget\bin\crap.1165986709.old PE_Patch.UPX: infected - 1 skipped
C:\Program Files\QdrModule\QdrModule12.exe Infected: not-a-virus:AdWare.Win32.Agent.aev skipped
C:\Program Files\QdrPack\QdrPack12 .exe Infected: not-a-virus:AdWare.Win32.Agent.adm skipped
C:\Program Files\QdrPack\QdrPack12.exe Infected: not-a-virus:AdWare.Win32.Agent.adm skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0845NAV~.TMP Object is locked skipped
C:\Program Files\Symantec AntiVirus\SAVRT\0635NAV~.TMP Object is locked skipped
C:\System Volume Information\_restore{FF8778E9-8BCF-47A6-AE69-E0579573171D}\RP546\A0120853.exe Infected: not-a-virus:AdWare.Win32.Agent.aev skipped
C:\System Volume Information\_restore{FF8778E9-8BCF-47A6-AE69-E0579573171D}\RP546\A0120854.exe Infected: not-a-virus:AdWare.Win32.Agent.adm skipped
C:\System Volume Information\_restore{FF8778E9-8BCF-47A6-AE69-E0579573171D}\RP547\A0122086.DLL Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{FF8778E9-8BCF-47A6-AE69-E0579573171D}\RP547\change.log Object is locked skipped
C:\System Volume Information\_restore{FF8778E9-8BCF-47A6-AE69-E0579573171D}\RP543\A0111662.exe Infected: not-a-virus:AdWare.Win32.Agent.aev skipped
C:\System Volume Information\_restore{FF8778E9-8BCF-47A6-AE69-E0579573171D}\RP543\A0111664.exe Infected: not-a-virus:AdWare.Win32.Agent.adm skipped
C:\System Volume Information\_restore{FF8778E9-8BCF-47A6-AE69-E0579573171D}\RP543\A0111725.exe Infected: not-a-virus:AdWare.Win32.Agent.aev skipped
C:\System Volume Information\_restore{FF8778E9-8BCF-47A6-AE69-E0579573171D}\RP543\A0111727.exe Infected: not-a-virus:AdWare.Win32.Agent.adm skipped
C:\System Volume Information\_restore{FF8778E9-8BCF-47A6-AE69-E0579573171D}\RP543\A0112725.exe Infected: not-a-virus:AdWare.Win32.Agent.aev skipped
C:\System Volume Information\_restore{FF8778E9-8BCF-47A6-AE69-E0579573171D}\RP543\A0112727.exe Infected: not-a-virus:AdWare.Win32.Agent.adm skipped
C:\System Volume Information\_restore{FF8778E9-8BCF-47A6-AE69-E0579573171D}\RP543\A0112754.exe Infected: not-a-virus:AdWare.Win32.Agent.adm skipped
C:\System Volume Information\_restore{FF8778E9-8BCF-47A6-AE69-E0579573171D}\RP543\A0112780.exe Infected: not-a-virus:AdWare.Win32.Agent.aev skipped
C:\System Volume Information\_restore{FF8778E9-8BCF-47A6-AE69-E0579573171D}\RP543\A0112782.exe Infected: not-a-virus:AdWare.Win32.Agent.adm skipped
C:\System Volume Information\_restore{FF8778E9-8BCF-47A6-AE69-E0579573171D}\RP543\A0112802.exe Infected: not-a-virus:AdWare.Win32.Agent.adm skipped
C:\System Volume Information\_restore{FF8778E9-8BCF-47A6-AE69-E0579573171D}\RP543\A0113774.exe Infected: not-a-virus:AdWare.Win32.Agent.aev skipped
C:\System Volume Information\_restore{FF8778E9-8BCF-47A6-AE69-E0579573171D}\RP543\A0113778.exe Infected: not-a-virus:AdWare.Win32.Agent.adm skipped
C:\System Volume Information\_restore{FF8778E9-8BCF-47A6-AE69-E0579573171D}\RP543\A0113797.exe Infected: not-a-virus:AdWare.Win32.Agent.adm skipped
C:\System Volume Information\_restore{FF8778E9-8BCF-47A6-AE69-E0579573171D}\RP543\A0117187.DLL Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{FF8778E9-8BCF-47A6-AE69-E0579573171D}\RP543\A0118280.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{FF8778E9-8BCF-47A6-AE69-E0579573171D}\RP543\A0118280.exe NSIS: infected - 1 skipped
C:\43.tmp/stream/data0002 Infected: not-a-virus:Downloader.Win32.Agent.q skipped
C:\43.tmp/stream/data0003 Infected: not-a-virus:AdWare.Win32.AdBand.c skipped
C:\43.tmp/stream Infected: not-a-virus:AdWare.Win32.AdBand.c skipped
C:\43.tmp NSIS: infected - 3 skipped
D:\System Volume Information\_restore{FF8778E9-8BCF-47A6-AE69-E0579573171D}\RP547\change.log Object is locked skipped
D:\Family\Alex\Codecs and Installation\BSINSTALL.exe/WISE0023.BIN/data0001.cab/VVSN.exe Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
D:\Family\Alex\Codecs and Installation\BSINSTALL.exe/WISE0023.BIN/data0001.cab Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
D:\Family\Alex\Codecs and Installation\BSINSTALL.exe/WISE0023.BIN Infected: not-a-virus:AdWare.Win32.SaveNow.z skipped
D:\Family\Alex\Codecs and Installation\BSINSTALL.exe/WISE0027.BIN Infected: not-a-virus:AdTool.Win32.WhenU.a skipped
D:\Family\Alex\Codecs and Installation\BSINSTALL.exe WiseSFX: infected - 4 skipped
D:\Family\Alex\Codecs and Installation\BSINSTALL.exe WiseSFXDropper: infected - 4 skipped

Scan process completed.

dvlinsd88
2008-03-30, 00:29
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:01:18 PM, on 3/9/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Documents and Settings\User\Desktop\HiJackThis.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
C:\Program Files\IPSec Client\LucentIKESvc.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe
C:\Program Files\IPSec Client\LucentIKE.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Kerio\Personal Firewall 4\kpf4gui.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Common Files\Ulead Systems\AutoDetector\Monitor.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [DLA] C:\WINDOWS\System32\DLA\DLACTRLW.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKLM\..\RunServices: [Windows Plug and Play Service 32 BIT] winmanager32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Policies\Explorer\Run: [{50EE23CF-09DB-1033-0809-020410020001}] "C:\Program Files\Common Files\{50EE23CF-09DB-1033-0809-020410020001}\Update.exe" te-110-12-0000104
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Mary\Start Menu\Programs\Accessories\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O20 - AppInit_DLLs:
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe (file missing)
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kerio Personal Firewall 4 (KPF4) - Kerio Technologies - C:\Program Files\Kerio\Personal Firewall 4\kpf4ss.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LucentIKE - Unknown owner - C:\Program Files\IPSec Client\LucentIKESvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6372 bytes

pskelley
2008-03-30, 18:16
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are badly infected and this is likely the reason why:
http://forums.spybot.info/showthread.php?t=425

Multiple infections, but this one may be the worst:
http://www.liutilities.com/products/wintaskspro/processlibrary/windir32/
windir32.exe is a process which is registered as the WORM_RBOT.BRQ worm. This virus is distributed via the Internet through e-mail and comes in the form of an e-mail message, in the hopes that you open its hostile attachment. The worm has its own SMTP engine which means it gathers E-mails from your local computer and re-distributes itself. In worst cases this worm can allow attackers to access your computer, stealing passwords and personal data.

A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

One or more of the identified infections is a backdoor trojan.
This allows hackers to remotely control your computer, steal critical system information, and download and execute files.
I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.
Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall
http://www.dslreports.com/faq/10063

Update Your Windows XP.
You are currently using an unpatched version of Windows XP.
Before attempting to remove malware, it is CRITICAL that you update to Service Pack 1a.
Get SP1a here : http://www.microsoft.com/windowsxp/downloads/updates/sp1/default.mspx
You should also get SP2, but NOT NOW, rather only after your machine is clean.
After updating your Windows to SP1a, post a new HijackThis log please, using the Post Reply button.

Thanks
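The entries pskelley singles out in the first HijackThis log (windir32.exe and winmanager32.exe, registered under RunServices with Windows-sounding labels and no path) can be picked out mechanically. The following is an added example, not code from this thread or from HijackThis: a small audit of HijackThis O4 lines that flags commands with no directory path, system-sounding labels that point outside the Windows directory, and the Windows 9x-era RunServices key. The sample input is copied from the logs above; the heuristics, thresholds and function names are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: O4 lines copied from the HijackThis logs in this
# thread, used here only as test data for the audit below.
SAMPLE_HJT_O4_LINES = r"""
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\RunServices: [Microsoft Windows DLL Services Configuration] windir32.exe
O4 - HKLM\..\RunServices: [Windows Plug and Play Service 32 BIT] winmanager32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
"""

# Line shapes HijackThis uses for O4 (autostart) entries.
REGISTRY_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\(?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_O4 = re.compile(r"^O4 - (?P<key>\w+ Startup): (?P<name>.+?) = (?P<cmd>.*)$")
USER_SUFFIX = re.compile(r"\s+\(User '(?P<user>[^']*)'\)$")
# First file on a command line: a quoted path, or text up to a common executable extension.
FIRST_FILE = re.compile(r'^"([^"]+)"|^(.+?\.(?:exe|dll|com|scr|bat|cmd))(?=[\s,]|$)', re.I)
WINDOWS_DIRS = ("c:\\windows", "%systemroot%", "%windir%")
HOST_BINARIES = {"rundll32.exe", "regsvr32.exe"}  # hosts; the module they load is what matters

@dataclass
class O4Entry:
    hive: str
    key: str
    name: str
    command: str
    user: str = ""
    target: str = ""
    reasons: List[str] = field(default_factory=list)

def loaded_file(command: str) -> str:
    """Return the file the command line really loads (looks through rundll32/regsvr32)."""
    m = FIRST_FILE.match(command)
    target = (m.group(1) or m.group(2)) if m else (command.split() or [""])[0]
    rest = command[m.end():].strip() if m else command[len(target):].strip()
    if target.split("\\")[-1].lower() in HOST_BINARIES and rest:
        return loaded_file(rest)
    return target

def parse_o4(line: str) -> Optional[O4Entry]:
    """Parse one HijackThis O4 line into hive, key, label, command and per-user suffix."""
    line, user = line.strip(), ""
    um = USER_SUFFIX.search(line)
    if um:
        user, line = um.group("user"), line[: um.start()]
    m = REGISTRY_O4.match(line) or STARTUP_O4.match(line)
    if not m:
        return None
    hive = m.groupdict().get("hive", "")  # Global Startup lines have no hive
    entry = O4Entry(hive, m["key"], m["name"], m["cmd"], user)
    entry.target = loaded_file(entry.command)
    return entry

def audit_entry(entry: O4Entry) -> List[str]:
    """Heuristics (assumptions of this example) mirroring how the suspicious entries were spotted."""
    t, reasons = entry.target.lower(), []
    if t and "\\" not in t and "/" not in t and not t.startswith("%"):
        reasons.append("bare-filename")       # resolved by PATH search; no telling where it lives
    if re.search(r"\b(microsoft|windows)\b", entry.name, re.I) and not t.startswith(WINDOWS_DIRS):
        reasons.append("windows-like-label")  # system-sounding label pointing outside the Windows dir
    if entry.key.lower().endswith("runservices"):
        reasons.append("runservices-key")     # Windows 9x-era autostart key; unexpected on XP
    return reasons

def audit_o4(log_text: str) -> List[O4Entry]:
    """Return the O4 entries from a HijackThis log that trip at least one heuristic."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is not None:
            entry.reasons = audit_entry(entry)
            if entry.reasons:
                flagged.append(entry)
    return flagged

if __name__ == "__main__":
    for e in audit_o4(SAMPLE_HJT_O4_LINES):
        print(f"{e.key:<16} [{e.name}] -> {e.target}: {', '.join(e.reasons)}")
```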

dvlinsd88
2008-03-30, 19:03
Oh boy, alright. Thank you very much for your help, I really do appreciate it. I did not think the damage was so bad, but I am glad I had disconnected the internet from that computer before and after the scans were done.
I was also wondering, since I cannot find my old Windows XP Professional disk, I will be ordering a new one. I was thinking of getting the latest version of Windows XP. Is this advisable or should I just get an older version of XP Professional and then install SP1a?

pskelley
2008-03-30, 19:09
I have both XP Home and XP Pro and I am not sure if you can purchase with SP1 or SP2 already part of the OS or not. They should be able to tell you that where you purchase or ask here:
http://support.microsoft.com/

dvlinsd88
2008-04-02, 08:18
Thank you for all your help. I have re-installed Windows and Spybot. I don't think there should be any more problems as I have reformatted the partitions on my computer. Apparently the XP version I purchased came with SP2... (who knew?) I have also done a new HJT scan:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:13:05 AM, on 4/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wpabaln.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\Family\Desktop\HiJackThis.exe

O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

--
End of file - 1387 bytes

Thank you once again for all your help. I really appreciate it. I will check back to make sure there aren't any more problems left.

pskelley
2008-04-02, 14:30
There should not be if you reformatted, but this does not look like a complete HJT log?
If it is, it is clean. I suggest you update Internet Explorer as soon as possible for the extra security it gives you.
http://www.microsoft.com/windows/products/winfamily/ie/default.mspx

You should not even be going online without an antivirus program installed and running. Here are free ones if needed (install ONLY one):
http://free.grisoft.com/freeweb.php/doc/2/
http://www.avast.com/eng/avast_4_home.html
http://www.free-av.com/

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.