oxc0000005 rundll32.exe application error and virus problem



marz1
2008-06-02, 16:53
Hi, for a couple of days now when I restart the screen is blank and there's no desktop; I have to get in through Task Manager.
This is the error I get: "application failed to load rundll32.exe (application error)"

I also get this error:
/idlist,:0:3612,C:\Documents
---------------------------
Windows cannot find '/idlist,:0:3612,C:\Documents'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button, and then click Search.
---------------------------
OK
---------------------------

I have run Spybot and immunised all the problems, and here is the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:54 PM, on 6/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\XpertVision\TBPanel.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Analog Devices\SoundMAX\smax4.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Download Manager\IDMan.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {23ECC6ED-FB2D-4148-9950-DDC6C8D8AA8F} - C:\WINDOWS\system32\opnMGYOh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.15\AsRunHelp.exe
O4 - HKLM\..\Run: [Gainward] C:\Program Files\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [BM4fe432c5] Rundll32.exe "C:\WINDOWS\system32\jpuwanen.dll",s
O4 - HKLM\..\Run: [4cd70159] rundll32.exe "C:\WINDOWS\system32\hyepldsk.dll",b
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA6473] command /c del "C:\WINDOWS\system32\opnMGYOh.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1105] cmd /c del "C:\WINDOWS\system32\opnMGYOh.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA716] command /c del "C:\WINDOWS\system32\opnMGYOh.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8924] cmd /c del "C:\WINDOWS\system32\opnMGYOh.dll_old"
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKCU\..\RunOnce: [SpybotDeletingB2605] command /c del "C:\WINDOWS\system32\opnMGYOh.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9290] cmd /c del "C:\WINDOWS\system32\opnMGYOh.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6842] command /c del "C:\WINDOWS\system32\opnMGYOh.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6603] cmd /c del "C:\WINDOWS\system32\opnMGYOh.dll_old"
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download all links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00AC3D1.dat
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 8084 bytes
Please advise what else I should do next.

pskelley
2008-06-04, 00:16
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected; I suggest you keep this computer offline except when troubleshooting, as the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully; the tools will not work unless you do.
This can be a tough infection to remove so do not expect fast or easy.

Please advise what else I should do next.
Start by reading the directions, they are pinned (sticky) to the top of this forum and posted above. I would like to see the required Kaspersky Online Scan (KOS) but since you did not post it and I can see you have at least a Vundo infection, I'll look at it later. If you still need help, this is what I need you to do.

1) System Configuration Utility (MSConfig) is in Selective Startup mode, return it to Normal Mode until we finish, then you can return to SS to save your resources.

2) Remove any old copies of combofix before you proceed.

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the combofix log and a new HJT log.

Tutorial
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks
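
As an added example (not part of this thread, and not pskelley's or HijackThis's own logic), here is a small Python triage script that runs the kind of check the helper did by eye over the O2/O4/O20 lines of the log above. The heuristics are assumptions chosen for the example: a rundll32 Run entry is flagged when at least two of {8-lowercase-letter DLL name, hex-looking Run value name, single-letter export} hold, any AppInit_DLLs value is flagged for review, and a BHO whose file is missing is reported as a leftover registration. The sample lines are copied from the HijackThis log in this thread; the DLL names match the ones the Kaspersky scan reports as Virtumonde.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input: a subset of the HijackThis lines posted in this
# thread (O2 BHOs, O4 Run entries and the O20 AppInit_DLLs line), verbatim.
SAMPLE_HJT = r"""
O2 - BHO: IDM Helper - {0055C089-8582-441B-A0BF-17B458C2A3A8} - C:\Program Files\Internet Download Manager\IDMIECC.dll
O2 - BHO: (no name) - {23ECC6ED-FB2D-4148-9950-DDC6C8D8AA8F} - C:\WINDOWS\system32\opnMGYOh.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [BM4fe432c5] Rundll32.exe "C:\WINDOWS\system32\jpuwanen.dll",s
O4 - HKLM\..\Run: [4cd70159] rundll32.exe "C:\WINDOWS\system32\hyepldsk.dll",b
O20 - AppInit_DLLs: C:\WINDOWS\system32\__c00AC3D1.dat
"""


@dataclass
class Finding:
    section: str             # HijackThis section tag: O2, O4 or O20
    reason: str
    line: str
    artifact: Optional[str]  # file path the line names, if any


O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$')
O4_RE = re.compile(r'^O4 - (?P<hive>\S+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<value>.*)$')
# "rundll32[.exe] <dll>,<export>" with the DLL path optionally quoted
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S*)\s*$',
                       re.IGNORECASE)

# Heuristics (assumptions made for this example, not HijackThis rules):
RANDOM_STEM_RE = re.compile(r'^[a-z]{8}$')           # e.g. jpuwanen, hyepldsk
HEX_VALUE_RE = re.compile(r'^(?:BM)?[0-9a-f]{8}$')   # e.g. BM4fe432c5, 4cd70159
ONE_LETTER_EXPORT_RE = re.compile(r'^[A-Za-z]$')     # e.g. ",s" / ",b"


def triage_hjt(text: str) -> list:
    """Return one Finding per log line that matches a Vundo-style indicator."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = O2_RE.match(line)
        if m:
            path = m['path']
            if path == '(no file)' or path.endswith('(file missing)'):
                artifact = None
                if path.endswith('(file missing)'):
                    artifact = path[:-len('(file missing)')].strip()
                findings.append(Finding(
                    'O2', 'BHO registration whose DLL is gone (leftover of a deleted or renamed component)',
                    line, artifact))
            continue
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.match(m['cmd'])
            if not r:
                continue  # not a rundll32 launcher; out of scope for this check
            stem = ntpath.splitext(ntpath.basename(r['dll']))[0]
            signals = []
            if RANDOM_STEM_RE.match(stem):
                signals.append('random-looking 8-letter DLL name')
            if HEX_VALUE_RE.match(m['name']):
                signals.append('hex-looking Run value name')
            if ONE_LETTER_EXPORT_RE.match(r['export']):
                signals.append('single-letter export')
            if len(signals) >= 2:
                findings.append(Finding('O4', 'rundll32 autorun with ' + ', '.join(signals),
                                        line, r['dll']))
            continue
        m = O20_RE.match(line)
        if m and m['value'].strip():
            findings.append(Finding(
                'O20', 'AppInit_DLLs is set; that DLL is loaded into every process that loads user32.dll',
                line, m['value'].strip()))
    return findings


def suspect_files(findings) -> set:
    """Basenames of the files the findings point at, for cross-checking against an AV report."""
    return {ntpath.basename(f.artifact) for f in findings if f.artifact}


if __name__ == '__main__':
    found = triage_hjt(SAMPLE_HJT)
    for f in found:
        print(f'{f.section:>3}  {f.reason}\n     {f.line}')
    print('files to cross-check:', sorted(suspect_files(found)))
```

Run on the sample it reports the two orphaned BHOs, the two rundll32 autoruns and the AppInit_DLLs entry, and `suspect_files` yields exactly the DLL names that the Kaspersky report later confirms, which is the cross-check a helper wants before deciding what to remove.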

marz1
2008-06-04, 00:31
Oops, forgot to post the Kaspersky scan:


------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, June 03, 2008 6:58:25 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 2/06/2008
Kaspersky Anti-Virus database records: 821972
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
G:\

Scan Statistics:
Total number of scanned objects: 135999
Number of viruses found: 4
Number of infected objects: 17
Number of suspicious objects: 0
Duration of the scan process: 01:25:22

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\0932_File_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\0933_Web_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\093c_pdm_eventcritlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\093c_pdm_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\report.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\mario\Application Data\Microsoft\MSNLiveFav\LiveFavorites.xml Object is locked skipped
C:\Documents and Settings\mario\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\mario\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\mario\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\mario\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\mario\Local Settings\Temp\IMG9.tmp Object is locked skipped
C:\Documents and Settings\mario\Local Settings\Temp\~DFE790.tmp Object is locked skipped
C:\Documents and Settings\mario\Local Settings\Temp\~DFE7C1.tmp Object is locked skipped
C:\Documents and Settings\mario\Local Settings\Temporary Internet Files\Content.IE5\172BJ9D6\kb456456[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.wpu skipped
C:\Documents and Settings\mario\Local Settings\Temporary Internet Files\Content.IE5\AH15NCJS\kb516107[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped
C:\Documents and Settings\mario\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\mario\Local Settings\Temporary Internet Files\Content.IE5\M6O9KPEP\css4[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.wti skipped
C:\Documents and Settings\mario\My Documents\software\video converters\DVD to AVI DivX MPEG Ripper 2.55 (100% Working!)\dvdripper.exe/data0000.cab/DvD2AVI.exe Infected: Trojan-Downloader.Win32.Agent.rip skipped
C:\Documents and Settings\mario\My Documents\software\video converters\DVD to AVI DivX MPEG Ripper 2.55 (100% Working!)\dvdripper.exe/data0000.cab Infected: Trojan-Downloader.Win32.Agent.rip skipped
C:\Documents and Settings\mario\My Documents\software\video converters\DVD to AVI DivX MPEG Ripper 2.55 (100% Working!)\dvdripper.exe Rsrc-Package: infected - 2 skipped
C:\Documents and Settings\mario\ntuser.dat Object is locked skipped
C:\Documents and Settings\mario\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\found.000\dir0000.chk\28[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\29[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\48[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\49[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\bang4[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\c[2].gif Object is locked skipped
C:\found.000\dir0000.chk\details[1].png Object is locked skipped
C:\found.000\dir0000.chk\de[1].gif Object is locked skipped
C:\found.000\dir0000.chk\divider_content[1].gif Object is locked skipped
C:\found.000\dir0000.chk\dlop2[1].png Object is locked skipped
C:\found.000\dir0000.chk\dl[1].htm Object is locked skipped
C:\found.000\dir0000.chk\dottedline[2].gif Object is locked skipped
C:\found.000\dir0000.chk\dot_clear[1].gif Object is locked skipped
C:\found.000\dir0000.chk\download[1].gif Object is locked skipped
C:\found.000\dir0000.chk\drugs-go-btn[1].gif Object is locked skipped
C:\found.000\dir0000.chk\ebaysup_e5571au[1].js Object is locked skipped
C:\found.000\dir0000.chk\facebook[1].gif Object is locked skipped
C:\found.000\dir0000.chk\fark[1].gif Object is locked skipped
C:\found.000\dir0000.chk\firefox[1].gif Object is locked skipped
C:\found.000\dir0000.chk\ga[1].js Object is locked skipped
C:\found.000\dir0000.chk\GlobalNavVjo23_Ebay_e557i6324624_en_AU[1].css Object is locked skipped
C:\found.000\dir0000.chk\h0[1].png Object is locked skipped
C:\found.000\dir0000.chk\hd_tab_sel_bg[1].gif Object is locked skipped
C:\found.000\dir0000.chk\icon1[1].gif Object is locked skipped
C:\found.000\dir0000.chk\iconBlueStar_25x25[1].gif Object is locked skipped
C:\found.000\dir0000.chk\iconCkoutBlue_16x16[1].gif Object is locked skipped
C:\found.000\dir0000.chk\iconClose_20x20[1].gif Object is locked skipped
C:\found.000\dir0000.chk\iconCOD_20x20_nobubble[1].gif Object is locked skipped
C:\found.000\dir0000.chk\iconFdbkNtrBlu_20x20[1].gif Object is locked skipped
C:\found.000\dir0000.chk\iconFixedprice_16x16[1].gif Object is locked skipped
C:\found.000\dir0000.chk\iconRelistGry_16x16[1].gif Object is locked skipped
C:\found.000\dir0000.chk\imageCACO53PD.jpg Object is locked skipped
C:\found.000\dir0000.chk\imgHdrCatsBg2[1].gif Object is locked skipped
C:\found.000\dir0000.chk\imgHdrMainNavLft3[1].gif Object is locked skipped
C:\found.000\dir0000.chk\imgHdrSearchLft[1].gif Object is locked skipped
C:\found.000\dir0000.chk\importantNote[1].gif Object is locked skipped
C:\found.000\dir0000.chk\jquery[1].js Object is locked skipped
C:\found.000\dir0000.chk\kopfbild_4_text[1].gif Object is locked skipped
C:\found.000\dir0000.chk\languages[1].css Object is locked skipped
C:\found.000\dir0000.chk\last_box_bot[1].gif Object is locked skipped
C:\found.000\dir0000.chk\links_oben[1].gif Object is locked skipped
C:\found.000\dir0000.chk\links_unten[1].gif Object is locked skipped
C:\found.000\dir0000.chk\logo[1].gif Object is locked skipped
C:\found.000\dir0000.chk\logo[1].png Object is locked skipped
C:\found.000\dir0000.chk\main_bg_bottom[1].gif Object is locked skipped
C:\found.000\dir0000.chk\moot[1].gif Object is locked skipped
C:\found.000\dir0000.chk\newdisc_1[1].gif Object is locked skipped
C:\found.000\dir0000.chk\ninemsn_logo[1].png Object is locked skipped
C:\found.000\dir0000.chk\ninemsn_logo_ft[1].gif Object is locked skipped
C:\found.000\dir0000.chk\Notify_Me_1[1].gif Object is locked skipped
C:\found.000\dir0000.chk\oakes_slim[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\ONS813_150x36_NewLogo[1].gif Object is locked skipped
C:\found.000\dir0000.chk\opera[1].gif Object is locked skipped
C:\found.000\dir0000.chk\otp[1].gif Object is locked skipped
C:\found.000\dir0000.chk\rambo,emule,en,0[1].htm Object is locked skipped
C:\found.000\dir0000.chk\ratingsTopBot_bg[1].gif Object is locked skipped
C:\found.000\dir0000.chk\related_2_Flourish[1].gif Object is locked skipped
C:\found.000\dir0000.chk\renderPersonalisation[1].htm Object is locked skipped
C:\found.000\dir0000.chk\repoffline[1].gif Object is locked skipped
C:\found.000\dir0000.chk\rotate[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\s719878650500[1].gif Object is locked skipped
C:\found.000\dir0000.chk\s74265829330994[1].gif Object is locked skipped
C:\found.000\dir0000.chk\s74795033196289[1].gif Object is locked skipped
C:\found.000\dir0000.chk\s78180267520196[1].gif Object is locked skipped
C:\found.000\dir0000.chk\s79308363849660[1].gif Object is locked skipped
C:\found.000\dir0000.chk\s79737610745436[1].gif Object is locked skipped
C:\found.000\dir0000.chk\savedsearchemail_e5571au[1].js Object is locked skipped
C:\found.000\dir0000.chk\saved_ads[1].js Object is locked skipped
C:\found.000\dir0000.chk\scoopeo[1].gif Object is locked skipped
C:\found.000\dir0000.chk\search[1].htm Object is locked skipped
C:\found.000\dir0000.chk\Search[1].js Object is locked skipped
C:\found.000\dir0000.chk\search_attrib_bottom_left[1].gif Object is locked skipped
C:\found.000\dir0000.chk\second_tile[1].gif Object is locked skipped
C:\found.000\dir0000.chk\second_top_pokertrainer[1].gif Object is locked skipped
C:\found.000\dir0000.chk\sec_rightcorner[1].gif Object is locked skipped
C:\found.000\dir0000.chk\shadow_page_left[1].gif Object is locked skipped
C:\found.000\dir0000.chk\signin_footer_e5571au[1].js Object is locked skipped
C:\found.000\dir0000.chk\sony-trackingtag-top[1].js Object is locked skipped
C:\found.000\dir0000.chk\spacer[1].gif Object is locked skipped
C:\found.000\dir0000.chk\starrating[1].gif Object is locked skipped
C:\found.000\dir0000.chk\stumbleit[1].gif Object is locked skipped
C:\found.000\dir0000.chk\stylef[1].css Object is locked skipped
C:\found.000\dir0000.chk\stylesheet.tv.titlesite.lightbg[1].css Object is locked skipped
C:\found.000\dir0000.chk\st[1] Object is locked skipped
C:\found.000\dir0000.chk\st[1].gif Object is locked skipped
C:\found.000\dir0000.chk\st[2] Object is locked skipped
C:\found.000\dir0000.chk\s[1].gif Object is locked skipped
C:\found.000\dir0000.chk\s_61cd56050ff893c747c87767b56430ec[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\s_code[1].js Object is locked skipped
C:\found.000\dir0000.chk\tab_bg_anywhere[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\tab_bg_tournaments[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\tab_green_68[1].gif Object is locked skipped
C:\found.000\dir0000.chk\ThatsMoreLikeIt[1].gif Object is locked skipped
C:\found.000\dir0000.chk\thefix_header[1].swf Object is locked skipped
C:\found.000\dir0000.chk\theshack2[1].gif Object is locked skipped
C:\found.000\dir0000.chk\th_debi-1[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\titel_kostenlosesoftware[1].gif Object is locked skipped
C:\found.000\dir0000.chk\titel_service-hotline[1].gif Object is locked skipped
C:\found.000\dir0000.chk\title_worldRecord[1].gif Object is locked skipped
C:\found.000\dir0000.chk\top12_header_bg[1].gif Object is locked skipped
C:\found.000\dir0000.chk\TopLayer.v2p[1].js Object is locked skipped
C:\found.000\dir0000.chk\topline2[1].gif Object is locked skipped
C:\found.000\dir0000.chk\top_02[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\top_03[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\top_bg[1].png Object is locked skipped
C:\found.000\dir0000.chk\top_gradiant[1].gif Object is locked skipped
C:\found.000\dir0000.chk\transparent[1].png Object is locked skipped
C:\found.000\dir0000.chk\trk[1].gif Object is locked skipped
C:\found.000\dir0000.chk\tv.widenav.header_dropdown_bg[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\us[1].gif Object is locked skipped
C:\found.000\dir0000.chk\us[2].gif Object is locked skipped
C:\found.000\dir0000.chk\videoByTag[2].aspx Object is locked skipped
C:\found.000\dir0000.chk\wellnessGlossary_top[1].gif Object is locked skipped
C:\found.000\dir0000.chk\whqg[1].htm Object is locked skipped
C:\found.000\dir0000.chk\wikibits[1].js Object is locked skipped
C:\found.000\dir0000.chk\wong[1].png Object is locked skipped
C:\found.000\dir0000.chk\your_comments[1].gif Object is locked skipped
C:\found.000\dir0000.chk\zoozle5[1].gif Object is locked skipped
C:\Program Files\BitComet\Downloads\DVD to AVI DivX MPEG Ripper 2.55 (100% Working!)\dvdripper.exe/data0000.cab/DvD2AVI.exe Infected: Trojan-Downloader.Win32.Agent.rip skipped
C:\Program Files\BitComet\Downloads\DVD to AVI DivX MPEG Ripper 2.55 (100% Working!)\dvdripper.exe/data0000.cab Infected: Trojan-Downloader.Win32.Agent.rip skipped
C:\Program Files\BitComet\Downloads\DVD to AVI DivX MPEG Ripper 2.55 (100% Working!)\dvdripper.exe Rsrc-Package: infected - 2 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{5A6B157B-DD5E-4FE0-BF8B-44DF4DA82A7C}\RP375\A0054018.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped
C:\System Volume Information\_restore{5A6B157B-DD5E-4FE0-BF8B-44DF4DA82A7C}\RP375\A0054022.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpu skipped
C:\System Volume Information\_restore{5A6B157B-DD5E-4FE0-BF8B-44DF4DA82A7C}\RP376\A0054068.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpu skipped
C:\System Volume Information\_restore{5A6B157B-DD5E-4FE0-BF8B-44DF4DA82A7C}\RP377\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hyepldsk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpu skipped
C:\WINDOWS\system32\jpuwanen.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped
C:\WINDOWS\system32\ndjphqer.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpu skipped
C:\WINDOWS\system32\oghubgxw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\xvwujfrs.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped

Scan process completed.

Thanks. Should I wait for your response or run ComboFix first?
Cheers Marz

marz1
2008-06-04, 00:34
This is a scan I did earlier in the week; this is what Kaspersky picked up, if it's any use to you:
Thanks again


Protection : running
--------------------
Total scanned: 9805
Detected: 23
Untreated: 0
Attacks blocked: 0
Start time: 6/2/2008 12:38:52 AM
Duration: 18:40:29


Detected
--------
Status Object
------ ------
not found: virus Heur.Invader (modification) File: C:\Documents and Settings\mario\My Documents\Downloads\Compressed\New crack reflexive.zip/New crack reflexive/r_lnch.exe
blocked: phishing address http://*.capnoe.net/* URL: http://www.bendigobank.com.au.capnoe.net/banking/BBLIBanking/form.aspx?session=7593769757576776942226286323064862855811261221683941236&id=60160334
detected: riskware Invader (loader) Running process: C:\Program Files\Internet Download Manager\IEMonitor.exe
blocked: phishing address http://*.yelp.fj.cn/* URL: http://advertisers.seek.com.au.yelp.fj.cn/onlineform/systemdl/form.ascx?session=4270884332922726051637189606885149221747314993923&id=633921860
detected: riskware Hidden data sending Running process: C:\Program Files\Steam\Steam.exe
blocked: phishing address http://www.lastdays.biz/lastdays.html URL: http://www.lastdays.biz/lastdays.html
deleted: Trojan program Trojan-Downloader.Win32.Zlob.nfc File: C:\Documents and Settings\mario\My Documents\Downloads\Programs\setup.exe//data0007//PE_Patch.UPX//UPX
deleted: virus Virus.VBS.Small.f Email message: [From:"paypal" <paypal@security.com>][Subject:Security Center : Paypal][Time:2008/05/17 12:57:59]\text/html
detected: riskware Hidden data sending Running process: C:\Program Files\Internet Explorer\iexplore.exe
disinfected: virus Virus.VBS.Small.f Email message: [From:"paypal" <paypal@security.com>][Subject:Security Center : Paypal][Time:2008/05/27 06:39:58]\text/html
deleted: Trojan program Trojan.Win32.Agent.cmn File: C:\Documents and Settings\mario\Shared\Magic ISO Maker 5.3 Build 229 Crack.zip/Crack.exe
deleted: adware not-a-virus:AdWare.Win32.Agent.zk File: C:\Documents and Settings\mario\Shared\magic iso crack 5.2.zip/Setup.exe//PE_Patch.UPX//UPX
not found: virus P2P-Worm.Win32.Agent.bm File: C:\Documents and Settings\mario\Shared\Magic ISO 5.41 crack.rar/Setup+Patch.exe//Armadillo
not found: virus P2P-Worm.Win32.VB.dw File: C:\Documents and Settings\mario\Shared\KASPERSKY ANTI-VIRUS 7 0 1 325(With 100 NEW SERIAL KEYS).zip/Setup.exe//UPX
not found: Trojan program Trojan-Downloader.Win32.VB.dck File: C:\Documents and Settings\mario\Shared\Kaspersky Anti-Virus 7.0.1.325 (keys untill 2010).zip/Setup.exe
detected: riskware Hidden data sending Running process: C:\WINDOWS\pchealth\helpctr\binaries\helpctr.exe
detected: riskware Invader (loader) Running process: C:\Program Files\Xfire\Xfire.exe
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.pnv File: C:\RECYCLER\S-1-5-21-1935655697-527237240-725345543-1003\Dc13.zip/any video converter/any-video-converter.exe//data0000.cab/key.exe
disinfected: adware not-a-virus:AdWare.Win32.Virtumonde.pnv File: C:\RECYCLER\S-1-5-21-1935655697-527237240-725345543-1003\Dc15.zip
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.pnv File: C:\RECYCLER\S-1-5-21-1935655697-527237240-725345543-1003\Dc12\any-video-converter.exe
deleted: adware not-a-virus:AdWare.Win32.Virtumonde.pnv File: C:\RECYCLER\S-1-5-21-1935655697-527237240-725345543-1003\Dc12\any-video-converter.exe//data0000.cab/key.exe
detected: riskware Hidden data sending Running process: C:\WINDOWS\explorer.exe
detected: riskware Hidden data sending Running process: C:\WINDOWS\Explorer.exe

pskelley
2008-06-04, 01:04
C:\Program Files\BitComet\Downloads\DVD to AVI DivX MPEG Ripper 2.55 (100% Working!)\dvdripper.exe/data0000.cab/DvD2AVI.exe ------> Trojan-Downloader.Win32.Agent.rip
http://www.google.com/search?hl=en&q=Trojan-Downloader.Win32.Agent.rip&btnG=Google+Search
Kaspersky is finding this file is infected, you can scan it to be sure here: http://virusscan.jotti.org/
If it is infected, delete it. The balance of the instructions I posted can be followed.

Thanks

marz1
2008-06-04, 15:27
Hi again, I've done all the necessary steps, then tried to run combofix, but it won't open at all. It tries to open, then I get:
'application failed rundll32.exe'
'application failed cmd.exe'

This is running in normal mode Windows.

What can I do now?
Cheers, Marz

pskelley
2008-06-04, 15:36
Make sure you are reading and following these directions; I cannot help if you do not.

The hackers block combofix, so what I want you to do is delete combofix from your computer and start over. When you get to this point, follow the directions to rename combofix.exe and then proceed with the instructions I posted earlier.

http://i266.photobucket.com/albums/ii277/sUBs_/combofix/CF_download_rename.gif

Thanks

marz1
2008-06-04, 16:45
Hi again, I've uninstalled combofix and downloaded it again. I renamed it like you said, combo-fix.exe. I click on it, then click Run, and it still gives me the same errors.

pskelley
2008-06-04, 16:50
combo-fix.exe <<< that file name box does not say that? It says this: combo-fix. Try it again like that. If that does not work, try it in safe mode:

http://spyware-free.us/tutorials/safemode/

marz1
2008-06-04, 17:09
Sorry about before, I actually have renamed it combo-fix. I also tried it in Safe Mode and still got the same problem.
I can't get many programs to work; they all get that error message.

pskelley
2008-06-04, 17:36
Download Malwarebytes' Anti-Malware to your desktop.
http://www.besttechie.net/tools/mbam-setup.exe

* Double-click mbam-setup.exe and follow the prompts to install the program.
* Be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform FULL SCAN, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad. Please save it to a convenient location. The log can also be opened by going to Start > All Programs > Malwarebytes' Anti-Malware > Logs > log-date.txt
* Please post contents of that file & a new HJT log in your next reply.

marz1
2008-06-04, 18:44
OK, that worked. Here are the logs:

Malwarebytes' Anti-Malware 1.14
Database version: 821

1:37:56 AM 6/5/2008
mbam-log-6-5-2008 (01-37-56).txt

Scan type: Full Scan (C:\|)
Objects scanned: 171860
Time elapsed: 45 minute(s), 4 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 1
Registry Keys Infected: 4
Registry Values Infected: 2
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 13

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\__c0081DDD.dat (Trojan.Agent) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\4cd70159 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM4fe432c5 (Trojan.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs (Trojan.Agent) -> Data: c:\windows\system32\__c0081ddd.dat -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\ndjphqer.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\mario\Local Settings\Temporary Internet Files\Content.IE5\172BJ9D6\kb456456[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\mario\Local Settings\Temporary Internet Files\Content.IE5\M6O9KPEP\kb713501[1] (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A6B157B-DD5E-4FE0-BF8B-44DF4DA82A7C}\RP375\A0054016.exe (Trojan.LowZones) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A6B157B-DD5E-4FE0-BF8B-44DF4DA82A7C}\RP375\A0054022.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A6B157B-DD5E-4FE0-BF8B-44DF4DA82A7C}\RP376\A0054065.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{5A6B157B-DD5E-4FE0-BF8B-44DF4DA82A7C}\RP376\A0054068.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hgGywUkl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hyepldsk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xvwujfrs.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c006DF57.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\__c0081DDD.dat (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\__c00AC3D1.dat (Trojan.Agent) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:41:21 AM, on 6/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\XpertVision\TBPanel.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\NetMeter\NetMeter.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Windows Live Toolbar\msn_sl.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {23ECC6ED-FB2D-4148-9950-DDC6C8D8AA8F} - C:\WINDOWS\system32\opnMGYOh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.15\AsRunHelp.exe
O4 - HKLM\..\Run: [Gainward] C:\Program Files\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fssui.exe" -autorun
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 7250 bytes

pskelley
2008-06-04, 19:06
That's just a start; we may still need to get combofix to run, but if we get some junk off the computer first it might be able to run.

See this: http://www.bleepingcomputer.com/startups/NetMeter.exe-3644.html

1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

Start > Control Panel > Add Remove programs and uninstall NetMeter

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {23ECC6ED-FB2D-4148-9950-DDC6C8D8AA8F} - C:\WINDOWS\system32\opnMGYOh.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\Program Files\NetMeter\ <<< delete that folder and contents.

5) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Run a new Kaspersky Online Scan using these settings:

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make sure that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* The program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here, with a new HJT log and some feedback from you. How is the computer running?

Thanks
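The three HijackThis lines singled out above for "Fix Checked" share recognisable patterns: two BHOs whose DLL no longer exists on disk (a registration left behind after the file was removed), and a Run value whose name is the full path of the program it launches. The earlier Malwarebytes log also reported an AppInit_DLLs entry; every DLL listed in that value is loaded into each process that links user32.dll, which is why a faulty DLL planted there disturbs unrelated programs. The Python script below is an added example, not code from this thread or from HijackThis; it applies those triage rules to HJT log lines. The O2 and O4 sample lines are copied from the log posted above, while the O20 line is constructed for the example from the AppInit_DLLs value the Malwarebytes log reported (HijackThis lists that key as an O20 item).

```python
import re
from dataclasses import dataclass

# Sample HijackThis lines. The O2 and O4 lines are copied from the log posted
# in this thread; the O20 line is constructed from the AppInit_DLLs value that
# the Malwarebytes log reported, to show how HJT would have listed it.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {23ECC6ED-FB2D-4148-9950-DDC6C8D8AA8F} - C:\WINDOWS\system32\opnMGYOh.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [C:\Program Files\NetMeter\NetMeter.exe] C:\Program Files\NetMeter\NetMeter.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: c:\windows\system32\__c0081ddd.dat
"""

# O2: browser helper object, "name - {CLSID} - path"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
# O4: autostart entry, "hive\..\Run: [value name] command"
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
# O20: AppInit_DLLs value, comma- or space-delimited DLL list
O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")


@dataclass
class Finding:
    section: str   # HJT section (O2, O4, O20)
    reason: str    # why the line was flagged
    line: str      # the original log line


def triage(log_text):
    """Return the HJT lines that match the cleanup heuristics, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue

        m = O2_RE.match(line)
        if m:
            path = m.group("path")
            if path.endswith("(file missing)") or path == "(no file)":
                findings.append(Finding("O2", "BHO registered but its DLL is gone (orphaned entry)", line))
            elif m.group("name") == "(no name)":
                findings.append(Finding("O2", "BHO without a name; check the DLL it points to", line))
            continue

        m = O4_RE.match(line)
        if m:
            value, cmd = m.group("value"), m.group("cmd").strip('"')
            # Legitimate installers name the value after the product; a value
            # named after its own full path is unusual and worth a look.
            if value.lower() == cmd.lower():
                findings.append(Finding("O4", "Run value named after its own path", line))
            continue

        m = O20_RE.match(line)
        if m:
            for dll in (d for d in re.split(r"[,\s]+", m.group("dlls")) if d):
                findings.append(Finding("O20", f"AppInit_DLLs injects {dll} into every user32 process", line))
    return findings


def sections(log_text):
    """Just the section codes of the flagged lines, handy for a quick count."""
    return [f.section for f in triage(log_text)]


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it as a plain script to list the flagged lines. The rules are cleanup heuristics, not proof of infection: an uninstaller that forgets its BHO registration leaves the same "(file missing)" residue, so the output is a list of entries to review and remove, which is how the helper above uses them.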

marz1
2008-06-05, 01:48
It was late, 2am, last night. MBAM worked well getting rid of the stuff it found; it seems the PC is running faster and it even booted up normally with no errors. I'll have to do the rest of the stuff you listed tonight. Thanks

marz1
2008-06-05, 17:07
OK, after doing all that and running ATF Cleaner, then Kaspersky, here are the logs. They picked up a few things.

KASPERSKY ONLINE SCANNER REPORT
Friday, June 06, 2008 12:02:22 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/06/2008
Kaspersky Anti-Virus database records: 831078
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - Folders:
C:\

Scan Statistics:
Total number of scanned objects: 135599
Number of viruses found: 4
Number of infected objects: 12
Number of suspicious objects: 2
Duration of the scan process: 01:19:58

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\mario\Application Data\Microsoft\MSNLiveFav\LiveFavorites.xml Object is locked skipped
C:\Documents and Settings\mario\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\mario\Local Settings\Application Data\Identities\{AD35E344-7A91-482B-AC09-A39106A14589}\Microsoft\Outlook Express\Deleted Items.dbx/[From <paypal@securesuite.net>][Date Tue, 3 Jun 2008 20:51:40 +0200]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\mario\Local Settings\Application Data\Identities\{AD35E344-7A91-482B-AC09-A39106A14589}\Microsoft\Outlook Express\Deleted Items.dbx MailMSOutlook5: suspicious - 1 skipped
C:\Documents and Settings\mario\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\mario\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\mario\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\mario\Local Settings\History\History.IE5\MSHist012008060520080606\index.dat Object is locked skipped
C:\Documents and Settings\mario\Local Settings\Temp\~DFEF9C.tmp Object is locked skipped
C:\Documents and Settings\mario\Local Settings\Temp\~DFEFBA.tmp Object is locked skipped
C:\Documents and Settings\mario\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\mario\Local Settings\Temporary Internet Files\Content.IE5\AH15NCJS\kb516107[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped
C:\Documents and Settings\mario\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\mario\Local Settings\Temporary Internet Files\Content.IE5\SQ45K2DT\kb514355[1] Infected: Trojan.Win32.Monder.gen skipped
C:\Documents and Settings\mario\ntuser.dat Object is locked skipped
C:\Documents and Settings\mario\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\found.000\dir0000.chk\28[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\29[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\48[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\49[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\bang4[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\c[2].gif Object is locked skipped
C:\found.000\dir0000.chk\details[1].png Object is locked skipped
C:\found.000\dir0000.chk\de[1].gif Object is locked skipped
C:\found.000\dir0000.chk\divider_content[1].gif Object is locked skipped
C:\found.000\dir0000.chk\dlop2[1].png Object is locked skipped
C:\found.000\dir0000.chk\dl[1].htm Object is locked skipped
C:\found.000\dir0000.chk\dottedline[2].gif Object is locked skipped
C:\found.000\dir0000.chk\dot_clear[1].gif Object is locked skipped
C:\found.000\dir0000.chk\download[1].gif Object is locked skipped
C:\found.000\dir0000.chk\drugs-go-btn[1].gif Object is locked skipped
C:\found.000\dir0000.chk\ebaysup_e5571au[1].js Object is locked skipped
C:\found.000\dir0000.chk\facebook[1].gif Object is locked skipped
C:\found.000\dir0000.chk\fark[1].gif Object is locked skipped
C:\found.000\dir0000.chk\firefox[1].gif Object is locked skipped
C:\found.000\dir0000.chk\ga[1].js Object is locked skipped
C:\found.000\dir0000.chk\GlobalNavVjo23_Ebay_e557i6324624_en_AU[1].css Object is locked skipped
C:\found.000\dir0000.chk\h0[1].png Object is locked skipped
C:\found.000\dir0000.chk\hd_tab_sel_bg[1].gif Object is locked skipped
C:\found.000\dir0000.chk\icon1[1].gif Object is locked skipped
C:\found.000\dir0000.chk\iconBlueStar_25x25[1].gif Object is locked skipped
C:\found.000\dir0000.chk\iconCkoutBlue_16x16[1].gif Object is locked skipped
C:\found.000\dir0000.chk\iconClose_20x20[1].gif Object is locked skipped
C:\found.000\dir0000.chk\iconCOD_20x20_nobubble[1].gif Object is locked skipped
C:\found.000\dir0000.chk\iconFdbkNtrBlu_20x20[1].gif Object is locked skipped
C:\found.000\dir0000.chk\iconFixedprice_16x16[1].gif Object is locked skipped
C:\found.000\dir0000.chk\iconRelistGry_16x16[1].gif Object is locked skipped
C:\found.000\dir0000.chk\imageCACO53PD.jpg Object is locked skipped
C:\found.000\dir0000.chk\imgHdrCatsBg2[1].gif Object is locked skipped
C:\found.000\dir0000.chk\imgHdrMainNavLft3[1].gif Object is locked skipped
C:\found.000\dir0000.chk\imgHdrSearchLft[1].gif Object is locked skipped
C:\found.000\dir0000.chk\importantNote[1].gif Object is locked skipped
C:\found.000\dir0000.chk\jquery[1].js Object is locked skipped
C:\found.000\dir0000.chk\kopfbild_4_text[1].gif Object is locked skipped
C:\found.000\dir0000.chk\languages[1].css Object is locked skipped
C:\found.000\dir0000.chk\last_box_bot[1].gif Object is locked skipped
C:\found.000\dir0000.chk\links_oben[1].gif Object is locked skipped
C:\found.000\dir0000.chk\links_unten[1].gif Object is locked skipped
C:\found.000\dir0000.chk\logo[1].gif Object is locked skipped
C:\found.000\dir0000.chk\logo[1].png Object is locked skipped
C:\found.000\dir0000.chk\main_bg_bottom[1].gif Object is locked skipped
C:\found.000\dir0000.chk\moot[1].gif Object is locked skipped
C:\found.000\dir0000.chk\newdisc_1[1].gif Object is locked skipped
C:\found.000\dir0000.chk\ninemsn_logo[1].png Object is locked skipped
C:\found.000\dir0000.chk\ninemsn_logo_ft[1].gif Object is locked skipped
C:\found.000\dir0000.chk\Notify_Me_1[1].gif Object is locked skipped
C:\found.000\dir0000.chk\oakes_slim[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\ONS813_150x36_NewLogo[1].gif Object is locked skipped
C:\found.000\dir0000.chk\opera[1].gif Object is locked skipped
C:\found.000\dir0000.chk\otp[1].gif Object is locked skipped
C:\found.000\dir0000.chk\rambo,emule,en,0[1].htm Object is locked skipped
C:\found.000\dir0000.chk\ratingsTopBot_bg[1].gif Object is locked skipped
C:\found.000\dir0000.chk\related_2_Flourish[1].gif Object is locked skipped
C:\found.000\dir0000.chk\renderPersonalisation[1].htm Object is locked skipped
C:\found.000\dir0000.chk\repoffline[1].gif Object is locked skipped
C:\found.000\dir0000.chk\rotate[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\s719878650500[1].gif Object is locked skipped
C:\found.000\dir0000.chk\s74265829330994[1].gif Object is locked skipped
C:\found.000\dir0000.chk\s74795033196289[1].gif Object is locked skipped
C:\found.000\dir0000.chk\s78180267520196[1].gif Object is locked skipped
C:\found.000\dir0000.chk\s79308363849660[1].gif Object is locked skipped
C:\found.000\dir0000.chk\s79737610745436[1].gif Object is locked skipped
C:\found.000\dir0000.chk\savedsearchemail_e5571au[1].js Object is locked skipped
C:\found.000\dir0000.chk\saved_ads[1].js Object is locked skipped
C:\found.000\dir0000.chk\scoopeo[1].gif Object is locked skipped
C:\found.000\dir0000.chk\search[1].htm Object is locked skipped
C:\found.000\dir0000.chk\Search[1].js Object is locked skipped
C:\found.000\dir0000.chk\search_attrib_bottom_left[1].gif Object is locked skipped
C:\found.000\dir0000.chk\second_tile[1].gif Object is locked skipped
C:\found.000\dir0000.chk\second_top_pokertrainer[1].gif Object is locked skipped
C:\found.000\dir0000.chk\sec_rightcorner[1].gif Object is locked skipped
C:\found.000\dir0000.chk\shadow_page_left[1].gif Object is locked skipped
C:\found.000\dir0000.chk\signin_footer_e5571au[1].js Object is locked skipped
C:\found.000\dir0000.chk\sony-trackingtag-top[1].js Object is locked skipped
C:\found.000\dir0000.chk\spacer[1].gif Object is locked skipped
C:\found.000\dir0000.chk\starrating[1].gif Object is locked skipped
C:\found.000\dir0000.chk\stumbleit[1].gif Object is locked skipped
C:\found.000\dir0000.chk\stylef[1].css Object is locked skipped
C:\found.000\dir0000.chk\stylesheet.tv.titlesite.lightbg[1].css Object is locked skipped
C:\found.000\dir0000.chk\st[1] Object is locked skipped
C:\found.000\dir0000.chk\st[1].gif Object is locked skipped
C:\found.000\dir0000.chk\st[2] Object is locked skipped
C:\found.000\dir0000.chk\s[1].gif Object is locked skipped
C:\found.000\dir0000.chk\s_61cd56050ff893c747c87767b56430ec[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\s_code[1].js Object is locked skipped
C:\found.000\dir0000.chk\tab_bg_anywhere[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\tab_bg_tournaments[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\tab_green_68[1].gif Object is locked skipped
C:\found.000\dir0000.chk\ThatsMoreLikeIt[1].gif Object is locked skipped
C:\found.000\dir0000.chk\thefix_header[1].swf Object is locked skipped
C:\found.000\dir0000.chk\theshack2[1].gif Object is locked skipped
C:\found.000\dir0000.chk\th_debi-1[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\titel_kostenlosesoftware[1].gif Object is locked skipped
C:\found.000\dir0000.chk\titel_service-hotline[1].gif Object is locked skipped
C:\found.000\dir0000.chk\title_worldRecord[1].gif Object is locked skipped
C:\found.000\dir0000.chk\top12_header_bg[1].gif Object is locked skipped
C:\found.000\dir0000.chk\TopLayer.v2p[1].js Object is locked skipped
C:\found.000\dir0000.chk\topline2[1].gif Object is locked skipped
C:\found.000\dir0000.chk\top_02[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\top_03[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\top_bg[1].png Object is locked skipped
C:\found.000\dir0000.chk\top_gradiant[1].gif Object is locked skipped
C:\found.000\dir0000.chk\transparent[1].png Object is locked skipped
C:\found.000\dir0000.chk\trk[1].gif Object is locked skipped
C:\found.000\dir0000.chk\tv.widenav.header_dropdown_bg[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\us[1].gif Object is locked skipped
C:\found.000\dir0000.chk\us[2].gif Object is locked skipped
C:\found.000\dir0000.chk\videoByTag[2].aspx Object is locked skipped
C:\found.000\dir0000.chk\wellnessGlossary_top[1].gif Object is locked skipped
C:\found.000\dir0000.chk\whqg[1].htm Object is locked skipped
C:\found.000\dir0000.chk\wikibits[1].js Object is locked skipped
C:\found.000\dir0000.chk\wong[1].png Object is locked skipped
C:\found.000\dir0000.chk\your_comments[1].gif Object is locked skipped
C:\found.000\dir0000.chk\zoozle5[1].gif Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{5A6B157B-DD5E-4FE0-BF8B-44DF4DA82A7C}\RP375\A0054015.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5A6B157B-DD5E-4FE0-BF8B-44DF4DA82A7C}\RP375\A0054018.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped
C:\System Volume Information\_restore{5A6B157B-DD5E-4FE0-BF8B-44DF4DA82A7C}\RP378\A0054170.exe/data0000.cab/DvD2AVI.exe Infected: Trojan-Downloader.Win32.Agent.rip skipped
C:\System Volume Information\_restore{5A6B157B-DD5E-4FE0-BF8B-44DF4DA82A7C}\RP378\A0054170.exe/data0000.cab Infected: Trojan-Downloader.Win32.Agent.rip skipped
C:\System Volume Information\_restore{5A6B157B-DD5E-4FE0-BF8B-44DF4DA82A7C}\RP378\A0054170.exe Rsrc-Package: infected - 2 skipped
C:\System Volume Information\_restore{5A6B157B-DD5E-4FE0-BF8B-44DF4DA82A7C}\RP379\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\cxnipvdu.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\jpuwanen.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped
C:\WINDOWS\system32\oghubgxw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped
C:\WINDOWS\system32\rhheoart.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\xqlpadls.dll Infected: Trojan.Win32.Monder.gen skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped

Scan process completed.
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:04:33 AM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\XpertVision\TBPanel.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O4 - HKLM\..\Run: [JMB36X Configure] C:\WINDOWS\system32\JMRaidTool.exe boot
O4 - HKLM\..\Run: [AsusStartupHelp] C:\Program Files\ASUS\AASP\1.00.15\AsRunHelp.exe
O4 - HKLM\..\Run: [Gainward] C:\Program Files\XpertVision\TBPanel.exe /A
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SoundMAX] "C:\Program Files\Analog Devices\SoundMAX\smax4.exe" /tray
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [fssui] "C:\Program Files\Windows Live\Family Safety\fssui.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: EPSON Status Monitor 3 Environment Check 2.lnk = C:\WINDOWS\system32\spool\drivers\w32x86\3\E_SRCV02.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Blog This - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra 'Tools' menuitem: &Blog This in Windows Live Writer - {219C3416-8CB2-491a-A3C7-D9FCDDC9D600} - C:\Program Files\Windows Live\Writer\WriterBrowserExtension.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 6799 bytes


OK, what next?

pskelley
2008-06-05, 17:21
Thanks for returning your information. Let's see if we can finish manually; if not, we will need to run a tool.

Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 12:04:33 AM, on 6/6/2008

C:\Program Files\Java\jre1.6.0_05\ <<< update your Java program, see this:
http://forums.spybot.info/showpost.php?p=12880&postcount=2

KASPERSKY ONLINE SCANNER (KOS) REPORT Friday, June 06, 2008 12:02:22 AM

(ATF-Cleaner should have cleaned your Temporary Internet Files? Are you sure you chose "Select All"? Navigate to that TIF folder and delete the contents.)

C:\Documents and Settings\mario\Local Settings\Temporary Internet Files\Content.IE5\AH15NCJS\kb516107[1]
C:\Documents and Settings\mario\Local Settings\Temporary Internet Files\Content.IE5\SQ45K2DT\kb514355[1]

(delete the files in RED)

C:\WINDOWS\system32\cxnipvdu.dll
C:\WINDOWS\system32\jpuwanen.dll
C:\WINDOWS\system32\oghubgxw.dll
C:\WINDOWS\system32\rhheoart.dll
C:\WINDOWS\system32\xqlpadls.dll

Run another KOS to make sure you are clean, I do not need to see a clean scan result.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

marz1
2008-06-06, 00:20
Hi again, thanks for the help. I did exactly as you instructed again and ran Kaspersky again; here's the log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, June 06, 2008 7:07:37 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/06/2008
Kaspersky Anti-Virus database records: 831078
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 135961
Number of viruses found: 4
Number of infected objects: 11
Number of suspicious objects: 2
Duration of the scan process: 01:30:47

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\mario\Application Data\Microsoft\MSNLiveFav\LiveFavorites.xml Object is locked skipped
C:\Documents and Settings\mario\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\mario\Local Settings\Application Data\Identities\{AD35E344-7A91-482B-AC09-A39106A14589}\Microsoft\Outlook Express\Deleted Items.dbx/[From <paypal@securesuite.net>][Date Tue, 3 Jun 2008 20:51:40 +0200]/html Suspicious: Trojan-Spy.HTML.Fraud.gen skipped
C:\Documents and Settings\mario\Local Settings\Application Data\Identities\{AD35E344-7A91-482B-AC09-A39106A14589}\Microsoft\Outlook Express\Deleted Items.dbx MailMSOutlook5: suspicious - 1 skipped
C:\Documents and Settings\mario\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\mario\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\mario\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\mario\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\mario\Local Settings\History\History.IE5\MSHist012008060620080607\index.dat Object is locked skipped
C:\Documents and Settings\mario\Local Settings\Temp\IMG4A10.tmp Object is locked skipped
C:\Documents and Settings\mario\Local Settings\Temp\~DFEF9C.tmp Object is locked skipped
C:\Documents and Settings\mario\Local Settings\Temp\~DFEFBA.tmp Object is locked skipped
C:\Documents and Settings\mario\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\mario\Local Settings\Temporary Internet Files\Content.IE5\AH15NCJS\ff189c[1].jpg Object is locked skipped
C:\Documents and Settings\mario\Local Settings\Temporary Internet Files\Content.IE5\AH15NCJS\kb516107[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped
C:\Documents and Settings\mario\Local Settings\Temporary Internet Files\Content.IE5\C52L6JT0\bind[1].htm Object is locked skipped
C:\Documents and Settings\mario\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\mario\Local Settings\Temporary Internet Files\Content.IE5\XUN6E2YK\3[1].wmv Object is locked skipped
C:\Documents and Settings\mario\ntuser.dat Object is locked skipped
C:\Documents and Settings\mario\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Downloads\03.wmv.GetRight Object is locked skipped
C:\found.000\dir0000.chk\28[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\29[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\48[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\49[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\bang4[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\c[2].gif Object is locked skipped
C:\found.000\dir0000.chk\details[1].png Object is locked skipped
C:\found.000\dir0000.chk\de[1].gif Object is locked skipped
C:\found.000\dir0000.chk\divider_content[1].gif Object is locked skipped
C:\found.000\dir0000.chk\dlop2[1].png Object is locked skipped
C:\found.000\dir0000.chk\dl[1].htm Object is locked skipped
C:\found.000\dir0000.chk\dottedline[2].gif Object is locked skipped
C:\found.000\dir0000.chk\dot_clear[1].gif Object is locked skipped
C:\found.000\dir0000.chk\download[1].gif Object is locked skipped
C:\found.000\dir0000.chk\drugs-go-btn[1].gif Object is locked skipped
C:\found.000\dir0000.chk\ebaysup_e5571au[1].js Object is locked skipped
C:\found.000\dir0000.chk\facebook[1].gif Object is locked skipped
C:\found.000\dir0000.chk\fark[1].gif Object is locked skipped
C:\found.000\dir0000.chk\firefox[1].gif Object is locked skipped
C:\found.000\dir0000.chk\ga[1].js Object is locked skipped
C:\found.000\dir0000.chk\GlobalNavVjo23_Ebay_e557i6324624_en_AU[1].css Object is locked skipped
C:\found.000\dir0000.chk\h0[1].png Object is locked skipped
C:\found.000\dir0000.chk\hd_tab_sel_bg[1].gif Object is locked skipped
C:\found.000\dir0000.chk\icon1[1].gif Object is locked skipped
C:\found.000\dir0000.chk\iconBlueStar_25x25[1].gif Object is locked skipped
C:\found.000\dir0000.chk\iconCkoutBlue_16x16[1].gif Object is locked skipped
C:\found.000\dir0000.chk\iconClose_20x20[1].gif Object is locked skipped
C:\found.000\dir0000.chk\iconCOD_20x20_nobubble[1].gif Object is locked skipped
C:\found.000\dir0000.chk\iconFdbkNtrBlu_20x20[1].gif Object is locked skipped
C:\found.000\dir0000.chk\iconFixedprice_16x16[1].gif Object is locked skipped
C:\found.000\dir0000.chk\iconRelistGry_16x16[1].gif Object is locked skipped
C:\found.000\dir0000.chk\imageCACO53PD.jpg Object is locked skipped
C:\found.000\dir0000.chk\imgHdrCatsBg2[1].gif Object is locked skipped
C:\found.000\dir0000.chk\imgHdrMainNavLft3[1].gif Object is locked skipped
C:\found.000\dir0000.chk\imgHdrSearchLft[1].gif Object is locked skipped
C:\found.000\dir0000.chk\importantNote[1].gif Object is locked skipped
C:\found.000\dir0000.chk\jquery[1].js Object is locked skipped
C:\found.000\dir0000.chk\kopfbild_4_text[1].gif Object is locked skipped
C:\found.000\dir0000.chk\languages[1].css Object is locked skipped
C:\found.000\dir0000.chk\last_box_bot[1].gif Object is locked skipped
C:\found.000\dir0000.chk\links_oben[1].gif Object is locked skipped
C:\found.000\dir0000.chk\links_unten[1].gif Object is locked skipped
C:\found.000\dir0000.chk\logo[1].gif Object is locked skipped
C:\found.000\dir0000.chk\logo[1].png Object is locked skipped
C:\found.000\dir0000.chk\main_bg_bottom[1].gif Object is locked skipped
C:\found.000\dir0000.chk\moot[1].gif Object is locked skipped
C:\found.000\dir0000.chk\newdisc_1[1].gif Object is locked skipped
C:\found.000\dir0000.chk\ninemsn_logo[1].png Object is locked skipped
C:\found.000\dir0000.chk\ninemsn_logo_ft[1].gif Object is locked skipped
C:\found.000\dir0000.chk\Notify_Me_1[1].gif Object is locked skipped
C:\found.000\dir0000.chk\oakes_slim[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\ONS813_150x36_NewLogo[1].gif Object is locked skipped
C:\found.000\dir0000.chk\opera[1].gif Object is locked skipped
C:\found.000\dir0000.chk\otp[1].gif Object is locked skipped
C:\found.000\dir0000.chk\rambo,emule,en,0[1].htm Object is locked skipped
C:\found.000\dir0000.chk\ratingsTopBot_bg[1].gif Object is locked skipped
C:\found.000\dir0000.chk\related_2_Flourish[1].gif Object is locked skipped
C:\found.000\dir0000.chk\renderPersonalisation[1].htm Object is locked skipped
C:\found.000\dir0000.chk\repoffline[1].gif Object is locked skipped
C:\found.000\dir0000.chk\rotate[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\s719878650500[1].gif Object is locked skipped
C:\found.000\dir0000.chk\s74265829330994[1].gif Object is locked skipped
C:\found.000\dir0000.chk\s74795033196289[1].gif Object is locked skipped
C:\found.000\dir0000.chk\s78180267520196[1].gif Object is locked skipped
C:\found.000\dir0000.chk\s79308363849660[1].gif Object is locked skipped
C:\found.000\dir0000.chk\s79737610745436[1].gif Object is locked skipped
C:\found.000\dir0000.chk\savedsearchemail_e5571au[1].js Object is locked skipped
C:\found.000\dir0000.chk\saved_ads[1].js Object is locked skipped
C:\found.000\dir0000.chk\scoopeo[1].gif Object is locked skipped
C:\found.000\dir0000.chk\search[1].htm Object is locked skipped
C:\found.000\dir0000.chk\Search[1].js Object is locked skipped
C:\found.000\dir0000.chk\search_attrib_bottom_left[1].gif Object is locked skipped
C:\found.000\dir0000.chk\second_tile[1].gif Object is locked skipped
C:\found.000\dir0000.chk\second_top_pokertrainer[1].gif Object is locked skipped
C:\found.000\dir0000.chk\sec_rightcorner[1].gif Object is locked skipped
C:\found.000\dir0000.chk\shadow_page_left[1].gif Object is locked skipped
C:\found.000\dir0000.chk\signin_footer_e5571au[1].js Object is locked skipped
C:\found.000\dir0000.chk\sony-trackingtag-top[1].js Object is locked skipped
C:\found.000\dir0000.chk\spacer[1].gif Object is locked skipped
C:\found.000\dir0000.chk\starrating[1].gif Object is locked skipped
C:\found.000\dir0000.chk\stumbleit[1].gif Object is locked skipped
C:\found.000\dir0000.chk\stylef[1].css Object is locked skipped
C:\found.000\dir0000.chk\stylesheet.tv.titlesite.lightbg[1].css Object is locked skipped
C:\found.000\dir0000.chk\st[1] Object is locked skipped
C:\found.000\dir0000.chk\st[1].gif Object is locked skipped
C:\found.000\dir0000.chk\st[2] Object is locked skipped
C:\found.000\dir0000.chk\s[1].gif Object is locked skipped
C:\found.000\dir0000.chk\s_61cd56050ff893c747c87767b56430ec[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\s_code[1].js Object is locked skipped
C:\found.000\dir0000.chk\tab_bg_anywhere[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\tab_bg_tournaments[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\tab_green_68[1].gif Object is locked skipped
C:\found.000\dir0000.chk\ThatsMoreLikeIt[1].gif Object is locked skipped
C:\found.000\dir0000.chk\thefix_header[1].swf Object is locked skipped
C:\found.000\dir0000.chk\theshack2[1].gif Object is locked skipped
C:\found.000\dir0000.chk\th_debi-1[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\titel_kostenlosesoftware[1].gif Object is locked skipped
C:\found.000\dir0000.chk\titel_service-hotline[1].gif Object is locked skipped
C:\found.000\dir0000.chk\title_worldRecord[1].gif Object is locked skipped
C:\found.000\dir0000.chk\top12_header_bg[1].gif Object is locked skipped
C:\found.000\dir0000.chk\TopLayer.v2p[1].js Object is locked skipped
C:\found.000\dir0000.chk\topline2[1].gif Object is locked skipped
C:\found.000\dir0000.chk\top_02[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\top_03[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\top_bg[1].png Object is locked skipped
C:\found.000\dir0000.chk\top_gradiant[1].gif Object is locked skipped
C:\found.000\dir0000.chk\transparent[1].png Object is locked skipped
C:\found.000\dir0000.chk\trk[1].gif Object is locked skipped
C:\found.000\dir0000.chk\tv.widenav.header_dropdown_bg[1].jpg Object is locked skipped
C:\found.000\dir0000.chk\us[1].gif Object is locked skipped
C:\found.000\dir0000.chk\us[2].gif Object is locked skipped
C:\found.000\dir0000.chk\videoByTag[2].aspx Object is locked skipped
C:\found.000\dir0000.chk\wellnessGlossary_top[1].gif Object is locked skipped
C:\found.000\dir0000.chk\whqg[1].htm Object is locked skipped
C:\found.000\dir0000.chk\wikibits[1].js Object is locked skipped
C:\found.000\dir0000.chk\wong[1].png Object is locked skipped
C:\found.000\dir0000.chk\your_comments[1].gif Object is locked skipped
C:\found.000\dir0000.chk\zoozle5[1].gif Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{5A6B157B-DD5E-4FE0-BF8B-44DF4DA82A7C}\RP375\A0054015.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5A6B157B-DD5E-4FE0-BF8B-44DF4DA82A7C}\RP375\A0054018.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped
C:\System Volume Information\_restore{5A6B157B-DD5E-4FE0-BF8B-44DF4DA82A7C}\RP378\A0054170.exe/data0000.cab/DvD2AVI.exe Infected: Trojan-Downloader.Win32.Agent.rip skipped
C:\System Volume Information\_restore{5A6B157B-DD5E-4FE0-BF8B-44DF4DA82A7C}\RP378\A0054170.exe/data0000.cab Infected: Trojan-Downloader.Win32.Agent.rip skipped
C:\System Volume Information\_restore{5A6B157B-DD5E-4FE0-BF8B-44DF4DA82A7C}\RP378\A0054170.exe Rsrc-Package: infected - 2 skipped
C:\System Volume Information\_restore{5A6B157B-DD5E-4FE0-BF8B-44DF4DA82A7C}\RP379\A0054580.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5A6B157B-DD5E-4FE0-BF8B-44DF4DA82A7C}\RP379\A0054581.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5A6B157B-DD5E-4FE0-BF8B-44DF4DA82A7C}\RP379\A0054582.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped
C:\System Volume Information\_restore{5A6B157B-DD5E-4FE0-BF8B-44DF4DA82A7C}\RP379\A0054583.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped
C:\System Volume Information\_restore{5A6B157B-DD5E-4FE0-BF8B-44DF4DA82A7C}\RP379\A0054584.dll Infected: Trojan.Win32.Monder.gen skipped
C:\System Volume Information\_restore{5A6B157B-DD5E-4FE0-BF8B-44DF4DA82A7C}\RP379\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped

Scan process completed.

pskelley
2008-06-06, 00:36
Hmm... these were not showing before? Perhaps the settings were not exactly correct? Possibly you had System Restore turned off? We believe a bad SR point is better than no SR point; let's do this.

This is a bad trojan that is in the TIF folder. Delete everything in there, but be 100% sure to delete what I highlight in red.

C:\Documents and Settings\mario\Local Settings\Temporary Internet Files\Content.IE5\AH15NCJS\kb516107[1] ------> AdWare.Win32.Virtumonde.wpv skipped

(this is an infected email, I believe it is only one? ... delete it)
C:\Documents and Settings\mario\Local Settings\Application Data\Identities\{AD35E344-7A91-482B-AC09-A39106A14589}\Microsoft\Outlook Express\Deleted Items.dbx/[From <paypal@securesuite.net>][Date Tue, 3 Jun 2008 20:51:40 +0200]/html <------Trojan-Spy.HTML.Fraud.gen
C:\Documents and Settings\mario\Local Settings\Application Data\Identities\{AD35E344-7A91-482B-AC09-A39106A14589}\Microsoft\Outlook Express\Deleted Items.dbx MailMSOutlook5: suspicious - 1

Once that is done, empty the Recycle Bin and restart.

These instructions will clean the infected System Restore files.

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Thanks
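The triage pskelley does by hand above (Kaspersky hits sorted into TIF entries to clear, System Restore points to flush, a mail store to clean and loose system32 DLLs to delete by name) can be done from the report text itself. The Python below is an added example written for this thread, not code from the forum, from Kaspersky or from HijackThis; the sample lines are copied from the 6 June report above, and the line grammar and bucket names are my own reading of the KOS format as it appears in this thread.

```python
"""Parse and triage Kaspersky Online Scanner (KOS) report lines.
Added example for this thread, not code from the forum or from Kaspersky."""
import re
from collections import Counter, defaultdict

# One result line is "<object> <verdict> <action>". Verdicts seen in the thread:
# "Object is locked", "Infected: <name>", "Suspicious: <name>", and container
# summaries like "MailMSOutlook5: suspicious - 1" / "Rsrc-Package: infected - 2".
# Paths contain spaces, so the verdict alternation decides where the path ends.
LINE_RE = re.compile(
    r"^(?P<obj>.+?)\s+(?P<verdict>Object is locked|Infected: \S+|Suspicious: \S+"
    r"|\S+: (?:infected|suspicious) - \d+)\s+(?P<action>\S+)$"
)
HEADER_RE = re.compile(r"^Number of (infected|suspicious) objects: (\d+)$", re.M)

def parse_line(line):
    """Return (object, verdict, action) for a result line, else None."""
    m = LINE_RE.match(line.strip())
    return m.group("obj", "verdict", "action") if m else None

def severity(verdict):
    """'locked', 'infected' or 'suspicious'; container summaries count too."""
    if verdict == "Object is locked":
        return "locked"
    if verdict.startswith("Infected:") or " infected - " in verdict:
        return "infected"
    return "suspicious"

def container(obj):
    """'a.exe/data0000.cab/x.exe' -> 'a.exe': KOS reports each member and the
    container separately, but only the container is a file you can remove."""
    return obj.split("/", 1)[0]

def classify(obj):
    """Bucket a finding by location; each bucket maps to one cleanup step."""
    low = container(obj).lower()
    if "\\system volume information\\_restore" in low:
        return "system_restore"       # flushed by turning System Restore off/on
    if "\\temporary internet files\\" in low:
        return "temp_internet_files"  # emptied together with the TIF cache
    if low.endswith(".dbx"):
        return "mail_store"           # delete the message inside Outlook Express
    if "\\windows\\system32\\" in low and low.endswith(".dll"):
        return "system32_dll"         # loose Virtumonde-style DLLs, delete by name
    return "other"

def triage(report_text):
    """Return (severity counts, header counts, bucket -> sorted containers)."""
    counts, buckets = Counter(), defaultdict(set)
    for line in report_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        obj, verdict, _action = parsed
        sev = severity(verdict)
        counts[sev] += 1
        if sev != "locked":
            buckets[classify(obj)].add(container(obj))
    header = {k: int(v) for k, v in HEADER_RE.findall(report_text)}
    return counts, header, {k: sorted(v) for k, v in buckets.items()}

# Sample input: lines copied from the 6 June report above, cut down to the two
# header counts, the 13 hits and two locked entries.
SR = r"C:\System Volume Information\_restore{5A6B157B-DD5E-4FE0-BF8B-44DF4DA82A7C}"
TIF = r"C:\Documents and Settings\mario\Local Settings\Temporary Internet Files\Content.IE5"
DBX = (r"C:\Documents and Settings\mario\Local Settings\Application Data\Identities"
       r"\{AD35E344-7A91-482B-AC09-A39106A14589}\Microsoft\Outlook Express\Deleted Items.dbx")
SAMPLE_REPORT = "\n".join([
    "Number of infected objects: 11",
    "Number of suspicious objects: 2",
    r"C:\Documents and Settings\mario\ntuser.dat Object is locked skipped",
    DBX + "/[From <paypal@securesuite.net>][Date Tue, 3 Jun 2008 20:51:40 +0200]/html"
    " Suspicious: Trojan-Spy.HTML.Fraud.gen skipped",
    DBX + " MailMSOutlook5: suspicious - 1 skipped",
    TIF + r"\AH15NCJS\kb516107[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped",
    SR + r"\RP375\A0054015.dll Infected: Trojan.Win32.Monder.gen skipped",
    SR + r"\RP375\A0054018.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped",
    SR + r"\RP378\A0054170.exe/data0000.cab/DvD2AVI.exe Infected: Trojan-Downloader.Win32.Agent.rip skipped",
    SR + r"\RP378\A0054170.exe/data0000.cab Infected: Trojan-Downloader.Win32.Agent.rip skipped",
    SR + r"\RP378\A0054170.exe Rsrc-Package: infected - 2 skipped",
    SR + r"\RP379\A0054580.dll Infected: Trojan.Win32.Monder.gen skipped",
    SR + r"\RP379\A0054581.dll Infected: Trojan.Win32.Monder.gen skipped",
    SR + r"\RP379\A0054582.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped",
    SR + r"\RP379\A0054583.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.wpv skipped",
    SR + r"\RP379\A0054584.dll Infected: Trojan.Win32.Monder.gen skipped",
    SR + r"\RP379\change.log Object is locked skipped",
])

if __name__ == "__main__":
    counts, header, buckets = triage(SAMPLE_REPORT)
    print(dict(counts), header, {k: len(v) for k, v in buckets.items()})
```

On the sample above the detail lines agree with the header (11 infected, 2 suspicious) and the eleven infected lines collapse to eight System Restore files plus one TIF file, because the CAB inside A0054170.exe is counted three times by the scanner; a mismatch between header and detail counts is the quickest sign that a pasted report has been truncated.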

marz1
2008-06-06, 17:47
Hi, thank you so much. I've done everything you said and Kaspersky came up with no virus or anything else. The computer is running fine.
Only one thing: how do I get rid of the Windows Recovery Console? Each time I reboot, before Windows, it prompts me for the option to go into Windows or the Recovery Console.

Cheers Marz

pskelley
2008-06-06, 18:20
Recovery Console stays on the computer; I personally believe Microsoft should install it with the Operating System by default. In the event of a catastrophic failure it will allow you to recover. You are the first person I have had say they are being prompted to use it? Perhaps you can find information to stop that here:
http://support.microsoft.com/kb/314058
http://support.microsoft.com/kb/307654
When you find out, send me a PM: http://forums.spybot.info/private.php?do=newpm&u=233
so I will know how to tell other members if it happens again.

Thanks