Page 1 of 4 1234 LastLast
Results 1 to 10 of 32

Thread: Smitfraud-C & Virtumondo and who knows what else...

  1. #1
    Junior Member
    Join Date
    Dec 2007
    Posts
    19

    Default Smitfraud-C & Virtumondo and who knows what else...

    Here I am, another newbie with the Smifraud & Virtumondo and who knows what else sort of problems, desperate for your help. I have read the "Before you Post" information 8 or 10 times and have followed your directions:

    1. Installed the updated Spybot Search & Destroy from your link.
    2. Ran the Kapersky Online Scanner from your link (took 4.5 hours)
    3. Ran Spybot-S&D in safe Mode (second scan had no items in red, although the files scanned included the Smitfraud, Virtumondo and Zlob files as they scanned past)
    4. Downloaded Hijack This from your link and ran it.
    5. Attached the HJT Log below
    6. Will open a new post to cut and paste the Kapersky Log.

    _____________

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:39:29 PM, on 12/7/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\AOL\1146972531\ee\AOLSoftware.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    c:\program files\common files\aol\1146972531\ee\anotify.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146972531\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [2473da49] rundll32.exe "C:\WINDOWS\system32\notdgylt.dll",b
    O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - S-1-5-18 Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Penny\Local Settings\Temp\{3747A7BB-AFFE-4369-8595-78694C8F431F}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Penny\Local Settings\Temp\{3747A7BB-AFFE-4369-8595-78694C8F431F}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe (User 'Default user')
    O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Penny\Local Settings\Temp\{3747A7BB-AFFE-4369-8595-78694C8F431F}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/down.../OTOYAX29b.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.30.16/ttinst.cab
    O21 - SSODL: E404Helper - {0c3866ff-54a3-4e0e-b60f-71316ee441ca} - e404d.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe (file missing)
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 10340 bytes

  2. #2
    Junior Member
    Join Date
    Dec 2007
    Posts
    19

    Default

    Here is the Kapersky Log - it did not fit on one post....Part deux to come.

    KASPERSKY ONLINE SCANNER REPORT
    Friday, December 07, 2007 2:12:00 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 7/12/2007
    Kaspersky Anti-Virus database records: 474926


    Scan Settings
    Scan using the following antivirus database extended
    Scan Archives true
    Scan Mail Bases true

    Scan Target My Computer
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\

    Scan Statistics
    Total number of scanned objects 116989
    Number of viruses found 33
    Number of infected objects 117
    Number of suspicious objects 0
    Duration of the scan process 04:54:01

    Infected Object Name Virus Name Last Action
    C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\ph Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\AOL\ACS\1.0\variable Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\80e036836d922801b28302ec373a654c_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ca4063441a962dd12645a852cb49a2b6_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Confid.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Content.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Privacy.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\Restrict.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\WebHist.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\Shared\QBackup\index.qbs Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBConfig.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDebug.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBDetect.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBNotify.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBRefr.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetCfg2.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetDev.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetLoc.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBSetUsr.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBStHash.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\BBValid.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPPolicy.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStart.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\SPBBC\SPStop.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtErEvt.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtETmp\FEF81432.TMP Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtMoEvt.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtNvEvt.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtScEvt.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtTxFEvt.log Object is locked skipped

    C:\Documents and Settings\All Users\Application Data\Symantec\SRTSP\SrtViEvt.log Object is locked skipped

    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\Mr Martin\Local Settings\Temp\sseskubs.exe Infected: Trojan.Win32.Obfuscated.kp skipped

    C:\Documents and Settings\Mr Martin\Local Settings\Temporary Internet Files\Content.IE5\868CPWJT\ptch[1] Infected: not-a-virus:AdWare.Win32.SuperJuan.ae skipped

    C:\Documents and Settings\Mr Martin\Local Settings\Temporary Internet Files\Content.IE5\EYZ43MI1\ffr[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.bjj skipped

    C:\Documents and Settings\Mr Martin\Local Settings\Temporary Internet Files\Content.IE5\N90O8XRE\ffr[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.bjj skipped

    C:\Documents and Settings\Mr Martin\Local Settings\Temporary Internet Files\Content.IE5\O1I4YZUP\ptch[1] Infected: not-a-virus:AdWare.Win32.SuperJuan.ag skipped

    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

    C:\Documents and Settings\Olivia\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ehp2_stdneh.jar-7d932a69-24c5d093.zip/VaannnaaBaa.class Infected: Trojan.Java.ClassLoader.as skipped

    C:\Documents and Settings\Olivia\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\ehp2_stdneh.jar-7d932a69-24c5d093.zip ZIP: infected - 1 skipped

    C:\Documents and Settings\Olivia\Local Settings\Temp\juhkhfev.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ag skipped

    C:\Documents and Settings\Olivia\Local Settings\Temp\oaqushki.exe Infected: Trojan.Win32.Obfuscated.kp skipped

    C:\Documents and Settings\Olivia\Local Settings\Temp\ykgyioyd.exe Infected: Trojan.Win32.Obfuscated.kp skipped

    C:\Documents and Settings\Olivia\Local Settings\Temporary Internet Files\Content.IE5\LV5AA233\ptch[1] Infected: not-a-virus:AdWare.Win32.SuperJuan.ag skipped

    C:\Documents and Settings\Penny\Application Data\GTek\GTUpdate\AUpdate\DellSupport\DSAgnt.log Object is locked skipped

    C:\Documents and Settings\Penny\Application Data\GTek\GTUpdate\AUpdate\DellSupport\DSAgnt_GTActions.log Object is locked skipped

    C:\Documents and Settings\Penny\Application Data\GTek\GTUpdate\AUpdate\DellSupport\gdql_d_DSAgnt.log Object is locked skipped

    C:\Documents and Settings\Penny\Application Data\GTek\GTUpdate\AUpdate\DellSupport\glog.log Object is locked skipped

    C:\Documents and Settings\Penny\Cookies\index.dat Object is locked skipped

    C:\Documents and Settings\Penny\Local Settings\Application Data\AOL\UserProfiles\All Users\cls\common.cls Object is locked skipped

    C:\Documents and Settings\Penny\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped

    C:\Documents and Settings\Penny\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

    C:\Documents and Settings\Penny\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

    C:\Documents and Settings\Penny\Local Settings\History\History.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\Penny\Local Settings\History\History.IE5\MSHist012007120620071207\index.dat Object is locked skipped

    C:\Documents and Settings\Penny\Local Settings\Temp\kclfflpq.exe Infected: Trojan.Win32.Obfuscated.kp skipped

    C:\Documents and Settings\Penny\Local Settings\Temp\olsrfhyi.exe Infected: Trojan.Win32.Obfuscated.kp skipped

    C:\Documents and Settings\Penny\Local Settings\Temp\~DF8677.tmp Object is locked skipped

    C:\Documents and Settings\Penny\Local Settings\Temp\~DF8689.tmp Object is locked skipped

    C:\Documents and Settings\Penny\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

    C:\Documents and Settings\Penny\Local Settings\Temporary Internet Files\Content.IE5\OHVS78FM\ffr[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.bjj skipped

    C:\Documents and Settings\Penny\Local Settings\Temporary Internet Files\Content.IE5\UEUE4V4K\landing[3].htm Object is locked skipped

    C:\Documents and Settings\Penny\NTUSER.DAT Object is locked skipped

    C:\Documents and Settings\Penny\ntuser.dat.LOG Object is locked skipped

    C:\Program Files\Common Files\Symantec Shared\AntiSpam\Log\Spam.log Object is locked skipped

    C:\Program Files\Common Files\Symantec Shared\Bonus\Log\Shazam.log Object is locked skipped

    C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.7\NCOWAD.dat Object is locked skipped

    C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.7\NCOWADMT.dat Object is locked skipped

    C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.7\NCOWAS.dat Object is locked skipped

    C:\Program Files\Common Files\Symantec Shared\coShared\WA\1.7\NCOWAS.ldb Object is locked skipped

    C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped

    C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped

    C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped

    C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped

    C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped

    C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped

    C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped

    C:\Program Files\Internet Explorer\msimg32.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped

    C:\Program Files\Norton 360\Log\AutoProtect.log Object is locked skipped

    C:\Program Files\Norton 360\Log\AVContext.log Object is locked skipped

    C:\Program Files\Norton 360\Log\AVManual.log Object is locked skipped

    C:\Program Files\Norton 360\Log\Backup.log Object is locked skipped

    C:\Program Files\Norton 360\Log\CUInternetPageViewHistory.log Object is locked skipped

    C:\Program Files\Norton 360\Log\CUInternetSearchHistory.log Object is locked skipped

    C:\Program Files\Norton 360\Log\CUInternetTempFiles.log Object is locked skipped

    C:\Program Files\Norton 360\Log\CUWindowsTempFiles.log Object is locked skipped

    C:\Program Files\Norton 360\Log\EmailScan.log Object is locked skipped

    C:\Program Files\Norton 360\Log\InternetSecurity.log Object is locked skipped

    C:\Program Files\Norton 360\Log\ISIntrusionPrevented.log Object is locked skipped

    C:\Program Files\Norton 360\Log\ISIOTraffic.log Object is locked skipped

    C:\Program Files\Norton 360\Log\ISNewNetwork.log Object is locked skipped

    C:\Program Files\Norton 360\Log\LiveUpdate.log Object is locked skipped

    C:\Program Files\Norton 360\Log\NCO.log Object is locked skipped

    C:\Program Files\Norton 360\Log\VABrowserSettings.log Object is locked skipped

    C:\Program Files\Norton 360\Log\VAIPAddresses.log Object is locked skipped

    C:\Program Files\Norton 360\Log\VAWeakPasswords.log Object is locked skipped

    C:\Program Files\Norton 360\Log\WDFScanner.log Object is locked skipped

    C:\Program Files\spoolsv.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\10.tmp/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\10.tmp/data0005 Infected: Trojan-Clicker.HTML.IFrame.dn skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\10.tmp NSIS: infected - 2 skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\10.tmp CryptFF.b: infected - 2 skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\11.tmp/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\11.tmp/data0005 Infected: Trojan-Clicker.HTML.IFrame.dn skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\11.tmp NSIS: infected - 2 skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\11.tmp CryptFF.b: infected - 2 skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\12.tmp Infected: Trojan-Downloader.Win32.Agent.cbx skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\13.tmp Infected: Trojan.Win32.BHO.ab skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\14.tmp/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\14.tmp/data0005 Infected: Trojan-Clicker.HTML.IFrame.dn skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\14.tmp NSIS: infected - 2 skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\14.tmp CryptFF.b: infected - 2 skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\15.tmp/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\15.tmp/data0005 Infected: Trojan-Clicker.HTML.IFrame.dn skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\15.tmp NSIS: infected - 2 skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\15.tmp CryptFF.b: infected - 2 skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\1A.tmp Infected: Trojan-Downloader.Win32.Obfuscated.n skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\1B.tmp Infected: Trojan-Downloader.Win32.Agent.eus skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3.tmp Infected: Trojan-Downloader.Win32.Tiny.id skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\39C.tmp Infected: Trojan-Downloader.Win32.Small.buy skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3A2.tmp Infected: not-a-virus:AdWare.Win32.Virtumonde.apx skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3A3.tmp Infected: Trojan.Win32.BHO.ab skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3A4.tmp Infected: Trojan.Win32.BHO.ab skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3A5.tmp/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3A5.tmp/data0005 Infected: Trojan-Clicker.HTML.IFrame.dn skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3A5.tmp NSIS: infected - 2 skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3A5.tmp CryptFF.b: infected - 2 skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3A6.tmp/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3A6.tmp/data0005 Infected: Trojan-Clicker.HTML.IFrame.dn skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3A6.tmp NSIS: infected - 2 skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3A6.tmp CryptFF.b: infected - 2 skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3AA.tmp Infected: Trojan.Win32.BHO.ab skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3AB.tmp Infected: Trojan.Win32.BHO.ab skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3AC.tmp/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3AC.tmp/data0005 Infected: Trojan-Clicker.HTML.IFrame.dn skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3AC.tmp NSIS: infected - 2 skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3AC.tmp CryptFF.b: infected - 2 skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3AD.tmp/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3AD.tmp/data0005 Infected: Trojan-Clicker.HTML.IFrame.dn skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3AD.tmp NSIS: infected - 2 skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3AD.tmp CryptFF.b: infected - 2 skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3B1.tmp Infected: Trojan-Clicker.Win32.Small.jf skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3B8.tmp Infected: Trojan-Downloader.Win32.PurityScan.ey skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3B9.tmp Infected: Trojan.Win32.Agent.bnj skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3BA.tmp Infected: Trojan.Win32.Agent.bnj skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3BC.tmp Infected: Trojan-Downloader.Win32.Agent.erf skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3BF.tmp Infected: Trojan-Downloader.Win32.Obfuscated.n skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3C0.tmp Infected: Trojan-Downloader.Win32.Agent.eus skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\3C1.tmp Infected: Trojan-Downloader.Win32.Tiny.id skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\D.tmp Infected: Trojan.Win32.BHO.ab skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\E.tmp Infected: Trojan.Win32.BHO.ab skipped

    C:\Program Files\Trend Micro\Internet Security 12\Quarantine\F.tmp Infected: Trojan.Win32.BHO.ab skipped

  3. #3
    Junior Member
    Join Date
    Dec 2007
    Posts
    19

    Default

    Kapersky - Part Deux

    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP425\A0180466.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP425\A0180466.exe NSIS: infected - 1 skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP425\A0180469.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP425\A0180517.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP425\A0180518.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ac skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP425\A0180519.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ac skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP425\A0180568.exe Infected: Trojan-Downloader.Win32.Agent.fjx skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP425\A0180591.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP425\A0180592.EXE Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP425\A0180593.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP427\A0181675.exe Infected: Trojan-Clicker.Win32.VB.vx skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP427\A0181677.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP427\A0181678.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP428\A0181762.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP428\A0181767.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP429\A0181812.dll Infected: not-a-virus:FraudTool.Win32.UltimateDefender.r skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP429\A0181856.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP429\A0181857.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP429\A0181858.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP429\A0181860.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP429\A0181860.exe NSIS: infected - 1 skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP429\A0181861.exe Infected: Trojan-Clicker.Win32.VB.vx skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP429\A0181862.exe Infected: Trojan-Clicker.Win32.VB.vx skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP429\A0181863.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP429\A0182865.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.art skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP429\A0182866.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP429\A0182869.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP429\A0182869.exe NSIS: infected - 1 skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP429\A0182870.exe Infected: Trojan-Downloader.Win32.VB.bto skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP429\A0182871.exe Infected: Trojan-Downloader.Win32.Alphabet.gen skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP429\A0182872.exe Infected: Trojan-Downloader.Win32.Agent.fjn skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP429\A0182873.exe Infected: not-a-virus:Downloader.Win32.UltimateFix.e skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP429\A0182874.exe Infected: Trojan.Win32.Obfuscated.kp skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP429\A0182875.exe Infected: Trojan.Win32.Obfuscated.kp skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP429\A0182881.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.art skipped

    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP433\change.log Object is locked skipped

    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

    C:\WINDOWS\ModemLog_Intel(R) 537EP V9x DF PCI Modem.txt Object is locked skipped

    C:\WINDOWS\pfirewall.log Object is locked skipped

    C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{6222556B-BB9A-4CAF-A4A8-BE6B39F81B26}.crmlog Object is locked skipped

    C:\WINDOWS\SchedLgU.Txt Object is locked skipped

    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

    C:\WINDOWS\Sti_Trace.log Object is locked skipped

    C:\WINDOWS\system32\aitxlyim.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ag skipped

    C:\WINDOWS\system32\ardodthq.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ae skipped

    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped

    C:\WINDOWS\system32\config\default.LOG Object is locked skipped

    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped

    C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped

    C:\WINDOWS\system32\config\SAM Object is locked skipped

    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY Object is locked skipped

    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped

    C:\WINDOWS\system32\config\software.LOG Object is locked skipped

    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped

    C:\WINDOWS\system32\config\system.LOG Object is locked skipped

    C:\WINDOWS\system32\cygohvjf.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ag skipped

    C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped

    C:\WINDOWS\system32\drivers\core.sys Object is locked skipped

    C:\WINDOWS\system32\e404d.dll Infected: Trojan-Dropper.Win32.Agent.ctx skipped

    C:\WINDOWS\system32\fqwpucgr.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.af skipped

    C:\WINDOWS\system32\h323log.txt Object is locked skipped

    C:\WINDOWS\system32\lkyxmvua.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ag skipped

    C:\WINDOWS\system32\pksrxcuy.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ag skipped

    C:\WINDOWS\system32\rvoammlq.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ag skipped

    C:\WINDOWS\system32\tlquivkw.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ag skipped

    C:\WINDOWS\system32\vbkqttwd.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ag skipped

    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

    C:\WINDOWS\Temp\cc2B.tmp Object is locked skipped

    C:\WINDOWS\Temp\JET56B3.tmp Object is locked skipped

    C:\WINDOWS\Temp\JET645F.tmp Object is locked skipped

    C:\WINDOWS\wiadebug.log Object is locked skipped

    C:\WINDOWS\wiaservc.log Object is locked skipped

    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    C:\ZwinkySetup2.2.60.11.exe/mwsSetup.Zwinky.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bc skipped

    C:\ZwinkySetup2.2.60.11.exe CAB: infected - 1 skipped

    Scan process completed.

  4. #4
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.
    The Waiting Room
    http://forums.spybot.info/forumdisplay.php?f=37

    I'd like to try to help you but you have some real issues. First, You have a Vundo infection which can be hard to remove. This will take some time and unless you are patient, understand how to follow directions and are comfortable working on your computer, you may want to seek local professional help. If you wish to proceed, read and follow the directions carefully.
    You probably have a Smitfraud infection also, and most of the junk in the Kaspersky scan is in quarantine folders. We also have this issue to take care of.

    You are running two antivirus programs at the same time and this is not a good thing. They conflict with each other and you will be less safe than if you ran one good program and maintained it properly.
    http://service1.symantec.com/SUPPORT...00031316555206
    "Microsoft recommends that you have only one anti-virus program installed on your computer."
    http://www.washingtonpost.com/wp-dyn...120300087.html
    http://www.smartcomputing.com/editor...8s07/38s07.asp

    C:\Program Files\Common Files\Symantec Shared\
    C:\Program Files\Trend Micro\Internet Security 12\
    Keep the one you wish to use and uninstall the other

    See this: http://forums.spybot.info/showpost.p...80&postcount=2
    C:\Program Files\Java\j2re1.4.2_03\ <<< BADLY out of date and likely the reason you are infected. Download the newest Java version and uninstall all old versions in Add Remove programs.

    When you get to this point, read the directions again so you know what you are doing and do this:

    1) C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <<< rrename HJT, call it QCLady.exe that will work. After a restart we should be able to see the infection.

    2) http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.

    Search:
    Double-click SmitfraudFix.exe
    Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consultin...rocessutil.htm

    Post the C:\rapport.txt and a new HJT log. Please keep this computer offline except when troubleshooting until we get it clean, the junk will download more.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  5. #5
    Junior Member
    Join Date
    Dec 2007
    Posts
    19

    Default Your first steps completed...What's next?

    OK, I do not want to make a mistake

    I installed Norton 360 4 days before finally begging for help - did not realize that PC-Cillin had to be removed and not just shut off - that has now been removed.

    I have Downloaded the newest Java version and uninstalled all old versions in Add Remove programs.

    I have renamed the HJT to QCLady.exe

    I have downloaded Smitfraudfix and followed ONLY the directions you gave.

    I am ready, willing and able to follow your directions and will ask if I have any question on any portion of your directions. This computer will be off and I will be monitoring the forum on my laptop to be able to get to work as soon as we see your post.

    "Thanks" just does not say it!

    Below is the C:\Rapport.txt and a new HJT log will be posted in the next post so it fits in one....

    SmitFraudFix v2.265

    Scan done at 20:08:23.80, Wed 12/12/2007
    Run from C:\Documents and Settings\Penny\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\AOL\1146972531\ee\AOLSoftware.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    hosts file corrupted !

    127.0.0.1 legal-at-spybot.info
    127.0.0.1 www.legal-at-spybot.info

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Penny


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Penny\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Penny\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
    DNS Server Search Order: 24.124.0.193
    DNS Server Search Order: 24.124.0.194
    DNS Server Search Order: 24.124.0.1

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{8A75A941-39D4-41E0-A51D-330B5FA825EF}: DhcpNameServer=24.124.0.193 24.124.0.194 24.124.0.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{8A75A941-39D4-41E0-A51D-330B5FA825EF}: DhcpNameServer=24.124.0.193 24.124.0.194 24.124.0.1
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.124.0.193 24.124.0.194 24.124.0.1
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.124.0.193 24.124.0.194 24.124.0.1


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

  6. #6
    Junior Member
    Join Date
    Dec 2007
    Posts
    19

    Default And the New HJT Log

    I just realized that I ran the SmitfraudFix BEFORE I re-booted so I ran it again and it is at the bottom, just in case it makes a difference in the information it gives you.

    NEW HJT LOG:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:45:25 PM, on 12/12/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\AOL\1146972531\ee\AOLSoftware.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\Trend Micro\HijackThis\QCLady.exe.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://mysearch.myway.com/jsp/dellsidebar.jsp?p=DE
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    O2 - BHO: (no name) - {0260B890-FED9-491A-B053-40751046ADCC} - C:\Program Files\Windows NT\savexog83122.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1A02F70F-6393-4A7B-8622-3C025C32292E} - (no file)
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
    O2 - BHO: (no name) - {31E70333-F8EF-48AC-B529-FA2CED9C8A61} - (no file)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7CE05D2A-800E-4C57-9BBA-940BE81954DC} - C:\Program Files\Windows NT\savexog4444.dll (file missing)
    O2 - BHO: (no name) - {826E84BA-6DB4-4984-AE3F-879BDEBD7309} - C:\WINDOWS\system32\vtsts.dll
    O2 - BHO: (no name) - {854E5276-E749-46B3-AF26-CC67C375B9B3} - (no file)
    O2 - BHO: (no name) - {8E281CB3-2B90-4689-B96E-8A4458B93761} - C:\Program Files\Windows NT\savexog555077.dll (file missing)
    O2 - BHO: (no name) - {A25724D8-3680-45D4-9CBC-0A196A808E15} - (no file)
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146972531\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [2473da49] rundll32.exe "C:\WINDOWS\system32\notdgylt.dll",b
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Penny\Local Settings\Temp\{3747A7BB-AFFE-4369-8595-78694C8F431F}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/down.../OTOYAX29b.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.30.16/ttinst.cab
    O21 - SSODL: E404Helper - {0c3866ff-54a3-4e0e-b60f-71316ee441ca} - e404d.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe (file missing)
    O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\umnxbgul.exe (file missing)
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 10459 bytes

    _________________________________________

    SmitFraudFix v2.265

    Scan done at 20:42:49.18, Wed 12/12/2007
    Run from C:\Documents and Settings\Penny\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» Process

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\AOL\1146972531\ee\AOLSoftware.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\cmd.exe

    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    hosts file corrupted !

    127.0.0.1 legal-at-spybot.info
    127.0.0.1 www.legal-at-spybot.info

    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Penny


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Penny\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Penny\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Rustock



    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    Description: Intel(R) PRO/100 VE Network Connection - Packet Scheduler Miniport
    DNS Server Search Order: 24.124.0.193
    DNS Server Search Order: 24.124.0.194
    DNS Server Search Order: 24.124.0.1

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{8A75A941-39D4-41E0-A51D-330B5FA825EF}: DhcpNameServer=24.124.0.193 24.124.0.194 24.124.0.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{8A75A941-39D4-41E0-A51D-330B5FA825EF}: DhcpNameServer=24.124.0.193 24.124.0.194 24.124.0.1
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{8A75A941-39D4-41E0-A51D-330B5FA825EF}: DhcpNameServer=24.124.0.193 24.124.0.194 24.124.0.1
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.124.0.193 24.124.0.194 24.124.0.1
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.124.0.193 24.124.0.194 24.124.0.1
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.124.0.193 24.124.0.194 24.124.0.1


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

  7. #7
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Thanks for returning your information and the feedback, please read and follow the directions carefully.

    1) TeaTimer will block changes we must make, use these instruction to turn it off until we are done.
    http://russelltexas.com/malware/teatimer.htm

    2) You have an infected Java cache:
    C:\Documents and Settings\Olivia\Application Data\Sun\Java\Deployment\cache\ <<< follow these directions to clean it:
    http://support.f-secure.com/enu/home...avacache.shtml


    3) Smitfraudfix found this problem:
    »»»»»»»»»»»»»»»»»»»»»»»» hosts
    hosts file corrupted !

    We need to fix it first, in the next C:\rapport.txt the hosts file will be very large, I would like you to edit the hosts file out of the report before you post the report, to save space. Please mention you have done this to remind me.

    http://siri.geekstogo.com/SmitfraudFix.php <<< tutorial if needed

    Clean:
    Reboot your computer in Safe Mode (before the Windows icon appears, tap the F8 key continually)
    Double-click SmitfraudFix.exe
    Select 2 and hit Enter to delete infect files.
    You will be prompted: Do you want to clean the registry ? answer Y (yes) and hit Enter in order to remove the Desktop background and clean registry keys associated with the infection.
    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found): Replace infected file ? answer Y (yes) and hit Enter to restore a clean file.
    A reboot may be needed to finish the cleaning process. The report can be found at the root of the system drive, usually at C:\rapport.txt

    Optional:
    To restore Trusted and Restricted site zone, select 3 and hit Enter.
    You will be prompted: Restore Trusted Zone ? answer Y (yes) and hit Enter to delete trusted zone.
    Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

    Post the C:\rapport.txt and a new HJT log.

    Thanks

    We have a ways to go and still have not started on the Vundo infection. Be sure you keep the computer offline except when troubleshooting the infections.
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  8. #8
    Junior Member
    Join Date
    Dec 2007
    Posts
    19

    Default New Rapport Log and new HJT Log

    I followed the new set of directions:

    1.) Turned off Tea Timer
    2.) Removed infected Java cache
    3.) Performed the Smitfraud.exe clean you listed.

    New rapport log is attached next - Note that the Hosts file is edited out of the report as you requested.

    Next after that is the new HJT Log.

    _________

    New rapport log



    SmitFraudFix v2.265

    Scan done at 23:19:13.54, Thu 12/13/2007
    Run from C:\Documents and Settings\Penny\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts

    (.....NOTE - Hosts files deleted as requested......)

    »»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

    S!Ri's WS2Fix: LSP not Found.


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» DNS

    HKLM\SYSTEM\CCS\Services\Tcpip\..\{8A75A941-39D4-41E0-A51D-330B5FA825EF}: DhcpNameServer=24.124.0.193 24.124.0.194 24.124.0.1
    HKLM\SYSTEM\CS1\Services\Tcpip\..\{8A75A941-39D4-41E0-A51D-330B5FA825EF}: DhcpNameServer=24.124.0.193 24.124.0.194 24.124.0.1
    HKLM\SYSTEM\CS3\Services\Tcpip\..\{8A75A941-39D4-41E0-A51D-330B5FA825EF}: DhcpNameServer=24.124.0.193 24.124.0.194 24.124.0.1
    HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=24.124.0.193 24.124.0.194 24.124.0.1
    HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=24.124.0.193 24.124.0.194 24.124.0.1
    HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.124.0.193 24.124.0.194 24.124.0.1


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

    ________________________________________


    New HJT Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:28:04 PM, on 12/13/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\AOL\1146972531\ee\AOLSoftware.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Trend Micro\HijackThis\QCLady.exe.exe
    C:\WINDOWS\system32\wuauclt.exe

    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    O2 - BHO: (no name) - {0260B890-FED9-491A-B053-40751046ADCC} - C:\Program Files\Windows NT\savexog83122.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1A02F70F-6393-4A7B-8622-3C025C32292E} - (no file)
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
    O2 - BHO: (no name) - {31E70333-F8EF-48AC-B529-FA2CED9C8A61} - (no file)
    O2 - BHO: {da3c12ee-d2d4-77d8-84f4-2f215bf524e5} - {5e425fb5-12f2-4f48-8d77-4d2dee21c3ad} - C:\WINDOWS\system32\lpuvlavb.dll
    O2 - BHO: (no name) - {6080FBFC-F341-46AF-9A97-A8B2A0A51F94} - C:\WINDOWS\system32\vtsts.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7CE05D2A-800E-4C57-9BBA-940BE81954DC} - C:\Program Files\Windows NT\savexog4444.dll (file missing)
    O2 - BHO: (no name) - {826E84BA-6DB4-4984-AE3F-879BDEBD7309} - (no file)
    O2 - BHO: (no name) - {854E5276-E749-46B3-AF26-CC67C375B9B3} - (no file)
    O2 - BHO: (no name) - {8E281CB3-2B90-4689-B96E-8A4458B93761} - C:\Program Files\Windows NT\savexog555077.dll (file missing)
    O2 - BHO: (no name) - {A25724D8-3680-45D4-9CBC-0A196A808E15} - (no file)
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146972531\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [2473da49] rundll32.exe "C:\WINDOWS\system32\mafjctsd.dll",b
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
    O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Penny\Local Settings\Temp\{3747A7BB-AFFE-4369-8595-78694C8F431F}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/down.../OTOYAX29b.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.30.16/ttinst.cab
    O21 - SSODL: E404Helper - {0c3866ff-54a3-4e0e-b60f-71316ee441ca} - e404d.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe (file missing)
    O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\umnxbgul.exe (file missing)
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 9410 bytes

  9. #9
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Thanks for returning you information, remember to stay offline except when troubleshooting, the junk will download more. Let's go after this Vundo infection now, read and follow the directions carefully.

    1) Thanks to Atribune and any others who helped with this fix.

    http://vundofix.atribune.org/ <<< tutorial

    "Download VundoFix" to your Desktop

    http://www.atribune.org/ccount/click.php?id=4

    Double-click VundoFix.exe to run it.
    When VundoFix opens, click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files, click YES
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will reboot your computer, click OK.
    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will attempt run on reboot, simply follow the above instructions starting from "Click
    the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on the C:\

    (wait until you finish to post reports and logs)

    2) Thanks to sUBs and anyone else who helped with this fix.

    Download ComboFix from Here or Here to your Desktop
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

    Note: Do not mouseclick combofix's window while its running. That may cause it to stall

    Post the Vundofix.txt, combofix log and a new HJT log.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  10. #10
    Junior Member
    Join Date
    Dec 2007
    Posts
    19

    Default Vundofix.txt and new JHT Log - Combofix, no

    I am so glad you are walking me through this. Now that it is Friday, I can repond much quicker than waiting thru my 7am-6pm days!

    Ran the VundoFix and the log is attached.

    The ComboFix downloaded and ran, only I never got a completion or a log. It stated that it should take 10 minutes, but could take twice that - well, the blue screen sat on "Deleting Files/Folders" notation, with a blinking curser, for 1 hour the first time and I let it sit 2 hours the second time. There is no log within the C: drive in conjunction with the Combofix program.

    Ran a new HJT Log and it is below the VundoFix log.

    ______________________________________



    VundoFix V6.7.0

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Scan started at 6:01:04 PM 12/14/2007

    Listing files found while scanning....

    C:\windows\system32\ststv.bak1
    C:\windows\system32\ststv.bak2
    C:\windows\system32\ststv.ini
    C:\windows\system32\ststv.ini2
    C:\windows\system32\ststv.tmp
    C:\windows\system32\vtsts.dll

    Beginning removal...

    Attempting to delete C:\windows\system32\ststv.bak1
    C:\windows\system32\ststv.bak1 Has been deleted!

    Attempting to delete C:\windows\system32\ststv.bak2
    C:\windows\system32\ststv.bak2 Has been deleted!

    Attempting to delete C:\windows\system32\ststv.ini
    C:\windows\system32\ststv.ini Has been deleted!

    Attempting to delete C:\windows\system32\ststv.ini2
    C:\windows\system32\ststv.ini2 Has been deleted!

    Attempting to delete C:\windows\system32\ststv.tmp
    C:\windows\system32\ststv.tmp Has been deleted!

    Attempting to delete C:\windows\system32\vtsts.dll
    C:\windows\system32\vtsts.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    ______________________________________

    New HJT Log

    ______________________________________

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 22:07, on 2007-12-14
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\AOL\1146972531\ee\AOLSoftware.exe
    C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\DellSupport\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\QCLady.exe.exe

    R3 - URLSearchHook: (no name) - {4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
    O2 - BHO: (no name) - {0260B890-FED9-491A-B053-40751046ADCC} - C:\Program Files\Windows NT\savexog83122.dll (file missing)
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1A02F70F-6393-4A7B-8622-3C025C32292E} - (no file)
    O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\NppBho.dll
    O2 - BHO: (no name) - {31E70333-F8EF-48AC-B529-FA2CED9C8A61} - (no file)
    O2 - BHO: (no name) - {5E91C713-C4AB-478A-A745-63C229D450FA} - C:\WINDOWS\system32\vtsts.dll (file missing)
    O2 - BHO: {6194d655-e323-c7e8-ce84-4cbd2f79bcf5} - {5fcb97f2-dbc4-48ec-8e7c-323e556d4916} - C:\WINDOWS\system32\ckcocois.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {7CE05D2A-800E-4C57-9BBA-940BE81954DC} - C:\Program Files\Windows NT\savexog4444.dll (file missing)
    O2 - BHO: (no name) - {826E84BA-6DB4-4984-AE3F-879BDEBD7309} - (no file)
    O2 - BHO: (no name) - {854E5276-E749-46B3-AF26-CC67C375B9B3} - (no file)
    O2 - BHO: (no name) - {8E281CB3-2B90-4689-B96E-8A4458B93761} - C:\Program Files\Windows NT\savexog555077.dll (file missing)
    O2 - BHO: (no name) - {A25724D8-3680-45D4-9CBC-0A196A808E15} - (no file)
    O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.7\UIBHO.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1146972531\ee\AOLSoftware.exe
    O4 - HKLM\..\Run: [DLCCCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\DLCCtime.dll,_RunDLLEntry@16
    O4 - HKLM\..\Run: [dlccmon.exe] "C:\Program Files\Dell Photo AIO Printer 924\dlccmon.exe"
    O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [2473da49] rundll32.exe "C:\WINDOWS\system32\oeawcfbg.dll",b
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AROReminder] C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem
    O4 - Startup: RollerCoaster Tycoon 3 Registration.lnk = C:\Documents and Settings\Penny\Local Settings\Temp\{3747A7BB-AFFE-4369-8595-78694C8F431F}\{907B4640-266B-4A21-92FB-CD1A86CD0F63}\ATR1.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: America Online 9.0 Tray Icon.lnk = C:\Program Files\America Online 9.0\aoltray.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w2/pr02...s/MSNPUpld.cab
    O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/down.../OTOYAX29b.cab
    O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://a.download.toontown.com/sv1.0.30.16/ttinst.cab
    O21 - SSODL: E404Helper - {0c3866ff-54a3-4e0e-b60f-71316ee441ca} - e404d.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
    O23 - Service: dlcc_device - Unknown owner - C:\WINDOWS\system32\dlcccoms.exe (file missing)
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Unknown owner - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe (file missing)
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

    --
    End of file - 9391 bytes

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •