
Thread: "Fresh" install from XP factory disc may not be so fresh

  #1 - Junior Member (Join Date: Dec 2007, Posts: 2)

    "Fresh" install from XP factory disc may not be so fresh

    I just loaded my comp back from some factory setting discs, and it's already infected. Here's the HJT Log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 3:43:13 PM, on 12/18/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\arservice.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\WINDOWS\ARPWRMSG.EXE
    C:\Program Files\DISC\DISCover.exe
    C:\Program Files\DISC\DiscUpdMgr.exe
    C:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Documents and Settings\HP_Administrator\My Documents\?ppPatch\r?ndll.exe
    C:\Program Files\Router\Router.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\DISC\DiscStreamHub.exe
    C:\WINDOWS\system32\wuauclt.exe
    c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\HP\KBD\KBD.EXE
    c:\windows\system\hpsysdrv.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TY...ION&pf=desktop
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [AlwaysReady Power Message APP] ARPWRMSG.EXE
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [HPHUPD08] c:\Program Files\HP\Digital Imaging\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\hphupd08.exe
    O4 - HKLM\..\Run: [DISCover] C:\Program Files\DISC\DISCover.exe
    O4 - HKLM\..\Run: [DiscUpdateManager] C:\Program Files\DISC\DiscUpdMgr.exe
    O4 - HKLM\..\Run: [DMAScheduler] "c:\Program Files\HP DigitalMedia Archive\DMAScheduler.exe"
    O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
    O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [HPBootOp] "C:\Program Files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" /run
    O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPwuSchd2.exe
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [horygy] C:\Program Files\Movie Maker\horygy77798.exe
    O4 - HKLM\..\Run: [a8399b67] rundll32.exe "C:\WINDOWS\system32\hklsxrdp.dll",b
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [igndlm.exe] C:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
    O4 - HKCU\..\Run: [Scbu] "C:\DOCUME~1\HP_ADM~1\APPLIC~1\CROSOF~1.NET\csrss.exe" -vt yazb
    O4 - HKCU\..\Run: [QdrModule10] "C:\Program Files\QdrModule\QdrModule10.exe"
    O4 - HKCU\..\Run: [Rqv] "C:\Documents and Settings\HP_Administrator\My Documents\?ppPatch\r?ndll.exe"
    O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\HP_Administrator\Application Data\WinTouch\WinTouch.exe
    O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\fttmn.exe
    O4 - HKCU\..\Run: [Router] C:\Program Files\Router\Router.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - .DEFAULT User Startup: Pin.lnk = C:\hp\bin\CLOAKER.EXE (User 'Default user')
    O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    O4 - Global Startup: Updates From HP.lnk = C:\Program Files\Updates from HP\9972322\Program\Updates from HP.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra 'Tools' menuitem: Internet Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://*.trymedia.com (HKLM)
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (CDownloadCtrl Object) - http://www.fileplanet.com/fpdlmgr/ca..._2.3.6.108.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1197685919515
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\ccPwdSvc.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - c:\Program Files\Norton Internet Security\comHost.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O24 - Desktop Component 0: (no name) - C:\Program Files\WindowsUpdate\profsy.html

    --
    End of file - 11535 bytes


    The Kaspersky log is too long to put in this post, read below pls.

  #2 - Junior Member (Join Date: Dec 2007, Posts: 2)

    And here's the Kaspersky Log

    Tuesday, December 18, 2007 2:39:49 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 18/12/2007
    Kaspersky Anti-Virus database records: 486393
    Scan Settings
    Scan using the following antivirus database extended
    Scan Archives true
    Scan Mail Bases true
    Scan Target My Computer
    C:\
    D:\
    E:\
    F:\
    G:\
    H:\
    I:\
    Scan Statistics
    Total number of scanned objects 94399
    Number of viruses found 24
    Number of infected objects 42
    Number of suspicious objects 0
    Duration of the scan process 01:12:38

    Infected Object Name Virus Name Last Action
    C:\Documents and Settings\All Users\Application Data\Microsoft\eHome\logs\ehRecvr.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
    C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\komxdyvp.default\cert8.db Object is locked skipped
    C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\komxdyvp.default\history.dat Object is locked skipped
    C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\komxdyvp.default\key3.db Object is locked skipped
    C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\komxdyvp.default\parent.lock Object is locked skipped
    C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\komxdyvp.default\search.sqlite Object is locked skipped
    C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\komxdyvp.default\urlclassifier2.sqlite Object is locked skipped
    C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-49afdd7a.zip/vmain.class Infected: Exploit.Java.Gimsh.b skipped
    C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-6b13a7e7-49afdd7a.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\HP_Administrator\Application Data\Sun\Java\Deployment\log\plugin150_05.trace Object is locked skipped
    C:\Documents and Settings\HP_Administrator\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\ApplicationHistory\DiscStreamHub.exe.fddeaf63.ini.inuse Object is locked skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\ApplicationHistory\DiscUpdMgr.exe.f0c5ac89.ini.inuse Object is locked skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\komxdyvp.default\Cache\_CACHE_001_ Object is locked skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\komxdyvp.default\Cache\_CACHE_002_ Object is locked skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\komxdyvp.default\Cache\_CACHE_003_ Object is locked skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\komxdyvp.default\Cache\_CACHE_MAP_ Object is locked skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\History\History.IE5\MSHist012007121820071219\index.dat Object is locked skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\camg-77798.exe/data0004 Infected: not-a-virus:AdWare.Win32.TTC.c skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\camg-77798.exe NSIS: infected - 1 skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\D462.tmp/stream/data0001 Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\D462.tmp/stream/data0002 Infected: not-a-virus:AdWare.Win32.AdBand.e skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\D462.tmp/stream Infected: not-a-virus:AdWare.Win32.AdBand.e skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\D462.tmp NSIS: infected - 3 skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\hpodvd09.log Object is locked skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\hsperfdata_HP_Administrator\1856 Object is locked skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\MBDownloader_876923.exe Infected: not-a-virus:AdWare.Win32.NetNucleus.b skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\mit37F.tmp/Mirar_VC_Setup_876923.exe Infected: not-a-virus:AdWare.Win32.Mirar.i skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\mit37F.tmp CAB: infected - 1 skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\mit37F.tmp.cab/Mirar_VC_Setup_876923.exe Infected: not-a-virus:AdWare.Win32.Mirar.i skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\mit37F.tmp.cab CAB: infected - 1 skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\_hphtra07.log Object is locked skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Temp\~DF26A7.tmp Object is locked skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\4HTNN1QF\n14042[1].htm Infected: Trojan-Downloader.JS.Agent.amu skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\CV3B3GQB\!update-4395[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.dx skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\CV3B3GQB\n14041[1].htm Infected: Trojan-Downloader.JS.Agent.amu skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\W8CZVIWX\n14043[1].htm Infected: Trojan-Downloader.JS.Agent.amu skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\W8CZVIWX\n14046[1].htm Infected: Trojan-Downloader.JS.Agent.amu skipped
    C:\Documents and Settings\HP_Administrator\Local Settings\Temporary Internet Files\Content.IE5\W8CZVIWX\n14048[1].htm Infected: Trojan-Downloader.JS.Agent.amu skipped
    C:\Documents and Settings\HP_Administrator\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\HP_Administrator\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\clnr0.dll Infected: Trojan.Win32.Gorshok.a skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
    C:\Program Files\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\AntiSpam\Log\Spam.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcrst.dll Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDALRT.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDCON.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDDBG.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDFW.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDIDS.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SNDSYS.log Object is locked skipped
    C:\Program Files\Outerinfo\FF\components\FF.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
    C:\Program Files\QdrDrive\QdrDrive8.dll Infected: not-a-virus:AdWare.Win32.AdBand.e skipped
    C:\Program Files\Updates from HP\9972322\Users\Default\Data\chandir.dat Object is locked skipped
    C:\Program Files\Updates from HP\9972322\Users\Default\Data\chandir.idx Object is locked skipped
    C:\Program Files\Updates from HP\9972322\Users\Default\Data\chn.dat Object is locked skipped
    C:\Program Files\Updates from HP\9972322\Users\Default\Data\chn.idx Object is locked skipped
    C:\Program Files\Updates from HP\9972322\Users\Default\Data\D0000000.FCS Object is locked skipped
    C:\Program Files\Updates from HP\9972322\Users\Default\Data\inuse.txt Object is locked skipped
    C:\Program Files\Updates from HP\9972322\Users\Default\Data\L0000001.FCS Object is locked skipped
    C:\Program Files\Updates from HP\9972322\Users\Default\Data\main.log Object is locked skipped
    C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs.dat Object is locked skipped
    C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs.idx Object is locked skipped
    C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_die.dat Object is locked skipped
    C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_die.idx Object is locked skipped
    C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_dnd.dat Object is locked skipped
    C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_dnd.idx Object is locked skipped
    C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_ext.dat Object is locked skipped
    C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_ext.idx Object is locked skipped
    C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_rcv.dat Object is locked skipped
    C:\Program Files\Updates from HP\9972322\Users\Default\Data\prs_rcv.idx Object is locked skipped
    C:\Program Files\Updates from HP\9972322\Users\Default\Data\storydb.dat Object is locked skipped
    C:\Program Files\Updates from HP\9972322\Users\Default\Data\storydb.idx Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP10\A0002649.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP10\A0002649.exe/stream/data0004 Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP10\A0002649.exe/stream Infected: not-a-virus:AdWare.Win32.Mostofate.u skipped
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP10\A0002649.exe NSIS: infected - 3 skipped
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP10\A0002650.exe Infected: Trojan-Downloader.Win32.Agent.cbx skipped
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP10\A0002651.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP10\A0002652.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP10\A0002653.dll Infected: not-a-virus:AdWare.Win32.Mirar.e skipped
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP10\A0003643.dll Infected: Trojan.Win32.Gorshok.a skipped
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP12\A0003729.exe Infected: Trojan-Downloader.Win32.Agent.ezc skipped
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP12\A0003733.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.apn skipped
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP12\A0003779.exe Infected: Trojan-Downloader.Win32.PurityScan.eg skipped
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP12\A0003847.dll Infected: Trojan.Win32.Gorshok.a skipped
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP12\A0003868.exe Infected: not-a-virus:AdWare.Win32.Agent.vv skipped
    C:\System Volume Information\_restore{106CF321-99A3-4E3A-9103-1BD027606A99}\RP12\change.log Object is locked skipped
    C:\WINDOWS\b111.exe Infected: Trojan-Downloader.Win32.Agent.fjv skipped
    C:\WINDOWS\b122.exe Infected: Trojan-Downloader.Win32.Agent.erf skipped
    C:\WINDOWS\b151.exe Infected: Trojan-Downloader.Win32.Agent.fjn skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{9DF809C8-1EFD-492D-AD33-0F8023790269}.crmlog Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{E2BCB99E-C3D3-43D5-8273-C634482D5D26}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\hklsxrdp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
    C:\WINDOWS\system32\LogFiles\HTTPERR\httperr1.log Object is locked skipped
    C:\WINDOWS\system32\ssqpo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bxe skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\system32\xjrmrgow.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
    C:\WINDOWS\Temp\Perflib_Perfdata_2c8.dat Object is locked skipped
    C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    Scan process completed.

  #3 - pskelley (In Memoriam - Always in our heart; Join Date: Oct 2005; Location: Clearwater, Florida; Posts: 20,247)

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    I will say first that it is very difficult for me to believe a Vundo infection came from factory install disks. Have a look at how easy it is to get that infection:
    http://www.theregister.com/2007/05/1...e_malware_map/
    http://redtape.msnbc.com/2007/05/the_next_net_th.html

    Having looked at the infection I would say if this came from an "XP factory disc" you want to contact whoever you purchased the computer from and get your money back.

    You have a Vundo infection which can be hard to remove. This will take some time and unless you are patient, understand how to follow directions and are comfortable working on your computer, you may want to seek local professional help. If you wish to proceed, read and follow the directions carefully.
    And that's not all, I also see Wintouch, PurityScan/OIN, and several pieces of junk I cannot even identify. This junk will download more; if you wish to proceed, you need to keep the computer offline except when you are troubleshooting.

    I need some information first, read and follow all directions carefully.

    http://siri.geekstogo.com/SmitfraudFix.php <<< download Smitfraudfix from here and follow ONLY these directions.

    Search:
    Double-click SmitfraudFix.exe
    Select 1 and hit Enter to create a report of the infected files. The report can be found at the root of the system drive, usually at C:\rapport.txt

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool". It is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
    http://www.beyondlogic.org/consultin...rocessutil.htm

    Post only the C:\rapport.txt

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
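As an added illustration (not part of the thread, and not a tool anyone in it posted): a small Python triage over the O4 autorun lines from the HijackThis log above, applying the kind of checks pskelley applied by eye: a binary launched from the user profile, a Windows system-binary name outside system32, a "?" in a path (HijackThis prints a non-ASCII character that way), and a rundll32 entry keyed by a hex-looking value name, the Virtumonde/Vundo pattern Kaspersky flagged in hklsxrdp.dll. The heuristics, their wording and the sample selection are my own assumptions; one entry the helper flagged (horygy77798.exe) deliberately slips through to show why a human still reads the log.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: O4 autorun entries copied from the HijackThis log posted
# in this thread, mixing vendor entries with the ones the helper called out.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [horygy] C:\Program Files\Movie Maker\horygy77798.exe
O4 - HKLM\..\Run: [a8399b67] rundll32.exe "C:\WINDOWS\system32\hklsxrdp.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Scbu] "C:\DOCUME~1\HP_ADM~1\APPLIC~1\CROSOF~1.NET\csrss.exe" -vt yazb
O4 - HKCU\..\Run: [Rqv] "C:\Documents and Settings\HP_Administrator\My Documents\?ppPatch\r?ndll.exe"
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\HP_Administrator\Application Data\Microsoft\fttmn.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
"""

# HijackThis "O4" registry autorun line: O4 - <hive>\..\<key>: [<value name>] <command>
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# First drive-letter path ending in an executable extension, quoted or not.
TARGET_RE = re.compile(r'"?([A-Za-z]:\\[^"]*?\.(?:exe|dll|scr|com))\b', re.IGNORECASE)

# Heuristic knobs: my assumptions, not HijackThis or forum policy.
USER_PROFILE_MARKERS = ("\\documents and settings\\", "\\docume~1\\")
SYSTEM_BINARY_NAMES = {"csrss.exe", "smss.exe", "winlogon.exe", "services.exe", "lsass.exe", "svchost.exe"}
HEX_NAME_RE = re.compile(r"[0-9a-f]{8}")


@dataclass
class Finding:
    hive: str
    name: str
    target: str
    reasons: list = field(default_factory=list)


def triage_o4(line: str):
    """Return a Finding for one O4 Run line, or None if the line is not an O4 Run entry."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    cmd = m["cmd"]
    t = TARGET_RE.search(cmd)
    tokens = cmd.split()
    target = t.group(1) if t else (tokens[0] if tokens else "")
    low = target.lower()
    base = low.rsplit("\\", 1)[-1]
    f = Finding(m["hive"], m["name"], target)

    if "?" in target:
        # HijackThis prints non-ASCII characters as "?"; the thread's log shows
        # "\?ppPatch\r?ndll.exe", a look-alike of an ordinary Windows file name.
        f.reasons.append('path contains "?" (non-ASCII character in a file name)')
    if any(marker in low for marker in USER_PROFILE_MARKERS):
        f.reasons.append("autorun binary lives under the user profile, not Program Files or Windows")
    if base in SYSTEM_BINARY_NAMES and "\\system32\\" not in low:
        f.reasons.append(f"{base} outside system32 impersonates a Windows system binary")
    if cmd.lower().startswith("rundll32") and HEX_NAME_RE.fullmatch(m["name"]):
        # Virtumonde/Vundo style: rundll32 loading a DLL under a hex value name.
        f.reasons.append("rundll32 entry keyed by a hex value name")
    return f


def triage_log(text: str):
    """Return only the O4 entries that tripped at least one heuristic, in log order."""
    out = []
    for line in text.splitlines():
        f = triage_o4(line)
        if f and f.reasons:
            out.append(f)
    return out


if __name__ == "__main__":
    for f in triage_log(SAMPLE_HJT):
        print(f"{f.hive} [{f.name}] {f.target}")
        for r in f.reasons:
            print("   -", r)
```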
