
Thread: New Thread: What's yrndlcit.exe?

  1. #21
    Member
    Join Date
    Jan 2008
    Posts
    36


    Quote Originally Posted by CalamityJane View Post
    Hi Leo,

    Welcome back! Yes, you posted ok. Maybe it's that you need to make sure you have logged into your account when trying to post? Anyway, it did take. I've got your logs here and going over them now. Give me a few minutes to review them.
    No, it was definitely online and logged in... and the bubble turned green after I posted... of course, one can't edit one's posts here, so I couldn't add the yep... it's strange, alright. I was going to go back to my usual Firefox instead of IE (used for the KAV) but something erased 3 FF .dlls (that happened when I first installed FF on this computer last year when I got it... it almost looks like IE is doing it, because I wasn't doing any AV stuff... whatever, it's a side issue).

    Thanks, Jane.

  2. #22
    CalamityJane (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Central Florida, USA
    Posts
    651


    Here is the KAV scan results (not good!)

    ------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Thursday, January 17, 2008 4:45:17 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 17/01/2008
    Kaspersky Anti-Virus database records: 517094
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 52505
    Number of viruses found: 23
    Number of infected objects: 114
    Number of suspicious objects: 2
    Duration of the scan process: 00:58:24

    Infected Object Name / Virus Name / Last Action
    C:\Deckard\System Scanner\backup\DOCUME~1\SHIRLE~1\LOCALS~1\Temp\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip/v1.8.6/wbuninst.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\All Users\Desktop\ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
    C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\SHIRLEY WILLIAMS\Cookies\INDEX.DAT Object is locked skipped
    C:\Documents and Settings\SHIRLEY WILLIAMS\Desktop\vnc-4_1_2-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
    C:\Documents and Settings\SHIRLEY WILLIAMS\Desktop\vnc-4_1_2-x86_win32.exe/file2 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
    C:\Documents and Settings\SHIRLEY WILLIAMS\Desktop\vnc-4_1_2-x86_win32.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
    C:\Documents and Settings\SHIRLEY WILLIAMS\Desktop\vnc-4_1_2-x86_win32.exe/file5 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
    C:\Documents and Settings\SHIRLEY WILLIAMS\Desktop\vnc-4_1_2-x86_win32.exe Inno: infected - 4 skipped
    C:\Documents and Settings\SHIRLEY WILLIAMS\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\SHIRLEY WILLIAMS\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\SHIRLEY WILLIAMS\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
    C:\Documents and Settings\SHIRLEY WILLIAMS\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\SHIRLEY WILLIAMS\My Documents\My Pictures\Setup.exe Infected: not-a-virus:AdWare.Win32.180Solutions.ax skipped
    C:\Documents and Settings\SHIRLEY WILLIAMS\ntuser.dat Object is locked skipped
    C:\Documents and Settings\SHIRLEY WILLIAMS\ntuser.dat.LOG Object is locked skipped
    C:\ja.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
    C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
    C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
    C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
    C:\Program Files\removed\Broadchump\Client Foundation\CFD.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\Program Files\removed\Dell Support\DSAgnt.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\QooBox\Quarantine\C\Program Files\MSN Gaming Zone\lavu.dll.vir Infected: Trojan.Win32.BHO.ab skipped
    C:\QooBox\Quarantine\C\Program Files\MSN Gaming Zone\lavu441.dll.vir Infected: Trojan.Win32.BHO.ab skipped
    C:\QooBox\Quarantine\C\Program Files\MSN Gaming Zone\profsy.html.vir Infected: Trojan-Clicker.HTML.IFrame.dn skipped
    C:\QooBox\Quarantine\C\Program Files\Windows Media Player\hokesotu4444.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\QooBox\Quarantine\C\Program Files\Windows Media Player\hokesotu83122.dll.vir Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\cavnfmkr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ipv6monk.dll.vir Infected: Trojan-Spy.Win32.BZub.ic skipped
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\mssdvoql.exe.vir Infected: Trojan-Downloader.Win32.Agent.gwe skipped
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rsvp32_2.dll.vir Infected: Trojan-Proxy.Win32.Agent.ly skipped
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rsvp32_2.dll3f2tjw.vir Infected: Trojan-Proxy.Win32.Agent.ly skipped
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rsvp32_2.dllewfwe334f.vir Infected: Trojan-Proxy.Win32.Agent.ly skipped
    C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\rsvp32_2.dllewfweff.vir Infected: Trojan-Proxy.Win32.Agent.ly skipped
    C:\QooBox\Quarantine\C\WINDOWS\tk58.exe.vir Infected: Trojan.Win32.BHO.ab skipped
    C:\QooBox\Quarantine\C\WINDOWS\TTC-4444.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\QooBox\Quarantine\C\WINDOWS\TTC-4444.exe.vir NSIS: infected - 1 skipped
    C:\QooBox\Quarantine\catchme2008-01-15_150933.27.zip/cbxyyww.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bmd skipped
    C:\QooBox\Quarantine\catchme2008-01-15_150933.27.zip ZIP: infected - 1 skipped
    \ashell3\ntsc3plyr.exe Infected: not-a-virus:AdWare.Win32.Agent.co skipped
    C:\shit\bbc5\gstdrvr8.exe Infected: Trojan.Win32.Pakes.bvs skipped
    C:\shit\doc4\mmildot83122.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\shit\doc4\mmildot83122.exe NSIS: infected - 1 skipped
    C:\shit\mrofinu1000106.exe Infected: Trojan-Downloader.Win32.Agent.fuc skipped
    C:\shit\mrofinu572.exe Infected: Trojan-Downloader.Win32.Agent.fuc skipped
    C:\shit\rex2\monidnpr3.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
    C:\shit\Temp\ja.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\shit\U0hJUkxFWSBXSUxMSUFNUw\asappsrv.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
    C:\shit\U0hJUkxFWSBXSUxMSUFNUw\command.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0059952.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0059952.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0059953.exe Infected: Trojan.Win32.BHO.ab skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0059954.dll Infected: Trojan.Win32.BHO.ab skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0059960.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0059968.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0059968.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0059969.exe Infected: Trojan.Win32.BHO.ab skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0059970.dll Infected: Trojan.Win32.BHO.ab skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP307\A0060960.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0060970.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0060970.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0060971.exe Infected: Trojan.Win32.BHO.ab skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0060978.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0060988.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0060988.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0060989.exe Infected: Trojan.Win32.BHO.ab skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP308\A0060990.dll Infected: Trojan.Win32.BHO.ab skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP309\A0060994.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP309\A0060995.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP309\snapshot\MFEX-1.DAT Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP310\A0061013.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0061038.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0061038.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0061039.exe Infected: Trojan.Win32.BHO.ab skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0061040.dll Infected: Trojan.Win32.BHO.ab skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0061046.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP311\A0061056.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0061089.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0061089.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0061090.exe Infected: Trojan.Win32.BHO.ab skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0061091.dll Infected: Trojan.Win32.BHO.ab skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0062084.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0063090.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0063090.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0063091.exe Infected: Trojan.Win32.BHO.ab skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP313\A0063092.dll Infected: Trojan.Win32.BHO.ab skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP314\A0063121.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP314\A0063131.dll Infected: not-a-virus:AdTool.Win32.MyWebSearch skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP314\A0063137.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP314\A0063147.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP314\A0063147.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP314\A0063148.exe Infected: Trojan.Win32.BHO.ab skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP314\A0063149.dll Infected: Trojan.Win32.BHO.ab skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP314\A0063153.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP314\snapshot\MFEX-1.DAT Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063172.dll Infected: Trojan-Proxy.Win32.Agent.ly skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063177.dll Infected: Trojan-Spy.Win32.BZub.ic skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063178.exe Infected: Trojan-Downloader.Win32.Agent.gwe skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063179.dll Infected: Trojan.Win32.BHO.ab skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063180.dll Infected: Trojan.Win32.BHO.ab skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063181.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063182.dll Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063183.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063194.exe Infected: Trojan.Win32.BHO.ab skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063195.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063195.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063199.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bmd skipped
    C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP318\change.log Object is locked skipped
    C:\WINDOWS\Debug\oakley.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\horrible\cbxyyww.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bmd skipped
    C:\WINDOWS\horrible\hrjxgroq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
    C:\WINDOWS\horrible\imetrkcv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
    C:\WINDOWS\horrible\nvpqsmo.dll Infected: not-a-virus:AdWare.Win32.Agent.wx skipped
    C:\WINDOWS\horrible\ocduwffh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
    C:\WINDOWS\horrible\tejsngcs.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
    C:\WINDOWS\horrible\vhijifno.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
    C:\WINDOWS\LastGood\System32\ctfmon.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
    C:\WINDOWS\lola.exe Infected: Trojan-Downloader.Win32.Agent.bhc skipped
    C:\WINDOWS\MEMORY.DMP Object is locked skipped
    C:\WINDOWS\run2.exe/data0006 Infected: Trojan-Dropper.Win32.VB.nn skipped
    C:\WINDOWS\run2.exe NSIS: infected - 1 skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{4098AEB7-9611-4C3C-B248-7C861B1FBA74}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
    C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\SYSTEM32\WBEM\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\v030817.exe Infected: Trojan-Downloader.Win32.Agent.bhc skipped
    C:\WINDOWS\WIADEBUG.LOG Object is locked skipped
    C:\WINDOWS\WIASERVC.LOG Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    C:\WINDOWS\winup3824.exe Infected: Trojan-Downloader.Win32.Agent.bhc skipped
    C:\WINDOWS\zup.exe Infected: Trojan-Proxy.Win32.Agent.ly skipped

    Scan process completed.
    ..................
    I'll come back with a reply on what I see there
    Microsoft MVP 2003-2009
    Windows-Security
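The report above mixes four kinds of line (real detections, "not-a-virus" tool flags, locked files the scanner could not open, and archive roll-ups such as "NSIS: infected - 1") and three kinds of location (files still in place, files already in the QooBox/Deckard/Spybot quarantines, and copies inside System Restore points). The triage below, an added example that is not part of the original post and not Kaspersky's own tooling, parses the report into those buckets and lists only detections that are both real malware and still in an active location. It assumes nothing beyond the line formats visible in the report; the sample input is a constructed subset of ten lines copied from it.

```python
"""Triage a Kaspersky Online Scanner (KAV) report into active vs. contained findings."""
import re
from collections import Counter

# Constructed sample: ten lines copied from the report above.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Desktop\ipscan.exe Infected: not-a-virus:NetTool.Win32.Portscan.c skipped
C:\ja.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\removed\Dell Support\DSAgnt.exe Infected: Trojan-Downloader.Win32.Agent.awf skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ipv6monk.dll.vir Infected: Trojan-Spy.Win32.BZub.ic skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP315\A0063177.dll Infected: Trojan-Spy.Win32.BZub.ic skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\run2.exe/data0006 Infected: Trojan-Dropper.Win32.VB.nn skipped
C:\WINDOWS\run2.exe NSIS: infected - 1 skipped
C:\WINDOWS\zup.exe Infected: Trojan-Proxy.Win32.Agent.ly skipped
"""

# One regex for the four line shapes seen in the report. The path is matched
# non-greedily because it may contain spaces; "/inner" marks an object inside
# an archive or installer.
LINE_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?:Infected: (?P<name>\S+)"
    r"|Suspicious: (?P<susp>\S+)"
    r"|(?P<locked>Object is locked)"
    r"|(?P<container>\w+): (?:infected|suspicious) - \d+)"
    r" skipped$"
)

# Locations where a hit is already contained (quarantine folders of the tools
# used earlier in the thread) or dormant (System Restore snapshots).
QUARANTINE_MARKERS = (
    "\\QooBox\\Quarantine\\",
    "\\Deckard\\System Scanner\\backup\\",
    "\\Spybot - Search & Destroy\\Recovery\\",
)
RESTORE_MARKER = "\\System Volume Information\\_restore"


def location_of(path: str) -> str:
    host = path.split("/", 1)[0]  # classify by the file on disk, not the inner object
    if RESTORE_MARKER in host:
        return "restore_point"
    if any(marker in host for marker in QUARANTINE_MARKERS):
        return "quarantine"
    return "active"


def verdict_class(name: str) -> str:
    return "not-a-virus" if name.startswith("not-a-virus:") else "malware"


def family_of(name: str) -> str:
    """Kaspersky names read [not-a-virus:]Behaviour.Platform.Family.variant; drop the variant."""
    base = name.split(":", 1)[-1]
    parts = base.split(".")
    return ".".join(parts[:-1]) if len(parts) > 3 else base


def triage(report_text: str) -> dict:
    counts: Counter = Counter()
    active, unparsed = [], []
    for raw in report_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)
            continue
        if m.group("locked"):
            counts["skipped_locked"] += 1      # not scanned at all: a gap, not a clean result
            continue
        if m.group("container"):
            counts["container_rollup"] += 1    # already counted via its inner objects
            continue
        loc = location_of(m.group("path"))
        if m.group("susp"):
            counts[(loc, "suspicious")] += 1
            continue
        cls = verdict_class(m.group("name"))
        counts[(loc, cls)] += 1
        if loc == "active" and cls == "malware":
            active.append((m.group("path"), m.group("name")))
    return {
        "active_malware": active,
        "families": Counter(family_of(n) for _, n in active),
        "counts": counts,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for path, name in result["active_malware"]:
        print(f"ACTIVE  {name:40s} {path}")
    print("families still live:", dict(result["families"]))
    print("counts:", dict(result["counts"]))
```

Run against the full report, the "active" bucket is the work list; the restore-point copies are dealt with by purging System Restore once the live files are gone, and every "Object is locked" line is a file the scanner never looked at, which matters for the registry hives and event logs listed.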

  3. #23
    CalamityJane (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Central Florida, USA
    Posts
    651


    True, the VNC program is not a trojan (it says so, in fact, with the tag "Not a Virus" - Remote Admin tool); it is just pointing out to you that you have a remote admin tool installed, because some malware can deposit those on an infected machine for malicious purposes, but it can also be installed by a user on purpose. If that is the case and you did install it on purpose, it is fine to ignore the VNC "detection". But the others, ugh! This machine has been very badly infected and it has likely done damage to the system that may not be fixable at this point.

    The numerous trojans on there are alarming and very nasty. It is more than just Vundo. Many program files have been infected to run the virus when you run those programs (trojan awf).

    If you have been considering a reformat/reinstall this would be a good reason to wipe the machine and start over with a fresh install.

    Is there some reason that wasn't done before the machine was put up for auction?

    I hope there wasn't any sensitive data left on that machine because at least one of the trojans found by KAV is a password and information stealer (family of trojans named Bzub): These types of trojans compromise system security by providing authentication information (logon, passwords, credit card numbers, etc.) to malicious users. This trojan steals the logon information of some Online Bank accounts. Aside from that, it also steals e-mail accounts and passwords that are stored in the user's computer system.


    What do you wish to do? I can't guarantee we can get this all cleaned up with satisfactory results because of the damage to system and program files I already see there.
    Last edited by CalamityJane; 2008-01-18 at 19:32. Reason: grammar/spelling edit

  4. #24
    Member
    Join Date
    Jan 2008
    Posts
    36


    Hi, Jane - if you're willing, let's try to clean it up. In the following, I explain why I'd like to try, and why it's not a problem if you want to decline... it's my usual verbosity gone amok, so feel free to skip it!

    This machine doesn't get used for much other than 'net connection, and that normally with FF and Thunderbird... I also used it for Open Office work, mostly Writer and Calc. Although slightly flaky, it wasn't manifesting any great problems until just before the holidays when an acquaintance asked me to help her create some biz-card size handouts for campaigning... I made her a two-sided 2 x 10 standard biz-card document using OO Writer and saved as .doc for her Office, but she was having trouble with it on her computer - I had noticed that MS Office was on here although I'd never used it, so I ran Word (which is what she uses, although I advise everyone to use OO) on this computer (never before used any of the MS Office on here) to try to walk her through editing and printing (and to see if it worked on Word more or less the same as on Writer)... and I recall that when I ran Word, it popped up some MS-looking window wanting to register something to do with Office, which I simply closed... and that's when the grand fiasco began! As I said, I basically never used any of the other programs, so that's probably why it hung together for so long... I'm guessing that Word was (is) infected along with all the others.

    Other than OS files, I don't really care a lot about disinfecting Office or most of the rest of it - I can reinstall clean versions of Mozilla and Open Office - I'm more concerned that the sh!t on here doesn't get loose and infect my XP Pro system, so I'd be perfectly happy to erase as much of the infected stuff as possible (realizing that the registry will then be full of orphans and have to be cleaned out).

    This is a Dell notebook, and it does have the handy-dandy MS XP sticker on the bottom with the product key, so I presume I could install XP again without any extreme hassles, although I've never installed XP from scratch... I do have XP install discs, although not the ones for this box. Since I mainly use this for 'net access and writing (almost all of my programming work is done on Linux and I do use this computer for PuTTY to ssh to those computers) I am thinking that if we need to burn it down, I will try to reinstall XP and if that turns into a rat's nest, I'll install a Linux (FC 7 preferably, but my FC 7 install DVD only works on dual-layer capable DVD drives and I think this one won't handle it - maybe there's a way around that)... Mozilla and Open Office work just fine on Linux (I use them on a SuSE notebook all the time).

    Still, I'd like to try to disinfect (and then lock it up safe), if you have the time and the inclination, at least partly because so many of my friends and neighbors are Windowers and this storm of malware is all over the place (my two younger sons are pretty staunch Mac users, so they have a tendency to ignore the whole mess... if I were into music and video as they are, I'd probably go the same way... you?)

    So... if you will, let's try to clean it... and if you say no, I will most certainly understand!

    Thanks, again!

  5. #25
    Member
    Join Date
    Jan 2008
    Posts
    36


    Quote Originally Posted by CalamityJane View Post
    True the VNC program is not a trojan (says so, infact with the tag of "Not a Virus" - Remote Admin tool) is just pointing out to you that you have remote admin tool installed
    Sure - I knew that, but I wasn't sure if you were referring to it, or to the LogMeIn, or something other, that's all!

    Thanks!

  6. #26
    CalamityJane (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Central Florida, USA
    Posts
    651


    We have a number of things to consider here.

    1. The prior state of this computer and the information that is contained on it - it obviously belongs to a former user and has not been wiped. Meanwhile it was infected with an information-stealing trojan... compromised - hacked. Owned by someone else. This computer may have other people's data on it and that needs to be addressed (the compromise is a past event that has happened already). Information may have been stolen from it and passed on to malicious strangers for use in data theft, identity theft, etc. That info may have ended up in the hands of a malicious attacker - do you understand that? I'm concerned if these machines are being auctioned without being wiped first, especially if they came from a government office. Is there government data still on there? The profile certainly is, and that may likely be compromised as well.

    2. The current state of the machine. You need to keep this off the net as much as possible and only where necessary. Do you have a clean computer from which you can connect to the net to get instructions?

    3. I'm going to have to go back through these logs posted to see what all has been done to it by the malware authors and what might be able to be fixed, some of which we may never know. It doesn't sound like you can do a reinstall unless you have recovery disks from Dell somewhere, and it may be difficult to replace system files if they were totally wiped out.

    4. Does this machine even validate as genuine Windows? If not, we won't be able to get you the SP2 update that it needs (and subsequent Windows critical security updates). Even if we can clean this up, operating at your current level of XP SP1 is a security risk and certainly is vulnerable to future attack. Do you understand the importance of the fact it does not have Windows SP2 at all?
    Last edited by CalamityJane; 2008-01-18 at 20:50. Reason: fixed spelling

  7. #27
    CalamityJane (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Central Florida, USA
    Posts
    651


    This machine has numerous difficult-to-remove trojans; it's going to take quite a few steps to address them.

    First, the awf trojan infects valid software programs so it continues to run and respawn if you run any of the affected programs. Therefore I need a report from this free tool to try to identify which ones have been infected and where the clean backups might be (if they are there).

    You should be able to download these from a clean computer and put them on CD or removable media to transfer to the affected machine so that you can keep it off the net.

    Click here to download FindAWF.exe and save it to your desktop.
    http://noahdfear.geekstogo.com/FindAWF.exe

    * Double-click on the FindAWF.exe file to run it.
    * It will open a command prompt and ask you to "Press any key to continue".
    * You will be presented with a Menu.

    * Press 1 then press Enter.
    * Come back here to this thread and copy and paste the contents of the AWF.txt file in your next reply.

    .........................
    Next tool:

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log


    There will be more, but let's see what those produce before going to the next step.
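The awf pattern the post describes leaves a recognisable trace on disk: the real program file is moved into a "bak" subfolder and a much smaller loader takes its place, which is exactly what FindAWF lists (in the report that follows, the live DSAgnt.exe is 24,588 bytes against a 306,688-byte copy in bak). The check below is an added example, not the FindAWF tool and not part of the original post: it walks a tree, pairs every file in a folder named "bak" with the same-named file one level up, and hashes both to tell a genuine swap from a harmless backup. The directory tree it scans is constructed in a temporary folder with placeholder bytes; nothing about real executables is assumed.

```python
"""Find program files that have been replaced, with the original parked in a sibling "bak" folder."""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large binaries need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_bak_pairs(root, bak_name="bak"):
    """For every file inside a folder named `bak_name`, compare it with the
    same-named file in the parent folder.

    status: replaced       live file differs from the backup (awf-style swap)
            identical      same bytes, nothing to do
            orphan_backup  backup exists but the live file is gone
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        folder = Path(dirpath)
        if folder.name.lower() != bak_name:   # exact folder name only; "3-00-606.bak" is not matched
            continue
        for name in filenames:
            backup = folder / name
            live = folder.parent / name
            entry = {"name": name, "backup": str(backup), "backup_size": backup.stat().st_size}
            if not live.is_file():
                entry.update(live=None, live_size=None, status="orphan_backup")
            else:
                entry.update(
                    live=str(live),
                    live_size=live.stat().st_size,
                    status="identical" if sha256_of(live) == sha256_of(backup) else "replaced",
                )
            findings.append(entry)
    return findings


def build_demo_tree() -> Path:
    """Constructed layout: one swapped pair (mirrors DSAgnt.exe in the report, where the
    live file is far smaller than the one in bak), one clean pair, one orphaned backup.
    File contents are placeholder bytes, not real executables."""
    root = Path(tempfile.mkdtemp(prefix="awf_demo_"))
    dell = root / "Program Files" / "Dell Support"
    (dell / "bak").mkdir(parents=True)
    (dell / "bak" / "DSAgnt.exe").write_bytes(b"MZ" + b"\x00" * 4096)  # stands in for the original
    (dell / "DSAgnt.exe").write_bytes(b"MZ" + b"\x90" * 256)           # stands in for the loader
    app = root / "Program Files" / "SomeApp"
    (app / "bak").mkdir(parents=True)
    (app / "bak" / "app.exe").write_bytes(b"MZ" + b"\x01" * 1024)
    (app / "app.exe").write_bytes(b"MZ" + b"\x01" * 1024)
    gone = root / "Program Files" / "Gone" / "bak"
    gone.mkdir(parents=True)
    (gone / "old.exe").write_bytes(b"MZ" + b"\x02" * 512)
    return root


def demo() -> dict:
    """Build the constructed tree, scan it, clean up, and return findings keyed by file name."""
    root = build_demo_tree()
    try:
        return {f["name"]: f for f in find_bak_pairs(root)}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for name, f in sorted(demo().items()):
        print(f"{f['status']:14s} {name:12s} live={f['live_size']} bak={f['backup_size']}")
```

A "replaced" verdict is a lead, not proof: the bak copy is only worth restoring after its hash or publisher signature has been checked against a known-good copy of that program, since the loader may have been written there too. Matching the folder name exactly also keeps version-numbered update folders such as the LogMeIn "3-00-606.bak" in the report out of the list.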

  8. #28
    Member
    Join Date
    Jan 2008
    Posts
    36


    Find AWF report by noahdfear ©2006
    Version 1.40

    The current date is: Fri 01/18/2008
    The current time is: 14:12:09.99


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\REMOVED\DELLSU~1\BAK

    07/19/2004 07:51 AM 306,688 DSAgnt.exe
    1 File(s) 306,688 bytes

    Directory of C:\PROGRA~1\LOGMEIN\X86\UPDATE\3-00-606.BAK

    05/25/2007 02:21 PM 3,993,935 template.rab
    04/05/2007 10:55 AM 5,759 WapClients.cfg
    2 File(s) 3,999,694 bytes

    Directory of C:\PROGRA~1\REMOVED\BROADC~1\CLIENT~1\BAK

    09/10/2002 09:26 PM 368,706 CFD.exe
    1 File(s) 368,706 bytes

    Directory of C:\PROGRA~1\REMOVED\DELL\ACCESS~1\BAK

    11/01/2002 04:47 PM 208,560 dadapp.exe
    1 File(s) 208,560 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    24588 Jan 25 2007 "C:\Program Files\removed\Dell Support\DSAgnt.exe"
    306688 Jul 19 2004 "C:\Program Files\removed\Dell Support\bak\DSAgnt.exe"
    4817711 Nov 27 2007 "C:\Program Files\LogMeIn\template.rab"
    3993935 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\template.rab"
    5750 Nov 27 2007 "C:\Program Files\LogMeIn\WapClients.cfg"
    5759 Apr 5 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\WapClients.cfg"
    87352 Nov 27 2007 "C:\WINDOWS\SYSTEM32\LMIinit.dll"
    80696 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIinit.dll"
    87352 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIinit.dll"
    14912 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIinit.dll"
    63040 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIinit.dll"
    23736 Nov 27 2007 "C:\WINDOWS\SYSTEM32\lmimirr.dll"
    34104 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMImirr.dll"
    23736 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMImirr.dll"
    34368 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMImirr.dll"
    24000 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMImirr.dll"
    10040 Nov 27 2007 "C:\WINDOWS\SYSTEM32\lmimirr2.dll"
    13112 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMImirr2.dll"
    10040 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMImirr2.dll"
    13376 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMImirr2.dll"
    10304 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMImirr2.dll"
    21496 Nov 27 2007 "C:\WINDOWS\SYSTEM32\LMIport.dll"
    24376 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIport.dll"
    21496 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIport.dll"
    29248 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIport.dll"
    26176 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIport.dll"
    17720 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIprinter.dll"
    15160 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIprinter.dll"
    15160 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\LMIprinter.dll"
    21568 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIprinter.dll"
    16960 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIprinter.dll"
    15160 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\LMIprinter.dll"
    18744 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIprinterui.dll"
    15752 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIprinternt.dll"
    16696 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\LMIprinterui.dll"
    22080 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIprinterui.dll"
    12192 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIprinternt.dll"
    16696 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\LMIprinterui.dll"
    30008 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIproc.dll"
    28472 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIproc.dll"
    28472 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\LMIproc.dll"
    34368 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIproc.dll"
    30784 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIproc.dll"
    83288 Nov 27 2007 "C:\WINDOWS\SYSTEM32\LMIRfsClientNP.dll"
    87384 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIRfsClientNP.dll"
    83288 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIRfsClientNP.dll"
    87648 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIRfsClientNP.dll"
    83552 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIRfsClientNP.dll"
    4743480 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LogMeIn.dll"
    3892536 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LogMeIn.dll"
    3332672 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LogMeIn.dll"
    2635328 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LogMeIn.dll"
    540480 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LogMeInSystray.dll"
    460096 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LogMeInSystray.dll"
    517192 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LogMeInSystray.dll"
    443976 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LogMeInSystray.dll"
    1284416 Nov 27 2007 "C:\Program Files\LogMeIn\x64\openssl.exe"
    869696 Nov 27 2007 "C:\Program Files\LogMeIn\x86\openssl.exe"
    1284680 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\openssl.exe"
    869960 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\openssl.exe"
    945984 Nov 27 2007 "C:\Program Files\LogMeIn\x64\raabout.exe"
    697664 Nov 27 2007 "C:\Program Files\LogMeIn\x86\raabout.exe"
    1014344 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\raabout.exe"
    730696 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\raabout.exe"
    475136 Nov 27 2007 "C:\Program Files\LogMeIn\x64\racodec.ax"
    319488 Nov 27 2007 "C:\Program Files\LogMeIn\x86\racodec.ax"
    483840 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\racodec.ax"
    327680 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\racodec.ax"
    240952 Nov 27 2007 "C:\Program Files\LogMeIn\x64\rahook.dll"
    193848 Nov 27 2007 "C:\Program Files\LogMeIn\x86\rahook.dll"
    239680 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\rahook.dll"
    194112 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\rahook.dll"
    827200 Nov 27 2007 "C:\Program Files\LogMeIn\x64\rainst.exe"
    599360 Nov 27 2007 "C:\Program Files\LogMeIn\x86\rainst.exe"
    824392 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\rainst.exe"
    599624 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\rainst.exe"
    120128 Nov 27 2007 "C:\Program Files\LogMeIn\x64\ramaint.exe"
    116032 Nov 27 2007 "C:\Program Files\LogMeIn\x86\ramaint.exe"
    119368 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\ramaint.exe"
    112200 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\ramaint.exe"
    55104 Nov 27 2007 "C:\Program Files\LogMeIn\x64\ra_reboot.exe"
    58688 Nov 27 2007 "C:\Program Files\LogMeIn\x86\ra_reboot.exe"
    55368 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\ra_reboot.exe"
    58952 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\ra_reboot.exe"
    112952 Nov 27 2007 "C:\Program Files\LogMeIn\x64\rntfywnd.dll"
    111928 Nov 27 2007 "C:\Program Files\LogMeIn\x86\rntfywnd.dll"
    113216 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\rntfywnd.dll"
    112192 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\rntfywnd.dll"
    42552 Feb 1 1993 "C:\JP\ZIP.EXE"
    324416 Nov 27 2007 "C:\Program Files\LogMeIn\x64\zip.exe"
    226624 Nov 27 2007 "C:\Program Files\LogMeIn\x86\zip.exe"
    42552 Feb 1 1993 "C:\Documents and Settings\SHIRLEY WILLIAMS\My Documents\JP\ZIP.EXE"
    324680 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\zip.exe"
    226888 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\zip.exe"
    87352 Nov 27 2007 "C:\WINDOWS\SYSTEM32\LMIinit.dll"
    80696 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIinit.dll"
    87352 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIinit.dll"
    14912 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIinit.dll"
    63040 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIinit.dll"
    23736 Nov 27 2007 "C:\WINDOWS\SYSTEM32\lmimirr.dll"
    34104 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMImirr.dll"
    23736 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMImirr.dll"
    34368 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMImirr.dll"
    24000 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMImirr.dll"
    10040 Nov 27 2007 "C:\WINDOWS\SYSTEM32\lmimirr2.dll"
    13112 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMImirr2.dll"
    10040 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMImirr2.dll"
    13376 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMImirr2.dll"
    10304 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMImirr2.dll"
    21496 Nov 27 2007 "C:\WINDOWS\SYSTEM32\LMIport.dll"
    24376 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIport.dll"
    21496 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIport.dll"
    29248 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIport.dll"
    26176 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIport.dll"
    17720 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIprinter.dll"
    15160 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIprinter.dll"
    15160 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\LMIprinter.dll"
    21568 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIprinter.dll"
    16960 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIprinter.dll"
    15160 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\LMIprinter.dll"
    18744 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIprinterui.dll"
    15752 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIprinternt.dll"
    16696 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\LMIprinterui.dll"
    22080 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIprinterui.dll"
    12192 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIprinternt.dll"
    16696 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\LMIprinterui.dll"
    16696 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIprinterui.dll"
    16696 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\LMIprinterdat.dll"
    16960 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIprinterui.dll"
    16696 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\DRIVERS\W32X86\3\LMIprinterdat.dll"
    21264 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIprinteruint.dll"
    16448 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIprinteruint.dll"
    30008 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIproc.dll"
    28472 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIproc.dll"
    28472 Nov 27 2007 "C:\WINDOWS\SYSTEM32\SPOOL\PRTPROCS\W32X86\LMIproc.dll"
    34368 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIproc.dll"
    30784 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIproc.dll"
    24024 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIprocnt.dll"
    17472 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIprocnt.dll"
    83288 Nov 27 2007 "C:\WINDOWS\SYSTEM32\LMIRfsClientNP.dll"
    87384 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LMIRfsClientNP.dll"
    83288 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LMIRfsClientNP.dll"
    87648 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LMIRfsClientNP.dll"
    83552 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LMIRfsClientNP.dll"
    4743480 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LogMeIn.dll"
    3892536 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LogMeIn.dll"
    3332672 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LogMeIn.dll"
    2635328 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LogMeIn.dll"
    540480 Nov 27 2007 "C:\Program Files\LogMeIn\x64\LogMeInSystray.dll"
    460096 Nov 27 2007 "C:\Program Files\LogMeIn\x86\LogMeInSystray.dll"
    517192 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\LogMeInSystray.dll"
    443976 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\LogMeInSystray.dll"
    1284416 Nov 27 2007 "C:\Program Files\LogMeIn\x64\openssl.exe"
    869696 Nov 27 2007 "C:\Program Files\LogMeIn\x86\openssl.exe"
    1284680 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\openssl.exe"
    869960 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\openssl.exe"
    945984 Nov 27 2007 "C:\Program Files\LogMeIn\x64\raabout.exe"
    697664 Nov 27 2007 "C:\Program Files\LogMeIn\x86\raabout.exe"
    1014344 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\raabout.exe"
    730696 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\raabout.exe"
    475136 Nov 27 2007 "C:\Program Files\LogMeIn\x64\racodec.ax"
    319488 Nov 27 2007 "C:\Program Files\LogMeIn\x86\racodec.ax"
    483840 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\racodec.ax"
    327680 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\racodec.ax"
    240952 Nov 27 2007 "C:\Program Files\LogMeIn\x64\rahook.dll"
    193848 Nov 27 2007 "C:\Program Files\LogMeIn\x86\rahook.dll"
    239680 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\rahook.dll"
    194112 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\rahook.dll"
    12088 Nov 27 2007 "C:\Program Files\LogMeIn\x86\rahook9x.dll"
    12352 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\rahook9x.dll"
    827200 Nov 27 2007 "C:\Program Files\LogMeIn\x64\rainst.exe"
    599360 Nov 27 2007 "C:\Program Files\LogMeIn\x86\rainst.exe"
    824392 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\rainst.exe"
    599624 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\rainst.exe"
    120128 Nov 27 2007 "C:\Program Files\LogMeIn\x64\ramaint.exe"
    116032 Nov 27 2007 "C:\Program Files\LogMeIn\x86\ramaint.exe"
    119368 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\ramaint.exe"
    112200 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\ramaint.exe"
    55104 Nov 27 2007 "C:\Program Files\LogMeIn\x64\ra_reboot.exe"
    58688 Nov 27 2007 "C:\Program Files\LogMeIn\x86\ra_reboot.exe"
    55368 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\ra_reboot.exe"
    58952 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\ra_reboot.exe"
    172352 Nov 27 2007 "C:\Program Files\LogMeIn\x86\ra_sc.exe"
    172616 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\ra_sc.exe"
    112952 Nov 27 2007 "C:\Program Files\LogMeIn\x64\rntfywnd.dll"
    111928 Nov 27 2007 "C:\Program Files\LogMeIn\x86\rntfywnd.dll"
    113216 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\rntfywnd.dll"
    112192 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\rntfywnd.dll"
    42552 Feb 1 1993 "C:\JP\ZIP.EXE"
    324416 Nov 27 2007 "C:\Program Files\LogMeIn\x64\zip.exe"
    226624 Nov 27 2007 "C:\Program Files\LogMeIn\x86\zip.exe"
    42552 Feb 1 1993 "C:\Documents and Settings\SHIRLEY WILLIAMS\My Documents\JP\ZIP.EXE"
    324680 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x64\zip.exe"
    226888 May 25 2007 "C:\Program Files\LogMeIn\x86\update\3-00-606.bak\x86\zip.exe"
    24588 Jan 25 2007 "C:\Program Files\removed\Broadchump\Client Foundation\CFD.exe"
    368706 Sep 10 2002 "C:\Program Files\removed\Broadchump\Client Foundation\bak\CFD.exe"
    208560 Nov 1 2002 "C:\Program Files\removed\Dell\AccessDirect\bak\dadapp.exe"


    end of report

  9. #29
    Member
    Join Date
    Jan 2008
    Posts
    36

    Default

    SDFix: Version 1.127

    Run by SHIRLEY WILLIAMS on Fri 01/18/2008 at 02:32 PM

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:


    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    Trojan Files Found:

    C:\WINDOWS\SYSTEM32\SMTSMX~1.DLL - Deleted
    C:\WINDOWS\SYSTEM32\SPMSMT~1.DLL - Deleted
    C:\PROGRA~1\MSNGAM~1\LAVU - Deleted
    C:\PROGRA~1\MSNGAM~1\LAVU441 - Deleted




    Removing Temp Files...

    ADS Check:

    C:\WINDOWS
    No streams found.

    C:\WINDOWS\system32
    No streams found.

    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    catchme 0.3.1344.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-18 14:38:16
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden services & system hive ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

    Remaining Files:
    ---------------

    File Backups: - C:\SDFix\backups\backups.zip

    Files with Hidden Attributes:

    Tue 2 Aug 2005 187,904 A.SHR --- "C:\shit\U0hJUkxFWSBXSUxMSUFNUw\asappsrv.dll"
    Tue 2 Aug 2005 293,888 A.SHR --- "C:\shit\U0hJUkxFWSBXSUxMSUFNUw\command.exe"
    Fri 4 Jan 2008 1,043,800 A.SH. --- "C:\WINDOWS\horrible\ommudpvh.tmp"
    Sat 27 Jan 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Thu 17 Jan 2008 7,531,128 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\631bea423a2590540110f7e11fcbd692\BIT1.tmp"
    Sat 28 May 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp"
    Sat 28 May 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch2\lock.tmp"
    Sat 28 May 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch3\lock.tmp"
    Sat 28 May 2005 8 A..H. --- "C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch4\lock.tmp"

    Finished!






    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2:51:05 PM, on 1/18/2008
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\System32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\LogMeIn\x86\RaMaint.exe
    C:\Program Files\LogMeIn\x86\LogMeIn.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\NOTEPAD.EXE
    C:\Program Files\Logitech\Video\LogiTray.exe
    C:\Program Files\Logitech\iTouch\iTouch.exe
    C:\Program Files\LogMeIn\x86\LogMeInSystray.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\NETGEAR\WG111v2 Configuration Utility\RtlWake.exe
    C:\WINDOWS\System32\LVComS.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\WINDOWS\System32\cmd.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://co.brewster.tx.us/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [PrinTray] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\printray.exe
    O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
    O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
    O4 - HKLM\..\Run: [zBrowser Launcher] C:\Program Files\Logitech\iTouch\iTouch.exe
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKLM\..\Run: [LogMeIn GUI] "C:\Program Files\LogMeIn\x86\LogMeInSystray.exe"
    O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: WG111v2 Smart Wizard Wireless Setting.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O10 - Unknown file in Winsock LSP: rsvp32_2.dll
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {AA299E98-6FB5-409F-99D3-D30D749F4864} (kasRmtHlp Class) - http://kaseya.hardintech.com/inc/kaxRemote.dll
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{C4A43124-5643-4FFD-9FBF-74BB08C30948}: NameServer = 68.94.156.1,68.94.157.1
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: LogMeIn Maintenance Service (LMIMaint) - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\RaMaint.exe
    O23 - Service: LogMeIn - LogMeIn, Inc. - C:\Program Files\LogMeIn\x86\LogMeIn.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 6857 bytes

  10. #30
    Member of Team Spybot tashi's Avatar
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,959

    Default

    Sorry to slip in here.

    Quote Originally Posted by CalamityJane View Post
    We have a number of things to consider here.

    1. The prior state of this computer and the information that is contained on it - it obviously belongs to a former user and has not been wiped. Meanwhile it was infected with an information-stealing trojan... compromised - hacked. Owned by someone else. This computer may have other people's data on it, and that needs to be addressed (the compromise is a past event that has already happened). Information may have been stolen from it and passed on to malicious strangers for use in data theft, identity theft, etc. That info may have ended up in the hands of a malicious attacker - do you understand that? I'm concerned if these machines are being auctioned without being wiped first, especially if they came from a government office. Is there government data still on there? The profile certainly is, and that may likely be compromised as well.

    2. The current state of the machine. You need to keep this off the net as much as possible and connect only where necessary. Do you have a clean computer from which you can connect to the net to get instructions?

    3. I'm going to have to go back through these logs posted to see what all has been done to it by the malware authors and what might be able to be fixed, some of which we may never know. It doesn't sound like you can do a reinstall unless you have recovery disks from Dell somewhere, and it may be difficult to replace system files if they were totally wiped out.

    4. Does this machine even validate as genuine Windows? If not, we won't be able to get you the SP2 update that it needs (and subsequent Windows critical security updates). Even if we can clean this up, operating at your current level of XP SP1 is a security risk and certainly is vulnerable to future attack. Do you understand the importance of the fact that it does not have Windows SP2 at all?
    itsleo, please respond to those questions and also my PM, thank you.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
