
Thread: virtumonde problems

  1. #21
    Junior Member
    Join Date
    Mar 2008
    Posts
    14


    fsbl log first:

    03/09/08 13:34:22 [Info]: BlackLight Engine 1.0.67 initialized
    03/09/08 13:34:22 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    03/09/08 13:34:22 [Note]: 7019 4
    03/09/08 13:34:22 [Note]: 7005 0
    03/09/08 13:34:26 [Note]: 7006 0
    03/09/08 13:34:26 [Note]: 7022 0
    03/09/08 13:34:26 [Note]: 7011 544
    03/09/08 13:34:27 [Note]: 7026 0
    03/09/08 13:34:27 [Note]: 7026 0
    03/09/08 13:34:29 [Note]: FSRAW library version 1.7.1024
    03/09/08 13:39:51 [Note]: 2000 1012
    03/09/08 13:40:06 [Note]: 7007 0


    Managed to delete the dmukb.exe file using Safe Mode, then tried to fix the two items from the HJT log, although having done that they both still appear to be there. Log attached:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 13:45:05, on 09/03/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE
    C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\System32\PhnxCDSvr.exe
    C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
    C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
    C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE" VBStart
    O4 - HKLM\..\Run: [Guard] "C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" /background
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [EPSON Stylus Photo R240 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE /P30 "EPSON Stylus Photo R240 Series" /O6 "USB001" /M "Stylus Photo R240"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
    O4 - Global Startup: Picture Package Menu.lnk = ?
    O4 - Global Startup: Picture Package VCD Maker.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.com/download.yaho...1/yregucfg.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{046EC07B-EAC4-4E85-9420-64177DEC1AA1}: NameServer = 85.255.113.90 85.255.112.74
    O17 - HKLM\System\CS1\Services\Tcpip\..\{046EC07B-EAC4-4E85-9420-64177DEC1AA1}: NameServer = 85.255.113.90 85.255.112.74
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: Phoenix VCD Service (PhnxVCDService) - Phoenix Technologies Ltd. - C:\WINDOWS\System32\PhnxCDSvr.exe

    --
    End of file - 7645 bytes

  2. #22
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Thanks...BlackLight is clean, remove the tool from your computer.

    You may have needed to do a reboot to clean that information (dmukb.exe). Now that it is gone, try HJT on those items again. If they are still there, then try this:

    In the Windows Control Panel, if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection (usually Local Area Connection for cable and DSL) and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically.
    Press OK twice to get out of the properties screen and reboot if it asks.
    That option might not be available on some systems.
    Next, go Start > Run, type cmd and hit OK.
    Type ipconfig /flushdns
    then hit Enter; type exit, hit Enter.
    (that space between g and / is needed)

    If that does not work, contact your Internet Service Provider, explain what your issue is, and that you were badly infected. Ask for their help resetting your information.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  3. #23
    Junior Member
    Join Date
    Mar 2008
    Posts
    14


    Shutting down and restarting seems to have worked; I did not do this between deleting dmukb.exe and running HJT before. New log attached:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 14:12:34, on 09/03/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Ahead\InCD\InCDsrv.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\mcafee.com\agent\mcdetect.exe
    c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\VTTimer.exe
    C:\WINDOWS\system32\VTtrayp.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE
    C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe
    C:\Program Files\Ahead\InCD\InCD.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
    C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
    C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
    C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
    C:\WINDOWS\System32\PhnxCDSvr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
    O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
    O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE" VBStart
    O4 - HKLM\..\Run: [Guard] "C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" /background
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
    O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
    O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
    O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
    O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
    O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
    O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
    O4 - HKLM\..\Run: [EPSON Stylus Photo R240 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE /P30 "EPSON Stylus Photo R240 Series" /O6 "USB001" /M "Stylus Photo R240"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
    O4 - Global Startup: Picture Package Menu.lnk = ?
    O4 - Global Startup: Picture Package VCD Maker.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.com/download.yaho...1/yregucfg.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/...toUploader.cab
    O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/sof...iveXPlugin.cab
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
    O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
    O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
    O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
    O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
    O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
    O23 - Service: Phoenix VCD Service (PhnxVCDService) - Phoenix Technologies Ltd. - C:\WINDOWS\System32\PhnxCDSvr.exe

    --
    End of file - 7368 bytes
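As an added example (not code from the thread, from HijackThis or from the helper), a small Python parser that groups HijackThis O-lines by section, flags O17 NameServer entries that point at neither a private LAN address nor an expected resolver, and diffs the two logs posted in #21 and #23 to show which entries disappeared after the reboot. The two sample logs are trimmed, constructed copies of those posts; EXPECTED_DNS is an assumed (here empty) allow-list, since the fix in #22 is to obtain DNS automatically.

```python
"""Parse HijackThis O-lines, flag hard-coded O17 NameServers, diff two logs.

Added example for this thread; not part of HijackThis or the forum posts.
"""
import ipaddress
import re
from typing import Dict, List, Set, Tuple

# Assumption: resolvers this network is expected to have hard-coded. The
# thread's fix is "Obtain DNS servers automatically", so the set is empty and
# every hard-coded public NameServer is treated as suspicious.
EXPECTED_DNS: Set[str] = set()

# A NameServer pointing at the local router (RFC 1918 / loopback) is normal
# and should not be flagged.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

O_LINE = re.compile(r"^(O\d+)\s+-\s+(.*)$")      # "O17 - HKLM\...: NameServer = ..."
O17_NS = re.compile(r"NameServer\s*=\s*(.+)$")  # one or more space-separated IPs


def parse_hjt(text: str) -> Dict[str, List[str]]:
    """Group the O-lines of a HijackThis log by section (O2, O4, O17, ...).
    Process lists, headers and blank lines do not match and are ignored."""
    sections: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        m = O_LINE.match(raw.strip())
        if m:
            sections.setdefault(m.group(1), []).append(m.group(2))
    return sections


def _is_private(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in PRIVATE_NETS)


def suspicious_nameservers(sections: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (registry_key, ip) for every O17 NameServer that is neither
    expected nor private. HJT lists the Tcpip key once per control set
    (CCS, CS1, ...), so a single hijack normally shows up more than once."""
    found: List[Tuple[str, str]] = []
    for entry in sections.get("O17", []):
        m = O17_NS.search(entry)
        if not m:
            continue
        key = entry.split(":", 1)[0]          # text before ": NameServer"
        for ip in m.group(1).split():
            if ip not in EXPECTED_DNS and not _is_private(ip):
                found.append((key, ip))
    return found


def diff_logs(before: str, after: str) -> Dict[str, List[str]]:
    """Entries present in the first log and gone in the second, by section."""
    b, a = parse_hjt(before), parse_hjt(after)
    removed: Dict[str, List[str]] = {}
    for sec, entries in b.items():
        gone = [e for e in entries if e not in a.get(sec, [])]
        if gone:
            removed[sec] = gone
    return removed


# Constructed samples: trimmed versions of the logs posted in #21 and #23.
LOG_BEFORE = """\
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{046EC07B-EAC4-4E85-9420-64177DEC1AA1}: NameServer = 85.255.113.90 85.255.112.74
O17 - HKLM\\System\\CS1\\Services\\Tcpip\\..\\{046EC07B-EAC4-4E85-9420-64177DEC1AA1}: NameServer = 85.255.113.90 85.255.112.74
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\\Program Files\\Ahead\\InCD\\InCDsrv.exe
"""
LOG_AFTER = """\
O4 - HKLM\\..\\Run: [SoundMan] SOUNDMAN.EXE
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\\Program Files\\Ahead\\InCD\\InCDsrv.exe
"""

if __name__ == "__main__":
    for key, ip in suspicious_nameservers(parse_hjt(LOG_BEFORE)):
        print(f"suspicious DNS server {ip} set under {key}")
    for sec, entries in diff_logs(LOG_BEFORE, LOG_AFTER).items():
        print(f"{sec}: {len(entries)} entries present before, gone after")
```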

  4. #24
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    Let's run a last Kaspersky to make sure nothing is hiding. Remove all programs we downloaded for the cleanup that you have not removed (you may keep ATF-Cleaner if you wish), then run Kaspersky using these settings.

    * The program will launch and then begin downloading the latest definition files:
    * Once the files have been downloaded click on NEXT
    * Now click on Scan Settings
    * In the scan settings make sure that the following are selected:
    * Scan using the following Anti-Virus database:
    * Standard
    * Scan Options:
    * Scan Archives
    * Scan Mail Bases
    * Click OK
    * Now under select a target to scan:
    * Select My Computer
    * This program will start and scan your system.
    * The scan will take a while so be patient and let it run.
    * Once the scan is complete it will display if your system has been infected.
    * Now click on the Save as Text button:
    * Save the file to your desktop.

    Then post it here. <<< I do not need to see a clean scan result. I will post this information for you now so you can benefit from it.

    Some good information for you:
    http://users.telenet.be/bluepatchy/m...wcomputer.html
    http://www.microsoft.com/windowsxp/u...s/mcgill1.mspx

    Here is some great information from experts in this field that will help you stay clean and safe online.
    http://users.telenet.be/bluepatchy/m...revention.html
    http://forums.spybot.info/showthread.php?t=279
    http://russelltexas.com/malware/allclear.htm
    http://forum.malwareremoval.com/viewtopic.php?t=14
    http://www.bleepingcomputer.com/forums/topict2520.html
    http://cybercoyote.org/security/not-admin.shtml

    http://www.malwarecomplaints.info/

    Thanks...pskelley
    Safer Networking Forums
    http://www.spybot.info/en/donate/index.html
    If you are reading this information...thank a teacher,
    If you are reading it in English...thank a soldier.

  5. #25
    Junior Member
    Join Date
    Mar 2008
    Posts
    14


    Unfortunately not a clean scan, so here it is attached; Vundo seems to have gone though. Many thanks for all your help so far.

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Sunday, March 09, 2008 3:23:04 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 9/03/2008
    Kaspersky Anti-Virus database records: 561097
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: standard
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 56443
    Number of viruses found: 10
    Number of infected objects: 51
    Number of suspicious objects: 0
    Duration of the scan process: 00:50:12

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd000.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
    C:\Documents and Settings\Andrew\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Andrew\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Andrew\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Andrew\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Andrew\Local Settings\History\History.IE5\MSHist012008030920080310\index.dat Object is locked skipped
    C:\Documents and Settings\Andrew\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Andrew\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Andrew\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Andrew\UserData\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\BT Broadband Basic Help\log\mpbtn.log Object is locked skipped
    C:\Program Files\Phoenix Technologies\cME\Guard\monitor.log Object is locked skipped
    C:\Program Files\Phoenix Technologies\cME\Guard\repair.log Object is locked skipped
    C:\RECYCLER\S-1-5-21-448539723-1645522239-839522115-1003\Dc2.exe Infected: Trojan.Win32.Small.fb skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0033995.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0033996.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0033997.exe Infected: Trojan.Win32.Obfuscated.oy skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0034006.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0034007.exe Infected: Trojan.Win32.Obfuscated.oy skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0034008.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0034022.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0034023.exe Infected: Trojan.Win32.Obfuscated.oy skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0034024.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0034030.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0034031.exe Infected: Trojan.Win32.Obfuscated.oy skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0034032.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP502\A0034044.exe Infected: Trojan.Win32.Obfuscated.oy skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP502\A0034045.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP502\A0034046.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP503\A0034071.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP503\A0034072.exe Infected: Trojan.Win32.Obfuscated.oy skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP503\A0034073.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP504\A0034080.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP504\A0034081.exe Infected: Trojan.Win32.Obfuscated.oy skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP504\A0034082.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP504\A0034093.exe Infected: Trojan.Win32.Obfuscated.oy skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP504\A0034094.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP504\A0034095.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP505\A0034114.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP505\A0034115.exe Infected: Trojan.Win32.Obfuscated.oy skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP505\A0034116.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP505\A0034123.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP505\A0034124.exe Infected: Trojan.Win32.Obfuscated.oy skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP505\A0034125.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP506\A0034131.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP506\A0034132.exe Infected: Trojan.Win32.Obfuscated.oy skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP506\A0034133.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP507\A0034170.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP507\A0034171.exe Infected: Trojan.Win32.Obfuscated.oy skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP507\A0034172.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034180.exe Infected: Trojan.Win32.Obfuscated.oy skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034187.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034188.exe Infected: Trojan.Win32.Obfuscated.oy skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034189.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034195.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034196.exe Infected: Trojan.Win32.Obfuscated.oy skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034197.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034201.exe Infected: Trojan-Downloader.Win32.Zlob.hxe skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034202.exe Infected: Trojan-Downloader.Win32.Zlob.hwt skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034205.exe Infected: Trojan-Downloader.Win32.Zlob.hwr skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034206.dll Infected: Trojan-Downloader.Win32.Zlob.hxd skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034207.exe Infected: Trojan-Downloader.Win32.Zlob.hxf skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP511\A0035384.exe Infected: Trojan-Downloader.Win32.Zlob.hwt skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP516\A0035519.dll Infected: Trojan-Downloader.Win32.Agent.jbo skipped
    C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP521\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

  6. #26
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    KASPERSKY ONLINE SCANNER REPORT Sunday, March 09, 2008 3:23:04 PM

    1) C:\RECYCLER\ <<< empty the Recycle Bin on the Desktop.

    2) Restart the computer

    3) Clean infected System Restore files.
    Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    Reboot

    Turn ON System Restore,
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK.

    4) Safe surfing:
    http://www.google.com/search?hl=en&q...ng&btnG=Search

    Thanks
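The triage in the reply above (Recycle Bin entry versus detections sitting only in System Restore points) as an added Python example; it is not Kaspersky's code nor the helper's. It separates "Object is locked skipped" lines (in-use system files, not detections) from "Infected:" lines, buckets detections by where they live on disk, and maps each bucket to the clean-up step given in the thread. The sample report is a constructed excerpt of the report posted in #25.

```python
"""Triage a Kaspersky Online Scanner report by detection location.

Added example for this thread; not part of Kaspersky's or the forum's code.
Windows XP layout is assumed: C:\\RECYCLER for the Recycle Bin and
C:\\System Volume Information\\_restore{...}\\RPnnn for restore points.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

INFECTED = re.compile(r"^(?P<path>.+?)\s+Infected:\s+(?P<name>\S+)\s+(?P<action>\w+)$")
LOCKED = re.compile(r"^(?P<path>.+?)\s+Object is locked\s+skipped$")

# Clean-up step per location, as given in the reply above.
ACTIONS = {
    "recycle_bin": "empty the Recycle Bin",
    "system_restore": "turn System Restore off, reboot, turn it back on (purges restore points)",
    "active": "live file on disk: needs removal, not a housekeeping step",
}


def classify(path: str) -> str:
    """Bucket a detection by its location on disk."""
    p = path.lower()
    if p.startswith("c:\\recycler\\"):
        return "recycle_bin"
    if "\\system volume information\\_restore" in p:
        return "system_restore"
    return "active"


def parse_report(text: str) -> Tuple[List[Tuple[str, str]], int]:
    """Return ([(path, virus_name), ...] for infected objects, locked count)."""
    infected: List[Tuple[str, str]] = []
    locked = 0
    for line in text.splitlines():
        line = line.strip()
        m = INFECTED.match(line)
        if m:
            infected.append((m.group("path"), m.group("name")))
        elif LOCKED.match(line):
            locked += 1
    return infected, locked


def triage(text: str) -> dict:
    """Summarise detections per location and per family within each location."""
    infected, locked = parse_report(text)
    buckets: Dict[str, Counter] = defaultdict(Counter)
    for path, name in infected:
        buckets[classify(path)][name] += 1
    return {
        "infected_objects": len(infected),
        "distinct_families": len({name for _, name in infected}),
        "locked_skipped": locked,
        "by_location": {b: dict(c) for b, c in buckets.items()},
    }


def recommended_actions(summary: dict) -> List[str]:
    """One clean-up step per location that actually had detections."""
    return [ACTIONS[b] for b in sorted(summary["by_location"])]


# Constructed excerpt of the report posted in #25.
SAMPLE_REPORT = """\
Infected Object Name / Virus Name / Last Action
C:\\Documents and Settings\\Andrew\\NTUSER.DAT Object is locked skipped
C:\\RECYCLER\\S-1-5-21-448539723-1645522239-839522115-1003\\Dc2.exe Infected: Trojan.Win32.Small.fb skipped
C:\\System Volume Information\\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\\RP501\\A0033995.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
C:\\System Volume Information\\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\\RP501\\A0033996.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
C:\\System Volume Information\\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\\RP501\\A0033997.exe Infected: Trojan.Win32.Obfuscated.oy skipped
C:\\System Volume Information\\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\\RP516\\A0035519.dll Infected: Trojan-Downloader.Win32.Agent.jbo skipped
C:\\WINDOWS\\system32\\config\\SAM Object is locked skipped
Scan process completed.
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    for location, families in summary["by_location"].items():
        print(f"{location}: {sum(families.values())} object(s), {len(families)} family(ies)")
    for step in recommended_actions(summary):
        print("->", step)
```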
