KillSec still lives on - please can someone help me?

Fizzy

New member
Hi, I posted before, the link is http://forums.spybot.info/showthread.php?t=4023. I have managed to get rid of Teslaplus, Avenue A & Media Plex but KillSec is a die-hard trojan that I just cannot fix. Please can someone help me, I have tried everything! Thank you.

Here is a copy of my HJT log:


Logfile of HijackThis v1.99.1
Scan saved at 12:46:27 PM, on 4/27/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Hijackthis\HijackThis.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WinMedia] "C:\WINDOWS\System32\vxgame6.exe3584.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145070034968
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll
O20 - Winlogon Notify: directpt - directpt.dll (file missing)
O20 - Winlogon Notify: s_reg - notifysb.dll (file missing)
O21 - SSODL: ubtlbr - {847EF305-A06E-4C41-856B-A677631B0CDE} - ubtlbr.dll (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
 
Sorry to post again, it seems that as soon as I think I have gotten rid of the 4 trojans I had, they are back again when I have run spybot a couple of times - it cleans them up again but how come they are coming back? Any suggestions?
 
Can we see a fresh Hijackthis log please? :)

I'll be glad to help you from here on out
 
Hi, thanks for your help. Please find attached my up-to-date HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 1:01:36 PM, on 4/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\WINDOWS\System32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\cisvc.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WinMedia] "C:\WINDOWS\System32\vxgame6.exe3584.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145070034968
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll
O20 - Winlogon Notify: directpt - directpt.dll (file missing)
O20 - Winlogon Notify: s_reg - notifysb.dll (file missing)
O21 - SSODL: ubtlbr - {847EF305-A06E-4C41-856B-A677631B0CDE} - ubtlbr.dll (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
 
Make sure your PC is configured to show hidden files
How to Show Hidden Files
http://www.xtra.co.nz/help/0,,4155-1916458,00.html

Click Start.

Open My Computer.

Select the Tools menu and click Folder Options.

Select the View Tab.

Under the Hidden files and folders heading select Show hidden files and folders.

Uncheck the Hide protected operating system files (recommended) option.

Click Yes to confirm.

Click OK.
.......................................
Open HijackThis and choose to do a *scan only*. When it finishes, place a checkmark next to the following and then press the *fix checked* button


O4 - HKCU\..\Run: [WinMedia] "C:\WINDOWS\System32\vxgame6.exe3584.exe"

O20 - Winlogon Notify: directpt - directpt.dll (file missing)

O20 - Winlogon Notify: s_reg - notifysb.dll (file missing)

O21 - SSODL: ubtlbr - {847EF305-A06E-4C41-856B-A677631B0CDE} - ubtlbr.dll (file missing)

Delete this file marked in bold:
C:\WINDOWS\System32\vxgame6.exe3584.exe

Reboot your computer.

Next -

Please download Rootkit Revealer
http://www.sysinternals.com/utilities/rootkitrevealer.html
(link is at the very bottom of the page)

Unzip it to your desktop.
Open the rootkitrevealer folder and double-click rootkitrevealer.exe
Click the Scan button (bottom right)
It may take a while to scan (don't do any other tasks or surfing while it's running)
When it's done, go up to File > Save. Choose to save it to your desktop.
Open rootkitrevealer.txt on your desktop and copy the entire contents and paste them here

Then please also post a fresh HijackThis log.
 
Not sure that this is what you need, the pc was acting a little 'off' after the scan, also I could not find a file called C:\WINDOWS\System32\vxgame6.exe3584.exe

Here is the RootkitRevealer log

C:\WINDOWS\System32\vxgame6.exe3584.exe



Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 2:53:27 PM, on 4/29/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\WINDOWS\System32\ctfmon.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\WINDOWS\system32\cisvc.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145070034968
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
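
Added example, not part of the original thread: a Python check that compares two HijackThis logs and lists which entries disappeared, which appeared, and which still say "(file missing)". The function names are this example's own; the two excerpts are shortened from the 1:01 PM and 2:53 PM logs above.

```python
import re

# One HijackThis entry: a section code (R1, O4, O20, ...), " - ", then the detail.
# Header lines and the "Running processes" paths do not match and are skipped.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<detail>.+)$")


def parse_hjt(log_text):
    """Return the set of (code, detail) entries found in a HijackThis log."""
    entries = set()
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.add((m.group("code"), m.group("detail")))
    return entries


def _order(entry):
    # Sort O4 before O20: section letter, numeric part, then the detail text.
    code, detail = entry
    return (code[0], int(code[1:]), detail)


def removed_entries(before, after):
    """Entries present in the earlier log but gone from the later one."""
    return sorted(before - after, key=_order)


def added_entries(before, after):
    """Entries that appear only in the later log (a sign of reinfection)."""
    return sorted(after - before, key=_order)


def file_missing(entries):
    """Entries whose target HijackThis reports as '(file missing)'."""
    return sorted((e for e in entries if e[1].endswith("(file missing)")), key=_order)


# Excerpt of the 1:01 PM log (shortened for this example).
BEFORE = r"""
Logfile of HijackThis v1.99.1
Scan saved at 1:01:36 PM, on 4/29/2006

Running processes:
C:\WINDOWS\Explorer.EXE

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WinMedia] "C:\WINDOWS\System32\vxgame6.exe3584.exe"
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: directpt - directpt.dll (file missing)
O20 - Winlogon Notify: s_reg - notifysb.dll (file missing)
O21 - SSODL: ubtlbr - {847EF305-A06E-4C41-856B-A677631B0CDE} - ubtlbr.dll (file missing)
"""

# Excerpt of the 2:53 PM log, taken after "fix checked" and a reboot.
AFTER = r"""
Logfile of HijackThis v1.99.1
Scan saved at 2:53:27 PM, on 4/29/2006

Running processes:
C:\WINDOWS\Explorer.EXE

O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
"""

if __name__ == "__main__":
    before, after = parse_hjt(BEFORE), parse_hjt(AFTER)
    for code, detail in removed_entries(before, after):
        print("removed:", code, "-", detail)
    for code, detail in added_entries(before, after):
        print("ADDED:  ", code, "-", detail)
    for code, detail in file_missing(after):
        print("still missing:", code, "-", detail)
```

Running the same comparison against each later log shows whether a removed entry has come back.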
 
There should be more info from the Rootkit Revealer to go with that file, however, let's use this tool:

Post a report from this tool. Download Blacklight from F-Secure
F-Secure Blacklight: http://www.f-secure.com/blacklight/try.shtml
Double-click on bibeta.exe to run it.
Click the *I accept* button near the bottom of that page.
Click > scan then > next, next again then exit.
There will be a new text file near Blacklight. Post it please. The text file is named:
fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
!!Do not rename any files yet
 
Does this look right?


04/29/06 15:44:05 [Info]: BlackLight Engine 1.0.36 initialized
04/29/06 15:44:05 [Info]: OS: 5.1 build 2600 (Service Pack 1)
04/29/06 15:44:05 [Note]: 7019 4
04/29/06 15:44:05 [Note]: 7005 0
04/29/06 15:44:11 [Note]: 7006 0
04/29/06 15:44:11 [Note]: 7011 1812
04/29/06 15:44:11 [Note]: 7026 0
04/29/06 15:44:11 [Note]: 7026 0
04/29/06 15:44:17 [Note]: FSRAW library version 1.7.1015
04/29/06 15:45:25 [Note]: 7007 0
 
Yes, that's good for Blacklight. But I don't see any files listed.

Was RootkitRevealer blank? The way your post was written it looked like it had listed the file:
Here is the RootkitRevealer log

C:\WINDOWS\System32\vxgame6.exe3584.exe
:scratch:
 
OK, this rootkit log is huge so it may take a couple of posts:

 
Ok, important instruction here is not to do anything else with the computer while scanning with Rootkit Revealer. The huge report comes as a result of your surfing while scan runs. Just start the scan and don't do any other tasks until it is finished. :)
 
Hi, sorry about that horrid log. I told my husband not to use the computer and he has now confessed to using it :mad:

I have banned him from touching it today and am running another scan - will post when it is finished. Thanks.
 
Ah, ok Fizzy...surfing while scanning would explain it LOL. Will wait for the next log :bigthumb:
 
New log and also HJT log:

C:\System Volume Information\catalog.wci\00010003.ci 4/30/2006 10:46 AM 212.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\00010003.dir 4/30/2006 10:46 AM 1.02 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffc.000 4/30/2006 10:05 AM 240 bytes Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\CiFLfffc.001 4/30/2006 10:05 AM 64.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\CiFLfffc.002 4/30/2006 10:05 AM 64.00 KB Visible in Windows API, but not in MFT or directory index.
C:\System Volume Information\catalog.wci\CiFLfffd.000 4/30/2006 10:46 AM 240 bytes Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffd.001 4/30/2006 10:46 AM 64.00 KB Hidden from Windows API.
C:\System Volume Information\catalog.wci\CiFLfffd.002 4/30/2006 10:46 AM 64.00 KB Hidden from Windows API.
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb 4/30/2006 10:39 AM 64.00 KB Visible in Windows API, but not in MFT or directory index.
 
Logfile of HijackThis v1.99.1
Scan saved at 12:08:29 PM, on 4/30/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\WINDOWS\System32\ctfmon.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\Documents and Settings\Fiona\Local Settings\Temp\wz6c1\RootkitRevealer.exe
C:\DOCUME~1\Fiona\LOCALS~1\Temp\FJQPUFWL.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145070034968
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: FJQPUFWL - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Fiona\LOCALS~1\Temp\FJQPUFWL.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RQXCFD - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Fiona\LOCALS~1\Temp\RQXCFD.exe
 
Great, that file is not listed on RootkitRevealer. It all looks ok.

Are you seeing any problems remaining on your end?
 
OK,

I have run Spybot again and this is what it has found:

KillSec - 3 registry key entries
Advertising.com - 1 cookie
SexList - 1 cookie
SexTracker - 1 cookie

I have no idea how they got there. I thought Spybot would protect against it, but I also have Antispyware, but all it does is sometimes alert me to a change in a host file.

Spybot will go on and fix all the problems but KillSec, which consistently comes back on a SB report... but then, eventually I will have other entries coming up, like all the ones today which are new - what the heck is going on? Is it going to be easier for me just to admit defeat and totally re-format my HD?

Thanks.
 
Also, here is my HJT Log, after I have cleaned using SB and I have also deleted all my cookies and internet files - I think it looks different.

Logfile of HijackThis v1.99.1
Scan saved at 1:19:04 PM, on 4/30/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\brsvc01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\brss01a.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cisvc.exe
c:\progra~1\mcafee\mcafee antispyware\massrv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
c:\progra~1\mcafee.com\vso\mcvsescn.exe
C:\progra~1\mcafee\MCAFEE~1\masalert.exe
C:\WINDOWS\System32\ctfmon.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
C:\WINDOWS\System32\nvsvc32.exe
c:\PROGRA~1\mcafee.com\vso\mcshield.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
c:\progra~1\mcafee.com\vso\mcvsftsn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = www.google.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] C:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [_AntiSpyware] c:\progra~1\mcafee\MCAFEE~1\masalert.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1145070034968
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://cdn.messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O18 - Protocol: pure-go - {4746C79A-2042-4332-8650-48966E44ABA8} - C:\Program Files\Common Files\Pure Networks Shared\puresp.dll
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\System32\brsvc01a.exe
O23 - Service: McAfee AntiSpyware Service - McAfee, Inc. - c:\progra~1\mcafee\mcafee antispyware\massrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - McAfee, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Pure Networks Net2Go Service (nmraapache) - Unknown owner - C:\Program Files\Pure Networks\Network Magic\WebServer\bin\nmraapache.exe" -k runservice (file missing)
O23 - Service: Pure Networks Network Magic Service (nmservice) - Pure Networks, Inc. - C:\Program Files\Pure Networks\Network Magic\nmsrvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: RQXCFD - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Fiona\LOCALS~1\Temp\RQXCFD.exe
 
Your HijackThis log looks fine. That's because there is no active infection (that's all it looks for).

The 3 registry keys are not an active infection with no files to go with them.

And cookies are not a critical threat - they are also not an infection.

What error does Spybot give and what are the registry entries giving a problem?

This is really only down to some minor cleanup, not an active infection at this point. Now if you really want to reformat at this point, I think it's over-reacting. :(
 