virtumonde problems

Status
Not open for further replies.
fsbl lof first:

03/09/08 13:34:22 [Info]: BlackLight Engine 1.0.67 initialized
03/09/08 13:34:22 [Info]: OS: 5.1 build 2600 (Service Pack 2)
03/09/08 13:34:22 [Note]: 7019 4
03/09/08 13:34:22 [Note]: 7005 0
03/09/08 13:34:26 [Note]: 7006 0
03/09/08 13:34:26 [Note]: 7022 0
03/09/08 13:34:26 [Note]: 7011 544
03/09/08 13:34:27 [Note]: 7026 0
03/09/08 13:34:27 [Note]: 7026 0
03/09/08 13:34:29 [Note]: FSRAW library version 1.7.1024
03/09/08 13:39:51 [Note]: 2000 1012
03/09/08 13:40:06 [Note]: 7007 0


Managed to delete the dmukb.exe file using Safe Mode, tried then to fix the two items from the HJT log, although having done that they both still appear to be there, log attached:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:45:05, on 09/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE
C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\PhnxCDSvr.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [Guard] "C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" /background
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R240 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE /P30 "EPSON Stylus Photo R240 Series" /O6 "USB001" /M "Stylus Photo R240"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/controls/yregucfg/2005_6_10_1/yregucfg.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{046EC07B-EAC4-4E85-9420-64177DEC1AA1}: NameServer = 85.255.113.90 85.255.112.74
O17 - HKLM\System\CS1\Services\Tcpip\..\{046EC07B-EAC4-4E85-9420-64177DEC1AA1}: NameServer = 85.255.113.90 85.255.112.74
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Phoenix VCD Service (PhnxVCDService) - Phoenix Technologies Ltd. - C:\WINDOWS\System32\PhnxCDSvr.exe

--
End of file - 7645 bytes
 
Thanks...BlackLight is clean, remove the tool from your computer.

You may have needed to do a reboot to clean that information (dmukb.exe) now that it is gone, try HJT on those items again. If they are still there, then try this:

In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be avaiable on some systems
Next Go start run type cmd and hit OK
type ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)

If that does not work, contact your Internet Service Provider, explain what your issue is, and that you were badly infeced. Ask for their help resetting your information.

Thanks
 
Shutting down and restarting seems to have worked, did not do this between deleting dmukb.exe and runnig HJT before, new log attached:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:12:34, on 09/03/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\mcafee.com\agent\mcdetect.exe
c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\WINDOWS\system32\VTtrayp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE
C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Menu\SonyTray.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\Program Files\BT Broadband Basic Help\bin\mpbtn.exe
C:\WINDOWS\System32\PhnxCDSvr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: McAfee VirusScan - {BA52B914-B692-46c4-B683-905236F6F655} - c:\progra~1\mcafee.com\vso\mcvsshl.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [RestoreIT!] "C:\Program Files\Phoenix Technologies\cME\RPro\ XP\VBPTASK.EXE" VBStart
O4 - HKLM\..\Run: [Guard] "C:\Program Files\Phoenix Technologies\cME\Guard\Guard.exe" /background
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\mcupdate.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo R240 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAHE.EXE /P30 "EPSON Stylus Photo R240 Series" /O6 "USB001" /M "Stylus Photo R240"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BT Broadband Basic Help.lnk = C:\Program Files\BT Broadband Basic Help\bin\matcli.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1803B9EF-9905-4F34-AFC4-05D1BAB28801} (RegUserCfgUI Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/controls/yregucfg/2005_6_10_1/yregucfg.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/win/ActiveXPlugin.cab
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: McAfee WSC Integration (McDetect.exe) - McAfee, Inc - c:\program files\mcafee.com\agent\mcdetect.exe
O23 - Service: McAfee.com McShield (McShield) - Unknown owner - c:\PROGRA~1\mcafee.com\vso\mcshield.exe
O23 - Service: McAfee Task Scheduler (McTskshd.exe) - McAfee, Inc - c:\PROGRA~1\mcafee.com\agent\mctskshd.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - McAfee, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: Phoenix VCD Service (PhnxVCDService) - Phoenix Technologies Ltd. - C:\WINDOWS\System32\PhnxCDSvr.exe

--
End of file - 7368 bytes
 
Let's run a last Kaspersky to make sure nothing is hiding. Remove all programs we downloaded for the cleanup you have not removed. (you may keep ATF-Cleaner if you wish) then run Kaspersky using these settings.

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here. <<< I do not need to see a clean scan result. I will post this information for you now so you can benefit from it.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.
 
Unfortunately not a clean scan, so here it is attached, vundo seams to have gone though, many thanks for all your help so far

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, March 09, 2008 3:23:04 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 9/03/2008
Kaspersky Anti-Virus database records: 561097
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 56443
Number of viruses found: 10
Number of infected objects: 51
Number of suspicious objects: 0
Duration of the scan process: 00:50:12

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee.com\Agent\Logs\TaskScheduler\McTskshd000.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\Andrew\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Andrew\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Andrew\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Andrew\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Andrew\Local Settings\History\History.IE5\MSHist012008030920080310\index.dat Object is locked skipped
C:\Documents and Settings\Andrew\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Andrew\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Andrew\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Andrew\UserData\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\BT Broadband Basic Help\log\mpbtn.log Object is locked skipped
C:\Program Files\Phoenix Technologies\cME\Guard\monitor.log Object is locked skipped
C:\Program Files\Phoenix Technologies\cME\Guard\repair.log Object is locked skipped
C:\RECYCLER\S-1-5-21-448539723-1645522239-839522115-1003\Dc2.exe Infected: Trojan.Win32.Small.fb skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0033995.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0033996.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0033997.exe Infected: Trojan.Win32.Obfuscated.oy skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0034006.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0034007.exe Infected: Trojan.Win32.Obfuscated.oy skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0034008.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0034022.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0034023.exe Infected: Trojan.Win32.Obfuscated.oy skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0034024.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0034030.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0034031.exe Infected: Trojan.Win32.Obfuscated.oy skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP501\A0034032.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP502\A0034044.exe Infected: Trojan.Win32.Obfuscated.oy skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP502\A0034045.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP502\A0034046.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP503\A0034071.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP503\A0034072.exe Infected: Trojan.Win32.Obfuscated.oy skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP503\A0034073.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP504\A0034080.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP504\A0034081.exe Infected: Trojan.Win32.Obfuscated.oy skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP504\A0034082.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP504\A0034093.exe Infected: Trojan.Win32.Obfuscated.oy skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP504\A0034094.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP504\A0034095.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP505\A0034114.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP505\A0034115.exe Infected: Trojan.Win32.Obfuscated.oy skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP505\A0034116.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP505\A0034123.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP505\A0034124.exe Infected: Trojan.Win32.Obfuscated.oy skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP505\A0034125.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP506\A0034131.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP506\A0034132.exe Infected: Trojan.Win32.Obfuscated.oy skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP506\A0034133.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP507\A0034170.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP507\A0034171.exe Infected: Trojan.Win32.Obfuscated.oy skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP507\A0034172.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034180.exe Infected: Trojan.Win32.Obfuscated.oy skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034187.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034188.exe Infected: Trojan.Win32.Obfuscated.oy skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034189.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034195.dll Infected: Trojan-Downloader.Win32.Zlob.hxh skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034196.exe Infected: Trojan.Win32.Obfuscated.oy skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034197.exe Infected: Trojan-Downloader.Win32.Zlob.hxg skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034201.exe Infected: Trojan-Downloader.Win32.Zlob.hxe skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034202.exe Infected: Trojan-Downloader.Win32.Zlob.hwt skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034205.exe Infected: Trojan-Downloader.Win32.Zlob.hwr skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034206.dll Infected: Trojan-Downloader.Win32.Zlob.hxd skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP508\A0034207.exe Infected: Trojan-Downloader.Win32.Zlob.hxf skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP511\A0035384.exe Infected: Trojan-Downloader.Win32.Zlob.hwt skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP516\A0035519.dll Infected: Trojan-Downloader.Win32.Agent.jbo skipped
C:\System Volume Information\_restore{ED49C7FF-C687-45D7-BA5B-DC8446FEA3BB}\RP521\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
 
KASPERSKY ONLINE SCANNER REPORT Sunday, March 09, 2008 3:23:04 PM

1) C:\RECYCLER\ <<< empty the Recycle Bin on the Desktop.

2) Restart the computer

3) Clean infected System Restore files.
Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

4) Safe surfing:
http://www.google.com/search?hl=en&q=safe+surfing&btnG=Search

Thanks:bigthumb:
 
Status
Not open for further replies.
Back
Top