Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Baylies hijackthis log

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Baylies hijackthis log

Unread postby dan12 » March 18th, 2008, 9:03 pm

ok, will know better when I've researched the log,
Seems a lot of trouble for you to go through, your friend will owe you one :D
dan :)
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire
Advertisement
Register to Remove

Re: Baylies hijackthis log

Unread postby wolfenstien » March 18th, 2008, 9:19 pm

Its not a problem.... Hey, you are doing you part for free... and I am doing mine.... no biggie really.
wolfenstien
Banned Member
 
Posts: 58
Joined: March 15th, 2008, 9:57 pm

Re: Baylies hijackthis log

Unread postby dan12 » March 19th, 2008, 4:38 am

May be best to connect to the net now ;)

Download and Install CCleaner
  • Download CCleaner from here . Choose the Slim version.
  • Double click on ccsetupXXX_slim.exe to start the installation of CCleaner. (XXX is the version number)
  • Click OK
  • Click Next
  • Click I agree
  • Click Next
  • Click Install
  • Once the installation has finished, click Finish

-------------------------------

Set Options in CCleaner and run Cleaning Scan.
Open CCleaner if it's not already running.
( Do not use the Registry block to clean anything with this program. It is for experts only and it is risky).
  • Select Cleaner Settings.
    Check Internet Explorer, Windows Explorer, and System so that all items are checked. In the Advanced section, have a check only on Old PreFetch Data.
  • Click on the Options block on the left. Select Advanced.
    Uncheck Only delete files in Windows Temp folders older than 48 hours.
  • Set Cookie Retention.
    Click on the Options block on the left, then choose Cookies.
    Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.
  • Run Cleaning Scan. Click on the Cleaner block on the left. Choose the Windows tab.
    Click the Run Cleaner button. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.

__________________

1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all
   
    Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ruiz]

    


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

________________

Run malwarebytes for me again!


please do an online scan with Kaspersky Online Scanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make that the following are selected:
  • Scan using the following Anti-Virus database:
  • Extended (If available otherwise Standard)
  • Scan Options:
  • Scan Archives
  • Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Please include in your next post:
  • Combofix log txt
  • Malwarebytes log
  • Kaspersky scan log
  • New highjackthis log

Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Baylies hijackthis log

Unread postby wolfenstien » March 19th, 2008, 5:33 pm

ComboFix log:

ComboFix 08-03-14.4 - Admin 2008-03-19 15:58:51.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.627 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2008-02-19 to 2008-03-19 )))))))))))))))))))))))))))))))
.

2008-03-19 15:49 . 2008-03-19 15:49 <DIR> d-------- C:\Program Files\CCleaner
2008-03-17 19:34 . 2008-03-17 19:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-03-17 19:33 . 2008-03-17 19:33 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-17 19:33 . 2008-03-17 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-17 16:54 . 2008-03-17 16:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ahead
2008-03-14 06:13 . 2008-03-14 06:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-14 06:12 . 2008-03-14 06:12 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-14 06:00 . 2008-03-14 06:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-03-14 04:14 . 2008-03-14 04:14 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-14 04:14 . 2008-03-14 04:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-14 01:59 . 2008-03-19 15:44 4,374 --a------ C:\WINDOWS\system32\Config.MPF
2008-03-14 01:56 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-03-14 01:53 . 2008-02-06 09:51 171,400 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-03-14 01:53 . 2007-06-25 14:54 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-03-14 01:53 . 2007-06-25 10:57 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-03-14 01:53 . 2007-06-25 10:57 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-03-14 01:53 . 2007-06-25 10:57 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-03-14 01:52 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-03-14 01:51 . 2008-03-14 01:52 <DIR> d-------- C:\Program Files\McAfee.com
2008-03-14 01:51 . 2008-03-14 02:01 <DIR> d-------- C:\Program Files\McAfee
2008-03-14 01:51 . 2008-03-14 01:56 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-03-14 01:16 . 2008-03-14 01:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-03-14 01:02 . 2008-03-14 01:02 <DIR> dr-h----- C:\Documents and Settings\Administrator\Application Data\yahoo!
2008-03-14 00:44 . 2007-12-06 22:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-14 00:44 . 2007-06-30 23:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-14 00:44 . 2007-06-30 23:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-14 00:44 . 2007-12-06 22:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-14 00:44 . 2007-12-06 22:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-14 00:44 . 2007-12-06 22:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-14 00:44 . 2007-12-06 22:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-14 00:44 . 2007-12-06 22:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-14 00:44 . 2007-12-06 07:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-14 00:40 . 2007-08-13 19:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-03-14 00:18 . 2007-07-09 09:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-03-13 23:45 . 2008-03-14 00:58 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-13 23:29 . 2004-08-04 03:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-03-13 23:27 . 2008-03-17 18:17 <DIR> d-------- C:\WINDOWS\peernet
2008-03-13 23:26 . 2008-03-13 23:26 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-03-13 23:22 . 2006-09-06 18:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-13 23:20 . 2008-03-13 23:20 <DIR> d-------- C:\WINDOWS\EHome
2008-03-13 23:17 . 2004-08-04 01:56 11,776 --a------ C:\WINDOWS\system32\spnpinst.exe
2008-03-13 23:17 . 2004-08-02 15:20 7,208 --a------ C:\WINDOWS\system32\secupd.sig
2008-03-13 23:17 . 2004-08-02 15:20 4,569 --a------ C:\WINDOWS\system32\secupd.dat
2008-03-13 23:06 . 2008-03-13 23:06 215 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-13 23:02 . 2004-08-04 03:56 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2008-03-13 23:02 . 2004-08-04 03:56 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2008-03-13 23:02 . 2004-08-04 03:56 265,728 --a------ C:\WINDOWS\system32\h323.tsp
2008-03-13 23:02 . 2004-08-04 03:56 77,312 --a------ C:\WINDOWS\system32\browser.dll
2008-03-13 23:02 . 2007-03-08 11:36 40,960 --a------ C:\WINDOWS\system32\mf3216.dll
2008-03-13 22:56 . 2004-08-04 03:56 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2008-03-13 22:52 . 2008-03-13 23:01 <DIR> d--h-c--- C:\WINDOWS\$xpsp1hfm$
2008-03-13 22:52 . 2008-03-13 22:52 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-13 22:52 . 2004-01-10 01:11 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2008-03-13 22:44 . 2008-03-13 22:44 <DIR> d-------- C:\WINDOWS\system32\bits
2008-03-08 00:02 . 2008-03-08 00:02 <DIR> d--hs---- C:\Documents and Settings\Administrator\UserData
2008-03-08 00:02 . 2004-08-04 03:56 438,784 --a------ C:\WINDOWS\system32\xpob2res.dll
2008-03-08 00:02 . 2004-08-04 03:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2008-03-08 00:02 . 2004-08-04 03:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-03-08 00:02 . 2004-08-04 03:56 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll
2008-03-08 00:02 . 2004-08-04 03:56 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2008-03-07 23:04 . 2008-03-07 23:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-03-07 23:01 . 2008-03-07 23:01 61,224 --a------ C:\Documents and Settings\Bailey\GoToAssistDownloadHelper.exe
2008-03-07 22:01 . 2008-03-07 22:01 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-03-07 21:41 . 2008-03-14 01:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-07 21:41 . 2008-03-14 21:08 2,430 --a------ C:\WINDOWS\WinInit.Ini
2008-03-05 22:34 . 2008-03-07 10:37 0 ---hs---- C:\Documents and Settings\Bailey\Application Data\0047cf333f146ee683017927e4c506bb6ccc0fb8840ba1e2bc.dat
2008-03-05 19:50 . 2008-03-14 05:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
2008-03-05 19:45 . 2008-03-05 19:45 <DIR> d-------- C:\WINDOWS\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-17 22:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-14 10:14 --------- d-----w C:\Program Files\Lavasoft
2008-03-14 10:14 --------- d-----w C:\Documents and Settings\Bailey\Application Data\Lavasoft
2008-03-14 09:03 --------- d-----w C:\Program Files\Sync Manager
2008-03-14 08:09 --------- d-----w C:\Program Files\Opera
2008-03-08 04:01 --------- d--h--w C:\Documents and Settings\Administrator\Application Data\Gtek
2008-02-28 21:38 --------- d-----w C:\Documents and Settings\Bailey\Application Data\LimeWire
2008-02-06 00:44 --------- d-----w C:\Program Files\MySpace
2008-02-06 00:44 --------- d-----w C:\Program Files\AIM
2008-02-06 00:44 --------- d-----w C:\Documents and Settings\Bailey\Application Data\Aim
.

((((((((((((((((((((((((((((( snapshot@2008-03-16_20.32.35.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 07:56:45 151,552 -c--a-w C:\WINDOWS\system32\dllcache\sqldb20.dll
+ 2004-08-04 07:56:45 462,848 -c--a-w C:\WINDOWS\system32\dllcache\sqlqp20.dll
+ 2004-08-04 07:56:45 110,592 -c--a-w C:\WINDOWS\system32\dllcache\sqlse20.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Bailey^Start Menu^Programs^Startup^Morpheus.lnk]
path=C:\Documents and Settings\Bailey\Start Menu\Programs\Startup\Morpheus.lnk
backup=C:\WINDOWS\pss\Morpheus.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Bailey^Start Menu^Programs^Startup^RABCO - Auto Update.lnk]
path=C:\Documents and Settings\Bailey\Start Menu\Programs\Startup\RABCO - Auto Update.lnk
backup=C:\WINDOWS\pss\RABCO - Auto Update.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2004-07-13 22:10 339968 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMon]
C:\WINDOWS\System32\CTF\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2006-08-28 22:57 395776 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 16:45 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-06-18 01:24 53248 C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2004-06-18 01:24 131072 C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
--a------ 2005-02-25 20:28 212992 C:\PROGRA~1\Nero\data\xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-11-07 19:14 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 20:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 15:42 1404928 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2006-10-12 04:10 49263 C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Agent]
C:\Program Files\Sync Manager\agent\syncagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-01-19 13:49 4670968 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"MDM"=2 (0x2)
"helpsvc"=2 (0x2)
"Browser"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 05:40:33 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-03-14 05:52:20 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-19 15:59:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-19 16:00:37
ComboFix-quarantined-files.txt 2008-03-19 20:00:28
ComboFix2.txt 2008-03-17 22:18:36
ComboFix3.txt 2008-03-17 00:32:56
.
2008-03-14 02:45:16 --- E O F ---


_________________________________________________

Malwarebytes log:

Malwarebytes' Anti-Malware 1.08
Database version: 471

Scan type: Full Scan (C:\|D:\|E:\|)
Objects scanned: 85233
Time elapsed: 13 minute(s), 52 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\System Volume Information\_restore{7B7A5753-97E7-4880-B884-EE2453BDAA19}\RP476\A0056623.ico (Malware.Trace) -> Quarantined and deleted successfully.


__________________________

Kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, March 19, 2008 5:30:22 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 19/03/2008
Kaspersky Anti-Virus database records: 641323
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 59309
Number of viruses found: 14
Number of infected objects: 60
Number of suspicious objects: 0
Duration of the scan process: 00:39:56

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\25d03aae.default\cert8.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\25d03aae.default\history.dat Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\25d03aae.default\key3.db Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\25d03aae.default\parent.lock Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\25d03aae.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\25d03aae.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\25d03aae.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\25d03aae.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\25d03aae.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Mozilla\Firefox\Profiles\25d03aae.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ca35a016dac51183e2c70be62f6d20a1_69fa0b1a-cab7-429f-a7f1-963a38acac37 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d220f653baf1c6d00efd0b68a084eb7a_69fa0b1a-cab7-429f-a7f1-963a38acac37 Object is locked skipped
C:\Documents and Settings\All Users\Documents\my docs\DOWNLOAD\vnc-E4_2_7-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.427 skipped
C:\Documents and Settings\All Users\Documents\my docs\DOWNLOAD\vnc-E4_2_7-x86_win32.exe/file2 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\All Users\Documents\my docs\DOWNLOAD\vnc-E4_2_7-x86_win32.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\All Users\Documents\my docs\DOWNLOAD\vnc-E4_2_7-x86_win32.exe/file5 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.427 skipped
C:\Documents and Settings\All Users\Documents\my docs\DOWNLOAD\vnc-E4_2_7-x86_win32.exe/file6 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\All Users\Documents\my docs\DOWNLOAD\vnc-E4_2_7-x86_win32.exe Inno: infected - 5 skipped
C:\Documents and Settings\All Users\Documents\my docs\DOWNLOAD\vnc-E4_2_7-x86_win32.rar/vnc-E4_2_7-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.427 skipped
C:\Documents and Settings\All Users\Documents\my docs\DOWNLOAD\vnc-E4_2_7-x86_win32.rar/vnc-E4_2_7-x86_win32.exe/file2 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\All Users\Documents\my docs\DOWNLOAD\vnc-E4_2_7-x86_win32.rar/vnc-E4_2_7-x86_win32.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\All Users\Documents\my docs\DOWNLOAD\vnc-E4_2_7-x86_win32.rar/vnc-E4_2_7-x86_win32.exe/file5 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.427 skipped
C:\Documents and Settings\All Users\Documents\my docs\DOWNLOAD\vnc-E4_2_7-x86_win32.rar/vnc-E4_2_7-x86_win32.exe/file6 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\All Users\Documents\my docs\DOWNLOAD\vnc-E4_2_7-x86_win32.rar/vnc-E4_2_7-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\All Users\Documents\my docs\DOWNLOAD\vnc-E4_2_7-x86_win32.rar RAR: infected - 6 skipped
C:\Documents and Settings\Bailey\Application Data\Opera\Opera\profile\cache4\opr0RTTL.htm/packed Infected: not-a-virus:Downloader.JS.WinFixer.a skipped
C:\Documents and Settings\Bailey\Application Data\Opera\Opera\profile\cache4\opr0RTTL.htm GZIP: infected - 1 skipped
C:\Documents and Settings\Bailey\My Documents\DOWNLOAD\vnc-E4_2_7-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.427 skipped
C:\Documents and Settings\Bailey\My Documents\DOWNLOAD\vnc-E4_2_7-x86_win32.exe/file2 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Bailey\My Documents\DOWNLOAD\vnc-E4_2_7-x86_win32.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Bailey\My Documents\DOWNLOAD\vnc-E4_2_7-x86_win32.exe/file5 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.427 skipped
C:\Documents and Settings\Bailey\My Documents\DOWNLOAD\vnc-E4_2_7-x86_win32.exe/file6 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Bailey\My Documents\DOWNLOAD\vnc-E4_2_7-x86_win32.exe Inno: infected - 5 skipped
C:\Documents and Settings\Bailey\My Documents\DOWNLOAD\vnc-E4_2_7-x86_win32.rar/vnc-E4_2_7-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.427 skipped
C:\Documents and Settings\Bailey\My Documents\DOWNLOAD\vnc-E4_2_7-x86_win32.rar/vnc-E4_2_7-x86_win32.exe/file2 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Bailey\My Documents\DOWNLOAD\vnc-E4_2_7-x86_win32.rar/vnc-E4_2_7-x86_win32.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Bailey\My Documents\DOWNLOAD\vnc-E4_2_7-x86_win32.rar/vnc-E4_2_7-x86_win32.exe/file5 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.427 skipped
C:\Documents and Settings\Bailey\My Documents\DOWNLOAD\vnc-E4_2_7-x86_win32.rar/vnc-E4_2_7-x86_win32.exe/file6 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Bailey\My Documents\DOWNLOAD\vnc-E4_2_7-x86_win32.rar/vnc-E4_2_7-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Bailey\My Documents\DOWNLOAD\vnc-E4_2_7-x86_win32.rar RAR: infected - 6 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Morpheus\morpheustoolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\Program Files\RealVNC\VNC4\vncclipboard.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.427 skipped
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.427 skipped
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\QooBox\Quarantine\C\2107xg.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.ah skipped
C:\QooBox\Quarantine\C\Documents and Settings\Bailey\Application Data\CURITY~1\sрoolsv.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gw skipped
C:\QooBox\Quarantine\C\Documents and Settings\Bailey\Application Data\evjhv.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.ah skipped
C:\QooBox\Quarantine\C\WINDOWS\FNTS~1\dνdplay.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gw skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\enhsbbtn.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hwyvepim.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nptqkigh.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.ajx skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ptryiiyj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\sblnycuq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wqwqvtxu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-16_203129.56.zip/fsvgaa.sys Infected: Rootkit.Win32.Agent.to skipped
C:\QooBox\Quarantine\catchme2008-03-16_203129.56.zip/mllmj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\catchme2008-03-16_203129.56.zip ZIP: infected - 2 skipped
C:\RECYCLER\S-1-5-21-725345543-1078145449-839522115-1003\Dc94\Content.IE5\45QRG5MZ\ctxad-546[1].0000 Infected: not-a-virus:AdWare.Win32.BetterInternet.cl skipped
C:\RECYCLER\S-1-5-21-725345543-1078145449-839522115-1003\Dc94\Content.IE5\WPUZ016R\ctxad-536[1].0000 Infected: not-a-virus:AdWare.Win32.BetterInternet.ct skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{7B7A5753-97E7-4880-B884-EE2453BDAA19}\RP470\A0056123.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.as skipped
C:\System Volume Information\_restore{7B7A5753-97E7-4880-B884-EE2453BDAA19}\RP470\A0056124.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.an skipped
C:\System Volume Information\_restore{7B7A5753-97E7-4880-B884-EE2453BDAA19}\RP470\A0056125.DLL Infected: not-a-virus:AdTool.Win32.MyWebSearch.i skipped
C:\System Volume Information\_restore{7B7A5753-97E7-4880-B884-EE2453BDAA19}\RP475\A0056417.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{7B7A5753-97E7-4880-B884-EE2453BDAA19}\RP475\A0056418.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{7B7A5753-97E7-4880-B884-EE2453BDAA19}\RP475\A0056419.dll Infected: not-a-virus:AdWare.Win32.Agent.ajx skipped
C:\System Volume Information\_restore{7B7A5753-97E7-4880-B884-EE2453BDAA19}\RP475\A0056420.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{7B7A5753-97E7-4880-B884-EE2453BDAA19}\RP475\A0056421.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{7B7A5753-97E7-4880-B884-EE2453BDAA19}\RP475\A0056422.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{7B7A5753-97E7-4880-B884-EE2453BDAA19}\RP476\A0056537.exe Infected: Trojan-Downloader.Win32.FraudLoad.ah skipped
C:\System Volume Information\_restore{7B7A5753-97E7-4880-B884-EE2453BDAA19}\RP476\A0056538.exe Infected: Trojan-Downloader.Win32.FraudLoad.ah skipped
C:\System Volume Information\_restore{7B7A5753-97E7-4880-B884-EE2453BDAA19}\RP478\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{B5668997-8547-4972-831E-945332494A40}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_liDd7k5AuLgaxJL Object is locked skipped
C:\WINDOWS\Temp\mcafee_VD39DcsKh9OXdm7 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_gYclCtiSr8LMVAr Object is locked skipped
C:\WINDOWS\Temp\mcmsc_KveShu7DesMVe2o Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{7B7A5753-97E7-4880-B884-EE2453BDAA19}\RP478\change.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{7B7A5753-97E7-4880-B884-EE2453BDAA19}\RP478\change.log Object is locked skipped

Scan process completed.

_____________________________________

new HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:33:48 PM, on 3/19/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Messenger\msmsgs.exe
c:\PROGRA~1\mcafee\msc\mcuimgr.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Administrator\Desktop\HJT\remove.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://url.adtrgt.com/cpv.jsp?p=112194& ... Id=7155727
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4946006875
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7723 bytes
wolfenstien
Banned Member
 
Posts: 58
Joined: March 15th, 2008, 9:57 pm

Re: Baylies hijackthis log

Unread postby dan12 » March 20th, 2008, 6:33 am

I have a little work to do on your returned logs, in the meantime can you update the java on this machine.

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present)

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://url.adtrgt.com/cpv.jsp?p=112194& ... Id=7155727

WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit



Your Java is out of date Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 5.
  • Scroll down to where it says " Java Runtime Environment (JRE) 6 Update 5".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.

Post a HJT log
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Baylies hijackthis log

Unread postby wolfenstien » March 20th, 2008, 10:35 am

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:34:10 AM, on 3/20/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
C:\Program Files\Messenger\msmsgs.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\svchost.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Administrator\Desktop\HJT\remove.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe (User 'Default user')
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 2.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 4946006875
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcafee.com/molbin/iss-l ... cfscan.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - C:\Program Files\RealVNC\VNC4\WinVNC4.exe

--
End of file - 7582 bytes
wolfenstien
Banned Member
 
Posts: 58
Joined: March 15th, 2008, 9:57 pm

Re: Baylies hijackthis log

Unread postby dan12 » March 20th, 2008, 9:00 pm

We are getting there, was encouraging to see the returned logs.


  • Download CF-DeQuarantine.exe and place it in C:\QooBox

  • Drag/Drop the following into CF-DeQuarantine.exe
    [indent]C:\WINDOWS\provisioning[/indent]


Edit: I think we will only need the folder which should reinstate files within!
________________________


1. Close any open browsers.

2. Open notepad and copy/paste the text in the quotebox below into it:

Code: Select all
   File::
"C:\Program Files\Morpheus\morpheustoolbar.exe"
"C:\Documents and Settings\Bailey\Application Data\Opera\Opera\profile\cache4\opr0RTTL.htm"

    Folder::
"C:\Documents and Settings\All Users\Application Data\Rabio"
C:\WINDOWS\pss\RABCO
   

      


Save this as CFScript.txt, in the same location as ComboFix.exe


Image

Refering to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at "C:\ComboFix.txt"

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


Create a new System Restore Point
This is a good time to clear your existing system restore points and establish a new clean restore point:
  • Go to Start > All Programs > Accessories > System Tools > System Restore
  • Select Create a restore point, and Ok it.
  • Next, go to Start > Run and type in cleanmgr
  • Select the More options tab
  • Choose the option to clean up system restore and OK it.
This will remove all restore points except the new one you just created.


Empty recycle bin.

Do me another kaspersky scan please.

Then check this folder out for me, I want to know all the files above are back in this folder:

C:\WINDOWS\provisioning
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Baylies hijackthis log

Unread postby wolfenstien » March 21st, 2008, 10:55 am

ok, i DLd CF-DeQuarantine.exe to C:\QooBox but when I went to C:\Windows\provisioning I cannot find a folder named provisioning. I have 4 folders in the windows directory starting with a P. So I moved on to the next step, here is the log from combofix:

ComboFix 08-03-14.4 - Admin 2008-03-21 10:01:12.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.575 [GMT -4:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt
* Created a new restore point

FILE ::
"C:\Program Files\Morpheus\morpheustoolbar.exe"
C:\Program Files\Morpheus\morpheustoolbar.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Rabio
C:\Program Files\Morpheus\morpheustoolbar.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-21 to 2008-03-21 )))))))))))))))))))))))))))))))
.

2008-03-20 10:33 . 2008-03-20 10:33 <DIR> d-------- C:\Program Files\Java
2008-03-20 10:33 . 2008-03-20 10:33 <DIR> d-------- C:\Program Files\Common Files\Java
2008-03-20 10:33 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-03-19 16:29 . 2008-03-19 16:29 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-19 16:29 . 2008-03-19 16:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-19 15:49 . 2008-03-19 15:49 <DIR> d-------- C:\Program Files\CCleaner
2008-03-17 19:34 . 2008-03-17 19:34 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-03-17 19:33 . 2008-03-17 19:33 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-03-17 19:33 . 2008-03-17 19:33 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-03-17 16:54 . 2008-03-17 16:54 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Ahead
2008-03-14 06:13 . 2008-03-14 06:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-03-14 06:12 . 2008-03-14 06:12 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-03-14 06:00 . 2008-03-14 06:00 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2008-03-14 04:14 . 2008-03-14 04:14 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-03-14 04:14 . 2008-03-14 04:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-14 01:59 . 2008-03-20 10:30 4,374 --a------ C:\WINDOWS\system32\Config.MPF
2008-03-14 01:56 . 2006-03-03 11:07 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2008-03-14 01:53 . 2008-02-06 09:51 171,400 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2008-03-14 01:53 . 2007-06-25 14:54 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2008-03-14 01:53 . 2007-06-25 10:57 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2008-03-14 01:53 . 2007-06-25 10:57 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2008-03-14 01:53 . 2007-06-25 10:57 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2008-03-14 01:52 . 2007-03-02 14:16 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2008-03-14 01:51 . 2008-03-14 01:52 <DIR> d-------- C:\Program Files\McAfee.com
2008-03-14 01:51 . 2008-03-14 02:01 <DIR> d-------- C:\Program Files\McAfee
2008-03-14 01:51 . 2008-03-14 01:56 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-03-14 01:16 . 2008-03-14 01:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Talkback
2008-03-14 01:02 . 2008-03-14 01:02 <DIR> dr-h----- C:\Documents and Settings\Administrator\Application Data\yahoo!
2008-03-14 00:44 . 2007-12-06 22:21 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-03-14 00:44 . 2007-06-30 23:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-03-14 00:44 . 2007-06-30 23:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-03-14 00:44 . 2007-12-06 22:21 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-03-14 00:44 . 2007-12-06 22:21 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-03-14 00:44 . 2007-12-06 22:21 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-03-14 00:44 . 2007-12-06 22:21 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-03-14 00:44 . 2007-12-06 22:21 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-03-14 00:44 . 2007-12-06 07:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2008-03-14 00:40 . 2007-08-13 19:54 33,792 --a--c--- C:\WINDOWS\system32\dllcache\custsat.dll
2008-03-14 00:18 . 2007-07-09 09:09 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
2008-03-13 23:45 . 2008-03-14 00:58 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2008-03-13 23:29 . 2004-08-04 03:56 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2008-03-13 23:27 . 2008-03-17 18:17 <DIR> d-------- C:\WINDOWS\peernet
2008-03-13 23:26 . 2008-03-13 23:26 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-03-13 23:22 . 2006-09-06 18:43 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2008-03-13 23:20 . 2008-03-13 23:20 <DIR> d-------- C:\WINDOWS\EHome
2008-03-13 23:17 . 2004-08-04 01:56 11,776 --a------ C:\WINDOWS\system32\spnpinst.exe
2008-03-13 23:17 . 2004-08-02 15:20 7,208 --a------ C:\WINDOWS\system32\secupd.sig
2008-03-13 23:17 . 2004-08-02 15:20 4,569 --a------ C:\WINDOWS\system32\secupd.dat
2008-03-13 23:06 . 2008-03-13 23:06 215 --a------ C:\WINDOWS\system32\MRT.INI
2008-03-13 23:02 . 2004-08-04 03:56 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2008-03-13 23:02 . 2004-08-04 03:56 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2008-03-13 23:02 . 2004-08-04 03:56 265,728 --a------ C:\WINDOWS\system32\h323.tsp
2008-03-13 23:02 . 2004-08-04 03:56 77,312 --a------ C:\WINDOWS\system32\browser.dll
2008-03-13 23:02 . 2007-03-08 11:36 40,960 --a------ C:\WINDOWS\system32\mf3216.dll
2008-03-13 22:56 . 2004-08-04 03:56 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2008-03-13 22:52 . 2008-03-13 23:01 <DIR> d--h-c--- C:\WINDOWS\$xpsp1hfm$
2008-03-13 22:52 . 2008-03-13 22:52 <DIR> d-------- C:\Program Files\MSXML 4.0
2008-03-13 22:52 . 2004-01-10 01:11 26,112 --a------ C:\WINDOWS\system32\xpsp1hfm.exe
2008-03-13 22:44 . 2008-03-13 22:44 <DIR> d-------- C:\WINDOWS\system32\bits
2008-03-08 00:02 . 2008-03-08 00:02 <DIR> d--hs---- C:\Documents and Settings\Administrator\UserData
2008-03-08 00:02 . 2004-08-04 03:56 438,784 --a------ C:\WINDOWS\system32\xpob2res.dll
2008-03-08 00:02 . 2004-08-04 03:56 351,232 --a------ C:\WINDOWS\system32\winhttp.dll
2008-03-08 00:02 . 2004-08-04 03:56 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2008-03-08 00:02 . 2004-08-04 03:56 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll
2008-03-08 00:02 . 2004-08-04 03:56 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2008-03-07 23:04 . 2008-03-07 23:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Citrix
2008-03-07 23:01 . 2008-03-07 23:01 61,224 --a------ C:\Documents and Settings\Bailey\GoToAssistDownloadHelper.exe
2008-03-07 22:01 . 2008-03-07 22:01 <DIR> d-------- C:\WINDOWS\McAfee.com
2008-03-07 21:41 . 2008-03-14 01:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-03-07 21:41 . 2008-03-14 21:08 2,430 --a------ C:\WINDOWS\WinInit.Ini
2008-03-05 22:34 . 2008-03-07 10:37 0 ---hs---- C:\Documents and Settings\Bailey\Application Data\0047cf333f146ee683017927e4c506bb6ccc0fb8840ba1e2bc.dat
2008-03-05 19:45 . 2008-03-05 19:45 <DIR> d-------- C:\WINDOWS\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-21 14:01 --------- d-----w C:\Program Files\Morpheus
2008-03-17 22:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2008-03-14 10:14 --------- d-----w C:\Program Files\Lavasoft
2008-03-14 10:14 --------- d-----w C:\Documents and Settings\Bailey\Application Data\Lavasoft
2008-03-14 09:03 --------- d-----w C:\Program Files\Sync Manager
2008-03-14 08:09 --------- d-----w C:\Program Files\Opera
2008-03-08 04:01 --------- d--h--w C:\Documents and Settings\Administrator\Application Data\Gtek
2008-02-28 21:38 --------- d-----w C:\Documents and Settings\Bailey\Application Data\LimeWire
2008-02-06 00:44 --------- d-----w C:\Program Files\MySpace
2008-02-06 00:44 --------- d-----w C:\Program Files\AIM
2008-02-06 00:44 --------- d-----w C:\Documents and Settings\Bailey\Application Data\Aim
.

((((((((((((((((((((((((((((( snapshot@2008-03-16_20.32.35.34 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 07:56:45 151,552 -c--a-w C:\WINDOWS\system32\dllcache\sqldb20.dll
+ 2004-08-04 07:56:45 462,848 -c--a-w C:\WINDOWS\system32\dllcache\sqlqp20.dll
+ 2004-08-04 07:56:45 110,592 -c--a-w C:\WINDOWS\system32\dllcache\sqlse20.dll
- 2006-10-12 06:35:14 49,248 ----a-w C:\WINDOWS\system32\java.exe
+ 2008-02-22 05:23:35 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2006-10-12 06:35:24 53,346 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2008-02-22 05:23:39 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2006-10-12 08:10:56 127,078 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2008-02-22 06:33:32 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2005-05-24 16:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
+ 2007-08-29 19:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
+ 2007-08-29 19:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
+ 2008-03-21 08:58:07 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_a8.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Kodak EasyShare software.lnk
backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Bailey^Start Menu^Programs^Startup^Morpheus.lnk]
path=C:\Documents and Settings\Bailey\Start Menu\Programs\Startup\Morpheus.lnk
backup=C:\WINDOWS\pss\Morpheus.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Bailey^Start Menu^Programs^Startup^RABCO - Auto Update.lnk]
path=C:\Documents and Settings\Bailey\Start Menu\Programs\Startup\RABCO - Auto Update.lnk
backup=C:\WINDOWS\pss\RABCO - Auto Update.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
--a------ 2004-07-13 22:10 339968 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMon]
C:\WINDOWS\System32\CTF\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
--a------ 2006-08-28 22:57 395776 C:\Program Files\Dell Support\DSAgnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-02-23 16:45 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
--a------ 2004-06-18 01:24 53248 C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
--a------ 2004-06-18 01:24 131072 C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 12:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PhotoShow Deluxe Media Manager]
--a------ 2005-02-25 20:28 212992 C:\PROGRA~1\Nero\data\xtras\mssysmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-11-07 19:14 155648 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2003-10-31 20:42 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMAXPnP]
--a------ 2004-10-14 15:42 1404928 C:\Program Files\Analog Devices\Core\smax4pnp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Agent]
C:\Program Files\Sync Manager\agent\syncagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-01-19 13:49 4670968 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"WZCSVC"=2 (0x2)
"MDM"=2 (0x2)
"helpsvc"=2 (0x2)
"Browser"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\McAfee\\MNA\\McNASvc.exe"=


.
Contents of the 'Scheduled Tasks' folder
"2008-03-15 05:40:33 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-03-14 05:52:20 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-21 10:02:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-21 10:02:48
ComboFix-quarantined-files.txt 2008-03-21 14:02:41
ComboFix2.txt 2008-03-19 20:00:37
ComboFix3.txt 2008-03-17 22:18:36
ComboFix4.txt 2008-03-17 00:32:56
.
2008-03-14 02:45:16 --- E O F ---



++++++++++++++++++++++++++++++++++++++++
++++++++++++++++

I made a new restore point and cleaned all old ones....

and here is the new kaspersky log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Friday, March 21, 2008 10:48:07 AM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 21/03/2008
Kaspersky Anti-Virus database records: 651364
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 52768
Number of viruses found: 10
Number of infected objects: 46
Number of suspicious objects: 0
Duration of the scan process: 00:37:59

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012008032120080322\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ca35a016dac51183e2c70be62f6d20a1_69fa0b1a-cab7-429f-a7f1-963a38acac37 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d220f653baf1c6d00efd0b68a084eb7a_69fa0b1a-cab7-429f-a7f1-963a38acac37 Object is locked skipped
C:\Documents and Settings\All Users\Documents\my docs\DOWNLOAD\vnc-E4_2_7-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.427 skipped
C:\Documents and Settings\All Users\Documents\my docs\DOWNLOAD\vnc-E4_2_7-x86_win32.exe/file2 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\All Users\Documents\my docs\DOWNLOAD\vnc-E4_2_7-x86_win32.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\All Users\Documents\my docs\DOWNLOAD\vnc-E4_2_7-x86_win32.exe/file5 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.427 skipped
C:\Documents and Settings\All Users\Documents\my docs\DOWNLOAD\vnc-E4_2_7-x86_win32.exe/file6 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\All Users\Documents\my docs\DOWNLOAD\vnc-E4_2_7-x86_win32.exe Inno: infected - 5 skipped
C:\Documents and Settings\All Users\Documents\my docs\DOWNLOAD\vnc-E4_2_7-x86_win32.rar/vnc-E4_2_7-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.427 skipped
C:\Documents and Settings\All Users\Documents\my docs\DOWNLOAD\vnc-E4_2_7-x86_win32.rar/vnc-E4_2_7-x86_win32.exe/file2 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\All Users\Documents\my docs\DOWNLOAD\vnc-E4_2_7-x86_win32.rar/vnc-E4_2_7-x86_win32.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\All Users\Documents\my docs\DOWNLOAD\vnc-E4_2_7-x86_win32.rar/vnc-E4_2_7-x86_win32.exe/file5 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.427 skipped
C:\Documents and Settings\All Users\Documents\my docs\DOWNLOAD\vnc-E4_2_7-x86_win32.rar/vnc-E4_2_7-x86_win32.exe/file6 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\All Users\Documents\my docs\DOWNLOAD\vnc-E4_2_7-x86_win32.rar/vnc-E4_2_7-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\All Users\Documents\my docs\DOWNLOAD\vnc-E4_2_7-x86_win32.rar RAR: infected - 6 skipped
C:\Documents and Settings\Bailey\Application Data\Opera\Opera\profile\cache4\opr0RTTL.htm/packed Infected: not-a-virus:Downloader.JS.WinFixer.a skipped
C:\Documents and Settings\Bailey\Application Data\Opera\Opera\profile\cache4\opr0RTTL.htm GZIP: infected - 1 skipped
C:\Documents and Settings\Bailey\My Documents\DOWNLOAD\vnc-E4_2_7-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.427 skipped
C:\Documents and Settings\Bailey\My Documents\DOWNLOAD\vnc-E4_2_7-x86_win32.exe/file2 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Bailey\My Documents\DOWNLOAD\vnc-E4_2_7-x86_win32.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Bailey\My Documents\DOWNLOAD\vnc-E4_2_7-x86_win32.exe/file5 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.427 skipped
C:\Documents and Settings\Bailey\My Documents\DOWNLOAD\vnc-E4_2_7-x86_win32.exe/file6 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Bailey\My Documents\DOWNLOAD\vnc-E4_2_7-x86_win32.exe Inno: infected - 5 skipped
C:\Documents and Settings\Bailey\My Documents\DOWNLOAD\vnc-E4_2_7-x86_win32.rar/vnc-E4_2_7-x86_win32.exe/file1 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.427 skipped
C:\Documents and Settings\Bailey\My Documents\DOWNLOAD\vnc-E4_2_7-x86_win32.rar/vnc-E4_2_7-x86_win32.exe/file2 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Bailey\My Documents\DOWNLOAD\vnc-E4_2_7-x86_win32.rar/vnc-E4_2_7-x86_win32.exe/file3 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Bailey\My Documents\DOWNLOAD\vnc-E4_2_7-x86_win32.rar/vnc-E4_2_7-x86_win32.exe/file5 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.427 skipped
C:\Documents and Settings\Bailey\My Documents\DOWNLOAD\vnc-E4_2_7-x86_win32.rar/vnc-E4_2_7-x86_win32.exe/file6 Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Bailey\My Documents\DOWNLOAD\vnc-E4_2_7-x86_win32.rar/vnc-E4_2_7-x86_win32.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Documents and Settings\Bailey\My Documents\DOWNLOAD\vnc-E4_2_7-x86_win32.rar RAR: infected - 6 skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\RealVNC\VNC4\vncclipboard.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.427 skipped
C:\Program Files\RealVNC\VNC4\vncconfig.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\Program Files\RealVNC\VNC4\winvnc4.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.427 skipped
C:\Program Files\RealVNC\VNC4\wm_hooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.4 skipped
C:\QooBox\Quarantine\C\2107xg.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.ah skipped
C:\QooBox\Quarantine\C\Documents and Settings\Bailey\Application Data\CURITY~1\sрoolsv.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gw skipped
C:\QooBox\Quarantine\C\Documents and Settings\Bailey\Application Data\evjhv.exe.vir Infected: Trojan-Downloader.Win32.FraudLoad.ah skipped
C:\QooBox\Quarantine\C\Program Files\Morpheus\morpheustoolbar.exe.vir Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
C:\QooBox\Quarantine\C\WINDOWS\FNTS~1\dνdplay.exe.vir Infected: not-a-virus:AdWare.Win32.PurityScan.gw skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\enhsbbtn.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hwyvepim.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nptqkigh.dll.vir Infected: not-a-virus:AdWare.Win32.Agent.ajx skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ptryiiyj.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\sblnycuq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wqwqvtxu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\RECYCLER\S-1-5-21-725345543-1078145449-839522115-1003\Dc94\Content.IE5\45QRG5MZ\ctxad-546[1].0000 Infected: not-a-virus:AdWare.Win32.BetterInternet.cl skipped
C:\RECYCLER\S-1-5-21-725345543-1078145449-839522115-1003\Dc94\Content.IE5\WPUZ016R\ctxad-536[1].0000 Infected: not-a-virus:AdWare.Win32.BetterInternet.ct skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{7B7A5753-97E7-4880-B884-EE2453BDAA19}\RP485\change.log Object is locked skipped
C:\WINDOWS\CSC\00000001 Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{33571188-7826-4CB0-88F2-B707EDC7B893}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_hjf47Z1Oqe044pO Object is locked skipped
C:\WINDOWS\Temp\mcmsc_DSeyrxWHmFPUza2 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_umtscn8zmpsUY8J Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_a8.dat Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
wolfenstien
Banned Member
 
Posts: 58
Joined: March 15th, 2008, 9:57 pm

Re: Baylies hijackthis log

Unread postby dan12 » March 21st, 2008, 5:10 pm

Ok, what we need to do is reinstate the folder C:\WINDOWS\provisioning

You have already put "CF-DeQuarantine.exe" in this folder C:\QooBox << This folder which is what you need to do.

The folder we want "provisioning" is in either QooBox
C:\QooBox\Quarantine << or it could be in here

----------------------------

Click start then Run, type or copy and paste the following into the run box:
Code: Select all
Nircmd emptybin

Click ok.

---------------------------

Can you go manually to this file and delete it.
Right click start, In the drop down menu click "Explore" Then navigate to each file\ folder in the left hand pane, which will reveal its content in the right hand pane, highlight file or folder right click and Delete, if present:

C:\Documents and Settings\Bailey\Application Data\Opera\Opera\profile\cache4\opr0RTTL.htm

Run a further kav scan I'm just after clearing those that kav is flagging up.
Let me know how you get on with the provisioning folder and how the machine is?
dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Baylies hijackthis log

Unread postby wolfenstien » March 22nd, 2008, 1:23 pm

Ok, the Provisioning folder is in the quarantine folder.... I drag and drop Provisioning to the main QooBox folder and then drag and drop it into the CF-DeQuarantine.exe file. It pops up a graph showing ComboFix working and then does nothing.... no windows or anything else pop up... inside the provisioning\schemas folders there is 18 files all double extension named; example: branding.xdr.vir
Do you want me to now move the Provisioning folder back to the c:\windows directory? or put it back into the quarantine directory where i found it?

I will run the kaspersky scan a bit later today when i am able to run the network cable without my son tripping over it...
wolfenstien
Banned Member
 
Posts: 58
Joined: March 15th, 2008, 9:57 pm

Re: Baylies hijackthis log

Unread postby dan12 » March 22nd, 2008, 1:53 pm

Ok, at least we know it's there, I need to consult the developer of the tool as I want this to be right so leave things as they are.
and will get back to you :)
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Baylies hijackthis log

Unread postby dan12 » March 22nd, 2008, 2:37 pm

What I'd like you to do for me is verify that the vir file extensions are indeed renamed?
If you can let me know don't do anything else, just leave things where they are.
dan :)
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Baylies hijackthis log

Unread postby wolfenstien » March 22nd, 2008, 7:25 pm

I am not sure what you are asking.... for me to verify that they have been renamed.... Deduction tells me that if these files were originally in the windows directory, and were moved to a quarantine folder in the root, then the program that moved them renamed them to the vir (virus) extention.... I have no idea of how to verify this...
wolfenstien
Banned Member
 
Posts: 58
Joined: March 15th, 2008, 9:57 pm

Re: Baylies hijackthis log

Unread postby dan12 » March 22nd, 2008, 10:46 pm

That's ok, at the moment I'm relaying information from the developer.
I'm waiting for him to get back to me.
The bulk of our clean up is done, just these loose ends to tie up.
Any problems with machine?
Hope not to keep you waiting too long :)
dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Baylies hijackthis log

Unread postby dan12 » March 23rd, 2008, 4:41 am

Open notepad and copy and paste this text in it:

Code: Select all
@echo off
Vfind -tf "%cd%\*" >"%tmp%\log.txt"
notepad "%tmp%\log.txt"


Save this as Vfind.bat,choose to save it as *all files Place the batch file into the "Provisioning" folder (wherever it's located now. Do not move it anymore)Doubleclick Vfind.bat& post the contents of the log that's produced.

dan :)
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 28 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware