Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Nasty Infection

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

Re: Nasty Infection

Unread postby dan12 » May 26th, 2008, 4:56 pm

Hi, Glen. copy/paste this into Start > Run

C:\WINDOWS\ERDNT\Hiv-backup\erdnt.exe

Then reboot & run CF once more
Thanks dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire
Advertisement
Register to Remove

Re: Nasty Infection

Unread postby gman33 » May 26th, 2008, 5:49 pm

Dan,

I'd love to, but I can't get to "Start" "Run" because "Run" has been removed from the "Start" menu. As I mentioned earlier, everything on the right side of the "Start" menu is blank. Do you know another way I can access the "Run" feature?

Thanks,
Glen
gman33
Regular Member
 
Posts: 19
Joined: May 24th, 2008, 3:25 am

Re: Nasty Infection

Unread postby dan12 » May 26th, 2008, 6:22 pm

Hi, Glen, I'm going to have a chat with the developer on the recent issues.
So bare with me and I will get back to you when I've heard from him.
Have you tried the "windows key" and "R" on the keyboard?
Thanks dan :)
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Nasty Infection

Unread postby gman33 » May 26th, 2008, 8:42 pm

Dan,

The "Windows"+"R" did work. I wasn't aware of that feature. Thanks.

Here is the result of the new CF.



ComboFix 08-05-24.1 - Glen 2008-05-26 20:37:00.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.204 [GMT -4:00]
Running from: C:\Documents and Settings\Glen\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Glen\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\eope.exe
C:\WINDOWS\mdtgkswr.exe
C:\WINDOWS\system32\fcccbxvu.dll
.

((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-25 14:16 . 2008-05-25 14:16 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-25 14:16 . 2008-05-25 14:16 <DIR> d-------- C:\Documents and Settings\Glen\Application Data\Malwarebytes
2008-05-25 14:16 . 2008-05-25 14:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-25 14:16 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-25 14:16 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-24 06:52 . 2008-05-24 06:52 135 --a------ C:\WINDOWS\wininit.ini
2008-05-24 02:03 . 2008-05-24 02:03 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-05-24 02:03 . 2008-05-24 02:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-23 20:17 . 2008-05-23 20:17 <DIR> d-------- C:\Program Files\Antivirus 2008 PRO
2008-05-23 09:00 . 2008-02-12 13:45 45,568 --a------ C:\WINDOWS\system32\lmdimon.dll
2008-05-22 22:04 . 2008-05-22 22:05 <DIR> d-------- C:\Program Files\VASST
2008-05-14 22:54 . 2008-05-14 23:03 13,030 --a------ C:\PDOXUSRS.NET
2008-05-14 22:53 . 2008-05-14 22:53 <DIR> d-------- C:\Program Files\Enable Computing
2008-05-14 22:53 . 2008-05-14 22:53 <DIR> d-------- C:\Program Files\Common Files\Borland Shared
2008-05-14 22:53 . 2008-05-14 22:53 <DIR> d-------- C:\Program Files\Borland
2008-05-14 22:47 . 2008-05-14 22:47 <DIR> d-------- C:\Documents and Settings\Glen\Application Data\Free-backup.info
2008-05-14 22:47 . 2001-01-05 04:42 351,232 --a------ C:\WINDOWS\system32\ibmgr.cpl
2008-05-14 22:47 . 2001-01-05 04:41 346,624 --a------ C:\WINDOWS\system32\gds32.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-27 00:33 --------- d-----w C:\Documents and Settings\Glen\Application Data\OpenOffice.org2
2008-05-24 21:49 --------- d-----w C:\Program Files\Mozilla Thunderbird
2008-05-23 23:22 --------- d-----w C:\Documents and Settings\All Users\Application Data\Sony
2008-05-23 23:21 --------- d-----w C:\Program Files\Sony
2008-05-23 23:19 --------- d-----w C:\Program Files\Sony Setup
2008-05-22 18:09 --------- d-----w C:\Documents and Settings\Glen\Application Data\gtk-2.0
2008-05-15 21:21 --------- d-----w C:\Documents and Settings\Glen\Application Data\AdobeUM
2008-04-22 01:54 --------- d-----w C:\Program Files\Rental Property Manager 2
2008-04-22 00:44 --------- d-----w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-17 19:33 --------- d-----w C:\Program Files\Opera
2008-04-08 21:45 --------- d-----w C:\Program Files\OpenOffice.org 2.3
2008-04-08 21:44 --------- d-----w C:\Program Files\OpenOffice.org 2.2
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( snapshot@2008-05-25_ 9.42.36.16 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-25 13:33:28 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-27 00:31:17 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16603FAE-E08D-4209-85BA-C4D573B3D0A5}]
C:\WINDOWS\system32\opnnkjkh.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-04-18 19:55 262401]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"MplSetUp"="C:\Program Files\RMClient\MplSetUp.exe" [2000-11-04 21:09 40960]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 05:25 144784]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2006-10-22 12:22 1622016 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2006-10-22 12:22 86016]

C:\Documents and Settings\Glen\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 21:57:56 393216]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 00:37:56 217194]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\AutorunsDisabled
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-10-24 00:37:56 217194]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-10-11 19:47:47 110592]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"= 1 (0x1)
"NoStartMenuMorePrograms"= 1 (0x1)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\eMule\\emule.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"4662:TCP"= 4662:TCP:eMule TCP
"4672:UDP"= 4672:UDP:eMule UDP

R0 Pnp680r;Silicon Image SiI 0680 Medley Raid Controller;C:\WINDOWS\system32\DRIVERS\pnp680r.sys [2002-05-31 16:35]
R2 InterBaseGuardian;InterBase Guardian;C:\Program Files\Borland\InterBase\bin\ibguard.exe [2001-01-05 04:41]
R2 NvNdis;NVIDIA NDIS IO Control Driver;C:\WINDOWS\system32\Drivers\NvNdis.sys [2004-12-13 09:44]
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe" [2007-02-10 06:29]
R3 InterBaseServer;InterBase Server;C:\Program Files\Borland\InterBase\bin\ibserver.exe [2001-01-05 04:40]

*Newly Created Service* - CATCHME
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-26 20:40:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-26 20:42:44
ComboFix-quarantined-files.txt 2008-05-27 00:42:29
ComboFix2.txt 2008-05-25 17:55:48
ComboFix3.txt 2008-05-25 13:43:50

Pre-Run: 73,173,082,112 bytes free
Post-Run: 73,161,715,712 bytes free

114 --- E O F --- 2008-05-16 22:44:24
gman33
Regular Member
 
Posts: 19
Joined: May 24th, 2008, 3:25 am

Re: Nasty Infection

Unread postby dan12 » May 27th, 2008, 1:23 am

Hi, Glen,
How are the settings from the start menu?
will be later when back with you as I have to work.
dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Nasty Infection

Unread postby gman33 » May 27th, 2008, 7:44 am

Dan, the "Start Menu" is still the same. It appears that I could now get the items missing on the right side back by going to "Start Menu > Properties > Customize > Advanced", but I've held off doing it until you say its alright to change the settings. I also noticed from the CF log that there appears to be two entries:

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"= 1 (0x1)
"NoStartMenuMorePrograms"= 1 (0x1)

one of which has disabled my "Start > Programs" button. I think both of these need to be disabled. Again, I have not made any modifications waiting for your instructions. Actually, my computer has been visually acting completely normal now except for these three things:

1. "Start Menu" issue above. Plus the local drives do not show up under "My Computer"
2. "System Tray Clock" has been altered. It appears like this, "07:40 : VIRUS ALERT!"
3. Theres an icon in the system tray that says, "Unable to complete genuine Windows validation."

I've left my computer on through this entire process and have only rebooted when asked. Just let me know how you would like me to process.

Thanks,
Glen
gman33
Regular Member
 
Posts: 19
Joined: May 24th, 2008, 3:25 am

Re: Nasty Infection

Unread postby dan12 » May 27th, 2008, 2:51 pm

Hi, Glen, back with you

Copy/paste the following text into a new Notepad document. (You must use Notepad, NOT Wordpad). Make sure that you have NO blank lines at the beginning of the document before REGEDIT4 and ONE blank line at the end of the document as shown in the codebox text:

Code: Select all
REGEDIT4

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{16603FAE-E08D-4209-85BA-C4D573B3D0A5}]
[-HKEY_CLASSES_ROOT\CLSID\{16603FAE-E08D-4209-85BA-C4D573B3D0A5}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=-
"NoStartMenuMorePrograms"=-
"NoDrives"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe"=-
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=-




Save it to your desktop as Fixme.reg. Save it as follows...
File Type: "All Files" (not as a text document or it wont work).
Name: Fixme.reg

Locate Fixme.reg on your desktop and double-click it. When asked if you want to merge with the registry, click YES. Wait for the merged successfully prompt.


Then for your other issues go here
_________________


1 - Kaspersky Online Scan
With the exception of Internet Explorer, which must be used for this scan, keep ALL programs closed
Please do an online scan with >Kaspersky Online Scanner<. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the licence accepted, reset to 100%.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    o Scan using the following Anti-Virus database:
    + Extended (If available otherwise Standard)
    o Scan Options:
    + Scan Archives
    + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run.
  • Please do not use your computer while the scan is running. Once the scan is complete it will display if your system has been infected.
  • Click the Save Report As... button (see red arrow below)

    Image

  • In the Save as... prompt, select Desktop
  • In the File name box, name the file KasScan-ddmmyy (or similar)
  • In the Save as type prompt, select Text file (see below)

    Image

  • Copy and paste the report in your next post.
Note: It is recommended to disable onboard antivirus program and antispyware programs while performing scans so there are no conflicts and to speed up scan time.
Please don't go surfing while your resident protection is disabled!
Once scan is finished remember to re-enable resident antivirus protection along with whatever antispyware application you use.

Let me know how you got on and post kaspersky report and a new HJT log.
dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Nasty Infection

Unread postby gman33 » May 27th, 2008, 4:54 pm

Dan, Registry was edited and now running Kaspersky's Online Scan. The scan has been running for 1h:15m and is only 4% complete, so I post the results whenever the scan finishes. Don't worry, I'm using an alternate computer for this post.

Glen
gman33
Regular Member
 
Posts: 19
Joined: May 24th, 2008, 3:25 am

Re: Nasty Infection

Unread postby gman33 » May 27th, 2008, 10:29 pm

Dan, here are the results of the Kasparsky Scan and the HJT log.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, May 27, 2008 22:14: VIRUS PMLERT!
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 27/05/2008
Kaspersky Anti-Virus database records: 801559
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
H:\

Scan Statistics:
Total number of scanned objects: 99617
Number of viruses found: 32
Number of infected objects: 91
Number of suspicious objects: 0
Duration of the scan process: 05:49:21

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Glen\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Glen\Desktop\backups\backup-20080524-025912-195.dll Infected: Trojan-Downloader.Win32.ConHook.tb skipped
C:\Documents and Settings\Glen\Desktop\backups\backup-20080524-025912-564.dll Infected: Trojan.Win32.Vapsup.fog skipped
C:\Documents and Settings\Glen\Desktop\backups\backup-20080524-102751-209.dll Infected: Trojan-Downloader.Win32.ConHook.tb skipped
C:\Documents and Settings\Glen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Glen\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Glen\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Glen\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Glen\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Glen\My Documents\eMule Downloads\Incoming\VASST Ultimate S 3.0.3 The Ultimate plug-in for Sony Vegas software-3.0.3\VASST Ultimate S 3.0.3 The Ultimate plug-in for Sony Vegas software-3.0.3\Ultimate\AxHelper\axhelper.exe Infected: not-a-virus:PSWTool.Win32.IEPassView.l skipped
C:\Documents and Settings\Glen\My Documents\eMule Downloads\Incoming\VASST Ultimate S 3.0.3 The Ultimate plug-in for Sony Vegas software-3.0.3.rar/VASST Ultimate S 3.0.3 The Ultimate plug-in for Sony Vegas software-3.0.3/Ultimate/AxHelper/axhelper.exe Infected: not-a-virus:PSWTool.Win32.IEPassView.l skipped
C:\Documents and Settings\Glen\My Documents\eMule Downloads\Incoming\VASST Ultimate S 3.0.3 The Ultimate plug-in for Sony Vegas software-3.0.3.rar RAR: infected - 1 skipped
C:\Documents and Settings\Glen\My Documents\Glen's Documents\Chroma\downloads\Ares\setup_ares.exe/data0020/NHInstall.exe Infected: not-a-virus:AdWare.Win32.NavExcel.d skipped
C:\Documents and Settings\Glen\My Documents\Glen's Documents\Chroma\downloads\Ares\setup_ares.exe/data0020/v2.0.4b.cab/NHelper.dll Infected: not-a-virus:AdWare.Win32.NavExcel.g skipped
C:\Documents and Settings\Glen\My Documents\Glen's Documents\Chroma\downloads\Ares\setup_ares.exe/data0020/v2.0.4b.cab/NHUninstaller.exe Infected: not-a-virus:AdWare.Win32.NavExcel skipped
C:\Documents and Settings\Glen\My Documents\Glen's Documents\Chroma\downloads\Ares\setup_ares.exe/data0020/v2.0.4b.cab/NHUpdater.exe Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Documents and Settings\Glen\My Documents\Glen's Documents\Chroma\downloads\Ares\setup_ares.exe/data0020/v2.0.4b.cab Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Documents and Settings\Glen\My Documents\Glen's Documents\Chroma\downloads\Ares\setup_ares.exe/data0020 Infected: not-a-virus:AdWare.Win32.NavExcel.b skipped
C:\Documents and Settings\Glen\My Documents\Glen's Documents\Chroma\downloads\Ares\setup_ares.exe/data0021 Infected: not-a-virus:AdWare.Win32.NavExcel.i skipped
C:\Documents and Settings\Glen\My Documents\Glen's Documents\Chroma\downloads\Ares\setup_ares.exe NSIS: infected - 7 skipped
C:\Documents and Settings\Glen\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Glen\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temp\Perflib_Perfdata_6bc.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe Infected: not-a-virus:FraudTool.Win32.VirusIsolator.l skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG Object is locked skipped
C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_168.trc Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\eope.exe.vir Infected: Trojan.Win32.Vapsup.foc skipped
C:\QooBox\Quarantine\C\WINDOWS\gnowmebk.dll.vir Infected: Trojan.Win32.Vapsup.fof skipped
C:\QooBox\Quarantine\C\WINDOWS\mdtgkswr.exe.vir Infected: Trojan.Win32.Vapsup.foe skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fcccbxvu.dll.vir Infected: Trojan-Downloader.Win32.ConHook.tb skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\opnnkjkh.dll.vir Infected: Worm.Win32.AutoRun.dwi skipped
C:\QooBox\Quarantine\catchme2008-05-25_ 93132.05.zip/ddcDssQK.dll Infected: Worm.Win32.AutoRun.dwi skipped
C:\QooBox\Quarantine\catchme2008-05-25_ 93132.05.zip ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{CEE28861-0B56-44B8-B470-BB85E346D7C3}\RP238\A0015425.exe Infected: Trojan-Downloader.Win32.Zlob.nwb skipped
C:\System Volume Information\_restore{CEE28861-0B56-44B8-B470-BB85E346D7C3}\RP238\A0015426.exe Infected: Trojan-Downloader.Win32.Zlob.nwb skipped
C:\System Volume Information\_restore{CEE28861-0B56-44B8-B470-BB85E346D7C3}\RP238\A0016474.exe Infected: not-a-virus:FraudTool.Win32.VirusIsolator.l skipped
C:\System Volume Information\_restore{CEE28861-0B56-44B8-B470-BB85E346D7C3}\RP238\A0016475.dll Infected: Trojan.Win32.Vapsup.fog skipped
C:\System Volume Information\_restore{CEE28861-0B56-44B8-B470-BB85E346D7C3}\RP238\A0016479.exe Infected: not-a-virus:FraudTool.Win32.VirusIsolator.l skipped
C:\System Volume Information\_restore{CEE28861-0B56-44B8-B470-BB85E346D7C3}\RP238\A0016484.dll Infected: Trojan.Win32.Vapsup.fot skipped
C:\System Volume Information\_restore{CEE28861-0B56-44B8-B470-BB85E346D7C3}\RP238\A0016485.dll Infected: Trojan.Win32.Vapsup.fod skipped
C:\System Volume Information\_restore{CEE28861-0B56-44B8-B470-BB85E346D7C3}\RP241\A0016601.dll Infected: Trojan.Win32.Vapsup.fof skipped
C:\System Volume Information\_restore{CEE28861-0B56-44B8-B470-BB85E346D7C3}\RP243\A0016721.exe Infected: Trojan.Win32.Vapsup.foc skipped
C:\System Volume Information\_restore{CEE28861-0B56-44B8-B470-BB85E346D7C3}\RP243\A0016722.exe Infected: Trojan.Win32.Vapsup.foe skipped
C:\System Volume Information\_restore{CEE28861-0B56-44B8-B470-BB85E346D7C3}\RP243\A0016723.dll Infected: Trojan-Downloader.Win32.ConHook.tb skipped
C:\System Volume Information\_restore{CEE28861-0B56-44B8-B470-BB85E346D7C3}\RP243\A0016724.dll Infected: Worm.Win32.AutoRun.dwi skipped
C:\System Volume Information\_restore{CEE28861-0B56-44B8-B470-BB85E346D7C3}\RP245\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\Music\KazaaUpdate151.exe/data0003/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
D:\Music\KazaaUpdate151.exe/data0003/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
D:\Music\KazaaUpdate151.exe/data0003 Infected: not-a-virus:AdWare.Win32.Cydoor skipped
D:\Music\KazaaUpdate151.exe/data0008/bdedetect1.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
D:\Music\KazaaUpdate151.exe/data0008 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
D:\Music\KazaaUpdate151.exe/data0011 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
D:\Music\KazaaUpdate151.exe/data0012 Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
D:\Music\KazaaUpdate151.exe/data0018/bdeinstall.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1044 skipped
D:\Music\KazaaUpdate151.exe/data0018 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1044 skipped
D:\Music\KazaaUpdate151.exe/data0019/bde3d_ref2.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.d skipped
D:\Music\KazaaUpdate151.exe/data0019 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.d skipped
D:\Music\KazaaUpdate151.exe/data0022/bdeload.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.e skipped
D:\Music\KazaaUpdate151.exe/data0022 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.e skipped
D:\Music\KazaaUpdate151.exe/data0023/bdeplayer2.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.f skipped
D:\Music\KazaaUpdate151.exe/data0023 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.f skipped
D:\Music\KazaaUpdate151.exe/data0026/BDESac10.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3120 skipped
D:\Music\KazaaUpdate151.exe/data0026 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3120 skipped
D:\Music\KazaaUpdate151.exe/data0027/bdeviewer.exe Infected: Trojan.Win32.Krepper.y skipped
D:\Music\KazaaUpdate151.exe/data0027 Infected: Trojan.Win32.Krepper.y skipped
D:\Music\KazaaUpdate151.exe/data0029/BDEVerify.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.a skipped
D:\Music\KazaaUpdate151.exe/data0029/BDEVerify.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.b skipped
D:\Music\KazaaUpdate151.exe/data0029 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.b skipped
D:\Music\KazaaUpdate151.exe Inno: infected - 22 skipped
D:\Music\kmd133_en.exe/data0006/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
D:\Music\kmd133_en.exe/data0006/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
D:\Music\kmd133_en.exe/data0006 Infected: not-a-virus:AdWare.Win32.Cydoor skipped
D:\Music\kmd133_en.exe/data0008 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
D:\Music\kmd133_en.exe/data0009/SaveNow.exe Infected: not-a-virus:AdWare.Win32.SaveNow.aa skipped
D:\Music\kmd133_en.exe/data0009/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
D:\Music\kmd133_en.exe/data0009 Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
D:\Music\kmd133_en.exe/data0010/data0002 Infected: not-a-virus:AdWare.Win32.CommonName.g skipped
D:\Music\kmd133_en.exe/data0010 Infected: not-a-virus:AdWare.Win32.CommonName.g skipped
D:\Music\kmd133_en.exe/data0012/dlder.exe Infected: Trojan.Win32.Dlder.a skipped
D:\Music\kmd133_en.exe/data0012/setup.exe Infected: Trojan.Win32.Dlder.a skipped
D:\Music\kmd133_en.exe/data0012 Infected: Trojan.Win32.Dlder.a skipped
D:\Music\kmd133_en.exe/data0014/bdedetect1.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
D:\Music\kmd133_en.exe/data0014 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
D:\Music\kmd133_en.exe/data0017 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
D:\Music\kmd133_en.exe/data0021 Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
D:\Music\kmd133_en.exe/data0022/bde3d_ref2.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.d skipped
D:\Music\kmd133_en.exe/data0022 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.d skipped
D:\Music\kmd133_en.exe/data0025/bdeload.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.e skipped
D:\Music\kmd133_en.exe/data0025 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.e skipped
D:\Music\kmd133_en.exe/data0026/bdeplayer2.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.f skipped
D:\Music\kmd133_en.exe/data0026 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.f skipped
D:\Music\kmd133_en.exe/data0029/BDESac10.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3120 skipped
D:\Music\kmd133_en.exe/data0029 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3120 skipped
D:\Music\kmd133_en.exe/data0030/bdeviewer.exe Infected: Trojan.Win32.Krepper.y skipped
D:\Music\kmd133_en.exe/data0030 Infected: Trojan.Win32.Krepper.y skipped
D:\Music\kmd133_en.exe/data0032/BDEVerify.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.a skipped
D:\Music\kmd133_en.exe/data0032/BDEVerify.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.b skipped
D:\Music\kmd133_en.exe/data0032 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.b skipped
D:\Music\kmd133_en.exe Inno: infected - 29 skipped
D:\Music\kmd171gu_en.exe/data0004/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
D:\Music\kmd171gu_en.exe/data0004/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
D:\Music\kmd171gu_en.exe/data0004 Infected: not-a-virus:AdWare.Win32.Cydoor skipped
D:\Music\kmd171gu_en.exe Inno: infected - 3 skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{CEE28861-0B56-44B8-B470-BB85E346D7C3}\RP245\change.log Object is locked skipped

Scan process completed.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:26: VIRUS ALERT!, on 5/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Glen\Desktop\HJT\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {16603FAE-E08D-4209-85BA-C4D573B3D0A5} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 2044452499
O16 - DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} (ActiveView Control) - http://unimart.dvrdns.org:3002/ActiveView.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 2046273627
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6014 bytes


Thanks,
Glen
gman33
Regular Member
 
Posts: 19
Joined: May 24th, 2008, 3:25 am

Re: Nasty Infection

Unread postby dan12 » May 28th, 2008, 2:41 pm

Run HijackThis, select Do a system scan only and place checks against the following entries (if they are still present)

O2 - BHO: (no name) - {16603FAE-E08D-4209-85BA-C4D573B3D0A5} - (no file)
WITH ALL OTHER WINDOWS CLOSED Click on Fix Checked and exit


Download OTMoveIt2 by Old Timer and save it to your Desktop.
  • Double-click OTMoveIt2.exe to run it.
  • Copy the lines in the codebox below.
Code: Select all
C:\Documents and Settings\Glen\Desktop\backups\backup-20080524-025912-195.dll
C:\Documents and Settings\Glen\Desktop\backups\backup-20080524-025912-564.dll
C:\Documents and Settings\Glen\Desktop\backups\backup-20080524-102751-209.dll
C:\Documents and Settings\Glen\My Documents\eMule Downloads\Incoming\VASST Ultimate S 3.0.3 The Ultimate plug-in for Sony Vegas software-3.0.3\VASST Ultimate S 3.0.3 The Ultimate plug-in for Sony Vegas software-3.0.3\Ultimate\AxHelper\axhelper.exe
C:\Documents and Settings\Glen\My Documents\eMule Downloads\Incoming\VASST Ultimate S 3.0.3 The Ultimate plug-in for Sony Vegas software-3.0.3.rar
C:\Documents and Settings\Glen\My Documents\Glen's Documents\Chroma\downloads\Ares\setup_ares.exe
C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe
D:\Music\KazaaUpdate151.exe
D:\Music\kmd133_en.exe
D:\Music\kmd171gu_en.exe
    

  • Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window (under the green bar), and paste it in your next reply.
  • Close OTMoveIt2



Update Java Runtime Environment (JRE)

Your JRE is out of date. The current version is Java Runtime Environment (JRE) 6 Update 6.

  1. Click on Start > Control Panel and double click on Add/Remove Programs. Locate jre1.6.0_05\ and click on Change/Remove to uninstall it.
  2. Repeat for these old versions of JRE:
      <Remove any older versions >
  3. Click here to visit Java's website.
  4. Scroll down to Java Runtime Environment (JRE) 6 Update 6. Click on Download.
  5. Select Windows from the drop-down list for Platform.
  6. Select Multi-language from the drop-down list for Language.
  7. Check (tick) I agree to the Java SE Runtime Environment 6 License Agreement box and click on Continue.
  8. Click on jre-6u6-windows-i586-p.exe link to download it and save this to a convenient location.
  9. Run this installation to update your Java.

post a new HJT log and otmoveit2 report, let me know how things are now.
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Nasty Infection

Unread postby gman33 » May 28th, 2008, 3:17 pm

Dan, everything has been working much better, it not normal. I followed you link to help me remove the "VIRUS ALERT!" in the system tray and I have also gotten everything on my "Start" menu back. I just finished updating Java, I thought I had it set to auto update. I also uninstalled the previous versions.

When I ran the OTMoveIT2, my anti-virus caught a few things as it ran. I wasn't sure if I was suppose to have disabled my anti-virus before running it, but at that point it was too late. I clicked "Deny Access" when the popped up.

Anyway, things are looking great. I really appreciate all of your help and your willingness to stay with me on this.

Here are the results you asked for...

LoadLibrary failed for C:\Documents and Settings\Glen\Desktop\backups\backup-20080524-025912-195.dll
C:\Documents and Settings\Glen\Desktop\backups\backup-20080524-025912-195.dll NOT unregistered.
C:\Documents and Settings\Glen\Desktop\backups\backup-20080524-025912-195.dll moved successfully.
C:\Documents and Settings\Glen\Desktop\backups\backup-20080524-025912-564.dll NOT unregistered.
C:\Documents and Settings\Glen\Desktop\backups\backup-20080524-025912-564.dll moved successfully.
LoadLibrary failed for C:\Documents and Settings\Glen\Desktop\backups\backup-20080524-102751-209.dll
C:\Documents and Settings\Glen\Desktop\backups\backup-20080524-102751-209.dll NOT unregistered.
C:\Documents and Settings\Glen\Desktop\backups\backup-20080524-102751-209.dll moved successfully.
File/Folder C:\Documents and Settings\Glen\My Documents\eMule Downloads\Incoming\VASST Ultimate S 3.0.3 The Ultimate plug-in for Sony Vegas software-3.0.3\VASST Ultimate S 3.0.3 The Ultimate plug-in for Sony Vegas software-3.0.3\Ultimate\AxHelper\axhelper.exe not found.
C:\Documents and Settings\Glen\My Documents\eMule Downloads\Incoming\VASST Ultimate S 3.0.3 The Ultimate plug-in for Sony Vegas software-3.0.3.rar moved successfully.
C:\Documents and Settings\Glen\My Documents\Glen's Documents\Chroma\downloads\Ares\setup_ares.exe moved successfully.
C:\Program Files\Antivirus 2008 PRO\antivirus-2008pro.exe moved successfully.
D:\Music\KazaaUpdate151.exe moved successfully.
D:\Music\kmd133_en.exe moved successfully.
D:\Music\kmd171gu_en.exe moved successfully.
File/Folder not found.

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05282008_145741


and HJT...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:13:14 PM, on 5/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
C:\Program Files\Borland\InterBase\bin\ibguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Borland\InterBase\bin\ibserver.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\WINDOWS\system32\WISPTIS.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Documents and Settings\Glen\Desktop\HJT\HiJackThis.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MplSetUp] C:\Program Files\RMClient\MplSetUp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: AutorunsDisabled
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partne ... nicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 2044452499
O16 - DPF: {66F7F252-3FE1-4650-B1E5-94B2A38271C5} (ActiveView Control) - http://unimart.dvrdns.org:3002/ActiveView.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 2046273627
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: EPSON V3 Service4(01) (EPSON_PM_RPCV4_01) - SEIKO EPSON CORPORATION - C:\Documents and Settings\All Users\Application Data\EPSON\EPW!3 SSRP\E_S40RP7.EXE
O23 - Service: InterBase Guardian (InterBaseGuardian) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibguard.exe
O23 - Service: InterBase Server (InterBaseServer) - Inprise Corporation - C:\Program Files\Borland\InterBase\bin\ibserver.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5948 bytes
gman33
Regular Member
 
Posts: 19
Joined: May 24th, 2008, 3:25 am

Re: Nasty Infection

Unread postby dan12 » May 28th, 2008, 3:34 pm

That's looking a lot better, will be back with you in an hour or so.Not too much to do now.
Regards dan
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Nasty Infection

Unread postby dan12 » May 28th, 2008, 5:52 pm

Sorry for delay my connection droped for a short while.
Let'sclean up some tools we used.


UNINSTALL COMBOFIX

  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK.
  • Note the space between the X and the U, it needs to be there.
  • Image
You can also delete any logs we have produced, and empty your Recycle bin.
And just to make sure it doesn't run:

Close all windows and try typing this command directly in and see if ComboFix runs.

Remember to use the " marks and there is a space between exe" and /killall

Start > Run > type "%userprofile%\desktop\combofix.exe" /killall

If ComboFix runs, please post the log.


Let me know that went ok
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire

Re: Nasty Infection

Unread postby gman33 » May 28th, 2008, 6:22 pm

Okay, ComboFix.exe is uninstalled and it did not run when I tried to run "%userprofile%\desktop\combofix.exe" /killall

Cleaned up all of the logs created.

Things are looking good!

Thanks,
Glen
gman33
Regular Member
 
Posts: 19
Joined: May 24th, 2008, 3:25 am

Re: Nasty Infection

Unread postby dan12 » May 28th, 2008, 6:32 pm

Double click on OTMoveIt2.

Click on CleanUp!.

You will receive a prompt that it has finished downloaded a list. Click OK.

After this, it will prompt you to restart your computer. Please restart your computer.

post when carried out
User avatar
dan12
MRU Honors Grad Emeritus
 
Posts: 6123
Joined: March 30th, 2006, 3:22 am
Location: Leicestershire
Advertisement
Register to Remove

PreviousNext

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 54 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware