Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

Win32.Trojan.RX found


Unread postby Elrond » June 20th, 2007, 3:08 am

Will do my best. It has been time consuming to sort through all the logs. Will be back with you today.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Unread postby Elrond » June 20th, 2007, 7:04 am

  1. Go to http://virusscan.jotti.org
    Put this line into the white textbox:
    C:\WINDOWS\system32\tjlgcygp.exe

    Click Submit.

    Repeat for the following
    C:\WINDOWS\system32\wfexmevf.dll
    C:\WINDOWS\system32\wdhbikdw.dll


    Please post the results of this scan to this thread.
  2. Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

    O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\wdhbikdw.dll
    O2 - BHO: (no name) - {778158B6-813B-46AA-B5E7-542E6C466E0a} - C:\WINDOWS\system32\wknniuvq.dll
    O23 - Service: dns cache reader (DNSCacheReader) - Unknown owner - C:\WINDOWS\system32\j0251839.exe


    Click on Fix Checked when finished and exit HijackThis.
    1. Open notepad and copy/paste the text in the quotebox below into it:

      File::
      C:\WINDOWS\180ax.exe
      C:\WINDOWS\2020search.dll
      C:\WINDOWS\2020search2.dll
      C:\WINDOWS\764.exe
      C:\WINDOWS\7search.dll
      C:\WINDOWS\bi.dll
      C:\WINDOWS\Biprep.exe
      C:\WINDOWS\bjam.dll
      C:\WINDOWS\bokja.exe
      C:\WINDOWS\cdsm32.dll
      C:\WINDOWS\flt.dll
      C:\WINDOWS\mspphe.dll
      C:\WINDOWS\mssvr.exe
      C:\WINDOWS\pbar.dll
      C:\WINDOWS\saiemod.dll
      C:\WINDOWS\salm.exe
      C:\WINDOWS\satmat.exe
      C:\WINDOWS\stcloader.exe
      C:\WINDOWS\SUSP.exe
      C:\WINDOWS\swin32.dll
      C:\WINDOWS\sysrlb32.exe
      C:\WINDOWS\updatetc.exe
      C:\WINDOWS\voiceip.dll
      C:\WINDOWS\vxddsk.exe
      C:\WINDOWS\wml.exe
      C:\WINDOWS\system32\bszip.dll
      C:\WINDOWS\system32\gtv_sd.bin
      C:\WINDOWS\system32\j0251839.exe
      C:\WINDOWS\system32\msorcl32.exe
      C:\WINDOWS\system32\msdn_lib.dll
      C:\WINDOWS\system32\MSIXU.DLL
      C:\WINDOWS\system32\sl.bin
      C:\WINDOWS\system32\srjqyxbs.exe
      C:\WINDOWS\system32\tmrsrv32.exe
      C:\WINDOWS\system32\tjlgcygp.exe
      C:\WINDOWS\system32\vxddsk.exe
      C:\WINDOWS\system32\wdhbikdw.dll
      C:\WINDOWS\system32\WER8274.DLL
      C:\WINDOWS\system32\wfexmevf.dll
      C:\WINDOWS\system32\wknniuvq.dll
      C:\WINDOWS\system32\wml.exe


      Registry::
      [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
      "DisableTaskMgr"=dword:00000000

      [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System]
      "DisableTaskMgr"=dword:00000000



    2. Save this as ComboFix-Do.txt


    3. Referring to the picture above, drag ComboFix-Do.txt into ComboFix.exe
    4. ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
    5. When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
  3. Please do a new HijackThis scan and post the log together with the log from ComboFix.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem
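As an added example (not code from the forum, HijackThis or ComboFix), the Python below automates the cross-check behind steps 1 and 2 above: it takes HijackThis O2/O23 lines and ComboFix's "Files Created" listing, both copied from logs quoted in this thread, and shortlists autostarts that carry no name or publisher and whose binary appeared inside the listing window. The regexes, function names and the two-signal rule are my own; the result is a queue for a multi-engine scan, as in step 1, not a removal list.

```python
"""Shortlist HijackThis autostarts for a multi-engine scan by cross-
referencing them with ComboFix's "Files Created" listing.

Added example, not code from MalwareRemoval.com, HijackThis or ComboFix.
Sample lines are copied from the logs quoted in this thread; the regexes,
names and the two-signal rule are my own.
"""
import re
from typing import Dict, List, NamedTuple

# HijackThis lines quoted in the thread: O2 = browser helper object,
# O23 = Windows service. A mix of vendor-identified and anonymous entries.
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\wdhbikdw.dll
O2 - BHO: (no name) - {778158B6-813B-46AA-B5E7-542E6C466E0a} - C:\WINDOWS\system32\wknniuvq.dll
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: dns cache reader (DNSCacheReader) - Unknown owner - C:\WINDOWS\system32\j0251839.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
"""

# ComboFix "Files Created" excerpt from the thread. Runservice.exe differs
# in case from the HijackThis path: NTFS is case-insensitive, so normalise.
COMBOFIX_SAMPLE = r"""
((((((((((((((((((((((((( Files Created from 2007-05-19 to 2007-06-19 )))))))))))))))))))))))))))))))

2007-06-17 15:32 125,972 --a------ C:\WINDOWS\system32\wknniuvq.dll
2007-06-15 00:20 2,560 --a------ C:\WINDOWS\Runservice.exe
2007-06-14 22:11 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-06-13 23:39 62,516 --a------ C:\WINDOWS\system32\wdhbikdw.dll
2007-06-11 10:02 8,192 --a------ C:\WINDOWS\system32\j0251839.exe
2007-06-08 01:17 2,580 --a------ C:\WINDOWS\system32\tjlgcygp.exe
"""


class Autostart(NamedTuple):
    section: str  # "O2" or "O23"
    name: str     # BHO display name or service display name
    owner: str    # CLSID for a BHO, publisher string for a service
    path: str


HJT_O2 = re.compile(r"^O2 - BHO: (.*?) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
HJT_O23 = re.compile(r"^O23 - Service: (.*?) - (.*?) - (.+)$")
CF_FILE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+(<DIR>|[\d,]+)\s+\S+\s+(.+)$")


def parse_hjt(text: str) -> List[Autostart]:
    """Extract O2 and O23 entries; other HijackThis sections are ignored."""
    entries = []
    for line in text.splitlines():
        m = HJT_O2.match(line) or HJT_O23.match(line)
        if m:
            section = "O2" if line.startswith("O2 ") else "O23"
            entries.append(Autostart(section, m.group(1), m.group(2), m.group(3).strip()))
    return entries


def parse_created(text: str) -> Dict[str, str]:
    """Map lower-cased file path -> creation date (directories are skipped)."""
    created = {}
    for line in text.splitlines():
        m = CF_FILE.match(line)
        if m and m.group(2) != "<DIR>":
            created[m.group(3).strip().lower()] = m.group(1)
    return created


def is_anonymous(entry: Autostart) -> bool:
    """True when the entry lacks the identity a vendor normally supplies."""
    if entry.section == "O2":
        return entry.name == "(no name)"
    return entry.owner == "Unknown owner"


def shortlist(hjt_text: str, combofix_text: str) -> List[str]:
    """Paths that are anonymous AND appeared inside ComboFix's window.

    Either signal alone is weak: new files are usually just new software,
    and some vendors do register nameless BHOs. Together they earn a scan.
    """
    created = parse_created(combofix_text)
    return [e.path for e in parse_hjt(hjt_text)
            if is_anonymous(e) and e.path.lower() in created]
```

`shortlist(HJT_SAMPLE, COMBOFIX_SAMPLE)` returns four paths: the three entries Elrond had checked in HijackThis plus C:\WINDOWS\runservice.exe (the LicCtrl service, created the same minute as a game folder), which is why the output is submitted for scanning rather than deleted outright.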

Unread postby the commissioner » June 20th, 2007, 9:23 am

1.

C:\WINDOWS\system32\tjlgcygp.exe

Scan taken on 20 Jun 2007 13:12:09 (GMT)
A-Squared
Found Trojan.Win32.Agent.anr
AntiVir
Found TR/Agent.anr.1
ArcaVir
Found Trojan.Agent.Anr
Avast
Found Win32:Agent-HZS
AVG Antivirus
Found Generic4.SLZ
BitDefender
Found Trojan.LowZones.SA
ClamAV
Found Trojan.Agent-4537
Dr.Web
Found nothing
F-Prot Antivirus
Found W32/Downloader.AIMR
F-Secure Anti-Virus
Found Trojan.Win32.Agent.anr
Fortinet
Found nothing
Kaspersky Anti-Virus
Found Trojan.Win32.Agent.anr
NOD32
Found Win32/Agent.ANR
Norman Virus Control
Found W32/Agent.BQSQ
Panda Antivirus
Found Trj/Lowzones.TP
Rising Antivirus
Found nothing
VirusBuster
Found Trojan.Lowzones.FI
VBA32
Found Trojan.Win32.Agent.anr

C:\WINDOWS\system32\wfexmevf.dll

Scan taken on 20 Jun 2007 13:17:10 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Dldr.ConHook.Gen
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found Trojan.BHO.AR
ClamAV
Found nothing
Dr.Web
Found Adware.Crew
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Packed.Win32.Morphine.a (probable variant)
Fortinet
Found nothing
Kaspersky Anti-Virus
Found Packed.Win32.Morphine.a (probable variant)
NOD32
Found probably a variant of Win32/Adware.BHO.V application (probable variant)
Norman Virus Control
Found W32/BHO.QG
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found Adware.Crew



C:\WINDOWS\system32\wdhbikdw.dll

Scan taken on 20 Jun 2007 13:19:52 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Vundo.Gen
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found Generic5.GQ
BitDefender
Found nothing
ClamAV
Found Trojan.Packed-7
Dr.Web
Found Trojan.Virtumod
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
Fortinet
Found nothing
Kaspersky Anti-Virus
Found not-a-virus:AdWare.Win32.Virtumonde.kj
NOD32
Found Win32/BHO.G
Norman Virus Control
Found Vundo.gen30
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
VirusBuster
Found Adware.Vundo.Gen!Pac.14
VBA32
Found Trojan.Win32.BHO.G

That's all I have right now because I have to run. I will post everything else later.
the commissioner
Regular Member
 
Posts: 21
Joined: June 17th, 2007, 12:53 am

Unread postby the commissioner » June 20th, 2007, 9:38 am

ComboFix Log

ComboFix 07-06-13.7 - C:\Documents and Settings\Ed\Desktop\ComboFix.exe
"Ed" - 2007-06-19 9:27:14 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Ed\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\install.log
C:\WINDOWS\764.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\wmvds32.dll


((((((((((((((((((((((((( Files Created from 2007-05-19 to 2007-06-19 )))))))))))))))))))))))))))))))


2007-06-18 23:48 <DIR> d-------- C:\Program Files\SDFix
2007-06-18 18:28 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-18 16:28 <DIR> d-------- C:\DOCUME~1\Ed\Norton Internet Security 2004 KG
2007-06-18 15:57 <DIR> d-------- C:\Program Files\Common Files\Symantec Shared
2007-06-18 15:57 <DIR> d-------- C:\DOCUME~1\Ed\APPLIC~1\Symantec
2007-06-18 15:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-06-17 21:27 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-17 21:27 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-06-17 15:32 125,972 --a------ C:\WINDOWS\system32\wknniuvq.dll
2007-06-15 00:20 769 --ahs---- C:\WINDOWS\system32\mmf.sys
2007-06-15 00:20 45,056 --a------ C:\WINDOWS\mmfs.dll
2007-06-15 00:20 2,560 --a------ C:\WINDOWS\Runservice.exe
2007-06-15 00:18 <DIR> d-------- C:\Program Files\Fast Break College Basketball 2003
2007-06-14 22:19 18,432 --a------ C:\WINDOWS\sysrlb32.exe
2007-06-14 22:11 <DIR> d-------- C:\Program Files\Microsoft Windows OneCare Live
2007-06-14 22:11 <DIR> d-------- C:\295342b9a569274ccc90
2007-06-14 21:42 9,728 --a------ C:\WINDOWS\vxddsk.exe
2007-06-14 21:42 8,704 --a------ C:\WINDOWS\bi.dll
2007-06-14 21:42 31,488 --a------ C:\WINDOWS\pbar.dll
2007-06-14 21:42 30,976 --a------ C:\WINDOWS\satmat.exe
2007-06-14 21:42 30,976 --a------ C:\WINDOWS\Biprep.exe
2007-06-14 21:42 28,928 --a------ C:\WINDOWS\flt.dll
2007-06-14 21:42 28,160 --a------ C:\WINDOWS\bjam.dll
2007-06-14 21:42 27,648 --a------ C:\WINDOWS\bokja.exe
2007-06-14 21:42 25,600 --a------ C:\WINDOWS\SUSP.exe
2007-06-14 21:42 23,808 --a------ C:\WINDOWS\cdsm32.dll
2007-06-14 21:42 23,552 --a------ C:\WINDOWS\wml.exe
2007-06-14 21:42 23,552 --a------ C:\WINDOWS\mssvr.exe
2007-06-14 21:42 23,296 --a------ C:\WINDOWS\mspphe.dll
2007-06-14 21:42 22,016 --a------ C:\WINDOWS\system32\wml.exe
2007-06-14 21:42 19,968 --a------ C:\WINDOWS\updatetc.exe
2007-06-14 21:42 19,968 --a------ C:\WINDOWS\swin32.dll
2007-06-14 21:42 19,456 --a------ C:\WINDOWS\2020search2.dll
2007-06-14 21:42 17,408 --a------ C:\WINDOWS\system32\WER8274.DLL
2007-06-14 21:42 17,152 --a------ C:\WINDOWS\salm.exe
2007-06-14 21:42 16,896 --a------ C:\WINDOWS\7search.dll
2007-06-14 21:42 15,360 --a------ C:\WINDOWS\stcloader.exe
2007-06-14 21:42 15,360 --a------ C:\WINDOWS\2020search.dll
2007-06-14 21:42 12,800 --a------ C:\WINDOWS\180ax.exe
2007-06-14 21:42 12,288 --a------ C:\WINDOWS\voiceip.dll
2007-06-14 21:42 12,288 --a------ C:\WINDOWS\system32\MSIXU.DLL
2007-06-14 21:42 12 --a------ C:\WINDOWS\system32\sl.bin
2007-06-14 21:42 11,008 --a------ C:\WINDOWS\saiemod.dll
2007-06-14 21:42 10,240 --a------ C:\WINDOWS\system32\vxddsk.exe
2007-06-14 21:41 25,088 --a------ C:\WINDOWS\system32\msdn_lib.dll
2007-06-14 21:41 12 --a------ C:\WINDOWS\system32\gtv_sd.bin
2007-06-14 21:09 125,972 --a------ C:\WINDOWS\system32\wfexmevf.dll
2007-06-13 23:39 62,516 --a------ C:\WINDOWS\system32\wdhbikdw.dll
2007-06-11 10:02 8,192 --a------ C:\WINDOWS\system32\j0251839.exe
2007-06-11 10:02 13,844 --a------ C:\WINDOWS\system32\srjqyxbs.exe
2007-06-08 01:17 2,580 --a------ C:\WINDOWS\system32\tjlgcygp.exe
2007-06-02 19:22 <DIR> d-------- C:\DOCUME~1\Ed\APPLIC~1\Sony Corporation
2007-06-02 19:21 6,097 --a------ C:\WINDOWS\system32\drivers\sonyhcb.sys
2007-06-02 19:21 53,248 --a------ C:\WINDOWS\system32\SONYHCY.DLL
2007-06-02 19:21 38,739 --a------ C:\WINDOWS\system32\drivers\sonyhcc.sys
2007-06-02 19:21 3,654 --a------ C:\WINDOWS\system32\drivers\Sonyhcp.dll
2007-06-02 19:21 299,923 --a------ C:\WINDOWS\system32\drivers\sonyhcs.sys
2007-06-02 19:21 102,220 --a------ C:\WINDOWS\system32\drivers\sonypvs1.sys
2007-06-02 19:21 <DIR> d-------- C:\Drivers
2007-06-02 19:17 <DIR> d-------- C:\Program Files\Sony
2007-06-02 17:50 2,003,176 --a------ C:\DOCUME~1\Ed\WindowsInstaller-KB884016-v2-x86.exe
2007-06-02 17:50 120,464 --a------ C:\DOCUME~1\Ed\FL_Client_Installer.exe
2007-05-31 02:44 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-05-31 02:44 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-05-31 02:44 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-05-31 02:44 740,442 --a------ C:\WINDOWS\system32\DivX.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-19 13:02:56 -------- d-----w C:\DOCUME~1\Ed\APPLIC~1\Skype
2007-06-18 04:55:10 -------- d-----w C:\Program Files\Trillian
2007-06-02 23:22:02 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-02 21:52:45 -------- d-----w C:\Program Files\QuickTime
2007-06-01 21:09:06 -------- d-----w C:\Program Files\DivX
2007-05-31 06:45:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-05-17 03:14:29 -------- d-----w C:\Program Files\AC3Filter
2007-05-17 03:11:05 -------- d-----w C:\Program Files\GPL MPEG Decoder
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-08 00:41:47 -------- d-----w C:\Program Files\support.com
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-23 00:15:29 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-04-23 00:02:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-04-23 00:02:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-04-23 00:02:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-04-23 00:01:47 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-23 00:01:46 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-03-27 07:55:31 129,784 ----a-w C:\WINDOWS\system32\pxafs.dll
2007-03-27 07:55:31 118,520 ----a-w C:\WINDOWS\system32\pxinsi64.exe
2007-03-27 07:55:31 116,472 ----a-w C:\WINDOWS\system32\pxcpyi64.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 14:28]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WCOLOREAL"="C:\Program Files\COMPAQ\Coloreal\coloreal.exe" [2001-09-26 12:30]
"CPQEASYACC"="C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe" [2001-08-15 14:50]
"WorksFUD"="" []
"Microsoft Works Portfolio"="C:\Program Files\Microsoft Works\WksSb.exe" [2000-07-13 16:00]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [2000-07-13 16:00]
"srmclean"="C:\Cpqs\Scom\srmclean.exe" [2001-07-24 17:34]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-08-14 02:27]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-08-25 00:25]
"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe" [2006-09-07 13:19]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 13:54]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-08-14 21:39]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-12-01 01:49]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"ares"="C:\Program Files\Ares\Ares.exe" [2006-07-15 06:34]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{db8863af-2908-11db-8a87-806d6172696f}]
AutoRun\command- F:\CDSTART.EXE


Contents of the 'Scheduled Tasks' folder
2006-11-19 07:33:29 C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp psc 2170 series#1155534445.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-19 09:31:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

cmd.exe [8096]


scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-19 9:32:32
C:\ComboFix-quarantined-files.txt ... 2007-06-19 09:32
C:\ComboFix2.txt ... 2007-06-18 23:40

--- E O F ---

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 9:35:42 AM, on 6/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\WINDOWS\system32\msorcl32.exe
C:\WINDOWS\system32\tmrsrv32.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\system32\j0251839.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Hijackthis\MyScanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redir ... 01&lc=0409
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {0A1AAF6B-6FCD-4DB6-8E02-EB2F0ACA55B6} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114fd.bay114.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b47946.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b31267.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: dns cache reader (DNSCacheReader) - Unknown owner - C:\WINDOWS\system32\j0251839.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
the commissioner
Regular Member
 
Posts: 21
Joined: June 17th, 2007, 12:53 am

Unread postby Elrond » June 21st, 2007, 3:06 am

Did you copy the text from the quote box to a new notepad page and save it as ComboFix-Do and place it on your Desktop next to the ComboFix icon? Did you then drag the ComboFix-Do icon over to the Combofix icon and drop it onto the ComboFix icon? I am asking because there are signs that this was not done or that something is very wrong and I need to know which one it is. If something is not clear or if you misunderstood something please let me know. If you by mistake missed one of the steps in this process please repeat points 3 and 4 from my last post.

If you did all the steps correctly please let me know because then I will have to write up a different set of instructions and discuss what happened with the author of the tool we are using.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Unread postby the commissioner » June 21st, 2007, 8:46 am

I have done all the steps correctly.
the commissioner
Regular Member
 
Posts: 21
Joined: June 17th, 2007, 12:53 am

Unread postby Elrond » June 21st, 2007, 1:02 pm

OK, we will have to do this a different way.

  1. Please open Notepad. Make sure that Word Wrap is turned off (click the Format menu and uncheck Word Wrap). Now copy the text in the codebox to Notepad.

    sc stop DNSCacheReader 
    sc delete DNSCacheReader


    Click on File > Save As....

    In the File Name box, copy and paste in fix.bat
    In the Save as type box, select All Files from the drop-down list.

    Click Save.

    Double click on fix.bat. A Command Prompt window will open and close quickly. That is normal.
  2. Copy/paste the following text inside the code box into a new notepad document. It must be Notepad, not wordpad. Make sure the wordwrap is unchecked in Format.
    REGEDIT4
    
    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System] 
    "DisableTaskMgr"=dword:00000000 
    
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System] 
    "DisableTaskMgr"=dword:00000000
    
    


    Save it to your desktop as fixme.reg. Save it as File Type All Files. Double click fixme.reg and answer yes when asked to merge it into the registry.

    Make sure that there is no space before REGEDIT4, and there is a single space after the last line.


    • Download OTMoveIt by OldTimer from here
    • Double click on OTMoveIt to start OTMoveIt
    • Untick the option to Unregister Dll's and Ocx's (1)
    • Select the contents of the below codebox, then press Ctrl+C to copy it to the clipboard
      C:\WINDOWS\180ax.exe 
      C:\WINDOWS\2020search.dll 
      C:\WINDOWS\2020search2.dll 
      C:\WINDOWS\764.exe 
      C:\WINDOWS\7search.dll 
      C:\WINDOWS\bi.dll 
      C:\WINDOWS\Biprep.exe 
      C:\WINDOWS\bjam.dll 
      C:\WINDOWS\bokja.exe 
      C:\WINDOWS\cdsm32.dll 
      C:\WINDOWS\flt.dll 
      C:\WINDOWS\mspphe.dll 
      C:\WINDOWS\mssvr.exe 
      C:\WINDOWS\pbar.dll 
      C:\WINDOWS\saiemod.dll 
      C:\WINDOWS\salm.exe 
      C:\WINDOWS\satmat.exe 
      C:\WINDOWS\stcloader.exe 
      C:\WINDOWS\SUSP.exe 
      C:\WINDOWS\swin32.dll 
      C:\WINDOWS\sysrlb32.exe 
      C:\WINDOWS\updatetc.exe 
      C:\WINDOWS\voiceip.dll 
      C:\WINDOWS\vxddsk.exe 
      C:\WINDOWS\wml.exe 
      C:\WINDOWS\system32\bszip.dll 
      C:\WINDOWS\system32\gtv_sd.bin 
      C:\WINDOWS\system32\j0251839.exe
      C:\WINDOWS\system32\msorcl32.exe 
      C:\WINDOWS\system32\msdn_lib.dll 
      C:\WINDOWS\system32\MSIXU.DLL 
      C:\WINDOWS\system32\sl.bin 
      C:\WINDOWS\system32\srjqyxbs.exe 
      C:\WINDOWS\system32\tmrsrv32.exe
      C:\WINDOWS\system32\tjlgcygp.exe 
      C:\WINDOWS\system32\vxddsk.exe 
      C:\WINDOWS\system32\wdhbikdw.dll 
      C:\WINDOWS\system32\WER8274.DLL 
      C:\WINDOWS\system32\wfexmevf.dll 
      C:\WINDOWS\system32\wknniuvq.dll 
      C:\WINDOWS\system32\wml.exe
      
    • In OTMoveIt Right click on the box labelled Paste List of Files/Folders to be Moved
    • Click Paste (2)
    • Click MoveIt! (3)
    • Copy and paste the contents of the results box (4) as a reply to this topic
  3. Restart the computer in normal mode
  4. Run a new HijackThis scan and post the log together with the log from OTMoveIt.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem
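As an added example (not the forum's, ComboFix's or regedit's code), the Python below checks the fixme.reg text from this post against the two formatting rules Elrond gives (nothing before REGEDIT4, a blank line after the last value) and diffs it against the "Reg Loading Points" section of the ComboFix log earlier in the thread, where HKCU DisableTaskMgr was reported as 1. Function names and the lower-cased key comparison are my own.

```python
"""Check a REGEDIT4 fix file against the rules given in the post above and
diff it against ComboFix's "Reg Loading Points".

Added example, not code from the forum, ComboFix or regedit. FIXME_REG is the
fix from the post; REG_LOADING_POINTS is from the ComboFix log in this thread.
"""
import re
from typing import Dict, List, Tuple

KEY = re.compile(r"^\[(.+)\]$")
REG_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')  # .reg syntax
CF_VALUE = re.compile(r'^"([^"]+)"=(\d+) \(0x[0-9A-Fa-f]+\)$')  # ComboFix syntax

FIXME_REG = (
    "REGEDIT4\n\n"
    "[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]\n"
    '"DisableTaskMgr"=dword:00000000\n\n'
    "[HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System]\n"
    '"DisableTaskMgr"=dword:00000000\n\n'
)

# ComboFix prints live values as "Name"=1 (0x1) under lower-cased keys.
REG_LOADING_POINTS = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
"""

Values = Dict[Tuple[str, str], int]  # (key lower-cased, value name) -> dword


def validate_reg(text: str) -> List[str]:
    """Return the problems the instructions warn about; empty means OK."""
    problems = []
    lines = text.split("\n")
    if lines[0] != "REGEDIT4":
        problems.append("first line must be exactly REGEDIT4 with no leading space")
    if not text.endswith("\n\n"):
        problems.append("file must end with a blank line after the last value")
    for ln in lines[1:]:
        if ln and not (KEY.match(ln) or REG_DWORD.match(ln)):
            problems.append(f"unrecognised line: {ln!r}")
    return problems


def _parse(text: str, value_re, conv) -> Values:
    values, key = {}, None
    for ln in text.splitlines():
        m = KEY.match(ln)
        if m:
            key = m.group(1).lower()  # registry key names are case-insensitive
            continue
        m = value_re.match(ln)
        if m and key:
            values[(key, m.group(1))] = conv(m.group(2))
    return values


def parse_reg(text: str) -> Values:
    """dword values of a REGEDIT4 file (hex in the file, int here)."""
    return _parse(text, REG_DWORD, lambda hx: int(hx, 16))


def parse_loading_points(text: str) -> Values:
    """The same values as ComboFix renders them."""
    return _parse(text, CF_VALUE, int)


def policy_changes(fix: str, current: str) -> List[Tuple[str, str, int, int]]:
    """(key, name, current, new) for each value that merging the fix changes."""
    new, cur = parse_reg(fix), parse_loading_points(current)
    return [(k, n, cur[(k, n)], v) for (k, n), v in new.items()
            if (k, n) in cur and cur[(k, n)] != v]
```

Against the log in this thread the diff contains a single entry: the HKCU DisableTaskMgr value goes from 1 back to 0, while the HKLM value is already 0 and is left alone.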

Unread postby the commissioner » June 21st, 2007, 11:53 pm

OTMoveIt Log


C:\WINDOWS\180ax.exe moved successfully.
C:\WINDOWS\2020search.dll moved successfully.
C:\WINDOWS\2020search2.dll moved successfully.
File/Folder C:\WINDOWS\764.exe not found.
C:\WINDOWS\7search.dll moved successfully.
C:\WINDOWS\bi.dll moved successfully.
C:\WINDOWS\Biprep.exe moved successfully.
C:\WINDOWS\bjam.dll moved successfully.
C:\WINDOWS\bokja.exe moved successfully.
C:\WINDOWS\cdsm32.dll moved successfully.
C:\WINDOWS\flt.dll moved successfully.
C:\WINDOWS\mspphe.dll moved successfully.
C:\WINDOWS\mssvr.exe moved successfully.
C:\WINDOWS\pbar.dll moved successfully.
C:\WINDOWS\saiemod.dll moved successfully.
C:\WINDOWS\salm.exe moved successfully.
C:\WINDOWS\satmat.exe moved successfully.
C:\WINDOWS\stcloader.exe moved successfully.
C:\WINDOWS\SUSP.exe moved successfully.
C:\WINDOWS\swin32.dll moved successfully.
C:\WINDOWS\sysrlb32.exe moved successfully.
C:\WINDOWS\updatetc.exe moved successfully.
C:\WINDOWS\voiceip.dll moved successfully.
C:\WINDOWS\vxddsk.exe moved successfully.
C:\WINDOWS\wml.exe moved successfully.
File/Folder C:\WINDOWS\system32\bszip.dll not found.
C:\WINDOWS\system32\gtv_sd.bin moved successfully.
C:\WINDOWS\system32\j0251839.exe moved successfully.
C:\WINDOWS\system32\msorcl32.exe moved successfully.
C:\WINDOWS\system32\msdn_lib.dll moved successfully.
C:\WINDOWS\system32\MSIXU.DLL moved successfully.
C:\WINDOWS\system32\sl.bin moved successfully.
C:\WINDOWS\system32\srjqyxbs.exe moved successfully.
C:\WINDOWS\system32\tmrsrv32.exe moved successfully.
C:\WINDOWS\system32\tjlgcygp.exe moved successfully.
C:\WINDOWS\system32\vxddsk.exe moved successfully.
C:\WINDOWS\system32\wdhbikdw.dll moved successfully.
C:\WINDOWS\system32\WER8274.DLL moved successfully.
C:\WINDOWS\system32\wfexmevf.dll moved successfully.
C:\WINDOWS\system32\wknniuvq.dll moved successfully.
C:\WINDOWS\system32\wml.exe moved successfully.

Created on 06/20/2007 23:50:29
the commissioner
Regular Member
 
Posts: 21
Joined: June 17th, 2007, 12:53 am
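As an added example (not OTMoveIt's, ComboFix's or the forum's code), the Python below reconciles an OTMoveIt log like the one above against the list that was requested and against the "Other Deletions" from the earlier ComboFix run, so that each "not found" line is explained rather than ignored. The excerpts are constructed from paths in this thread; tmrsrv32.exe is deliberately left out of the log excerpt to exercise the unaccounted branch, and the bucket names are my own.

```python
"""Reconcile an OTMoveIt result log against the list of files that was
requested and against ComboFix's earlier "Other Deletions".

Added example, not code from OTMoveIt, ComboFix or the forum. Paths are from
this thread; the log excerpt is constructed and omits tmrsrv32.exe on purpose.
"""
import re
from typing import Dict, List

REQUESTED = r"""
C:\WINDOWS\180ax.exe
C:\WINDOWS\764.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\j0251839.exe
C:\WINDOWS\system32\tmrsrv32.exe
C:\WINDOWS\system32\wdhbikdw.dll
C:\WINDOWS\system32\wml.exe
"""

OTMOVEIT_LOG = r"""
C:\WINDOWS\180ax.exe moved successfully.
File/Folder C:\WINDOWS\764.exe not found.
C:\WINDOWS\wml.exe moved successfully.
File/Folder C:\WINDOWS\system32\bszip.dll not found.
C:\WINDOWS\system32\j0251839.exe moved successfully.
C:\WINDOWS\system32\wdhbikdw.dll moved successfully.
C:\WINDOWS\system32\wml.exe moved successfully.

Created on 06/20/2007 23:50:29
"""

# "Other Deletions" from the ComboFix run that preceded OTMoveIt.
COMBOFIX_DELETED = r"""
C:\Program Files\install.log
C:\WINDOWS\764.exe
C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\wmvds32.dll
"""

MOVED = re.compile(r"^(.+?) moved successfully\.$")
NOT_FOUND = re.compile(r"^File/Folder (.+?) not found\.$")


def paths(text: str) -> List[str]:
    """Non-empty lines of a plain path list, whitespace trimmed."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]


def parse_otmoveit(text: str) -> Dict[str, str]:
    """Lower-cased path -> 'moved' or 'not found'; other lines are skipped."""
    outcome = {}
    for ln in text.splitlines():
        m = MOVED.match(ln)
        if m:
            outcome[m.group(1).lower()] = "moved"
            continue
        m = NOT_FOUND.match(ln)
        if m:
            outcome[m.group(1).lower()] = "not found"
    return outcome


def reconcile(requested: str, ot_log: str, cf_deleted: str) -> Dict[str, List[str]]:
    """Place every requested path in exactly one bucket.

    moved                : OTMoveIt removed it.
    already_deleted      : OTMoveIt did not find it, and ComboFix had deleted it.
    not_found_unexplained: OTMoveIt did not find it and nothing accounts for that.
    unaccounted          : the log says nothing about it at all (re-run needed).
    """
    outcome = parse_otmoveit(ot_log)
    deleted = {p.lower() for p in paths(cf_deleted)}
    buckets = {"moved": [], "already_deleted": [],
               "not_found_unexplained": [], "unaccounted": []}
    for p in paths(requested):
        status = outcome.get(p.lower())
        if status == "moved":
            buckets["moved"].append(p)
        elif status == "not found" and p.lower() in deleted:
            buckets["already_deleted"].append(p)
        elif status == "not found":
            buckets["not_found_unexplained"].append(p)
        else:
            buckets["unaccounted"].append(p)
    return buckets
```

On the full log above, the two "not found" entries, 764.exe and bszip.dll, both appear under ComboFix's "Other Deletions", so every requested file is accounted for.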

Unread postby the commissioner » June 22nd, 2007, 12:01 am

Logfile of HijackThis v1.99.1
Scan saved at 11:57:57 PM, on 6/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
C:\Program Files\Microsoft Works\WksSb.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Unlocker\UnlockerAssistant.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Compaq\Easy Access Button Support\CPQEADM.EXE
C:\COMPAQ\CPQINET\CPQInet.exe
C:\PROGRA~1\Compaq\EASYAC~1\BttnServ.exe
C:\WINDOWS\runservice.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpoevm08.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Hijackthis\MyScanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://runonce.msn.com/?v=msgrv75
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://store.presario.net/scripts/redir ... 01&lc=0409
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\COMPAQ\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [CPQEASYACC] C:\Program Files\Compaq\Easy Access Button Support\StartEAK.exe
O4 - HKLM\..\Run: [Microsoft Works Portfolio] C:\Program Files\Microsoft Works\WksSb.exe /AllUsers
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKLM\..\Run: [srmclean] C:\Cpqs\Scom\srmclean.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: hp psc 2000 Series.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpobnz08.exe
O4 - Global Startup: hpoddt01.exe.lnk = ?
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Support - {0A1AAF6B-6FCD-4DB6-8E02-EB2F0ACA55B6} - C:\Program Files\Internet Explorer\SIGNUP\Presario.htm (file missing) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://store.presario.net/scripts/redirectors/presario/storeredir2.dll?s=consumerfav&c=3c01&lc=0409
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by114fd.bay114.hotmail.msn.com/r ... nPUpld.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Me ... b31267.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZI ... b47946.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/So ... b31267.cab
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/aol ... _en_dl.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Compaq Advisor (Compaq_RBA) - NeoPlanet - C:\Program Files\Compaq\Compaq Advisor\bin\compaq-rba.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
O23 - Service: PCTEL Speaker Phone (Pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe

Unread postby Elrond » June 22nd, 2007, 2:03 am

It looks good. The junk is gone from the logs.

This scan needs to be done in Internet Explorer.

Go here to run an online scanner from Kaspersky.

  • Click on "Kaspersky Online Scanner"
  • A new smaller window will pop up. After reading the contents, press on "Accept".
  • Now Kaspersky will update the anti-virus database. Let it run.
  • Click on "Next">"Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
  • Then click on "My Computer", and the scan will start.
  • Once finished, save the log as "KAV.txt" to the desktop.


Is your Task Manager OK? Click on Alt Ctrl Delete at the same time. Does this open the Task Manager?

Unread postby the commissioner » June 22nd, 2007, 8:48 am

I'm doing your steps just as I'm typing this... I'm leaving tomorrow morning, therefore today is the last day we can try to clean my computer. :(

Unread postby Elrond » June 22nd, 2007, 10:17 am

The Kaspersky scan is really only a last checkup. Get the log to me as soon as possible and also let me know how the computer is behaving.
As soon as I have checked the Kaspersky log I will let you know if you can go ahead with the rest of the post.

Your computer seems clean and we will believe that it is so if Kaspersky does not show anything serious and if the computer is behaving as it should.

I will have to go off-line in a bit less than 2 hours and will not be back until tomorrow your time about 19:30 and I am waiting for that last log that I hope to go through before that time.

However if I can not get back to you in time before you leave I will give you some instructions to remove the debris that is left over from the clean up. I am also giving you some advice on how to keep the computer clean and safe.

If your computer is behaving normally now you can go ahead and do the following:
Clean up with OTMoveIt:
Open OTMoveIt once more
Close all other programs as this step will require a reboot
On the OTMoveIt main screen, press the CleanUp! button
Say Yes to the prompt and then allow the program to reboot your computer.

You can also remove Combofix, Fix.bat, fixme.reg, SDFix.

This is my normal post for when you are clean - which you now seem to be.

  1. Clean out Temporary Files etc. Download System Security Suite from http://www.igorshpak.net/software/3ssetup104.zip. Extract it from the zip file into a folder and double click on sss.exe. Check the boxes under the 'Items to Clear' tab and click 'Clear Selected Items'. Reboot when prompted. It is a good idea to do this every few weeks as a lot of junk collects there over time.

    Now that you appear to have a clean computer, please follow these simple steps in order to keep your computer clean and secure:
  2. Disable and Enable System Restore. - You are using Windows XP and because infections can hide in System Restore you should disable and re-enable system restore to make sure there are no infected files found in a restore point.
    You can find instructions on how to enable and re-enable system restore here: Windows XP System Restore Guide
    Be sure that you enable the system restore again.
  3. Make your Internet Explorer more secure - This can be done by following these simple instructions:
    1. From within Internet Explorer click on the Tools menu and then click on Options.
    2. Click once on the Security tab
    3. Click once on the Internet icon so it becomes highlighted.
    4. Click once on the Custom Level button.
      1. Change the Download signed ActiveX controls to Prompt
      2. Change the Download unsigned ActiveX controls to Disable
      3. Change the Initialise and script ActiveX controls not marked as safe to Disable
      4. Change the Installation of desktop items to Prompt
      5. Change the Launching programs and files in an IFRAME to Prompt
      6. Change the Navigate sub-frames across different domains to Prompt
      7. When all these settings have been made, click on the OK button.
      8. If it prompts you as to whether or not you want to save the settings, press the Yes button.
    5. Next press the Apply button and then the OK to exit the Internet Properties page.
  4. Use an Anti Virus Software - It is very important that your computer has an anti-virus software running on your machine. This alone can save you a lot of trouble with malware in the future.
  5. Update your Anti Virus Software - It is imperative that you update your Anti virus software at least once a week (Once a day is a good idea). If you do not update your anti virus software it will not be able to catch new variants that come out.
  6. Use a Firewall - I can not stress how important it is that you use a Firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. Simply using a Firewall in its default configuration can lower your risk greatly. Windows Firewall is not recommended.
    Be restrictive with granting access to the internet. If you are unsure if the program really needs the access, test it by denying the access and see if this has any negative effects. If not, make the block permanent.
  7. Never run two Antivirus programs or two Firewalls at the same time. They can interfere with each other and cause problems.
  8. Visit Microsoft's Windows Update Site Frequently or better yet set computer for automatic updates.
  9. Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
  10. Read and follow the suggestions given at this web site by Miekiemoes http://users.telenet.be/bluepatchy/miek ... ntion.html that will give you more information on some of the points above.

Follow this list and your potential for being infected again will reduce dramatically.

Stand up and be Counted.
NOW is the time you can start to hit back at the people who infected you.
Please take the time to go and complain - that forum has a topic for your infection which is Vundo and some bots. Please post as a reply, you do not need to register to do so (but you can if you wish). It will also have a list of other places you can go to register your complaint, depending on the country you are resident in. Please read the topics and complain, it is only with such complaints to government or government agencies that something will get done.
Last edited by Elrond on June 22nd, 2007, 10:26 am, edited 1 time in total.
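One way to read a Kaspersky report of the shape requested above, as an added Python example that is not part of this thread nor code from Kaspersky, OTMoveIt or HijackThis: it sorts every detection by where it lives on disk, so hits inside System Restore points, inside the removal tools' own quarantine and backup folders, or inside a P2P shared folder are kept apart from anything still active on the live system. That split is exactly why the post asks for System Restore to be disabled and re-enabled and for the tool folders to be removed. The sample report lines are constructed to mirror the KAV log format; `{PLACEHOLDER-GUID}`, `placeholder.dll` and `Trojan.Win32.Example.a` are invented stand-ins, and the follow-up actions per bucket are assumptions drawn from the steps in this post.

```python
"""Triage a Kaspersky Online Scanner report by where each detection lives.

Added example (not code from this thread or from Kaspersky/OTMoveIt/HijackThis):
hits inside restore points, cleanup-tool quarantine/backup folders, or a P2P
shared folder are leftover debris; only hits outside those buckets mean the
machine is still infected.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of the KAV report on this page.
# {PLACEHOLDER-GUID}, placeholder.dll and Trojan.Win32.Example.a are invented.
SAMPLE_REPORT = """\
Infected Object Name / Virus Name / Last Action
C:\\Documents and Settings\\Ed\\NTUSER.DAT Object is locked skipped
C:\\Documents and Settings\\Ed\\Local Settings\\Application Data\\Ares\\My Shared Folder\\some installer with keygen.zip/Setup.exe Infected: P2P-Worm.Win32.VB.dw skipped
C:\\Documents and Settings\\Ed\\Local Settings\\Application Data\\Ares\\My Shared Folder\\some installer with keygen.zip ZIP: infected - 1 skipped
C:\\Program Files\\Hijackthis\\backups\\backup-20070619-092442-107.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kj skipped
C:\\Program Files\\Hijackthis\\backups\\backup-20070619-092442-273.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\\QooBox\\Quarantine\\C\\WINDOWS\\system32\\awvvu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\\System Volume Information\\_restore{PLACEHOLDER-GUID}\\RP324\\A0135504.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\\_OTMoveIt\\MovedFiles\\WINDOWS\\system32\\j0251839.exe Infected: Trojan.Win32.Agent.aom skipped
C:\\WINDOWS\\system32\\placeholder.dll Infected: Trojan.Win32.Example.a skipped
"""

# One KAV result line: <path> <outcome> skipped
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:"
    r"(?P<locked>Object is locked)"
    r"|(?P<verdict>Infected|Suspicious): (?P<name>\S+)"
    r"|(?P<archive>\w+): infected - (?P<count>\d+)"
    r") skipped$"
)

# Where a hit sits on disk decides what it means; first match wins.
CONTAINERS = [
    ("restore_point", re.compile(r"\\System Volume Information\\_restore", re.I)),
    ("tool_quarantine", re.compile(r"\\(QooBox\\Quarantine|_OTMoveIt\\MovedFiles)\\", re.I)),
    ("tool_backup", re.compile(r"\\(Hijackthis|SDFix)\\backups\\", re.I)),
    ("p2p_share", re.compile(r"\\Ares\\My Shared Folder\\", re.I)),
]

# Follow-up per bucket (assumed mapping, based on the steps in this post).
ACTIONS = {
    "restore_point": "disable and re-enable System Restore to flush infected restore points",
    "tool_quarantine": "run the tool's own CleanUp! so its quarantine folder is deleted",
    "tool_backup": "delete the removal tools and their backup folders once confirmed clean",
    "p2p_share": "delete the downloaded archive from the P2P shared folder",
    "live": "still active on disk: the machine is not clean, continue the removal",
}


def classify_location(path):
    """Return the bucket a path belongs to, or 'live' if it is in none of them."""
    for label, rx in CONTAINERS:
        if rx.search(path):
            return label
    return "live"


def parse_report(text):
    """Yield (path, kind, detail) for each result line; kind is locked/hit/archive."""
    for line in text.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue  # header, separators and statistics lines
        if m.group("locked"):
            yield m.group("path"), "locked", None
        elif m.group("verdict"):
            yield m.group("path"), "hit", m.group("name")
        else:
            yield m.group("path"), "archive", int(m.group("count"))


def triage(text):
    """Count locked files and archive summaries, and bucket every hit by location."""
    result = {"locked": 0, "archives": 0, "hits": defaultdict(list)}
    for path, kind, detail in parse_report(text):
        if kind == "locked":
            result["locked"] += 1
        elif kind == "archive":
            result["archives"] += 1  # the member inside was already counted
        else:
            result["hits"][classify_location(path)].append((path, detail))
    result["hits"] = dict(result["hits"])
    return result


def is_clean(result):
    """Clean means no hit outside the debris buckets."""
    return "live" not in result["hits"]


def next_steps(result):
    """Map each populated bucket to its follow-up action."""
    return {bucket: ACTIONS[bucket] for bucket in result["hits"]}


if __name__ == "__main__":
    r = triage(SAMPLE_REPORT)
    print(f"locked/skipped: {r['locked']}, archive summaries: {r['archives']}")
    for bucket, action in next_steps(r).items():
        print(f"{bucket}: {len(r['hits'][bucket])} hit(s) -> {action}")
    print("clean:", is_clean(r))
```

Run it as a script to get a per-bucket summary; `is_clean` returns False only when a hit falls outside every container bucket, which is the same distinction the post draws between leftover debris and a live infection. Locked files are counted but never treated as hits, since "Object is locked" only means the scanner could not open a file that was in use.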

Unread postby the commissioner » June 22nd, 2007, 10:23 am

As soon as the scan finishes I will post it.

Unread postby the commissioner » June 22nd, 2007, 10:24 am

And thanks for all your help.

Unread postby the commissioner » June 22nd, 2007, 11:44 am

The Task Manager opens and works fine.

Here's the KAV log

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Thursday, June 21, 2007 11:41:26 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 22/06/2007
Kaspersky Anti-Virus database records: 350971
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 85146
Number of viruses found: 18
Number of infected objects: 83
Number of suspicious objects: 3
Duration of the scan process: 02:49:18

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Microsoft\Works\Portfolio\Sample.wsb Object is locked skipped
C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\cl83wtvx.default\cert8.db Object is locked skipped
C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\cl83wtvx.default\formhistory.dat Object is locked skipped
C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\cl83wtvx.default\history.dat Object is locked skipped
C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\cl83wtvx.default\key3.db Object is locked skipped
C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\cl83wtvx.default\parent.lock Object is locked skipped
C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\cl83wtvx.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Ed\Application Data\Mozilla\Firefox\Profiles\cl83wtvx.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Ed\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Ares\My Shared Folder\adobe flash professional cs3 v9 0 with working keygen.zip/Setup.exe Infected: P2P-Worm.Win32.VB.dw skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Ares\My Shared Folder\adobe flash professional cs3 v9 0 with working keygen.zip ZIP: infected - 1 skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Microsoft\Messenger\edmondku89@hotmail.com\SharingMetadata\Logs\Dfsr00005.log Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Microsoft\Messenger\edmondku89@hotmail.com\SharingMetadata\pending.dat Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Microsoft\Messenger\edmondku89@hotmail.com\SharingMetadata\Working\database_1CE4_B966_E4B9_42B6\dfsr.db Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Microsoft\Messenger\edmondku89@hotmail.com\SharingMetadata\Working\database_1CE4_B966_E4B9_42B6\fsr.log Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Microsoft\Messenger\edmondku89@hotmail.com\SharingMetadata\Working\database_1CE4_B966_E4B9_42B6\fsrtmp.log Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Microsoft\Messenger\edmondku89@hotmail.com\SharingMetadata\Working\database_1CE4_B966_E4B9_42B6\tmp.edb Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Microsoft\Windows Live Contacts\edmondku89@hotmail.com\real\members.stg Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Microsoft\Windows Live Contacts\edmondku89@hotmail.com\shadow\members.stg Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Mozilla\Firefox\Profiles\cl83wtvx.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Mozilla\Firefox\Profiles\cl83wtvx.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Mozilla\Firefox\Profiles\cl83wtvx.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Application Data\Mozilla\Firefox\Profiles\cl83wtvx.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\History\History.IE5\MSHist012007062120070622\index.dat Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Temp\~DF111E.tmp Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Temp\~DF112D.tmp Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Temp\~DFE762.tmp Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Temp\~DFE7AA.tmp Object is locked skipped
C:\Documents and Settings\Ed\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Ed\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Ed\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Hijackthis\backups\backup-20070619-092442-107.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kj skipped
C:\Program Files\Hijackthis\backups\backup-20070619-092442-273.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\Program Files\SDFix\backups\backups.zip/backups/retadpu1000137.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Program Files\SDFix\backups\backups.zip/backups/retadpu1000140.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Program Files\SDFix\backups\backups.zip/backups/retadpu1000140.exe.tmp Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\Program Files\SDFix\backups\backups.zip ZIP: infected - 3 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\awvvu.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jojaadre.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kfiirdge.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mmhaxqwy.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\otwvbgnh.dll.vir Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\petxalhq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rqmivieb.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\russixxq.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tuvssrr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\voigwekw.dll.vir Infected: Trojan.Win32.BHO.bd skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wmguuwsk.dll.vir Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wmvds32.dll.vir Infected: Trojan-Downloader.Win32.VB.asx skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP313\A0128874.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP314\A0128977.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP315\A0129096.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP316\A0129120.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP316\A0129121.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP318\A0129728.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP319\A0129766.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP321\A0129816.exe Infected: Backdoor.Win32.EggDrop.v skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP321\A0129817.exe Infected: P2P-Worm.Win32.VB.dw skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP321\A0129870.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP321\A0129911.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP321\A0129935.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP321\A0130935.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP321\A0131935.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP321\A0131936.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP321\A0131958.exe Infected: Trojan.Win32.VB.azo skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP321\A0131968.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP321\A0131991.exe Infected: Trojan.Win32.VB.azo skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP322\A0131997.exe Infected: Trojan.Win32.VB.azo skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP322\A0132086.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP322\A0132110.exe Infected: Trojan.Win32.VB.azo skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP322\A0133086.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP322\A0133108.exe Infected: Trojan.Win32.VB.azo skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP323\A0133115.exe Infected: Trojan.Win32.VB.azo skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP323\A0133126.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP323\A0134148.exe Infected: Trojan.Win32.VB.azo skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP323\A0134169.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP323\A0134199.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP323\A0134225.exe Infected: Trojan.Win32.VB.azo skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP324\A0134228.exe Infected: Trojan.Win32.VB.azo skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP324\A0134238.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP324\A0134306.exe Infected: Trojan.Win32.VB.azo skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP324\A0134340.exe Infected: Trojan.Win32.VB.azo skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP324\A0135396.exe Infected: Trojan.Win32.VB.azo skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP324\A0135397.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP324\A0135398.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP324\A0135399.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP324\A0135400.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP324\A0135401.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP324\A0135402.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP324\A0135403.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP324\A0135404.dll Infected: Trojan-Spy.Win32.VBStat.h skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP324\A0135411.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP324\A0135412.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP324\A0135504.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP324\A0135505.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP324\A0135523.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP324\A0135524.exe Infected: Trojan-Downloader.Win32.Agent.bls skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP324\A0135600.exe Infected: Trojan.Win32.VB.azo skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP324\A0135630.exe Infected: Trojan.Win32.VB.azo skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP324\A0135655.exe Infected: Trojan.Win32.VB.azo skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP324\A0135687.exe Infected: Trojan.Win32.VB.azo skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP324\A0136078.exe Infected: Trojan.Win32.VB.azo skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP325\A0136094.exe Infected: Trojan.Win32.VB.azo skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP325\A0136131.exe Infected: Trojan.Win32.VB.azo skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP325\A0136139.dll Infected: Trojan-Downloader.Win32.VB.asx skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP326\A0136147.exe Infected: Trojan.Win32.VB.azo skipped
C:\System Volume Information\_restore{3CA41495-F715-4B33-8474-955D02E0A9BC}\RP327\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\mmf.sys Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\sysrlb32.exe Infected: Trojan.Win32.VB.azo skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\j0251839.exe Infected: Trojan.Win32.Agent.aom skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\msdn_lib.dll Infected: Trojan-Downloader.Win32.VB.apq skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\tjlgcygp.exe Infected: Trojan.Win32.Agent.anr skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\tmrsrv32.exe Infected: Trojan-Downloader.Win32.VB.avl skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\wdhbikdw.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kj skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\wfexmevf.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\_OTMoveIt\MovedFiles\WINDOWS\system32\wknniuvq.dll Suspicious: Packed.Win32.Morphine.a skipped
D:\Recycled\Q337751.exe Infected: Trojan-Downloader.Win32.Small.ajy skipped

Scan process completed.
the commissioner
Regular Member
 
Posts: 21
Joined: June 17th, 2007, 12:53 am