Please help: See Hijackthis.log

Post by skg » November 21st, 2007, 1:37 am

Hi,

My IE seems to be infected with some virus. Every time I submit a search using either Yahoo or Google search, it opens several unrelated sites. I have Symantec antivirus but it doesn't seem to be able to find the virus.

Please review my HijackThis log file. Any help is much appreciated.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 9:36:33 PM, on 11/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\System32\svchost.exe
C:\oracle\product\10.1.0\Client_1\bin\omtsreco.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\SGandham\Desktop\HiJackThis_v2.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\SGandham\Desktop\Hijack\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5F282770-AB2B-4453-A5CF-91600360503B} - C:\WINDOWS\system32\ddayw.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\tuvtrop.dll
O2 - BHO: {03e9e8f1-d0c6-d4fa-f1d4-806a7606948e} - {e8496067-a608-4d1f-af4d-6c0d1f8e9e30} - C:\WINDOWS\system32\qglpwfpw.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [systray] C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvMainApp] "C:\Documents and Settings\All Users\Application Data\nvapp.exe"
O4 - HKLM\..\Run: [30445e9e] rundll32.exe "C:\WINDOWS\system32\aiaegepm.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://daz02app257.corp.homestore.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {48D5324D-D593-47DF-AAE4-18CB09F1F86F} (Siebel High Interactivity Framework) - http://crm.corp.homestore.net/sales_enu ... Client.cab
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} (SopCore Control) - http://download.sopcast.com/download/SOPCORE.CAB
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://secure.move.com/dana-cached/set ... tupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.homestore.net
O17 - HKLM\Software\..\Telephony: DomainName = corp.homestore.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.homestore.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = corp.homestore.net,sites.homestore.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.homestore.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = corp.homestore.net,sites.homestore.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.homestore.net,sites.homestore.net
O20 - Winlogon Notify: cryptnet32 - C:\WINDOWS\SYSTEM32\cryptnet32.dll
O20 - Winlogon Notify: tuvtrop - C:\WINDOWS\SYSTEM32\tuvtrop.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dkab_device - - C:\WINDOWS\system32\DKabcoms.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\product\10.1.0\Client_1\bin\omtsreco.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 7638 bytes


Thanks,
SKG
skg
Active Member
 
Posts: 11
Joined: November 21st, 2007, 1:25 am

Re: Please help: See Hijackthis.log

Post by Gary R » November 21st, 2007, 7:03 am

Looking over your log, back ASAP.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Please help: See Hijackthis.log

Post by Gary R » November 21st, 2007, 7:38 am

Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.


I'm Gary R, I'll be glad to help you with your computer problems.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • Remember, absence of symptoms does not mean the infection is all gone.
If you can do these things, everything should go smoothly.
  • Please note you'll need to have Administrator privileges to perform the fixes. (XP accounts are Administrator by default)

First

You are using the Beta version of HJT from your Desktop. Please delete this version.

Download HJTInstall.exe to your Desktop.
  • Double-click HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis.
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Close HijackThis, we don't need a scan at this point.

Please use this version when I ask for any HJT scans.

I'd like you to check a couple of files for Viruses.
C:\WINDOWS\system32\DKabcoms.exe
C:\WINDOWS\SYSTEM32\cryptnet32.dll


  • Click on the Browse button at the top of the screen.
  • Browse to the first file on the list.
  • Click OK.
  • Click Send, and the file will upload to VirusTotal / Jotti, where it will be scanned by several anti-virus programmes.
  • After a while, a window will open, with details of what the scans found.
  • Note details of any viruses found.
  • Repeat for all files on the list, and post me the details please.

Question: I can't find anything definitive on this site, corp.homestore.net. There are several entries relating to it in your HJT log; do you know what it relates to?

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files; click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.
Note: It is possible that VundoFix will encounter a file it can't remove. In this case, VundoFix will run on reboot. Simply follow the above instructions starting from Click the Scan for Vundo button when VundoFix appears at reboot.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Please help: See Hijackthis.log

Post by skg » November 21st, 2007, 9:41 pm

Thank you Gary for your quick response.
I followed the steps you listed.

I ran the files on VirusTotal and cryptnet32.dll came back with a report. The other file did not show any issues.



    File cryptnet32.dll received on 11.22.2007 02:29:57 (CET)

    Result: 6/32 (18.75%)

    Antivirus Version Last Update Result
    AhnLab-V3 - - -
    AntiVir - - TR/Crypt.ULPM.Gen
    Authentium - - -
    Avast - - -
    AVG - - -
    BitDefender - - -
    CAT-QuickHeal - - -
    ClamAV - - -
    DrWeb - - -
    eSafe - - -
    eTrust-Vet - - -
    Ewido - - -
    FileAdvisor - - -
    Fortinet - - -
    F-Prot - - W32/Injector.A.gen!Eldorado
    F-Secure - - -
    Ikarus - - -
    Kaspersky - - -
    McAfee - - -
    Microsoft - - -
    NOD32v2 - - -
    Norman - - -
    Panda - - Suspicious file
    Prevx1 - - Heuristic: Suspicious File With Persistence
    Rising - - -
    Sophos - - -
    Sunbelt - - VIPRE.Suspicious
    Symantec - - -
    TheHacker - - -
    VBA32 - - -
    VirusBuster - - -
    Webwasher-Gateway - - Trojan.Crypt.ULPM.Gen
    Additional information
    MD5: 1782b5bf59a5d7f964ca17b8ebde1473


Here is the output of the HJT log.
corp.homestore.net is my company's domain URL.
Scan for Vundo did not find any files.





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:36:23 PM, on 11/21/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\System32\svchost.exe
C:\oracle\product\10.1.0\Client_1\bin\omtsreco.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [systray] C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NvMainApp] "C:\Documents and Settings\All Users\Application Data\nvapp.exe"
O4 - HKLM\..\Run: [30445e9e] rundll32.exe "C:\WINDOWS\system32\aiaegepm.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://daz02app257.corp.homestore.net
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {48D5324D-D593-47DF-AAE4-18CB09F1F86F} (Siebel High Interactivity Framework) - http://crm.corp.homestore.net/sales_enu ... Client.cab
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} (SopCore Control) - http://download.sopcast.com/download/SOPCORE.CAB
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://secure.move.com/dana-cached/set ... tupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.homestore.net
O17 - HKLM\Software\..\Telephony: DomainName = corp.homestore.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.homestore.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = corp.homestore.net,sites.homestore.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.homestore.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = corp.homestore.net,sites.homestore.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.homestore.net,sites.homestore.net
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dkab_device - - C:\WINDOWS\system32\DKabcoms.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\product\10.1.0\Client_1\bin\omtsreco.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6523 bytes

Thanks
SKG
skg
Active Member
 
Posts: 11
Joined: November 21st, 2007, 1:25 am

Re: Please help: See Hijackthis.log

Post by Gary R » November 22nd, 2007, 4:41 am

Hi SKG,

Thanks for the information.

Strange, there were things on your last log that definitely indicated a Vundo infection, yet they are not there now, and you say VundoFix found nothing.

I'm a suspicious soul, so I'd like you to run another scan for me.

  • Download combofix.exe by sUBs to your Desktop.
  • Alternate Download
  • Double click combofix.exe & follow the prompts.
  • When finished, it will produce a log for you. Post that log in your next reply please, along with a new HJT log. (it can also be found at C:\Combofix.txt)
IMPORTANT
  • Do not use your computer while Combofix is running.
  • Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire

Re: Please help: See Hijackthis.log

Post by skg » November 22nd, 2007, 2:57 pm


Hi Gary,

I ran ComboFix, and below is the log from it. I also need to mention that lately on startup I am getting a DOS window with the following message: "The NTDVM CPU has encountered an illegal instruction" for nvapp.exe. I click on close and it goes away.

    ComboFix 07-11-19.3 - skg 2007-11-22 10:08:50.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1298 [GMT -8:00]
    Running from: C:\Documents and Settings\skg\Desktop\ComboFix.exe
    * Created a new restore point
    .

    Unable to gain System Privileges

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\WINDOWS\cookies.ini
    C:\WINDOWS\system32\ddayw.dll
    C:\WINDOWS\system32\drivers\npf.sys
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\wyadd.ini
    C:\WINDOWS\system32\wyadd.ini2
    C:\WINDOWS\winshow.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_NPF
    -------\NPF


    ((((((((((((((((((((((((( Files Created from 2007-10-22 to 2007-11-22 )))))))))))))))))))))))))))))))
    .

    2007-11-22 00:22 79,936 --a------ C:\WINDOWS\system32\eqxtdthb.dll
    2007-11-22 00:15 760,184 ---hs---- C:\WINDOWS\system32\lsneptma.ini
    2007-11-22 00:15 84,585 --a------ C:\WINDOWS\system32\amtpensl.dll
    2007-11-21 23:50 <DIR> d-------- C:\Temp\abW9
    2007-11-21 23:50 <DIR> d-------- C:\Temp
    2007-11-21 23:50 36,352 --a------ C:\WINDOWS\system32\cbxutqo.dll
    2007-11-21 21:19 715,679 --ahs---- C:\WINDOWS\system32\oqtydxla.ini
    2007-11-21 21:13 79,936 --a------ C:\WINDOWS\system32\caglcajg.dll
    2007-11-21 17:14 <DIR> d-------- C:\Program Files\Trend Micro
    2007-11-21 17:00 <DIR> d-------- C:\VundoFix Backups
    2007-11-20 21:19 80,960 --a------ C:\WINDOWS\system32\qglpwfpw.dll
    2007-11-20 21:13 845,090 --ahs---- C:\WINDOWS\system32\mpegeaia.ini
    2007-11-19 23:26 0 --a------ C:\WINDOWS\nsreg.dat
    2007-11-19 23:11 295 --a------ C:\Documents and Settings\All Users\Application Data\nvapp.exe
    2007-11-19 21:21 <DIR> d-------- C:\Documents and Settings\skg\Application Data\Apple Computer
    2007-11-19 21:12 689,343 --ahs---- C:\WINDOWS\system32\hdurglpc.ini
    2007-11-19 21:09 83,008 --a------ C:\WINDOWS\system32\joeigcqt.dll
    2007-11-19 00:10 <DIR> d-------- C:\WINDOWS\SQLTools9_KB934458_ENU
    2007-11-19 00:06 <DIR> d-------- C:\WINDOWS\DTS9_KB934458_ENU
    2007-11-19 00:04 <DIR> d-------- C:\WINDOWS\NS9_KB934458_ENU
    2007-11-18 23:53 <DIR> d-------- C:\WINDOWS\SQL9_KB934458_ENU
    2007-11-18 23:43 <DIR> d-------- C:\Program Files\Windows Defender
    2007-11-18 23:32 7,168 --a------ C:\WINDOWS\system32\bitsprx4.dll
    2007-11-18 21:08 677,141 --ahs---- C:\WINDOWS\system32\mxafyalg.ini
    2007-11-18 21:04 <DIR> d-------- C:\Documents and Settings\DEVSQLSVC\Application Data\Yahoo!
    2007-11-18 02:31 9,216 --a------ C:\WINDOWS\system32\cryptnet32.dll
    2007-11-18 02:31 5,632 --a------ C:\WINDOWS\system32\nview32.dll
    2007-11-18 02:31 5,120 --a------ C:\WINDOWS\system32\nnvapi.dll
    2007-11-18 02:28 <DIR> d-------- C:\WINDOWS\PerfInfo
    2007-11-18 01:27 <DIR> d-------- C:\Program Files\QdrDrive
    2007-11-16 19:40 <DIR> d-------- C:\Program Files\Apple Software Update
    2007-11-16 19:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2007-11-15 06:40 <DIR> d-------- C:\Program Files\Common Files\NSV
    2007-11-06 15:18 <DIR> d-------- C:\WINDOWS\ms
    2007-11-02 21:51 <DIR> d-------- C:\Documents and Settings\skg\Application Data\IsolatedStorage
    2007-10-23 19:19 <DIR> d-a------ C:\putty
    2007-10-23 16:59 <DIR> d-------- C:\share

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-22 18:21 --------- d-----w C:\Program Files\Symantec AntiVirus
    2007-11-20 05:25 --------- d-----w C:\Program Files\QuickTime
    2007-11-19 19:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
    2007-11-19 08:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2007-11-19 08:11 --------- d-----w C:\Program Files\Microsoft SQL Server
    2007-11-19 05:08 79,424 ----a-w C:\WINDOWS\system32\tckcovgg.dll
    2007-11-18 09:27 36,352 ----a-w C:\WINDOWS\system32\tuvtrop.dll
    2007-10-23 03:46 --------- d-----w C:\Program Files\Juniper Networks
    2007-10-23 03:46 --------- d-----w C:\Documents and Settings\skg\Application Data\Juniper Networks
    2007-10-19 17:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Juniper Networks
    2007-10-02 23:51 63,024 ----a-w C:\WINDOWS\system32\drivers\NEOFLTR_600_12141.sys
    2007-10-02 23:47 61,510 ----a-w C:\WINDOWS\system32\dsGinaLoader.dll
    2007-10-02 23:32 23,552 ----a-w C:\WINDOWS\system32\drivers\dsNcAdpt.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]
    2007-11-18 01:27 36352 --a------ C:\WINDOWS\system32\tuvtrop.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e0da69df-fe78-429b-81f6-8f0f2a8271ca}]
    2007-11-22 00:22 79936 --a------ C:\WINDOWS\system32\eqxtdthb.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 19:17]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 19:13]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 19:17]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 07:04]
    "systray"="C:\Program Files\Dell\Dell Mobile Broadband\systray.exe" [2007-04-13 13:27]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 16:14]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-15 00:40]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 02:10]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
    "NvMainApp"="C:\Documents and Settings\All Users\Application Data\nvapp.exe" [2007-11-19 23:11]
    "30445e9e"="C:\WINDOWS\system32\amtpensl.dll" [2007-11-22 00:15]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsMenu"= 1 (0x1)

    [hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"= C:\WINDOWS\system32\tuvtrop.dll [2007-11-18 01:27 36352]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet32]
    cryptnet32.dll 2007-11-18 02:31 9216 C:\WINDOWS\system32\cryptnet32.dll
    C:\WINDOWS\system32\NavLogon.dll 2006-06-15 00:40 43760 C:\WINDOWS\system32\NavLogon.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvtrop]
    tuvtrop.dll 2007-11-18 01:27 36352 C:\WINDOWS\system32\tuvtrop.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddayw.dll

    R1 NEOFLTR_600_12141;Juniper Networks TDI Filter Driver (NEOFLTR_600_12141);\??\C:\WINDOWS\system32\Drivers\NEOFLTR_600_12141.SYS
    R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe
    R2 MsDtsServer;SQL Server Integration Services;"C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe"
    R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
    R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys
    R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys
    R3 NWDellModem;Dell Wireless Mobile Broadband Modem Driver;C:\WINDOWS\system32\DRIVERS\nwdelmdm.sys
    R3 NWDellPort;Dell Wireless Mobile Broadband Status Port Driver;C:\WINDOWS\system32\DRIVERS\nwdelser.sys
    R3 prepdrvr;SMS Process Event Driver;\??\C:\WINDOWS\system32\CCM\prepdrv.sys
    R3 USBCCID;USB Smart Card reader;C:\WINDOWS\system32\DRIVERS\usbccid.sys
    S3 dkab_device;dkab_device;C:\WINDOWS\system32\DKabcoms.exe -service
    S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-17 03:41:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2007-11-22 18:23:54 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-22 10:23:46
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql]
    "ImagePath"="\"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
    .
    Completion time: 2007-11-22 10:26:31 - machine was rebooted
    .
    --- E O F ---
Here is the latest HJT log after running ComboFix.
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:30, on 2007-11-22
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\oracle\product\10.1.0\Client_1\bin\omtsreco.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [systray] C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [NvMainApp] "C:\Documents and Settings\All Users\Application Data\nvapp.exe"
    O4 - HKLM\..\Run: [30445e9e] rundll32.exe "C:\WINDOWS\system32\amtpensl.dll",b
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://daz02app257.corp.homestore.net
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {48D5324D-D593-47DF-AAE4-18CB09F1F86F} (Siebel High Interactivity Framework) - http://crm.corp.homestore.net/sales_enu ... Client.cab
    O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} (SopCore Control) - http://download.sopcast.com/download/SOPCORE.CAB
    O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://secure.move.com/dana-cached/set ... tupSP1.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.homestore.net
    O17 - HKLM\Software\..\Telephony: DomainName = corp.homestore.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.homestore.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = corp.homestore.net,sites.homestore.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.homestore.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = corp.homestore.net,sites.homestore.net
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.homestore.net,sites.homestore.net
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: dkab_device - - C:\WINDOWS\system32\DKabcoms.exe
    O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\product\10.1.0\Client_1\bin\omtsreco.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 6618 bytes

Here is the Symantec AntiVirus Auto-Protect log.


    Risk,Filename,Original Location,Status,Date
    Downloader,search[2].htm,C:\Documents and Settings\skg\Local Settings\Temporary Internet Files\Content.IE5\OZ6RE96P\,Infected,2007-11-07 11:16:34 PM
    Downloader,rMa13yy2218.exe,C:\WINDOWS\system32\rMa13yy\,Infected,2007-11-18 2:29:46 AM
    Trojan.Peacomm.D,??????,??????,Infected,2007-11-18 8:43:13 AM
    Trojan.Peacomm.D,??????,??????,Infected,2007-11-18 8:43:15 AM
    Trojan.Peacomm.D,??????,??????,Infected,2007-11-18 8:43:17 AM
    Trojan.Peacomm.D,??????,??????,Infected,2007-11-18 8:43:17 AM
    Trojan.Peacomm.D,??????,??????,Infected,2007-11-18 8:43:18 AM
    Trojan.Peacomm.D,??????,??????,Infected,2007-11-18 8:43:18 AM
    Trojan.Peacomm.D,a1b77fc6-7515-40d4-af7d-40b94c27aa39[1].exe,C:\Documents and Settings\skg\Local Settings\Temporary Internet Files\Content.IE5\NYSJV5KD\,Infected,2007-11-18 9:03:28 PM
    Trojan.Peacomm.D,.tt1.tmp,C:\DOCUME~1\skg\LOCALS~1\Temp\,Infected,2007-11-18 9:04:15 PM
    Downloader,??????,??????,Infected,2007-11-18 10:11:25 PM
    Downloader,??????,??????,Infected,2007-11-18 10:11:45 PM
    Trojan.Peacomm.D,a1b77fc6-7515-40d4-af7d-40b94c27aa39[1].exe,C:\Documents and Settings\skg\Local Settings\Temporary Internet Files\Content.IE5\1GSZHDSP\,Infected,2007-11-18 10:13:32 PM
    Trojan.Peacomm.D,.tt3.tmp,C:\DOCUME~1\skg\LOCALS~1\Temp\,Infected,2007-11-18 10:13:42 PM
    ??????,jvmimpro.jar-502064fb-19618651.zip,C:\Documents and Settings\skg\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\,Still contains 1 infected items,2007-11-18 10:16:27 PM
    Trojan.Peacomm.D,a1b77fc6-7515-40d4-af7d-40b94c27aa39[1].exe,C:\Documents and Settings\skg\Local Settings\Temporary Internet Files\Content.IE5\OPDRJGZD\,Infected,2007-11-18 10:41:19 PM
    Trojan.Peacomm.D,.tt1.tmp,C:\DOCUME~1\skg\LOCALS~1\Temp\,Infected,2007-11-18 10:41:23 PM
    Downloader,A0012446.exe,C:\System Volume Information\_restore{8F5762AB-FD82-4544-A2F2-FAD52C7EC1D9}\RP75\,Infected,2007-11-19 10:19:09 AM
    Trojan.Vundo,rpqdshjm.dll,C:\WINDOWS\system32\,Infected,2007-11-19 10:52:07 AM
    Trojan.Vundo,A0013314.dll,C:\System Volume Information\_restore{8F5762AB-FD82-4544-A2F2-FAD52C7EC1D9}\RP80\,Infected,2007-11-19 12:12:18 PM
    Trojan.Peacomm.D,a1b77fc6-7515-40d4-af7d-40b94c27aa39[1].exe,C:\Documents and Settings\skg\Local Settings\Temporary Internet Files\Content.IE5\0JNFMK11\,Infected,2007-11-19 5:09:10 PM
    Trojan.Peacomm.D,.tt13.tmp,C:\DOCUME~1\skg\LOCALS~1\Temp\,Infected,2007-11-19 5:09:18 PM
    Trojan.Peacomm.D,??????,??????,Infected,2007-11-19 8:50:18 PM
    Trojan.Peacomm.D,??????,??????,Infected,2007-11-19 8:50:19 PM
    Trojan.Peacomm.D,??????,??????,Infected,2007-11-19 8:50:21 PM
    Trojan.Peacomm.D,??????,??????,Infected,2007-11-19 8:50:21 PM
    Trojan.Peacomm.D,a1b77fc6-7515-40d4-af7d-40b94c27aa39[1].exe,C:\Documents and Settings\skg\Local Settings\Temporary Internet Files\Content.IE5\GVPNQIJP\,Infected,2007-11-19 8:55:21 PM
    Trojan.Peacomm.D,.tt5.tmp,C:\DOCUME~1\skg\LOCALS~1\Temp\,Infected,2007-11-19 8:55:30 PM
    Trojan.Vundo,??????,??????,Infected,2007-11-19 10:12:06 PM
    Trojan.Peacomm.D,??????,??????,Infected,2007-11-19 10:12:14 PM
    Trojan.Peacomm.D,??????,??????,Infected,2007-11-19 10:12:17 PM
    Trojan.Peacomm.D,a1b77fc6-7515-40d4-af7d-40b94c27aa39[1].exe,C:\Documents and Settings\skg\Local Settings\Temporary Internet Files\Content.IE5\NYSJV5KD\,Infected,2007-11-19 10:13:57 PM
    Trojan.Peacomm.D,.tt4.tmp,C:\DOCUME~1\skg\LOCALS~1\Temp\,Infected,2007-11-19 10:14:06 PM
    Trojan.Vundo,plgdufri.dll,C:\Documents and Settings\skg\Local Settings\Temp\,Infected,2007-11-20 9:05:37 PM
    Trojan.Vundo,ipswdbmb.dll,C:\Documents and Settings\skg\Local Settings\Temp\,Infected,2007-11-21 9:08:01 PM
    Downloader,rMa02yy1099.exe,C:\WINDOWS\system32\rMa02yy\,Infected,2007-11-21 11:51:24 PM
    Downloader,stany[1].exe,C:\Documents and Settings\skg\Local Settings\Temporary Internet Files\Content.IE5\R49H7KWC\,Infected,2007-11-21 11:51:48 PM
    Downloader.MisleadApp,install_en.exe,C:\Documents and Settings\skg\Local Settings\Temp\,Infected,2007-11-22 12:02:01 AM
    Trojan.Vundo,upd32_v14[1],C:\Documents and Settings\skg\Local Settings\Temporary Internet Files\Content.IE5\EDLANETW\,Infected,2007-11-22 12:12:06 AM
    Trojan.Vundo,poiu[1],C:\Documents and Settings\skg\Local Settings\Temporary Internet Files\Content.IE5\0JNFMK11\,Infected,2007-11-22 12:25:29 AM

Thanks again for all your help.

~SKG
skg
Active Member
 
Posts: 11
Joined: November 21st, 2007, 1:25 am

Re: Please help: See Hijackthis.log

Unread postby Gary R » November 22nd, 2007, 5:09 pm

OK, still a bit to do.

  • Click Start > Run type Notepad click OK.
  • This will open an empty Notepad file.
  • Copy/Paste the contents of the box below into Notepad.
Code:
Files::
C:\WINDOWS\system32\eqxtdthb.dll
C:\WINDOWS\system32\lsneptma.ini
C:\WINDOWS\system32\amtpensl.dll
C:\WINDOWS\system32\cbxutqo.dll
C:\WINDOWS\system32\oqtydxla.ini
C:\WINDOWS\system32\caglcajg.dll
C:\WINDOWS\system32\qglpwfpw.dll
C:\WINDOWS\system32\mpegeaia.ini
C:\WINDOWS\system32\hdurglpc.ini
C:\WINDOWS\system32\joeigcqt.dll
C:\WINDOWS\system32\mxafyalg.ini
C:\WINDOWS\system32\cryptnet32.dll
C:\WINDOWS\system32\nnvapi.dll
C:\WINDOWS\system32\tckcovgg.dll
C:\WINDOWS\system32\tuvtrop.dll
C:\WINDOWS\system32\ddayw.dll
C:\Documents and Settings\All Users\Application Data\nvapp.exe

Folders::
C:\Temp\abW9
C:\Temp
C:\WINDOWS\PerfInfo
C:\Program Files\QdrDrive
C:\Program Files\Common Files\NSV

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e0da69df-fe78-429b-81f6-8f0f2a8271ca}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"30445e9e"=-
"NvMainApp"=-
[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet32]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvtrop]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
  • Click Format and ensure Wordwrap is unchecked.
  • Save as CFScript.txt to your Desktop.
Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Combofix will now process that file.

When finished, it will produce a log for you. Post that log in your next reply please, along with a new HJT log. (it can also be found at C:\Combofix.txt)

Please do an online scan with Kaspersky Online Scanner

Note: You must be using Internet Explorer as your browser, as it will be necessary to install an ActiveX component on your computer.

Important: If you have previously used Kaspersky Online Scanner (before 8th Aug 2006), you will have to uninstall the old version using Add/Remove Programs in Control Panel before you can use the new version.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky; click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:

    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK.
  • Now under select a target to scan select My Computer.
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Note: The Kaspersky online scanner is not yet fully compatible with IE7. You may get returned to a window without the Accept/Decline buttons after allowing the ActiveX control. The buttons are there - you just can't see them! Click on the zoom button (bottom, right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.

Run a new HJT scan please and send me the log.

Summary of the logs I need from you in your next post:
  • Combofix log
  • Kaspersky log
  • New HJT log


Please post each log separately to prevent them being cut off by the forum post size limiter.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
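The CFScript above is a small declarative format: three sections (Files::, Folders::, Registry::) with .reg-style lines, where [-KEY] deletes a key, "name"=- deletes a value and the hex(7) line rewrites a REG_MULTI_SZ. As an added example (not ComboFix's own code, nor anything posted in this thread), here is a Python parser for that format that decodes the hex(7) bytes and summarises what the script will do, including a check that the LSA Authentication Packages reset still lists msv1_0; the section names and line syntax are assumed from the script as posted, and the sample input is an abbreviated copy of it.

```python
"""Parser for the ComboFix CFScript format used in the post above (added
example, not ComboFix's own code). Syntax assumed from the script as posted:
'Files::', 'Folders::', 'Registry::' section headers; in the registry section
'[KEY]' selects a key, '[-KEY]' deletes it, '"name"=-' deletes a value and
'"name"=hex(7):..' sets a REG_MULTI_SZ value from comma-separated hex bytes."""
import re
from dataclasses import dataclass, field

_SECTION = re.compile(r"^(Files|Folders|Registry)::\s*$", re.I)
_VALUE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


@dataclass
class RegOp:
    op: str            # "delete_key", "delete_value" or "set_value"
    key: str
    name: str = ""
    data: list = None  # decoded REG_MULTI_SZ strings for set_value


@dataclass
class CFScript:
    files: list = field(default_factory=list)
    folders: list = field(default_factory=list)
    registry: list = field(default_factory=list)


def decode_multi_sz(hex_field):
    """Decode hex(7) bytes into the strings of a REG_MULTI_SZ. The posted
    script writes one byte per character (6d,73,.. = "msv1_0"); regedit
    exports write UTF-16LE, assumed when every odd byte is zero."""
    raw = bytes(int(b, 16) for b in hex_field.split(",") if b.strip())
    utf16 = raw and len(raw) % 2 == 0 and not any(raw[1::2])
    text = raw.decode("utf-16-le" if utf16 else "latin-1")
    return [s for s in text.split("\x00") if s]   # NUL-separated, NUL NUL end


def parse_cfscript(text):
    """Parse CFScript text into file, folder and registry operations."""
    script, section, key = CFScript(), None, None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            section = m.group(1).lower()
        elif section == "files":
            script.files.append(line)
        elif section == "folders":
            script.folders.append(line)
        elif section == "registry" and line.startswith("[") and line.endswith("]"):
            if line[1] == "-":                        # [-KEY] deletes the key
                script.registry.append(RegOp("delete_key", line[2:-1]))
                key = None
            else:                                     # [KEY] selects it
                key = line[1:-1]
        elif section == "registry" and key and (v := _VALUE.match(line)):
            name, data = v.group("name"), v.group("data")
            if data == "-":
                script.registry.append(RegOp("delete_value", key, name))
            elif data.lower().startswith("hex(7):"):
                script.registry.append(
                    RegOp("set_value", key, name, decode_multi_sz(data[7:])))
            else:
                raise ValueError(f"unsupported value syntax: {line!r}")
        else:
            raise ValueError(f"cannot parse line: {line!r}")
    return script


def describe(script):
    """Summarise what the script will do; the LSA reset must still list
    msv1_0, since Windows logon stops working without that package."""
    notes = [f"delete {len(script.files)} file(s), {len(script.folders)} folder(s)"]
    for op in script.registry:
        low, leaf = op.key.lower(), op.key.rsplit("\\", 1)[-1]
        if op.op == "delete_key" and "browser helper objects" in low:
            notes.append(f"unregister BHO {leaf}")
        elif op.op == "delete_key" and "winlogon\\notify" in low:
            notes.append(f"remove Winlogon notify package {leaf}")
        elif op.op == "delete_value" and low.endswith("currentversion\\run"):
            notes.append(f"remove autostart entry {op.name}")
        elif op.op == "set_value" and op.name == "Authentication Packages":
            if "msv1_0" not in op.data:
                raise ValueError("Authentication Packages must keep msv1_0")
            notes.append(f"reset LSA Authentication Packages to {op.data}")
    return notes


# Abbreviated copy of the script from the post above, used as sample input.
SAMPLE_CFSCRIPT = r"""
Files::
C:\WINDOWS\system32\amtpensl.dll
C:\Documents and Settings\All Users\Application Data\nvapp.exe
Folders::
C:\Program Files\QdrDrive
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"30445e9e"=-
"NvMainApp"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvtrop]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"""
```

Calling describe(parse_cfscript(SAMPLE_CFSCRIPT)) lists the BHO, autostart and Winlogon notify removals and shows that the hex(7) line sets Authentication Packages back to just msv1_0.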

Re: Please help: See Hijackthis.log

Unread postby skg » November 23rd, 2007, 5:26 am

Hi Gary,

This is the combofix log. I am running the second step now....
ComboFix 07-11-19.3 - skg 2007-11-22 23:44:05.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1179 [GMT -8:00]
Running from: C:\Documents and Settings\skg\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\skg\Desktop\CFScript.txt
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ddayw.dll
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\wyadd.ini
C:\WINDOWS\system32\wyadd.ini2
C:\WINDOWS\winshow.exe

.
((((((((((((((((((((((((( Files Created from 2007-10-23 to 2007-11-23 )))))))))))))))))))))))))))))))
.

2007-11-22 23:57 <DIR> d-------- C:\Temp\tn3
2007-11-22 23:51 <DIR> d-------- C:\WINDOWS\system32\n8
2007-11-22 23:51 <DIR> d-------- C:\WINDOWS\system32\i2
2007-11-22 23:51 <DIR> d-------- C:\WINDOWS\system32\g2
2007-11-22 23:51 <DIR> d-------- C:\WINDOWS\system32\b1
2007-11-22 23:51 <DIR> d-------- C:\Temp\1cb
2007-11-22 23:51 80,640 --a------ C:\WINDOWS\system32\drivers\core.sys
2007-11-22 23:51 932 --a------ C:\WINDOWS\system32\drivers\core.cache.dsk
2007-11-22 23:14 1,339,681 --ahs---- C:\WINDOWS\system32\yndowkuo.ini
2007-11-22 23:14 84,585 --a------ C:\WINDOWS\system32\oukwodny.dll
2007-11-22 23:08 83,520 --a------ C:\WINDOWS\system32\pkuqrmbu.dll
2007-11-21 23:50 <DIR> d-------- C:\WINDOWS\system32\rMa02yy
2007-11-21 23:50 <DIR> d-------- C:\Temp\abW9
2007-11-21 23:50 <DIR> d-------- C:\Temp
2007-11-21 23:50 36,352 --a------ C:\WINDOWS\system32\cbxutqo.dll
2007-11-21 21:19 715,679 --ahs---- C:\WINDOWS\system32\oqtydxla.ini
2007-11-21 21:13 79,936 --a------ C:\WINDOWS\system32\caglcajg.dll
2007-11-21 20:16 1,165 --a------ C:\WINDOWS\mozver.dat
2007-11-21 17:14 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-21 17:00 <DIR> d-------- C:\VundoFix Backups
2007-11-20 21:19 80,960 --a------ C:\WINDOWS\system32\qglpwfpw.dll
2007-11-19 23:26 0 --a------ C:\WINDOWS\nsreg.dat
2007-11-19 23:11 295 --a------ C:\Documents and Settings\All Users\Application Data\nvapp.exe
2007-11-19 21:21 <DIR> d-------- C:\Documents and Settings\skg\Application Data\Apple Computer
2007-11-19 00:10 <DIR> d-------- C:\WINDOWS\SQLTools9_KB934458_ENU
2007-11-19 00:06 <DIR> d-------- C:\WINDOWS\DTS9_KB934458_ENU
2007-11-19 00:04 <DIR> d-------- C:\WINDOWS\NS9_KB934458_ENU
2007-11-18 23:53 <DIR> d-------- C:\WINDOWS\SQL9_KB934458_ENU
2007-11-18 23:43 <DIR> d-------- C:\Program Files\Windows Defender
2007-11-18 23:32 <DIR> d-------- C:\WINDOWS\system32\bits
2007-11-18 23:32 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx4.dll
2007-11-18 23:32 7,168 --a------ C:\WINDOWS\system32\bitsprx4.dll
2007-11-18 21:08 79,424 --a------ C:\WINDOWS\system32\tckcovgg.dll
2007-11-18 21:04 <DIR> d-------- C:\Documents and Settings\DEVSQLSVC\Application Data\Yahoo!
2007-11-18 02:28 <DIR> d-------- C:\WINDOWS\PerfInfo
2007-11-18 01:27 <DIR> d-------- C:\Program Files\QdrDrive
2007-11-18 01:27 36,352 --a------ C:\WINDOWS\system32\tuvtrop.dll
2007-11-16 19:40 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-16 19:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-15 06:40 <DIR> d-------- C:\Program Files\Common Files\NSV
2007-11-06 15:18 <DIR> d-------- C:\WINDOWS\ms
2007-11-02 21:51 <DIR> d-------- C:\Documents and Settings\skg\Application Data\IsolatedStorage
2007-10-23 19:19 <DIR> d-a------ C:\putty
2007-10-23 16:59 <DIR> d-------- C:\share

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-23 07:55 --------- d-----w C:\Program Files\Symantec AntiVirus
2007-11-23 07:50 37,376 ----a-w C:\WINDOWS\system32\efccded.dll
2007-11-23 07:38 36,352 ----a-w C:\WINDOWS\system32\jkkjigg.dll
2007-11-22 08:22 79,936 ----a-w C:\WINDOWS\system32\eqxtdthb.dll
2007-11-20 06:14 5,632 ----a-w C:\WINDOWS\system32\nview32.dll
2007-11-20 06:14 5,120 ----a-w C:\WINDOWS\system32\nnvapi.dll
2007-11-20 05:25 --------- d-----w C:\Program Files\QuickTime
2007-11-20 05:09 83,008 ----a-w C:\WINDOWS\system32\joeigcqt.dll
2007-11-19 19:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
2007-11-19 08:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-11-19 08:11 --------- d-----w C:\Program Files\Microsoft SQL Server
2007-11-18 10:31 9,216 ----a-w C:\WINDOWS\system32\cryptnet32.dll
2007-10-23 03:46 --------- d-----w C:\Program Files\Juniper Networks
2007-10-23 03:46 --------- d-----w C:\Documents and Settings\skg\Application Data\Juniper Networks
2007-10-19 17:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Juniper Networks
2007-10-02 23:51 63,024 ----a-w C:\WINDOWS\system32\drivers\NEOFLTR_600_12141.sys
2007-10-02 23:47 61,510 ----a-w C:\WINDOWS\system32\dsGinaLoader.dll
2007-10-02 23:32 23,552 ----a-w C:\WINDOWS\system32\drivers\dsNcAdpt.sys
.

((((((((((((((((((((((((((((( snapshot@2007-11-22_10.25.08.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-16 07:07:10 117,913 ----a-w C:\WINDOWS\system32\n8\ensts2dll.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{48ba9342-8004-4f98-a241-f0b021bcf2a3}]
2007-11-22 23:08 83520 --a------ C:\WINDOWS\system32\pkuqrmbu.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]
2007-11-18 01:27 36352 --a------ C:\WINDOWS\system32\tuvtrop.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 19:17]
"igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 19:13]
"igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 19:17]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 07:04]
"systray"="C:\Program Files\Dell\Dell Mobile Broadband\systray.exe" [2007-04-13 13:27]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 16:14]
"vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-15 00:40]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 02:10]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"= 1 (0x1)

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"= C:\WINDOWS\system32\tuvtrop.dll [2007-11-18 01:27 36352]
C:\WINDOWS\system32\NavLogon.dll 2006-06-15 00:40 43760 C:\WINDOWS\system32\NavLogon.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvtrop]
tuvtrop.dll 2007-11-18 01:27 36352 C:\WINDOWS\system32\tuvtrop.dll

R1 core;core;C:\WINDOWS\system32\drivers\core.sys
R1 NEOFLTR_600_12141;Juniper Networks TDI Filter Driver (NEOFLTR_600_12141);\??\C:\WINDOWS\system32\Drivers\NEOFLTR_600_12141.SYS
R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe
R2 MsDtsServer;SQL Server Integration Services;"C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe"
R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys
R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys
R3 NWDellModem;Dell Wireless Mobile Broadband Modem Driver;C:\WINDOWS\system32\DRIVERS\nwdelmdm.sys
R3 NWDellPort;Dell Wireless Mobile Broadband Status Port Driver;C:\WINDOWS\system32\DRIVERS\nwdelser.sys
R3 prepdrvr;SMS Process Event Driver;\??\C:\WINDOWS\system32\CCM\prepdrv.sys
R3 USBCCID;USB Smart Card reader;C:\WINDOWS\system32\DRIVERS\usbccid.sys
S3 dkab_device;dkab_device;C:\WINDOWS\system32\DKabcoms.exe -service
S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80

.
Contents of the 'Scheduled Tasks' folder
"2007-11-17 03:41:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-11-23 07:57:43 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-22 23:58:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql]
"ImagePath"="\"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
.
Completion time: 2007-11-23 0:01:58 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-22 10:26
.
--- E O F ---
skg
Active Member
 
Posts: 11
Joined: November 21st, 2007, 1:25 am

Re: Please help: See Hijackthis.log

Unread postby skg » November 23rd, 2007, 8:44 am

The second log - KASPERSKY log

<html>
<head>
<title>KASPERSKY ONLINE SCANNER REPORT</title>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8'>
</head>

<style>
.pagetitle { font-size:20px; color:#FFFFFF; font-family: Arial, Geneva, sans-serif; }
.text { font-size:11px; font-family: Arial, Geneva, sans-serif; }
TD { font-size:11px; font-family: Arial, Geneva, sans-serif; }
</style>

<body>
<table width='100%' height='110' border='0'>
<tr height='30' align='center' bgcolor='#005447'>
<td colspan='2' height='30' class='pagetitle'>
<b>KASPERSKY ONLINE SCANNER REPORT</b>
</td>
</tr>
<tr height='70'>
<td colspan='2' height='70'>
2007-11-23 04:33<br>
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)<br>
Kaspersky Online Scanner version: 5.0.98.0<br>
Kaspersky Anti-Virus database last update: 23/11/2007<br>
Kaspersky Anti-Virus database records: 464461<br>
</td>
</tr>
<tr height='10'>
<td colspan='2' height='10'>
</td>
</tr>
</table>
<table width='100%' height='145' border='0'>
<tr height='20' bgcolor='#EFEBDE'>
<td colspan='2' height='20'><b>Scan Settings</b></td>
</tr>
<tr height='15'>
<td height='15' width='250'>Scan using the following antivirus database</td>
<td>extended</td>
</tr>
<tr height='15'>
<td height='15'>Scan Archives</td>
<td>true</td>
</tr>
<tr height='15'>
<td height='15'>Scan Mail Bases</td>
<td>true</td>
</tr>
<tr height='10'>
<td colspan='2' height='10'>
</td>
</tr>
<tr height='20' bgcolor='#EFEBDE'>
<td height='20'><b>Scan Target</b></td>
<td>My Computer</td>
</tr>
<tr height='20'>
<td colspan='2' height='20'>
C:\<br>
D:\<br>
Y:\
</td>
</tr>
<tr height='10'>
<td colspan='2' height='10'>
</td>
</tr>
<tr height='20' bgcolor='#EFEBDE'>
<td colspan='2' height='20'><b>Scan Statistics</b></td>
</tr>
<tr height='15'>
<td height='15'>Total number of scanned objects</td>
<td>54100</td>
</tr>
<tr height='15'>
<td height='15'>Number of viruses found</td>
<td>15</td>
</tr>
<tr height='15'>
<td height='15'>Number of infected objects</td>
<td>52</td>
</tr>
<tr height='15'>
<td height='15'>Number of suspicious objects</td>
<td>0</td>
</tr>
<tr height='15'>
<td height='15'>Duration of the scan process</td>
<td>01:51:03</td>
</tr>
</table>
<br>
<table width='100%' border='0'>
<tr height='20' bgcolor='#EFEBDE'>
<td height='20'><b>Infected Object Name</b></td>
<td width='200'><b>Virus Name</b></td>
<td width='100'><b>Last Action</b></td>
</tr>
<tr height='20'>
<td height='20'>C:\4da9894165d4025a83db883f803c\%temp%dd_msxml_retMSI.txt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Microsoft\Windows Defender\Support\MPLog-11182007-234409.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A800000\4FC6A0EA.VBN </td>
<td>Infected: not-a-virus:AdWare.Win32.SecToolBar.k </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A800001\4FC6A2C2.VBN </td>
<td>Infected: Trojan-Downloader.Win32.Tiny.id </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A800002\4FC6A8C6.VBN </td>
<td>Infected: Trojan-Downloader.Win32.VB.bto </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A800005\4FC6A955.VBN </td>
<td>Infected: Trojan-Downloader.Win32.Small.gll </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A800006\4FC6A969.VBN </td>
<td>Infected: Trojan-Dropper.Win32.Agent.chq </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A9C0000\4FDC141A.VBN </td>
<td>Infected: Trojan-Downloader.Win32.VB.bto </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AD40000\4FD633B4.VBN </td>
<td>Infected: Packed.Win32.Tibs.dm </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AD40001\4FD633BE.VBN </td>
<td>Infected: Packed.Win32.Tibs.dm </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AFC0000\4FFD3CDB.VBN </td>
<td>Infected: Trojan-Downloader.Win32.Tiny.id </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B080000.VBN </td>
<td>Infected: Packed.Win32.Tibs.dm </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B080001\4F491947.VBN </td>
<td>Infected: Packed.Win32.Tibs.dm </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0B380000\4F79D399.VBN </td>
<td>Infected: Trojan-Downloader.Win32.Agent.fhv </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C3C0000\4F7E79B2.VBN </td>
<td>Infected: not-a-virus:AdWare.Win32.SecToolBar.k </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C440000\4F452973.VBN </td>
<td>Infected: Packed.Win32.Tibs.dm </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C440001\4F452995.VBN </td>
<td>Infected: Packed.Win32.Tibs.dm </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA40000.VBN </td>
<td>Infected: Packed.Win32.Tibs.dm </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA40001.VBN </td>
<td>Infected: Packed.Win32.Tibs.dm </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D7C0000\4F7E68A1.VBN </td>
<td>Infected: Packed.Win32.Tibs.dm </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0D7C0001\4F7E68C2.VBN </td>
<td>Infected: Packed.Win32.Tibs.dm </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DCC0000\4FCE7D11.VBN </td>
<td>Infected: Trojan-Downloader.Win32.Tiny.id </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DCC0001\4FCE8384.VBN </td>
<td>Infected: Trojan-Downloader.Win32.VB.bto </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DCC0002\4FCE83BC.VBN </td>
<td>Infected: Trojan-Dropper.Win32.Agent.chq </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E6C0000\4F6D39D5.VBN </td>
<td>Infected: not-a-virus:AdWare.Win32.SecToolBar.k </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E840000\4FC50EAF.VBN </td>
<td>Infected: not-a-virus:AdWare.Win32.SecToolBar.k </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E840001\4FC534E1.VBN </td>
<td>Infected: Trojan-Downloader.Win32.VB.bto </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E840002\4FC53513.VBN </td>
<td>Infected: Trojan-Dropper.Win32.Agent.chq </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E840003\4FC53779.VBN </td>
<td>Infected: not-a-virus:Downloader.Win32.WinFixer.au </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EFC0000.VBN/vmain.class </td>
<td>Infected: Exploit.Java.Gimsh.b </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EFC0000.VBN </td>
<td>ZIP: infected - 1 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0EFC0000.VBN </td>
<td>CryptZ: infected - 1 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F4C0000\4F4FBCA0.VBN </td>
<td>Infected: not-a-virus:AdWare.Win32.SecToolBar.k </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F700000\4F727B0C.VBN </td>
<td>Infected: Packed.Win32.Tibs.dm </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F700001\4F727B2E.VBN </td>
<td>Infected: Packed.Win32.Tibs.dm </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\DEVSQLSVC\Cookies\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\DEVSQLSVC\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\DEVSQLSVC\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\DEVSQLSVC\Local Settings\History\History.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\DEVSQLSVC\Local Settings\Temp\Perflib_Perfdata_228.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\DEVSQLSVC\Local Settings\Temp\Perflib_Perfdata_95c.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\DEVSQLSVC\Local Settings\Temporary Internet Files\Content.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\DEVSQLSVC\NTUSER.DAT </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\DEVSQLSVC\ntuser.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\Cookies\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\NTUSER.DAT </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\ntuser.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\Cookies\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\NTUSER.DAT </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\ntuser.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\skg\Application Data\Mozilla\Firefox\Profiles\43b9s6of.default\cert8.db </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\skg\Application Data\Mozilla\Firefox\Profiles\43b9s6of.default\history.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\skg\Application Data\Mozilla\Firefox\Profiles\43b9s6of.default\key3.db </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\skg\Application Data\Mozilla\Firefox\Profiles\43b9s6of.default\search.sqlite </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\skg\Application Data\Mozilla\Firefox\Profiles\43b9s6of.default\urlclassifier2.sqlite </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\skg\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-396c70dc-1a8864fb.zip/vmain.class </td>
<td>Infected: Exploit.Java.Gimsh.b </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\skg\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-396c70dc-1a8864fb.zip </td>
<td>ZIP: infected - 1 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\skg\Application Data\Sun\Java\Deployment\log\plugin150_09.trace </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\skg\Cookies\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\skg\Desktop\backups\backup-20071120-202934-471.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.apn </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\skg\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\skg\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\skg\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\skg\Local Settings\Application Data\Mozilla\Firefox\Profiles\43b9s6of.default\Cache\_CACHE_001_ </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\skg\Local Settings\Application Data\Mozilla\Firefox\Profiles\43b9s6of.default\Cache\_CACHE_002_ </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\skg\Local Settings\Application Data\Mozilla\Firefox\Profiles\43b9s6of.default\Cache\_CACHE_003_ </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\skg\Local Settings\Application Data\Mozilla\Firefox\Profiles\43b9s6of.default\Cache\_CACHE_MAP_ </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\skg\Local Settings\History\History.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\skg\Local Settings\History\History.IE5\MSHist012007112320071124\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\skg\Local Settings\Temp\hsperfdata_skg\3848 </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\skg\Local Settings\Temp\netvlqlh.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\skg\Local Settings\Temporary Internet Files\Content.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\skg\NTUSER.DAT </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\skg\ntuser.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\oracle\product\10.1.0\Client_1\oramts\trace\OracleMTSRecoveryService(572).trc </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Juniper Networks\Common Files\NCService.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\master.mdf </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\mastlog.ldf </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\model.mdf </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\modellog.ldf </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdbdata.mdf </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\STAGE.mdf </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\STAGE_log.ldf </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\tempdb.mdf </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\templog.ldf </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log_61.trc </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\SQLAGENT.OUT </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Symantec AntiVirus\SAVRT\0540NAV~.TMP </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Symantec AntiVirus\SAVRT\0882NAV~.TMP </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\MountPointManagerRemoteDatabase </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{8F5762AB-FD82-4544-A2F2-FAD52C7EC1D9}\RP82\A0014696.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{8F5762AB-FD82-4544-A2F2-FAD52C7EC1D9}\RP82\A0014697.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{8F5762AB-FD82-4544-A2F2-FAD52C7EC1D9}\RP83\A0014812.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.aps </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{8F5762AB-FD82-4544-A2F2-FAD52C7EC1D9}\RP83\A0014859.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.aps </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{8F5762AB-FD82-4544-A2F2-FAD52C7EC1D9}\RP83\A0014936.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.aps </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{8F5762AB-FD82-4544-A2F2-FAD52C7EC1D9}\RP83\A0014973.exe/data0006 </td>
<td>Infected: Trojan-Downloader.Win32.VB.bto </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{8F5762AB-FD82-4544-A2F2-FAD52C7EC1D9}\RP83\A0014973.exe </td>
<td>NSIS: infected - 1 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{8F5762AB-FD82-4544-A2F2-FAD52C7EC1D9}\RP87\A0015160.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.aps </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{8F5762AB-FD82-4544-A2F2-FAD52C7EC1D9}\RP89\A0015253.exe </td>
<td>Infected: Trojan-Downloader.Win32.PurityScan.ey </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{8F5762AB-FD82-4544-A2F2-FAD52C7EC1D9}\RP89\change.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\CSC\00000001 </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\Debug\Netlogon.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\Debug\PASSWD.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{85EE3B55-5C4D-4C9E-BEC6-4A57D8D2A592}.crmlog </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\SchedLgU.Txt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\SoftwareDistribution\EventCache\{B862724D-94EA-4585-8BA3-3F481C29F777}.bin </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\SoftwareDistribution\ReportingEvents.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CatRoot2\edb.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CatRoot2\tmp.edb </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\cbxutqo.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.apx </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\Logs\CcmExec.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\Logs\CertificateMaintenance.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\Logs\ClientIDManagerStartup.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\Logs\LocationServices.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\Logs\mtrmgr.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\Logs\PatchInstall.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\Logs\PatchUIMonitor.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\Logs\PolicyAgent.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\Logs\PolicyAgentProvider.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\Logs\PolicyEvaluator.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\Logs\Scheduler.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\Logs\SrcUpdateMgr.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\Logs\StatusAgent.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\CertificateMaintenanceEndpoint\0000000A.msg </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\CertificateMaintenanceEndpoint\0000000A.que </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\CTMDTSReply\00000006.msg </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\CTMDTSReply\00000006.que </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\execmgr\00000003.msg </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\execmgr\00000003.que </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\InventoryAgent\00000003.msg </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\InventoryAgent\00000003.que </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ReplyLocations\0000000E.msg </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ReplyLocations\0000000E.que </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ScheduledCleanup\00000006.msg </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\LS_ScheduledCleanup\00000006.que </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\MtrMgr\00000001.msg </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\MtrMgr\00000001.que </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PatchUIMonitor\00000001.msg </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PatchUIMonitor\00000001.que </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_Cleanup\00000003.msg </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_Cleanup\00000003.que </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyDownload\00000001.msg </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyDownload\00000001.que </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyEvaluator\0000003A.msg </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_PolicyEvaluator\0000003A.que </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReplyAssignments\00000002.msg </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReplyAssignments\00000002.que </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_RequestAssignments\00000015.msg </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_RequestAssignments\00000015.que </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReRequestPolicy\00000001.msg </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\PolicyAgent_ReRequestPolicy\00000001.que </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\RemoteToolsAgent\00000001.msg </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\RemoteToolsAgent\00000001.que </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\SrcUpdateMgr\00000001.msg </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\SrcUpdateMgr\00000001.que </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\SWMTRReportGen\00000001.msg </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\SWMTRReportGen\00000001.que </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\UpdatesInstallMgr\00000001.msg </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\UpdatesInstallMgr\00000001.que </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\UploadProtocol\00000001.msg </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\EndpointQueues\UploadProtocol\00000001.que </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\amp_[http]mp_locationmanager\0000000G.msg </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\amp_[http]mp_locationmanager\0000000G.que </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\direct_paz02sec920_mp_locationmanager\00000001.msg </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\direct_paz02sec920_mp_locationmanager\00000001.que </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_ddrendpoint\00000001.msg </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_ddrendpoint\00000001.que </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_hinvendpoint\00000001.msg </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_hinvendpoint\00000001.que </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_relayendpoint\00000001.msg </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_relayendpoint\00000001.que </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_sinvendpoint\00000001.msg </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_mp_sinvendpoint\00000001.que </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_statusreceiver\0000000B.msg </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_statusreceiver\0000000B.que </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_locationmanager\0000000T.msg </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_locationmanager\0000000T.que </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_policymanager\00000007.msg </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CCM\ServiceData\Messaging\OutgoingQueues\mp_[http]mp_policymanager\00000007.que </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\AppEvent.Evt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\default </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\default.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SAM </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SAM.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SecEvent.Evt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SECURITY </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SECURITY.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\software </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\software.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SysEvent.Evt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\system </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\system.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\drivers\core.cache.dsk </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\drivers\core.sys </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\efccded.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.ath </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\h323log.txt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\jkkjigg.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.apx </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\MsDtc\MSDTC.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\MsDtc\Trace\dtctrace.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\oukwodny.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.aps </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\tuvtrop.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.apn </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\xfmrgbvr.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.aps </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\WindowsUpdate.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td colspan='3' height='20'><b>Scan process completed.</b></td>
</tr>
</table>
</body>
</html>
skg
Active Member
 
Posts: 11
Joined: November 21st, 2007, 1:25 am

Re: Please help: See Hijackthis.log

Unread postby skg » November 23rd, 2007, 8:55 am

The third log for HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 04:53, on 2007-11-23
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\System32\svchost.exe
C:\oracle\product\10.1.0\Client_1\bin\omtsreco.exe
C:\Program Files\Symantec AntiVirus\SavRoam.exe
C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxpers.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\PROGRA~1\SYMANT~1\VPTray.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\winshow.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [systray] C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [30445e9e] rundll32.exe "C:\WINDOWS\system32\xfmrgbvr.dll",b
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [NvMainApp] "C:\Documents and Settings\All Users\Application Data\nvapp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://daz02app257.corp.homestore.net
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {48D5324D-D593-47DF-AAE4-18CB09F1F86F} (Siebel High Interactivity Framework) - http://crm.corp.homestore.net/sales_enu ... Client.cab
O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} (SopCore Control) - http://download.sopcast.com/download/SOPCORE.CAB
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://secure.move.com/dana-cached/set ... tupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.homestore.net
O17 - HKLM\Software\..\Telephony: DomainName = corp.homestore.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.homestore.net
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = corp.homestore.net,sites.homestore.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.homestore.net
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = corp.homestore.net,sites.homestore.net
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.homestore.net,sites.homestore.net
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: dkab_device - - C:\WINDOWS\system32\DKabcoms.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\product\10.1.0\Client_1\bin\omtsreco.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

--
End of file - 6812 bytes
skg
Active Member
 
Posts: 11
Joined: November 21st, 2007, 1:25 am

Re: Please help: See Hijackthis.log

Unread postby Gary R » November 23rd, 2007, 1:19 pm

OK, looks like we missed something last time and a lot of the infection has returned, let's have another go.

Please keep offline until we get you cleaned up, only go online to download any programmes I ask you to, or to post the logs I ask for.

  • Click Start > Run, type Notepad, click OK.
  • This will open an empty Notepad file.
  • Copy/Paste the contents of the box below into Notepad.
Code:
Files::
C:\WINDOWS\system32\cbxutqo.dll
C:\WINDOWS\system32\efccded.dll
C:\WINDOWS\system32\jkkjigg.dll
C:\WINDOWS\system32\xfmrgbvr.dll
C:\WINDOWS\system32\yndowkuo.ini
C:\WINDOWS\system32\oukwodny.dll
C:\WINDOWS\system32\pkuqrmbu.dll
C:\WINDOWS\system32\oqtydxla.ini
C:\WINDOWS\system32\caglcajg.dll
C:\WINDOWS\system32\qglpwfpw.dll
C:\Documents and Settings\All Users\Application Data\nvapp.exe
C:\WINDOWS\system32\tckcovgg.dll
C:\WINDOWS\system32\tuvtrop.dll

Folders::
C:\WINDOWS\PerfInfo
C:\Program Files\QdrDrive
C:\Program Files\Common Files\NSV
C:\Temp\abW9
C:\Temp
C:\Temp\tn3
C:\WINDOWS\system32\n8
C:\WINDOWS\system32\i2
C:\WINDOWS\system32\g2
C:\WINDOWS\system32\b1
C:\Temp\1cb
C:\WINDOWS\system32\rMa02yy

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{48ba9342-8004-4f98-a241-f0b021bcf2a3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvtrop]

  • Click Format and ensure Wordwrap is unchecked.
  • Save as CFScript.txt to your Desktop.
Image

Referring to the picture above, drag CFScript.txt into ComboFix.exe

Combofix will now process that file.

When finished, it will produce a log for you. Post that log in your next reply please. (it can also be found at C:\Combofix.txt)

I need you to re-name HJT.

  • Go to C:\Program Files\Trend Micro\HijackThis
  • Rename HijackThis.exe to FredFlintstone.exe
  • Run a new scan with HJT (FredFlintstone) and send me the new log please.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
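
Defender-side triage of the HijackThis O4 (autorun) and O23 (service) lines posted above, tagging the same entries the CFScript in the reply targets (the hex-named rundll32 loader, winshow.exe in the Windows root, nvapp.exe under Application Data, the vendor-less dkab_device service). This is an added example, not code from the thread, HijackThis or ComboFix; the regexes and tag names are assumptions of the example, and the sample lines are copied from the posted log as constructed input.

```python
"""Triage HijackThis O4 and O23 lines for the Virtumonde-style indicators
acted on in this thread.  Added example, not code from the thread,
HijackThis or ComboFix; heuristics are assumptions, sample lines are
copied from the posted log."""
import re
from typing import Dict, List

# Constructed sample: O4/O23 lines taken from the HijackThis log posted above.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [30445e9e] rundll32.exe "C:\WINDOWS\system32\xfmrgbvr.dll",b
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow.exe"
O4 - HKLM\..\Run: [NvMainApp] "C:\Documents and Settings\All Users\Application Data\nvapp.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: dkab_device - - C:\WINDOWS\system32\DKabcoms.exe
"""

# "O4 - HKLM\..\Run: [value name] command line"
O4_RE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.*)$')
# "O23 - Service: display name - company - path"; company may be empty ("- -").
O23_RE = re.compile(r'^O23 - Service: (.+?) - (.*?) ?- ([A-Za-z]:\\.*)$')

# rundll32 loading a system32 DLL with a lowercase pseudo-random name via a
# bare one-letter export: the Virtumonde loader shape seen in the log above.
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?[A-Za-z]:\\WINDOWS\\system32\\[a-z]{6,9}\.dll"?,\s*[A-Za-z]$',
    re.I)
# Run value name that is nothing but eight hex digits (e.g. [30445e9e]).
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}$')
# Executable started from an Application Data folder rather than Program Files.
APPDATA_RE = re.compile(r'\\Application Data\\[^\\]+\.exe', re.I)
# Executable dropped directly into C:\WINDOWS (not a subfolder such as system32).
WINROOT_RE = re.compile(r'^"?[A-Za-z]:\\WINDOWS\\[^\\"]+\.exe"?', re.I)


def triage_o4(name: str, cmd: str) -> List[str]:
    """Heuristic tags for one autorun entry; an empty list means nothing odd."""
    flags = []
    if HEX_NAME_RE.match(name):
        flags.append('hex-run-name')
    if RUNDLL_RE.match(cmd):
        flags.append('rundll32-random-dll')
    if APPDATA_RE.search(cmd):
        flags.append('appdata-exe')
    if WINROOT_RE.match(cmd):
        flags.append('windows-root-exe')
    return flags


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged HJT entry to its tags; clean entries are omitted."""
    findings: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            hive, key, name, cmd = m.groups()
            flags = triage_o4(name, cmd)
            if flags:
                findings['O4 %s\\%s [%s]' % (hive, key, name)] = flags
            continue
        m = O23_RE.match(line)
        if m:
            display, company, _path = m.groups()
            # A service with no vendor string deserves a look (dkab_device above).
            if not company.strip():
                findings['O23 %s' % display] = ['service-no-company']
    return findings


if __name__ == '__main__':
    for entry, tags in triage(SAMPLE_LOG).items():
        print('%-40s %s' % (entry, ', '.join(tags)))
```

The tags are triage hints to be confirmed against the ComboFix output, not verdicts: a hex-only value name or a bare-letter rundll32 export is suspicious, a vendor-less service merely unusual.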

Re: Please help: See Hijackthis.log

Unread postby skg » November 23rd, 2007, 6:14 pm

Hi Gary,

Here is the Combofix log

    ComboFix 07-11-19.3 - skg 2007-11-23 13:31:05.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1333 [GMT -8:00]
    Running from: C:\Documents and Settings\skg\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\skg\Desktop\CFScript.txt
    * Created a new restore point
    .

    Unable to gain System Privileges

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\sstem3~1
    C:\Program Files\sstem3~1\s?stem32\
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\temp\tn3
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\system32\b1
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\drivers\core.sys
    C:\WINDOWS\system32\g2
    C:\WINDOWS\system32\i2
    C:\WINDOWS\system32\n8
    C:\WINDOWS\system32\n8\ensts2dll.exe
    C:\WINDOWS\system32\opqss.ini
    C:\WINDOWS\system32\opqss.ini2
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\ssqpo.dll
    C:\WINDOWS\winshow.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_CORE
    -------\core


    ((((((((((((((((((((((((( Files Created from 2007-10-23 to 2007-11-23 )))))))))))))))))))))))))))))))
    .

    2007-11-23 01:45 83,520 --a------ C:\WINDOWS\system32\accbwxvo.dll
    2007-11-23 00:06 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-11-23 00:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-11-22 23:50 37,376 --a------ C:\WINDOWS\system32\efccded.dll
    2007-11-22 23:38 36,352 --a------ C:\WINDOWS\system32\jkkjigg.dll
    2007-11-22 00:22 79,936 --a------ C:\WINDOWS\system32\eqxtdthb.dll
    2007-11-22 00:15 1,251,017 --ahs---- C:\WINDOWS\system32\lsneptma.ini
    2007-11-21 23:50 <DIR> d-------- C:\WINDOWS\system32\rMa02yy
    2007-11-21 23:50 <DIR> d-------- C:\Temp\abW9
    2007-11-21 23:50 <DIR> d-------- C:\Temp
    2007-11-21 23:50 36,352 --a------ C:\WINDOWS\system32\cbxutqo.dll
    2007-11-21 21:19 715,679 --ahs---- C:\WINDOWS\system32\oqtydxla.ini
    2007-11-21 21:13 79,936 --a------ C:\WINDOWS\system32\caglcajg.dll
    2007-11-21 20:16 1,165 --a------ C:\WINDOWS\mozver.dat
    2007-11-21 17:14 <DIR> d-------- C:\Program Files\Trend Micro
    2007-11-21 17:00 <DIR> d-------- C:\VundoFix Backups
    2007-11-20 21:13 845,090 --ahs---- C:\WINDOWS\system32\mpegeaia.ini
    2007-11-19 23:26 0 --a------ C:\WINDOWS\nsreg.dat
    2007-11-19 23:11 295 --a------ C:\Documents and Settings\All Users\Application Data\nvapp.exe
    2007-11-19 21:21 <DIR> d-------- C:\Documents and Settings\skg\Application Data\Apple Computer
    2007-11-19 21:12 689,343 --ahs---- C:\WINDOWS\system32\hdurglpc.ini
    2007-11-19 00:10 <DIR> d-------- C:\WINDOWS\SQLTools9_KB934458_ENU
    2007-11-19 00:06 <DIR> d-------- C:\WINDOWS\DTS9_KB934458_ENU
    2007-11-19 00:04 <DIR> d-------- C:\WINDOWS\NS9_KB934458_ENU
    2007-11-18 23:53 <DIR> d-------- C:\WINDOWS\SQL9_KB934458_ENU
    2007-11-18 23:43 <DIR> d-------- C:\Program Files\Windows Defender
    2007-11-18 23:32 <DIR> d-------- C:\WINDOWS\system32\bits
    2007-11-18 23:32 7,168 -----c--- C:\WINDOWS\system32\dllcache\bitsprx4.dll
    2007-11-18 23:32 7,168 --a------ C:\WINDOWS\system32\bitsprx4.dll
    2007-11-18 21:08 677,141 --ahs---- C:\WINDOWS\system32\mxafyalg.ini
    2007-11-18 21:04 <DIR> d-------- C:\Documents and Settings\DEVSQLSVC\Application Data\Yahoo!
    2007-11-18 02:31 9,216 --a------ C:\WINDOWS\system32\cryptnet32.dll
    2007-11-18 02:28 <DIR> d-------- C:\WINDOWS\PerfInfo
    2007-11-18 01:27 <DIR> d-------- C:\Program Files\QdrDrive
    2007-11-16 19:40 <DIR> d-------- C:\Program Files\Apple Software Update
    2007-11-16 19:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
    2007-11-15 06:40 <DIR> d-------- C:\Program Files\Common Files\NSV
    2007-11-06 15:18 <DIR> d-------- C:\WINDOWS\ms
    2007-11-02 21:51 <DIR> d-------- C:\Documents and Settings\skg\Application Data\IsolatedStorage
    2007-10-23 19:19 <DIR> d-a------ C:\putty
    2007-10-23 16:59 <DIR> d-------- C:\share

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-23 21:43 --------- d-----w C:\Program Files\Symantec AntiVirus
    2007-11-23 09:48 84,585 ----a-w C:\WINDOWS\system32\xfmrgbvr.dll
    2007-11-23 07:14 84,585 ----a-w C:\WINDOWS\system32\oukwodny.dll
    2007-11-23 07:08 83,520 ----a-w C:\WINDOWS\system32\pkuqrmbu.dll
    2007-11-21 05:19 80,960 ----a-w C:\WINDOWS\system32\qglpwfpw.dll
    2007-11-20 05:25 --------- d-----w C:\Program Files\QuickTime
    2007-11-19 19:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo!
    2007-11-19 08:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
    2007-11-19 08:11 --------- d-----w C:\Program Files\Microsoft SQL Server
    2007-11-18 09:27 36,352 ----a-w C:\WINDOWS\system32\tuvtrop.dll
    2007-10-23 03:46 --------- d-----w C:\Program Files\Juniper Networks
    2007-10-23 03:46 --------- d-----w C:\Documents and Settings\skg\Application Data\Juniper Networks
    2007-10-19 17:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Juniper Networks
    2007-10-02 23:51 63,024 ----a-w C:\WINDOWS\system32\drivers\NEOFLTR_600_12141.sys
    2007-10-02 23:47 61,510 ----a-w C:\WINDOWS\system32\dsGinaLoader.dll
    2007-10-02 23:32 23,552 ----a-w C:\WINDOWS\system32\drivers\dsNcAdpt.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2007-11-22_10.25.08.00 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2005-05-24 20:27:16 213,048 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
    + 2007-08-29 23:47:20 94,208 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
    + 2007-08-29 23:49:54 950,272 ----a-w C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99d0d4a3-defc-4802-b3f7-2c86e5a7480a}]
    2007-11-23 01:45 83520 --a------ C:\WINDOWS\system32\accbwxvo.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]
    2007-11-18 01:27 36352 --a------ C:\WINDOWS\system32\tuvtrop.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "igfxtray"="C:\WINDOWS\system32\igfxtray.exe" [2006-03-23 19:17]
    "igfxhkcmd"="C:\WINDOWS\system32\hkcmd.exe" [2006-03-23 19:13]
    "igfxpers"="C:\WINDOWS\system32\igfxpers.exe" [2006-03-23 19:17]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2004-04-26 07:04]
    "systray"="C:\Program Files\Dell\Dell Mobile Broadband\systray.exe" [2007-04-13 13:27]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 16:14]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-15 00:40]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2006-10-12 02:10]
    "Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
    "30445e9e"="C:\WINDOWS\system32\xfmrgbvr.dll" [2007-11-23 01:48]
    "NvMainApp"="C:\Documents and Settings\All Users\Application Data\nvapp.exe" [2007-11-19 23:11]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoRecentDocsMenu"= 1 (0x1)

    [hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"= C:\WINDOWS\system32\tuvtrop.dll [2007-11-18 01:27 36352]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet32]
    cryptnet32.dll 2007-11-18 02:31 9216 C:\WINDOWS\system32\cryptnet32.dll
    C:\WINDOWS\system32\NavLogon.dll 2006-06-15 00:40 43760 C:\WINDOWS\system32\NavLogon.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvtrop]
    tuvtrop.dll 2007-11-18 01:27 36352 C:\WINDOWS\system32\tuvtrop.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 C:\WINDOWS\system32\ssqpo.dll

    R1 NEOFLTR_600_12141;Juniper Networks TDI Filter Driver (NEOFLTR_600_12141);\??\C:\WINDOWS\system32\Drivers\NEOFLTR_600_12141.SYS
    R2 CcmExec;SMS Agent Host;C:\WINDOWS\system32\CCM\CcmExec.exe
    R2 MsDtsServer;SQL Server Integration Services;"C:\Program Files\Microsoft SQL Server\90\DTS\Binn\MsDtsSrvr.exe"
    R2 SQLWriter;SQL Server VSS Writer;"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
    R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys
    R3 NWADI;NWADI Bus Enumerator;C:\WINDOWS\system32\DRIVERS\NWADIenum.sys
    R3 NWDellModem;Dell Wireless Mobile Broadband Modem Driver;C:\WINDOWS\system32\DRIVERS\nwdelmdm.sys
    R3 NWDellPort;Dell Wireless Mobile Broadband Status Port Driver;C:\WINDOWS\system32\DRIVERS\nwdelser.sys
    R3 prepdrvr;SMS Process Event Driver;\??\C:\WINDOWS\system32\CCM\prepdrv.sys
    R3 USBCCID;USB Smart Card reader;C:\WINDOWS\system32\DRIVERS\usbccid.sys
    S3 dkab_device;dkab_device;C:\WINDOWS\system32\DKabcoms.exe -service
    S3 PCASp50;PCASp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\PCASp50.sys
    S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-17 03:41:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2007-11-23 21:45:48 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
    - C:\Program Files\Windows Defender\MpCmdRun.exe
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-23 14:08:07
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\system\ControlSet001\Services\msftesql]
    "ImagePath"="\"C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\msftesql.exe\" -s:MSSQL.1 -f:MSSQLSERVER"
    .
    Completion time: 2007-11-23 14:09:45 - machine was rebooted
    C:\ComboFix2.txt ... 2007-11-23 00:02
    C:\ComboFix3.txt ... 2007-11-22 10:26
    .
    --- E O F ---

and the FredFlintstone log below:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 14:12, on 2007-11-23
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\oracle\product\10.1.0\Client_1\bin\omtsreco.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\FredFlintstone.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: {a0847a5e-68c2-7f3b-2084-cfed3a4d0d99} - {99d0d4a3-defc-4802-b3f7-2c86e5a7480a} - C:\WINDOWS\system32\accbwxvo.dll
    O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\tuvtrop.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [systray] C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [30445e9e] rundll32.exe "C:\WINDOWS\system32\xfmrgbvr.dll",b
    O4 - HKLM\..\Run: [NvMainApp] "C:\Documents and Settings\All Users\Application Data\nvapp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://daz02app257.corp.homestore.net
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {48D5324D-D593-47DF-AAE4-18CB09F1F86F} (Siebel High Interactivity Framework) - http://crm.corp.homestore.net/sales_enu ... Client.cab
    O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} (SopCore Control) - http://download.sopcast.com/download/SOPCORE.CAB
    O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://secure.move.com/dana-cached/set ... tupSP1.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.homestore.net
    O17 - HKLM\Software\..\Telephony: DomainName = corp.homestore.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.homestore.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = corp.homestore.net,sites.homestore.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.homestore.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = corp.homestore.net,sites.homestore.net
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.homestore.net,sites.homestore.net
    O20 - Winlogon Notify: cryptnet32 - C:\WINDOWS\SYSTEM32\cryptnet32.dll
    O20 - Winlogon Notify: tuvtrop - C:\WINDOWS\SYSTEM32\tuvtrop.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: dkab_device - - C:\WINDOWS\system32\DKabcoms.exe
    O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\product\10.1.0\Client_1\bin\omtsreco.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 7347 bytes
skg
Active Member
 
Posts: 11
Joined: November 21st, 2007, 1:25 am

Re: Please help: See Hijackthis.log

Unread postby Gary R » November 23rd, 2007, 7:26 pm

Well, isn't this one being fun. Hard to know at this point what I'm missing; let's try a slightly different approach.

Download OTMoveIt by OldTimer to your Desktop.
  • Double click OTMoveIt.exe to launch it.
  • Copy/Paste the contents of the box below into the left hand pane of OTMoveIt.
Code:
C:\WINDOWS\system32\accbwxvo.dll
C:\WINDOWS\system32\efccded.dll
C:\WINDOWS\system32\jkkjigg.dll
C:\WINDOWS\system32\eqxtdthb.dll
C:\WINDOWS\system32\lsneptma.ini
C:\WINDOWS\system32\rMa02yy
C:\Temp\abW9
C:\Temp
C:\WINDOWS\system32\cbxutqo.dll
C:\WINDOWS\system32\oqtydxla.ini
C:\WINDOWS\system32\caglcajg.dll
C:\WINDOWS\system32\mpegeaia.ini
C:\Documents and Settings\All Users\Application Data\nvapp.exe
C:\WINDOWS\system32\hdurglpc.ini
C:\WINDOWS\system32\bits
C:\WINDOWS\system32\mxafyalg.ini
C:\WINDOWS\system32\cryptnet32.dll
C:\WINDOWS\PerfInfo
C:\Program Files\QdrDrive
C:\Program Files\Common Files\NSV
C:\WINDOWS\system32\xfmrgbvr.dll
C:\WINDOWS\system32\oukwodny.dll
C:\WINDOWS\system32\pkuqrmbu.dll
C:\WINDOWS\system32\qglpwfpw.dll
C:\WINDOWS\system32\tuvtrop.dll
C:\WINDOWS\system32\ssqpo.dll

  • Click the Move It button.
  • The list will be processed and the results will appear in the right hand pane.
  • If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
  • When finished click Exit to exit the programme.
  • A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).
  • Post the log back here please.

  • Click Start > Run type Notepad click OK.
  • This will open an empty Notepad file.
  • Copy/Paste the contents of the box below into Notepad.
Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99d0d4a3-defc-4802-b3f7-2c86e5a7480a}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"30445e9e"=-
"NvMainApp"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet32]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvtrop]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


  • Click Format and ensure Wordwrap is unchecked.
  • Save as RegFix.reg
  • Save as file type All Files or it won't work.
  • Now double click on RegFix.reg to run it.
  • You will be prompted to allow it to merge with the Registry. Allow it please.

Now run a scan with HJT (FredFlintstone) and send me the log please.

Summary of the logs I need from you in your next post:
  • OTMoveIt log
  • New HJT log


Please post each log separately to prevent them being cut off by the forum post size limiter.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
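The last block of the RegFix above rewrites the LSA "Authentication Packages" value as a raw hex(7) string. As an added example (not part of Gary R's post, and not OTMoveIt or HijackThis code), the Python below decodes that hex(7) notation, showing it resolves to the single entry msv1_0 that ComboFix listed alongside ssqpo.dll, encodes the inverse, and audits an observed package list against an assumed stock-XP default. The allow-list DEFAULT_AUTH_PACKAGES and the OBSERVED_AUTH_PACKAGES list are assumptions constructed from the logs in this thread.

```python
"""Decode/encode the REGEDIT4 hex(7) (REG_MULTI_SZ) notation used by the
RegFix.reg above, and audit the LSA "Authentication Packages" list.

Added example for this thread, not a tool from the original post.  The
allow-list DEFAULT_AUTH_PACKAGES is an assumption: on a stock Windows XP
install the value holds only msv1_0.
"""
from typing import List, Sequence

# Assumed stock content of
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages on XP.
DEFAULT_AUTH_PACKAGES: Sequence[str] = ("msv1_0",)

# Constructed from the ComboFix line in this thread, which printed the
# multi-string entries separated by spaces:
#   "Authentication Packages"= msv1_0 C:\WINDOWS\system32\ssqpo.dll
OBSERVED_AUTH_PACKAGES = ["msv1_0", r"C:\WINDOWS\system32\ssqpo.dll"]


def decode_hex7(value: str) -> List[str]:
    """Turn a hex(7) string such as "6d,73,76,31,5f,30,00,00" into the
    list of strings it encodes.

    REG_MULTI_SZ is a run of NUL-terminated strings closed by one extra
    NUL; REGEDIT4 (the ANSI .reg format) writes one byte per character.
    Long values may be wrapped with a trailing backslash, which is undone
    here before decoding.
    """
    joined = "".join(line.strip().rstrip("\\") for line in value.splitlines())
    if joined.lower().startswith("hex(7):"):
        joined = joined[len("hex(7):"):]
    raw = bytes(int(b, 16) for b in joined.split(",") if b.strip())
    parts = raw.decode("latin-1").split("\x00")
    while parts and parts[-1] == "":   # drop the terminating empty strings
        parts.pop()
    return parts


def encode_hex7(strings: Sequence[str]) -> str:
    """Inverse of decode_hex7: build the hex(7) value for a list of strings."""
    raw = ("".join(s + "\x00" for s in strings) + "\x00").encode("latin-1")
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def audit_auth_packages(packages: Sequence[str]) -> List[str]:
    """Return entries that are not part of the default set.

    LSA loads every listed package as a DLL inside lsass.exe at boot, so an
    unexpected entry here is a persistence mechanism that survives the
    removal of ordinary Run keys.
    """
    defaults = {d.lower() for d in DEFAULT_AUTH_PACKAGES}
    return [p for p in packages if p.lower() not in defaults]


def lsa_fix_reg(packages: Sequence[str] = DEFAULT_AUTH_PACKAGES) -> str:
    """Render a REGEDIT4 fragment that resets Authentication Packages to
    exactly `packages`, in the same form as the RegFix.reg in the thread."""
    return (
        "REGEDIT4\n\n"
        "[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]\n"
        f'"Authentication Packages"={encode_hex7(packages)}\n'
    )


if __name__ == "__main__":
    print("RegFix value decodes to:", decode_hex7("hex(7):6d,73,76,31,5f,30,00,00"))
    print("Unexpected packages:", audit_auth_packages(OBSERVED_AUTH_PACKAGES))
    print(lsa_fix_reg())
```

Running it prints `['msv1_0']` for the RegFix value and `['C:\\WINDOWS\\system32\\ssqpo.dll']` as the unexpected entry, which is exactly why the fix replaces the whole multi-string rather than deleting a single name.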

Re: Please help: See Hijackthis.log

Unread postby skg » November 24th, 2007, 12:30 pm

Hi Gary,

Yeah, I am starting to wonder if my system is so badly infected that we are going back and forth so many times.
Nevertheless thank you again for your patience and thorough analysis.

Here is the OTMoveIt log:
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\accbwxvo.dll
    C:\WINDOWS\system32\accbwxvo.dll NOT unregistered.
    C:\WINDOWS\system32\accbwxvo.dll moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\efccded.dll
    C:\WINDOWS\system32\efccded.dll NOT unregistered.
    File move failed. C:\WINDOWS\system32\efccded.dll scheduled to be moved on reboot.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\jkkjigg.dll
    C:\WINDOWS\system32\jkkjigg.dll NOT unregistered.
    File move failed. C:\WINDOWS\system32\jkkjigg.dll scheduled to be moved on reboot.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\eqxtdthb.dll
    C:\WINDOWS\system32\eqxtdthb.dll NOT unregistered.
    C:\WINDOWS\system32\eqxtdthb.dll moved successfully.
    C:\WINDOWS\system32\lsneptma.ini moved successfully.
    C:\WINDOWS\system32\rMa02yy moved successfully.
    C:\Temp\abW9 moved successfully.
    C:\Temp moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\cbxutqo.dll
    C:\WINDOWS\system32\cbxutqo.dll NOT unregistered.
    File move failed. C:\WINDOWS\system32\cbxutqo.dll scheduled to be moved on reboot.
    C:\WINDOWS\system32\oqtydxla.ini moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\caglcajg.dll
    C:\WINDOWS\system32\caglcajg.dll NOT unregistered.
    C:\WINDOWS\system32\caglcajg.dll moved successfully.
    C:\WINDOWS\system32\mpegeaia.ini moved successfully.
    C:\Documents and Settings\All Users\Application Data\nvapp.exe moved successfully.
    C:\WINDOWS\system32\hdurglpc.ini moved successfully.
    C:\WINDOWS\system32\bits moved successfully.
    C:\WINDOWS\system32\mxafyalg.ini moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\cryptnet32.dll
    C:\WINDOWS\system32\cryptnet32.dll NOT unregistered.
    C:\WINDOWS\system32\cryptnet32.dll moved successfully.
    C:\WINDOWS\PerfInfo moved successfully.
    C:\Program Files\QdrDrive moved successfully.
    C:\Program Files\Common Files\NSV moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\xfmrgbvr.dll
    C:\WINDOWS\system32\xfmrgbvr.dll NOT unregistered.
    C:\WINDOWS\system32\xfmrgbvr.dll moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\oukwodny.dll
    C:\WINDOWS\system32\oukwodny.dll NOT unregistered.
    C:\WINDOWS\system32\oukwodny.dll moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\pkuqrmbu.dll
    C:\WINDOWS\system32\pkuqrmbu.dll NOT unregistered.
    C:\WINDOWS\system32\pkuqrmbu.dll moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\qglpwfpw.dll
    C:\WINDOWS\system32\qglpwfpw.dll NOT unregistered.
    C:\WINDOWS\system32\qglpwfpw.dll moved successfully.
    DllUnregisterServer procedure not found in C:\WINDOWS\system32\tuvtrop.dll
    C:\WINDOWS\system32\tuvtrop.dll NOT unregistered.
    File move failed. C:\WINDOWS\system32\tuvtrop.dll scheduled to be moved on reboot.
    File/Folder C:\WINDOWS\system32\ssqpo.dll not found.

    Created on 11-24-2007 07:48:09


and below is the new HJT log.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 08:05, on 2007-11-24
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\oracle\product\10.1.0\Client_1\bin\omtsreco.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\WINDOWS\system32\CCM\CcmExec.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Java\jre1.5.0_09\bin\jucheck.exe
    C:\Program Files\Trend Micro\HijackThis\FredFlintstone.exe

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4720DC34-6D48-4053-BA1B-66E8FCF88EC3} - C:\WINDOWS\system32\jkhhh.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O2 - BHO: {a0847a5e-68c2-7f3b-2084-cfed3a4d0d99} - {99d0d4a3-defc-4802-b3f7-2c86e5a7480a} - C:\WINDOWS\system32\accbwxvo.dll (file missing)
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [systray] C:\Program Files\Dell\Dell Mobile Broadband\systray.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://daz02app257.corp.homestore.net
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/ka ... nicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {48D5324D-D593-47DF-AAE4-18CB09F1F86F} (Siebel High Interactivity Framework) - http://crm.corp.homestore.net/sales_enu ... Client.cab
    O16 - DPF: {8FEFF364-6A5F-4966-A917-A3AC28411659} (SopCore Control) - http://download.sopcast.com/download/SOPCORE.CAB
    O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://secure.move.com/dana-cached/set ... tupSP1.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = corp.homestore.net
    O17 - HKLM\Software\..\Telephony: DomainName = corp.homestore.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = corp.homestore.net
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = corp.homestore.net,sites.homestore.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = corp.homestore.net
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = corp.homestore.net,sites.homestore.net
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = corp.homestore.net,sites.homestore.net
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: dkab_device - - C:\WINDOWS\system32\DKabcoms.exe
    O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: OracleMTSRecoveryService - Oracle Corporation - C:\oracle\product\10.1.0\Client_1\bin\omtsreco.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe

    --
    End of file - 7118 bytes

Thanks
skg
Active Member
 
Posts: 11
Joined: November 21st, 2007, 1:25 am

Re: Please help: See Hijackthis.log

Unread postby Gary R » November 25th, 2007, 5:15 am

OK, looking a little better this time. This one has been inordinately stubborn; this infection is not usually so difficult to remove. Still some work to do.

  • Double click OTMoveIt.exe to launch it.
  • Copy/Paste the contents of the box below into the left hand pane of OTMoveIt.
C:\WINDOWS\system32\jkhhh.dll

  • Click the Move It button.
  • The list will be processed and the results will appear in the right hand pane.
  • If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
  • When finished click Exit to exit the programme.
  • A log C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log will be created (where mmddyyyy_hhmmss are numbers giving date and time the log was created).
  • Post the log back here please.

Run a scan with HJT and when finished check the following items (if found).

O2 - BHO: (no name) - {4720DC34-6D48-4053-BA1B-66E8FCF88EC3} - C:\WINDOWS\system32\jkhhh.dll

O2 - BHO: {a0847a5e-68c2-7f3b-2084-cfed3a4d0d99} - {99d0d4a3-defc-4802-b3f7-2c86e5a7480a} - C:\WINDOWS\system32\accbwxvo.dll (file missing)



Now close all open windows and click Fix Checked to remove them.

Please do an online scan with Kaspersky Online Scanner

Note: You must be using Internet Explorer as your browser as it will be necessary to install an ActiveX component to your computer.

Important: If you have previously used Kaspersky Online Scanner (before 8th Aug 2006), you will have to uninstall the old version using Add/Remove Programs in Control Panel before you can use the new version.

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:

    • Scan using the following Anti-Virus database:
      • Extended (If available otherwise Standard)
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK.
  • Now under select a target to scan select My Computer.
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post please.

Note: The Kaspersky online scanner is not yet fully compatible with IE7. You may get returned to a window without the Accept/Decline buttons after allowing the ActiveX control. The buttons are there - you just can't see them! Click on the zoom button (bottom, right of the window) and change it from 100% to 75%. You should now see the buttons. Reset to 100% once the license has been accepted.

Now run a new HJT scan and send me the log please.

Summary of the logs I need from you in your next post:
  • OTMoveIt log
  • Kaspersky log (text version please)
  • New HJT log


Please post each log separately to prevent them being cut off by the forum post size limiter.
Gary R
Administrator
 
Posts: 25888
Joined: June 28th, 2005, 11:36 am
Location: Yorkshire
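Gary R's instructions single out the O2 entries marked "(no name)" and "(file missing)", and earlier posts dealt with an O4 rundll32 loader and two O20 Winlogon Notify packages. As an added example (not a HijackThis feature and not the helper's own tooling), the Python below applies those same review rules to HijackThis log lines. The sample log is constructed from lines quoted in this thread, KNOWN_NOTIFY_DLLS is a constructed allow-list, and the rule that flags a BHO whose display name is itself a CLSID is a heuristic, not a HijackThis rule.

```python
"""Triage selected HijackThis sections the way the helper in this thread
did by eye: flag BHOs (O2) without a display name or whose file is gone,
Run entries (O4) that start a DLL through rundll32, and Winlogon Notify
packages (O20) not on an allow-list.

Added example for this thread, not a HijackThis feature or the helper's
own tooling.  KNOWN_NOTIFY_DLLS is a constructed allow-list; the
GUID-as-name rule is a heuristic, not a HijackThis rule.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    section: str   # HijackThis section tag, e.g. "O2"
    reason: str    # why the line deserves review
    line: str      # the log line itself


# Constructed allow-list: NavLogon.dll is the Symantec AntiVirus notify
# package that ComboFix listed next to the suspect ones in this thread.
KNOWN_NOTIFY_DLLS = {"navlogon.dll"}

_BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
_RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")
_GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")

# Constructed sample: lines quoted from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4720DC34-6D48-4053-BA1B-66E8FCF88EC3} - C:\WINDOWS\system32\jkhhh.dll
O2 - BHO: {a0847a5e-68c2-7f3b-2084-cfed3a4d0d99} - {99d0d4a3-defc-4802-b3f7-2c86e5a7480a} - C:\WINDOWS\system32\accbwxvo.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [30445e9e] rundll32.exe "C:\WINDOWS\system32\xfmrgbvr.dll",b
O20 - Winlogon Notify: cryptnet32 - C:\WINDOWS\SYSTEM32\cryptnet32.dll
O20 - Winlogon Notify: tuvtrop - C:\WINDOWS\SYSTEM32\tuvtrop.dll
"""


def dll_basename(path: str) -> str:
    """Last path component, lower-cased, without any trailing HJT annotation."""
    path = path.replace(" (file missing)", "").strip().strip('"')
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text: str) -> List[Finding]:
    """Return one Finding per (line, rule) that matches; clean lines yield none."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.endswith("(file missing)"):
            # Orphaned registration: the loader still points at a removed file.
            findings.append(Finding(line.split(" ", 1)[0], "entry points at a file that no longer exists", line))
        m = _BHO_RE.match(line)
        if m:
            name = m.group("name")
            if name == "(no name)":
                findings.append(Finding("O2", "BHO registered without a display name", line))
            elif _GUID_RE.match(name):
                findings.append(Finding("O2", "BHO whose display name is itself a CLSID (heuristic)", line))
            continue
        m = _RUN_RE.match(line)
        if m:
            cmd = m.group("cmd").lstrip('"').lower()
            if cmd.startswith("rundll32"):
                findings.append(Finding("O4", "rundll32 startup entry loads a DLL directly", line))
            continue
        m = _NOTIFY_RE.match(line)
        if m and dll_basename(m.group("path")) not in KNOWN_NOTIFY_DLLS:
            findings.append(Finding("O20", "Winlogon Notify package not on the allow-list", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

On the constructed sample the Adobe BHO and the Symantec ccApp entry pass, while the two suspect BHOs, the rundll32 loader and both Winlogon Notify packages are reported, matching the items the thread worked through by hand.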