1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Solved: Spyware/ Malware pretending to be IE/ Windows Security Warnings

Discussion in 'Virus & Other Malware Removal' started by BarryNMD, Nov 6, 2007.

Thread Status:
Not open for further replies.
Advertisement
  1. BarryNMD

    BarryNMD Thread Starter

    Joined:
    Oct 19, 2007
    Messages:
    17
    Hey,

    I have (again) a virus pretending to me IE or Microsoft updates. It places shortcuts on my desktop for "Online Security Guide" and "Live Safety Center." Also, my computer is barraged by pop-ups and fake virus/ trojan/ malware/ spyware warnings. Can someone please help me?
     
  2. BarryNMD

    BarryNMD Thread Starter

    Joined:
    Oct 19, 2007
    Messages:
    17
    Here is my HijackThis Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:00:17 AM, on 11/7/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\htpigdpi.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\NetDrive\wdService.exe
    C:\WINDOWS\csnsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\NetDrive\netdrive.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\CheckPoint\Integrity Client\iclient.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\3M\PSNLite\PsnLite.exe
    C:\PROGRA~1\3M\PSNLite\PSNGive.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.loyola.edu/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\atguuyqe.dll
    O4 - HKLM\..\Run: [WebDriveTray] C:\Program Files\NetDrive\netdrive.exe /trayicon
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CheckPoint\Integrity Client\iclient.exe"
    O4 - HKLM\..\Run: [f88f94fc] rundll32.exe "C:\WINDOWS\system32\uoxbmmhh.dll",b
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\Ctrax Player\DMDownload.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: DomainService - - C:\WINDOWS\system32\htpigdpi.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\NetDrive\wdService.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    O23 - Service: Windows Zero Adapter (WzaSvc) - Unknown owner - C:\WINDOWS\csnsvc.exe

    --
    End of file - 8545 bytes
     
  3. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Download ComboFix from Here or Here to your Desktop.

    **Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**
    --------------------------------------------------------------------
    1. Close any open browsers.

    2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
      Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
    --------------------------------------------------------------------

    Double click on combofix.exe & follow the prompts.
    • When finished, it will produce a report for you.
    • Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

    **Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**
     
  4. BarryNMD

    BarryNMD Thread Starter

    Joined:
    Oct 19, 2007
    Messages:
    17
    Thank you so much for replying!

    Here is the ComboFix Log:

    ComboFix 07-11-08.1 - El Barry 2007-11-08 15:39:30.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.156 [GMT -5:00]
    Running from: C:\Documents and Settings\El Barry\Desktop\ComboFix.exe
    * Created a new restore point
    .

    Unable to gain System Privileges

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
    C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
    C:\Documents and Settings\El Barry\Desktop\Live Safety Center.lnk
    C:\Documents and Settings\El Barry\Desktop\Online Security Guide.lnk
    C:\Documents and Settings\El Barry\Favorites\Online Security Guide.lnk
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\system32\atguuyqe.dllbox
    C:\WINDOWS\system32\enkaqbsz.dllbox
    C:\WINDOWS\system32\hghhk.bak1
    C:\WINDOWS\system32\hghhk.bak2
    C:\WINDOWS\system32\hghhk.ini
    C:\WINDOWS\system32\khhgh.dll
    C:\WINDOWS\system32\kmmoq.bak1
    C:\WINDOWS\system32\kmmoq.bak2
    C:\WINDOWS\system32\kmmoq.ini
    C:\WINDOWS\system32\rnhqanyx.dll
    C:\WINDOWS\system32\vouibqwv.dllbox
    C:\WINDOWS\system32\wyfjhoaw.dllbox

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_DOMAINSERVICE
    -------\DomainService


    ((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
    .

    2007-11-07 21:58 86,080 --a------ C:\WINDOWS\system32\wtejogke.dll
    2007-11-07 21:52 79,936 --a------ C:\WINDOWS\system32\hrgfphgg.dll
    2007-11-07 21:46 71,232 --a------ C:\WINDOWS\system32\ayemppql.exe
    2007-11-06 21:57 81,472 --a------ C:\WINDOWS\system32\mhtylrue.dll
    2007-11-06 21:48 71,232 --a------ C:\WINDOWS\system32\htpigdpi.exe
    2007-11-06 21:46 145,984 --a------ C:\WINDOWS\system32\atguuyqe.dll
    2007-11-06 21:45 145,984 --a------ C:\WINDOWS\system32\ewekdqot.dll
    2007-11-05 21:57 83,008 --a------ C:\WINDOWS\system32\rajyuaec.dll
    2007-11-04 21:56 78,912 --a------ C:\WINDOWS\system32\xwsaldfy.dll
    2007-11-03 21:58 81,472 --a------ C:\WINDOWS\system32\ouusgwbn.dll
    2007-11-02 21:58 82,496 --a------ C:\WINDOWS\system32\trjhdnmx.dll
    2007-10-25 07:42 <DIR> d-------- C:\Program Files\Windows Desktop Search
    2007-10-22 09:25 <DIR> d-------- C:\Documents and Settings\El Barry\Application Data\gtk-2.0
    2007-10-21 21:21 37,376 -r-hs---- C:\WINDOWS\csnsvc.exe
    2007-10-19 20:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2007-10-19 20:05 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2007-10-19 20:05 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-10-19 20:05 <DIR> d-------- C:\Documents and Settings\El Barry\Application Data\SUPERAntiSpyware.com
    2007-10-19 19:39 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-19 19:21 <DIR> d-------- C:\Program Files\Anti-Malware Stuff
    2007-10-19 18:59 <DIR> d-------- C:\Program Files\Trend Micro
    2007-10-17 19:00 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Intel
    2007-10-13 18:06 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-10-13 17:34 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
    2007-10-13 17:32 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
    2007-10-13 11:00 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
    2007-10-11 14:02 <DIR> d-------- C:\Documents and Settings\El Barry\Application Data\Creative
    2007-10-11 13:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Creative
    2007-10-11 13:37 41,984 --------- C:\WINDOWS\Ctregrun.exe
    2007-10-11 13:28 200,704 --a------ C:\WINDOWS\system32\CTPdeSrv.exe
    2007-10-11 13:25 <DIR> d-------- C:\Program Files\Creative

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-08 20:50 --------- d-----w C:\Program Files\Symantec AntiVirus
    2007-11-08 20:24 --------- d-----w C:\Documents and Settings\El Barry\Application Data\.purple
    2007-11-07 03:20 --------- d-----w C:\Program Files\CyberLink
    2007-10-31 16:09 --------- d-----w C:\Program Files\Flash
    2007-10-31 16:09 --------- d-----w C:\Program Files\Broadcom
    2007-10-25 12:36 --------- d-----w C:\Program Files\AIM6
    2007-10-25 12:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
    2007-10-25 12:24 --------- d-----w C:\Program Files\Viewpoint
    2007-10-25 12:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2007-10-14 15:01 --------- d-----w C:\Program Files\Dell
    2007-10-11 18:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-09-18 00:17 --------- d-----w C:\Program Files\AIMFix
    2007-09-11 22:16 --------- d-----w C:\Program Files\Pidgin2.1.1
    2007-09-11 22:16 --------- d-----w C:\Program Files\Pidgin
    2007-09-11 13:24 --------- d-----w C:\Program Files\Ctrax Player
    2007-09-11 13:03 --------- d-----w C:\Program Files\Common Files\AOL
    2007-09-04 03:51 15,874,974 ----a-w C:\Program Files\ia_client.exe
    2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    .

    ((((((((((((((((((((((((((((( [email protected]_20.59.15.63 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2007-09-28 13:06:08 135,168 ----a-w C:\WINDOWS\catchme.exe
    + 2007-10-29 23:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
    - 2007-09-11 12:34:44 38,428 ----a-w C:\WINDOWS\Downloaded Program Files\unagiuninst.exe
    + 2007-10-25 12:24:31 38,428 ----a-w C:\WINDOWS\Downloaded Program Files\unagiuninst.exe
    + 2007-03-13 15:57:10 163,328 ----a-w C:\WINDOWS\erdnt\subs\ERDNT.EXE
    - 2007-08-27 14:19:04 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A81000000003}\SC_Reader.exe
    + 2007-10-24 04:24:07 295,606 ----a-r C:\WINDOWS\Installer\{AC76BA86-7AD7-1033-7B44-A81000000003}\SC_Reader.exe
    + 2007-10-20 01:06:18 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
    + 2007-10-20 01:06:18 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
    + 2007-10-20 01:06:18 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
    - 2004-08-04 10:00:00 18,944 -c--a-w C:\WINDOWS\system32\dllcache\mimefilt.dll
    + 2006-09-15 12:36:32 29,696 -c--a-w C:\WINDOWS\system32\dllcache\mimefilt.dll
    - 2004-08-04 10:00:00 103,936 -c--a-w C:\WINDOWS\system32\dllcache\nlhtml.dll
    + 2006-09-15 12:36:32 98,304 -c--a-w C:\WINDOWS\system32\dllcache\nlhtml.dll
    - 2004-08-04 10:00:00 120,832 -c--a-w C:\WINDOWS\system32\dllcache\offfilt.dll
    + 2006-09-15 12:36:32 192,000 -c--a-w C:\WINDOWS\system32\dllcache\offfilt.dll
    - 2006-06-22 18:44:00 2,078,344 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
    + 2007-06-11 20:34:34 2,115,816 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32.dll
    + 2007-06-11 20:34:40 190,696 ----a-w C:\WINDOWS\system32\Macromed\Flash\NPSWF32_FlashUtil.exe
    + 2007-10-31 16:08:55 45,218 ----a-w C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
    - 2004-08-04 10:00:00 18,944 ----a-w C:\WINDOWS\system32\mimefilt.dll
    + 2006-09-15 12:36:32 29,696 ----a-w C:\WINDOWS\system32\mimefilt.dll
    - 2004-08-04 10:00:00 103,936 ----a-w C:\WINDOWS\system32\nlhtml.dll
    + 2006-09-15 12:36:32 98,304 ----a-w C:\WINDOWS\system32\nlhtml.dll
    - 2007-10-18 00:02:13 23,129 ----a-w C:\WINDOWS\system32\nvModes.dat
    + 2007-10-25 12:44:55 23,129 ----a-w C:\WINDOWS\system32\nvModes.dat
    - 2004-08-04 10:00:00 120,832 ----a-w C:\WINDOWS\system32\offfilt.dll
    + 2006-09-15 12:36:32 192,000 ----a-w C:\WINDOWS\system32\offfilt.dll
    - 2007-10-13 22:40:04 71,370 ----a-w C:\WINDOWS\system32\perfc009.dat
    + 2007-11-05 20:46:16 71,370 ----a-w C:\WINDOWS\system32\perfc009.dat
    - 2007-10-13 22:40:04 439,832 ----a-w C:\WINDOWS\system32\perfh009.dat
    + 2007-11-05 20:46:16 439,832 ----a-w C:\WINDOWS\system32\perfh009.dat
    - 2006-09-25 21:58:48 14,640 ----a-w C:\WINDOWS\system32\spmsg.dll
    + 2007-01-03 15:21:06 14,640 ----a-w C:\WINDOWS\system32\spmsg.dll
    - 2006-10-16 21:10:58 23,856 ----a-w C:\WINDOWS\system32\spupdsvc.exe
    + 2007-01-03 15:21:06 23,856 ----a-w C:\WINDOWS\system32\spupdsvc.exe
    - 2007-04-02 18:21:27 139,776 ----a-w C:\WINDOWS\system32\swreg.exe
    + 2007-07-22 23:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
    - 2007-10-20 00:37:04 4,212 ---ha-w C:\WINDOWS\system32\zllictbl.dat
    + 2007-11-08 20:50:30 4,212 ---h--w C:\WINDOWS\system32\zllictbl.dat
    - 2007-10-19 13:46:10 6,294,911 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
    + 2007-11-08 14:27:46 6,605,054 ----a-w C:\WINDOWS\system32\ZoneLabs\spyware.dat
    - 2007-10-19 13:46:10 6,294,911 ----a-w C:\WINDOWS\system32\ZoneLabs\zlasdbup.dat
    + 2007-11-08 14:27:46 6,605,054 ----a-w C:\WINDOWS\system32\ZoneLabs\zlasdbup.dat
    .
    -- Snapshot reset to current date --
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
    2007-11-06 21:46 145984 --a------ C:\WINDOWS\system32\atguuyqe.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BB38AE55-FC0E-4BC3-9352-E11972FABE04}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\atguuyqe.dll [2007-11-06 21:46 145984]

    [HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
    "{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\atguuyqe.dll [2007-11-06 21:46 145984]

    [HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WebDriveTray"="C:\Program Files\NetDrive\netdrive.exe" [2003-06-04 12:49]
    "DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-12-09 20:29]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2006-03-24 17:14]
    "vptray"="C:\PROGRA~1\SYMANT~1\VPTray.exe" [2006-06-15 01:40]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-07-06 19:52]
    "nwiz"="nwiz.exe" [2005-07-06 19:52 C:\WINDOWS\system32\nwiz.exe]
    "IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-02 00:38]
    "IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-02 00:32]
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 14:13]
    "BCMSMMSG"="BCMSMMSG.exe" [2003-02-24 18:34 C:\WINDOWS\BCMSMMSG.exe]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 03:00]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 18:05]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51]
    "Zone Labs Client"="C:\Program Files\CheckPoint\Integrity Client\iclient.exe" [2007-02-26 16:23]
    "f88f94fc"="C:\WINDOWS\system32\wtejogke.dll" [2007-11-07 21:58]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" []
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 05:00]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2007-10-04 10:20]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" []
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 13:06]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "TSClientMSIUninstaller"=cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs"

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Post-itr Software Notes Lite.lnk - C:\Program Files\3M\PSNLite\PsnLite.exe [2004-06-02 13:04:58]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 12:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\atguuyqe]
    atguuyqe.dll 2007-11-06 21:46 145984 C:\WINDOWS\system32\atguuyqe.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 C:\WINDOWS\system32\khhgh.dll

    R2 WebDriveFSD;WebDrive File System Driver;\??\C:\Program Files\NetDrive\rffsd.sys
    R2 WzaSvc;Windows Zero Adapter;"C:\WINDOWS\csnsvc.exe"
    S3 vsinstdv;vsinstdv;\??\C:\DOCUME~1\ELBARR~1\LOCALS~1\Temp\{66DBB2E3-2969-4CC5-9DE3-E69180592948}\vsinstdv.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-11-06 00:59:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    .
    **************************************************************************

    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-08 16:55:42
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-08 16:58:24 - machine was rebooted
    C:\ComboFix2.txt ... 2007-10-19 20:02
    .
    --- E O F ---


    And here is the HijackThis Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:00:01 PM, on 11/8/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\NetDrive\wdService.exe
    C:\WINDOWS\csnsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\NetDrive\netdrive.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\CheckPoint\Integrity Client\iclient.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\3M\PSNLite\PsnLite.exe
    C:\PROGRA~1\3M\PSNLite\PSNGive.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.loyola.edu/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\atguuyqe.dll
    O2 - BHO: (no name) - {BB38AE55-FC0E-4BC3-9352-E11972FABE04} - (no file)
    O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\atguuyqe.dll
    O4 - HKLM\..\Run: [WebDriveTray] C:\Program Files\NetDrive\netdrive.exe /trayicon
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CheckPoint\Integrity Client\iclient.exe"
    O4 - HKLM\..\Run: [f88f94fc] rundll32.exe "C:\WINDOWS\system32\wtejogke.dll",b
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\Ctrax Player\DMDownload.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: atguuyqe - C:\WINDOWS\SYSTEM32\atguuyqe.dll
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\NetDrive\wdService.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    O23 - Service: Windows Zero Adapter (WzaSvc) - Unknown owner - C:\WINDOWS\csnsvc.exe

    --
    End of file - 9051 bytes
     
  5. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Run HJT again and put a check in the following:

    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\atguuyqe.dll
    O2 - BHO: (no name) - {BB38AE55-FC0E-4BC3-9352-E11972FABE04} - (no file)
    O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\atguuyqe.dll
    O4 - HKLM\..\Run: [f88f94fc] rundll32.exe "C:\WINDOWS\system32\wtejogke.dll",b
    O20 - Winlogon Notify: atguuyqe - C:\WINDOWS\SYSTEM32\atguuyqe.dll

    Close all applications and browser windows before you click "fix checked".



    Please download the OTMoveIt by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Close OTMoveIt
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



    Please perform a scan with Kaspersky Webscan Online Virus Scanner

    1. Read the Requirements and Privacy statement, then select "Accept".
    2. A new window will appear promting you to install an ActiveX component from Kaspersky - "Do you want to install this software?".
    3. Click "Yes" or select "Install" to download the ActiveX controls that allows ActiveScan to run.
    4. When the download is complete it will say ready, click "Next".
    5. Click "Scan Settings" and check the option to use the Extended Database if available otherwise Standard).
    6. Click "Scan Options" and select both "Scan Archives" and "Scan Mail Bases".
    7. Click "OK".
    8. Under "Select a target to scan", click on "My Computer".
    9. When the scan is complete choose to save the results as "Save as Text" named kaspersky.txt to your desktop and post them in your next reply.

    Kaspersky does not remove anything but will provide a log of anything it finds. On August 8th, 2006 Kaspersky updated the software used for Free Online Virus Scanner. In order to continue using the online scanner you will need to uninstall the old version (if previously used) from your Add/Remove Programs list and then install the latest version. To do this, follow the steps here and reboot afterwards if your system does not reboot automatically or it will show 'Kaspersky Online Scanner license key was not found!
     
  6. BarryNMD

    BarryNMD Thread Starter

    Joined:
    Oct 19, 2007
    Messages:
    17
    I ran the Kaspersky scan but it closed the window on its own and I did not get the chance to save the log. Should I run it again?
     
  7. BarryNMD

    BarryNMD Thread Starter

    Joined:
    Oct 19, 2007
    Messages:
    17
    Since I've woken up this morning, I have received no pop-ups. I'm not sure if the problem is solved, but I figured I'd leave the update. The virus did this last time, so it may just be how it works. So, I don't truly think it's gone.
     
  8. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Kaspersky does not remove anything so running that did not "fix" anything. Yes please run it again and save the log.
     
  9. BarryNMD

    BarryNMD Thread Starter

    Joined:
    Oct 19, 2007
    Messages:
    17
    here is the kaspersky log:

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Friday, November 09, 2007 3:37:26 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 9/11/2007
    Kaspersky Anti-Virus database records: 455501
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\

    Scan Statistics:
    Total number of scanned objects: 42061
    Number of viruses found: 17
    Number of infected objects: 61
    Number of suspicious objects: 0
    Duration of the scan process: 00:51:43

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\Symantec\Common Client\settings.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\01040000\4725E0E4.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aea skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02D80002\47D8825A.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02D80003\47DB2594.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\02D80004\47DC76AF.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\042C0000\472D32D5.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\042C0001\472E0C27.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.agh skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\042C0002\472E845F.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\042C0003\472FD59C.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\042C0004\473D2ABC.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\042C0005\473D2B22.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08700000\4F7F64F1.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08700001\4F7FBB73.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\08700002\4F7FC50D.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.g skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A8C0000\4FBDC5C0.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A8C0001\4FBDEBC5.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A8C0002\4FBDF31F.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A8C0003\4FBDF496.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A8C0004\4FBE1957.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A8C0005\4FBE2329.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0A8C0006\4FBE23AB.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AB00000\4FB2745E.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AB00001\4FB28E20.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AB00002\4FB30FF3.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AB00003\4FB317C7.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AB00004\4FB31940.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AB00005\4FB31D41.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AB00006\4FB322ED.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AB00007\4FB36CF7.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0AB00008\4FB37077.VBN Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C1C0000.VBN/Baaaaa.class Infected: Trojan.Java.ClassLoader.ap skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C1C0000.VBN/BaaaaBaa.class Infected: Trojan.Java.ClassLoader.ap skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C1C0000.VBN/VaaaaaaaBaa.class Infected: Trojan.Java.ClassLoader.ap skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C1C0000.VBN ZIP: infected - 3 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C1C0000.VBN CryptZ: infected - 3 skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C2C0000\4F3FC908.VBN Infected: Trojan.Win32.Agent.bck skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C2C0001\4F3D43DC.VBN Infected: Trojan.Win32.Agent.bck skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C2C0002\4F3D4459.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0C440000\4F552A19.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CA00000\4FAF2AE1.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CB40000\4FBD3E8C.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CB40002\4FBE9057.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CB40003\4FBFE13C.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0CDC0003\4FDF30A5.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0DE80000\4FFCC210.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E940001\4FB7ECD0.VBN Infected: not-a-virus:AdWare.Win32.SecToolBar.h skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E940002\4FBC04A4.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aea skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E940007\4FBC18FC.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ady skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E940008\4FBC192F.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.ady skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0E94000E\4FBC1A45.VBN Infected: not-a-virus:AdWare.Win32.Virtumonde.aea skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F540000\4F5DC840.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine\0F980000\4F987D15.VBN Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\Documents and Settings\El Barry\Application Data\3M\PSNotes\PSNData Object is locked skipped
    C:\Documents and Settings\El Barry\Application Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped
    C:\Documents and Settings\El Barry\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\El Barry\Local Settings\Application Data\AOL OCP\AIM\Storage\All Users\localStorage\common.cls Object is locked skipped
    C:\Documents and Settings\El Barry\Local Settings\Application Data\AOL OCP\AIM\Storage\data\thevoodoogod\localStorage\common.cls Object is locked skipped
    C:\Documents and Settings\El Barry\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\El Barry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\El Barry\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\El Barry\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\El Barry\Local Settings\History\History.IE5\MSHist012007110920071110\index.dat Object is locked skipped
    C:\Documents and Settings\El Barry\Local Settings\Temp\~DFBF9D.tmp Object is locked skipped
    C:\Documents and Settings\El Barry\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\El Barry\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\El Barry\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\El Barry\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\CheckPoint\Integrity Client\zlxeap.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\EENGINE\EPERSIST.DAT Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBConfig.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDebug.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBDetect.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBNotify.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBRefr.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetCfg2.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetDev.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetLoc.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSetUsr.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMNot.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMReg.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBSMRSt.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStHash.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBStMSI.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\BBValid.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPPolicy.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStart.log Object is locked skipped
    C:\Program Files\Common Files\Symantec Shared\SPBBC\LOGS\SPStop.log Object is locked skipped
    C:\Program Files\Symantec AntiVirus\SAVRT\0327NAV~.TMP Object is locked skipped
    C:\Program Files\Symantec AntiVirus\SAVRT\0787NAV~.TMP Object is locked skipped
    C:\qoobox\Quarantine\C\WINDOWS\system32\rnhqanyx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.agh skipped
    C:\qoobox\Quarantine\C\WINDOWS\system32\vyujgogr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.acf skipped
    C:\qoobox\Quarantine\C\WINDOWS\system32\yeqquccg.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.acx skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{574CD45F-8D1A-4211-A2E5-C815DA3CE818}\RP14\A0014444.dll Infected: Trojan.Win32.BHO.rf skipped
    C:\System Volume Information\_restore{574CD45F-8D1A-4211-A2E5-C815DA3CE818}\RP16\A0014730.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.agh skipped
    C:\System Volume Information\_restore{574CD45F-8D1A-4211-A2E5-C815DA3CE818}\RP16\change.log Object is locked skipped
    C:\WINDOWS\csnsvc.exe Infected: Backdoor.Win32.SdBot.cdg skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\Internet Logs\BNMD.ldb Object is locked skipped
    C:\WINDOWS\Internet Logs\fwdbglog.txt Object is locked skipped
    C:\WINDOWS\Internet Logs\fwpktlog.txt Object is locked skipped
    C:\WINDOWS\Internet Logs\IAMDB.RDB Object is locked skipped
    C:\WINDOWS\Internet Logs\RezNet_1194294666176.RDB Object is locked skipped
    C:\WINDOWS\Internet Logs\tvDebug.log Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system\wibsvc.exe Infected: Backdoor.Win32.SdBot.bzc skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\LogFiles\WUDF\WUDFTrace.etl Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\TEMP\ZLT0080e.TMP Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    C:\_OTMoveIt\MovedFiles\WINDOWS\system32\ouusgwbn.dll Infected: Trojan.Win32.BHO.re skipped
    C:\_OTMoveIt\MovedFiles\WINDOWS\system32\trjhdnmx.dll Infected: Trojan.Win32.BHO.rd skipped
    C:\_OTMoveIt\MovedFiles\WINDOWS\system32\xwsaldfy.dll Infected: Trojan.Win32.BHO.rg skipped

    Scan process completed.

    I don't know if this matters, but the first time I ran the scan my computer restarted before it was complete and the next time the scan stopped itself around 85% completion. This log is from the third and final time.
     
  10. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Empty the Symantec AntiVirus Quarantine.

    Delete this folder: C:\qoobox

    Please download the OTMoveIt by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Close OTMoveIt
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


    After the restart of the machine post a new hijackthis log and let me know if you are having any problems.
     
  11. BarryNMD

    BarryNMD Thread Starter

    Joined:
    Oct 19, 2007
    Messages:
    17
    Here is the new HJT Log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:04:36 PM, on 11/9/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\NetDrive\netdrive.exe
    C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
    C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\BCMSMMSG.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    C:\Program Files\CheckPoint\Integrity Client\iclient.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\AIM6\aim6.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Pidgin\pidgin.exe
    C:\Program Files\3M\PSNLite\PsnLite.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    C:\PROGRA~1\3M\PSNLite\PSNGive.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\NetDrive\wdService.exe
    C:\WINDOWS\csnsvc.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\AIM6\aolsoftware.exe
    C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.loyola.edu/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\atguuyqe.dll (file missing)
    O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\atguuyqe.dll (file missing)
    O4 - HKLM\..\Run: [WebDriveTray] C:\Program Files\NetDrive\netdrive.exe /trayicon
    O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
    O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [BCMSMMSG] BCMSMMSG.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\CheckPoint\Integrity Client\iclient.exe"
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKCU\..\Run: [Pidgin] C:\Program Files\Pidgin\pidgin.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [TSClientMSIUninstaller] cmd.exe /C "cscript %systemroot%\Installer\TSClientMsiTrans\tscuinst.vbs" (User 'Default user')
    O4 - Global Startup: Post-it® Software Notes Lite.lnk = C:\Program Files\3M\PSNLite\PsnLite.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Save with Download Manager... - file://C:\Program Files\Ctrax Player\DMDownload.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: atguuyqe - atguuyqe.dll (file missing)
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
    O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    O23 - Service: WebDrive Service (WebDriveService) - Unknown owner - C:\Program Files\NetDrive\wdService.exe
    O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
    O23 - Service: Windows Zero Adapter (WzaSvc) - Unknown owner - C:\WINDOWS\csnsvc.exe (file missing)

    --
    End of file - 9121 bytes

    So far everything is perfect. However, I am going to wait a day or two (if in fact you don't find anything in the log) to mark this thread as solved. Nevertheless, thank you for all of your help; I can't tell you how much this means to me, a busted poor college student in the middle of research papers :)
     
  12. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    I still see csnsvc.exe in the running processes so it doesn't look clean yet.

    Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

    Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
    • In the Processes group click ALL
    • In the Win32 Services group click ALL
    • In the Driver Services group click ALL
    • In the Registry group click ALL
    • In the Files Created Within group click 60 days Make sure Non-Microsoft only is UNCHECKED
    • In the Files Modified Within group select 30 days Make sure Non-Microsoft only is UNCHECKED
    • In the File String Search group select ALL
    • in the Additional scans sections please press select ALL
    • Now click the Run Scan button on the toolbar.
    • The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
    • When the scan is complete Notepad will open with the report file loaded in it.
    • Save that notepad file but click on the "Format" menu and make sure that "word wrap" is not checked. If it is then click on it to uncheck it.
    Please post the resulting log here as an attachment.

    • Click on the orange Post a Reply! button
    • scroll down to Manage Attachments
    • Click in the box that says Upload File from your Computer
    • Click the Browse... button and find the file then click open
    • Click the Upload button
    • Wait until you see Current Attachment and your file name
    • Click on Close this window
    • Then submit the reply.
     
  13. BarryNMD

    BarryNMD Thread Starter

    Joined:
    Oct 19, 2007
    Messages:
    17
    I am unable to upload the file since it is too large. I am also unable to split it up because the Browse window won't recognize the 2 files into which the log has been split. Would you like me to copy and paste it?
     
  14. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    I'll pm you...
     
  15. cybertech

    cybertech Retired Moderator

    Joined:
    Apr 16, 2002
    Messages:
    72,115
    Disable SUPERAntiSpyware before you run this fix.


    Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.
    The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new Hijackthis log.

    I will review the information when it comes back in.
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Similar Threads - Solved Spyware Malware
  1. jennys95
    Replies:
    1
    Views:
    654
  2. rjay13
    Replies:
    0
    Views:
    290
  3. dano_61
    Replies:
    14
    Views:
    919
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/648792

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Dismiss Notice