VUNDO infection, help


viperstk (Thread Starter; joined Jul 10, 2007; 7 messages)
I have a persistent VUNDO virus infection that I cannot clean. I have McAfee Security Center and it does not find it on scans.
I run Windows XP Home, IE 7.
I purchased XoftSpySE and it finds it and removes it, but it returns with many cookies. I have multiple pop-ups and IE locking up, and have to Ctrl-Alt-Del, log off and start over every time.
I stand ready to work this through with your help.
Please help!!

Here is my HJ log file:


Logfile of HijackThis v1.99.1
Scan saved at 2:28:56 AM, on 7/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
C:\Program Files\Ideazon\ZEngine\Zboard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\tbctray.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webshots\webshots.scr
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\jwabaxhd.exe
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\utswnffr.dll",forkonce
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www1.snapfish.com/SnapfishOutlookImport.cab
O16 - DPF: {1D9EFA3B-4E85-41A8-9092-14012CD447C9} (NetCamPlayerWeb Control) - http://68.52.168.87:1100/img/NetCamPlayerWeb.ocx
O16 - DPF: {1F75C3DC-38E2-4424-A028-217AA4CB43CA} (NetCamMotionDetect Control) - http://192.168.1.105/adm/NetCamMotionDetect.cab
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.webshots.com/html/atx/wsaxcontrol.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://mghoward.ourlinksys.com/NetCamPlayerWeb11gv2.cab
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - Unknown owner - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service (file missing)

OK, and following advice from others infected with Vundo, I ran VundoFix.exe. Here is the log:

VundoFix V6.5.4

Checking Java version...

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Scan started at 8:02:21 AM 7/10/2007

Listing files found while scanning....

C:\windows\system32\atkvyynr.ini
C:\windows\system32\bptxfoyl.ini
C:\windows\system32\cfakwgtn.ini
C:\windows\system32\cvvhmwqq.ini
C:\windows\system32\dwyqnndv.ini
C:\windows\system32\ewxhsaip.dll
C:\windows\system32\fccbcbc.dll
C:\windows\system32\gjkmp.bak1
C:\windows\system32\gjkmp.bak2
C:\windows\system32\gjkmp.ini
C:\windows\system32\gjkmp.ini2
C:\windows\system32\gjkmp.tmp
C:\WINDOWS\system32\hmigknpy.dll
C:\windows\system32\iqiqvoek.ini
C:\windows\system32\keovqiqi.dll
C:\windows\system32\lyofxtpb.dll
C:\windows\system32\npnyxkao.ini
C:\windows\system32\ntgwkafc.dll
C:\windows\system32\oakxynpn.dll
C:\windows\system32\omoynhxr.ini
C:\windows\system32\piashxwe.ini
C:\WINDOWS\system32\pmkjg.dll
C:\windows\system32\qqwmhvvc.dll
C:\windows\system32\rffnwstu.ini
C:\windows\system32\rnyyvkta.dll
C:\windows\system32\rxhnyomo.dll
C:\windows\system32\utswnffr.dll
C:\windows\system32\vdnnqywd.dll
C:\WINDOWS\system32\vrtscrtx.dll
C:\WINDOWS\system32\ypnkgimh.ini

Beginning removal...

Attempting to delete C:\windows\system32\atkvyynr.ini
C:\windows\system32\atkvyynr.ini Has been deleted!

Attempting to delete C:\windows\system32\bptxfoyl.ini
C:\windows\system32\bptxfoyl.ini Has been deleted!

Attempting to delete C:\windows\system32\cfakwgtn.ini
C:\windows\system32\cfakwgtn.ini Has been deleted!

Attempting to delete C:\windows\system32\cvvhmwqq.ini
C:\windows\system32\cvvhmwqq.ini Has been deleted!

Attempting to delete C:\windows\system32\dwyqnndv.ini
C:\windows\system32\dwyqnndv.ini Has been deleted!

Attempting to delete C:\windows\system32\ewxhsaip.dll
C:\windows\system32\ewxhsaip.dll Has been deleted!

Attempting to delete C:\windows\system32\fccbcbc.dll
C:\windows\system32\fccbcbc.dll Has been deleted!

Attempting to delete C:\windows\system32\gjkmp.bak1
C:\windows\system32\gjkmp.bak1 Has been deleted!

Attempting to delete C:\windows\system32\gjkmp.bak2
C:\windows\system32\gjkmp.bak2 Has been deleted!

Attempting to delete C:\windows\system32\gjkmp.ini
C:\windows\system32\gjkmp.ini Has been deleted!

Attempting to delete C:\windows\system32\gjkmp.ini2
C:\windows\system32\gjkmp.ini2 Has been deleted!

Attempting to delete C:\windows\system32\gjkmp.tmp
C:\windows\system32\gjkmp.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\hmigknpy.dll
C:\WINDOWS\system32\hmigknpy.dll Has been deleted!

Attempting to delete C:\windows\system32\iqiqvoek.ini
C:\windows\system32\iqiqvoek.ini Has been deleted!

Attempting to delete C:\windows\system32\keovqiqi.dll
C:\windows\system32\keovqiqi.dll Has been deleted!

Attempting to delete C:\windows\system32\lyofxtpb.dll
C:\windows\system32\lyofxtpb.dll Has been deleted!

Attempting to delete C:\windows\system32\npnyxkao.ini
C:\windows\system32\npnyxkao.ini Has been deleted!

Attempting to delete C:\windows\system32\ntgwkafc.dll
C:\windows\system32\ntgwkafc.dll Has been deleted!

Attempting to delete C:\windows\system32\oakxynpn.dll
C:\windows\system32\oakxynpn.dll Has been deleted!

Attempting to delete C:\windows\system32\omoynhxr.ini
C:\windows\system32\omoynhxr.ini Has been deleted!

Attempting to delete C:\windows\system32\piashxwe.ini
C:\windows\system32\piashxwe.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmkjg.dll
C:\WINDOWS\system32\pmkjg.dll Has been deleted!

Attempting to delete C:\windows\system32\qqwmhvvc.dll
C:\windows\system32\qqwmhvvc.dll Has been deleted!

Attempting to delete C:\windows\system32\rffnwstu.ini
C:\windows\system32\rffnwstu.ini Has been deleted!

Attempting to delete C:\windows\system32\rnyyvkta.dll
C:\windows\system32\rnyyvkta.dll Has been deleted!

Attempting to delete C:\windows\system32\rxhnyomo.dll
C:\windows\system32\rxhnyomo.dll Has been deleted!

Attempting to delete C:\windows\system32\utswnffr.dll
C:\windows\system32\utswnffr.dll Has been deleted!

Attempting to delete C:\windows\system32\vdnnqywd.dll
C:\windows\system32\vdnnqywd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vrtscrtx.dll
C:\WINDOWS\system32\vrtscrtx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ypnkgimh.ini
C:\WINDOWS\system32\ypnkgimh.ini Has been deleted!

Performing Repairs to the registry.
Done!

And the new HJ log:

Logfile of HijackThis v1.99.1
Scan saved at 8:16:06 AM, on 7/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
C:\Program Files\Ideazon\ZEngine\Zboard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\tbctray.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {930D35D2-094D-41B9-8E89-D1B76F2C6E97} - C:\WINDOWS\system32\fccbcbc.dll (file missing)
O2 - BHO: (no name) - {F8C2E3C1-DB10-49E9-8201-7374698363BC} - C:\WINDOWS\system32\pmkjg.dll (file missing)
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www1.snapfish.com/SnapfishOutlookImport.cab
O16 - DPF: {1D9EFA3B-4E85-41A8-9092-14012CD447C9} (NetCamPlayerWeb Control) - http://68.52.168.87:1100/img/NetCamPlayerWeb.ocx
O16 - DPF: {1F75C3DC-38E2-4424-A028-217AA4CB43CA} (NetCamMotionDetect Control) - http://192.168.1.105/adm/NetCamMotionDetect.cab
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.webshots.com/html/atx/wsaxcontrol.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://mghoward.ourlinksys.com/NetCamPlayerWeb11gv2.cab
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - Unknown owner - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service (file missing)


Running SuperAntiSpyware now. Will post log file when complete.
 

askey127 (Malware Specialist; joined Dec 22, 2006; 3,722 messages)
viperstk,
Your log looks a lot better now.
Please don't run anything else until we are done.
-----------------------------------------------------------
Remove log items with HijackThis. Start HijackThis.
Click Do System Scan Only. When the scan is complete, check the following entries:
(Some of these lines may be missing)

O2 - BHO: (no name) - {930D35D2-094D-41B9-8E89-D1B76F2C6E97} - C:\WINDOWS\system32\fccbcbc.dll (file missing)
O2 - BHO: (no name) - {F8C2E3C1-DB10-49E9-8201-7374698363BC} - C:\WINDOWS\system32\pmkjg.dll (file missing)
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

Make sure every other window except HJT is closed (no other tabs showing in the bottom tray), and click Fix Checked.
----------------------------------------------------------
Download and Install CCleaner
  • Download CCleaner from here
  • Double click on ccsetupXXX_slim.exe to start the installation of CCleaner. (XXX is the version number)
  • Click OK
  • Click Next
  • Click I agree
  • Click Next
  • Click Install
  • Once the installation has finished, click Finish
Run CCleaner Cleaning Scan. This will remove all Temp files, cookies, and Internet History.
Click on the Cleaner block on the left. Choose the Windows tab.
Click the Run Cleaner button. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.
-----------------------------------------------------------
Retrieve the Installed Programs List from CCleaner
In the Left Pane, click Tools
Verify that Uninstall is highlighted in color, or click on it.
In the lower Right, click Save to Text File.
Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
You can leave the filename as install.txt
Click Save
Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.
-----------------------------------------------------------
Post a New HJT Log
Reboot your computer. Start HijackThis. Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply, along with install.txt from CCleaner.

askey127
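Added example (not from the thread or from any tool it mentions): a small Python script that does mechanically what askey127 does by eye, cross-referencing a HijackThis log against the files VundoFix reported deleting, so that O2/O4 entries still pointing at removed files (and unnamed BHOs whose DLL is gone) stand out for the Fix Checked step. The log excerpts embedded in it are constructed from lines posted above; the function names are my own.

```python
"""Cross-check a HijackThis (HJT) log against a VundoFix removal log.

Added example, not code from the thread.  The embedded logs are short
excerpts constructed from the ones posted above.
"""
import re

# Constructed excerpt of the VundoFix log posted in the thread.
VUNDOFIX_LOG = """\
Attempting to delete C:\\windows\\system32\\fccbcbc.dll
C:\\windows\\system32\\fccbcbc.dll Has been deleted!

Attempting to delete C:\\WINDOWS\\system32\\pmkjg.dll
C:\\WINDOWS\\system32\\pmkjg.dll Has been deleted!

Attempting to delete C:\\windows\\system32\\utswnffr.dll
C:\\windows\\system32\\utswnffr.dll Has been deleted!
"""

# Constructed excerpt of the HJT logs posted in the thread (lines from the
# first and second scans, so both the live loader and the orphaned BHOs appear).
HJT_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {930D35D2-094D-41B9-8E89-D1B76F2C6E97} - C:\\WINDOWS\\system32\\fccbcbc.dll (file missing)
O2 - BHO: (no name) - {F8C2E3C1-DB10-49E9-8201-7374698363BC} - C:\\WINDOWS\\system32\\pmkjg.dll (file missing)
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [icq.com] rundll32.exe "C:\\WINDOWS\\system32\\utswnffr.dll",forkonce
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\\Network Diagnostic\\xpnetdiag.exe (file missing)
"""

# "<path> Has been deleted!" lines in the VundoFix log (paths contain no spaces).
DELETED_RE = re.compile(r"^(?P<path>[A-Za-z]:\\\S+) Has been deleted!$", re.M)
# One HJT entry: section code (R0, O2, O4, ...) followed by " - " and the body.
ENTRY_RE = re.compile(r"^(?P<kind>R\d|O\d+) - (?P<body>.*)$")
# A drive-letter path ending in a binary/config extension; stops at quotes or
# commas so rundll32 "path",export arguments are split correctly.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n,]+?\.(?:dll|exe|ini|ocx)', re.I)


def vundofix_deleted_files(log: str) -> set[str]:
    """Return the set of paths VundoFix reported deleting, lower-cased so the
    comparison with HJT (which mixes WINDOWS/windows) is case-insensitive."""
    return {m.group("path").lower() for m in DELETED_RE.finditer(log)}


def flag_hjt_entries(hjt_log: str, deleted: set[str]) -> list[tuple[str, list[str]]]:
    """Return (entry line, reasons) for every HJT entry worth fixing.

    Two rules, both taken from what the thread itself points at:
      1. the entry references a file VundoFix already removed (an autorun or
         BHO registration left behind), and
      2. the entry is an O2 BHO with no name whose DLL is missing.
    Legitimate '(file missing)' entries such as xpnetdiag.exe are not flagged
    because they match neither rule.
    """
    flagged = []
    for line in hjt_log.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        reasons = []
        for path in PATH_RE.findall(body):
            if path.lower() in deleted:
                reasons.append(f"references {path}, which VundoFix deleted")
        if kind == "O2" and "(no name)" in body and "(file missing)" in body:
            reasons.append("unnamed BHO whose DLL is gone (orphaned registration)")
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    deleted = vundofix_deleted_files(VUNDOFIX_LOG)
    for entry, why in flag_hjt_entries(HJT_LOG, deleted):
        print(entry)
        for reason in why:
            print("    ->", reason)
```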
 

viperstk (Thread Starter; joined Jul 10, 2007; 7 messages)
Instructions followed, thanks.

Log file cleaned as instructed with HJ. CCleaner run and install.txt created. Reboot completed. HJ scan and save log file complete.

New HJ Log:

Logfile of HijackThis v1.99.1
Scan saved at 10:59:10 AM, on 7/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
C:\Program Files\Ideazon\ZEngine\Zboard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.comcast.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www1.snapfish.com/SnapfishOutlookImport.cab
O16 - DPF: {1D9EFA3B-4E85-41A8-9092-14012CD447C9} (NetCamPlayerWeb Control) - http://68.52.168.87:1100/img/NetCamPlayerWeb.ocx
O16 - DPF: {1F75C3DC-38E2-4424-A028-217AA4CB43CA} (NetCamMotionDetect Control) - http://192.168.1.105/adm/NetCamMotionDetect.cab
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.webshots.com/html/atx/wsaxcontrol.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://mghoward.ourlinksys.com/NetCamPlayerWeb11gv2.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - Unknown owner - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service (file missing)


Install.txt file:

Ace DivX Player
Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Flash Player 9 ActiveX
Adobe Photoshop 7.0
Adobe Reader 7.0.8
AllSeaSaver
Apple Mobile Device Support
Apple Software Update
Asmw Eraser Pro
Avanquest update
Battlefield 2(TM)
Battlefield 2: Special Forces
BitLord 1.1
CCleaner (remove only)
CH Gameport Devices
Comcast High-Speed Internet Install Wizard
Compact Wireless-G Internet Video Camera
Company of Heroes
Corel Paint Shop Pro Photo XI
Corel Snapfire Plus
Creative PC-CAM Center
Creative WebCam Monitor
Creative WebCam Pro Driver
Creative WebCam Pro Manual (English)
Dell Picture Studio - Image Expert 2000
Dell ResourceCD
Desktop Doctor
DVD Shrink 3.2
EA Link
Easy CD Creator 5 Platinum
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB926239)
hp instant support
HP Memories Disc
HP Photo and Imaging 2.2 - Scanjet 3970 Series
IE2K
ItsDeductible Express
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 9
Java(TM) SE Runtime Environment 6 Update 1
LiveReg (Symantec Corporation)
LiveUpdate 1.6 (Symantec Corporation)
MapSource - City Select North America v6
MapSource - US Rec Lakes with Fishing Hot Spots East v5
MapSource
McAfee SecurityCenter
MGI PhotoSuite 4 (Remove Only)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft IntelliPoint
Microsoft Office XP Media Content
Microsoft Office XP Small Business
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft XML Parser
Motorola Phone Tools
Motorola Software Update
Motorola USB Drivers
Mozilla Firefox (2.0)
MP3 Rocket
MSXML 4.0 SP2 (KB927978)
Namo WebEditor 4
Namo WebEditor 5
Nero - Burning Rom
Nero 6 Ultra Edition
NVIDIA Drivers
ParetoLogic Privacy Controls
Pinnacle Hollywood FX 4.6
Pinnacle Studio AV/DV
PowerDVD
PQ DVD to iPod Video Suite (remove only)
QuickTime
RealPlayer Basic
RegCure 1.4.0.4
Registry Mechanic 5.0
RegistryCleanFix 2007
Rhapsody Player Engine
Santa Cruz
Security Update for Microsoft .NET Framework 2.0 (KB917283)
Security Update for Microsoft .NET Framework 2.0 (KB922770)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Shockwave Player
Studio 8
SUPERAntiSpyware Professional
TeamSpeak 2 RC2
TiVo Desktop
TurboTax Premier 2004
Ulead Photo Express 4.0 My Custom Edition
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
URGE
WebFldrs XP
Webshots Desktop
WexTech AnswerWorks
Windows Defender Signatures
Windows Defender
Windows Genuine Advantage Notifications (KB905474)
Windows Genuine Advantage Validation Tool (KB892130)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
WMAConvert 2.5.3
XoftSpySE
Z Engine


Please advise. Thank you!!!!!!
 

askey127

Malware Specialist
Joined
Dec 22, 2006
Messages
3,722
viperstk,
Last log looks quite good. A bit of cleanup, and a final check:

You should be careful if you have a version of Easy CD Creator and a version of Nero on the same machine.
The two CD-R/W subprograms (DirectCD.exe and InCD.exe, respectively) are not very compatible. They both try to intercept the call to the CD/DVD drive.
Make sure you don't have both of those running at once, and I wouldn't have either one run automatically at startup.
I don't see any issue in your last log regarding this, just a tip for you.
You can pull up Task Manager with Ctrl-Alt-Del anytime to check.

Older versions of Java are subject to attack using known security holes.
-----------------------------------------------------------
Use Add/Remove Programs In Control Panel
From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
Highlight each Entry, as follows, one by one, if it exists, and choose Remove:

J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 9

Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into Keeping the program.
-----------------------------------------------------
Using Internet Explorer, Please Do an Online Scan with Kaspersky WebScanner.
Go here to run an online scanner from Kaspersky.
  • Click on "Kaspersky Online Scanner"
  • A new smaller window will pop up. Press on "Accept" after reading the contents.
  • Now Kaspersky will update the anti-virus database. Let it run.
  • Click on "Next" > "Scan Settings", make sure the database is set to "extended", and check both the scan options. Then click OK.
  • Then click on "My Computer", and the scan will start.
  • Once finished, save the log to your Desktop as filename KAV.txt
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.

Please post the contents of KAV.txt in your next reply along with any questions or comments.
askey127
 

viperstk

Thread Starter
Joined
Jul 10, 2007
Messages
7
More found...

KAV.TXT

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, July 10, 2007 3:40:33 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 10/07/2007
Kaspersky Anti-Virus database records: 360559
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 96702
Number of viruses found: 10
Number of infected objects: 65
Number of suspicious objects: 0
Duration of the scan process: 01:41:52

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{D8CF38B4-192D-4664-A9EE-A642E49F830D}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Support.com\profiles\Mike Howard\triggers.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike Howard\Application Data\Ideazon\ZEngine\data\mods\IDeazon.ldb Object is locked skipped
C:\Documents and Settings\Mike Howard\Application Data\Ideazon\ZEngine\data\mods\IDeazon.zbd Object is locked skipped
C:\Documents and Settings\Mike Howard\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mike Howard\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mike Howard\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike Howard\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mike Howard\Local Settings\Temp\JETED20.tmp Object is locked skipped
C:\Documents and Settings\Mike Howard\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Mike Howard\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mike Howard\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Mike Howard\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{37A080D0-CAF1-4994-9BDD-A98DF0FFDBE4}.tmp/{37A080D0-CAF1-4994-9BDD-A98DF0FFDBE4}.tmp Infected: Trojan.Java.ClassLoader.ak skipped
C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{37A080D0-CAF1-4994-9BDD-A98DF0FFDBE4}.tmp ZIP: infected - 1 skipped
C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{5B20FD43-E4FE-417B-9F9E-A8712B1B2712}.tmp/{5B20FD43-E4FE-417B-9F9E-A8712B1B2712}.tmp Infected: Trojan.Java.ClassLoader.ak skipped
C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{5B20FD43-E4FE-417B-9F9E-A8712B1B2712}.tmp ZIP: infected - 1 skipped
C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{9A0421A4-AADB-4198-9724-95DE866E4B53}.tmp/{9A0421A4-AADB-4198-9724-95DE866E4B53}.tmp Infected: Trojan-Downloader.Java.OpenConnection.ah skipped
C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{9A0421A4-AADB-4198-9724-95DE866E4B53}.tmp ZIP: infected - 1 skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010009.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP778\A0036962.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP778\A0036962.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP778\A0036962.exe/data.rar/serial.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP778\A0036962.exe/data.rar/install.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP778\A0036962.exe/data.rar Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP778\A0036962.exe RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP780\A0037204.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP781\A0037387.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP787\A0039796.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP787\A0039822.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP788\A0040822.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP788\A0041836.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP788\A0041841.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP789\A0041944.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP789\A0041960.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\change.log Object is locked skipped
C:\VundoFix Backups\fccbcbc.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\vrtscrtx.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{0C14B947-4657-48CF-A873-31A2EC21A29B}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\afgeveav.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\akcpvalv.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\bnvitiif.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dqrsrrdp.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\drvvjicx.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\edgmcdxy.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\ejiqnhot.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\evlkwgru.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\fkhmiyfm.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\fwaqigrq.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\gnjkxuuy.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\gqxqfpvs.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\hapabcms.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\hwnhrejk.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\ibirhcxo.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\iknummua.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\ingdggna.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\jkerhyvc.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\jwabaxhd.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\keosukxf.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\kkcpodgc.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\kofqvtvu.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\ldyejaba.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\lgxaxnro.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\lhbteobe.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\lrnnttkk.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\mrioprph.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\msieycst.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\nurnudop.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\oisnyudh.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\pwlfexhu.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\pyknwmom.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\qqaaygog.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\qtwdqlyq.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\qyldkvih.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\rfcedwxi.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\rftnycjy.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\tmuvuhil.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\ttcxothc.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\vcxwygkj.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\vttnifke.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wtijpwqe.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\Temp\mcafee_HnNez7GIDseS2h4 Object is locked skipped
C:\WINDOWS\Temp\mcafee_SJQ7e9eZcySNbjU Object is locked skipped
C:\WINDOWS\Temp\mcmsc_bhcMGujLJkMWTvy Object is locked skipped
C:\WINDOWS\Temp\mcmsc_jtff5SQCFxmUJVO Object is locked skipped
C:\WINDOWS\Temp\mcmsc_QZUidjGE5MgUSwm Object is locked skipped
C:\WINDOWS\Temp\mcmsc_vwPo2LEAAFc8fZf Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

----

What do I do now? Thanks!
 

askey127

Malware Specialist
Joined
Dec 22, 2006
Messages
3,722
viperstk,
------------------------------------------------
Download and Run ComboFix
-----------------------------------------------------
Using Internet Explorer, Please Do an Online Scan with Kaspersky WebScanner.
Go here to run an online scanner from Kaspersky.
  • Click on "Kaspersky Online Scanner"
  • A new smaller window will pop up. Press on "Accept" after reading the contents.
  • Now Kaspersky will update the anti-virus database. Let it run.
  • Click on "Next" > "Scan Settings", make sure the database is set to "extended", and check both the scan options. Then click OK.
  • Then click on "My Computer", and the scan will start.
  • Once finished, save the log to your Desktop as filename KAV-2nd.txt

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
Please post the log from ComboFix and KAV-2nd.txt from Kaspersky

askey127
 

viperstk

Thread Starter
Joined
Jul 10, 2007
Messages
7
Combo fix log:


"Mike Howard" - 2007-07-10 16:07:13 - ComboFix 07-07-10.1 - Service Pack 2


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\afgeveav.exe
C:\WINDOWS\system32\akcpvalv.exe
C:\WINDOWS\system32\bnvitiif.exe
C:\WINDOWS\system32\dqrsrrdp.exe
C:\WINDOWS\system32\drvvjicx.exe
C:\WINDOWS\system32\edgmcdxy.exe
C:\WINDOWS\system32\ejiqnhot.exe
C:\WINDOWS\system32\evlkwgru.exe
C:\WINDOWS\system32\fkhmiyfm.exe
C:\WINDOWS\system32\fwaqigrq.exe
C:\WINDOWS\system32\gnjkxuuy.exe
C:\WINDOWS\system32\gqxqfpvs.exe
C:\WINDOWS\system32\hapabcms.exe
C:\WINDOWS\system32\hwnhrejk.exe
C:\WINDOWS\system32\ibirhcxo.exe
C:\WINDOWS\system32\iknummua.exe
C:\WINDOWS\system32\ingdggna.exe
C:\WINDOWS\system32\jkerhyvc.exe
C:\WINDOWS\system32\jwabaxhd.exe
C:\WINDOWS\system32\keosukxf.exe
C:\WINDOWS\system32\kkcpodgc.exe
C:\WINDOWS\system32\kofqvtvu.exe
C:\WINDOWS\system32\ldyejaba.exe
C:\WINDOWS\system32\lgxaxnro.exe
C:\WINDOWS\system32\lhbteobe.exe
C:\WINDOWS\system32\lrnnttkk.exe
C:\WINDOWS\system32\mrioprph.exe
C:\WINDOWS\system32\msieycst.exe
C:\WINDOWS\system32\nurnudop.exe
C:\WINDOWS\system32\oisnyudh.exe
C:\WINDOWS\system32\pwlfexhu.exe
C:\WINDOWS\system32\pyknwmom.exe
C:\WINDOWS\system32\qqaaygog.exe
C:\WINDOWS\system32\qtwdqlyq.exe
C:\WINDOWS\system32\qyldkvih.exe
C:\WINDOWS\system32\rfcedwxi.exe
C:\WINDOWS\system32\rftnycjy.exe
C:\WINDOWS\system32\tmuvuhil.exe
C:\WINDOWS\system32\ttcxothc.exe
C:\WINDOWS\system32\vcxwygkj.exe
C:\WINDOWS\system32\vttnifke.exe
C:\WINDOWS\system32\wtijpwqe.exe


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-06-10 to 2007-07-10 )))))))))))))))))))))))))))))))


2007-07-10 16:06 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-10 13:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-07-10 13:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
2007-07-10 10:31 <DIR> d-------- C:\Program Files\CCleaner
2007-07-10 08:22 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-10 08:22 <DIR> d-------- C:\DOCUME~1\MIKEHO~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-10 08:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-10 08:02 <DIR> d-------- C:\VundoFix Backups
2007-07-09 23:44 <DIR> d-------- C:\Program Files\RegistryCleanFix
2007-07-07 11:56 406,016 --a------ C:\WINDOWS\system32\PSDrvCheck.exe
2007-07-07 11:56 19,456 --a------ C:\WINDOWS\system32\asapi.dll
2007-07-07 11:56 11,264 --a------ C:\WINDOWS\system32\drivers\asapiW2k.sys
2007-07-07 04:28 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
2007-07-07 04:22 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
2007-07-07 04:22 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
2007-07-07 04:22 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
2007-07-07 04:22 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
2007-07-07 04:22 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
2007-07-07 04:21 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
2007-07-07 04:17 <DIR> d-------- C:\Program Files\McAfee
2007-07-07 04:17 <DIR> d-------- C:\Program Files\Common Files\McAfee
2007-07-07 04:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
2007-07-06 22:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-07-06 22:29 1,156 --a------ C:\WINDOWS\mozver.dat
2007-07-06 22:04 0 --a------ C:\WINDOWS\nsreg.dat
2007-07-05 21:37 <DIR> d-------- C:\Program Files\XoftSpySE
2007-07-05 15:05 <DIR> d-------- C:\Program Files\iTunes
2007-07-05 15:05 <DIR> d-------- C:\Program Files\iPod
2007-07-05 14:57 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-05 14:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-01 22:51 <DIR> d-------- C:\Program Files\Namo
2007-06-27 15:41 <DIR> d-------- C:\DOCUME~1\MIKEHO~1\awc_mghoward
2007-06-27 14:25 <DIR> d-------- C:\Program Files\anywebcam
2007-06-27 14:13 65,536 -ra------ C:\WINDOWS\system32\ctcammgr.dll
2007-06-27 14:13 61,440 -ra------ C:\WINDOWS\ctdrvins.exe
2007-06-27 14:13 53,248 -ra------ C:\WINDOWS\system32\p1030hwx.dll
2007-06-27 14:13 49,152 -ra------ C:\WINDOWS\p1030cfg.exe
2007-06-27 14:13 40,960 -ra------ C:\WINDOWS\system32\p1030ext.dll
2007-06-27 14:13 28,672 -ra------ C:\WINDOWS\system32\p1030pin.dll
2007-06-27 14:13 25,169 -ra------ C:\WINDOWS\system32\drivers\p1030cam.sys
2007-06-27 14:13 24,576 -ra------ C:\WINDOWS\system32\p1030vfw.dll
2007-06-27 14:13 167,661 -ra------ C:\WINDOWS\system32\drivers\p1030vid.sys
2007-06-27 14:13 16,429 -ra------ C:\WINDOWS\system32\p1030usd.dll
2007-06-27 14:04 <DIR> d-------- C:\Program Files\Ulead Systems
2007-06-27 14:01 135,680 --a------ C:\WINDOWS\Webdelc.exe
2007-06-27 14:01 <DIR> d-------- C:\Media
2007-06-27 14:00 <DIR> d-------- C:\CtDriverInstTemp
2007-06-27 13:58 41,984 --a------ C:\WINDOWS\CTREGRUN.EXE
2007-06-27 13:58 <DIR> d-------- C:\Program Files\Creative
2007-06-27 13:52 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-06-27 13:52 <DIR> d-------- C:\WINDOWS\OvtCam
2007-06-24 22:53 5,543 --a------ C:\WINDOWS\system32\drivers\MemAlloc.sys
2007-06-24 22:53 247,936 --a------ C:\WINDOWS\system32\drivers\LStone2k.sys
2007-06-24 22:53 <DIR> d-------- C:\WINDOWS\system32\drivers\Pinnacle
2007-06-24 22:53 <DIR> d-------- C:\WINDOWS\avdv.drv
2007-06-24 22:47 898,736 --------- C:\WINDOWS\system32\Ltr13n.dll
2007-06-24 22:47 86,016 --a------ C:\WINDOWS\unvise32.exe
2007-06-24 22:47 73,728 --------- C:\WINDOWS\system32\MMAviAx.dll
2007-06-24 22:47 32,838 --a------ C:\WINDOWS\system32\Cachex.dll
2007-06-24 22:47 32,768 --a------ C:\WINDOWS\system32\MLPagAx.dll
2007-06-24 22:47 298,168 --------- C:\WINDOWS\system32\Ltrio13n.dll
2007-06-24 22:47 204,881 --a------ C:\WINDOWS\system32\DiskIO.dll
2007-06-24 22:47 155,721 --a------ C:\WINDOWS\system32\RALMain.dll
2007-06-24 22:47 114,759 --------- C:\WINDOWS\system32\Aviprax.dll
2007-06-24 22:43 14,604 --------- C:\WINDOWS\system32\drivers\pfc.sys
2007-06-24 22:42 61,440 --a------ C:\WINDOWS\system32\pclepim1.dll
2007-06-24 22:42 60,416 --------- C:\WINDOWS\system32\miroDV2Bmp.dll
2007-06-24 22:33 <DIR> d-------- C:\My Music
2007-06-24 22:30 57,856 --------- C:\WINDOWS\system32\MASD32.DLL
2007-06-24 22:30 49,152 --a------ C:\WINDOWS\system32\PCLEGetGuid.dll
2007-06-24 22:30 27,648 --------- C:\WINDOWS\system32\MA32.DLL
2007-06-24 22:30 196,096 --------- C:\WINDOWS\system32\MACD32.DLL
2007-06-24 22:30 138,752 --------- C:\WINDOWS\system32\MASE32.DLL
2007-06-24 22:30 136,192 --------- C:\WINDOWS\system32\MAMC32.DLL
2007-06-24 22:27 81,920 --------- C:\WINDOWS\system32\vdrmux.dll
2007-06-24 22:27 46,592 --------- C:\WINDOWS\system32\vdrcodec.dll
2007-06-24 22:27 40,960 --a------ C:\WINDOWS\system32\langserv.dll
2007-06-24 22:27 <DIR> d-------- C:\Program Files\Pinnacle
2007-06-24 22:24 14,165 --------- C:\WINDOWS\system32\drivers\Pclepci.sys
2007-06-10 16:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\My Music
2007-06-10 15:37 5,018 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-06-10 15:37 168 -r-hs---- C:\WINDOWS\system32\E12B40E443.sys
2007-06-10 15:37 <DIR> d-------- C:\DOCUME~1\MIKEHO~1\APPLIC~1\Corel
2007-06-10 15:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Corel
2007-06-10 15:35 <DIR> d-------- C:\Program Files\Common Files\Corel
2007-06-10 15:31 <DIR> d-------- C:\Program Files\Corel


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-10 13:22:22 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-07-07 16:56:24 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-07 09:36:24 -------- d-----w C:\Program Files\McAfee.com
2007-07-06 03:21:56 -------- d-----w C:\Program Files\RegCure
2007-07-05 20:31:43 -------- d-----w C:\Program Files\MySpace
2007-07-03 13:08:15 -------- d-----w C:\Program Files\MP3 Rocket
2007-06-25 03:33:47 -------- d-----w C:\Program Files\Common Files\Real
2007-06-25 03:33:37 -------- d-----w C:\Program Files\Real
2007-06-21 19:32:21 -------- d-----w C:\Program Files\QuickTime
2007-06-12 17:31:21 -------- d-----w C:\DOCUME~1\MIKEHO~1\APPLIC~1\MP3Rocket
2007-06-09 21:25:49 -------- d-----w C:\DOCUME~1\MIKEHO~1\APPLIC~1\MSN6
2007-05-21 11:00:50 -------- d-----w C:\Program Files\WMAConvert
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-15 20:32:24 513,152 ----a-w C:\WINDOWS\system32\WmaCDriverV32.sys
2007-05-15 20:32:24 513,152 ----a-w C:\WINDOWS\system32\drivers\WmaCDriverV32.sys
2007-05-04 19:43:03 114,545 ----a-w C:\WINDOWS\AllSeaSaver Uninstaller.exe
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-01-12 21:38 63128 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
2006-12-22 16:02 67136 --a------ c:\program files\mcafee\virusscan\scriptcl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"POINTER"="point32.exe" []
"nwiz"="nwiz.exe" [2005-08-02 18:35 C:\WINDOWS\system32\nwiz.exe]
"RegistryMechanic"="" []
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2007-03-07 10:58]
"Creative WebCam Tray"="C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE" [2002-02-25 02:30]
"Zboard"="C:\Program Files\Ideazon\ZEngine\Zboard.exe" [2007-04-03 19:46]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14]
"RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-06-24 22:33]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"CreateCD50"="C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.exe" [2001-05-16 09:04]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
"C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PicoZip]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoNotify]
"C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoServer]
"C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoTransfer]
"C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide


Contents of the 'Scheduled Tasks' folder
2007-07-05 17:57:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-07-07 09:20:17 C:\WINDOWS\tasks\McDefragTask.job
2007-07-07 09:20:15 C:\WINDOWS\tasks\McQcTask.job
2007-07-10 07:11:06 C:\WINDOWS\tasks\MP Scheduled Scan.job
2007-07-10 21:14:06 C:\WINDOWS\tasks\RegCure Program Check.job
2007-06-28 08:00:00 C:\WINDOWS\tasks\RegCure.job
2007-07-10 21:16:01 C:\WINDOWS\tasks\Symantec NetDetect.job
2007-07-10 08:00:01 C:\WINDOWS\tasks\XoftSpySE.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-10 16:14:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-10 16:18:54 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-10 16:18

--- E O F ---




KAV-2nd log is in the next post; combined, they were too big.

viperstk
ComboFix log is in the previous post... too big.


KAV-2nd.txt Log:



-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, July 10, 2007 6:12:03 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 10/07/2007
Kaspersky Anti-Virus database records: 360559
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 94982
Number of viruses found: 10
Number of infected objects: 107
Number of suspicious objects: 0
Duration of the scan process: 01:47:12

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{D8CF38B4-192D-4664-A9EE-A642E49F830D}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Support.com\profiles\Mike Howard\triggers.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike Howard\Application Data\Ideazon\ZEngine\data\mods\IDeazon.ldb Object is locked skipped
C:\Documents and Settings\Mike Howard\Application Data\Ideazon\ZEngine\data\mods\IDeazon.zbd Object is locked skipped
C:\Documents and Settings\Mike Howard\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mike Howard\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Mike Howard\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mike Howard\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike Howard\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mike Howard\Local Settings\History\History.IE5\MSHist012007071020070711\index.dat Object is locked skipped
C:\Documents and Settings\Mike Howard\Local Settings\Temp\JET8BD1.tmp Object is locked skipped
C:\Documents and Settings\Mike Howard\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mike Howard\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Mike Howard\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{37A080D0-CAF1-4994-9BDD-A98DF0FFDBE4}.tmp/{37A080D0-CAF1-4994-9BDD-A98DF0FFDBE4}.tmp Infected: Trojan.Java.ClassLoader.ak skipped
C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{37A080D0-CAF1-4994-9BDD-A98DF0FFDBE4}.tmp ZIP: infected - 1 skipped
C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{5B20FD43-E4FE-417B-9F9E-A8712B1B2712}.tmp/{5B20FD43-E4FE-417B-9F9E-A8712B1B2712}.tmp Infected: Trojan.Java.ClassLoader.ak skipped
C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{5B20FD43-E4FE-417B-9F9E-A8712B1B2712}.tmp ZIP: infected - 1 skipped
C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{9A0421A4-AADB-4198-9724-95DE866E4B53}.tmp/{9A0421A4-AADB-4198-9724-95DE866E4B53}.tmp Infected: Trojan-Downloader.Java.OpenConnection.ah skipped
C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{9A0421A4-AADB-4198-9724-95DE866E4B53}.tmp ZIP: infected - 1 skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\afgeveav.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\akcpvalv.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bnvitiif.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\dqrsrrdp.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drvvjicx.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\edgmcdxy.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ejiqnhot.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\evlkwgru.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fkhmiyfm.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\fwaqigrq.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gnjkxuuy.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\gqxqfpvs.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hapabcms.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\hwnhrejk.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ibirhcxo.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\iknummua.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ingdggna.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jkerhyvc.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\jwabaxhd.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\keosukxf.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kkcpodgc.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\kofqvtvu.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ldyejaba.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lgxaxnro.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lhbteobe.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\lrnnttkk.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\mrioprph.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\msieycst.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\nurnudop.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\oisnyudh.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pwlfexhu.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\pyknwmom.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qqaaygog.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qtwdqlyq.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qyldkvih.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rfcedwxi.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\rftnycjy.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\tmuvuhil.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ttcxothc.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vcxwygkj.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\vttnifke.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\wtijpwqe.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
C:\System Volume Information\catalog.wci\00010009.ci Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP778\A0036962.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP778\A0036962.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP778\A0036962.exe/data.rar/serial.exe Infected: Trojan.Win32.Dialer.qn skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP778\A0036962.exe/data.rar/install.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP778\A0036962.exe/data.rar Infected: Trojan-Downloader.Win32.Small.eqn skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP778\A0036962.exe RarSFX: infected - 5 skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP780\A0037204.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP781\A0037387.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP787\A0039796.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP787\A0039822.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP788\A0040822.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP788\A0041836.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP788\A0041841.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP789\A0041944.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP789\A0041960.dll Infected: Trojan.Win32.BHO.bd skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042385.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042386.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042387.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042388.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042389.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042390.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042391.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042392.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042393.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042394.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042395.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042396.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042397.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042398.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042399.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042400.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042401.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042402.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042403.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042404.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042405.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042406.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042407.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042408.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042409.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042410.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042411.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042412.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042413.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042414.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042415.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042416.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042417.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042418.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042419.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042420.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042421.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042422.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042423.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042424.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042425.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042426.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\change.log Object is locked skipped
C:\VundoFix Backups\fccbcbc.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\vrtscrtx.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcafee_iR8npigg6StSg9m Object is locked skipped
C:\WINDOWS\Temp\mcafee_qYyPZSdhGVrRu7U Object is locked skipped
C:\WINDOWS\Temp\mcmsc_buL8FRPYa21DW4e Object is locked skipped
C:\WINDOWS\Temp\mcmsc_BXcx4aZPPhF7Nxc Object is locked skipped
C:\WINDOWS\Temp\mcmsc_d2HH9b9o6JDLYVk Object is locked skipped
C:\WINDOWS\Temp\mcmsc_Lux0QpA9167hu8l Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.
 

askey127

Malware Specialist
Joined
Dec 22, 2006
Messages
3,722
viperstk,
-----------------------------------------------------------
Folder Deletion
In Windows Explorer (My Computer), navigate to the folder shown below, highlight the folder if found, and press Delete. (This one contains all quarantined infected files.)
C:\Qoobox\
In the case of a folder removal, you may have to first open the folder, choose View, Details, and delete all the underlying files and folders before an entire folder can be deleted.
If you need to delete underlying files in a folder and are unable to do so:
Right click the file set for deletion, and check Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
If a message pops up saying "File in use", or something like that, hit Ctrl-Alt-Delete and look under the Processes tab.
If the exact filename is in there, highlight it and click End Process, then retry Delete.
Please Note the name and location of any item you cannot delete, or any file not found.
-----------------------------------------------------------
Run CCleaner Cleaning Scan. This will remove all Temp files, cookies, and Internet History.
Click on the Cleaner block on the left. Choose the Windows tab.
Click the Run Cleaner button. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.
Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.
-----------------------------------------------------------
Disable WinXP System Restore
Disable your System Restore to remove malware files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing them. The only way to erase these files is to temporarily disable System Restore. You will lose all previous restore points which are likely to be infected.
- Right-click My Computer, and then click Properties.
- On the System Restore tab, put a Check mark in the Turn Off System Restore check box.
- Click OK twice, and then click Yes when you are prompted to restart the computer.
If you are not prompted to reboot, do it on your own.
-----------------------------------------------------------
After the Reboot,
Enable WinXP System Restore
- Right-click My Computer, and then click Properties.
- On the System Restore tab, Clear the Check mark beside the Turn Off System Restore check box.
- Click OK twice, and then click Yes when you are prompted to restart the computer.
The Disable/Re-enable System Restore sequence is not to be done regularly, but only once after the removal of malware.

-----------------------------------------------------------
Post a New HJT Log
Reboot your computer. Start HijackThis. Click Do System Scan and Save a Log File.
When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply.
-----------------------------------------------------
Using Internet Explorer, Please Do an Online Scan with Kaspersky WebScanner.
Go here to run an online scanner from Kaspersky.
  • Click on "Kaspersky Online Scanner"
  • A new smaller window will pop up. After reading the contents, press "Accept".
  • Now Kaspersky will update the anti-virus database. Let it run.
  • Click on "Next">"Scan Settings", and make sure the database is set to "extended". And check both the scan options. Then click OK.
  • Then click on "My Computer", and the scan will start.
  • Once finished, save the log to your Desktop as filename KAV-3rd.txt
So please post the KAV-3rd.txt Kaspersky log, and the new HJT log, plus any comments.

askey127
 

viperstk

Thread Starter
Joined
Jul 10, 2007
Messages
7
HJ LOG - (KAV-3rd to follow):


Logfile of HijackThis v1.99.1
Scan saved at 9:08:54 PM, on 7/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\program files\common files\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\system32\PSIService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
C:\Program Files\Ideazon\ZEngine\Zboard.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Webshots\webshots.scr
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Support.com\bin\tgcmd.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.comcast.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www1.snapfish.com/SnapfishOutlookImport.cab
O16 - DPF: {1D9EFA3B-4E85-41A8-9092-14012CD447C9} (NetCamPlayerWeb Control) - http://68.52.168.87:1100/img/NetCamPlayerWeb.ocx
O16 - DPF: {1F75C3DC-38E2-4424-A028-217AA4CB43CA} (NetCamMotionDetect Control) - http://192.168.1.105/adm/NetCamMotionDetect.cab
O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.webshots.com/html/atx/wsaxcontrol.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
O16 - DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://mghoward.ourlinksys.com/NetCamPlayerWeb11gv2.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
O23 - Service: TiVo Beacon (TivoBeacon2) - Unknown owner - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service (file missing)



KAV-3rd log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, July 10, 2007 10:53:24 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 11/07/2007
Kaspersky Anti-Virus database records: 360737
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 88312
Number of viruses found: 4
Number of infected objects: 8
Number of suspicious objects: 0
Duration of the scan process: 01:40:08

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{D8CF38B4-192D-4664-A9EE-A642E49F830D}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Support.com\profiles\Mike Howard\triggers.log Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike Howard\Application Data\Ideazon\ZEngine\data\mods\IDeazon.ldb Object is locked skipped
C:\Documents and Settings\Mike Howard\Application Data\Ideazon\ZEngine\data\mods\IDeazon.zbd Object is locked skipped
C:\Documents and Settings\Mike Howard\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Mike Howard\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Mike Howard\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Mike Howard\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Mike Howard\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mike Howard\Local Settings\History\History.IE5\MSHist012007071020070711\index.dat Object is locked skipped
C:\Documents and Settings\Mike Howard\Local Settings\Temp\JETE25.tmp Object is locked skipped
C:\Documents and Settings\Mike Howard\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Mike Howard\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Mike Howard\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Mike Howard\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{37A080D0-CAF1-4994-9BDD-A98DF0FFDBE4}.tmp/{37A080D0-CAF1-4994-9BDD-A98DF0FFDBE4}.tmp Infected: Trojan.Java.ClassLoader.ak skipped
C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{37A080D0-CAF1-4994-9BDD-A98DF0FFDBE4}.tmp ZIP: infected - 1 skipped
C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{5B20FD43-E4FE-417B-9F9E-A8712B1B2712}.tmp/{5B20FD43-E4FE-417B-9F9E-A8712B1B2712}.tmp Infected: Trojan.Java.ClassLoader.ak skipped
C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{5B20FD43-E4FE-417B-9F9E-A8712B1B2712}.tmp ZIP: infected - 1 skipped
C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{9A0421A4-AADB-4198-9724-95DE866E4B53}.tmp/{9A0421A4-AADB-4198-9724-95DE866E4B53}.tmp Infected: Trojan-Downloader.Java.OpenConnection.ah skipped
C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{9A0421A4-AADB-4198-9724-95DE866E4B53}.tmp ZIP: infected - 1 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP1\change.log Object is locked skipped
C:\VundoFix Backups\fccbcbc.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\VundoFix Backups\vrtscrtx.dll.bad Infected: Trojan.Win32.BHO.bd skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\mcmsc_ccpcc6nXW6AUxOd Object is locked skipped
C:\WINDOWS\Temp\mcmsc_qWk5dtisU9TAwrz Object is locked skipped
C:\WINDOWS\Temp\mcmsc_rr5WOXPUf9GT35r Object is locked skipped
C:\WINDOWS\Temp\mcmsc_SLzjFY7pbwQBr0U Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Thanks
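The Kaspersky report above mixes three kinds of lines: in-use files the scanner could not open ("Object is locked"), detections, and archive summaries. As an added example (not code from the thread or from Kaspersky), this Python parses that line format and sorts each infected file into the kind of cleanup used in this thread: copies inside a restore point (purged by the disable/re-enable System Restore step), copies already in a quarantine folder (deleted with the folder), and live files (deleted one by one). The sample report is constructed from lines in the thread, and the folder rules for the restore-point and quarantine buckets are assumptions made for this example.

```python
import re
from typing import Dict, List, NamedTuple, Optional, Tuple

# Constructed sample modelled on the Kaspersky Online Scanner report lines
# posted in this thread (paths and detection names copied from the thread).
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042412.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\change.log Object is locked skipped
C:\VundoFix Backups\fccbcbc.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{37A080D0-CAF1-4994-9BDD-A98DF0FFDBE4}.tmp/{37A080D0-CAF1-4994-9BDD-A98DF0FFDBE4}.tmp Infected: Trojan.Java.ClassLoader.ak skipped
C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{37A080D0-CAF1-4994-9BDD-A98DF0FFDBE4}.tmp ZIP: infected - 1 skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped

Scan process completed.
"""


class Finding(NamedTuple):
    container: str          # file on disk the verdict applies to
    member: Optional[str]   # entry inside an archive, when the hit was inside one
    verdict: str            # detection name, "locked", or "archive-summary"


# One report line is "<object> <verdict> skipped"; the object may contain
# spaces, so the verdict alternatives are anchored at the end of the line.
LINE_RE = re.compile(
    r"^(?P<obj>.+?) "
    r"(?:(?P<locked>Object is locked)"
    r"|Infected: (?P<name>\S+)"
    r"|(?P<archive>[A-Za-z0-9]+): infected - (?P<count>\d+))"
    r" skipped$"
)

# Bucket rules (assumptions for this example, taken from the folders that
# appear in the thread): System Restore's protected area and the VundoFix /
# ComboFix quarantine folders need folder-level cleanup, not per-file deletion.
RESTORE_PREFIX = "c:\\system volume information\\_restore"
QUARANTINE_MARKERS = ("\\vundofix backups\\", "\\qoobox\\")


def parse_report(text: str) -> List[Finding]:
    """Turn the per-object lines of a scanner report into Finding records."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header, blank and trailer lines carry no verdict
        # Archive members are written as "<container>/<member>"; a Windows
        # path never contains "/", so the first one separates the two.
        container, sep, member = m.group("obj").partition("/")
        if m.group("locked"):
            verdict = "locked"
        elif m.group("name"):
            verdict = m.group("name")
        else:
            verdict = "archive-summary"
        findings.append(Finding(container, member if sep else None, verdict))
    return findings


def triage(findings: List[Finding]) -> Tuple[Dict[str, List[str]], int]:
    """Group infected containers by the cleanup they need; count locked objects.

    "system_restore": copies inside a restore point, removed by the disable /
                      re-enable System Restore step.
    "quarantine":     already-quarantined copies, removed with their folder.
    "live":           everything else, deleted file by file.
    """
    buckets: Dict[str, set] = {"system_restore": set(), "quarantine": set(), "live": set()}
    locked = 0
    for f in findings:
        if f.verdict == "locked":
            locked += 1   # in-use system files, not detections
            continue
        path = f.container.lower()
        if path.startswith(RESTORE_PREFIX):
            buckets["system_restore"].add(f.container)
        elif any(marker in path for marker in QUARANTINE_MARKERS):
            buckets["quarantine"].add(f.container)
        else:
            buckets["live"].add(f.container)
    return {k: sorted(v) for k, v in buckets.items()}, locked


if __name__ == "__main__":
    buckets, locked = triage(parse_report(SAMPLE_REPORT))
    print(f"{locked} locked objects ignored")
    for bucket, paths in buckets.items():
        print(f"{bucket}: {len(paths)} file(s)")
        for p in paths:
            print("   ", p)
```

The archive member and its "ZIP: infected" summary line collapse to one container entry, which is the file that actually has to be deleted.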
 

askey127

Malware Specialist
Joined
Dec 22, 2006
Messages
3,722
viperstk,
-----------------------------------------------------------
Set Your Computer to Show All Files
  1. Click Start.
  2. Click My Computer.
  3. Select the Tools menu and click Folder Options.
  4. Select the View Tab.
  5. Under the Hidden files and folders heading, select Show hidden files and folders.
  6. Uncheck Hide protected operating system files (recommended).
  7. Click Yes to confirm.
  8. Uncheck the Hide file extensions for known file types.
  9. Click OK.
-----------------------------------------------------------
Folder Deletion
In Windows Explorer (My Computer), navigate to the folder shown below, highlight the folder if found, and Delete.
C:\VundoFix Backups\
-----------------------------------------------------------
File Deletion.
In Windows Explorer (My Computer), navigate to the files shown below, select View, Details, highlight each listed file only, one at a time, and press Delete.

C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{37A080D0-CAF1-4994-9BDD-A98DF0FFDBE4}.tmp
C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{5B20FD43-E4FE-417B-9F9E-A8712B1B2712}.tmp
C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{9A0421A4-AADB-4198-9724-95DE866E4B53}.tmp

Also delete any other files in that folder having the .tmp extension

If you have any problem deleting a file, right click the file and choose Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
If a message pops up saying "File in use", or something like that, hit Ctrl-Alt-Delete and look under the Processes tab. If the exact filename is in there, highlight it and click End Process, then retry Delete.
Please Note the name and location of any item you cannot delete, or any file not found.
-----------------------------------------------------------
Delete ComboFix
-----------------------------------------------------------
Run CCleaner Cleaning Scan. This will remove all Temp files, cookies, and Internet History.
If it's not already running, Start CCleaner.
Click on the Cleaner block on the left. Choose the Windows tab.
Click the Run Cleaner button. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.
Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.
-----------------------------------------------------------
Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from accidentally running or downloading known malicious programs. Available from http://www.javacoolsoftware.com/spywareblaster.html
After the installation, click Download Latest Protection Updates. When it finishes, click Enable All Protection.
-----------------------------------------------------------
Install WinPatrol - Download and Install WinPatrol, and view Instructions here: http://www.winpatrol.com/winpatrol.html
- WinPatrol is an active program that drops a "Scotty Dog" icon into the system tray (right click to check/change status), allows you to monitor/edit startups, services, Browser helpers, and prompts for permission if any program tries to change your system. It also provides selective cookie management.
-----------------------------------------------------------
Set Your Computer to ReHide System Files
  • Click Start.
  • Click My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View Tab.
  • Under the Hidden files and folders heading, select Do Not Show hidden files and folders.
  • Check Hide protected operating system files (recommended).
  • Check Hide file extensions for known file types.
  • Click Yes to confirm if asked.
  • Click OK.
In addition, go to Start, Search. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are all UNchecked.

If there are no other problems or questions, you should be good to go.

askey127
 

viperstk

Thread Starter
Joined
Jul 10, 2007
Messages
7
All complete!! Thank you so much for all your help and patience through this! My computer is back! I will be making a donation to this site and will be back in the future if problems arise.
Again, thank you for all your help!!
Mike (viperstk)
 