
VUNDO infection, help

Discussion in 'Virus & Other Malware Removal' started by viperstk, Jul 10, 2007.

  1. viperstk

    viperstk Thread Starter

    Joined:
    Jul 10, 2007
    Messages:
    7
    I have a persistent VUNDO virus infection that I cannot clean. I have McAfee Security Center and it does not find it on scans.
    I run Windows XP Home, IE 7.
    I purchased XoftSpySE and it finds it and removes it, but it returns with many cookies. I have multiple pop-ups, IE locking up, and have to CTRL-ALT-DEL, log off and start over every time.
    I stand ready to work this through with your help.
    Please help!!

    Here is my HJ log file:


    Logfile of HijackThis v1.99.1
    Scan saved at 2:28:56 AM, on 7/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\PROGRA~1\McAfee\MPS\mps.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\McAfee\MPS\mpsevh.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
    C:\Program Files\Ideazon\ZEngine\Zboard.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\tbctray.exe
    C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Webshots\webshots.scr
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\WINDOWS\system32\jwabaxhd.exe
    c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.comcast.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
    O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
    O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
    O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
    O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
    O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\utswnffr.dll",forkonce
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www1.snapfish.com/SnapfishOutlookImport.cab
    O16 - DPF: {1D9EFA3B-4E85-41A8-9092-14012CD447C9} (NetCamPlayerWeb Control) - http://68.52.168.87:1100/img/NetCamPlayerWeb.ocx
    O16 - DPF: {1F75C3DC-38E2-4424-A028-217AA4CB43CA} (NetCamMotionDetect Control) - http://192.168.1.105/adm/NetCamMotionDetect.cab
    O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
    O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
    O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.webshots.com/html/atx/wsaxcontrol.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    O16 - DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://mghoward.ourlinksys.com/NetCamPlayerWeb11gv2.cab
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: TiVo Beacon (TivoBeacon2) - Unknown owner - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service (file missing)

    Ok, and following advice from others infected with Vundo, I ran vundofix.exe. Here is the log:

    VundoFix V6.5.4

    Checking Java version...

    Java version is 1.5.0.9
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.10

    Scan started at 8:02:21 AM 7/10/2007

    Listing files found while scanning....

    C:\windows\system32\atkvyynr.ini
    C:\windows\system32\bptxfoyl.ini
    C:\windows\system32\cfakwgtn.ini
    C:\windows\system32\cvvhmwqq.ini
    C:\windows\system32\dwyqnndv.ini
    C:\windows\system32\ewxhsaip.dll
    C:\windows\system32\fccbcbc.dll
    C:\windows\system32\gjkmp.bak1
    C:\windows\system32\gjkmp.bak2
    C:\windows\system32\gjkmp.ini
    C:\windows\system32\gjkmp.ini2
    C:\windows\system32\gjkmp.tmp
    C:\WINDOWS\system32\hmigknpy.dll
    C:\windows\system32\iqiqvoek.ini
    C:\windows\system32\keovqiqi.dll
    C:\windows\system32\lyofxtpb.dll
    C:\windows\system32\npnyxkao.ini
    C:\windows\system32\ntgwkafc.dll
    C:\windows\system32\oakxynpn.dll
    C:\windows\system32\omoynhxr.ini
    C:\windows\system32\piashxwe.ini
    C:\WINDOWS\system32\pmkjg.dll
    C:\windows\system32\qqwmhvvc.dll
    C:\windows\system32\rffnwstu.ini
    C:\windows\system32\rnyyvkta.dll
    C:\windows\system32\rxhnyomo.dll
    C:\windows\system32\utswnffr.dll
    C:\windows\system32\vdnnqywd.dll
    C:\WINDOWS\system32\vrtscrtx.dll
    C:\WINDOWS\system32\ypnkgimh.ini

    Beginning removal...

    Attempting to delete C:\windows\system32\atkvyynr.ini
    C:\windows\system32\atkvyynr.ini Has been deleted!

    Attempting to delete C:\windows\system32\bptxfoyl.ini
    C:\windows\system32\bptxfoyl.ini Has been deleted!

    Attempting to delete C:\windows\system32\cfakwgtn.ini
    C:\windows\system32\cfakwgtn.ini Has been deleted!

    Attempting to delete C:\windows\system32\cvvhmwqq.ini
    C:\windows\system32\cvvhmwqq.ini Has been deleted!

    Attempting to delete C:\windows\system32\dwyqnndv.ini
    C:\windows\system32\dwyqnndv.ini Has been deleted!

    Attempting to delete C:\windows\system32\ewxhsaip.dll
    C:\windows\system32\ewxhsaip.dll Has been deleted!

    Attempting to delete C:\windows\system32\fccbcbc.dll
    C:\windows\system32\fccbcbc.dll Has been deleted!

    Attempting to delete C:\windows\system32\gjkmp.bak1
    C:\windows\system32\gjkmp.bak1 Has been deleted!

    Attempting to delete C:\windows\system32\gjkmp.bak2
    C:\windows\system32\gjkmp.bak2 Has been deleted!

    Attempting to delete C:\windows\system32\gjkmp.ini
    C:\windows\system32\gjkmp.ini Has been deleted!

    Attempting to delete C:\windows\system32\gjkmp.ini2
    C:\windows\system32\gjkmp.ini2 Has been deleted!

    Attempting to delete C:\windows\system32\gjkmp.tmp
    C:\windows\system32\gjkmp.tmp Has been deleted!

    Attempting to delete C:\WINDOWS\system32\hmigknpy.dll
    C:\WINDOWS\system32\hmigknpy.dll Has been deleted!

    Attempting to delete C:\windows\system32\iqiqvoek.ini
    C:\windows\system32\iqiqvoek.ini Has been deleted!

    Attempting to delete C:\windows\system32\keovqiqi.dll
    C:\windows\system32\keovqiqi.dll Has been deleted!

    Attempting to delete C:\windows\system32\lyofxtpb.dll
    C:\windows\system32\lyofxtpb.dll Has been deleted!

    Attempting to delete C:\windows\system32\npnyxkao.ini
    C:\windows\system32\npnyxkao.ini Has been deleted!

    Attempting to delete C:\windows\system32\ntgwkafc.dll
    C:\windows\system32\ntgwkafc.dll Has been deleted!

    Attempting to delete C:\windows\system32\oakxynpn.dll
    C:\windows\system32\oakxynpn.dll Has been deleted!

    Attempting to delete C:\windows\system32\omoynhxr.ini
    C:\windows\system32\omoynhxr.ini Has been deleted!

    Attempting to delete C:\windows\system32\piashxwe.ini
    C:\windows\system32\piashxwe.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\pmkjg.dll
    C:\WINDOWS\system32\pmkjg.dll Has been deleted!

    Attempting to delete C:\windows\system32\qqwmhvvc.dll
    C:\windows\system32\qqwmhvvc.dll Has been deleted!

    Attempting to delete C:\windows\system32\rffnwstu.ini
    C:\windows\system32\rffnwstu.ini Has been deleted!

    Attempting to delete C:\windows\system32\rnyyvkta.dll
    C:\windows\system32\rnyyvkta.dll Has been deleted!

    Attempting to delete C:\windows\system32\rxhnyomo.dll
    C:\windows\system32\rxhnyomo.dll Has been deleted!

    Attempting to delete C:\windows\system32\utswnffr.dll
    C:\windows\system32\utswnffr.dll Has been deleted!

    Attempting to delete C:\windows\system32\vdnnqywd.dll
    C:\windows\system32\vdnnqywd.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\vrtscrtx.dll
    C:\WINDOWS\system32\vrtscrtx.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ypnkgimh.ini
    C:\WINDOWS\system32\ypnkgimh.ini Has been deleted!

    Performing Repairs to the registry.
    Done!

    And new HJ log:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:16:06 AM, on 7/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\PROGRA~1\McAfee\MPS\mps.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\McAfee\MPS\mpsevh.exe
    C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\WINDOWS\system32\RUNDLL32.EXE
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
    C:\Program Files\Ideazon\ZEngine\Zboard.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\system32\tbctray.exe
    C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Webshots\webshots.scr
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\cidaemon.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.comcast.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
    O2 - BHO: (no name) - {930D35D2-094D-41B9-8E89-D1B76F2C6E97} - C:\WINDOWS\system32\fccbcbc.dll (file missing)
    O2 - BHO: (no name) - {F8C2E3C1-DB10-49E9-8201-7374698363BC} - C:\WINDOWS\system32\pmkjg.dll (file missing)
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
    O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
    O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
    O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TraySantaCruz] C:\WINDOWS\system32\tbctray.exe
    O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www1.snapfish.com/SnapfishOutlookImport.cab
    O16 - DPF: {1D9EFA3B-4E85-41A8-9092-14012CD447C9} (NetCamPlayerWeb Control) - http://68.52.168.87:1100/img/NetCamPlayerWeb.ocx
    O16 - DPF: {1F75C3DC-38E2-4424-A028-217AA4CB43CA} (NetCamMotionDetect Control) - http://192.168.1.105/adm/NetCamMotionDetect.cab
    O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
    O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
    O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.webshots.com/html/atx/wsaxcontrol.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    O16 - DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://mghoward.ourlinksys.com/NetCamPlayerWeb11gv2.cab
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: TiVo Beacon (TivoBeacon2) - Unknown owner - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service (file missing)


    Running SuperAntiSpyware now. Will post log file when complete.
     
  2. askey127

    askey127 Malware Specialist

    Joined:
    Dec 22, 2006
    Messages:
    3,721
    viperstk,
    Your log looks a lot better now.
    Please don't run anything else until we are done.
    -----------------------------------------------------------
    Remove log items with HijackThis. Start HijackThis.
    Click Do System Scan Only. When the Scan is complete, Check the following entries:
    (Some of these lines may be missing)

    O2 - BHO: (no name) - {930D35D2-094D-41B9-8E89-D1B76F2C6E97} - C:\WINDOWS\system32\fccbcbc.dll (file missing)
    O2 - BHO: (no name) - {F8C2E3C1-DB10-49E9-8201-7374698363BC} - C:\WINDOWS\system32\pmkjg.dll (file missing)
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

    Make sure Every other window except HJT is closed (No other tabs showing in the bottom tray), and Click Fix Checked.
    ----------------------------------------------------------
    Download and Install CCleaner
    • Download CCleaner from here
    • Double click on ccsetupXXX_slim.exe to start the installation of CCleaner. (XXX is the version number)
    • Click OK
    • Click Next
    • Click I agree
    • Click Next
    • Click Install
    • Once the installation has finished, click Finish
    Run CCleaner Cleaning Scan. This will remove all Temp files, cookies, and Internet History.
    Click on the Cleaner block on the left. Choose the Windows tab.
    Click the Run Cleaner button. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.
    -----------------------------------------------------------
    Retrieve the Installed Programs List from CCleaner
    In the Left Pane, click Tools
    Verify that Uninstall is highlighted in color, or click on it.
    In the lower Right, click Save to Text File.
    Pull down the arrow at the top of the Save dialog and choose Desktop as the location.
    You can leave the filename as install.txt
    Click Save
    Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.
    -----------------------------------------------------------
    Post a New HJT Log
    Reboot your computer. Start HijackThis. Click Do System Scan and Save a Log File.
    When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply, along with install.txt from CCleaner.

    askey127
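As an added example (not from this thread, HijackThis or VundoFix), a Python triage script that applies the reasoning in askey127's reply to the logs viperstk posted: it parses HijackThis O2/O4 entries, flags unnamed BHOs and entries whose file is missing, cross-references the VundoFix deletion list to mark registry entries left behind as orphans, and, as a heuristic, flags rundll32 entries that load a short random-looking DLL name. The sample lines are copied from the logs above; the small allowlist of NVIDIA DLL names is an assumption for the demonstration.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis logs posted in this thread
# (one clean BHO, two orphaned BHOs, one legitimate rundll32 entry, the Vundo-style
# rundll32 entry, and one ordinary Run entry).
SAMPLE_HJT_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {930D35D2-094D-41B9-8E89-D1B76F2C6E97} - C:\WINDOWS\system32\fccbcbc.dll (file missing)
O2 - BHO: (no name) - {F8C2E3C1-DB10-49E9-8201-7374698363BC} - C:\WINDOWS\system32\pmkjg.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\utswnffr.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# Constructed sample: an excerpt of the VundoFix log from the same post.
SAMPLE_VUNDOFIX_LOG = r"""
Attempting to delete C:\windows\system32\fccbcbc.dll
C:\windows\system32\fccbcbc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmkjg.dll
C:\WINDOWS\system32\pmkjg.dll Has been deleted!

Attempting to delete C:\windows\system32\utswnffr.dll
C:\windows\system32\utswnffr.dll Has been deleted!
"""

# HijackThis line shapes used here: "O2 - BHO: <name> - {CLSID} - <path>" and
# "O4 - <hive>\..\Run: [<value name>] <command line>".
ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^(?P<hive>HK[A-Z]+)\\\.\.\\Run(?:Once)?: \[(?P<key>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<export>\S+)',
                       re.IGNORECASE)
DELETED_RE = re.compile(r"^(?P<path>\S.*?) Has been deleted!$")
# Heuristic: Vundo in this thread used 5-8 random lowercase letters (fccbcbc, pmkjg, utswnffr).
RANDOM_DLL_RE = re.compile(r"^[a-z]{5,8}\.dll$")
# Assumption: a site-specific allowlist of short legitimate DLL names seen in the log.
KNOWN_SHORT_DLLS = {"nvcpl.dll", "nvmctray.dll"}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows path, tolerant of forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()


def deleted_files(vundofix_log: str) -> set:
    """Collect the base names of every file VundoFix reports as deleted."""
    names = set()
    for line in vundofix_log.splitlines():
        m = DELETED_RE.match(line.strip())
        if m:
            names.add(_basename(m["path"]))
    return names


def triage_hjt(hjt_log: str, removed=frozenset()) -> list:
    """Return the HijackThis entries a helper would ask the user to 'Fix checked'."""
    findings = []
    for raw in hjt_log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m["section"], m["body"]
        reasons = []
        if section == "O2":
            b = BHO_RE.match(body)
            if not b:
                continue
            missing = b["path"].endswith("(file missing)")
            path = b["path"].replace("(file missing)", "").strip()
            if b["name"] == "(no name)":
                reasons.append("unnamed BHO")
            if missing:
                reasons.append("DLL no longer on disk")
            if _basename(path) in removed:
                reasons.append("file was deleted by VundoFix; registry entry is an orphan")
        elif section == "O4":
            r = RUN_RE.match(body)
            d = RUNDLL_RE.search(r["cmd"]) if r else None
            if d:
                dll = _basename(d["dll"])
                if dll in removed:
                    reasons.append(f"loads {dll}, which VundoFix deleted")
                elif RANDOM_DLL_RE.match(dll) and dll not in KNOWN_SHORT_DLLS:
                    reasons.append(f"rundll32 loads unrecognised DLL {dll} (export {d['export']})")
        if reasons:
            findings.append(Finding(section, "; ".join(reasons), line))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_HJT_LOG, deleted_files(SAMPLE_VUNDOFIX_LOG)):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```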
     
  3. viperstk

    viperstk Thread Starter

    Joined:
    Jul 10, 2007
    Messages:
    7
    Instructions followed, thanks.

    Log file cleaned as instructed with HJ. CCleaner run and install.txt created. Reboot completed. HJ scan and save log file complete.

    New HJ Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:59:10 AM, on 7/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\WINDOWS\System32\cisvc.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\PROGRA~1\McAfee\MPS\mps.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\Program Files\McAfee\MPS\mpsevh.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
    C:\Program Files\Ideazon\ZEngine\Zboard.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Webshots\webshots.scr
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.comcast.net
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer presented by Comcast
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
    O4 - HKLM\..\Run: [CTRegRun] C:\WINDOWS\CTRegRun.EXE
    O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
    O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\system32\PSDrvCheck.exe -CheckReg
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www1.snapfish.com/SnapfishOutlookImport.cab
    O16 - DPF: {1D9EFA3B-4E85-41A8-9092-14012CD447C9} (NetCamPlayerWeb Control) - http://68.52.168.87:1100/img/NetCamPlayerWeb.ocx
    O16 - DPF: {1F75C3DC-38E2-4424-A028-217AA4CB43CA} (NetCamMotionDetect Control) - http://192.168.1.105/adm/NetCamMotionDetect.cab
    O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
    O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
    O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.webshots.com/html/atx/wsaxcontrol.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    O16 - DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://mghoward.ourlinksys.com/NetCamPlayerWeb11gv2.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: TiVo Beacon (TivoBeacon2) - Unknown owner - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service (file missing)


    Install.txt file:

    Ace DivX Player
    Ad-Aware SE Personal
    Adobe Download Manager 2.0 (Remove Only)
    Adobe Flash Player 9 ActiveX
    Adobe Photoshop 7.0
    Adobe Reader 7.0.8
    AllSeaSaver
    Apple Mobile Device Support
    Apple Software Update
    Asmw Eraser Pro
    Avanquest update
    Battlefield 2(TM)
    Battlefield 2: Special Forces
    BitLord 1.1
    CCleaner (remove only)
    CH Gameport Devices
    Comcast High-Speed Internet Install Wizard
    Compact Wireless-G Internet Video Camera
    Company of Heroes
    Corel Paint Shop Pro Photo XI
    Corel Snapfire Plus
    Creative PC-CAM Center
    Creative WebCam Monitor
    Creative WebCam Pro Driver
    Creative WebCam Pro Manual (English)
    Dell Picture Studio - Image Expert 2000
    Dell ResourceCD
    Desktop Doctor
    DVD Shrink 3.2
    EA Link
    Easy CD Creator 5 Platinum
    HijackThis 1.99.1
    Hotfix for Windows Media Format 11 SDK (KB929399)
    Hotfix for Windows XP (KB914440)
    Hotfix for Windows XP (KB926239)
    hp instant support
    HP Memories Disc
    HP Photo and Imaging 2.2 - Scanjet 3970 Series
    IE2K
    ItsDeductible Express
    iTunes
    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 1
    J2SE Runtime Environment 5.0 Update 9
    Java(TM) SE Runtime Environment 6 Update 1
    LiveReg (Symantec Corporation)
    LiveUpdate 1.6 (Symantec Corporation)
    MapSource - City Select North America v6
    MapSource - US Rec Lakes with Fishing Hot Spots East v5
    MapSource
    McAfee SecurityCenter
    MGI PhotoSuite 4 (Remove Only)
    Microsoft .NET Framework 1.1
    Microsoft .NET Framework 2.0
    Microsoft Compression Client Pack 1.0 for Windows XP
    Microsoft IntelliPoint
    Microsoft Office XP Media Content
    Microsoft Office XP Small Business
    Microsoft User-Mode Driver Framework Feature Pack 1.0
    Microsoft XML Parser
    Motorola Phone Tools
    Motorola Software Update
    Motorola USB Drivers
    Mozilla Firefox (2.0)
    MP3 Rocket
    MSXML 4.0 SP2 (KB927978)
    Namo WebEditor 4
    Namo WebEditor 5
    Nero - Burning Rom
    Nero 6 Ultra Edition
    NVIDIA Drivers
    ParetoLogic Privacy Controls
    Pinnacle Hollywood FX 4.6
    Pinnacle Studio AV/DV
    PowerDVD
    PQ DVD to iPod Video Suite (remove only)
    QuickTime
    RealPlayer Basic
    RegCure 1.4.0.4
    Registry Mechanic 5.0
    RegistryCleanFix 2007
    Rhapsody Player Engine
    Santa Cruz
    Security Update for Microsoft .NET Framework 2.0 (KB917283)
    Security Update for Microsoft .NET Framework 2.0 (KB922770)
    Security Update for Windows Internet Explorer 7 (KB928090)
    Security Update for Windows Internet Explorer 7 (KB929969)
    Security Update for Windows Internet Explorer 7 (KB933566)
    Security Update for Windows Media Player (KB911564)
    Security Update for Windows Media Player 10 (KB917734)
    Security Update for Windows Media Player 6.4 (KB925398)
    Security Update for Windows Media Player 9 (KB917734)
    Security Update for Windows XP (KB890046)
    Security Update for Windows XP (KB893066)
    Security Update for Windows XP (KB893756)
    Security Update for Windows XP (KB896358)
    Security Update for Windows XP (KB896422)
    Security Update for Windows XP (KB896423)
    Security Update for Windows XP (KB896424)
    Security Update for Windows XP (KB896428)
    Security Update for Windows XP (KB899587)
    Security Update for Windows XP (KB899591)
    Security Update for Windows XP (KB901017)
    Security Update for Windows XP (KB901214)
    Security Update for Windows XP (KB902400)
    Security Update for Windows XP (KB904706)
    Security Update for Windows XP (KB905414)
    Security Update for Windows XP (KB905749)
    Security Update for Windows XP (KB908519)
    Security Update for Windows XP (KB908531)
    Security Update for Windows XP (KB911562)
    Security Update for Windows XP (KB911567)
    Security Update for Windows XP (KB911927)
    Security Update for Windows XP (KB912919)
    Security Update for Windows XP (KB913446)
    Security Update for Windows XP (KB913580)
    Security Update for Windows XP (KB914388)
    Security Update for Windows XP (KB914389)
    Security Update for Windows XP (KB917159)
    Security Update for Windows XP (KB917422)
    Security Update for Windows XP (KB917953)
    Security Update for Windows XP (KB918118)
    Security Update for Windows XP (KB918439)
    Security Update for Windows XP (KB919007)
    Security Update for Windows XP (KB920213)
    Security Update for Windows XP (KB920214)
    Security Update for Windows XP (KB920670)
    Security Update for Windows XP (KB920683)
    Security Update for Windows XP (KB920685)
    Security Update for Windows XP (KB921398)
    Security Update for Windows XP (KB922616)
    Security Update for Windows XP (KB922819)
    Security Update for Windows XP (KB923191)
    Security Update for Windows XP (KB923414)
    Security Update for Windows XP (KB923689)
    Security Update for Windows XP (KB923694)
    Security Update for Windows XP (KB923980)
    Security Update for Windows XP (KB924191)
    Security Update for Windows XP (KB924270)
    Security Update for Windows XP (KB924496)
    Security Update for Windows XP (KB924667)
    Security Update for Windows XP (KB925902)
    Security Update for Windows XP (KB926255)
    Security Update for Windows XP (KB926436)
    Security Update for Windows XP (KB927779)
    Security Update for Windows XP (KB927802)
    Security Update for Windows XP (KB928255)
    Security Update for Windows XP (KB928843)
    Security Update for Windows XP (KB929123)
    Security Update for Windows XP (KB930178)
    Security Update for Windows XP (KB931261)
    Security Update for Windows XP (KB931784)
    Security Update for Windows XP (KB932168)
    Security Update for Windows XP (KB935839)
    Security Update for Windows XP (KB935840)
    Shockwave Player
    Studio 8
    SUPERAntiSpyware Professional
    TeamSpeak 2 RC2
    TiVo Desktop
    TurboTax Premier 2004
    Ulead Photo Express 4.0 My Custom Edition
    Update for Windows XP (KB894391)
    Update for Windows XP (KB898461)
    Update for Windows XP (KB900485)
    Update for Windows XP (KB904942)
    Update for Windows XP (KB910437)
    Update for Windows XP (KB911280)
    Update for Windows XP (KB916595)
    Update for Windows XP (KB920872)
    Update for Windows XP (KB922582)
    Update for Windows XP (KB927891)
    Update for Windows XP (KB930916)
    Update for Windows XP (KB931836)
    URGE
    WebFldrs XP
    Webshots Desktop
    WexTech AnswerWorks
    Windows Defender Signatures
    Windows Defender
    Windows Genuine Advantage Notifications (KB905474)
    Windows Genuine Advantage Validation Tool (KB892130)
    Windows Installer 3.1 (KB893803)
    Windows Internet Explorer 7
    Windows Media Format 11 runtime
    Windows Media Player 11
    Windows XP Hotfix - KB873339
    Windows XP Hotfix - KB885250
    Windows XP Hotfix - KB885835
    Windows XP Hotfix - KB885836
    Windows XP Hotfix - KB885884
    Windows XP Hotfix - KB886185
    Windows XP Hotfix - KB887472
    Windows XP Hotfix - KB887742
    Windows XP Hotfix - KB888113
    Windows XP Hotfix - KB888302
    Windows XP Hotfix - KB890859
    Windows XP Hotfix - KB891781
    Windows XP Service Pack 2
    WinRAR archiver
    WMAConvert 2.5.3
    XoftSpySE
    Z Engine


    Please advise. Thank you!!!!!!
     
  4. askey127

    askey127 Malware Specialist

    Joined:
    Dec 22, 2006
    Messages:
    3,721
    viperstk,
    Last log looks quite good. A bit of cleanup, and a final check:

    You should be careful if you have a version of Easy CD Creator and a version of Nero on the same machine.
    The two CD-R/W subprograms (DirectCD.exe and InCD.exe, respectively) are not very compatible. They both try to intercept the call to the CD/DVD drive.
    Make sure you don't have both of those running at once, and I wouldn't have either one run automatically at startup.
    I don't see any issue in your last log regarding this, just a tip for you.
    You can pull up Task Manager with Ctrl-Alt-Del anytime to check.

    Older versions of Java are subject to attack using known security holes.
    -----------------------------------------------------------
    Use Add/Remove Programs In Control Panel
    From Start, Settings, Control Panel or Start, Control Panel, click Add/Remove Programs.
    Highlight each Entry, as follows, one by one, if it exists, and choose Remove :

    J2SE Runtime Environment 5.0 Update 10
    J2SE Runtime Environment 5.0 Update 1
    J2SE Runtime Environment 5.0 Update 9

    Take extra care in answering questions posed by any Uninstaller. Some questions may be worded to deceive you into keeping the program.
    -----------------------------------------------------
    Using Internet Explorer, Please Do an Online Scan with Kaspersky WebScanner.
    Go here to run an online scanner from Kaspersky.
    • Click on "Kaspersky Online Scanner"
    • A new smaller window will pop up. After reading the contents, press "Accept".
    • Now Kaspersky will update the anti-virus database. Let it run.
    • Click on "Next" > "Scan Settings", make sure the database is set to "extended", and check both of the scan options. Then click OK.
    • Then click on "My Computer", and the scan will start.
    • Once finished, save the log to your Desktop as filename KAV.txt
    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license is accepted, reset to 100%.

    Please post the contents of KAV.txt in your next reply along with any questions or comments.
    askey127
     
  5. viperstk

    viperstk Thread Starter

    Joined:
    Jul 10, 2007
    Messages:
    7
    More found...

    KAV.TXT

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Tuesday, July 10, 2007 3:40:33 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.93.0
    Kaspersky Anti-Virus database last update: 10/07/2007
    Kaspersky Anti-Virus database records: 360559
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\

    Scan Statistics:
    Total number of scanned objects: 96702
    Number of viruses found: 10
    Number of infected objects: 65
    Number of suspicious objects: 0
    Duration of the scan process: 01:41:52

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{D8CF38B4-192D-4664-A9EE-A642E49F830D}.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Support.com\profiles\Mike Howard\triggers.log Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Mike Howard\Application Data\Ideazon\ZEngine\data\mods\IDeazon.ldb Object is locked skipped
    C:\Documents and Settings\Mike Howard\Application Data\Ideazon\ZEngine\data\mods\IDeazon.zbd Object is locked skipped
    C:\Documents and Settings\Mike Howard\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Mike Howard\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Mike Howard\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Mike Howard\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Mike Howard\Local Settings\Temp\JETED20.tmp Object is locked skipped
    C:\Documents and Settings\Mike Howard\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Mike Howard\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Mike Howard\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Mike Howard\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{37A080D0-CAF1-4994-9BDD-A98DF0FFDBE4}.tmp/{37A080D0-CAF1-4994-9BDD-A98DF0FFDBE4}.tmp Infected: Trojan.Java.ClassLoader.ak skipped
    C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{37A080D0-CAF1-4994-9BDD-A98DF0FFDBE4}.tmp ZIP: infected - 1 skipped
    C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{5B20FD43-E4FE-417B-9F9E-A8712B1B2712}.tmp/{5B20FD43-E4FE-417B-9F9E-A8712B1B2712}.tmp Infected: Trojan.Java.ClassLoader.ak skipped
    C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{5B20FD43-E4FE-417B-9F9E-A8712B1B2712}.tmp ZIP: infected - 1 skipped
    C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{9A0421A4-AADB-4198-9724-95DE866E4B53}.tmp/{9A0421A4-AADB-4198-9724-95DE866E4B53}.tmp Infected: Trojan-Downloader.Java.OpenConnection.ah skipped
    C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{9A0421A4-AADB-4198-9724-95DE866E4B53}.tmp ZIP: infected - 1 skipped
    C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
    C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
    C:\System Volume Information\catalog.wci\00010009.ci Object is locked skipped
    C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
    C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
    C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
    C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP778\A0036962.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP778\A0036962.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP778\A0036962.exe/data.rar/serial.exe Infected: Trojan.Win32.Dialer.qn skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP778\A0036962.exe/data.rar/install.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP778\A0036962.exe/data.rar Infected: Trojan-Downloader.Win32.Small.eqn skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP778\A0036962.exe RarSFX: infected - 5 skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP780\A0037204.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP781\A0037387.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP787\A0039796.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP787\A0039822.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP788\A0040822.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP788\A0041836.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP788\A0041841.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP789\A0041944.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP789\A0041960.dll Infected: Trojan.Win32.BHO.bd skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\change.log Object is locked skipped
    C:\VundoFix Backups\fccbcbc.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
    C:\VundoFix Backups\vrtscrtx.dll.bad Infected: Trojan.Win32.BHO.bd skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{0C14B947-4657-48CF-A873-31A2EC21A29B}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\afgeveav.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\akcpvalv.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\bnvitiif.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
    C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\dqrsrrdp.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\drvvjicx.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\edgmcdxy.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\ejiqnhot.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\evlkwgru.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\fkhmiyfm.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\fwaqigrq.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\gnjkxuuy.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\gqxqfpvs.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\hapabcms.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\hwnhrejk.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\ibirhcxo.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\iknummua.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\ingdggna.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\jkerhyvc.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\jwabaxhd.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\keosukxf.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\kkcpodgc.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\kofqvtvu.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\ldyejaba.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\lgxaxnro.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\lhbteobe.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\lrnnttkk.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\mrioprph.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\msieycst.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\nurnudop.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\oisnyudh.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\pwlfexhu.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\pyknwmom.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\qqaaygog.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\qtwdqlyq.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\qyldkvih.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\rfcedwxi.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\rftnycjy.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\tmuvuhil.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\ttcxothc.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\vcxwygkj.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\vttnifke.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\system32\wtijpwqe.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\WINDOWS\Temp\mcafee_HnNez7GIDseS2h4 Object is locked skipped
    C:\WINDOWS\Temp\mcafee_SJQ7e9eZcySNbjU Object is locked skipped
    C:\WINDOWS\Temp\mcmsc_bhcMGujLJkMWTvy Object is locked skipped
    C:\WINDOWS\Temp\mcmsc_jtff5SQCFxmUJVO Object is locked skipped
    C:\WINDOWS\Temp\mcmsc_QZUidjGE5MgUSwm Object is locked skipped
    C:\WINDOWS\Temp\mcmsc_vwPo2LEAAFc8fZf Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

    ----

    What do I do now? Thanks!
     
  6. askey127

    askey127 Malware Specialist

    Joined:
    Dec 22, 2006
    Messages:
    3,721
    viperstk,
    ------------------------------------------------
    Download and Run ComboFix
    -----------------------------------------------------
    Using Internet Explorer, please do an online scan with Kaspersky WebScanner.
    Go here to run an online scanner from Kaspersky.
    • Click on "Kaspersky Online Scanner"
    • A new smaller window will pop up. After reading the contents, press "Accept".
    • Now Kaspersky will update the anti-virus database. Let it run.
    • Click on "Next" > "Scan Settings", and make sure the database is set to "extended". Check both the scan options, then click OK.
    • Then click on "My Computer", and the scan will start.
    • Once finished, save the log to your Desktop as filename KAV-2nd.txt

    Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
    Please post the log from ComboFix and KAV-2nd.txt from Kaspersky.

    askey127
     
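    To make sense of the KAV-2nd.txt report the post above asks for, here is an added example (not from the thread, from askey127, or from any Kaspersky tool) that parses the report's "Infected Object Name / Virus Name / Last Action" lines and sorts each hit by where the object lives, so that copies sitting in ComboFix's QooBox quarantine or in System Restore points are not mistaken for live infections. The location rules are heuristics chosen for this example, and the sample lines are a small subset copied from the logs posted in this thread.

```python
"""Triage a Kaspersky Online Scanner report (the KAV-2nd.txt style log).

Added example for this thread; not part of Kaspersky's tooling or of the
thread itself.  It sorts the result lines by where the object lives, so a
reader can separate live detections from copies ComboFix already quarantined,
restore-point copies under System Volume Information, tool backups, and locked
files that were merely skipped.  The location rules are assumptions made here.
"""
import re
from collections import Counter

# The three line shapes that appear in the report section of the log.
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<name>\S+) skipped$")
ARCHIVE_RE = re.compile(r"^(?P<path>.+?) (?P<kind>\w+): infected - (?P<n>\d+) skipped$")
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")


def classify_location(path: str) -> str:
    """Bucket a path: live file, ComboFix quarantine, restore point, or tool backup."""
    p = path.lower()
    if "\\qoobox\\quarantine\\" in p:
        return "combofix_quarantine"   # QooBox is ComboFix's quarantine folder
    if "\\system volume information\\_restore" in p:
        return "system_restore"        # System Restore point copies (RPnnn)
    if "\\undo\\" in p:
        return "tool_backup"           # e.g. System Mechanic undo copies (assumption)
    return "live"


def parse_line(line: str):
    """Return a record dict for one report line, or None for headers/blank lines."""
    line = line.strip()
    m = INFECTED_RE.match(line)
    if m:
        return {"path": m["path"], "status": "infected", "name": m["name"],
                "location": classify_location(m["path"])}
    m = ARCHIVE_RE.match(line)
    if m:
        # Container verdict (ZIP/RarSFX): the members are reported on their own lines.
        return {"path": m["path"], "status": "archive_infected",
                "name": f"{m['kind']} container ({m['n']} inside)",
                "location": classify_location(m["path"])}
    m = LOCKED_RE.match(line)
    if m:
        return {"path": m["path"], "status": "locked", "name": None,
                "location": classify_location(m["path"])}
    return None


def triage(report_text: str) -> dict:
    """Summarise a report: counts per location, live hits, distinct detection names."""
    records = [r for r in (parse_line(l) for l in report_text.splitlines()) if r]
    hits = [r for r in records if r["status"] != "locked"]
    return {
        "total": len(records),
        "locked": sum(1 for r in records if r["status"] == "locked"),
        "by_location": dict(Counter(r["location"] for r in hits)),
        "live": [r for r in hits if r["location"] == "live"],
        "detections": Counter(r["name"] for r in hits if r["status"] == "infected"),
    }


# Sample lines copied from the KAV logs posted in this thread (constructed subset).
SAMPLE_REPORT = r"""
Infected Object Name / Virus Name / Last Action
C:\WINDOWS\system32\msieycst.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\afgeveav.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP788\A0040822.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP778\A0036962.exe RarSFX: infected - 5 skipped
C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{37A080D0-CAF1-4994-9BDD-A98DF0FFDBE4}.tmp ZIP: infected - 1 skipped
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_REPORT)
    print("hits per location:", summary["by_location"])
    print("locked/skipped (not verdicts):", summary["locked"])
    for rec in summary["live"]:
        print("LIVE:", rec["name"], rec["path"])
```

    Only the "live" bucket calls for action on the running system; a quarantined copy has already been neutralised by the tool that moved it, and a restore-point copy is only reachable through System Restore. "Object is locked" lines are skips, not verdicts, and should not be counted as infections.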
  7. viperstk

    viperstk Thread Starter

    Joined:
    Jul 10, 2007
    Messages:
    7
    Combo fix log:


    "Mike Howard" - 2007-07-10 16:07:13 - ComboFix 07-07-10.1 - Service Pack 2


    (((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\afgeveav.exe
    C:\WINDOWS\system32\akcpvalv.exe
    C:\WINDOWS\system32\bnvitiif.exe
    C:\WINDOWS\system32\dqrsrrdp.exe
    C:\WINDOWS\system32\drvvjicx.exe
    C:\WINDOWS\system32\edgmcdxy.exe
    C:\WINDOWS\system32\ejiqnhot.exe
    C:\WINDOWS\system32\evlkwgru.exe
    C:\WINDOWS\system32\fkhmiyfm.exe
    C:\WINDOWS\system32\fwaqigrq.exe
    C:\WINDOWS\system32\gnjkxuuy.exe
    C:\WINDOWS\system32\gqxqfpvs.exe
    C:\WINDOWS\system32\hapabcms.exe
    C:\WINDOWS\system32\hwnhrejk.exe
    C:\WINDOWS\system32\ibirhcxo.exe
    C:\WINDOWS\system32\iknummua.exe
    C:\WINDOWS\system32\ingdggna.exe
    C:\WINDOWS\system32\jkerhyvc.exe
    C:\WINDOWS\system32\jwabaxhd.exe
    C:\WINDOWS\system32\keosukxf.exe
    C:\WINDOWS\system32\kkcpodgc.exe
    C:\WINDOWS\system32\kofqvtvu.exe
    C:\WINDOWS\system32\ldyejaba.exe
    C:\WINDOWS\system32\lgxaxnro.exe
    C:\WINDOWS\system32\lhbteobe.exe
    C:\WINDOWS\system32\lrnnttkk.exe
    C:\WINDOWS\system32\mrioprph.exe
    C:\WINDOWS\system32\msieycst.exe
    C:\WINDOWS\system32\nurnudop.exe
    C:\WINDOWS\system32\oisnyudh.exe
    C:\WINDOWS\system32\pwlfexhu.exe
    C:\WINDOWS\system32\pyknwmom.exe
    C:\WINDOWS\system32\qqaaygog.exe
    C:\WINDOWS\system32\qtwdqlyq.exe
    C:\WINDOWS\system32\qyldkvih.exe
    C:\WINDOWS\system32\rfcedwxi.exe
    C:\WINDOWS\system32\rftnycjy.exe
    C:\WINDOWS\system32\tmuvuhil.exe
    C:\WINDOWS\system32\ttcxothc.exe
    C:\WINDOWS\system32\vcxwygkj.exe
    C:\WINDOWS\system32\vttnifke.exe
    C:\WINDOWS\system32\wtijpwqe.exe


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_DOMAINSERVICE
    -------\DomainService


    ((((((((((((((((((((((((( Files Created from 2007-06-10 to 2007-07-10 )))))))))))))))))))))))))))))))


    2007-07-10 16:06 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-07-10 13:42 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-07-10 13:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Kaspersky Lab
    2007-07-10 10:31 <DIR> d-------- C:\Program Files\CCleaner
    2007-07-10 08:22 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2007-07-10 08:22 <DIR> d-------- C:\DOCUME~1\MIKEHO~1\APPLIC~1\SUPERAntiSpyware.com
    2007-07-10 08:22 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
    2007-07-10 08:02 <DIR> d-------- C:\VundoFix Backups
    2007-07-09 23:44 <DIR> d-------- C:\Program Files\RegistryCleanFix
    2007-07-07 11:56 406,016 --a------ C:\WINDOWS\system32\PSDrvCheck.exe
    2007-07-07 11:56 19,456 --a------ C:\WINDOWS\system32\asapi.dll
    2007-07-07 11:56 11,264 --a------ C:\WINDOWS\system32\drivers\asapiW2k.sys
    2007-07-07 04:28 143,360 --a------ C:\WINDOWS\system32\dunzip32.dll
    2007-07-07 04:22 71,496 --a------ C:\WINDOWS\system32\drivers\mfeavfk.sys
    2007-07-07 04:22 37,480 --a------ C:\WINDOWS\system32\drivers\mfesmfk.sys
    2007-07-07 04:22 34,184 --a------ C:\WINDOWS\system32\drivers\mfebopk.sys
    2007-07-07 04:22 32,008 --a------ C:\WINDOWS\system32\drivers\mferkdk.sys
    2007-07-07 04:22 170,408 --a------ C:\WINDOWS\system32\drivers\mfehidk.sys
    2007-07-07 04:21 109,608 --a------ C:\WINDOWS\system32\drivers\Mpfp.sys
    2007-07-07 04:17 <DIR> d-------- C:\Program Files\McAfee
    2007-07-07 04:17 <DIR> d-------- C:\Program Files\Common Files\McAfee
    2007-07-07 04:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\McAfee
    2007-07-06 22:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
    2007-07-06 22:29 1,156 --a------ C:\WINDOWS\mozver.dat
    2007-07-06 22:04 0 --a------ C:\WINDOWS\nsreg.dat
    2007-07-05 21:37 <DIR> d-------- C:\Program Files\XoftSpySE
    2007-07-05 15:05 <DIR> d-------- C:\Program Files\iTunes
    2007-07-05 15:05 <DIR> d-------- C:\Program Files\iPod
    2007-07-05 14:57 <DIR> d-------- C:\Program Files\Common Files\Apple
    2007-07-05 14:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
    2007-07-01 22:51 <DIR> d-------- C:\Program Files\Namo
    2007-06-27 15:41 <DIR> d-------- C:\DOCUME~1\MIKEHO~1\awc_mghoward
    2007-06-27 14:25 <DIR> d-------- C:\Program Files\anywebcam
    2007-06-27 14:13 65,536 -ra------ C:\WINDOWS\system32\ctcammgr.dll
    2007-06-27 14:13 61,440 -ra------ C:\WINDOWS\ctdrvins.exe
    2007-06-27 14:13 53,248 -ra------ C:\WINDOWS\system32\p1030hwx.dll
    2007-06-27 14:13 49,152 -ra------ C:\WINDOWS\p1030cfg.exe
    2007-06-27 14:13 40,960 -ra------ C:\WINDOWS\system32\p1030ext.dll
    2007-06-27 14:13 28,672 -ra------ C:\WINDOWS\system32\p1030pin.dll
    2007-06-27 14:13 25,169 -ra------ C:\WINDOWS\system32\drivers\p1030cam.sys
    2007-06-27 14:13 24,576 -ra------ C:\WINDOWS\system32\p1030vfw.dll
    2007-06-27 14:13 167,661 -ra------ C:\WINDOWS\system32\drivers\p1030vid.sys
    2007-06-27 14:13 16,429 -ra------ C:\WINDOWS\system32\p1030usd.dll
    2007-06-27 14:04 <DIR> d-------- C:\Program Files\Ulead Systems
    2007-06-27 14:01 135,680 --a------ C:\WINDOWS\Webdelc.exe
    2007-06-27 14:01 <DIR> d-------- C:\Media
    2007-06-27 14:00 <DIR> d-------- C:\CtDriverInstTemp
    2007-06-27 13:58 41,984 --a------ C:\WINDOWS\CTREGRUN.EXE
    2007-06-27 13:58 <DIR> d-------- C:\Program Files\Creative
    2007-06-27 13:52 53,760 --a------ C:\WINDOWS\system32\vfwwdm32.dll
    2007-06-27 13:52 <DIR> d-------- C:\WINDOWS\OvtCam
    2007-06-24 22:53 5,543 --a------ C:\WINDOWS\system32\drivers\MemAlloc.sys
    2007-06-24 22:53 247,936 --a------ C:\WINDOWS\system32\drivers\LStone2k.sys
    2007-06-24 22:53 <DIR> d-------- C:\WINDOWS\system32\drivers\Pinnacle
    2007-06-24 22:53 <DIR> d-------- C:\WINDOWS\avdv.drv
    2007-06-24 22:47 898,736 --------- C:\WINDOWS\system32\Ltr13n.dll
    2007-06-24 22:47 86,016 --a------ C:\WINDOWS\unvise32.exe
    2007-06-24 22:47 73,728 --------- C:\WINDOWS\system32\MMAviAx.dll
    2007-06-24 22:47 32,838 --a------ C:\WINDOWS\system32\Cachex.dll
    2007-06-24 22:47 32,768 --a------ C:\WINDOWS\system32\MLPagAx.dll
    2007-06-24 22:47 298,168 --------- C:\WINDOWS\system32\Ltrio13n.dll
    2007-06-24 22:47 204,881 --a------ C:\WINDOWS\system32\DiskIO.dll
    2007-06-24 22:47 155,721 --a------ C:\WINDOWS\system32\RALMain.dll
    2007-06-24 22:47 114,759 --------- C:\WINDOWS\system32\Aviprax.dll
    2007-06-24 22:43 14,604 --------- C:\WINDOWS\system32\drivers\pfc.sys
    2007-06-24 22:42 61,440 --a------ C:\WINDOWS\system32\pclepim1.dll
    2007-06-24 22:42 60,416 --------- C:\WINDOWS\system32\miroDV2Bmp.dll
    2007-06-24 22:33 <DIR> d-------- C:\My Music
    2007-06-24 22:30 57,856 --------- C:\WINDOWS\system32\MASD32.DLL
    2007-06-24 22:30 49,152 --a------ C:\WINDOWS\system32\PCLEGetGuid.dll
    2007-06-24 22:30 27,648 --------- C:\WINDOWS\system32\MA32.DLL
    2007-06-24 22:30 196,096 --------- C:\WINDOWS\system32\MACD32.DLL
    2007-06-24 22:30 138,752 --------- C:\WINDOWS\system32\MASE32.DLL
    2007-06-24 22:30 136,192 --------- C:\WINDOWS\system32\MAMC32.DLL
    2007-06-24 22:27 81,920 --------- C:\WINDOWS\system32\vdrmux.dll
    2007-06-24 22:27 46,592 --------- C:\WINDOWS\system32\vdrcodec.dll
    2007-06-24 22:27 40,960 --a------ C:\WINDOWS\system32\langserv.dll
    2007-06-24 22:27 <DIR> d-------- C:\Program Files\Pinnacle
    2007-06-24 22:24 14,165 --------- C:\WINDOWS\system32\drivers\Pclepci.sys
    2007-06-10 16:32 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\My Music
    2007-06-10 15:37 5,018 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
    2007-06-10 15:37 168 -r-hs---- C:\WINDOWS\system32\E12B40E443.sys
    2007-06-10 15:37 <DIR> d-------- C:\DOCUME~1\MIKEHO~1\APPLIC~1\Corel
    2007-06-10 15:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Corel
    2007-06-10 15:35 <DIR> d-------- C:\Program Files\Common Files\Corel
    2007-06-10 15:31 <DIR> d-------- C:\Program Files\Corel


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-10 13:22:22 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-07-07 16:56:24 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-07-07 09:36:24 -------- d-----w C:\Program Files\McAfee.com
    2007-07-06 03:21:56 -------- d-----w C:\Program Files\RegCure
    2007-07-05 20:31:43 -------- d-----w C:\Program Files\MySpace
    2007-07-03 13:08:15 -------- d-----w C:\Program Files\MP3 Rocket
    2007-06-25 03:33:47 -------- d-----w C:\Program Files\Common Files\Real
    2007-06-25 03:33:37 -------- d-----w C:\Program Files\Real
    2007-06-21 19:32:21 -------- d-----w C:\Program Files\QuickTime
    2007-06-12 17:31:21 -------- d-----w C:\DOCUME~1\MIKEHO~1\APPLIC~1\MP3Rocket
    2007-06-09 21:25:49 -------- d-----w C:\DOCUME~1\MIKEHO~1\APPLIC~1\MSN6
    2007-05-21 11:00:50 -------- d-----w C:\Program Files\WMAConvert
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-05-15 20:32:24 513,152 ----a-w C:\WINDOWS\system32\WmaCDriverV32.sys
    2007-05-15 20:32:24 513,152 ----a-w C:\WINDOWS\system32\drivers\WmaCDriverV32.sys
    2007-05-04 19:43:03 114,545 ----a-w C:\WINDOWS\AllSeaSaver Uninstaller.exe
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-17 03:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 03:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 03:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 03:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 03:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 03:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 03:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 03:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2006-01-12 21:38 63128 --a------ C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    2007-03-14 03:43 501400 --a------ C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7DB2D5A0-7241-4E79-B68D-6309F01C5231}]
    2006-12-22 16:02 67136 --a------ c:\program files\mcafee\virusscan\scriptcl.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "POINTER"="point32.exe" []
    "nwiz"="nwiz.exe" [2005-08-02 18:35 C:\WINDOWS\system32\nwiz.exe]
    "RegistryMechanic"="" []
    "tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [2007-03-07 10:58]
    "Creative WebCam Tray"="C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE" [2002-02-25 02:30]
    "Zboard"="C:\Program Files\Ideazon\ZEngine\Zboard.exe" [2007-04-03 19:46]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-28 09:14]
    "RealTray"="C:\Program Files\Real\RealPlayer\RealPlay.exe" [2007-06-24 22:33]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
    "CreateCD50"="C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.exe" [2001-05-16 09:04]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
    backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
    C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
    "C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PicoZip]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
    c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoNotify]
    "C:\Program Files\TiVo\Desktop\TiVoNotify.exe" /service /registry /auto:TivoNotify

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoServer]
    "C:\Program Files\TiVo\Desktop\TiVoServer.exe" /service /registry

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TivoTransfer]
    "C:\Program Files\Common Files\TiVo Shared\Transfer\TiVoTransfer.exe" /service /registry /auto:TivoTransfer

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
    "C:\Program Files\Windows Defender\MSASCui.exe" -hide


    Contents of the 'Scheduled Tasks' folder
    2007-07-05 17:57:02 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    2007-07-07 09:20:17 C:\WINDOWS\tasks\McDefragTask.job
    2007-07-07 09:20:15 C:\WINDOWS\tasks\McQcTask.job
    2007-07-10 07:11:06 C:\WINDOWS\tasks\MP Scheduled Scan.job
    2007-07-10 21:14:06 C:\WINDOWS\tasks\RegCure Program Check.job
    2007-06-28 08:00:00 C:\WINDOWS\tasks\RegCure.job
    2007-07-10 21:16:01 C:\WINDOWS\tasks\Symantec NetDetect.job
    2007-07-10 08:00:01 C:\WINDOWS\tasks\XoftSpySE.job

    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-10 16:14:38
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-10 16:18:54 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-07-10 16:18

    --- E O F ---




    Kav-2nd log on next post, combined too big.
     
  8. viperstk

    viperstk Thread Starter

    Joined:
    Jul 10, 2007
    Messages:
    7
    Combo log on previous post... too big..


    KAV-2nd.txt Log:



    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Tuesday, July 10, 2007 6:12:03 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.93.0
    Kaspersky Anti-Virus database last update: 10/07/2007
    Kaspersky Anti-Virus database records: 360559
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\

    Scan Statistics:
    Total number of scanned objects: 94982
    Number of viruses found: 10
    Number of infected objects: 107
    Number of suspicious objects: 0
    Duration of the scan process: 01:47:12

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{D8CF38B4-192D-4664-A9EE-A642E49F830D}.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Support.com\profiles\Mike Howard\triggers.log Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Mike Howard\Application Data\Ideazon\ZEngine\data\mods\IDeazon.ldb Object is locked skipped
    C:\Documents and Settings\Mike Howard\Application Data\Ideazon\ZEngine\data\mods\IDeazon.zbd Object is locked skipped
    C:\Documents and Settings\Mike Howard\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Mike Howard\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\Mike Howard\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Mike Howard\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Mike Howard\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Mike Howard\Local Settings\History\History.IE5\MSHist012007071020070711\index.dat Object is locked skipped
    C:\Documents and Settings\Mike Howard\Local Settings\Temp\JET8BD1.tmp Object is locked skipped
    C:\Documents and Settings\Mike Howard\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Mike Howard\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Mike Howard\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{37A080D0-CAF1-4994-9BDD-A98DF0FFDBE4}.tmp/{37A080D0-CAF1-4994-9BDD-A98DF0FFDBE4}.tmp Infected: Trojan.Java.ClassLoader.ak skipped
    C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{37A080D0-CAF1-4994-9BDD-A98DF0FFDBE4}.tmp ZIP: infected - 1 skipped
    C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{5B20FD43-E4FE-417B-9F9E-A8712B1B2712}.tmp/{5B20FD43-E4FE-417B-9F9E-A8712B1B2712}.tmp Infected: Trojan.Java.ClassLoader.ak skipped
    C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{5B20FD43-E4FE-417B-9F9E-A8712B1B2712}.tmp ZIP: infected - 1 skipped
    C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{9A0421A4-AADB-4198-9724-95DE866E4B53}.tmp/{9A0421A4-AADB-4198-9724-95DE866E4B53}.tmp Infected: Trojan-Downloader.Java.OpenConnection.ah skipped
    C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{9A0421A4-AADB-4198-9724-95DE866E4B53}.tmp ZIP: infected - 1 skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\afgeveav.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\akcpvalv.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\bnvitiif.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\dqrsrrdp.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\drvvjicx.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\edgmcdxy.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\ejiqnhot.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\evlkwgru.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\fkhmiyfm.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\fwaqigrq.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\gnjkxuuy.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\gqxqfpvs.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\hapabcms.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\hwnhrejk.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\ibirhcxo.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\iknummua.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\ingdggna.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\jkerhyvc.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\jwabaxhd.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\keosukxf.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\kkcpodgc.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\kofqvtvu.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\ldyejaba.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\lgxaxnro.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\lhbteobe.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\lrnnttkk.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\mrioprph.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\msieycst.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\nurnudop.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\oisnyudh.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\pwlfexhu.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\pyknwmom.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\qqaaygog.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\qtwdqlyq.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\qyldkvih.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\rfcedwxi.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\rftnycjy.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\tmuvuhil.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\ttcxothc.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\vcxwygkj.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\vttnifke.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\QooBox\Quarantine\C\WINDOWS\system32\wtijpwqe.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\catalog.wci\00000002.ps1 Object is locked skipped
    C:\System Volume Information\catalog.wci\00000002.ps2 Object is locked skipped
    C:\System Volume Information\catalog.wci\00010009.ci Object is locked skipped
    C:\System Volume Information\catalog.wci\cicat.fid Object is locked skipped
    C:\System Volume Information\catalog.wci\cicat.hsh Object is locked skipped
    C:\System Volume Information\catalog.wci\CiCL0001.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiP10000.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiP20000.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiPT0000.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiSL0001.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiSP0000.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiST0000.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\CiVP0000.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\INDEX.000 Object is locked skipped
    C:\System Volume Information\catalog.wci\propstor.bk1 Object is locked skipped
    C:\System Volume Information\catalog.wci\propstor.bk2 Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP778\A0036962.exe/data.rar/keygen.exe Infected: Trojan-Downloader.Win32.LoadAdv.gen skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP778\A0036962.exe/data.rar/crack.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP778\A0036962.exe/data.rar/serial.exe Infected: Trojan.Win32.Dialer.qn skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP778\A0036962.exe/data.rar/install.exe Infected: Trojan-Downloader.Win32.Small.eqn skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP778\A0036962.exe/data.rar Infected: Trojan-Downloader.Win32.Small.eqn skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP778\A0036962.exe RarSFX: infected - 5 skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP780\A0037204.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP781\A0037387.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP787\A0039796.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP787\A0039822.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP788\A0040822.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.kp skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP788\A0041836.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP788\A0041841.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP789\A0041944.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP789\A0041960.dll Infected: Trojan.Win32.BHO.bd skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042385.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042386.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042387.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042388.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042389.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042390.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042391.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042392.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042393.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042394.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042395.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042396.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042397.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042398.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042399.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042400.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042401.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042402.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042403.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042404.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042405.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042406.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042407.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042408.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042409.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042410.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042411.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042412.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042413.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042414.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042415.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042416.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042417.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042418.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042419.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042420.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042421.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042422.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042423.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042424.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042425.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\A0042426.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\change.log Object is locked skipped
    C:\VundoFix Backups\fccbcbc.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
    C:\VundoFix Backups\vrtscrtx.dll.bad Infected: Trojan.Win32.BHO.bd skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\Temp\mcafee_iR8npigg6StSg9m Object is locked skipped
    C:\WINDOWS\Temp\mcafee_qYyPZSdhGVrRu7U Object is locked skipped
    C:\WINDOWS\Temp\mcmsc_buL8FRPYa21DW4e Object is locked skipped
    C:\WINDOWS\Temp\mcmsc_BXcx4aZPPhF7Nxc Object is locked skipped
    C:\WINDOWS\Temp\mcmsc_d2HH9b9o6JDLYVk Object is locked skipped
    C:\WINDOWS\Temp\mcmsc_Lux0QpA9167hu8l Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.
     
  9. askey127

    askey127 Malware Specialist

    Joined:
    Dec 22, 2006
    Messages:
    3,721
    viperstk,
    -----------------------------------------------------------
    Folder Deletion
    In Windows Explorer (My Computer), navigate to the folder shown below, highlight the folder if found, and press Delete. (This one contains all quarantined infected files.)
    C:\Qoobox\
    In the case of a folder removal, you may have to first open the folder, choose View, Details, and delete all the underlying files and folders before an entire folder can be deleted.
    If you need to delete underlying files in a folder and are unable to do so:
    Right click the file set for deletion, and check Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
    If a message pops up saying "File in use", or something like that, hit Ctrl-Alt-Delete and look under the Processes tab.
    If the exact filename is in there, highlight it and click End Process, then retry Delete.
    Please Note the name and location of any item you cannot delete, or any file not found.
    -----------------------------------------------------------
    Run CCleaner Cleaning Scan. This will remove all Temp files, cookies, and Internet History.
    Click on the Cleaner block on the left. Choose the Windows tab.
    Click the Run Cleaner button. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.
    Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.
    -----------------------------------------------------------
    Disable WinXP System Restore
    Disable your System Restore to remove malware files that have been backed up by Windows. The files in System Restore are protected to prevent any programs changing them. The only way to erase these files is to temporarily disable System Restore. You will lose all previous restore points which are likely to be infected.
    - Right-click My Computer, and then click Properties.
    - On the System Restore tab, put a Check mark in the Turn Off System Restore check box.
    - Click OK twice, and then click Yes when you are prompted to restart the computer.
    If you are not prompted to reboot, do it on your own.
    -----------------------------------------------------------
    After the Reboot,
    Enable WinXP System Restore
    - Right-click My Computer, and then click Properties.
    - On the System Restore tab, Clear the Check mark beside the Turn Off System Restore check box.
    - Click OK twice, and then click Yes when you are prompted to restart the computer.
    The Disable/Re-enable System Restore sequence is not to be done regularly, but only once after the removal of malware.

    -----------------------------------------------------------
    Post a New HJT Log
    Reboot your computer. Start HijackThis. Click Do System Scan and Save a Log File.
    When the Scan is complete, select the whole log (Ctrl-A), copy and paste the log contents in a reply.
    -----------------------------------------------------
    Using Internet Explorer, Please Do an Online Scan with Kaspersky WebScanner.
    Go here to run an online scanner from Kaspersky.
    • Click on "Kaspersky Online Scanner"
    • A new smaller window will pop up. After reading the contents, press "Accept".
    • Now Kaspersky will update the anti-virus database. Let it run.
    • Click on "Next" > "Scan Settings", make sure the database is set to "extended", and check both scan options. Then click OK.
    • Then click on "My Computer", and the scan will start.
    • Once finished, save the log to your Desktop as filename KAV-3rd.txt
    So please post the KAV-3rd.txt Kaspersky log, and the new HJT log, plus any comments.

    askey127
     
  10. viperstk

    viperstk Thread Starter

    Joined:
    Jul 10, 2007
    Messages:
    7
    HJ LOG - (KAV-3rd to follow):


    Logfile of HijackThis v1.99.1
    Scan saved at 9:08:54 PM, on 7/10/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    c:\program files\common files\mcafee\mna\mcnasvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    C:\Program Files\McAfee\MPF\MPFSrv.exe
    C:\PROGRA~1\McAfee\MPS\mps.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\system32\PSIService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe
    C:\PROGRA~1\mcafee.com\agent\mcagent.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\McAfee\MPS\mpsevh.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
    C:\Program Files\Ideazon\ZEngine\Zboard.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Real\RealPlayer\RealPlay.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Webshots\webshots.scr
    C:\Program Files\iPod\bin\iPodService.exe
    C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
    C:\Program Files\Support.com\bin\tgcmd.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.comcast.net
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :0
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\program files\mcafee\virusscan\scriptcl.dll
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
    O4 - HKLM\..\Run: [Creative WebCam Tray] C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
    O4 - HKLM\..\Run: [Zboard] C:\Program Files\Ideazon\ZEngine\Zboard.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Startup: Webshots.lnk = C:\Program Files\Webshots\Launcher.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {10E0E75E-6701-4134-9D95-C0942ED1F1C8} (Snapfish Outlook Import ActiveX Control) - http://www1.snapfish.com/SnapfishOutlookImport.cab
    O16 - DPF: {1D9EFA3B-4E85-41A8-9092-14012CD447C9} (NetCamPlayerWeb Control) - http://68.52.168.87:1100/img/NetCamPlayerWeb.ocx
    O16 - DPF: {1F75C3DC-38E2-4424-A028-217AA4CB43CA} (NetCamMotionDetect Control) - http://192.168.1.105/adm/NetCamMotionDetect.cab
    O16 - DPF: {2871FC9B-5E34-4AAE-9E9C-EBD1652D5C92} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
    O16 - DPF: {2DFF31F9-7893-4922-AF66-C9A1EB4EBB31} (Rhapsody Player Engine) - http://forms.real.com/real/player/d.../mrkt/rhapx/RhapsodyPlayerEngine_Inst_Win.cab
    O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.webshots.com/html/atx/wsaxcontrol.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - http://download.mcafee.com/molbin/shared/mcinsctl/4,0,0,101/mcinsctl.cab
    O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
    O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - http://download.mcafee.com/molbin/shared/mcgdmgr/1,0,0,26/mcgdmgr.cab
    O16 - DPF: {D7208880-9B7A-43E1-AABB-8C888A5704F9} (NetCamPlayerWeb11gv2 Control) - http://mghoward.ourlinksys.com/NetCamPlayerWeb11gv2.cab
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
    O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
    O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
    O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\program files\common files\mcafee\mna\mcnasvc.exe
    O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
    O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
    O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
    O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
    O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
    O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
    O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
    O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: ProtexisLicensing - Unknown owner - C:\WINDOWS\system32\PSIService.exe
    O23 - Service: TiVo Beacon (TivoBeacon2) - Unknown owner - C:\Program Files\Common Files\TiVo Shared\Beacon\TiVoBeacon.exe" /service (file missing)



    KAV-3rd log:

    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Tuesday, July 10, 2007 10:53:24 PM
    Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.93.0
    Kaspersky Anti-Virus database last update: 11/07/2007
    Kaspersky Anti-Virus database records: 360737
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    A:\
    C:\
    D:\
    E:\
    F:\
    G:\

    Scan Statistics:
    Total number of scanned objects: 88312
    Number of viruses found: 4
    Number of infected objects: 8
    Number of suspicious objects: 0
    Duration of the scan process: 01:40:08

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{D8CF38B4-192D-4664-A9EE-A642E49F830D}.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Support.com\profiles\Mike Howard\triggers.log Object is locked skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Mike Howard\Application Data\Ideazon\ZEngine\data\mods\IDeazon.ldb Object is locked skipped
    C:\Documents and Settings\Mike Howard\Application Data\Ideazon\ZEngine\data\mods\IDeazon.zbd Object is locked skipped
    C:\Documents and Settings\Mike Howard\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Mike Howard\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\Mike Howard\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Mike Howard\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Mike Howard\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Mike Howard\Local Settings\History\History.IE5\MSHist012007071020070711\index.dat Object is locked skipped
    C:\Documents and Settings\Mike Howard\Local Settings\Temp\JETE25.tmp Object is locked skipped
    C:\Documents and Settings\Mike Howard\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Mike Howard\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Mike Howard\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Mike Howard\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{37A080D0-CAF1-4994-9BDD-A98DF0FFDBE4}.tmp/{37A080D0-CAF1-4994-9BDD-A98DF0FFDBE4}.tmp Infected: Trojan.Java.ClassLoader.ak skipped
    C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{37A080D0-CAF1-4994-9BDD-A98DF0FFDBE4}.tmp ZIP: infected - 1 skipped
    C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{5B20FD43-E4FE-417B-9F9E-A8712B1B2712}.tmp/{5B20FD43-E4FE-417B-9F9E-A8712B1B2712}.tmp Infected: Trojan.Java.ClassLoader.ak skipped
    C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{5B20FD43-E4FE-417B-9F9E-A8712B1B2712}.tmp ZIP: infected - 1 skipped
    C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{9A0421A4-AADB-4198-9724-95DE866E4B53}.tmp/{9A0421A4-AADB-4198-9724-95DE866E4B53}.tmp Infected: Trojan-Downloader.Java.OpenConnection.ah skipped
    C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{9A0421A4-AADB-4198-9724-95DE866E4B53}.tmp ZIP: infected - 1 skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP1\change.log Object is locked skipped
    C:\VundoFix Backups\fccbcbc.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped
    C:\VundoFix Backups\vrtscrtx.dll.bad Infected: Trojan.Win32.BHO.bd skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\default Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\software Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\system Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\Temp\mcmsc_ccpcc6nXW6AUxOd Object is locked skipped
    C:\WINDOWS\Temp\mcmsc_qWk5dtisU9TAwrz Object is locked skipped
    C:\WINDOWS\Temp\mcmsc_rr5WOXPUf9GT35r Object is locked skipped
    C:\WINDOWS\Temp\mcmsc_SLzjFY7pbwQBr0U Object is locked skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped

    Scan process completed.

    Thanks
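To see which lines of a Kaspersky Online Scanner report like the one above actually need action, here is an added Python triage script (my own example, not code from this thread or from Kaspersky). It parses the report's line formats, drops the "Object is locked" noise (in-use hives, logs and index.dat files that were never scanned), maps archive members such as `file.tmp/member.tmp` back to the file on disk, and sorts detections into three buckets that get different treatment: live files to delete by hand, removal-tool backup folders, and restore-point copies that only go away by cycling System Restore. The sample lines are copied from the log above; the bucket rules and the `plan()` wording are my assumptions.

```python
import re
from collections import defaultdict

# Paths copied from the report above, used to build a constructed sample.
IOLO_TMP = (r"C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual"
            r"\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{37A080D0-CAF1-4994-9BDD-A98DF0FFDBE4}.tmp")
RESTORE_EXE = (r"C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}"
               r"\RP793\A0042385.exe")
VUNDOFIX_DLL = r"C:\VundoFix Backups\fccbcbc.dll.bad"

# Constructed sample report: a few representative lines, not the full log.
SAMPLE_REPORT = "\n".join([
    "Infected Object Name / Virus Name / Last Action",
    r"C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped",
    # Member inside a ZIP: reported as "<container>/<member>".
    IOLO_TMP + "/" + IOLO_TMP.rsplit("\\", 1)[1] + " Infected: Trojan.Java.ClassLoader.ak skipped",
    IOLO_TMP + " ZIP: infected - 1 skipped",
    RESTORE_EXE + " Infected: Trojan-Downloader.Win32.Tiny.id skipped",
    r"C:\System Volume Information\_restore{BEBACABC-1840-4478-AE44-1F009C0EA64C}\RP793\change.log Object is locked skipped",
    VUNDOFIX_DLL + " Infected: not-a-virus:AdWare.Win32.Virtumonde.jp skipped",
    r"C:\WINDOWS\system32\config\SAM Object is locked skipped",
    "Scan process completed.",
])

# The three line shapes that appear in the report body.
INFECTED_RE = re.compile(r"^(?P<obj>.+?) Infected: (?P<name>\S+) skipped$")
CONTAINER_RE = re.compile(r"^(?P<obj>.+?) (?P<kind>\w+): infected - (?P<n>\d+) skipped$")
LOCKED_RE = re.compile(r"^(?P<obj>.+?) Object is locked skipped$")


def on_disk_path(obj):
    """Kaspersky names archive/SFX members as '<file>/<member>'; the thing you
    can actually delete is the container before the first '/'."""
    return obj.split("/", 1)[0]


def classify(disk_path):
    """Bucket a detection by where it lives (assumed rules)."""
    p = disk_path.lower()
    if "\\system volume information\\_restore" in p:
        return "system_restore"      # cleared only by disabling/re-enabling System Restore
    if "\\vundofix backups\\" in p or "\\qoobox\\" in p:
        return "quarantine"          # removal-tool backups: delete the whole folder
    return "live"                    # a real file to remove by hand


def quarantine_root(disk_path):
    """Folder containing a quarantined file, e.g. 'C:\\VundoFix Backups\\'."""
    return disk_path.rsplit("\\", 1)[0] + "\\"


def triage(report_text):
    buckets = {"live": defaultdict(set), "quarantine": defaultdict(set),
               "system_restore": defaultdict(set)}
    containers = {}
    locked = 0
    for raw in report_text.splitlines():
        line = raw.strip()
        m = INFECTED_RE.match(line)
        if m:
            path = on_disk_path(m.group("obj"))
            buckets[classify(path)][path].add(m.group("name"))
            continue
        m = CONTAINER_RE.match(line)
        if m:
            # Summary line for an archive; its members were already listed.
            containers[m.group("obj")] = int(m.group("n"))
            continue
        if LOCKED_RE.match(line):
            locked += 1
    result = {k: dict(v) for k, v in buckets.items()}
    result["containers"] = containers
    result["locked"] = locked
    return result


def plan(result):
    """Turn the buckets into the ordered cleanup steps a helper would post."""
    steps = []
    for path, names in sorted(result["live"].items()):
        steps.append("delete file: %s (%s)" % (path, ", ".join(sorted(names))))
    for folder in sorted({quarantine_root(p) for p in result["quarantine"]}):
        steps.append("delete quarantine folder: " + folder)
    if result["system_restore"]:
        steps.append("disable System Restore, reboot, re-enable it "
                     "(%d infected restore-point objects)" % len(result["system_restore"]))
    steps.append("ignore %d 'Object is locked' entries: in-use hives, logs and "
                 "index.dat files, not detections" % result["locked"])
    return steps


if __name__ == "__main__":
    for step in plan(triage(SAMPLE_REPORT)):
        print(step)
```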
     
  11. askey127

    askey127 Malware Specialist

    Joined:
    Dec 22, 2006
    Messages:
    3,721
    viperstk,
    -----------------------------------------------------------
    Set Your Computer to Show All Files
    1. Click Start.
    2. Click My Computer.
    3. Select the Tools menu and click Folder Options.
    4. Select the View Tab.
    5. Under the Hidden files and folders heading, select Show hidden files and folders.
    6. Uncheck Hide protected operating system files (recommended).
    7. Click Yes to confirm.
    8. Uncheck the Hide file extensions for known file types.
    9. Click OK.
    -----------------------------------------------------------
    Folder Deletion
    In Windows Explorer (My Computer), navigate to the folder shown below, highlight the folder if found, and Delete.
    C:\VundoFix Backups\
    -----------------------------------------------------------
    File Deletion
    In Windows Explorer (My Computer), navigate to the files shown below, select View, Details, highlight each listed file only, one at a time, and press Delete.

    C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{37A080D0-CAF1-4994-9BDD-A98DF0FFDBE4}.tmp
    C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{5B20FD43-E4FE-417B-9F9E-A8712B1B2712}.tmp
    C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}\{9A0421A4-AADB-4198-9724-95DE866E4B53}.tmp

    Also delete any other files in that folder having the .tmp extension.

    If you have any problem deleting a file, right click the file and choose Properties to see if it's read-only. Uncheck the read-only box, click Apply and OK. Then retry Delete.
    If a message pops up saying "File in use", or something like that, hit Ctrl-Alt-Delete and look under the Processes tab. If the exact filename is in there, highlight it and click End Process, then retry Delete.
    Please Note the name and location of any item you cannot delete, or any file not found.
    -----------------------------------------------------------
    Delete ComboFix
    -----------------------------------------------------------
    Run CCleaner Cleaning Scan. This will remove all Temp files, cookies, and Internet History.
    If it's not already running, Start CCleaner.
    Click on the Cleaner block on the left. Choose the Windows tab.
    Click the Run Cleaner button. This process could take a while. When CCleaner shows how much has been removed, cleaning is finished.
    Exit CCleaner by clicking on the X button in the upper right of the CCleaner window.
    -----------------------------------------------------------
    Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from accidentally running or downloading known malicious programs. Available from http://www.javacoolsoftware.com/spywareblaster.html
    After the installation, click Download Latest Protection Updates. When it finishes, click Enable All Protection.
    -----------------------------------------------------------
    Install WinPatrol - Download and Install WinPatrol, and view Instructions here: http://www.winpatrol.com/winpatrol.html
    - WinPatrol is an active program that drops a "Scotty Dog" icon into the system tray (right click to check/change status), allows you to monitor/edit startups, services, Browser helpers, and prompts for permission if any program tries to change your system. It also provides selective cookie management.
    -----------------------------------------------------------
    Set Your Computer to ReHide System Files
    • Click Start.
    • Click My Computer.
    • Select the Tools menu and click Folder Options.
    • Select the View Tab.
    • Under the Hidden files and folders heading, select Do Not Show hidden files and folders.
    • Check Hide protected operating system files (recommended).
    • Check Hide file extensions for known file types.
    • Click Yes to confirm if asked.
    • Click OK.
    In addition, go to Start, Search. When you click on 'All files and folders' on the left pane, click on the 'More advanced options' at the bottom. Make sure that 'Search system folders', 'Search hidden files and folders', and 'Search subfolders' are all UNchecked.

    If there are no other problems or questions, you should be good to go.

    askey127
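    The Folder Options, folder deletion and file deletion steps above, as an added example that is not part of the original thread and is not askey127's own procedure in code form. It assumes an elevated PowerShell prompt (PowerShell is not installed on XP by default, so this is the same procedure written for a host that has it) and uses exactly the paths quoted in the post. The three Folder Options checkboxes are the DWORD values Hidden, ShowSuperHidden and HideFileExt under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced. The ComboFix, CCleaner, SpywareBlaster and WinPatrol steps are not scripted because the post gives no paths for them.

```powershell
# Added example, not code from the thread. Script equivalent of the
# "Show All Files", "Folder Deletion", "File Deletion" and "ReHide" steps.
# Assumptions: elevated PowerShell prompt; paths exactly as quoted in the post.

$Advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

# The three Folder Options checkboxes are these three DWORDs under HKCU.
function Set-ExplorerVisibility {
    param([bool]$ShowAll)
    if ($ShowAll) {
        $values = @{ Hidden = 1; ShowSuperHidden = 1; HideFileExt = 0 }   # show everything
    } else {
        $values = @{ Hidden = 2; ShowSuperHidden = 0; HideFileExt = 1 }   # re-hide (defaults)
    }
    foreach ($name in $values.Keys) {
        Set-ItemProperty -Path $Advanced -Name $name -Value $values[$name] -Type DWord
    }
}

# Delete one file and return a one-line result, because the post asks the
# user to note every file that was not found or could not be deleted.
function Remove-TargetFile {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return "NOT FOUND: $Path" }
    try {
        $item = Get-Item -LiteralPath $Path -Force
        if ($item.IsReadOnly) { $item.IsReadOnly = $false }   # same as unticking Read-only
        Remove-Item -LiteralPath $Path -Force -ErrorAction Stop
        return "DELETED: $Path"
    } catch {
        # A sharing violation here is the "File in use" case described in the post.
        return "FAILED: $Path ($($_.Exception.Message))"
    }
}

$report = @()
Set-ExplorerVisibility -ShowAll $true

# Folder Deletion
$backup = 'C:\VundoFix Backups'
if (Test-Path -LiteralPath $backup) {
    Remove-Item -LiteralPath $backup -Recurse -Force
    $report += "DELETED: $backup"
} else {
    $report += "NOT FOUND: $backup"
}

# File Deletion: the three listed .tmp files plus any other .tmp file in that folder.
# -LiteralPath is used throughout because the folder names contain braces.
$undo = 'C:\Program Files\iolo\System Mechanic 5 Professional\Undo\Manual\{97759FF6-992D-4ED8-AB72-CB4DD7BEF6D6}'
$targets = @(
    '{37A080D0-CAF1-4994-9BDD-A98DF0FFDBE4}.tmp',
    '{5B20FD43-E4FE-417B-9F9E-A8712B1B2712}.tmp',
    '{9A0421A4-AADB-4198-9724-95DE866E4B53}.tmp'
) | ForEach-Object { Join-Path $undo $_ }
if (Test-Path -LiteralPath $undo) {
    $extra = @(Get-ChildItem -LiteralPath $undo -Filter '*.tmp' -Force | ForEach-Object { $_.FullName })
    $targets += $extra
}
foreach ($f in ($targets | Select-Object -Unique)) {
    $report += Remove-TargetFile -Path $f
}

# Set Your Computer to ReHide System Files
Set-ExplorerVisibility -ShowAll $false

# Print the list the post asks for: what was deleted, not found, or still in use.
$report
```

    Explorer reads the three registry values when a window is opened, so an Explorer window that is already open will not reflect the change until it is refreshed or reopened. A FAILED line for a file still means what the post says: check the Processes tab for that exact filename before retrying.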
     
  12. viperstk

    viperstk Thread Starter

    Joined:
    Jul 10, 2007
    Messages:
    7
    All complete!! Thank you so much for all your help and patience through this! My computer is back! I will be making a donation to this site and will be back in the future if problems arise.
    Again, thank you for all your help!!
    Mike (viperstk)
     
Short URL to this thread: https://techguy.org/593913