Please help remove Ultimate Fixer [RESOLVED]


  • This topic is locked

#1
mikem9

mikem9

    New Member

  • Member
  • 7 posts
Hi, my friend's computer is infected with Ultimate Fixer, and I've been trying to help him remove it, to no avail. And it's getting worse (shutting down browsers whenever we visit a site like this, trying to block hijackthis installation, tons of popups, etc.) He's not computer literate at all (doesn't know what kind of security he has, if any) and I'm the most tech-savvy person either, so if anyone can help, please try to make it fairly basic. Here is his hijackthis log, which I e-mailed to myself and posted from my computer:


Logfile of Trend Micro HijackThis
Scan saved at 4:18:21 PM, on 7/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MSI\LAN Utility\DiagAP8169.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\WINDOWS\system32\ybgbwnwv.exe
C:\WINDOWS\system32\scchk32.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\WINDOWS\system32\qwerty12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mac.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.windowsdo...com/success.htm
R3 - Default URLSearchHook is missing
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\TdTr0uS5.dll
O2 - BHO: (no name) - {938A8A03-A938-4019-B764-03FF8D167D79} - C:\WINDOWS\system32\tmp93.tmp.dll
O2 - BHO: (no name) - {ab3c9d41-57d7-4efe-a983-e03c1de22c36} - C:\WINDOWS\system32\ati3nce.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DiagAP8169] C:\Program Files\MSI\LAN Utility\DiagAP8169 /hw
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WorkFlow] D:\installs\BrdJmp\WorkFlow.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [ybgbwnwv.exe] C:\WINDOWS\system32\ybgbwnwv.exe
O4 - HKLM\..\Run: [SC2] C:\WINDOWS\system32\scchk32.exe
O4 - HKLM\..\Run: [winehq.org] rundll32.exe "C:\WINDOWS\ddbxvu.dll",realset
O4 - HKLM\..\Run: [MRT] "C:\WINDOWS\system32\MRT.exe" /R
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Owner\svchost.exe
O4 - Startup: AutorunsDisabled
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash...ers/SAXFile.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O20 - Winlogon Notify: ati3nce - C:\WINDOWS\SYSTEM32\ati3nce.dll
O20 - Winlogon Notify: instcat - x 0 (file missing)
O20 - Winlogon Notify: x 0 - x 0 (file missing)
O22 - SharedTaskScheduler: za - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\TdTr0uS5.dll
O22 - SharedTaskScheduler: rgyeupxhdqdj - {42248C91-2117-477B-AC0E-C280556B1001} - C:\WINDOWS\system32\rgyeupxhdqdj.dll (file missing)
O22 - SharedTaskScheduler: sicakllcrjcj - {3578CC4F-0E1F-445E-8072-E78435C71001} - C:\WINDOWS\system32\sicakllcrjcj.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qwerty12.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6887 bytes
  • 0
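The log above is what the helper in this thread later reads through by hand. As an added example (not part of this thread, and not code from HijackThis or ComboFix), the following Python script flags the categories of entries the rest of the thread singles out for removal: an extra executable on the UserInit line, nameless BHOs, core Windows process names started from anywhere but System32, Winlogon Notify and SharedTaskScheduler entries whose backing file is gone, and services with no publisher running out of System32. The sample log lines are constructed from the first post; the regular expressions, the process-name list and the rules themselves are my own heuristics, not HijackThis logic.

```python
"""Triage helper for HijackThis-style logs.

Added example, not part of the thread or of HijackThis/ComboFix: flags the
kinds of entries the helper in this thread marked for removal.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, modelled on the first HijackThis log in the thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {938A8A03-A938-4019-B764-03FF8D167D79} - C:\WINDOWS\system32\tmp93.tmp.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Owner\svchost.exe
O20 - Winlogon Notify: instcat - x 0 (file missing)
O22 - SharedTaskScheduler: rgyeupxhdqdj - {42248C91-2117-477B-AC0E-C280556B1001} - C:\WINDOWS\system32\rgyeupxhdqdj.dll (file missing)
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qwerty12.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Core Windows process names that malware likes to borrow; the genuine
# binaries live directly in System32 (heuristic list, my own).
CORE_PROCESS_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                      "winlogon.exe", "services.exe"}
SYSTEM32_DIR = r"c:\windows\system32"


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # why the entry deserves a second look
    line: str      # the original log line


def extract_exe(command: str) -> str:
    """Pull the executable path out of a Run-key command line (heuristic)."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    m = re.match(r"(?i)(.+?\.exe)", command)
    return m.group(1) if m else command


def check_line(line: str) -> Optional[Finding]:
    """Return a Finding for one suspicious log line, or None."""
    # F2: UserInit should name only userinit.exe; anything else runs at logon.
    m = re.match(r"^F2 - REG:system\.ini: UserInit=(.*)$", line)
    if m:
        extras = [p.strip() for p in m.group(1).split(",")
                  if p.strip() and ntpath.basename(p.strip()).lower() != "userinit.exe"]
        if extras:
            return Finding("F2", "extra UserInit executable(s): " + ", ".join(extras), line)
        return None
    # O2: a BHO with no name at all is unusual for legitimate software.
    m = re.match(r"^O2 - BHO: (.+?) - \{[0-9A-Fa-f-]+\} - (.+)$", line)
    if m and m.group(1) == "(no name)":
        return Finding("O2", "nameless BHO: " + m.group(2), line)
    # O4: a core process name started from anywhere but System32.
    m = re.match(r"^O4 - HK\w+\\\.\.\\Run: \[.+?\] (.+)$", line)
    if m:
        exe = extract_exe(m.group(1))
        if (ntpath.basename(exe).lower() in CORE_PROCESS_NAMES
                and ntpath.dirname(exe).lower() != SYSTEM32_DIR):
            return Finding("O4", "core process name outside System32: " + exe, line)
        return None
    # O20 / O22: logon hooks and scheduler entries whose file is already gone.
    m = re.match(r"^(O20|O22) - .*\((file missing|no file)\)$", line)
    if m:
        return Finding(m.group(1), "autostart entry whose file is missing", line)
    # O23: a service with no publisher, running a binary out of System32.
    m = re.match(r"^O23 - Service: (.+?) - (.+?) - (.+)$", line)
    if m and m.group(2) == "Unknown owner" and m.group(3).lower().startswith(SYSTEM32_DIR):
        return Finding("O23", "service without publisher %r: %s" % (m.group(1), m.group(3)), line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run check_line over every line of a HijackThis log, in log order."""
    return [f for f in (check_line(l.rstrip()) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print("[%s] %s" % (f.section, f.reason))
```

The output is a triage list, not a verdict: a legitimate vendor service that HijackThis reports as "Unknown owner" (the ATI Smart entry in the log above, for instance) trips the O23 rule as well, so each hit still needs someone to check the file's publisher and creation date, which is exactly what the ComboFix file listings further down in the thread supply.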


#2
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
hello mikem9 and sorry for the delay in response

Can you download a program from your computer to a cd or disk and carry it over to the infected machine?
(and this machine is badly infected)


Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply
Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall
  • 0

#3
mikem9

mikem9

    New Member

  • Topic Starter
  • Member
  • 7 posts
No problem about the delay, I'm just very appreciative you replied. I was able to run ComboFix and save the log to a disc, as well as a current hijackthis log, both of which I'm posting below from my computer.

"Owner" - 2007-07-15 12:17:38 - ComboFix 07-07-13.8 - Service Pack 2 NTFS

ADS removed - svchost.exe: deleted 88 bytes in 2 streams.

(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\byvssr.dll
C:\WINDOWS\qonnml.dll
C:\WINDOWS\vtusqn.dll
C:\WINDOWS\xxxyyv.dll
C:\WINDOWS\rssvyb.ini
C:\WINDOWS\lmnnoq.ini
C:\WINDOWS\nqsutv.ini
C:\WINDOWS\vyyxxx.ini
C:\WINDOWS\system32\ati3nce.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Owner\APPLIC~1\tmp10.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp13.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp15.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp165.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp167.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp17E.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1A.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1B.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1C.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp2.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp2E5.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp3.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp3CF.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp4.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp45.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp5.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp6.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp7.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp70.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp8.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp8C.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp9.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp91.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp93.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp94.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp96.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpA.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpD9.tmp.exe
C:\DOCUME~1\Owner\Desktop\internet.lnk
C:\Documents and Settings\Owner.\svchost.exe
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\qwerty12.exe
C:\WINDOWS\system32\scchk32.exe
C:\WINDOWS\system32\tmp1B.tmp.dll
C:\WINDOWS\system32\tmp2.tmp.dll
C:\WINDOWS\system32\tmp3.tmp.dll
C:\WINDOWS\system32\tmp7.tmp.dll
C:\WINDOWS\system32\tmp93.tmp.dll
C:\WINDOWS\system32\tmp94.tmp.dll
C:\WINDOWS\system32\tmpD9.tmp.dll
C:\WINDOWS\system32\wsnpoem
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-06-15 to 2007-07-15 )))))))))))))))))))))))))))))))


2007-07-15 12:17 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-10 18:24 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-10 18:05 <DIR> d-------- C:\Program Files\True Sword 4
2007-07-10 18:05 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\True Sword
2007-07-10 13:32 <DIR> d-------- C:\VundoFix Backups
2007-07-10 13:30 <DIR> d-------- C:\Program Files\RogueRemover
2007-07-10 13:02 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-06-25 19:05 <DIR> d-------- C:\WINDOWS\system32\bmgenkji
2007-06-25 18:35 99,880 --a------ C:\bmgenkji1.exe
2007-06-25 18:35 95,808 --a------ C:\bmgenkji3.exe
2007-06-25 18:35 122,372 --a------ C:\WINDOWS\system32\tmp421af.exe
2007-06-25 18:35 100,952 --a------ C:\bmgenkji2.exe
2007-06-25 18:34 69,632 --a------ C:\WINDOWS\system32\TdTr0uS5.dll
2007-06-25 18:34 10,752 --a------ C:\WINDOWS\system32\ybgbwnwv.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-15 16:20:21 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Skype
2007-07-11 01:36:23 -------- d-----w C:\Program Files\StarWarsGalaxies
2007-06-12 20:04:41 -------- d-----w C:\Program Files\Google
2007-06-12 15:18:01 -------- d-----w C:\Program Files\Yahoo!
2007-06-12 15:17:21 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-12 15:17:21 -------- d-----w C:\Program Files\EA GAMES
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 23:54:27 526 -c--a-w C:\WINDOWS\eReg.dat
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2005-11-19 22:39:17 823 ----a-w C:\Program Files\README.TXT
2005-11-19 22:39:17 47,114 -c--a-w C:\Program Files\autoruns.chm
2005-11-19 22:39:17 337,424 ----a-w C:\Program Files\autoruns.exe
2005-11-19 22:39:17 243,216 ----a-w C:\Program Files\autorunsc.exe
2005-05-07 15:30:47 56 --sh--r C:\WINDOWS\system32\C70AEAE386.sys
2005-05-07 15:30:48 10,856 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2001-03-02 12:02 37808 --------- C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}]
2007-06-25 18:34 69632 --a------ C:\WINDOWS\system32\TdTr0uS5.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 06:20 C:\WINDOWS\SOUNDMAN.EXE]
"DiagAP8169"="C:\Program Files\MSI\LAN Utility\DiagAP8169 /hw" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-29 08:15]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2004-07-16 08:50]
"WorkFlow"="D:\installs\BrdJmp\WorkFlow.exe" []
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2004-12-20 14:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-06 19:03]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-30 00:10]
"LiveMonitor"="C:\Program Files\MSI\Live Update 3\LMonitor.exe" [2007-01-17 17:01]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-10-13 17:20]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{53B5F2B1-94DD-43E5-8187-EB4E31F00701}"="C:\WINDOWS\system32\TdTr0uS5.dll" [2007-06-25 18:34]
"{42248C91-2117-477B-AC0E-C280556B1001}"="C:\WINDOWS\system32\rgyeupxhdqdj.dll" []

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\x 0]
x 0


**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-15 12:21:47
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet002\Services\FLASHSYS]
"ImagePath"="\??\C:\WINDOWS\system32\DRIVERS\FLASHSYS.sys"

Completion time: 2007-07-15 12:22:43 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-15 12:22

--- E O F ---



Logfile of Trend Micro HijackThis
Scan saved at 12:26:34 PM, on 7/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MSI\LAN Utility\DiagAP8169.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mac.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.windowsdo...com/success.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\TdTr0uS5.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DiagAP8169] C:\Program Files\MSI\LAN Utility\DiagAP8169 /hw
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WorkFlow] D:\installs\BrdJmp\WorkFlow.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: AutorunsDisabled
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash...ers/SAXFile.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O20 - Winlogon Notify: x 0 - x 0 (file missing)
O22 - SharedTaskScheduler: za - {53B5F2B1-94DD-43E5-8187-EB4E31F00701} - C:\WINDOWS\system32\TdTr0uS5.dll
O22 - SharedTaskScheduler: rgyeupxhdqdj - {42248C91-2117-477B-AC0E-C280556B1001} - C:\WINDOWS\system32\rgyeupxhdqdj.dll (file missing)
O22 - SharedTaskScheduler: sicakllcrjcj - {3578CC4F-0E1F-445E-8072-E78435C71001} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5402 bytes



Thanks again for your help.
  • 0

#4
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Nicely done
Let's run through these instructions, then let's see if you can get online from his machine


Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\bmgenkji
C:\bmgenkji1.exe
C:\bmgenkji3.exe
C:\WINDOWS\system32\tmp421af.exe
C:\bmgenkji2.exe
C:\WINDOWS\system32\TdTr0uS5.dll
C:\WINDOWS\system32\ybgbwnwv.exe


Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53B5F2B1-94DD-43E5-8187-EB4E31F00701}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{42248C91-2117-477B-AC0E-C280556B1001}"=-
"{53B5F2B1-94DD-43E5-8187-EB4E31F00701}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\x_ _0__ ]


Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.

[screenshot: ComboFix-Do.txt being dragged onto ComboFix.exe]

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
  • 0

#5
mikem9

mikem9

    New Member

  • Topic Starter
  • Member
  • 7 posts
Okay, I think everything went as instructed. Here are the latest logs:

"Owner" - 2007-07-15 13:11:51 - ComboFix 07-07-13.8 - Service Pack 2 NTFS
Command switches used :: D:\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\bmgenkji1.exe
C:\bmgenkji2.exe
C:\bmgenkji3.exe
C:\WINDOWS\system32\bmgenkji
C:\WINDOWS\system32\TdTr0uS5.dll
C:\WINDOWS\system32\tmp421af.exe
C:\WINDOWS\system32\ybgbwnwv.exe


((((((((((((((((((((((((( Files Created from 2007-06-15 to 2007-07-15 )))))))))))))))))))))))))))))))


2007-07-15 12:17 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-10 18:24 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-10 18:05 <DIR> d-------- C:\Program Files\True Sword 4
2007-07-10 18:05 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\True Sword
2007-07-10 13:32 <DIR> d-------- C:\VundoFix Backups
2007-07-10 13:30 <DIR> d-------- C:\Program Files\RogueRemover
2007-07-10 13:02 <DIR> d-------- C:\Program Files\Enigma Software Group


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-15 16:49:03 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Skype
2007-07-11 01:36:23 -------- d-----w C:\Program Files\StarWarsGalaxies
2007-06-12 20:04:41 -------- d-----w C:\Program Files\Google
2007-06-12 15:18:01 -------- d-----w C:\Program Files\Yahoo!
2007-06-12 15:17:21 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-12 15:17:21 -------- d-----w C:\Program Files\EA GAMES
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 23:54:27 526 -c--a-w C:\WINDOWS\eReg.dat
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2005-11-19 22:39:17 823 ----a-w C:\Program Files\README.TXT
2005-11-19 22:39:17 47,114 -c--a-w C:\Program Files\autoruns.chm
2005-11-19 22:39:17 337,424 ----a-w C:\Program Files\autoruns.exe
2005-11-19 22:39:17 243,216 ----a-w C:\Program Files\autorunsc.exe
2005-05-07 15:30:47 56 --sh--r C:\WINDOWS\system32\C70AEAE386.sys
2005-05-07 15:30:48 10,856 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2001-03-02 12:02 37808 --------- C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE" [2004-11-15 06:20 C:\WINDOWS\SOUNDMAN.EXE]
"DiagAP8169"="C:\Program Files\MSI\LAN Utility\DiagAP8169 /hw" []
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-09-29 08:15]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2004-07-16 08:50]
"WorkFlow"="D:\installs\BrdJmp\WorkFlow.exe" []
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2004-12-20 14:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2005-10-06 19:03]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-30 00:10]
"LiveMonitor"="C:\Program Files\MSI\Live Update 3\LMonitor.exe" [2007-01-17 17:01]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2006-10-13 17:20]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\x 0]
x 0

*Newly Created Service* - CATCHME

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-15 13:12:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-15 13:12:56
C:\ComboFix-quarantined-files.txt ... 2007-07-15 13:12
C:\ComboFix2.txt ... 2007-07-15 12:22

--- E O F ---



Logfile of Trend Micro HijackThis
Scan saved at 1:13:40 PM, on 7/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MSI\LAN Utility\DiagAP8169.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mac.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.windowsdo...com/success.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DiagAP8169] C:\Program Files\MSI\LAN Utility\DiagAP8169 /hw
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WorkFlow] D:\installs\BrdJmp\WorkFlow.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: AutorunsDisabled
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash...ers/SAXFile.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O20 - Winlogon Notify: x 0 - x 0 (file missing)
O22 - SharedTaskScheduler: sicakllcrjcj - {3578CC4F-0E1F-445E-8072-E78435C71001} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5028 bytes

#6 don77 (Malware Expert, Retired Staff, 18,526 posts)
Are you on his machine?

Please restart HJT, put a check next to the following, close all open windows and click “Fix Checked”:

O20 - Winlogon Notify: x_ _0__ - x_ _0__ (file missing)

Restart the computer and post back a fresh HJT log.
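What the expert is doing by eye in the post above can be written down as a rule set. The script below is an added example for this thread; it is not HijackThis code and not something the poster ran. It scores the O-lines of a log for the signals that single out the O20 entry (a Winlogon Notify registration whose target file is missing) and the O22 entry (a SharedTaskScheduler registration with a random-looking name and no file). The sample lines are copied from the posted log; the section weights and the random-name heuristic are my own assumptions, and a score is a prompt to look, not a verdict, since legitimate entries such as the ATI service also trip the weaker checks.

```python
"""Triage the O-section lines of a HijackThis log.

Added example for this thread; it is neither HijackThis code nor anything
the poster ran. The sample lines are copied from the log posted above;
the scoring weights and the random-name heuristic are my own assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: five O-lines taken verbatim from the posted log.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O20 - Winlogon Notify: x 0 - x 0 (file missing)
O22 - SharedTaskScheduler: sicakllcrjcj - {3578CC4F-0E1F-445E-8072-E78435C71001} - (no file)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
# Auto-start points loaded by winlogon/explorer before the user sees a desktop;
# legitimate software rarely registers here, malware of this era routinely did.
HIGH_RISK_SECTIONS = {"O20", "O21", "O22"}   # Winlogon Notify, SSODL, SharedTaskScheduler
DANGLING_RE = re.compile(r"\((?:file missing|no file)\)", re.I)
VOWELS = set("aeiouy")


@dataclass
class Finding:
    section: str
    name: str
    line: str
    score: int = 0
    reasons: list = field(default_factory=list)


def entry_name(section, desc):
    """Pull the registered name out of the description part of an O-line."""
    if section == "O4":                      # O4 - HKLM\..\Run: [Name] command
        m = re.search(r"\[(.*?)\]", desc)
        return m.group(1) if m else desc
    _, _, rest = desc.partition(": ")        # "Winlogon Notify: x 0 - x 0 ..." -> "x 0 - ..."
    return (rest or desc).split(" - ")[0].strip()


def looks_random(name):
    """Heuristic (assumption): a word of 8+ letters with a run of 5+ consonants."""
    for word in re.findall(r"[A-Za-z]+", name):
        if len(word) < 8:
            continue
        run = longest = 0
        for ch in word.lower():
            run = 0 if ch in VOWELS else run + 1
            longest = max(longest, run)
        if longest >= 5:
            return True
    return False


def triage(log_text):
    """Score every O-line; higher scores are the ones to look at first."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        section, desc = m.groups()
        f = Finding(section, entry_name(section, desc), raw.strip())
        if section in HIGH_RISK_SECTIONS:
            f.score += 2
            f.reasons.append("high-abuse auto-start location")
        if DANGLING_RE.search(desc):
            # A dangling key in a high-risk section is the usual leftover of a
            # partial removal and is what "Fix Checked" deletes; in O9 it is
            # normally just an orphan from uninstalled software.
            f.score += 2 if section in HIGH_RISK_SECTIONS else 1
            f.reasons.append("target file missing")
        if looks_random(f.name):
            f.score += 2
            f.reasons.append("random-looking name")
        if section == "O23" and "Unknown owner" in desc:
            # Weak signal on its own: unsigned vendor services (ATI here) trip it too.
            f.score += 1
            f.reasons.append("service without vendor string")
        findings.append(f)
    return sorted(findings, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.score}  {f.section:<4} {f.name!r:<20} {', '.join(f.reasons) or 'nothing flagged'}")
```

Run against the sample, the O22 line (random name, no file, high-risk section) and the O20 line (no file, high-risk section) come out on top, the orphaned PartyPoker button and the unsigned ATI service score one point each, and the Skype Run entry scores nothing. Treat the list as a reading order for the log, not as a removal list.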

#7 mikem9 (New Member, Topic Starter, 7 posts)
Here's the new log. Thanks again for your help.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:31:11 PM, on 7/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\MSI\LAN Utility\DiagAP8169.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\MSI\Core Center\CoreCenter.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.mac.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.windowsdo...com/success.htm
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [DiagAP8169] C:\Program Files\MSI\LAN Utility\DiagAP8169 /hw
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [WorkFlow] D:\installs\BrdJmp\WorkFlow.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: AutorunsDisabled
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: CoreCenter.lnk = C:\Program Files\MSI\Core Center\CoreCenter.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {230C3D02-DA27-11D2-8612-00A0C93EEA3C} (SAXFile FileUpload ActiveX Control) - http://www.winkflash...ers/SAXFile.cab
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplane...DC_1_0_0_44.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.m...ash/swflash.cab
O22 - SharedTaskScheduler: sicakllcrjcj - {3578CC4F-0E1F-445E-8072-E78435C71001} - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: InCD Helper (read only) (InCDsrvR) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 5015 bytes

#8 don77 (Malware Expert, Retired Staff, 18,526 posts)
Are you able to get online on the infected computer?
We need to run an online scan.

Please do an online scan with Kaspersky WebScanner.

Click on Kaspersky Online Scanner.

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    Extended (if available, otherwise Standard)
    • Scan Options:
    Scan Archives
    Scan Mail Bases
  • Click OK.
  • Now under Select a target to scan, select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete it will display whether your system has been infected.
    • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#9 mikem9 (New Member, Topic Starter, 7 posts)
Here's the Kaspersky scan. I could get online this time without the browser being closed, and it seems like the scan ran fine. Thanks again!


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, July 16, 2007 3:00:40 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 16/07/2007
Kaspersky Anti-Virus database records: 363037
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 78930
Number of viruses found: 12
Number of infected objects: 79
Number of suspicious objects: 0
Duration of the scan process: 00:27:13

Infected Object Name / Virus Name / Last Action
C:\107909218 Infected: Trojan-Downloader.Win32.Agent.bsr skipped
C:\19.tmp Infected: Packed.Win32.PolyCrypt.b skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Skype\mikem92\call256.dbb Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Skype\mikem92\callmember256.dbb Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Skype\mikem92\chat512.dbb Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Skype\mikem92\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Skype\mikem92\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Skype\mikem92\index2.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Skype\mikem92\profile256.dbb Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Skype\mikem92\user1024.dbb Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Skype\mikem92\user16384.dbb Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Skype\mikem92\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007071620070717\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\QooBox\Quarantine\C\bmgenkji1.exe.vir Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped
C:\QooBox\Quarantine\C\bmgenkji2.exe.vir Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped
C:\QooBox\Quarantine\C\bmgenkji3.exe.vir Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped
C:\QooBox\Quarantine\C\Documents and Settings\Owner\svchost.exe.vir Infected: Packed.Win32.PolyCrypt.b skipped
C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp10.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp13.tmp.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp167.tmp.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp17E.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp1A.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp1C.tmp.exe.vir Infected: Trojan.Win32.Agent.anr skipped
C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp2.tmp.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp4.tmp.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp70.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp8C.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp96.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmpA.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\WINDOWS\byvssr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\QooBox\Quarantine\C\WINDOWS\qonnml.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ati3nce.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\bmgenkji.vir\bmgenkji1.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers\svchost.exe.vir Infected: Packed.Win32.PolyCrypt.b skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ntos.exe.vir Infected: Trojan.Win32.Pakes.al skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\qwerty12.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\TdTr0uS5.dll.vir Infected: Trojan-Downloader.Win32.Delf.aeo skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ybgbwnwv.exe.vir Infected: Trojan-Downloader.Win32.Agent.bsr skipped
C:\QooBox\Quarantine\C\WINDOWS\vtusqn.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\QooBox\Quarantine\C\WINDOWS\xxxyyv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP552\A0082946.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP558\A0083068.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP560\A0084123.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP561\A0084160.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP561\A0084161.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP561\A0084164.exe Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP561\A0084165.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP561\A0084166.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP561\A0084177.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/1/EnigmaUpdater.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP561\A0084177.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/2/esgi_md5h.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP561\A0084177.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/7/SpyHunter.exe Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP561\A0084177.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/17/Esgiutl1.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP561\A0084177.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/18/SHSched.dll Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP561\A0084177.exe/PRE Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP561\A0084177.exe Ghost Installer: infected - 6 skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP561\A0084177.exe UPX: infected - 6 skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP561\A0084203.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP562\A0084214.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP562\A0084215.dll Infected: Email-Worm.Win32.Locksky.bh skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP564\A0084470.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP564\A0084473.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP564\A0084485.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP564\A0084486.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP564\A0084488.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP567\A0084554.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP567\A0084555.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP567\A0084558.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP567\A0084559.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP567\A0084560.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP567\A0084562.exe Infected: Trojan.Win32.Agent.anr skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP567\A0084563.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP567\A0084567.exe Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP567\A0084572.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP567\A0084574.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP567\A0084579.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP567\A0084580.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP567\A0084589.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP567\A0084591.exe Infected: Trojan.Win32.Pakes.al skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP567\A0084592.exe Infected: Packed.Win32.PolyCrypt.b skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP567\A0084594.exe Infected: Packed.Win32.PolyCrypt.b skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP567\A0084595.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP567\A0084596.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP567\A0084597.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP567\A0084598.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP567\A0084605.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP567\A0084681.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP567\A0084682.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP567\A0084684.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP567\A0084685.dll Infected: Trojan-Downloader.Win32.Delf.aeo skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP567\A0084686.exe Infected: Trojan-Downloader.Win32.Agent.bsr skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP567\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#10 don77 (Malware Expert, Retired Staff, 18,526 posts)
:whistling:

A couple of things left to do here.

First
Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\107909218
    C:\19.tmp
    C:\QooBox


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Next
Create a new System Restore point, and flush the old ones.
  • Create a New System Restore Point:
  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  • On the Welcome page, click Create a restore point.
  • On the Create a Restore Point page, enter a descriptive name for your restore point, and then click Create.
  • Flush All Previous System Restore Points:
  • Click Start, point to All Programs, point to Accessories, point to System Tools, and then click Disk Cleanup.
  • Click the More Options tab, and then under System Restore, click Clean up.
  • Click Yes to remove all but the most recent restore point. Click OK, click Yes to proceed with this action, and then click OK.


Rescan with Kaspersky and post back what it finds, please.
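The instructions above (move the two live files and the QooBox folder, then flush the old restore points, then rescan) follow from where each detection in the report sits. The script below is an added example for this thread, not part of the scanner or of anything the poster ran. It parses the report lines and sorts each detection into one of three buckets: a live file, a renamed copy inside a quarantine folder (ComboFix's QooBox, and OTMoveIt's MovedFiles folder that the later rescan reports), or a copy inside a System Restore point. "Object is locked" lines and packer/container notes are ignored. The sample lines are copied from the posted reports; the bucket names and the folder prefixes are my own assumptions.

```python
"""Split a Kaspersky Online Scanner report by where each detection lives.

Added example for this thread, not part of the scanner or of anything the
poster ran. The sample lines are copied from the reports posted above; the
three categories and the folder prefixes are my own assumptions.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: nine lines taken from the two posted reports.
SAMPLE_REPORT = r"""
C:\107909218 Infected: Trojan-Downloader.Win32.Agent.bsr skipped
C:\19.tmp Infected: Packed.Win32.PolyCrypt.b skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\QooBox\Quarantine\C\bmgenkji1.exe.vir Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped
C:\QooBox\Quarantine\C\WINDOWS\system32\ntos.exe.vir Infected: Trojan.Win32.Pakes.al skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP561\A0084177.exe/PRE/data/{65145FC9-DEA0-4738-A4FE-376C2BA51806}/7/SpyHunter.exe Infected: not-a-virus:FraudTool.Win32.SpyHunter.b skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP561\A0084177.exe UPX: infected - 6 skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP562\A0084215.dll Infected: Email-Worm.Win32.Locksky.bh skipped
C:\_OTMoveIt\MovedFiles\107909218 Infected: Trojan-Downloader.Win32.Agent.bsr skipped
"""

# One detection per line: "<path> Infected: <name> skipped". Archive members
# keep their inner path after a "/" and are matched the same way.
DETECT_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<family>\S+) skipped$")
# ComboFix's QooBox and OTMoveIt's MovedFiles hold renamed copies that no
# longer auto-start; System Restore keeps its own copies under _restore{GUID}.
QUARANTINE_PREFIXES = ("c:\\qoobox\\quarantine\\", "c:\\_otmoveit\\movedfiles\\")
RESTORE_MARKER = "\\system volume information\\_restore"


@dataclass(frozen=True)
class Detection:
    path: str
    family: str      # Kaspersky name with any "not-a-virus:" prefix stripped
    category: str    # "live", "quarantine" or "restore_point"


def classify(path):
    """Bucket a detection by what it would take to get rid of it."""
    p = path.lower()
    if p.startswith(QUARANTINE_PREFIXES):
        return "quarantine"       # delete the quarantine folder
    if RESTORE_MARKER in p:
        return "restore_point"    # flush old restore points
    return "live"                 # move or delete the file itself


def parse_report(text):
    dets = []
    for line in text.splitlines():
        m = DETECT_RE.match(line.strip())
        if not m:                 # "Object is locked", packer notes, headers
            continue
        family = m["family"].split(":", 1)[-1]
        dets.append(Detection(m["path"], family, classify(m["path"])))
    return dets


def summarize(dets):
    return Counter(d.category for d in dets)


def live_paths(dets):
    return [d.path for d in dets if d.category == "live"]


def families(dets):
    return sorted({d.family for d in dets})


if __name__ == "__main__":
    dets = parse_report(SAMPLE_REPORT)
    for category, n in sorted(summarize(dets).items()):
        print(f"{category:<14}{n}")
    print("live files to move:", *live_paths(dets), sep="\n  ")
    print("families seen:", *families(dets), sep="\n  ")
```

On the sample the only live detections are C:\107909218 and C:\19.tmp, which is exactly the pair the instructions move; the quarantine copies carry a .vir rename and are never executed; and the restore-point copies are inert until someone rolls back to that point, which is why flushing the old points is the second step rather than an afterthought. The same parser run over the full second report shows the moved files reappearing under C:\_OTMoveIt\MovedFiles, which is a quarantine hit, not a reinfection.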

#11 mikem9 (New Member, Topic Starter, 7 posts)
Okay, things are looking better. Here's the text from the Results window in OTMoveIt:

C:\107909218 moved successfully.
C:\19.tmp moved successfully.
C:\QooBox\Quarantine\Registry_backups moved successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\wsnpoem moved successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32\drivers moved successfully.
C:\QooBox\Quarantine\C\WINDOWS\system32 moved successfully.
C:\QooBox\Quarantine\C\WINDOWS moved successfully.
C:\QooBox\Quarantine\C\DOCUME~1\Owner\Desktop moved successfully.
C:\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1 moved successfully.
C:\QooBox\Quarantine\C\DOCUME~1\Owner moved successfully.
C:\QooBox\Quarantine\C\DOCUME~1 moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings\Owner moved successfully.
C:\QooBox\Quarantine\C\Documents and Settings moved successfully.
C:\QooBox\Quarantine\C moved successfully.
C:\QooBox\Quarantine moved successfully.
C:\QooBox moved successfully.

Created on 07/16/2007 18:21:24


The Kaspersky scan was like 96% complete with no viruses found, but then ended up locating 10 I guess right at the very end. Here's that log:


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, July 16, 2007 6:53:21 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.0
Kaspersky Anti-Virus database last update: 17/07/2007
Kaspersky Anti-Virus database records: 363092
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\

Scan Statistics:
Total number of scanned objects: 73893
Number of viruses found: 10
Number of infected objects: 29
Number of suspicious objects: 0
Duration of the scan process: 00:25:31

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Skype\mikem92\call256.dbb Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Skype\mikem92\callmember256.dbb Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Skype\mikem92\chat512.dbb Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Skype\mikem92\chatmsg256.dbb Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Skype\mikem92\contactgroup256.dbb Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Skype\mikem92\index2.dat Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Skype\mikem92\profile256.dbb Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Skype\mikem92\user1024.dbb Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Skype\mikem92\user16384.dbb Object is locked skipped
C:\Documents and Settings\Owner\Application Data\Skype\mikem92\voicemail256.dbb Object is locked skipped
C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007071620070717\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\SkypeSetup.exe Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ZRDJFTKK\SkypeSetup[1].exe Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped
C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{260C76AF-CC6E-4619-B26C-4C602EC8D029}\RP569\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\_OTMoveIt\MovedFiles\107909218 Infected: Trojan-Downloader.Win32.Agent.bsr skipped
C:\_OTMoveIt\MovedFiles\19.tmp Infected: Packed.Win32.PolyCrypt.b skipped
C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\bmgenkji1.exe.vir Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped
C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\bmgenkji2.exe.vir Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped
C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\bmgenkji3.exe.vir Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped
C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\Documents and Settings\Owner\svchost.exe.vir Infected: Packed.Win32.PolyCrypt.b skipped
C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp10.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp13.tmp.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp167.tmp.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp17E.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp1A.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp1C.tmp.exe.vir Infected: Trojan.Win32.Agent.anr skipped
C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp2.tmp.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp4.tmp.exe.vir Infected: Trojan-Downloader.Win32.Tiny.id skipped
C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp70.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp8C.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmp96.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\DOCUME~1\Owner\APPLIC~1\tmpA.tmp.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\WINDOWS\byvssr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\WINDOWS\qonnml.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\WINDOWS\system32\ati3nce.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ke skipped
C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\WINDOWS\system32\bmgenkji.vir\bmgenkji1.exe Infected: not-a-virus:FraudTool.Win32.UltimateDefender.c skipped
C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\WINDOWS\system32\drivers\svchost.exe.vir Infected: Packed.Win32.PolyCrypt.b skipped
C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\WINDOWS\system32\ntos.exe.vir Infected: Trojan.Win32.Pakes.al skipped
C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\WINDOWS\system32\qwerty12.exe.vir Infected: Trojan.Win32.Agent.aoy skipped
C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\WINDOWS\system32\TdTr0uS5.dll.vir Infected: Trojan-Downloader.Win32.Delf.aeo skipped
C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\WINDOWS\system32\ybgbwnwv.exe.vir Infected: Trojan-Downloader.Win32.Agent.bsr skipped
C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\WINDOWS\vtusqn.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\WINDOWS\xxxyyv.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

Scan process completed.
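The report above has two kinds of line, "&lt;path&gt; Object is locked skipped" and "&lt;path&gt; Infected: &lt;verdict&gt; skipped", and the practitioner's question is which of the hits still matter. Every "Infected" entry in this report sits under C:\_OTMoveIt\MovedFiles, that is, inside the OTMoveIt and ComboFix (QooBox\Quarantine) quarantine folders, so they are neutralised copies rather than running malware, which is why the only remaining step is to delete that folder. The locked objects (registry hives, index.dat, event logs) are normal for an online scan of a live system. The following script is an added example, not part of the thread or of any scanner's tooling: it parses lines in this report format, separates locked noise, quarantined hits and hits on live paths, and counts detections per family after stripping Kaspersky's "not-a-virus:" prefix and the variant suffix. The quarantine path markers are an assumption drawn from the paths in this thread; the sample log is constructed, with five lines copied from the report above and one hypothetical live path added so that the live branch has something to show.

```python
import re
from collections import Counter

# Constructed sample in the format of the scanner report posted above.
# The first five lines are copied from the thread; the last line uses a
# hypothetical path (not from the thread) so the "live" branch is exercised.
SAMPLE_LOG = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\Owner\Local Settings\Temp\SkypeSetup.exe Object is locked skipped
C:\_OTMoveIt\MovedFiles\107909218 Infected: Trojan-Downloader.Win32.Agent.bsr skipped
C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\WINDOWS\system32\ntos.exe.vir Infected: Trojan.Win32.Pakes.al skipped
C:\_OTMoveIt\MovedFiles\QooBox\Quarantine\C\WINDOWS\byvssr.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\WINDOWS\system32\hypothetical-live.dll Infected: Trojan.Win32.Agent.aoy skipped
"""

# One report line is either "<path> Object is locked skipped" or
# "<path> Infected: <verdict> skipped". Paths may contain spaces, so the
# path group is non-greedy and the pattern is anchored at both ends.
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:Object is locked|Infected: (?P<verdict>\S+)) skipped$"
)

# Assumed quarantine locations (lower-cased for comparison): OTMoveIt's
# MovedFiles folder and ComboFix's QooBox quarantine, both seen in the thread.
# A hit under one of these is a stored copy, not an active threat.
QUARANTINE_MARKERS = (r"\_otmoveit\movedfiles", r"\qoobox\quarantine")


def family(verdict):
    """Strip the 'not-a-virus:' prefix and the variant suffix:
    'not-a-virus:AdWare.Win32.Virtumonde.ar' -> 'AdWare.Win32.Virtumonde'."""
    return verdict.split(":")[-1].rsplit(".", 1)[0]


def parse_line(line):
    """Return {'path', 'verdict', 'status'} for one report line, or None when
    the line is not in the report format (headers, 'Scan process completed.').
    status is 'locked', 'quarantined' or 'live'."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    path, verdict = m.group("path"), m.group("verdict")
    if verdict is None:
        status = "locked"
    elif any(marker in path.lower() for marker in QUARANTINE_MARKERS):
        status = "quarantined"
    else:
        status = "live"
    return {"path": path, "verdict": verdict, "status": status}


def triage(log_text):
    """Split a report into locked objects (expected noise), hits already in
    quarantine, and hits on live paths that still need action, plus a count
    of detections per family."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    return {
        "locked": [r["path"] for r in records if r["status"] == "locked"],
        "quarantined": [r for r in records if r["status"] == "quarantined"],
        "live": [r for r in records if r["status"] == "live"],
        "families": Counter(family(r["verdict"]) for r in records if r["verdict"]),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"locked objects (expected, skip): {len(result['locked'])}")
    print(f"hits already in quarantine:      {len(result['quarantined'])}")
    for hit in result["live"]:
        print(f"LIVE hit, needs action: {hit['path']} ({hit['verdict']})")
    for fam, n in result["families"].most_common():
        print(f"  {n} x {fam}")
```

Run against the full report above, every "Infected" line lands in the quarantined bucket and the live list is empty; the family counts (FraudTool.Win32.UltimateDefender, AdWare.Win32.Virtumonde, the Agent and Tiny downloaders) are the rogue antivirus and the Vundo adware that fed it, which is useful when deciding whether a second opinion scan is still worth running.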

#12 don77 (Malware Expert, Retired Staff, 18,526 posts)
:whistling:

Just a couple of things left and you should be on your way.

Delete the following folder:
C:\_OTMoveIt\MovedFiles

Open OTMoveIt and click Cleanup; this will remove all the tools we have downloaded, including OTMoveIt itself.


Please use the following suggestions to help prevent reinfection.

Download the following program, for keeping crap off your system to begin with. It prevents the installation of ActiveX-based spyware, adware, browser hijackers, dialers, and other potentially unwanted pests; blocks spyware/tracking cookies in Internet Explorer and Mozilla/Firefox; and restricts the actions of potentially dangerous sites in Internet Explorer.
Download SpywareBlaster


For an added check, run an online virus scan; you can use one of the two below:
TrendMicro's HouseCall
ActiveScan

Be sure to give the Temp folders a cleaning out now and then as well. A handy tool to do this:
Please download ATF Cleaner by Atribune. Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you use the Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Remember to check Windows for updates.

Reset and re-enable your System Restore to remove infected files that have been backed up by Windows. The files in System Restore are protected to prevent any programs from changing those files. This is the only way to clean these files. (You will lose all previous restore points, which are likely to be infected.)

1. Turn off System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • Check Turn off System Restore.
  • Click Apply, and then click OK.

2. Restart your computer.

3. Turn ON System Restore.
  • On the Desktop, right-click My Computer.
  • Click Properties.
  • Click the System Restore tab.
  • UN-check Turn off System Restore.
  • Click Apply, and then click OK.

System Restore will now be active again.

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?

#13 don77 (Malware Expert, Retired Staff, 18,526 posts)
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.